
ransom:HTML/Crowti.A troubles

Old 06-13-2015, 06:24 AM   #21
Registered Member
 
Join Date: May 2015
Location: NH
Posts: 15
OS: Win 7 Ultimate SP1

Hello, Chemist

Thanks to you my system is free of whatever that virus(es) was....

Is it possible that yet another one remains? As of this morning I still have almost twenty instances of svchost.exe running, several of which are over 600,000k of resource use, forcing the machine to act similarly to how it has been, in that it's slower than usual and the fan is running full tilt as the CPU is being overly taxed.

If another thread needs to be dedicated to this particular issue, please advise either way.

I manually shut down some of these processes; however, there's no way to tell which ones are actually valid. They are running as Local, Network and System versions.

Thanks again for the help. It would help to know, for reference, what virus my system actually had, if you could tell me; was this the ransom:HTML/Crowti.A virus? This has piqued my interest so much that I'm considering the Academy. Knowing that these issues can be corrected offers such satisfaction in their eradication!
mat68046 is offline  
Old 06-13-2015, 09:47 AM   #22
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10
Hello again, mat68046. Again, I don't think you are infected.

Thanks to WinDefender, you weren't infected with ransom:HTML/Crowti.A. If you had been, your files would have become encrypted.

Ransom:HTML/Crowti.A

------------------------------------------------------

Did you read that link to svchost.exe? It gives instructions for how to determine which service is running each svchost.exe process.

You can use TaskManager or ProcessExplorer to find out which services are using those processes with 600,000k of memory.

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
chemist is offline  
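Chemist points to Task Manager or Process Explorer for this; the PowerShell below does the same mapping from the command line, joining each running svchost.exe instance to the services it hosts and its memory use. It is an added example, not code from this thread, and assumes PowerShell 3.0 or later and an elevated prompt (needed to read the executable path of SYSTEM-owned processes).

```powershell
# Added example: list each running svchost.exe instance with the services it hosts and
# its working-set size, so a 600,000k instance can be tied to a service group.
# Assumes PowerShell 3.0+ (Get-CimInstance) and an elevated prompt, which is needed to
# read the executable path of SYSTEM-owned processes.

# Win32_Service carries a ProcessId for every running service; that is the join key.
$services = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.ProcessId -gt 0 }

# svchost.exe legitimately lives in System32 (and SysWOW64 for 32-bit service hosts).
$expectedPaths = @(
    (Join-Path $env:SystemRoot 'System32\svchost.exe'),
    (Join-Path $env:SystemRoot 'SysWOW64\svchost.exe')
)

$report = Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object {
    $proc   = $_
    $hosted = $services | Where-Object { $_.ProcessId -eq $proc.Id }
    [PSCustomObject]@{
        PID          = $proc.Id
        WorkingSetMB = [math]::Round($proc.WorkingSet64 / 1MB, 1)
        Services     = (@($hosted | ForEach-Object { $_.Name }) | Sort-Object) -join ', '
        Path         = $proc.Path
    }
}

# Heaviest instances first; the Services column says which service group to look into.
$report | Sort-Object WorkingSetMB -Descending | Format-Table -AutoSize

# An instance that hosts no service, or runs from somewhere other than the expected
# locations, deserves a second look (an empty Path only means the prompt was not elevated).
foreach ($row in $report) {
    if (-not $row.Services) {
        Write-Warning "PID $($row.PID): svchost.exe hosting no service"
    } elseif ($row.Path -and ($expectedPaths -notcontains $row.Path)) {
        Write-Warning "PID $($row.PID): svchost.exe running from $($row.Path)"
    }
}
```

On Windows 7 the heavy instances are normally the netsvcs or LocalSystemNetworkRestricted groups; the service names in the Services column are what to stop or investigate (services.msc), not the svchost.exe process itself.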
Old 06-13-2015, 11:38 AM   #23
Registered Member
 
Join Date: May 2015
Location: NH
Posts: 15
OS: Win 7 Ultimate SP1
Thanks, Chemist....

I did read up on svchost.exe and I'll have to just monitor it for now, as the suggestion is that it's all normal. I don't tend to have many open tabs in my browser, nor do I have many things operating in the background, to justify that many instances of svchost running; however, I did look at the processes running under some of the svchosts per your advice and they do seem legit.
A couple of exit questions:

I did the sc delete MpKsl460bdd8f; what was this for?

Still curious what virus/trojan/rootkit/etc. I did have.

How often should I create a restore point going forward?
mat68046 is offline  
Old 06-13-2015, 06:11 PM   #24
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10
Hello again, mat68046. Other than some adware, you were never infected. As before, it appears WinDefender prevented that from happening.

The number of svchost.exe processes varies from machine to machine. That command deleted an orphaned driver.

If system restore is turned on, it should automatically create one every now and then, typically once every one or two days.

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
chemist is offline  
Old 06-13-2015, 06:34 PM   #25
Registered Member
 
Join Date: May 2015
Location: NH
Posts: 15
OS: Win 7 Ultimate SP1
Well, Chemist, thanks again.
Pretty powerful adware then to screw up a machine that much....

I can go ahead with your recommendations to delete Adaware, etc., now?

Well done

Glad I didn't have a more serious problem!

Mark
mat68046 is offline  
Old 06-13-2015, 07:10 PM   #26
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10
You're very welcome. Yes, please follow those instructions in post #16 above. Let me know.
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
chemist is offline  
Old 06-19-2015, 12:50 PM   #27
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10
Hello again, Mark. Still with us? Did you finish cleaning up the tools, etc.?

I want to check one more thing.

Press the Windows "logo" key and "R" key then copy/paste the following entry into the Run box and press Enter:

cmd /c net start > 0 & notepad 0

A log should open. Please post the contents of the log in your next reply.

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
chemist is offline  
Old 06-21-2015, 10:54 AM   #28
Registered Member
 
Join Date: May 2015
Location: NH
Posts: 15
OS: Win 7 Ultimate SP1
Hello Chemist

Update so far: normal machine behaviour. No recurrence of the issues you've addressed.

Contents of the log you requested:

These Windows services are started:

Adobe Acrobat Update Service
Apple Mobile Device
Application Information
Application Layer Gateway Service
Background Intelligent Transfer Service
Base Filtering Engine
Bonjour Service
CNG Key Isolation
COM+ Event System
Computer Browser
Cryptographic Services
DCOM Server Process Launcher
Desktop Window Manager Session Manager
DHCP Client
Diagnostic Policy Service
Diagnostic Service Host
Diagnostics Tracking Service
Distributed Link Tracking Client
DNS Client
Encrypting File System (EFS)
ESET Service
Extensible Authentication Protocol
Function Discovery Provider Host
Function Discovery Resource Publication
Group Policy Client
HomeGroup Provider
HP CUE DeviceDiscovery Service
HP Support Solutions Framework Service
hpqcxs08
hpqwmiex
IKE and AuthIP IPsec Keying Modules
Internet Connection Sharing (ICS)
IP Helper
IPsec Policy Agent
Macrium Reflect Image Mounting Service
Microsoft Antimalware Service
Multimedia Class Scheduler
Net Driver HPZ12
Network Connections
Network List Service
Network Location Awareness
Network Store Interface Service
Offline Files
Peer Name Resolution Protocol
Peer Networking Grouping
Peer Networking Identity Manager
Plug and Play
Pml Driver HPZ12
PnP-X IP Bus Enumerator
Portable Device Enumerator Service
Power
Print Spooler
Program Compatibility Assistant Service
PST Service
Remote Access Connection Manager
Remote Procedure Call (RPC)
RPC Endpoint Mapper
Secondary Logon
Secure Socket Tunneling Protocol Service
Security Accounts Manager
Security Center
Server
Shell Hardware Detection
SSDP Discovery
Superfetch
System Event Notification Service
Task Scheduler
TCP/IP NetBIOS Helper
Telephony
Themes
UPnP Device Host
User Profile Service
WDDMService
Windows Audio
Windows Audio Endpoint Builder
Windows Event Log
Windows Firewall
Windows Font Cache Service
Windows Image Acquisition (WIA)
Windows Management Instrumentation
Windows Modules Installer
Windows Search
Windows Update
WinHTTP Web Proxy Auto-Discovery Service
WLAN AutoConfig
Workstation
XAudioService

The command completed successfully.

ESET is active in the background but "disabled"... MSE is enabled and active.
If you see anything in the log file that can be addressed please advise.

Thank you.....
mat68046 is offline  
Old 06-21-2015, 01:07 PM   #29
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
Join Date: Oct 2007
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10
Hello again, Mark. You're very welcome! Sounds good.

Let me know when you finish those cleanup instructions in post #16 above.

------------------------------------------------------
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
chemist is offline  
Old 06-22-2015, 11:04 AM   #30
Registered Member
 
Join Date: May 2015
Location: NH
Posts: 15
OS: Win 7 Ultimate SP1
All cleanup done per post #16, including loading the new HOSTS file...

So far so good.

Can you tell me how the adware or whatever it was that got into the machine manifested itself and became active? Do we know if any of my data besides tracking info was compromised?

Thanks for all of your efforts and close the thread at your discretion....

Best regards

Mark
mat68046 is offline  
Old 06-22-2015, 12:22 PM   #31
Security Team
Moderator, Analyst
Rangemaster, TSF Academy
 
Location: Georgia
Posts: 29,790
OS: XP/Win7/Win10
You're very welcome, Mark! Glad to have helped.

Again, you were lucky and it appears WinDefender prevented the ransomware from taking hold and encrypting your files:

https://www.microsoft.com/security/p...:HTML/Crowti.A

As far as data being compromised, there is no way to tell from the logs. It would still be a good idea to change your passwords and make sure they are strong:

Password Strength | Password Strength Calculator and Strength Checker
__________________
Our services are free, but you may contribute to the author of ComboFix via PayPal

Proud member of UNITE

Microsoft MVP - Consumer Security 2014, 2015
chemist is offline  