Warning: Cryptor trojan is hard at work again

[Barbara Eyre]

Well, yesterday, while strolling through various marketing websites ... I had a lovely AVG message come up saying threat alert. I barely had enough time to focus in on it before my computer shut down on its own and restarted.

The result? All antispyware programs were blocked: Malware Antivirus, SuperSpyware, Spybot Search & Destroy. AVG put a couple of files in their vault, but it didn't do any good.

Every so often, some media would play on its own ... typically audio, like pre-recorded radio station stuff, comedic soundbites, etc. You can have everything but the very basic running on your computer (just those things that keep your computer on) and it will still play. Nothing showed up in Task Manager to say what program was running these things.

Plus, I saw ... when looking at properties of folders on my computer ... that my Documents and Settings folder was quickly growing in size ... you can see the numbers change while looking at it's properties. And my RAM was quickly eaten up.

Fix? Well, the popular consensus, according to 3 hours of research on my hubby's computer found that disabling system restore, rebooting, running removal program, then re-enabling system restore would do the trick.

Ummmm, no. For one, I had no "removal program". And every time I tried to download any program, it was blocked. Many times, I would go to any anti-virus website, the Cryptor trojan would divert me elsewhere. The darn thing wouldn't even let me do any system restore points.

There was no clear consensus on what this trojan does. Many say it was a keylogger. As soon as I got the threat, I closed down everything and did all my research on my husband's computer. Most say it was a minor risk threat. I'd saying having to restore your computer to factory specs is not "minor". It's a full day hassle. I've lost over a full day's work, at a time when I needed to work every second of the day because we have clients who doesn't deem it necessary to pay for work completed. I haven't been able to pay any of my utilities for the month, nor the car insurance. Rent is due on August 5th and we don't have a dime for it. We've been able to collect just enough to feed ourselves this month. I truly did NOT need this trojan right now. Sorry ... /rant.

So, I spent the night double saving client files and other important stuffs and this morning did a complete recovery of my computer. That was the only other alternative we could find. Twice, while saving things to CDs, my computer shut down on its own.

While AVG was able to tell me about the threat, it wasn't able to do anything about it. So, I put on Avast ... I hope this does better.

I had several websites open at the time, and I was reading on one (thus inactive) for easily 15-20 minutes before this even happened. It did not happen upon entering a website. So, it was timed. More than likely scripted within a sidebar ad or something.

I'm still working on getting my computer back to where I need to get back to work: reloading software (free and paid), getting Firefox back with addons, all those little things when you have to get your "house" back in order.

I'm not computer savvy as most of you here and this was evening time when it happened ... so the chances of getting help from any of you were slim. So, if there was another solution that could have saved me time ... oh well. I was forced to clean up my computer however. *chuckles*

Anyways, just wanted to let everyone know about this nasty that, according to various forums we found via a search for a solution, was active back in August/October 2008 and has made a resurgence here in the last month or so. Just make sure you have all your antivirus software at full throttle. Save all important files and such to an external harddrive or CDs.

Oh .... I do my emails through Outlook Express 6. I was able to compress my folders into a 499MB file and save to CD. But OE won't recognize the file to import back in those emails. Any ideas? I get my "work orders" through those emails and there were a few that came in shortly before the trojan started. Otherwise, they were saved emails, one folder for each client. There doesn't seem to be an easy way to save emails to your computer, except for one by one. No, these emails are not on the server. However, I do now have that setting set so that they are, just in case.

Ok, back to work I go.

[Rich Struck]

You mentioned Firefox - Was that the browser you were using when this happened?

[Barbara Eyre]

Yes, it was. Firefox is my work-horse. I do have IE up and running, but only use that to see how my work looks in that browser.

[Rich Struck]

Quote:

Originally Posted by Barbara Eyre

Yes, it was. Firefox is my work-horse. I do have IE up and running, but only use that to see how my work looks in that browser.

Interesting. I thought FF was supposed to help prevent stuff like this.

[Barbara Eyre]

Well, FF isn't an antivirus program. Yes, they do have better security protection than IE (from what I understand, I'm not techy). It's your antivirus program, such as Norton, AVG, Avast, etc, that is supposed to stop this stuff. But, it all depends on how these nasties are scripted I guess.

