# Cryptne.dll -- unremovable?



## Black Panther (Jan 3, 2008)

I hope I'm posting this in the correct forum, since it's more like 'unwanted software' than 'general software'.

On this work pc I've got the trojan virus cryptne.dll. Avast can't remove it, I've searched and it appears that it cannot be removed by normal anti-virus programs since access is denied.

I've been searching for instructions - apparently there is some method through regedit but I can't find the procedure anywhere.

Can anyone please give me some help on how I can get rid of it?

Thanks a lot.

Edit: btw the file is found in C:\Windows\system32
I saw it there and tried to delete it, even under safe mode and even after removing all processes I could from the task manager.... but still no luck.


----------



## ex_reven (Jan 8, 2008)

try a program called "Move on boot"

The trick is removing it before the process is started, because otherwise access is denied.
Moveonboot deletes the file before it is loaded into RAM.


----------



## Black Panther (Jan 31, 2008)

Thanks ex-reven, but still nothing doing.

I get the message from Moveonboot that it cannot access and failed...

I took a screenshot, emailed it to myself from work to home, and yes we've noticed emails aren't going through...

It's a small family business and normally I do the techie work on the pc's... my dad uses that pc for internet banking and all that stuff, since getting this virus we can't access any secure sites!

Strangely enough, the virus shows on hijackthis. If you try to remove it you get no errors, but then I scan immediately after and it's back in hijackthis. 

I also read about cryptne.dll -- apparently it gets into the RAM or something... 

I'd appreciate any ideas.
How would you deal with a virus that gets into memory as soon as the pc loads (even in safe mode)?

What I'm thinking of is booting in safe mode command prompt only and delete the file from there, I haven't tried that yet.
Because I've forgotten what I have to type in command prompt to delete a file...  It's so long since I used dos commands...


----------



## Black Panther (Feb 1, 2008)

Avast identifies the virus in cryptne.dll as Win32:BHO-KD trojan horse.

I've tried in safe mode command prompt:
del /f c:\windows\system32\cryptne.dll

And also I got the result that 'access is denied'.


----------



## Black Panther (Feb 1, 2008)




----------



## SiXx` (Feb 1, 2008)

Have you a) done start > run > msconfig > and disable it from starting in the services tab and startup tab? b) try using a program called unlocker(http://ccollomb.free.fr/unlocker/).


----------



## Black Panther (Feb 4, 2008)

'Unlocker' doesn't work either.

This is what it gives me. It doesn't manage to delete, then gives me the option to delete the file in the next startup.
However, when I then reboot avast tells me I've got the virus, it is still there in System32.


----------



## oily_17 (Feb 4, 2008)

Download and scan with SUPERAntiSpyware Free for Home Users
- Double-click *SUPERAntiSpyware.exe* and use the default settings for installation.
- An icon will be created on your desktop. Double-click that icon to launch the program.
- If asked to update the program definitions, click "*Yes*". If not, update the definitions before scanning by selecting "*Check for Updates*". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
- Under "*Configuration and Preferences*", click the Preferences button.
- Click the *Scanning Control* tab.
- Under *Scanner Options* make sure the following are checked (leave all others as they are):
  - Close browsers before scanning.
  - Scan for tracking cookies.
  - Terminate memory threats before quarantining.
- Click the "*Close*" button to leave the control center screen.
- Back on the main screen, under "*Scan for Harmful Software*" click Scan your computer.
- On the left, make sure you check *C:\Fixed Drive*.
- On the right, under "*Complete Scan*", choose Perform Complete Scan.
- Click "*Next*" to start the scan. Please be patient while it scans your computer.
- After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "*OK*".
- Make sure everything has a check mark next to it and click "*Next*".
- A notification will appear that "Quarantine and Removal is Complete". Click "*OK*" and then click the "*Finish*" button to return to the main menu.
- If asked if you want to reboot, click "*Yes*".

See if that helps!!


----------



## Black Panther (Feb 4, 2008)

I tried running with the least processes open using msconfig, and it enabled me to get to this point.
However if I try to kill the process I get the memory error also shown in the above picture, and explorer restarts (all desktop icons disappear and reload).

As unlocker shows it, the virus is actually part of Explorer. I can't shut down the process of the whole explorer otherwise I won't be able to do anything except stare at the desktop picture...

Does there maybe exist some program which can open, similar to a task manager, but will also show all the processes included in Explorer, so that I can choose which ones to kill?


----------
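The question above (which process actually holds the DLL) and the earlier observation that HijackThis removes the entry but it comes straight back are two sides of the same thing: a Browser Helper Object is loaded by Explorer/IE from a CLSID registration, and while the code is still in memory it can re-register itself. The following PowerShell script is an added example, not something posted in the thread or shipped with any of the tools mentioned; it lists every process that has a named module mapped and every BHO registration with the DLL path it resolves to. It assumes an elevated PowerShell prompt on the affected machine, and the default `$DllName` is only the name from this thread, substitute whatever you are chasing.

```powershell
# Added example: who has the DLL mapped, and which BHO CLSIDs point at it.
# Run elevated, in the same bitness as explorer.exe (a 64-bit PowerShell
# cannot read the module list of 32-bit processes, and vice versa).
param([string]$DllName = 'cryptne.dll')   # assumption: name from the thread

# 1. Processes that currently have the module loaded. A mapped image file
#    cannot be deleted by anyone while a process holds it, which is why
#    "del /f" and Unlocker both report access denied, and why killing
#    explorer.exe alone does not help: it restarts and reloads the BHO.
function Get-ModuleHosts {
    param([string]$Name)
    Get-Process | ForEach-Object {
        $p = $_
        try {
            $p.Modules | Where-Object { $_.ModuleName -ieq $Name } |
                ForEach-Object {
                    [pscustomobject]@{
                        ProcessId   = $p.Id
                        ProcessName = $p.ProcessName
                        ModulePath  = $_.FileName
                    }
                }
        } catch {
            # Access denied on protected / other-bitness processes is normal.
        }
    }
}

# 2. BHO registrations. Explorer and IE load every CLSID listed under the
#    "Browser Helper Objects" key, resolving the DLL through the CLSID's
#    InprocServer32 default value. If the entry reappears after you delete
#    it, something still running is writing it back.
function Get-BhoRegistrations {
    $bhoKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    )
    $clsidHives = @(
        'HKLM:\SOFTWARE\Classes\CLSID',
        'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID',
        'HKCU:\SOFTWARE\Classes\CLSID'
    )
    foreach ($bhoKey in $bhoKeys) {
        if (-not (Test-Path $bhoKey)) { continue }
        Get-ChildItem $bhoKey | ForEach-Object {
            $clsid  = $_.PSChildName
            $server = $null
            foreach ($hive in $clsidHives) {
                $inproc = Join-Path $hive "$clsid\InprocServer32"
                if (Test-Path $inproc) {
                    $server = (Get-ItemProperty $inproc).'(default)'
                    break
                }
            }
            [pscustomobject]@{
                BhoKey     = $bhoKey
                CLSID      = $clsid
                DllPath    = $server
                DllMissing = [bool]($server -and -not (Test-Path -LiteralPath $server))
            }
        }
    }
}

"Processes with $DllName mapped:"
Get-ModuleHosts -Name $DllName | Format-Table -AutoSize
"Registered Browser Helper Objects:"
Get-BhoRegistrations | Format-Table -AutoSize
```

On an XP box without PowerShell the first half is `tasklist /M cryptne.dll` from a command prompt, which prints the same process list. A `DllMissing` of `True` after an offline deletion is the registry entry Namslas90's last post is talking about: the BHO key and its CLSID subtree are what to remove so nothing tries to load the file again.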



## Black Panther (Feb 4, 2008)

oily_17 said:


> Download and scan with SUPERAntiSpyware Free for Home Users
> 
> -snip-



Thanks I will try that. However I've got the complete copy of Spyware Doctor, and it didn't solve the issue either... So my hopes aren't high...


----------



## Mussels (Feb 4, 2008)

CHEAT!

take the hard drive out, plug it into another PC (a USB cage is a good one for this)

You can delete it all you want, it can't protect itself from another OS


----------



## [I.R.A]_FBi (Feb 4, 2008)

Mussels said:


> CHEAT!
> 
> take the hard drive out, plug it into another PC (a USB cage is a good one for this)
> 
> You can delete it all you want, it can't protect itself from another OS



agreed!


----------



## Black Panther (Feb 4, 2008)

Mussels said:


> CHEAT!
> 
> take the hard drive out, plug it into another PC (a USB cage is a good one for this)
> 
> You can delete it all you want, it can't protect itself from another OS



Brilliant idea! 

However we're dealing with a virus here.... you _sure_ the virus won't find some way to copy itself on the OS of the computer it's plugged in?
If that happens I'd double my problem...


----------



## JousteR (Feb 4, 2008)

Have you tried AVG? It has removed more trojans for me than any other A/V.
And it's free... may be worth a run?
Here. It may not work, as a dll is a crapper to remove..


----------



## Black Panther (Feb 4, 2008)

JousteR said:


> Have you tried AVG? It has removed more trojans for me than any other A/V.
> And it's free... may be worth a run?
> Here. It may not work, as a dll is a crapper to remove..



Yes. That plus 20 more utilities I guess by now! 

The problem with this file is that it forms part of a process of Windows Explorer. As soon as the pc is powered up this file starts being 'in use' in RAM. Even if I boot into safe mode command prompt only (which I can't understand, is Explorer also launched in safe mode command prompt?!?).

So essentially, no matter how I try to delete it and whatever methods I use, it's always inaccessible because it is 'in use'. Surprisingly, programs which are supposed to delete the file on the next boot don't work either. Probably because the dll file gets loaded before the program which is supposed to be deleting it.


----------



## johnspack (Feb 4, 2008)

I've had to deal with these nasties before.. several options here - sometimes a copy of it is in the \windows\prefetch cache folder, it may have a strange extension so just search for the first part of the filename. Also to delete the main offending file, you may need to go to its file properties and attempt to take ownership in the security tab. Also you could try a UBCD4Win boot cd, which can't get infected, and delete the file/files that way. Just go to www.ubcd4win.com and you'll need an xp cd to build it. Oh and build it on a clean pc too of course..


----------



## Black Panther (Feb 4, 2008)

Thank you johnspack.

I'll check the prefetch folder first.

I had tried to go to its file properties but it simply doesn't allow any changes to happen there. Always the inaccessible problem.

I like your idea of making the ISO. Definitely less risky than putting the hard-disk in another pc. Never thought it was possible. So then the ISO works just like the old floppy boot diskette and you use the xp on that cd rather than the xp on the hdd, meaning that cryptne.dll wouldn't then be 'in use'?


----------



## pepsi71ocean (Feb 4, 2008)

did you try making a dos disk and going into your computer through dos?


----------



## Black Panther (Feb 4, 2008)

I've tried in safe mode command prompt by typing: del /f c:\windows\system32\cryptne.dll

And again I got the result that 'access is denied'.

You think that making a DOS 3 1/2" floppy to execute that command might work?

*Edit*: Oh wait a sec... that pc doesn't even have a 3 1/2 inch floppy... Can it be done through USB?


----------



## pepsi71ocean (Feb 4, 2008)

in theory a DOS start up disk loads even before windows. So it wouldn't load the hdd. Make sure to set the attributes to not Read Only.

do you have a computer with a 3.5 floppy? You could get a floppy from another computer and hook it up to this computer, or just swap hdd's.


----------



## Wakou (Feb 5, 2008)

Get hold of a linux live cd, or hiren's boot,or  pref. "Barts Boot Windows PE", with Barts you have two AV progs already on. Follow his directions to make an .iso file, including latest defs. Boot from it, run AV, and Bob's your favourite smokin' drinkin' uncle. If the AV's on there don't work, you can delete the nasties manually from within the Win PE environment. Bart's Win PE, is a bit piratical, but it is a MUST HAVE (IMHO)


----------



## zatblast (Feb 5, 2008)

killbox is another one that deletes a process before it can be started... but anyway just use that other one since I think kb is outdated... anyway just a minor thing to say... have you tried booting safe mode yet? I mean if it's this resilient so far I would guess safe mode is not gonna help too much but... worth a shot


----------



## X800 (Feb 5, 2008)

Try this linux cd, it boots from cd: http://www.knoppix.org/ . It has saved me many times. You can delete or alter your system like you want, and if the hard drive crashes (corrupted) this will also get stuff from there.


----------



## Deleted member 24505 (Feb 5, 2008)

If you make a bootable cd using nero, and use nero's boot image, you can boot from it and access any ntfs partition. DOS won't access ntfs partitions.

You could possibly use this and delete it, as someone said above.


----------



## Mussels (Feb 5, 2008)

plugging the drive into another PC would be easiest... at least he won't be trying to navigate an OS and tools he's never used before.


----------



## cherryfav (Feb 5, 2008)

Kaspersky free trial has done it for me in the past


----------



## Namslas90 (Feb 5, 2008)

Man thats a nasty one;

If you have  not killed this thing yet, try XoftSpy SE.  Use link below for access to link and manual instructions for removal complete with list of Registry keys.

http://removal-tool.blogspot.com/2007/12/trojanwin32bhoaqz-removal.html

or 

Try E-Squared(Free); http://www.emsisoft.com/en/software/free/

After scan/removal (either one) and BEFORE reboot, download and run JavaSUN registry scanner;

http://www.majorgeeks.com/Sun_Java_Runtime_Environment_d4648.html

I thought for sure you had gotten this one already, but the thread just kept coming up.


----------



## johnspack (Feb 5, 2008)

Yes, you can boot from and load xp from the ubcd4win cd, which also comes with some av and antispyware apps, but hopefully you could just delete the file at that point. Also when you checked the file properties in the security tab, did you then click advanced, then go to Owner, then check your user name to take ownership? Most likely though, a live cd like ubcd4win or one of the linux ones would give you access to your filesystem without getting infected.. Hiren's boot cd is a good one with built in tools as well.


----------
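The take-ownership advice in the two johnspack posts, and the "delete on next boot" tools tried earlier, can be done from one script so you can see which step actually fails. This PowerShell is an added example, not code from the thread or from Unlocker/Move on boot: it takes ownership and resets the ACL (a malware-stripped ACL is one reason for "access denied" even from safe mode command prompt), then tries delete, then rename, then the same delayed delete those tools use. It assumes an elevated prompt on Vista or later (`takeown.exe` and `icacls.exe` are not on XP, which has `cacls`), and the default `$Target` path is only the one named in this thread.

```powershell
# Added example: reset ownership/ACL on a locked file, then try
# delete -> rename -> delete-on-reboot, reporting which one worked.
# Run elevated. Default path is an assumption taken from the thread.
param([string]$Target = "$env:SystemRoot\System32\cryptne.dll")

# takeown/icacls ship with Vista and later. If the file's ACL has been
# stripped, this is the step that turns "access denied" into a plain
# "file in use" problem.
function Reset-FileAcl {
    param([string]$Path)
    & takeown.exe /F $Path | Out-Null
    & icacls.exe $Path /grant "$($env:USERNAME):F" | Out-Null
}

# MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT is what "move on boot" style
# tools do: the request is queued in PendingFileRenameOperations and
# carried out by the session manager early in boot, before explorer.exe or
# any BHO can be loaded.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@
$MOVEFILE_DELAY_UNTIL_REBOOT = 4

function Remove-LockedFile {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return 'not-present' }

    Reset-FileAcl -Path $Path

    # Plain delete: fails while any process has the image mapped.
    try {
        Remove-Item -LiteralPath $Path -Force -ErrorAction Stop
        return 'deleted'
    } catch { }

    # A mapped DLL cannot be deleted, but NTFS usually lets you rename it on
    # the same volume; the original path is then gone at the next boot.
    $parkedName = (Split-Path -Leaf $Path) + '.quarantine'
    try {
        Rename-Item -LiteralPath $Path -NewName $parkedName -ErrorAction Stop
        return "renamed:$parkedName"
    } catch { }

    # Last resort: ask the session manager to delete it during the next boot.
    if ([Win32.Native]::MoveFileEx($Path, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)) {
        return 'delete-on-reboot'
    }
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    return "failed:win32-error-$err"
}

Remove-LockedFile -Path $Target
```

If even the rename and the delayed delete come back with `failed`, the file is not merely in use; something is denying the handle itself, and at that point the offline route Mussels suggested (or a live CD) is the right call, since none of the above can run before the code that protects the file. Whatever route deletes it, the BHO registration pointing at the path still has to be removed by hand afterwards.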



## Black Panther (Feb 8, 2008)

Done the ubcd4win disk... and the computer didn't want to boot from the dvd drive! Even when I went in the bios again and removed the HDD from being a boot device and put just the DVD rom. 

Finally, as per Mussels' suggestion, I removed the HDD, put it in my rig, deleted cryptne.dll effortlessly, and put the HDD back again. All it took was 10 minutes...

But at last I got rid of that pest!


----------



## Namslas90 (Feb 8, 2008)

Be sure to run a good registry cleaner, before it re-downloads that thing again.


----------

