Am I infected with Crowti?


  • Please log in to reply
5 replies to this topic

#1 Legoman03

Posted 01 June 2015 - 03:05 PM

My operating system is Windows 7 with all updates, using Windows Security Essentials and Windows Firewall.

For the last 3 days I have been noticing popup messages from Windows Security Essentials telling me that it had prevented a trojan and then that I do not need to do anything as it has taken care of it. When I checked the history tab in WSE it shows that it has quarantined Ransom:W32/Crowti or Crowti.A; there were a couple of other ones but yesterday I deleted them so cannot check their names and they haven't appeared in the log since. I don't experience any symptoms other than that I have noticed the laptop sometimes feels a bit hotter and the fan revs up a bit more frequently, which might suggest some process using more CPU. This might just be unrelated. When I check in the Task Manager, there is nothing abnormal with CPU usage or processes. Yesterday these WSE popups were appearing 3 times within 10 minutes and sometimes nothing for a few hours. Last night I ran a WSE Quick scan and also a Full scan overnight and also Microsoft Safety Scanner. Initially at the beginning of the scan WSE shows a message saying that "Preliminary results show that malicious or potentially unwanted software might be on your system, you can review detected items after scan has completed". When the scan finishes nothing shows up as detected. It gives a green tick and says Your PC is being monitored and protected. In addition to the scans I ran CCleaner and Disk Cleanup and removed any temp files and any unwanted junk that Windows and browsers collect. I checked for any unrecognisable apps but I haven't noticed anything. Today WSE quarantined Crowti only twice in the whole day.

Does the fact that WSE is preventing a trojan mean that my laptop is infected, or is the trojan only trying to infect me? Is that trojan file on my system or am I being attacked from outside, i.e. the internet? Do I need to do anything or shall I leave it for WSE to keep quarantining them?




#2 quietman7

Posted 01 June 2015 - 04:48 PM

Crowti is a generic name and results in CryptoWall ransomware 90% of the time. As such, it brands itself as CryptoWall or CryptoDefense when it informs victims their data has been encrypted. Like CryptoWall, Crowti directs its victims to a Tor page and gives them instructions on how to purchase Bitcoin to unlock their information.

Similar to CryptoWall, a fairly recent Cryptolocker variant, Crowti uses a valid digital signature to appear legitimate and then, once installed, demands users pay in Bitcoin to purportedly decrypt their files.


Ransom:Win32/Crowti

This ransomware encrypts the files on your PC and directs you to a webpage with instructions on how to unlock them. It asks you to make a payment using bitcoins.

The ransom or "lock" screen can use the name CryptoDefense or CryptoWall.

This threat can be downloaded by other malware, such as TrojanDownloader:Win32/Onkods or TrojanDownloader:Win32/Upatre. It can also be downloaded when you click on a link in a spam email.


- CryptoWall 3.0 leaves files (ransom notes) named:
HELP_DECRYPT.TXT
HELP_DECRYPT.HTML
HELP_DECRYPT.URL
HELP_DECRYPT.PNG

Did you find any?

A repository of all current knowledge regarding CryptoWall, CryptoWall 2.0 & CryptoWall 3.0 is provided by Grinler (aka Lawrence Abrams), in this topic: CryptoWall and DECRYPT_INSTRUCTION Ransomware Information Guide and FAQ

Reading that Guide will help you understand what CryptoWall (including versions 2.0 & 3.0) does and provide information for how to deal with it.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
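As an added example (not part of this thread and not a BleepingComputer tool), here is a small Python check that does what the post above asks the poster to do by hand: walk a folder tree and report every directory holding one of the four CryptoWall 3.0 ransom-note names, matched case-insensitively because NTFS is. The note filenames come from the post; the sample profile layout the script builds for its own demonstration is constructed. A directory containing the complete set of four is the strong signal, since CryptoWall drops the whole set next to the files it encrypted; no hits at all, as in this thread, is consistent with the downloader being quarantined before the payload ever ran.

```python
"""Check a directory tree for the CryptoWall 3.0 ransom-note filenames.

Added example for this thread, not code from BleepingComputer or the poster.
It only looks for the exact filenames the post lists (HELP_DECRYPT.TXT/.HTML/
.URL/.PNG); the sample tree built by build_sample_tree() is constructed.
"""
import os
import shutil
import tempfile
from collections import defaultdict

# The four note names from the post, compared case-insensitively.
RANSOM_NOTE_NAMES = frozenset(
    name.lower() for name in (
        "HELP_DECRYPT.TXT", "HELP_DECRYPT.HTML",
        "HELP_DECRYPT.URL", "HELP_DECRYPT.PNG",
    )
)


def find_ransom_notes(root):
    """Walk `root` and return {directory: sorted note filenames} for every
    directory containing at least one of the listed note names.

    Symlinks/junctions are not followed and os.walk skips directories it
    cannot read, so this can run over a whole user profile without aborting.
    """
    hits = defaultdict(list)
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for filename in filenames:
            if filename.lower() in RANSOM_NOTE_NAMES:
                hits[dirpath].append(filename)
    return {d: sorted(names) for d, names in hits.items()}


def count_complete_sets(hits):
    """Number of directories holding all four notes. A complete set is the
    strong indicator; a lone stray file is a weaker one worth a second look."""
    return sum(
        1 for names in hits.values()
        if {n.lower() for n in names} == RANSOM_NOTE_NAMES
    )


def build_sample_tree(base):
    """Constructed sample profile: one folder with the full note set (mixed
    case), one with a single note, and a look-alike name that must not match."""
    infected = os.path.join(base, "Documents", "Invoices")
    partial = os.path.join(base, "Pictures")
    clean = os.path.join(base, "Downloads")
    for directory in (infected, partial, clean):
        os.makedirs(directory)
    for name in ("HELP_DECRYPT.TXT", "help_decrypt.html",
                 "HELP_DECRYPT.URL", "HELP_DECRYPT.PNG"):
        open(os.path.join(infected, name), "w").close()
    open(os.path.join(partial, "HELP_DECRYPT.TXT"), "w").close()
    # Similar but not an exact name: must be ignored by the scan.
    open(os.path.join(clean, "HELP_DECRYPT_forum_notes.txt"), "w").close()
    return infected, partial, clean


def demo():
    """Build the constructed tree in a temp dir, scan it, clean up, and return
    (directories with any note, directories with the complete set)."""
    base = tempfile.mkdtemp()
    try:
        build_sample_tree(base)
        hits = find_ransom_notes(base)
        return len(hits), count_complete_sets(hits)
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    # Real usage: scan the current user's profile and list every hit.
    for directory, names in sorted(find_ransom_notes(os.path.expanduser("~")).items()):
        print(directory, "->", ", ".join(names))
    print("constructed sample (dirs with notes, dirs with full set):", demo())
```

Run it as-is to scan your own profile; the constructed sample tree reports two directories with notes and one complete set. Finding nothing here does not prove the machine is clean, which is why the follow-up advice in this thread is a second-opinion scanner.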

#3 Legoman03 (Topic Starter)

Posted 01 June 2015 - 06:59 PM

Thanks, I don't have these files on the desktop. I have read the page about Cryptowall and used the tool to scan for registry entries associated with it and none were found. It looks like it hasn't been installed but occasional attempts are being detected.



#4 quietman7

Posted 01 June 2015 - 09:49 PM

You may want to perform a scan with Malwarebytes Anti-Malware.

#5 Legoman03 (Topic Starter)

Posted 04 June 2015 - 05:59 PM

I managed to finally get rid of it by manually deleting the temp folder; nothing has been detected for a few days. WSE and Malwarebytes were detecting that something is wrong but could not clear it completely. Thanks for the help. I've since used the CryptoPrevent program to protect myself from these nasties.



#6 quietman7

Posted 04 June 2015 - 06:07 PM

You're welcome. :thumbup2: