What happened? somewhat related to CRYPTIC.AZC


mm

What happened? somewhat related to CRYPTIC.AZC

A friend had an HP netbook with some respectable AV software, and she
got a virus it seems that allowed the Welcome to XP screen to show,
but nothing beyond that.

She took it to Best Buy where the guy started it up, took one look at
it, threw up his hands, and gave it back to her.

HP wanted 139 dollars to do something, but she says the whole netbook
was only 300! (And she eventually wants to buy a laptop anyhow,
because this one has small keys. I point out that many laptops have
smaller keys than a desktop, but she doesn't say anything.)

I like a challenge, and she's a friend, so I installed the portable
version of AVG on a flash drive, changed the boot order to start with
the USB port, booted, ran the AVG, found two consecutive occurrences
(in the same temp directory) of CRYPTIC.AZC, looked it up on my
computer and found the manual way of removing it, let AVG finish on
her computer, rebooted, and XP ran fine!!!!!

Boy did I feel good. I checked Task Manager and sysdpt.exe wasn't
running, checked the system32 directory and sysdpt.exe wasn't there,
and checked the two places in the registry and the references to it
weren't there. I felt even better, and better about AVG.

Just about then a screen appears from the MS AV program, something
essential. At this time I didn't know what AV she had but there was a
little yellow castle turret in the systray, with 3 high spots and two
places in between for the archers to shoot from. I didn't know what
software that represented. What does it represent?

Anyhow, 20 progress bars, for 20 different AVG programs showed up,
ran across the screen and 5 of them came up with removal programs for
the virus it had named. I'll admit, I clicked on one. It was a fraud.

Maybe it was AntispySafeguard. That name is in this story somewhere.

MY QUESTION IS: Does it matter if I click on something? After all,
the virus must be there already to display the message that I have a
virus. What if I didn't click? Would it just give up and go home?
Surely it would do all the same bad things. Is that right?

After this, I told my story to my other friend I wrote about with a
virus, and she says she didn't actually click on the scan as it
said to do. I assumed she had, I guess, but it started by itself.

QUESTIONS 2 ARE: Did AVG do anything, accomplish anything?

Did I dl a new virus in the 5 minutes I was running windows, even
though I didn't dl any email, didn't iirc open a web browser, and
didn't click on anything?

Or was this a leftover from CRYPTIC.AZC, and AVG only got part of it?
And not enough to prevent it from messing everything up. Or did AVG
actually get none of it?

Is http://www.spywaredb.com/remove-trojandownloader-win32-crypt/
incorrect when it says the four places that sysdpt.exe infects things?
 

David H. Lipman

From: "mm" <[email protected]>

| What happened? somewhat related to CRYPTIC.AZC

| A friend had an HP netbook with some respectable AV software, and she
| got a virus it seems that allowed the Welcome to XP screen to show,
| but nothing beyond that.

| She took it to Best Buy where the guy started it up, took one look at
| it, threw up his hands, and gave it back to her.

| HP wanted 139 dollars to do something, but she says the whole netbook
| was only 300! (And she eventually wants to buy a laptop anyhow,
| because this one has small keys. I point out that many laptops have
| smaller keys than a desktop, but she doesn't say anything.)

| I like a challenge, and she's a friend, so I installed the portable
| version of AVG on a flash drive, changed the boot order to start with
| the USB port, booted, ran the AVG, found two consecutive occurrences
| (in the same temp directory) of CRYPTIC.AZC, looked it up on my
| computer and found the manual way of removing it, let AVG finish on
| her computer, rebooted, and XP ran fine!!!!!

| Boy did I feel good. I checked Task Manager and sysdpt.exe wasn't
| running, checked the system32 directory and sysdpt.exe wasn't there,
| and checked the two places in the registry and the references to it
| weren't there. I felt even better, and better about AVG.

| Just about then a screen appears from the MS AV program, something
| essential. At this time I didn't know what AV she had but there was a
| little yellow castle turret in the systray, with 3 high spots and two
| places in between for the archers to shoot from. I didn't know what
| software that represented. What does it represent?

| Anyhow, 20 progress bars, for 20 different AVG programs showed up,
| ran across the screen and 5 of them came up with removal programs for
| the virus it had named. I'll admit, I clicked on one. It was a fraud.

| Maybe it was AntispySafeguard. That name is in this story somewhere.

| MY QUESTION IS: Does it matter if I click on something? After all,
| the virus must be there already to display the message that I have a
| virus. What if I didn't click? Would it just give up and go home?
| Surely it would do all the same bad things. Is that right?

| After this, I told my story to my other friend I wrote about with a
| virus, and she says she didn't actually click on the scan as it
| said to do. I assumed she had, I guess, but it started by itself.

| QUESTIONS 2 ARE: Did AVG do anything, accomplish anything?

| Did I dl a new virus in the 5 minutes I was running windows, even
| though I didn't dl any email, didn't iirc open a web browser, and
| didn't click on anything?

| Or was this a leftover from CRYPTIC.AZC, and AVG only got part of it?
| And not enough to prevent it from messing everything up. Or did AVG
| actually get none of it?

| Is hxxp://www.spywaredb.com/remove-trojandownloader-win32-crypt/
| incorrect when it says the four places that sysdpt.exe infects things?

First, where did anything really state this was a "virus" and not a trojan? All
indications are trojan activity, not viral activity.
spywaredb.com is an affiliate site whose job it is to get you to install and
purchase SpyWare Doctor. Instructions at such sites must be taken with a grain of salt
because their objective is always affiliate revenue. Revenue that won't be earned if the
instructions are 100% effective.

Additionally, one of the problems the anti malware industry has always faced is naming
malware across all vendors. That is, a given piece of malware may be identified by
multiple vendors with different names. Sometimes they may be similar, sometimes the
majority are the same, but more times than not, each vendor will identify a given piece of
malware with a different name.

Knowing the naming problem, we really can't go by these "removal" instructions as being
partially correct or 100% correct.

AVG defined the malware as CRYPTIC.AZC. Searching the library of AVG Technologies,
http://free.avg.com/us-en/virus-encyclopedia, for "CRYPTIC.AZC" or "CRYPTIC" is no help.

What you did in the first place by scanning the system using a portable version of AVG
from a flash drive was *good* work. However, you failed to follow up that scan with
additional scans by other anti malware utilities to discern if there were additional types of
malware AVG failed to detect. It appears that the notebook was infected by a FakeAlert
type trojan and you further infected the notebook by falling for the FakeAlert con.
 

FromTheRafters

mm said:
| What happened? somewhat related to CRYPTIC.AZC
|
| A friend had an HP netbook with some respectable AV software, and she
| got a virus it seems that allowed the Welcome to XP screen to show,
| but nothing beyond that.

Doesn't sound like a virus.

| She took it to Best Buy where the guy started it up, took one look at
| it, threw up his hands, and gave it back to her.

Ayup - there's yer problem right there - it's broke.

| [...]
| I like a challenge, and she's a friend, so I installed the portable
| version of AVG on a flash drive, changed the boot order to start with
| the USB port, booted, ran the AVG, found two consecutive occurrences
| (in the same temp directory) of CRYPTIC.AZC, looked it up on my
| computer and found the manual way of removing it, let AVG finish on
| her computer, rebooted, and XP ran fine!!!!!

Never heard of it, but many similarly named malware programs are trojan
downloaders.

| Boy did I feel good. I checked Task Manager and sysdpt.exe wasn't
| running, checked the system32 directory and sysdpt.exe wasn't there,
| and checked the two places in the registry and the references to it
| weren't there. I felt even better, and better about AVG.

I did a quick google for that filename and came up with references to
"TrojanDownloader.Win32.Crypt". Is *this* what you have?

....sorry, close doesn't count - you have to be specific about what
malware name was given by what antimalware or antivirus program.

An online file submission scanner (virustotal.com, jotti.org,
virscan.org to name a few) can be helpful in giving you names assigned
by other scanners - more food for google to eat.

| Just about then a screen appears from the MS AV program, something
| essential. At this time I didn't know what AV she had but there was a
| little yellow castle turret in the systray, with 3 high spots and two
| places in between for the archers to shoot from. I didn't know what
| software that represented. What does it represent?

Probably MSSE (Microsoft Security Essentials).

| Anyhow, 20 progress bars, for 20 different AVG programs showed up,
| ran across the screen and 5 of them came up with removal programs for
| the virus it had named. I'll admit, I clicked on one. It was a fraud.

Funny, you usually have to browse the web for this to happen (or did you
just neglect to mention that you fired up the browser?).

| Maybe it was AntispySafeguard. That name is in this story somewhere.
|
| MY QUESTION IS: Does it matter if I click on something? After all,
| the virus must be there already to display the message that I have a
| virus.

Sometimes you only have a script with limited scope running (untrusted
internet zone) and it wants you to click it. Once clicked, you have
given it tacit permission to run as the current user with the privileges
that user enjoys (no longer as limited as the initial script was).

| What if I didn't click? Would it just give up and go home?
| Surely it would do all the same bad things. Is that right?

Not necessarily, if it was the old "Message From Webpage" pop-up, you
can just ignore it and it will patiently wait for input it never gets.
When you close your browser, it dies. If you use Task Manager to end it,
it usually ends the entire session, and so I just ignore it until I'm
ready to stop browsing.

| After this, I told my story to my other friend I wrote about with a
| virus, and she says she didn't actually click on the scan as it
| said to do. I assumed she had, I guess, but it started by itself.

If it started by itself, then there is an unpatched vulnerability on her
machine somewhere.

| QUESTIONS 2 ARE: Did AVG do anything, accomplish anything?

Unknown, but since you became able to boot, I assume it did *something*.

....and entered something in a log file I presume...

| Did I dl a new virus in the 5 minutes I was running windows, even
| though I didn't dl any email, didn't iirc open a web browser, and
| didn't click on anything?

You probably have something running that connected the browser to a
malware server.

| Or was this a leftover from CRYPTIC.AZC, and AVG only got part of it?
| And not enough to prevent it from messing everything up. Or did AVG
| actually get none of it?
|
| Is http://www.spywaredb.com/remove-trojandownloader-win32-crypt/
| incorrect when it says the four places that sysdpt.exe infects things?

I haven't read that yet, but it hasn't been established that CRYPTIC.AZC
= TrojanDownloader.Win32.Crypt - they are probably entirely different
beasts (and both not viruses at all).
 

mm

David's post is longer. I'll get to it tomorrow, I hope.

| How do you make a USB drive bootable?

Two ways that I know of.

The first was what I did, use the portable version of AVG. If you
can't find it on the net, email me, remove the NOPSAM, and I'll figure
out where I got it. It's free. I downloaded it using XP, and I
followed directions. I think I installed it straight to the usb drive,
and it included a program in it that made the drive bootable. Maybe
it was called makeboot.exe.

At first I had trouble, because I already had things on this drive so
I made a directory and put AVG in it. When I moved AVG to the root
directory of the flash drive, makeboot worked.

I would guess that one can do all this and then use some of the files
from AVG on a different flashdrive that doesn't have AVG at all, but I
have no time to test this, especially considering method two.


The second is flashboot 2.0t. Again, if you can't find it let me
know. I haven't had occasion to use it, but its purpose is to install
windows from a flash drive or USB hard drive, and it says it works
with anything else also, so it probably works.
http://www.prime-expert.com/flashboot/ It's not free, but the demo
version works for 30 days from the date the drive was formatted, and
each distinct USB disk can be formatted by FlashBoot demo version no
more than 16 times. If you use it every month for 16 months, you
should really buy a copy! 30 euros.

I was going to try this one to enable me to copy the Recovery CD to a
flash drive and then install windows on my friend's netbook from that
-- I know it is designed to install Windows with -- but A) HP has a
downloadable, installable from a flash drive, recovery partition, for
its netbooks, and maybe other computers, and B) before I knew that I
decided to buy a cable that will enable me to connect any IDE or
SATA drive or DVD or CD drive to the USB port. It hasn't come yet, but
I have so many CDs to run, counting AV CDs on this netbook alone,
and there will be more netbooks in the future, that I don't want to
keep loading them to the flash drive, so I'll connect a CD drive to
this new cable and use the CDs. It's 20 dollars from Newegg, no
charge for shipping. I don't know if it works but it had 105 ratings
and most of them were overwhelmingly positive. The rest complained a
little about the SATA cable, which the buyer himself replaced with
another one.
 

mm

| Thanks for the details mm. I just checked, and my BIOS doesn't allow
| booting from the USB drive. I'm using an older computer.

Neither does mine, but the HP mini is only about 2 years old. In
addition, since it doesn't have a floppy drive or a CD drive, they
figured they had to provide some source other than the hard drive to boot
from.

If my long trip actually gets scheduled, I'm going to buy a netbook,
or maybe if she buys a laptop, I can borrow this one. :)
 

mm

My next thread is a lot more important than this is now. It's about
the same computer, but after running Panda and Kaspersky, plus 3
general questions.

mm said:
| | What happened? somewhat related to CRYPTIC.AZC
| |
| | A friend had an HP netbook with some respectable AV software, and she
| | got a virus it seems that allowed the Welcome to XP screen to show,
| | but nothing beyond that.
|
| Doesn't sound like a virus.
|
| | She took it to Best Buy where the guy started it up, took one look at
| | it, threw up his hands, and gave it back to her.
|
| Ayup - there's yer problem right there - it's broke.

Darn.

| [...]
|
| | I like a challenge, and she's a friend, so I installed the portable
| | version of AVG on a flash drive, changed the boot order to start with
| | the USB port, booted, ran the AVG, found two consecutive occurrences
| | (in the same temp directory) of CRYPTIC.AZC, looked it up on my
| | computer and found the manual way of removing it, let AVG finish on
| | her computer, rebooted, and XP ran fine!!!!!
|
| Never heard of it, but many similarly named malware programs are trojan
| downloaders.

Okay.

| | Boy did I feel good. I checked Task Manager and sysdpt.exe wasn't
| | running, checked the system32 directory and sysdpt.exe wasn't there,
| | and checked the two places in the registry and the references to it
| | weren't there. I felt even better, and better about AVG.
|
| I did a quick google for that filename and came up with references to
| "TrojanDownloader.Win32.Crypt". Is *this* what you have?

I think so. I found hits like this one. I thought I searched on the
virus name as I wrote it here, and found exact hits, but maybe I just
got on the CRYPTIC part, or CRYPT.

| ...sorry, close doesn't count - you have to be specific about what
| malware name was given by what antimalware or antivirus program.

That was the name I got from the program.

| An online file submission scanner (virustotal.com, jotti.org,
| virscan.org to name a few) can be helpful in giving you names assigned
| by other scanners - more food for google to eat.

I'll check them, but as you can see in the next post, I'm really in
deep water now. :) I removed 42 instances of malware and one isn't
removed so far.

| Probably MSSE (Microsoft Security Essentials).

Yeah, that was it. But that might have been a lie. Now that I ran
Kaspersky, it showed the Norton Quarantine directory as having
malware. Well of course! Though Panda didn't show it. I wonder if
that is better or not as good to cite things found in a quarantine
folder or virus vault.

| Funny, you usually have to browse the web for this to happen (or did you
| just neglect to mention that you fired up the browser?).

No, I don't think I did. That's why I think it was already there, and
AVG only found one malware and not this one.

| Sometimes you only have a script with limited scope running (untrusted
| internet zone) and it wants you to click it. Once clicked, you have
| given it tacit permission to run as the current user with the privileges
| that user enjoys (no longer as limited as the initial script was).

Bummer, so it might well be partly because of what I did.

| Not necessarily, if it was the old "Message From Webpage" pop-up, you
| can just ignore it and it will patiently wait for input it never gets.
| When you close your browser, it dies. If you use Task Manager to end it,
| it usually ends the entire session, and so I just ignore it until I'm
| ready to stop browsing.

Uh huh. I really don't get popups anymore, but I do get messages that
FFox suppressed a popup and I can let it pop up if I want.

| If it started by itself, then there is an unpatched vulnerability on her
| machine somewhere.

Maybe. My other friend with the other computer didn't always accept
security updates, or maybe she did because they were set to be
automatic by her other friend. I don't know so much about the owner
of this one.

| Unknown, but since you became able to boot, I assume it did *something*.

Okay.

| ...and entered something in a log file I presume...
|
| You probably have something running that connected the browser to a
| malware server.

Ugh. I missed this line the first time I read your post.

| I haven't read that yet, but it hasn't been established that CRYPTIC.AZC
| = TrojanDownloader.Win32.Crypt - they are probably entirely different
| beasts (and both not viruses at all).

Okay.

Thanks a lot.
 

FromTheRafters

mm said:
| My next thread is a lot more important than this is now. It's about
| the same computer, but after running Panda and Kaspersky, plus 3
| general questions.

I just posted there, but I must say that Dustin Cook and David H. Lipman
have extensive experience in dealing with malware.

| [... CRYPTIC.AZC ... etc...]
| | Never heard of it, but many similarly named malware programs
| | are trojan downloaders.
| [...]
| | I did a quick google for that filename and came up with references to
| | "TrojanDownloader.Win32.Crypt". Is *this* what you have?
|
| I think so. I found hits like this one. I thought I searched on the
| virus name as I wrote it here, and found exact hits, but maybe I just
| got on the CRYPTIC part, or CRYPT.
|
| | ...sorry, close doesn't count - you have to be specific about what
| | malware name was given by what antimalware or antivirus program.
|
| That was the name I got from the program.

Too bad they don't publish information on detected things that they
name.

| I'll check them, but as you can see in the next post, I'm really in
| deep water now. :) I removed 42 instances of malware and one
| isn't removed so far.

Seems to me that the water is receding - down to just the rootkit's
'early opportunity' component now, which will be obliterated when the
proper code is written to the MBR.

| [...]
| Now that I ran
| Kaspersky, it showed the Norton Quarantine directory as having
| malware. Well of course! Though Panda didn't show it. I wonder if
| that is better or not as good to cite things found in a quarantine
| folder or virus vault.

IMO such quarantined objects should be stored in encrypted form.

| [...]
| Bummer, so it might well be partly because of what I did.

Don't beat yourself up over it, some of them exploit software
vulnerabilities taking the user entirely out of the loop.

| Uh huh. I really don't get popups anymore, but I do get messages that
| FFox suppressed a popup and I can let it pop up if I want.

No need really, usually by the time you try to report a bad site, it has
moved on to yet another address.

Not something *you* did, but rather something that she didn't do (at
least not soon enough).

Keeping your (her) patch level current is paramount.

[...]
 

mm

| Not something *you* did, but rather something that she didn't do (at
| least not soon enough).
|
| Keeping your (her) patch level current is paramount.

BitDefender has a file manager and I did look at a few of her files
and she had lots of KBnnnnnnnn files, so I guess she has been
accepting all of her MS security updates.

Thanks, including for the part I snipped.
 

FromTheRafters

mm said:
| | Not something *you* did, but rather something that she didn't do (at
| | least not soon enough).
| |
| | Keeping your (her) patch level current is paramount.
|
| BitDefender has a file manager and I did look at a few of her files
| and she had lots of KBnnnnnnnn files, so I guess she has been
| accepting all of her MS security updates.
|
| Thanks, including for the part I snipped.

You're welcome. Sometimes it helps in troubleshooting if you are able to
'get your head around' the concept. OS updates are good, but malware has
taken to attacking applications recently (PDF readers - especially when
a browser has an extension to automatically call the reader or play a
flash file).

I hope you get it sorted out, please keep us posted on your progress.
 

David H. Lipman

From: "mm" <[email protected]>

| On Thu, 7 Oct 2010 08:59:22 -0400, "FromTheRafters"



| BitDefender has a file manager and I did look at a few of her files
| and she had lots of KBnnnnnnnn files, so I guess she has been
| accepting all of her MS security updates.

| Thanks, including for the part I snipped.


Getting Microsoft updates is insufficient.

There are all sorts of software that have vulnerabilities that lead to exploitation that
can result in malware.

To name a few, but definitely not limited to...

- RealPlayer
- QuickTime
- Sun Java
- Adobe Reader/Acrobat
- FoxIt PDF
- Adobe Flash

Secunia has a Java Applet that is free and will check the currency of the OS and
applications for vulnerabilities.

http://secunia.com/vulnerability_scanning/online/
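As an added illustration of the point above (example code, not from the thread, from Secunia or from any vendor): a PowerShell inventory of the third-party applications listed, read from the Windows uninstall registry keys, so their installed versions can be compared by hand against each vendor's current release. It assumes PowerShell is present on the machine being checked (it is not part of a stock XP install), and the name patterns are assumptions about how these products register themselves in Add/Remove Programs.

```powershell
# Added example, not code from the thread, Secunia or any vendor: list the installed
# versions of the third-party applications named above so they can be compared by
# hand against each vendor's current release. Assumes PowerShell is available on the
# machine being checked; the name patterns below are assumptions about how these
# products register themselves in Add/Remove Programs.
$watchList = @('RealPlayer', 'QuickTime', 'Java', 'Adobe Reader', 'Adobe Acrobat',
               'Foxit', 'Adobe Flash')

# Uninstall entries for native applications and (on 64-bit Windows) WOW64 ones.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# A missing key (e.g. no Wow6432Node on 32-bit XP) is skipped rather than failing.
$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher

foreach ($pattern in $watchList) {
    $hits = @($installed | Where-Object { $_.DisplayName -like "*$pattern*" })
    if ($hits.Count -eq 0) {
        "{0,-15} not installed" -f $pattern
        continue
    }
    foreach ($app in $hits) {
        # One line per match: product name, version string, publisher.
        "{0,-45} {1,-15} {2}" -f $app.DisplayName, $app.DisplayVersion, $app.Publisher
    }
}
```

The output is only an inventory; whether a listed version is current still has to be checked against the vendor, which is the comparison the Secunia scanner automates.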
 
