Trojan:Win32/Cridex.NC is a banking trojan variant from the Cridex (also known as Bugat or Feodo) malware family that specializes in stealing financial credentials and sensitive personal information. This particular trojan employs sophisticated code injection techniques to intercept banking sessions, capture login credentials, and potentially grant remote attackers access to your system. While the original Cridex campaigns peaked several years ago, variants like NC continue to circulate through repackaged malware bundles and phishing campaigns targeting both individual users and small businesses.
The Cridex family represents an evolution of the earlier Geodo trojan and shares characteristics with other banking malware like Zeus and Dridex. What makes this threat particularly concerning is its ability to operate silently while monitoring your online banking activities and harvesting authentication credentials that can lead to direct financial loss. The "NC" designation indicates a specific variant configuration, though many security products may detect related samples under slightly different names.
Threat Profile
| Attribute | Details |
| --- | --- |
| Malware Family | Cridex/Bugat/Feodo (Banking Trojan) |
| Variant Designation | NC (specific configuration/build) |
| Threat Classification | Trojan:Win32/Cridex (Microsoft); Trojan.Cridex (various AV vendors) |
| Primary Target Platform | Windows (all versions vulnerable; targets 32-bit and 64-bit systems) |
| Family First Discovered | Original Cridex family emerged circa 2010-2012; NC variant circulated 2013-2015 with continued detections |
| Primary Distribution Method | Email attachments (malicious Office documents, PDFs with exploits), drive-by downloads, exploit kits, bundled with pirated software |
| Persistence Mechanisms | Registry Run keys, scheduled tasks, DLL injection into system processes (explorer.exe, svchost.exe), browser helper objects |
| Primary Capabilities | Form grabbing, keystroke logging, web injection (Man-in-the-Browser attacks), credential theft, screenshot capture, remote command execution |
| Targeted Data | Banking credentials, credit card information, email passwords, FTP credentials, cryptocurrency wallet data, personal identification information |
| Network Behavior | Command-and-control (C2) communication via HTTP/HTTPS to compromised servers, data exfiltration using encrypted channels, peer-to-peer backup C2 (known for the family) |
| Typical Indicators | Suspicious processes injected into legitimate Windows binaries, unusual network connections to foreign IPs, registry modifications in HKCU/HKLM Run keys, random-named executables in %APPDATA% or %TEMP% |
| Removal Difficulty | Moderate to High (requires safe mode boot, process termination, registry cleanup, and thorough scanning) |
How It Spreads
Trojan:Win32/Cridex.NC primarily spreads through social engineering tactics designed to exploit human trust rather than software vulnerabilities. The most common infection vector involves phishing emails crafted to appear legitimate — often masquerading as shipping notifications, invoice requests, tax documents, or urgent communications from financial institutions. These emails contain either malicious attachments (typically Office documents with embedded macros or PDFs exploiting reader vulnerabilities) or links to compromised websites hosting the trojan payload.
The trojan has also been distributed through exploit kits deployed on compromised legitimate websites. When you visit an infected site, the exploit kit silently probes your browser and plugins (Flash, Java, Silverlight) for known vulnerabilities and attempts to install Cridex without any user interaction. This "drive-by download" method was particularly effective during the malware's peak years, though modern browser security has reduced its success rate.
Additional distribution methods include:
- Malicious email attachments: ZIP archives containing executables disguised as documents, Office files with macro-based downloaders, PDFs exploiting older Adobe Reader vulnerabilities
- Compromised software downloads: Bundled with pirated software, key generators, and "cracked" applications downloaded from file-sharing sites
- Secondary payload delivery: Installed by other malware already present on the system, particularly generic trojans and downloaders sold as "malware distribution services"
- Removable media propagation: Some variants copy themselves to USB drives with autorun configurations (less common with NC specifically)
- Network exploitation: Spreading laterally through networks with weak security, particularly targeting systems with shared administrative credentials
What It Does On Your Machine
Once Trojan:Win32/Cridex.NC executes on your system, it immediately begins establishing persistence to survive reboots and evade detection. The trojan typically copies itself to hidden locations within your user profile directories — often using random GUID-style folder names and executable names that mimic legitimate Windows processes. It then modifies Windows registry Run keys to ensure automatic execution at every system startup and may install itself as a scheduled task for redundant persistence.
The trojan's core functionality centers on credential theft through multiple techniques. It employs keylogging to capture everything you type, but its most sophisticated capability is web injection (also called Man-in-the-Browser or MITB attacks). When you visit banking websites, Cridex injects malicious code directly into your browser's memory space, allowing it to modify the web pages you see, steal session cookies, and capture form data before it's even encrypted by HTTPS. This means the trojan can harvest your credentials even when you're visiting legitimate banking sites over secure connections.
Form grabbing is another primary mechanism — the trojan intercepts and logs all data submitted through web forms before it leaves your browser, capturing usernames, passwords, security questions, account numbers, and any other information you enter. Beyond financial data, Cridex variants typically exfiltrate email credentials, FTP passwords stored in clients like FileZilla, and browser-saved passwords. The stolen data is packaged and transmitted to command-and-control servers operated by the attackers, often through encrypted channels that blend in with normal HTTPS traffic.
The trojan also provides backdoor functionality, allowing remote attackers to execute commands on your infected system, download and install additional malware, update the trojan's configuration to target new financial institutions, and potentially use your computer as part of a larger botnet. System performance may degrade noticeably, browsers may behave erratically (unexpected redirects, modified search results, injected advertisements), and you might observe unusual network activity even when you're not actively browsing.
Manual Removal — Step by Step
Disconnect From All Networks Immediately
Before proceeding with any removal steps, physically disconnect your computer from the internet by unplugging the Ethernet cable or disabling WiFi. Banking trojans can exfiltrate data in real-time, so isolation is critical. If you're on a business network, also disconnect from the local network to prevent potential lateral spread to other systems.
Boot Into Safe Mode With Networking
Restart your computer and boot into Safe Mode with Networking. On Windows 10/11, hold Shift while clicking Restart, then navigate to Troubleshoot → Advanced Options → Startup Settings → Restart, and press F5. On older Windows versions, repeatedly tap F8 during boot and select Safe Mode with Networking. Safe Mode loads minimal drivers and prevents most malware from starting automatically, giving you a cleaner environment for removal.
Open Task Manager and Identify Suspicious Processes
Press Ctrl+Shift+Esc to open Task Manager, then click "More details" if needed and switch to the Details tab. Look for processes with random names running from %APPDATA%, %LOCALAPPDATA%, or %TEMP% folders. Cridex often uses names that mimic legitimate Windows processes (like "winlogon.exe" or "csrss.exe") but run from user directories instead of System32. Right-click suspicious processes, select "Open file location" to verify the path, then end those processes. Note the full path for later deletion.
Remove Registry Persistence Entries
Press Windows+R, type "regedit", and press Enter to open Registry Editor. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. Look for entries with suspicious names (often generic-sounding like "Windows Update Agent" or "System Monitor") pointing to random folders in AppData. Right-click these entries and delete them. Also check RunOnce keys in the same locations. Exercise extreme caution in the registry — only delete entries you've positively identified as malicious.
Delete Scheduled Tasks Created by the Malware
Open Task Scheduler by pressing Windows+R and typing "taskschd.msc". Expand Task Scheduler Library and review the task list for entries with random names or descriptions that don't match legitimate software. Cridex variants often create scheduled tasks as backup persistence. Select suspicious tasks, review their properties (particularly the "Actions" tab to see what executable they launch), and delete any that point to the malware files you identified earlier.
Manually Delete Malware Files and Folders
Open File Explorer and navigate to the folders where you identified the trojan executable (typically %APPDATA% or %LOCALAPPDATA% — paste these into the address bar with the percent signs). Delete the entire GUID-named folder containing the malware. Also check %TEMP% for any temporary files with recent creation dates. You may need to show hidden files first by clicking View → Options → Change folder and search options → View tab → Show hidden files, folders, and drives.
Run Malwarebytes Premium or Similar Reputable Scanner
Download and install Malwarebytes (from malwarebytes.com while still in Safe Mode with Networking) or another reputable anti-malware tool if you don't already have one. Update the definitions and run a full "Threat Scan" that examines the entire system. Banking trojans often have multiple components, and automated scanners can find remnants, registry modifications, and browser extensions that manual removal might miss. Quarantine or remove everything the scan identifies.
Reset All Web Browsers to Default Settings
Since Cridex.NC injects code into browsers, reset each browser you use to remove any persistent modifications. In Chrome: Settings → Advanced → Reset and clean up → Restore settings to original defaults. In Firefox: Help → More troubleshooting information → Refresh Firefox. In Edge: Settings → Reset settings → Restore settings to their default values. This removes extensions, cached injection code, and modified settings but preserves bookmarks and passwords (though you'll change those passwords next).
Change All Important Passwords From a Clean Device
Because Cridex specifically targets credentials, assume all passwords entered on this machine during the infection period are compromised. Using a different device (smartphone, tablet, or another computer you're confident is clean), immediately change passwords for your banking accounts, email, PayPal, Amazon, and any other sensitive services. Enable two-factor authentication wherever available. Contact your bank to inform them of the potential compromise — they may want to monitor your accounts or issue new cards as a precaution.
Reboot Normally and Verify Complete Removal
Restart your computer normally (not in Safe Mode) and reconnect to the network. Monitor Task Manager and resource usage for the first hour to ensure no suspicious processes return. Run another full scan with your anti-malware tool to verify the infection is completely gone. Check that your browser behavior is normal with no unexpected redirects or injections. If you see any signs of persistent infection, the trojan may have installed rootkit components requiring professional assistance.
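The four inspection steps above (suspicious processes, Run/RunOnce keys, scheduled tasks, recently created files) can be collected in one pass. The script below is an added example written for this article; it is not code from the article's author or from any security vendor. The drop directories, the list of mimicked process names and the 14-day window are assumptions taken from the steps and the threat profile. It only reports, so each hit can be checked against "Open file location" before anything is ended or deleted.

```powershell
# Added triage example for the removal steps above (not part of the original article).
# Reports the indicators the steps describe; deletes nothing.
# Run from an elevated PowerShell prompt (Safe Mode with Networking is fine).

# Assumed drop locations, taken from the article's "Typical Indicators" row.
$userDirs = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) | ForEach-Object { $_.TrimEnd('\') }

# Assumed list of Windows binaries the trojan mimics; genuine copies live under %SystemRoot%.
$systemNames = @('winlogon.exe', 'csrss.exe', 'svchost.exe', 'explorer.exe', 'lsass.exe', 'services.exe')

# True when the text refers to something inside %APPDATA%, %LOCALAPPDATA% or %TEMP%.
function Test-MentionsUserDir {
    param([string]$Text)
    if ([string]::IsNullOrWhiteSpace($Text)) { return $false }
    $expanded = [Environment]::ExpandEnvironmentVariables($Text)
    foreach ($d in $userDirs) {
        if ($expanded.IndexOf($d, [StringComparison]::OrdinalIgnoreCase) -ge 0) { return $true }
    }
    return $false
}

# Step "Identify Suspicious Processes": images in user-profile directories, or
# system-named images running from outside %SystemRoot%.
function Get-SuspiciousProcess {
    Get-CimInstance Win32_Process | ForEach-Object {
        $path = $_.ExecutablePath
        if (-not $path) { return }                     # protected system processes expose no path
        $name = [IO.Path]::GetFileName($path).ToLower()
        $underWindows = $path.StartsWith($env:SystemRoot, [StringComparison]::OrdinalIgnoreCase)
        if ((Test-MentionsUserDir $path) -or (($systemNames -contains $name) -and -not $underWindows)) {
            [PSCustomObject]@{ PID = $_.ProcessId; Name = $_.Name; Path = $path }
        }
    }
}

# Step "Remove Registry Persistence Entries": Run/RunOnce values launching from user dirs.
function Get-SuspiciousRunEntry {
    $keys = foreach ($hive in 'HKCU', 'HKLM') {
        foreach ($sub in 'Run', 'RunOnce') { "${hive}:\Software\Microsoft\Windows\CurrentVersion\$sub" }
    }
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'   # provider bookkeeping, not values
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($meta -contains $prop.Name) { continue }
            if (Test-MentionsUserDir ([string]$prop.Value)) {
                [PSCustomObject]@{ Key = $key; ValueName = $prop.Name; Command = $prop.Value }
            }
        }
    }
}

# Step "Delete Scheduled Tasks": tasks whose action executes from a user dir.
function Get-SuspiciousTask {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $exe = [string]$action.Execute          # empty for non-executable (COM handler) actions
            if (Test-MentionsUserDir $exe) {
                [PSCustomObject]@{ Task = $task.TaskPath + $task.TaskName; Execute = $exe; Arguments = $action.Arguments }
            }
        }
    }
}

# Step "Manually Delete Malware Files": recently created executables in the drop dirs.
function Get-RecentUserDirExecutable {
    param([int]$Days = 14)                           # assumed look-back window
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ChildItem -Path $userDirs -Recurse -Force -Include *.exe, *.dll, *.scr -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -gt $cutoff } |
        Sort-Object FullName -Unique |                # %TEMP% sits under %LOCALAPPDATA%, so dedupe
        Select-Object FullName, CreationTime, Length
}

Write-Host '== Processes =='
Get-SuspiciousProcess       | Format-Table -AutoSize | Out-Host
Write-Host '== Run / RunOnce =='
Get-SuspiciousRunEntry      | Format-Table -AutoSize | Out-Host
Write-Host '== Scheduled tasks =='
Get-SuspiciousTask          | Format-Table -AutoSize | Out-Host
Write-Host '== Recent executables =='
Get-RecentUserDirExecutable | Format-Table -AutoSize | Out-Host
```

Every hit still needs the manual check the steps describe: a process report from %LOCALAPPDATA% can be a legitimately installed per-user application (several mainstream browsers and chat clients install there), so the path, publisher and creation date are what separate a real indicator from a false positive.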
Prevention
- Maintain skepticism with email attachments. Never open attachments from unknown senders, and be suspicious of unexpected attachments even from known contacts (their accounts may be compromised). Legitimate companies rarely send invoices, shipping notifications, or tax documents as direct attachments — they typically send links to secure portals instead.
- Keep all software rigorously updated. Enable automatic updates for Windows, your browsers, Adobe Reader, Java, and all other installed software. The vast majority of exploit-kit infections succeed because of outdated software with known vulnerabilities. Uninstall software you don't actively use, especially browser plugins like Flash and Java that have historically been major attack vectors.
- Use comprehensive security software and keep it current. Install reputable antivirus/anti-malware software with real-time protection and ensure it updates automatically. Windows Defender (built into Windows 10/11) provides solid baseline protection, but many users prefer the additional features of commercial products like Malwarebytes, Bitdefender, or Kaspersky. Schedule regular full system scans weekly.
- Disable macros in Office documents by default. The vast majority of users never need macro functionality, yet macro-based malware downloaders remain one of the most effective distribution methods. In Microsoft Office, set macro security to "Disable all macros with notification" so they can't execute automatically. If a document requests you enable macros, treat it as highly suspicious unless you specifically requested that document and absolutely need the macro functionality.
- Practice the principle of least privilege. Don't use an administrator account for daily activities. Create a standard user account for web browsing, email, and regular work. Malware running under a standard account has limited ability to install system-level persistence or modify critical Windows components, significantly reducing potential damage.
- Implement network-level protection. Use a router with built-in security features and consider DNS-based filtering services like Cloudflare's 1.1.1.1 for Families or OpenDNS that block known malicious domains. For small businesses, implement proper network segmentation so financial workstations are isolated from general-use systems.
- Enable two-factor authentication on all financial accounts. Even if a trojan steals your password, 2FA (particularly app-based or hardware token methods, not SMS) provides a critical second barrier preventing unauthorized access. Most banks, PayPal, cryptocurrency exchanges, and major online services now offer 2FA — enable it everywhere it's available.
- Regularly review bank and credit card statements. Monitor your accounts at least weekly for unauthorized transactions. Early detection limits damage and helps identify compromises before attackers drain accounts. Consider signing up for transaction alerts that notify you immediately of charges over certain thresholds.
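The macro recommendation above maps to a single per-user registry value in Office, which makes it easy to audit across machines. The script below is an added example written for this article, not code from the article's author. It assumes Office versions 14.0 through 16.0 and the Word, Excel and PowerPoint keys; the VBAWarnings value meanings follow Microsoft's macro-settings policy documentation, and treating an absent value as the Office default (2) is an assumption stated in the code.

```powershell
# Added example for the "disable macros" recommendation (not from the original article).
# Reads the per-user Office macro setting (registry value VBAWarnings under each app's
# Security key) and can set it to "Disable all macros with notification".
# Assumptions: Office versions 14.0-16.0; Word/Excel/PowerPoint keys; absent value = default 2.

$vbaMeaning = @{
    1 = 'Enable all macros (not recommended)'
    2 = 'Disable all macros with notification'
    3 = 'Disable all macros except digitally signed macros'
    4 = 'Disable all macros without notification'
}
$versions = '16.0', '15.0', '14.0'
$apps     = 'Word', 'Excel', 'PowerPoint'

function Get-OfficeMacroSetting {
    foreach ($v in $versions) {
        foreach ($app in $apps) {
            $appKey = "HKCU:\Software\Microsoft\Office\$v\$app"
            if (-not (Test-Path $appKey)) { continue }          # app/version not present for this user
            $policyKey = "HKCU:\Software\Policies\Microsoft\Office\$v\$app\Security"
            $prefKey   = "$appKey\Security"
            $policy = (Get-ItemProperty -Path $policyKey -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
            $pref   = (Get-ItemProperty -Path $prefKey   -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
            # Group Policy overrides the user preference; absence is assumed to mean the Office default (2).
            if ($null -ne $policy)    { $source = 'policy';  $effective = [int]$policy }
            elseif ($null -ne $pref)  { $source = 'user';    $effective = [int]$pref }
            else                      { $source = 'default'; $effective = 2 }
            [PSCustomObject]@{
                App       = $app
                Version   = $v
                Source    = $source
                Value     = $effective
                Meaning   = $vbaMeaning[$effective]
                Compliant = ($effective -ge 2)                  # 1 = macros run automatically
            }
        }
    }
}

# Sets the user preference to 2 for each installed app that is below the recommended level.
# A policy-sourced value is left alone, since it overrides the preference anyway.
function Set-OfficeMacroNotification {
    foreach ($row in Get-OfficeMacroSetting | Where-Object { $_.Source -ne 'policy' -and -not $_.Compliant }) {
        $key = "HKCU:\Software\Microsoft\Office\$($row.Version)\$($row.App)\Security"
        New-Item -Path $key -Force | Out-Null
        Set-ItemProperty -Path $key -Name VBAWarnings -Value 2 -Type DWord
    }
}

Get-OfficeMacroSetting | Format-Table -AutoSize
# Set-OfficeMacroNotification   # uncomment to apply the recommended setting
```

Values 3 and 4 are reported as compliant because they are stricter than the recommended setting; only a value of 1, which lets macros run without any prompt, is flagged.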
Bring It In
Banking trojans like Cridex.NC represent serious threats with potentially significant financial consequences. While the manual removal steps above can be effective, these infections often have multiple components, rootkit capabilities, and sophisticated hiding mechanisms that make complete removal challenging for non-technical users. Missing even a small persistence mechanism means the infection can reinstall itself, continuing to steal credentials while you believe the problem is resolved.
Computer Repair Roswell specializes in thorough malware removal using professional-grade tools and techniques that go beyond what consumer antivirus software can achieve. We perform deep forensic scans, analyze running processes and network connections, remove rootkits and bootkits, verify BIOS/UEFI integrity, and ensure every trace of the infection is eliminated. We're located at 640 South Atlanta Street in Roswell, and we offer same-day service for urgent infections. Call us at (770) 674-6801 — if you're dealing with a banking trojan, time is critical, and we're here to help protect your financial security and restore your peace of mind.