This malware made me redo my entire computer, and I still have a long, long way to go to get everything set up to something close to what I had.
I had the most recent updates to Avast. I had all of the security updates for Windows 7. I have a hosts file to help filter out a variety of bad websites. I’m not sure if this made a huge difference, but I had the second-most-recent version of Adobe Flash… I’m not sure if the most recent version would’ve made a difference.
All I did was visit a regular website that had at least one of these injecting ads (I don’t know if it was caused by Adobe Flash, JavaScript, or some other security flaw in Windows or IE). I didn’t click on any links or install anything… it just went off from visiting the website. Avast gave some pop-up warnings, and then I saw downloading activity. I then disconnected my Internet connection, but it was too late. I was able to go through the browser cache in IE to delete everything, but the files were in a few different locations.
Explorer.exe seemed to be infected, and I couldn’t do anything to look through files and directories using it because the whole computer was very slow… it seemed like it was almost out of memory.
I used HijackThis to remove the bad entries and then rebooted, but that didn’t help. I ran a full scan with Avast… nothing. I scanned the computer with Windows Defender… nothing. I installed and scanned the computer with Malwarebytes… nothing. I ran TDSSKiller… nothing. I ran Microsoft’s Malicious Software Removal Tool… nothing. I ran ComboFix… nothing. Running in Safe Mode made no difference.
I looked in regedit and saw there was an entry for CryptoWall 3.0. It did list some of the files it supposedly compromised, but they appeared to be fine… possibly because I stopped the program before it had a chance to encrypt the files. I think the payment listing was to paypaymentto.com. I have no idea if just CryptoWall 3.0 was installed or if additional things were installed.
I was able to get the command prompt to come up, and I deleted at least some of the files (as mentioned here: http://www.bleepingcomputer.com/virus-removal/cryptowall-ransomware-information)… they were all named something like 1a1vasd.exe. This did nothing. It is also a huge pain to navigate around via the command prompt.
I thought I’d try the Internet again, so I reconnected… same problem as before… downloading, and Avast alerting me with all these pop-up blocks that were ads being served from a couple of IP addresses.
Because the computer was so slow and I did everything I could think of to fix this to no avail, I just gave up.
At least I had another PC to access the Internet and look things up with. I also have most of my files backed up… luckily, the majority of them are unimportant.
So, Avast failed me tremendously. I am 1000% disappointed it didn’t prevent this virus/malware from getting so far out of hand. It has blocked all sorts of things over the years, but this failure is so bad that I am going to look into other anti-virus software.
It is also terrible that so many websites still use Adobe Flash. I’m not sure I will ever reinstall it.
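The poster found the dropper's autostart entries with HijackThis and saw the dropped files named something like 1a1vasd.exe. The script below is an added example of doing that first triage step from PowerShell on a Windows 7 box; it is not the poster's procedure and not HijackThis output. It walks the HKCU/HKLM Run and RunOnce keys and flags any entry whose executable lives under the user profile, has a short random-looking name, or is no longer on disk. The "random-looking name" heuristic, the length threshold and the list of user-writable directories are assumptions chosen for illustration, not indicators published for CryptoWall.

```powershell
# Added example (not from the original post): triage Run/RunOnce autostart
# entries for dropper-style executables. Heuristics below are assumptions.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# User-writable locations a browser-delivered dropper usually lands in (assumed list).
$userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:USERPROFILE)

function Get-ImagePath([string]$command) {
    # Extract the executable from a Run value, either "C:\x\y.exe" /arg or C:\x\y.exe /arg
    if ($command -match '^"([^"]+)"') { return $Matches[1] }
    return ($command -split '\s+')[0]
}

function Test-RandomName([string]$path) {
    # Assumed heuristic: short basename mixing letters and digits with no separators,
    # which is what a name like 1a1vasd.exe looks like.
    $base = [IO.Path]::GetFileNameWithoutExtension($path)
    return ($base.Length -le 8 -and $base -match '\d' -and $base -match '[a-z]' -and $base -notmatch '[-_ ]')
}

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Skip PSPath/PSParentPath/PSChildName/PSDrive/PSProvider metadata properties
        if ($p.Name -like 'PS*') { continue }
        $image    = Get-ImagePath ([string]$p.Value)
        $expanded = [Environment]::ExpandEnvironmentVariables($image)

        $inProfile = $false
        foreach ($dir in $userWritable) {
            if ($dir -and $expanded.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) { $inProfile = $true }
        }

        $reasons = @()
        if ($inProfile)                           { $reasons += 'runs from user-writable dir' }
        if (Test-RandomName $expanded)            { $reasons += 'random-looking name' }
        if (-not (Test-Path -LiteralPath $expanded)) { $reasons += 'image missing on disk' }

        if ($reasons.Count -gt 0) {
            New-Object PSObject -Property @{
                Key     = $key
                Name    = $p.Name
                Image   = $expanded
                Reasons = ($reasons -join ', ')
            }
        }
    }
}

$findings | Format-Table Key, Name, Image, Reasons -AutoSize
```

Run it from an elevated prompt so the HKLM keys are readable, and treat the output as a list to inspect rather than delete: legitimate software sometimes starts from AppData too, so check each flagged image (publisher signature, creation time matching the incident, hash lookups) before removing the entry. Run keys are only one persistence location; scheduled tasks and the Startup folder deserve the same look.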