A question about ransomware

Discussion in 'Application Software' started by TrustMe, Sep 13, 2017.

  1. TrustMe

    TrustMe MDL Member

    May 2, 2013
    189
    68
    10
    My friend's computer is infected with ransomware. She called the number on the screen and let them take over her computer. She thought she was talking to Microsoft. Now the computer is asking for a password which she never needed before. The guy on the phone said it will cost $200 for the password.

    My question is, if I use the OEM recovery partition to restore her computer to factory defaults, would you trust that to get rid of the virus? Is it possible for the virus to be lurking somewhere else? Do you think I need to wipe the hard drive and do a clean install? I kind of hate destroying the OEM recovery partition, but I will if it is necessary.

    She is bringing me the computer later today so I have not looked at it yet. It's a Dell laptop.
     
  2. pisthai

    pisthai Imperfect Human

    Jul 29, 2009
    7,221
    2,273
    240
  3. tonto11

    tonto11 MDL Addicted

    Jun 18, 2012
    612
    279
    30
    #3 tonto11, Sep 13, 2017
    Last edited: Sep 13, 2017
    Had this problem with my daughter's computer last month, also a Dell laptop.
    Booted Hiren's,
    copied all her personal files, downloads, documents, pictures, videos etc. to a portable drive.
    I had previously saved an image of her OS on the portable drive 3 years ago.
    So it was a simple job to erase the partition and restore the image,
    then copy her personal stuff back from the portable drive.
    I did not have to do more than erase the partition to clear the ransomware, no low-level format required.
    Later I thought of searching for all files with a recent date and erasing them one by one,
    but this method was less time consuming.

    Preparing for disaster by saving an image of a system when it's working well is a vital thing to do.
    Restoring from a clean ISO and reinstalling all your software from scratch is much more messy
    and requires that you have documented somewhere what you have installed, and saved all the installation disks.

    ...T
     
  4. TairikuOkami

    TairikuOkami MDL Expert

    Mar 15, 2014
    1,172
    1,055
    60
    As far as I know, no ransomware works with WSH disabled (it also disables like 90% of malware), unless you run it (exe) by yourself.

    Code:
    reg add "HKLM\Software\Microsoft\Windows Script Host\Settings" /v "Enabled" /t REG_DWORD /d "0" /f
     
  5. pisthai

    pisthai Imperfect Human

    Jul 29, 2009
    7,221
    2,273
    240
    Tools to use with SSDs all have to be taken with caution! Personally, I would only use tools from the manufacturer of the SSD!
     
  6. TrustMe

    TrustMe MDL Member

    May 2, 2013
    189
    68
    10
    Thanks everyone for the replies,
    I just thought I would give an update. It turned out the files were not encrypted. They just put a password on her computer. I was able to clear it with Hiren's BootCD.
    @Anteaus Thanks for your post. It reminded me I made a Restore USB drive when her computer was new. Luckily she was able to find it. This afternoon I used it to restore her laptop to factory defaults. I'm now in the process of installing all the updates (it's Windows 7).
    @tonto11 I'm definitely going to create an image after the updates and programs are installed.
     
  7. tonto11

    tonto11 MDL Addicted

    Jun 18, 2012
    612
    279
    30
    Simplix is very handy to apply all the updates when restoring from a previously made image.
    Forgot to mention that previously.

    ...T
     
  8. pf100

    pf100 Duct Tape Coder

    Oct 22, 2010
    2,069
    3,449
    90
    Just so everyone knows, the Daz loader won't work to activate Windows 7 with Windows Script Host disabled. It will fail with an error about not being able to inject the certificate, and it doesn't give any indication that WSH being turned off is the problem. Is anyone aware of this being mentioned anywhere already? If not, and even if it is, the loader needs to be updated by Daz, or a wrapper script needs to be made (I'll volunteer) to turn on WSH, then run the loader, then afterwards disable WSH before rebooting. Or maybe a script that toggles WSH on and off, or 2 scripts, one to turn it on and one to turn it off. Any ideas on this? I don't want ransomware, but I don't want my boot code to get screwed up somehow 6 months from now and I get deactivated and I can't figure out why the loader doesn't work anymore. So right now I'm afraid to disable WSH, and I'm also afraid to leave it enabled.
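    As an added example (not posted by anyone in this thread), a PowerShell snippet that reads the Windows Script Host "Enabled" value in both the machine and user hives and sets the HKLM value that the reg add command in post #4 writes, so the on/off toggle asked about above can be checked and applied without remembering the key path. The key paths and value meaning (0 = disabled, value absent = WSH enabled by default) are the documented WSH settings; the function names are my own, and setting HKLM needs an elevated prompt.

    ```powershell
    # Added example: inspect and set the Windows Script Host "Enabled" switch.
    # Reading works from a normal prompt; Set-WshEnabled needs an elevated one.
    $WshKeys = @{
        Machine = 'HKLM:\Software\Microsoft\Windows Script Host\Settings'
        User    = 'HKCU:\Software\Microsoft\Windows Script Host\Settings'
    }

    function Get-WshState {
        # One row per hive. An absent value means the default, i.e. WSH is on,
        # so a row showing "absent" after you hardened the box is worth noticing.
        foreach ($scope in $WshKeys.Keys) {
            $path  = $WshKeys[$scope]
            $value = (Get-ItemProperty -Path $path -Name Enabled -ErrorAction SilentlyContinue).Enabled
            [pscustomobject]@{
                Scope   = $scope
                Path    = $path
                Enabled = if ($null -eq $value) { 'absent (default: on)' }
                          elseif ($value -eq 0) { 'off' }
                          else                  { 'on' }
            }
        }
    }

    function Set-WshEnabled {
        # $true writes Enabled=1 (WSH on), $false writes Enabled=0 (WSH off),
        # machine-wide under HKLM, the same value the reg add one-liner sets.
        param([Parameter(Mandatory)][bool]$Enabled)
        $path = $WshKeys.Machine
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        New-ItemProperty -Path $path -Name Enabled -PropertyType DWord `
                         -Value ([int]$Enabled) -Force | Out-Null
        Get-WshState   # show the resulting state so the change is confirmed
    }

    # Usage:
    #   Get-WshState                  # audit current state
    #   Set-WshEnabled -Enabled $false  # disable WSH (what the reg add line does)
    #   Set-WshEnabled -Enabled $true   # re-enable it when a script host is genuinely needed
    ```

    Note that this only governs wscript.exe/cscript.exe (.vbs/.js/.wsf scripts); as post #4 says, it does nothing against an executable the user runs directly, and it does not restrict PowerShell.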
     
  9. tonto11

    tonto11 MDL Addicted

    Jun 18, 2012
    612
    279
    30
    As an interim fix you could put a copy of your post in the folder with your Daz loader to remind you to turn on WSH
    before you start fixing the loader.
    As I understand it, once installed, the loading process is:
    GRUB runs,
    copies the BIOS from ROM to RAM,
    adds the certificate,
    then passes the loading process to Win,
    so the loader never sees that WSH is turned off.

    So it's only when you have to fix it that you need WSH.
    Am I wrong?

    ...T
     
  10. pf100

    pf100 Duct Tape Coder

    Oct 22, 2010
    2,069
    3,449
    90
    Correct, after you run Daz' loader with WSH turned on, you can then turn off WSH and Windows will stay activated. WSH is only required to initially run the loader to activate.