I purposely did not use the FF addon that blocks ads, but ads is where we make our living online. And I find lots of useful resources via banner ads, etc. There's pros and cons to using that addon. I wonder, if I had that addon activated, would it have block the trojan? *shrugs* I don't care to experiment LOL.

[Josh Semke]

I use Avast home edition and Spybot Search and Destroy.

Whenever I think something funny is going on, I immediately pull my ethernet cord (I'm old school) and sometimes hit the power button (even if I do lose work).

But every now and then I'll get a bad one and have to save everything and completely wipe out everything and start all over again. Getting the operating system and drivers and utilities CDs with your computer is a must.

I don't know of any other way. It seems to be the easiest, fastest and cheapest for me.

[Lawrh]

Something that is not commonly realized is that when an infection blocks security updates, it is possible to get them elsewhere. I dealt with one case where all AV sites were blocked. I used Google and found Malwarebytes on Cnet and was able to download and clean the machine. Malicious software blocks the vendor sites but not other download sites. Keep this in mind next time, with experience you learn there is usually always another solution.

[Barbara Eyre]

Yes, we were able to get to download pages and physically download the programs. But that was it. The trojan wouldn't let us install/run any of the programs. Anything that could harm itself, it blocked. Smart bugger.

[Arted4Life]

I have a 1TB External HD next to my computer. I backup everything nightly, after running a few quick virus scans. I find that with this method the most I can lose is a days worth of work. I'm sorry to hear, that it destroyed your computer so such and to such an extent, hopefully you'll make a full recovery.

Good luck!

[Mark Hess]

I was having the same problems with malware, viruses, etc... and actually had to get my hard drive replaced and programs restored because of this.

I switched to Google Chrome and I haven't had any problems since... plus chrome is a lot faster than FireFox... to bad they don't have any seo addons for it yet.

(and NO I wasn't looking at porn)

[Matt Gannon]

backing up files is very good idea anyways, never know when your hard drive will die. I think ill do it now!

[Lloyd Buchinski]

Quote:

Originally Posted by Barbara Eyre

So, I put on Avast ... I hope this does better.

Avast has a really nice feature that has saved my bacon. When you first install it and start it, you are offered the option of doing a 'boot time scan'. (Not sure if that's exactly what they called it) If you select that option, it does a restart of your computer and halfway through the restart it stops the restart and does a scan when nothing else is moving yet. It is really fast since all the power in your computer goes to nothing else, not even your start up programs.

When I wound up with a nasty trojan it found 2 files that it wanted to delete and I accepted the offer (!) Everything was back to normal.

If you missed that chance to do the boot time scan, the only way I know to get it done is to uninstall avast, then download and reinstall it. I did suggest in their feedback that they make this available at any time.

best wishes, lloyd
.......__o
.......\<,
....( )/ ( )...

[Barbara Eyre]

Yes, after the recovery, I installed avast and got that boot-time scan ... but it was on a virgin harddrive at that point, so it didn't do any good.

Yes, I have an external harddrive also. But I wasn't sure if it was compromised or not, thus why I spent the extra time saving client website files and images to CDs.

So, no, I didn't lose anything per se, it was just the time it took to get it all back onto my computer and tidied up and such.

[kf]

Barbara. Sympathies. Went through something similar a few months ago.

I'd highly recommend the Acronis True Image program. It basically 'ghosts' your machine so once I got rid of the nasties, I simply chose an earlier image and my computer was up and running within minutes - including all software, all settings, even my desktop the same.

I 'ghost' my machine once a week to an external HD and back-up files daily to another external HD. So worse case scenario is losing up to a week when I re-install to an earlier 'image' and any lost files can be recovered from the daily back-ups.

It's a small investment when you consider the huge time suck doing all the re-installs can be. When you're back on your feet, you may want to consider it.

