Hello. It appears that I have contracted the CryptoWall virus. I’m not sure what I opened or downloaded that was infected. I don’t recall anything suspicious. I try to be very cautious, but apparently I messed up somewhere. I did update Java last week and have now read that it is vulnerable. Perhaps I got it from that? Anyways… Saturday afternoon I started receiving Web Shield popup warning alerts, one right after another. They were coming up so fast you couldn’t read them. An example:
Object: C:\Users\Gery\AppData\Local\Apple Computer\Safari\LocalStorage\DECRYPT_INSTRUCTION.URL
Infection: URL:Mal
Process: C:\Windows\explorer.exe
I ran a full system scan with Avast. It found the following files:
C:\ProgramData\Windows Genuine Advantage{73DF2915-E5AC-47B3-A863-90AA33CDCFA8}\msiexec.exe
C:\ProgramData\Windows Genuine Advantage{8FADCCF2-C9C0-4917-9227-64AA60A631DF}\msiexec.exe
C:\ProgramData\Windows Genuine Advantage{4214961A-ACEE-4564-8C7B-E32FC6647729}\msiexec.exe
C:\ProgramData\Windows Genuine Advantage{8FADCCF2-C9C0-4917-9227-64AA60A631DF}\msiexec.exe
I did the auto fix and Avast moved the first and third files to the Chest. The second and fourth appear to be the same file, which kicked back this error message: “Error: The system cannot find the file specified.”
The popups persisted. I held off on doing a boot time scan and started poking around the internet for info, which is when I learned about CryptoWall. I also noticed that all my folders now have those dreaded DECRYPT_INSTRUCTION.html & DECRYPT_INSTRUCTION.txt files within them and all my files are corrupted, so to speak (or encrypted).
I found a link to this instruction page off the Avast forum: http://www.precisesecurity.com/rogue/remove-cryptowall
I attempted Option 1. I downloaded, installed, & ran the Malwarebytes Anti-Malware program (free version). It found 23 infected items which it threw into quarantine. I then deleted the files out of quarantine. I’ve attached the scan log for reference (MBAM_scan_log_111014a). I still get a warning every so often, but I’m not bombarded like before. Example:
Object: http://www.movieroomreviews.com/jamie-dornan/fifty-shades-grey-get-special-x-rated-version-184451?utm_source=29021&utm_medium=cpc&utm_campaign=clickpayz_29021
Infection: URL:Mal
Process: C:\Program Files\Internet Explorer\iexplore.exe
or
Object: http://www.abcmedine.net/|{gzip}
Infection: HTML:Framer-inf[Trj]
Process: C:\Program Files\Internet Explorer\iexplorer.exe
I’ve also started getting…
regsvr32.exe - Application Error: The exception Breakpoint
A breakpoint has been reached.
(0x80000003) occurred in the application at location 0x7775805d.
…messages every so often.
I take it deleting the quarantined files was a no-no and I possibly screwed stuff up even more? (Why on earth did I do it?!?) At least I have a bad feeling about it because… I came across another thread where the poster appeared to have the same issue as me (https://forum.avast.com/index.php?topic=158653.msg1143795#msg1143795). Someone responded and said not to do anything until someone helped. So now I’m afraid to continue on with the instructions from precisesecurity.com. I saw the poster ran several different scans and attached the generated logs. After some more poking around I found the post that provided the links to those same scanning programs.

Since I’d already run MBAM, I skipped to FRST64. The logs for it are attached (FRST.txt and Additions.txt). Next I ran aswMBR, but it seems to hang after so long. 4.5 hours went by and the time stamp & scanning location had not changed. In the meantime I was re-reading the “Logs to assist in cleaning malware” post. I noticed that the instructions for MBAM said to checkmark “Scan for rootkits” under Settings > Detection and Protection. (I did not have this checked during the first scan.) So I checked that setting and re-ran the scan. It detected one additional malicious file which I quarantined BUT did not delete (MBAM_scan_log_111014b). And since it needed to restart the computer to do so, I went ahead and stopped the aswMBR scan (it didn’t seem like it was doing anything anyway) and saved the log for it thus far.

When the computer restarted I started a new aswMBR scan. Once again it hung about 1.5 into the scan. After another 4 hours of just sitting there the time stamp and “Scanning” line finally updated. Since then it has updated about once an hour. (Last time stamp was 9:19am CT.) With no type of progress bar I have no idea how long it will take to finish. It’s already been going for 9 hours. I’ll continue to let it sit here and run, but wanted to get a post up in the meantime.
I’ll provide the log file once available.
Additional info: I have an HP Pavilion dv6t laptop that is running Windows 7. If you need any other stats, please let me know.
Not sure what my next step should be. I’m completely lost when it comes to virus issues. Is there any hope of recovering some of the encrypted/corrupted files? I have some work items that would be nice to retrieve if possible. Do I need to use my restore disc and reset the laptop to get rid of everything, such as those blasted DECRYPT_INSTRUCTION files ALL over the place? Will doing so get rid of the virus or will it still be lurking somewhere? Any help – suggestions, recommendations, directions, etc – would be greatly appreciated.
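Added example, not part of the original post and not Avast forum guidance: a read-only PowerShell inventory that a helper would typically ask for before any cleanup. It locates the DECRYPT_INSTRUCTION notes the poster describes, hashes them, works out the time window in which they were written, lists the files sitting next to each note that were modified in that same window (the likely encrypted set), and shows what remains of the "Windows Genuine Advantage" folder under ProgramData that the Avast detections pointed at. Assumptions: the note filenames are exactly DECRYPT_INSTRUCTION.txt/.html/.url as reported above, the scan root is the current user profile, and the target is the Windows 7 laptop's stock PowerShell 2.0 (hence no Get-FileHash). Nothing is deleted, moved or decrypted; the script only writes a CSV report to the Desktop.

```powershell
# Added triage example (not from the original post). Read-only: it inventories
# ransom notes and their neighbours, it does not clean or recover anything.
param(
    [string]$Root   = $env:USERPROFILE,                                     # assumed scan root
    [string]$Report = (Join-Path $env:USERPROFILE 'Desktop\ransom_note_inventory.csv')
)

# Note filenames exactly as the poster reported them (assumption: no others exist).
$noteNames = @('DECRYPT_INSTRUCTION.txt', 'DECRYPT_INSTRUCTION.html', 'DECRYPT_INSTRUCTION.url')

function Get-Sha256Hex([string]$Path) {
    # Windows 7 ships PowerShell 2.0, which has no Get-FileHash; use .NET directly.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $stream.Close(); $sha.Dispose() }
}

# 1. Find every ransom note under the root; access-denied errors are just skipped.
$notes = @(Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
           Where-Object { -not $_.PSIsContainer -and $noteNames -contains $_.Name })
if ($notes.Count -eq 0) { "No $($noteNames -join '/') files found under $Root"; return }

# 2. Hash the notes. Identical hashes show one template was dropped everywhere,
#    and the hash is what a helper or AV vendor will ask for.
$notes | Group-Object { Get-Sha256Hex $_.FullName } |
    ForEach-Object { '{0} copies of note with SHA256 {1}' -f $_.Count, $_.Name }

# 3. Earliest and latest note write times bracket the encryption run.
$times = @($notes | ForEach-Object { $_.LastWriteTime } | Sort-Object)
$start = $times[0]; $end = $times[-1]
'Notes written between {0} and {1}' -f $start, $end

# 4. In each affected folder, list the non-note files written inside that window.
#    These are the candidates for "encrypted"; keep them, do not delete them.
$dirs = @($notes | ForEach-Object { $_.DirectoryName } | Sort-Object -Unique)
$rows = @(foreach ($dir in $dirs) {
    Get-ChildItem -Path $dir -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $noteNames -notcontains $_.Name -and
                       $_.LastWriteTime -ge $start -and $_.LastWriteTime -le $end } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Directory = $dir; File = $_.Name; Size = $_.Length; LastWrite = $_.LastWriteTime
            }
        }
})
$rows | Export-Csv -Path $Report -NoTypeInformation
'{0} notes in {1} folders; {2} sibling files written in the window. Report: {3}' -f `
    $notes.Count, $dirs.Count, $rows.Count, $Report

# 5. The Avast hits in the post were msiexec.exe copies under this ProgramData
#    folder; show what is still there so the helper can compare with the Chest.
$wga = Join-Path $env:ProgramData 'Windows Genuine Advantage'
if (Test-Path $wga) {
    Get-ChildItem -Path $wga -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer } |
        Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize
} else { "$wga no longer exists" }
```

Run it from a normal PowerShell prompt as the affected user (the poster's profile is the one the notes were found in). The CSV is what to attach alongside the FRST and MBAM logs: it gives a helper the note hash, the time window of the encryption run and the list of affected files without touching any of them, which matters because both the notes and the encrypted files are evidence and, if a decryption option ever becomes available, the encrypted originals are what it would need.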