Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


I think I got Cryptowall...but only partially.

  • This topic is locked This topic is locked
2 replies to this topic

#1 Dryheaves


  • Members
  • 2 posts
  • Local time:12:22 AM

Posted 01 November 2014 - 08:23 PM

Hello everyone, this is my first post on Bleeping Computer so bear with me please. It's a long one. Thanks! I'm running Win7 Pro 64 Bit.


On the night of October 29, I was doing some maintenance on my PC. Win7 has a tendency to fill up my C: drive so I was trying to open up some space. I ran a full scan from Advanced System Care and defragged the hd, deleted shadow copies up to the most recent restore point, deleted temp files, deleted some old NVidia driver files from installs dating back a few years, etc.

While I was doing this, I noticed that I was unable to open Outlook. I would get a message saying that Outlook could not open my default email folder because it was not a .pts file. I then noticed that some pictures saved to my desktop no longer had the "preview" and upon clicking them they would not open. Message said that they could not be found or were of a different file type. Many Word documents were unable to be opened too.

Microsoft Security Essentials was having a fit and would give pop ups in rapid succession telling me that there were detected threats being cleaned, but "no action needed."


Here are some of my symptoms:

  1. I have been unable to locate any type of "decrypt_instructions" file on any drive.

  2. There are a few "install_tor" files that were created around the time I was doing my maintenance. There are a handful of these, one of which I found in my Windows Users folder. It's not in every folder.

  3. I have seen no ransom messages.

  4. Turns out not all of my Word files are messed up. I was able to open Word, PDF, etc. that were saved to other partitions and external drives. Nothing on my C: drive seems to open.

  5. None of my pictures seem to open. From anywhere.

  6. Virus and Malware scans turn up a couple of trojans and your normal malware junk that's usually found. I quarantined and cleaned these. Symptoms are still here.

  7. There are 59 "install_tor" files found on my PC. They are all IE shortcuts and contain the following URL: https://paytordmbdekmizq.torsona.com/w02t6c


I am able to open some documents, but these are on different partitions. It seems all of my pictures and Outlook files are unable to be opened across the board. I also do not have any shadow copies from before the incident.


I am getting random Internet Explorer, COM Surrogate, and Windows Explorer "has stopped working" errors, and Security Essentials is still freaking out with pop ups every 90 seconds telling me that potential threats are being cleaned.


I am also getting random audio playing that sounds like ads, news updates, etc. When I open Task Manager, it is showing several Internet Explorer windows open to shopping websites. I haven't used IE and use Waterfox instead. I didn't turn IE on. I also cannot see these windows playing the audio.



So is this cryptowall? locker? Torrent locker? A variant?

Maybe it's none of these and I just screwed up the registry with my maintenance?


It seems that I have some form of Cryptowall, but the lack of ransom message or decrypt_instructions make me think I only contracted a portion of the virus.


Thank you for your help.


BC AdBot (Login to Remove)


#2 Dryheaves

  • Topic Starter

  • Members
  • 2 posts
  • Local time:12:22 AM

Posted 01 November 2014 - 10:48 PM



install_tor is now on my desktop and IE attempts to open the above mentioned URL upon startup. It fails to load the page. Still no sign of decrypt_instructions.

#3 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,744 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:22 AM

Posted 02 November 2014 - 09:46 PM

A repository of all current knowledge regarding CryptoWall & CryptoWall 2.0 is provided by Grinler (aka Lawrence Abrams), in this tutorial: CryptoWall and DECRYPT_INSTRUCTION Ransomware Information Guide and FAQ

Reading that Guide will help you understand what CryptoWall & CryptoWall 2.0 does and provide information for how to deal with it and possibly decrypt/recover your files. At this time there is no fix tool for CryptoWall.

CryptoWall 2.0 uses its own TOR gateways...see Updated CryptoWall 2.0 ransomware released that makes it harder to recover files.

There is also a lengthy ongoing discussion in this topic: CryptoWall - new variant of CryptoDefense.

Rather than have everyone start individual topics, it would be best (and more manageable for staff) if you posted any questions, comments or requests for assistance in that topic discussion.

The BC Staff
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users