Hello everyone, this is my first post on Bleeping Computer so bear with me please. It's a long one. Thanks! I'm running Win7 Pro 64 Bit.
On the night of October 29, I was doing some maintenance on my PC. Win7 has a tendency to fill up my C: drive so I was trying to open up some space. I ran a full scan from Advanced System Care and defragged the hd, deleted shadow copies up to the most recent restore point, deleted temp files, deleted some old NVidia driver files from installs dating back a few years, etc.
While I was doing this, I noticed that I was unable to open Outlook. I would get a message saying that Outlook could not open my default email folder because it was not a .pts file. I then noticed that some pictures saved to my desktop no longer had the "preview" and upon clicking them they would not open. Message said that they could not be found or were of a different file type. Many Word documents were unable to be opened too.
Microsoft Security Essentials was having a fit and would give pop ups in rapid succession telling me that there were detected threats being cleaned, but "no action needed."
Here are some of my symptoms:
I have been unable to locate any type of "decrypt_instructions" file on any drive.
There are a few "install_tor" files that were created around the time I was doing my maintenance. There are a handful of these, one of which I found in my Windows Users folder. It's not in every folder.
I have seen no ransom messages.
Turns out not all of my Word files are messed up. I was able to open Word, PDF, etc. that were saved to other partitions and external drives. Nothing on my C: drive seems to open.
None of my pictures seem to open. From anywhere.
Virus and Malware scans turn up a couple of trojans and your normal malware junk that's usually found. I quarantined and cleaned these. Symptoms are still here.
There are 59 "install_tor" files found on my PC. They are all IE shortcuts and contain the following URL: https://paytordmbdekmizq.torsona.com/w02t6c
I am able to open some documents, but these are on different partitions. It seems all of my pictures and Outlook files are unable to be opened across the board. I also do not have any shadow copies from before the incident.
I am getting random Internet Explorer, COM Surrogate, and Windows Explorer "has stopped working" errors, and Security Essentials is still freaking out with pop ups every 90 seconds telling me that potential threats are being cleaned.
I am also getting random audio playing that sounds like ads, news updates, etc. When I open Task Manager, it is showing several Internet Explorer windows open to shopping websites. I haven't used IE and use Waterfox instead. I didn't turn IE on. I also cannot see these windows playing the audio.
So is this Cryptowall? Locker? Torrent Locker? A variant?
Maybe it's none of these and I just screwed up the registry with my maintenance?
It seems that I have some form of Cryptowall, but the lack of a ransom message or decrypt_instructions makes me think I only contracted a portion of the virus.
Thank you for your help.