Please Help: Bitdefender 09 Unable To Remove Trojan.cryptredol.gen.2
I was recently running my weekly update and full system scan when several infected item(s) popped up on the scan statistics page. I was later surprised to see that there were 26 occurrences of the above mentioned virus being reported and that No Action was possible from bitdefender.
From what I can gather, this is a rather pervasive yet relatively unknown virus. I have tried several other utilities (Malwarebytes, etc) and they show no presence of any infected items in my system. Yet, scan after scan with Bitdefender shows the presence of this trojan.
I am at my wit's end and am disheartened by the fact that my system has been compromised. I would appreciate any assistance anyone can provide who knows how to remove this trojan or direct me to a product/site that can. Thank you for your time!
-Dan
Comments
Hello oriontoo ,
Please run a Deep System Scan with BitDefender and then post here the scan report download link:
- Before running the scan please make sure that you have the latest virus definitions downloaded via the Update module: open BitDefender, click the "Switch to Basic View" button (if it is not already in Basic View) and choose the "Update Now" task on the right;
- After the update process completes successfully you can proceed to running the scan task: select the "Deep Scan" task;
- When the scan ends, click the "Show Log File" button at the bottom right of the scan window;
- A browser window will open displaying the scan report;
- Save this file on a location of your choice, then upload it on http://www.sendspace.com/ and post here the download link.
Thank you.
I ran across a Trojan that Bitdefender is not able to remove. I made sure that I had the latest update and ran a deep system scan before posting.
Below is a link to the log file:
http://www.sendspace.com/file/l52edu
Please provide instructions on how to remove this from my system. I am running Windows XP
Thanks for your help.
First, thank you for your quick response and help! I appreciate your efforts.
As requested, I ran an update and immediately followed that with a Deep Scan. As per the norm the trojan did show up and a log was generated. I will post the sendspace link below. I am completely new to this forum and have never encountered a trojan so problematic as this one. I appreciate your time, patience, and suggestions.... Best regards.
-Dan
Hello stormygsa and oriontoo,
We would like you to perform the steps from the next BitDefender article: http://kb.bitdefender.com/KB490 and post here the download links for the AVIS and Gmer reports.
Thank you.
Alex,
As instructed, I've attached the Sendspace links for both of the requested logs. Please let me know if there is any additional information or scans you require I perform to get you the data that you need. Again, thank you, all that are involved, for your time, patience, and expertise. I am truly grateful.
-Dan
http://www.sendspace.com/file/dsa9q2
Avis Zip Log
http://www.sendspace.com/file/tat454
Gmer Text Log
Hey, I have a problem deleting a trojan called trojan.cryptredol.gen.2. If you could please guide me through the steps to delete it, thanks. Bitdefender's detecting 33 of them. Thanks, Aaron
Hello oriontoo,
We have sent the reports to our Virus Analysis team. We will contact you shortly after we receive an answer from them.
Thank you.
Hello a4azza,
Go to the next link: http://kb.bitdefender.com/KB490, run Avis and Gmer, upload the reports on http://www.sendspace.com/ and post here the download links.
Thank you.
Hey, thanks for the fast response. http://www.sendspace.com/file/jwgyu0 avis
I will put gmer on in 10 mins, thanks.
http://www.sendspace.com/file/sq50fy gmer log, thanks
Hello a4azza,
We have submitted the Avis and the Gmer reports to my colleagues from the Virus Analysis team. We will contact you as soon as we have an answer from them.
Thank you.
I have the same problem with the trojan cryptredol.gen.2 virus, please let me know when you guys have found a solution....
Thanks, I look forward to hearing from you. Another thing I wanted to know: at about the same time I've noticed a process called bfnaiadibx.exe and tried to google it but got no results. Do you know what it is? Thanks
Alex,
I get an error message when I try to download Avis & Gmer when clicking on the links provided at the above link. It is a page load error. What do I need to do to be able to get these two files?
Gail
I found a better link on one of the other postings: Here are the links for the Avis & Gmer reports:
http://www.sendspace.com/file/brhd76
http://www.sendspace.com/file/dn5wpk
Thanks for your help!
Gail
Hello stormygsa,
We submitted the reports to my colleagues from the Virus Analysis team. Until we receive an answer from them, we have sent you an email with a procedure for manually removing the infected file using our Gmer tool. Please let us know what happened.
Thank you.
Hey, I followed the steps in normal and in safe mode and was unsuccessful. When the scan had finished it showed I was infected. I went to Files; drives C and D were in the left column. I'd click on the C drive and nothing would happen, it was like the whole C drive was empty.
Alex,
I followed the directions I received via email, but when I go to the "Files" tab, all I can see is the C:, and when I click on it, no files come up. I ran the scan to make sure I didn't miss something, and I can see the infected files under the "Rootkit/Malware" tab, but cannot delete it from there. Am I missing something? - Gail
In order to remove the infected objects from your computer you need to perform the following steps:
1. Disable the BitDefender real-time protection and/or any other active security solution(s) that you are using;
2. Save the GMER tool (and then extract it if needed) to a location of your choice:
RECOMMENDED: http://www.gmer.net/download.php
alternative: http://www.bitdefender.com/files/KnowledgeBase/file/gmr.zip
or use the version attached to this email: gmr.zip (not available for all email providers)
3. Make sure you close all active applications and then run the tool;
4. Allow the tool a few moments to load up and perform the initial scan;
5. In the upper left of the GMER window, you will see the tab "Rootkit/Malware" and ">>>"; Please click on ">>>"; Next click on the tab "Files";
6. Use the tree list on the left to browse and the list on the right to locate the following file(s):
C:\WINDOWS\system32\hjgruitnpspwmt.dll
7. Once you have located the file, select it with one click (in the list on the right), then press the button "Delete"; A new window will open asking you to confirm (choose "Yes");
8. Close the tool once this operation is completed.
In order to check whether the virus removal procedure has succeeded, we recommend another complete scan of your computer with BitDefender.
~
[how to DISABLE THE REAL-TIME PROTECTION on BitDefender 2009]
In order to disable the real-time protection please open BitDefender, "switch to Advanced View", go to "Antivirus" > "Shield" and click on "Real-time protection is enabled", select the time interval that suits your troubleshooting needs and click "OK" (the message will change to "Real-time protection is disabled"). The real-time protection should be enabled after performing the troubleshooting procedure.
If the situation persists or you require further assistance please do not hesitate to contact us.
Best regards,
Alexandru Stanciu
BitDefender Technical Support Engineer
-------------------------------------
http://www.bitdefender.com/help
https://myaccount.bitdefender.com
-------------------------------------
Hello stormygsa,
In some cases Gmer is not useful in removing some infected files. My colleagues have finished the analysis of the files that we had from you. We have sent you an email with further instructions on how to provide us a sample with a file from your system. Please reply as soon as possible.
Thank you.
Hi Alex,
I was able to do the beginning portion of the instructions - 1. Disable the BitDefender real-time protection and/or any other active security solution(s) that you are using; 2. Display hidden objects in Windows (how-to information is written below);
I am having problems with this part -3. Locate the suspect/infected files:
C:\WINDOWS\system32\hjgruitnpspwmt.dll
Help! I ran the bitdefender scan again and the trojan is still there.
Gail
Hi all,
I too have been hit by this virus, and after much searching of the net have done everything suggested so far.
Just a thought on a possible solution. I'm not the best with computers but might have stumbled across a way to manually shut this virus down - someone with far more knowledge will stop me if I'm wrong, I'm sure.
What if you use the registry editor to disable it? It's located under HKEY_LOCAL_MACHINE \ SYSTEM \ ControlSet003 \ Services \ CryptSvc. If you right click on this folder and go to permissions, select advanced, then untick "Inherit from parent the permission entries that apply to child objects", you can then remove the owner from having permissions. Which in theory means you're back in full control, so what would be stopping you from deleting the whole registry entry, followed by the following files:
C:\WINDOWS\system32\crypt32.dll
C:\WINDOWS\system32\cryptdlg.dll
C:\WINDOWS\system32\cryptdll.dll
C:\WINDOWS\system32\cryptext.dll
C:\WINDOWS\system32\cryptnet.dll
C:\WINDOWS\system32\cryptsvc.dll
C:\WINDOWS\system32\cryptui.dll
Then, delete the quarantined files that BitDefender initially picked up on, and I'd think that the registry cleaner in BitDefender should clean up the last few links. I know it's not the perfect solution, but might be better than wiping your hard drive and reinstalling everything.
Or have I over-complicated things with the above and there's already a professional fix lol? Hoping a solution is made available soon.
Thanks,
Neon
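An added check, not from the thread: before any file under system32 is removed, the paths listed above can be checked for an Authenticode signature, which separates Microsoft-signed Windows components (crypt32.dll and the other crypt*.dll files are standard Windows files) from an unsigned DLL with a random name such as the hjgruitnpspwmt.dll that support named earlier. It assumes PowerShell 2.0 or later is installed; on Windows XP most system files are catalog-signed rather than embedded-signed, so a "NotSigned" result there is not proof of tampering and should be confirmed with a catalog-aware tool such as Sysinternals sigcheck.

```powershell
# Added example (not from the thread). For each file named in the thread,
# report whether the normal file API can see it, its signature status and
# who signed it. Assumes PowerShell 2.0+.
# Caveat: on Windows XP most system32 files are catalog-signed, so
# "NotSigned" alone is inconclusive; confirm with a catalog-aware tool.
$paths = @(
    'C:\WINDOWS\system32\hjgruitnpspwmt.dll',   # file named by support
    'C:\WINDOWS\system32\crypt32.dll',          # standard Windows files
    'C:\WINDOWS\system32\cryptdlg.dll',
    'C:\WINDOWS\system32\cryptdll.dll',
    'C:\WINDOWS\system32\cryptext.dll',
    'C:\WINDOWS\system32\cryptnet.dll',
    'C:\WINDOWS\system32\cryptsvc.dll',
    'C:\WINDOWS\system32\cryptui.dll'
)

foreach ($p in $paths) {
    if (-not (Test-Path -LiteralPath $p)) {
        # A path the scanner reported but Test-Path cannot see suggests the
        # file system view is being filtered (rootkit behaviour), not that
        # the file is gone; note it rather than assuming it is clean.
        "{0,-45} not visible to the file API" -f $p
        continue
    }
    $sig = Get-AuthenticodeSignature -FilePath $p
    if ($sig.SignerCertificate) {
        $signer = $sig.SignerCertificate.Subject
    } else {
        $signer = '(no embedded signature)'
    }
    "{0,-45} {1,-12} {2}" -f $p, $sig.Status, $signer
}
```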
I'm starting to get very frustrated now. I now have 56 infected files. Nothing you've told me to do has helped! Now what?
stormygsa, in the intention of helping you I've sent you a PM with some advice. Reply to me with a PM if any of those find anything.
It would be nice to not delete what those scanners find, but to archive the infected files (before removing them) with password "infected" and upload them to some file hosting service. Post here a link to those files; maybe some virus researcher will look into it.
Do not mention those scanners' names here.
Good Luck!
Link to the files that I mentioned, as you suggest Sm3K3R: http://www.sendspace.com/file/w2fipy
Also noticed it's not just HKEY_LOCAL_MACHINE \ SYSTEM \ ControlSet003 \ Services but also HKEY_LOCAL_MACHINE \ SYSTEM \ ControlSet002 \ Services, and disabling the owners permissions in one control set didn't work - permissions were fully restored (and OWNER added back to the list of permissions groups) once restarted, but this was before I'd realised it's in ControlSet002.
Hope this helps all, this thing is driving me nuts. Almost tempted to wipe the whole OS and start again. I know it's not BitDefender's fault.
Later I'm going to deliberately infect another machine here, delete the files I mentioned and the registry entries and see what happens - it's an old machine and about to be wiped anyway so it won't hurt. Will post the results once I've done it.
Yell out if you want more info.
Neon
Thanks for your advice Sm3K3R,
Unfortunately, only two files were able to be removed using the programs you suggested. I can't get one of them to work on my computer either and the website does not have any troubleshooting ideas. I now have 56 files infected and figure I'm out of luck. It's very depressing since I rarely go to unknown websites and have no idea how I got this in the first place. I guess I'll have to pay someone to try and remove it or to reformat my computer, since I don't have the knowledge to do it myself.
I appreciate your help though.
Gail
Check the PM again!
Hello
I too have the same virus (approx 49 instances). I've tried downloading the AVIS and GMER apps, but I get an error when trying to run the AVIS app ("R6034 An application has made an attempt to load the C runtime library incorrectly. Please contact the application's support team for more information")
Looks like it may be missing a dll or something. Any ideas on where I can get a different build? Any other ideas?
Also, do you know when BitDefender will address this in their next virus definitions?
I've attached a copy of the GMER scan.
Thanks
Larry
Attachment: gmer.log
Hey, my system is still infected with Trojan.CryptRedol.Gen.2 http://www.sendspace.com/file/3uvcvp