Tuesday, March 9, 2010

Rogueware fixed (maybe) - Trojan Horse Cryptic.AM

Our very own Patti Anne managed to get things working yesterday evening.  We both have computer backgrounds, and we both know (yes, even me) that most problems can be solved.  This stuff doesn't happen out of thin air, it's not magic.  It came from somewhere, it exists somewhere, and it can be dealt with.  This can be a challenge however.  You have to have some skills, and frequently some good fortune.

So here's what happened:

- A pdf pops up out of nowhere
- Something called Windows XP Anti-Virus Pro starts running, warning me that I have all kinds of problems
- XP Anti-Virus Pro wants me to register their product (i.e. send them money)
***Don't ever send these people money. It will do no good. Personally, I'll remove my hard drive and smash it with a hammer before I send any money to someone who has hijacked my computer.
- My normal anti-virus software is disabled
- I am unable to download anything
- I am unable to do a system restore
- XP Anti-Virus Pro perfectly mimics Windows Security
- Everything it warns you about is bogus

If you search google, you can find out all sorts of info about this program, with instructions on how to remove it.  My problem is, they all involved downloads of anti-virus software at some point, and I could not download anything.  It effectively disables all your protections and makes it impossible to go online "safely".

Patti Anne took a different approach to the problem. On another computer she typed in "cannot run mbam.exe" (some additional anti-virus software we have), and "a virus has taken over my computer".  She got different information.

So here's what she did:

- she created an "Avira" rescue CD on an non-infected computer
- she put the rescue CD in the CD drive on the infected computer
- she booted up the infected computer in safe mode
*** I have to remember that "safe mode" is F8, not F-anything else.  Also, Patti Anne is not sure that the rescue CD actually did anything.  Just keep that in mind
- from safe mode, she was able to do a system restore to an earlier date
*** I know this worked, because my desktop wallpaper changed; also it's significant, because I could not do a system restore normally.
- at that point we could execute malwarebytes (full scan)
- also, my normal anti-virus software, which had been scheduled to run earlier but didn't, kicked off.

Malwarebytes came back clean - it didn't find anything.

My other software did find something - "Trojan Horse Cryptic.AM", and removed it.   I looked in the history and found that this software had kicked off as scheduled hours earlier, but ended abnormally, with an error message saying its log file was corrupted. Further searching showed that the software had actually found this trojan the first time it had started, in a different location, and had also removed it.  The scan still ended abnormally, and my computer was still infected.

I can't begin to describe how uneasy I feel about all this.  I do not feel secure at all.  Neither of us are a 100% sure that this particular issue is solved. We don't know if this "Cryptic.AM" was the culprit or not, though it seems a likely suspect.   But we've got an online business going, so we need to keep on trudging along.  At the moment, everything appears normal.

This stuff is apparently quite well known, so neither of us understands how it gets past firewalls and our anti-virus software. (I use anti-virus to mean everything, trojans, spyware, adware, etc., just so you know)

Any comments or ideas about this will be very welcome.

10 comments:

Anonymous said...

what software do you mean by "My other software" please be specific. I have determined for myself that Cryptic.AM is the root of xp antivirus pro, so the name of your other software would benefit us all greatly. Otherwise, excellent post. Many Thanks.

linlah said...

I run a program called PCSafe Adware Filter and I can tell you they have saved me a couple of times when Norton didn't. I don't remember what I pay each year but it is well worth the price and far less than Norton. PCSafe also has excellent customer service.

Jennifer said...

I have a Mac which has saved me from a lot of virus pain. I'm sorry that you've been having troubles and Yay! for Patti Ann.

Anonymous said...

I had three different security programs find all kinds of things. Same thing happened to me.

First - Adobe has a vulnerbility that has been known to be attacked.
Make sure you are updated to 9.3 only.

AVG8 found the "av.exe" creep.
MS security essentials found another
and Malwarebytes found 2 others.

Get rid of your limeware too. All of it - in your add/remove and in explorer.

Check your application Data files to insure you have nothing there as well.
Scan everday with your three antivirus/malware tools

A Valdese Blogger said...

Anon I : AVG 9 is the one that caught it, but only after it could run. It was somehow disabled by this trojan - it did not stop the initial infection.

linlah: PCSafe....thanks for the tip. I've also run Norton, and this stuff just gets past it.

Jennifer: Hmmmm A Mac....it's actually something to think about.
Patti Anne's pretty smart, so I second the "Yay".

Anon II: Good information, thank you!

Heather said...

I was just using Norton and yes, I learned it is not enough. I too thought that it would cover everything. I have just recieved somekind of adware and malware protection, now I just need to learn how to use it.

I hope you are fixed up and kudos to Patti Ann.

Bianca Castafiore? said...

what a disgusting way for apparently brilliant minds to pass the time (and steal our money, and sanity).

we dealt with this a few weeks back, too.

not as savvy as youse guys, we ended up calling the microsoft help line (in other words, india) -and lo, the tech quickly found the evil av. exe file...

good post, valdesian.

A Valdese Blogger said...

Heather & Bianca: Thanks for your comments & and that av. exe IS evil. Problem is, I'm not sure if how we handled the problem will work the next time. And I'm pretty sure there will be a next time.

Krysia said...

What is an Avira CD rescue? I also got hit, I think with this Cyrptic. A window popped up saying AVG needed to DL. Too late, I realised AVG never asks me anything. I figured I'd do a System Restore, but none of my programs work. Could someone help please? Thank goodness for manual nackups so I have my desktop computer to still work.
Thanks.

A Valdese Blogger said...

Krysia: to be honest I don't think the avira recue CD did much of anything. Ultimately what worked was booting up in safe mode, manually running the anti-virus software, doing a system restore to a previous date, then booting up normally.