My friend's computer is infected with ransomware. She called the number on the screen and let them take over her computer. She thought she was talking to Microsoft. Now the computer is asking for a password which she never needed before. The guy on the phone said it will cost $200 for the password. My question is, if I use the OEM recovery partition to restore her computer to factory defaults, would you trust that to get rid of the virus? Is it possible for the virus to be lurking somewhere else? Do you think I need to wipe the hard drive and do a clean install? I kind of hate destroying the OEM recovery partition, but I will if it is necessary. She is bringing me the computer later today, so I have not looked at it yet. It's a Dell laptop.
Had this problem with my daughter's computer last month, also a Dell laptop. Booted Hiren, copied all her personal files (downloads, documents, pictures, videos etc.) to a portable drive. I had previously saved an image of her OS on the portable drive 3 years ago, so it was a simple job to erase the partition, restore the image, then copy her personal stuff back from the portable drive. I did not have to do more than erase the partition to clear the ransomware; no low-level format required. Later I thought of searching for all files with a recent date and erasing them one by one, but this method was less time consuming. Preparing for disaster by saving an image of a system when it's working well is a vital thing to do. Restoring from a clean ISO and reinstalling all your software from scratch is much more messy and requires that you have documented somewhere what you have installed, and saved all the installation disks ...T
As far as I know, no ransomware works with WSH disabled (it also disables something like 90% of malware), unless you run it (an exe) yourself.

Code:
reg add "HKLM\Software\Microsoft\Windows Script Host\Settings" /v "Enabled" /t REG_DWORD /d "0" /f
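As an added example that is not from the post above, this PowerShell script audits the setting that the reg add command writes, checking both the machine hive and the current user's hive, and applies the same hardening only if WSH is still effectively enabled. It assumes the documented WSH behaviour that a missing Enabled value means enabled (the default) and that a 0 in either hive disables scripting for the current user; the function names are my own.

```powershell
# Added example, not from the thread: audit and apply the WSH hardening.
# Assumption: absent Enabled value = enabled (default); a 0 in HKLM disables
# WSH for every user, a 0 in HKCU disables it for the current user.

function Get-WshEnabledValue {
    param([string]$Path)
    # Returns $null when the key or the Enabled value does not exist.
    $item = Get-ItemProperty -Path $Path -Name 'Enabled' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.Enabled
}

function Get-WshStatus {
    $hklm = Get-WshEnabledValue 'HKLM:\Software\Microsoft\Windows Script Host\Settings'
    $hkcu = Get-WshEnabledValue 'HKCU:\Software\Microsoft\Windows Script Host\Settings'
    # ($null -eq 0) is $false in PowerShell, so a missing value counts as enabled.
    $disabled = ($hklm -eq 0) -or ($hkcu -eq 0)
    [pscustomobject]@{
        MachineValue = $hklm
        UserValue    = $hkcu
        Effective    = if ($disabled) { 'Disabled' } else { 'Enabled' }
    }
}

function Disable-Wsh {
    # Same effect as the reg add in the post; requires an elevated shell.
    $path = 'HKLM:\Software\Microsoft\Windows Script Host\Settings'
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name 'Enabled' -PropertyType DWord -Value 0 -Force | Out-Null
}

$before = Get-WshStatus
Write-Host "Before: WSH is $($before.Effective)"
if ($before.Effective -eq 'Enabled') {
    Disable-Wsh
}
# Re-read the registry rather than trusting the write succeeded.
$after = Get-WshStatus
Write-Host "After:  WSH is $($after.Effective)"
$after | Format-List
```

Run it from an elevated PowerShell; a non-elevated run can still audit, but Disable-Wsh will fail on the HKLM write with an access denied error.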
Tools for use with SSDs all have to be taken with caution! Personally, I would only use tools from the manufacturer of the SSD!
Thanks everyone for the replies, I just thought I would give an update. It turned out the files were not encrypted. They just put a password on her computer. I was able to clear it with Hiren's BootCD. @Anteaus Thanks for your post. It reminded me I made a Restore USB drive when her computer was new. Luckily she was able to find it. This afternoon I used it to restore her laptop to factory defaults. I'm now in the process of installing all the updates (it's Windows 7). @tonto11 I'm definitely going to create an image after the updates and programs are installed.
Simplix is very handy to apply all the updates when restoring from a previously made image. Forgot to mention that previously ...T
Just so everyone knows, the Daz loader won't work to activate Windows 7 with Windows Script Host disabled. It will fail with an error about not being able to inject the certificate, and it doesn't give any indication that WSH being turned off is the problem. Is anyone aware of this being mentioned anywhere already? If not, and even if it is, the loader needs to be updated by Daz, or a wrapper script needs to be made (I'll volunteer) to turn on WSH, then run the loader, then afterwards disable WSH before rebooting. Or maybe a script that toggles WSH on and off, or 2 scripts, one to turn it on and one to turn it off. Any ideas on this? I don't want ransomware, but I don't want my boot code to get screwed up somehow 6 months from now and I get deactivated and I can't figure out why the loader doesn't work anymore. So right now I'm afraid to disable WSH, and I'm also afraid to leave it enabled.
As an interim fix you could put a copy of your post in the folder with your Daz loader to remind you to turn on WSH before you start fixing the loader. As I understand it, once installed, the loading process is: GRUB runs, copies the BIOS from ROM to RAM, adds the certificate, then passes the loading process to Windows, so the loader never sees that WSH is turned off. So it's only when you have to fix it that you need WSH. Am I wrong? ...T
Correct, after you run Daz's loader with WSH turned on, you can then turn off WSH and Windows will stay activated. WSH is only required to initially run the loader to activate.