Crowti.A on Win7?

8 replies to this topic

#1 acordeon

Posted 16 October 2014 - 11:35 PM

Hello!

 

Nasty symptoms started today on my Win 7 box and have me a little stumped re what I should do.  This is Win7 64-bit. I have MS Security Essentials installed and up-to-date.

 

MSE reports that it detected 2 malware today: Ransom:Win32/Crowti.A and Trojan:Win32/Neurevt.B. It reports that both were quarantined because "could not find the malware".

 

However, whenever I reboot I get a flurry of errors of various kinds - programs set to run on startup that are failing to run, Windows Explorer crashing, etc.  Stuff all kinds of messed up.  And then every time MSE pops up again saying it detected the Crowti.A, and quarantined it.  Same result as before.  But every time I reboot, it's back.

 

I tried booting into safe mode and running a full scan w/ MSE but it didn't find anything at all.  But it's back as soon as I do a standard reboot.

 

Meanwhile, the main symptom seems to be a heinous memory leak.  I have 8GB of RAM, and something claims more and more of it until it's all in use.  Closing programs only helps momentarily.  My disks constantly thrash (assuming due to constant swapping.)  None of this happens in safe mode.

 

What should I try next, if the malware is still there but MSE can't find it in safe mode?

 

Thanks!

 

 




#2 noknojon

Posted 17 October 2014 - 12:06 AM

Hello -

I tried booting into safe mode and running a full scan w/ MSE but it didn't find anything at all.

Quite often Safe Mode is not the best way to find infections. The infection will "hide" from you in Safe Mode.

 

Open Microsoft Security Essentials, run a full scan in Normal Mode, and look in the Quarantined or Removed tab to see if the problem is still there.

If it is, please "delete it".

 

Next -

Please download and run RKill by Grinler.

  • A black DOS box will appear for a short time and then disappear.
  • This is normal and indicates the tool ran successfully.
  • At most the tool will usually run for about 2 minutes
  • Please Copy / Paste the small log back here.

Do not reboot your computer until you complete the next step.

NOW:

 

  • Download AdwCleaner by Xplode and save to your Desktop.
  • Double-click on AdwCleaner.exe to run the tool.
     * Vista/Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button (only once)
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button only once for accuracy.
  • A report (AdwCleaner[R0].txt) will open in Notepad for your review.
  • Check the listed removals and see if you are OK with them.
  • If you have questions, post the Report log back here.

 Next

  • Click on the Clean button only once for accuracy
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK finally to allow AdwCleaner to Restart the computer and complete the removal process.
  • After rebooting, a log report (AdwCleaner[S0].txt) will open automatically.
    Copy and Paste the contents of that log in your next reply.

Note: With most Adware / Junkware / PUPs it is strongly recommended to deal with it like a legitimate program and uninstall from Programs and Features or Add/Remove Programs in the Control Panel. In many cases, using the uninstaller of the adware not only removes the adware more effectively, but it also restores any changed configuration. After uninstallation, then you can run specialized tools like AdwCleaner and JRT to fix any remaining entries they may find.

 

Next -

Run ESET Online Scanner.

  • For Internet Explorer users only, hold down Control (Ctrl) and click on This Link to open ESET OnlineScan in a new window.
  • Click the ESET Online button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
  • Click on esetsmartinstaller_enu. to download the ESET Smart Installer. Save it to your desktop.
  • Double click on the esetsmartinstaller_enu icon on your desktop.
  • Check "YES, I accept the Terms of Use" and Temporarily Disable your Antivirus
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives and Remove Threats"
  • Click Advanced settings and select the following:
     Scan potentially unwanted applications
     Scan for potentially unsafe applications
     Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer.
  • Please be patient as this will take some time (2 hours is not unusual for a first scan).
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.

NOTE: Sometimes if ESET finds no infections it will not create a log.

 
Next -
Note - If not installed, please follow these directions -
Please download Malwarebytes Anti-Malware and save it to your desktop.

 

  • Double-click on the setup file (mbam-setup.exe) to install, then follow These instructions for doing a THREAT SCAN in normal mode.
  • Don't forget to check for database definition updates through the program's interface (preferable method) before scanning.
  • If you cannot update Malwarebytes or use the Internet to download any files to the infected computer, manually update the database by following the instructions in FAQ Section A.4. Issues.

Malwarebytes may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

If Malwarebytes encounters a file that is difficult to remove, you will be asked to reboot your computer so it can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally will prevent Malwarebytes from removing all the malware.

  • After the scan, make sure that everything is checked and then click the Remove Selected button to remove all the listed malware.
  • After rebooting the computer, copy and paste the mbam.log in your next reply.

 

Thank You -


Edited by noknojon, 17 October 2014 - 12:08 AM.


#3 acordeon (Topic Starter)

Posted 17 October 2014 - 01:09 AM

OK, thanks noknojon.

 

I did improve the situation by running msconfig in safe mode, seeing several suspicious entries in the startup programs, and disabling them.  That seemed to stop the major problems on reboot.  And MSE found a new malware (Crowti without the ".A" and again quarantined it.)  

 

But I'm pretty sure I don't have everything actually removed yet. So I will try your suggestions next. It's late so I may not get to some of this until tomorrow, but will report back.

 

Appreciate the help!



#4 noknojon

Posted 17 October 2014 - 03:21 PM

OK -

 

Whenever you think it will help you.



#5 acordeon (Topic Starter)

Posted 19 October 2014 - 12:42 AM

OK, first an update on what's happened so far, to help anyone else who may be infected and visit this thread later.

 

First of all, even though MSE seemed to detect and quarantine the virus soon after it appeared, and I never got the ransom screen, it did in fact encrypt (i.e. corrupt) many of my files, and according to what I've read, there's no known fix other than paying them (which I will of course not do).  So watch out people, this is a nasty one.

 

I did run MSE while in normal mode (after disabling the startup programs) and that did seem to remove the primary infection. At least it reported Crowti removed, and I haven't seen the symptoms reappear. I then ran Malwarebytes, which found a few unrelated PUPs, but no sign of Crowti.

 

I will run your other suggestions next, and report results.



#6 acordeon (Topic Starter)

Posted 19 October 2014 - 12:45 AM

RKill results below. First I heard about this Rootkit.  Guess we'll see if another of your steps takes care of that?

 

 
Program started at: 10/18/2014 10:34:49 PM in x64 mode.
Windows Version: Windows 7 Enterprise Service Pack 1
 
Checking for Windows services to stop:
 
 * No malware services found to stop.
 
Checking for processes to terminate:
 
 * No malware processes found to kill.
 
Checking Registry for malware related settings:
 
 * No issues found in the Registry.
 
Resetting .EXE, .COM, & .BAT associations in the Windows Registry.
 
Performing miscellaneous checks:
 
 * ALERT: ZEROACCESS rootkit symptoms found!
 
     * C:\Users\Matthew\AppData\Local\{596330a2-c3b7-05fe-76c3-aa024dd03e6b}\ [ZA Dir]
     * C:\Users\Matthew\AppData\Local\{596330a2-c3b7-05fe-76c3-aa024dd03e6b}\L\ [ZA Dir]
     * C:\Users\Matthew\AppData\Local\{596330a2-c3b7-05fe-76c3-aa024dd03e6b}\U\ [ZA Dir]
 
Checking Windows Service Integrity: 
 
 * No issues found.
 
Searching for Missing Digital Signatures: 
 
 * No issues found.
 
Checking HOSTS File: 
 
 * No issues found.
 
Program finished at: 10/18/2014 10:35:09 PM
Execution time: 0 hours(s), 0 minute(s), and 19 seconds(s)
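As an added example (not from the thread and not RKill's own code), a read-only PowerShell check for the directory layout the log above flags: a GUID-named folder under AppData\Local that holds L\ and U\ subfolders. Function and variable names are my own, and it assumes user profiles live under C:\Users.

```powershell
# Added example: list folders matching the "ZA Dir" pattern RKill reported above.
# Read-only: it reports candidates for a helper to review, it deletes nothing.
# Uses PSIsContainer rather than -Directory so it also runs on the PowerShell 2.0
# that ships with Windows 7.

$GuidDirPattern = '^\{[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}$'

function Find-ZeroAccessStyleDirs {
    param(
        # Profile roots to inspect; defaults to every AppData\Local under C:\Users (assumption)
        [string[]]$Roots = @(
            Get-ChildItem -Path 'C:\Users' -Force -ErrorAction SilentlyContinue |
                Where-Object { $_.PSIsContainer } |
                ForEach-Object { Join-Path $_.FullName 'AppData\Local' } |
                Where-Object { Test-Path -LiteralPath $_ }
        )
    )

    foreach ($root in $Roots) {
        Get-ChildItem -LiteralPath $root -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.PSIsContainer -and $_.Name -match $GuidDirPattern } |
            ForEach-Object {
                # Only report GUID folders that carry both the L and U subfolders seen in the log
                $hasL = Test-Path -LiteralPath (Join-Path $_.FullName 'L')
                $hasU = Test-Path -LiteralPath (Join-Path $_.FullName 'U')
                if ($hasL -and $hasU) {
                    $count = (Get-ChildItem -LiteralPath $_.FullName -Recurse -Force `
                                  -ErrorAction SilentlyContinue | Measure-Object).Count
                    New-Object PSObject -Property @{
                        Path       = $_.FullName
                        Created    = $_.CreationTime
                        Attributes = $_.Attributes
                        Items      = $count
                    }
                }
            }
    }
}

# On the machine in this thread the log named
# C:\Users\Matthew\AppData\Local\{596330a2-c3b7-05fe-76c3-aa024dd03e6b}\ with L\ and U\ inside.
Find-ZeroAccessStyleDirs | Format-Table Path, Created, Attributes, Items -AutoSize
```

A hit here is a lead for the log-based cleanup the helpers ask for in the next posts, not proof on its own; the creation time and attributes help a reviewer line it up with when the symptoms started.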


#7 noknojon

Posted 19 October 2014 - 12:49 AM

From the latest RKill log, this is a serious infection, and needs attention by the Experts ............

* ALERT: ZEROACCESS rootkit symptoms found!

 
     * C:\Users\Matthew\AppData\Local\{596330a2-c3b7-05fe-76c3-aa024dd03e6b}\ [ZA Dir]
     * C:\Users\Matthew\AppData\Local\{596330a2-c3b7-05fe-76c3-aa024dd03e6b}\L\ [ZA Dir]
     * C:\Users\Matthew\AppData\Local\{596330a2-c3b7-05fe-76c3-aa024dd03e6b}\U\ [ZA Dir]
 
Please follow the instructions in This Prep Guide starting at Step 6.

Once the requested logs are created, then make a New Topic and post it to the =>> Malware Removal Experts Area <== Not back here.

Copy and Paste any logs created, (do not attach them unless requested) and include a brief description of your problem and what you have done to try to resolve them.
Please note that the area can get a bit busy, so you may need to wait a day or more for a reply.

NOTE - If you cannot produce any of the logs, then please create the new topic anyway. Do not run more tools unless the experts request them.

 

Thank You ................


Edited by noknojon, 19 October 2014 - 12:54 AM.


#8 acordeon (Topic Starter)

Posted 19 October 2014 - 01:46 AM

Will do, thanks!



#9 xXToffeeXx (Malware Response Instructor)

Posted 19 October 2014 - 11:09 AM

Hello,
 
New log posted here.

Now that you have posted a log at the above link: you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc) unless advised by a MRT Team member, nor should you ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process which would extend the time it takes to clean your computer.

From this point on the MRT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the MRT Team members are EXTREMELY busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the MRT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another MRT Team member is already assisting you and not open the thread to respond.

Please be patient. It may take several days to get a response but your log will be reviewed and answered as soon as possible. I advise checking your topic once a day for responses as the e-mail notification system is unreliable.

If HelpBot replies to your topic, PLEASE follow Step One so it will report your topic to the team members.

To avoid confusion, I am closing this topic. Good luck with your log.
 
xXToffeeXx~