[kimothy777]

Thanks for the tips. I reinstalled firefox after not having it for a few months. Just did it the day before yesterday. and yesterday my computer crashed twice. Not sure if it was because of firefox or some other trojan but you have reminded me of the importance of backing up data nightly. Thanks

[Regional Warrior]

Quote:

Originally Posted by kimothy777

Thanks for the tips. I reinstalled firefox after not having it for a few months. Just did it the day before yesterday. and yesterday my computer crashed twice. Not sure if it was because of firefox or some other trojan but you have reminded me of the importance of backing up data nightly. Thanks

Mate Firefox 3.5 is very buggy and will crash the computer/laptop it is known issue.best thing to do is go to the Mozilla site and look for 3.1 and download it works great

Cheers

[Gail Sober]

I don't know if it's too late but here's the info on backing up and restoring email

How to back up and to restore Outlook Express data

Since I see that you may already be past this point, you may try to get those compressed files (uncompress first) into csv format before importing if possible.

Also, next time I guess, you might want to start your computer in safe mode before running any scans which you might be able to run from a disc if you don't have it on your actual system (burn on the other computer).

Good luck and sorry for your trouble. I've dealt with plenty of these
issues on friends and relatives computers. It can be a major ordeal
trying to pick them out of your system.

[Lawrh]

Quote:

Originally Posted by jps2261

Mate Firefox 3.5 is very buggy and will crash the computer/laptop it is known issue.best thing to do is go to the Mozilla site and look for 3.1 and download it works great

Cheers

I've had it since the day it was released and have never had even one crash. Even with my 24 add-ons it's completely stable.

[Barbara Eyre]

Gail,

Thanks for your help.
Yeah, past the point of those instructions, but now I know for next time (knock on wood that there is no next time) .... I have to find a way to uncompress .dbz files (that is what was created by OE) ... and hopefully it will at least let me view them ... I don't have to import them necessarily ... but look at image attachments and such that clients send. *shrugs*

Also, we did try the the safe mode thing ... stupid trojan kept the computer from going into safe mode! Imagine that one!!

Quote:

Originally Posted by Gail Sober

I don't know if it's too late but here's the info on backing up and restoring email

How to back up and to restore Outlook Express data

Since I see that you may already be past this point, you may try to get those compressed files (uncompress first) into csv format before importing if possible.

Also, next time I guess, you might want to start your computer in safe mode before running any scans which you might be able to run from a disc if you don't have it on your actual system (burn on the other computer).

Good luck and sorry for your trouble. I've dealt with plenty of these
issues on friends and relatives computers. It can be a major ordeal
trying to pick them out of your system.

[Lutz80]

thanks for the heads up

[jendoe]

I've been getting virus-like behaviors too lately - thanks for the tip about Avast and the boot scan.

After some poking around, I found out (and just tested) - you CAN do a boot scan with Avast (free version), WITHOUT having to reinstall.

It's documented in the user guide, here: [edited, because apparently I CAN post links now! Thank you WF!] - http://www.avast.com/eng/download-us...nd-manual.html

Here's what I did:

- Start up the antivirus dashboard that you use when you want to initiate a scan.

- Access the "Options". I did this by clicking on the small "Up" arrow, in the top left corner of the dashboard.

- One of the options here is "Schedule boot-time scan" (about half way down on mine). Click this!

- You can now set up your scan parameters (what you want to scan, and what to do with suspicious files). I had suspicious files moved to the chest, and told it to ask me for system files (to avoid breaking anything).

- It will prompt you to reboot. When you do, it automatically initiates the boot-scan.

Awesomeness. I would never have known to go looking for it, so thanks for the tip - and hopefully some others can use it without going through the re-install now!

(And, nope, didn't find anything on my computer... it looks like, hopefully, I've managed to kill off whatever was coming after me. *Fingers crossed*.)

Thanks!
-Jen

[MDalton10]

Was it crypt.fhv.dropper? Because I am acutally the person who discovered that virus lol.
"Dear Sir/Madam, thank you for your email. Please let us inform you that the file attached to your previouse-mail was really infected with a new variant of Trojan horse. Thedetection will be available with the next AVG virus definitionsupdate. Thank you for your cooperation. Please feel free to contact us if we can be of further help. Best regards, Ondrej PlotenyAVG Technical Support website: http://www.avg.commailto: support@avg.com"

It installs itself by using a setup file with a flag. The flag installs another file while you're distracted.