Joined: Apr 2012
Posts: 13
Member
OP Offline
I am a solo private practice DO using an old version of Amazing Charts on 2 desktops and one laptop. When I got to the office Friday my staff had the desktop with the database and the laptop up and running. When I tried to open AC on my desktop I got a "windows is preparing to install your program" message and then Viper antivirus asking if I wanted to allow changes to my computer. I knew better but I clicked yes, but when it said it would take 120 min to install I clicked cancel. I finished the day with the two working stations but when I tried to back up the database on the main computer at the end of the day Viper quarantined the Amazing Backup file. I have the following message in Viper: "Gen:Heur.Ransom.Hidden Tears.1". I closed AC and tried to reopen it and it gave me the "windows is preparing to install your program" message also. The laptop can still open charts so the database has not been encrypted yet.

I post here because everything else on both computers seems to be working fine. All three computers are running Windows 7. I ran a full virus scan with Viper which didn't detect anything else.

[Linked Image from achelp.amazingcharts.com]

Joined: Apr 2011
Posts: 2,316
Likes: 2
Member
Offline
Ransomware spreads through the network via shared folders. Usually it can't encrypt the AC database because it's in use by SQL Server. However, Imported Items will get hit.

Best thing you can do to limit the spread is identify the source machine and disconnect it from the network. Most likely it's your machine that has the ransomware since the AC installer popped up. It's also possible that viper already found it and removed it. But I would check shared folders and documents to see if any files got encrypted.
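
One way to carry out the shared-folder check suggested in the post above, as an added example that is not part of the original thread: a read-only Python sweep that flags files whose leading bytes no longer match their extension, or plain-text files whose content is near-random. The extension lists, the entropy threshold and all function names are assumptions chosen for illustration.

```python
import math
import os
import sys
from collections import Counter

# Well-known leading bytes per extension (assumed list; extend as needed).
MAGIC = {".pdf": b"%PDF", ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
         ".png": b"\x89PNG\r\n\x1a\n", ".docx": b"PK\x03\x04",
         ".xlsx": b"PK\x03\x04", ".zip": b"PK\x03\x04"}
PLAIN_TEXT = {".txt", ".csv", ".rtf", ".xml", ".htm", ".html"}
ENTROPY_LIMIT = 7.5  # assumed threshold, bits per byte

def shannon_entropy(data):
    """Bits per byte (0.0 to 8.0); encrypted data sits close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(path, sample_size=65536):
    """Return a reason string if the file looks encrypted, else None."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        head = fh.read(sample_size)
    if ext in MAGIC and head and not head.startswith(MAGIC[ext]):
        return "header does not match " + ext
    if ext in PLAIN_TEXT and len(head) >= 1024:
        entropy = shannon_entropy(head)
        if entropy > ENTROPY_LIMIT:
            return "plain-text type with entropy %.2f" % entropy
    return None

def scan(root):
    """Walk root read-only and return [(path, reason)] for suspect files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            try:
                reason = classify(full)
            except OSError:
                continue  # locked or unreadable, e.g. a database file in use
            if reason:
                hits.append((full, reason))
    return hits

if __name__ == "__main__":
    # Usage: python scan_share.py <folder>   (script name is hypothetical)
    for path, reason in scan(sys.argv[1]):
        print(path, "->", reason)
```

Compressed formats such as JPEG and DOCX are naturally high-entropy, which is why those types are judged by their header and only plain-text types by entropy.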

Joined: Apr 2012
Posts: 13
Member
OP Offline
It is on both desktops, one of which is the main computer so it is too late to disconnect. I am running version 6.0.10. I tried uninstalling AC from the one that first acted up (the one without the database) and reinstalled it without any luck.

Joined: Apr 2012
Posts: 13
Member
OP Offline
I will add that we do the bare minimum. The nurse opens a chart, enters the chief complaint and vital signs, forwards it to me where I enter the findings and print prescriptions. We don't import any faxes or documents and don't do any e-prescriptions.

Joined: Apr 2012
Posts: 13
Member
OP Offline
Here is a pic of what Viper did after I tried to run Amazing Backup. [Linked Image from achelp.amazingcharts.com]

Joined: Apr 2012
Posts: 13
Member
OP Offline
And here are some pictures of what happened with the main computer today. [Linked Image from achelp.amazingcharts.com]
[Linked Image from achelp.amazingcharts.com]
[Linked Image from achelp.amazingcharts.com]
I stopped the application with the padlock and hit retry and the program opened.

Joined: Feb 2005
Posts: 99
Likes: 2
Member
Offline
If it were me, I'd import a copy of the most recent backup onto a fresh installation of A.C. on a different computer, one which was certain not to have become infected, and completely wipe all of my current computers completely (if possible) and reinstall the OS. If not possible, it's time for new computers. I believe you're using a version of A.C. that can be run (after installation) entirely without connection to the internet; you may want to consider doing that, especially since you're using an older OS.

EDIT: ACv8.3 won't run as a "main" computer on Windows 10 (although it's OK in the other computers), so I would imagine ACv6 won't either. If you replace your computers, be aware of that.

Joined: Apr 2012
Posts: 13
Member
OP Offline
Originally Posted by kurt
If it were me, I'd import a copy of the most recent backup onto a fresh installation of A.C. on a different computer, one which was certain not to have become infected, and completely wipe all of my current computers completely (if possible) and reinstall the OS. If not possible, it's time for new computers. I believe you're using a version of A.C. that can be run (after installation) entirely without connection to the internet; you may want to consider doing that, especially since you're using an older OS.

EDIT: ACv8.3 won't run as a "main" computer on Windows 10 (although it's OK in the other computers), so I would imagine ACv6 won't either. If you replace your computers, be aware of that.

Either that or go back to paper charts. I have considered trying to get back into the fold and upgrading to the new version if that is even possible from such an old one. I blame hackers that caused my credit card company to issue all of its customers new card numbers which caused my auto renew on maintenance to fail. It happened right after maintenance doubled in price. I simply asked if I was going to have to pay the new price or the old one and no one ever got back to me.

Joined: Apr 2012
Posts: 13
Member
OP Offline
Tried to install version 6.0.10 on an old Win 8.1 laptop I wasn't using and it didn't work. The version of SQL Server it uses is incompatible with Win 8.1 would be my guess. I have two new hard drives on the way from Amazon. I plan to rebuild the main desktop and hook it up to a separate network router and not give it access to the internet.

I still find it odd that the desktops are working fine like nothing is wrong as long as I don't try to open AC.

Joined: Sep 2003
Posts: 12,898
Likes: 34
Member
Offline
Hi Michael,

Sorry for your issues. First, try to listen to the ideas and see if you can execute them and then report back. It is difficult for us to troubleshoot if we are suggesting some things, and you are doing others. I know it's hard to wait, and it's not like ten people are helping.

When you get in a situation where things suddenly start acting funny, and you have a possible detection of a virus, randomly trying things out is the worst thing you can do. As Sandeep suggested, isolating the problem computer from the network and then troubleshooting later in the evening when things are quiet and calm would be better.

Also, it doesn't make a lot of sense to run a backup, if you think there may be a virus present. You are just backing up the virus. In fact, I think you mentioned your A/V finding something with a backup file.

The first thing I would do is to research the malware, which looks like it is a trojan. This could be very real or it could be a false positive. So, what you are looking to do is ask, "Is my computer infected, and how do I get rid of the virus?" So, there are many A/V, anti-malware programs out there. The first one to run would be MalwareBytes Antivirus (MBAM), just the free version that is used as a 3rd party tool. This is a very good program, which may show that the computer is clean. (Doesn't mean it is). Or it may find it, and tell you it is quarantined and show you the path. You can then delete it.

One of the error messages is very revealing. The locked file you are seeing is one of the SQL Server databases in your AC folder for codes. It is even telling you that another program has access to it. I don't know if that is the trojan or just another program. AC is also notorious for being seen as a virus even if it isn't.

Using two hard drives will basically be the same as reformatting your computer. I am not quite sure what you mean by rebuild...

At this point, not using the questionable computer, making sure the others are clean by running multiple A/V applications and multiple A/V companies' website detections that can run from the cloud would be helpful.

You can simply reinstall v6 on one of those machines and choose to install SQL there. But, you will need to restore with a backup that was pre-malware.

Here is the 1,000,000 question. What is your full computer backup? Having just an AC backup is not enough. For instance, if you have a virus on your computer, just restoring a good backup, while it may solve the problem, may leave the virus behind. A good 100% clean backup could be restored.

The saying "Once infected, always suspected," is definitely applicable here. If you fix things, installing new drives and reinstalling Windows and AC will ensure you are OK.

A few other things:

As you tell everyone what you did, you want to keep it straightforward and in order. Every step you try. Try not to use extraneous info like a hacker got to your bank's credit cards. Sorry about that. :) So:

1. Found this error message
2. Ran MBAM twice and nothing came up
3. Tried reinstalling, AC (which will likely not help)
4. Tried what kurt suggested and this happened

There are many sites that will tell you how to uninstall a virus. You have to make sure it is a reputable site, as it is easy for hackers or people with malicious intent to use malware to draw you to their site.

An antivirus program is not enough protection in this day and age. It is important to have a zero-day anti-malware program that does not depend on definitions. They also say run an A/V program with it. Although there is some argument on that. I do.

There is also a site called Experts-Exchange, which you can get a trial membership for a week. Asking about being infected by that virus will likely get you help from people who know more about viruses than most. They are experts who just help from Britain, Australia, U.S., etc. But, if you ask a question there, you would want to do everything they suggest. They know of MBAM and Combofix and VirusTotal and the way to run them. They may know if this is a false positive.

If you went that route, which would be very helpful, I would just focus on the question that I ran my A/V and it came up with this. What should I do? You can add other stuff later. If you write everything in your posts above, everyone will be confused and not even attempt. They have examples of how to ask questions, even mods who will help you write them.

Good luck.


Bert
Pediatrics
Brewer, Maine

Joined: Apr 2012
Posts: 13
Member
OP Offline
Thanks for the reply. I think or at least hope I have it fixed. Spent most of the weekend doing it but everything seems to be working as it should today. I have a laptop with AC and a backup (that is a little older than I would like but the newest that I could find that wasn't on one of the infected machines) on standby so I can do as you suggest the next time.

It wasn't a backup file but the applications Amazing Backup and Backup Restore Utility that were quarantined as infected on both desktops. There was also a file called DataBaseTuner.exe in the receptionist document folder that was quarantined with the same virus.

I didn't want to reformat the original HD so I bought a new one and used the restore disk to reinstall Windows 7 on it and then AC. Once I had that up and running I unhooked the new HD and went back to the old one. I uninstalled AC and reinstalled it, restored a backup I made at the end of the day Friday and it seems to work without problems. I know I said above that uninstall/reinstall didn't fix the secondary desktop but after turning it off and back on it seems to work fine also.

The reason I didn't want to reformat the main computer was that I was able to see patients all last week by using the nurse's laptop, which doesn't seem to be infected, and just turning the main computer on without trying to open AC on it.


This board is dedicated to the memory of Michael "Indy" Astleford. February 6, 1961 -- April 16, 2019