Windows 7: A question about ransomware

1 Week Ago   #1
TrustMe

Windows 7 Home Premium 64bit
 
 
A question about ransomware

My friend's computer is infected with ransomware. She called the number on the screen and let them take over her computer. She thought she was talking to Microsoft. Now the computer is asking for a password which she never needed before. The guy on the phone said it will cost $200 for the password.

My question is, if I use the OEM recovery partition to restore her computer to factory defaults, would you trust that to get rid of the virus? Is it possible for the virus to be lurking somewhere else? Do you think I need to wipe the hard drive and do a clean install? I kind of hate destroying the OEM recovery partition but I will if it is necessary.

She is bringing me the computer later today so I haven't looked at it yet. It's a Dell laptop.


1 Week Ago   #2
samuria

win 8 32 bit
 
 

It doesn't sound like ransomware that encrypts your files but you can login. What exactly is asking for the password, Windows or BIOS? The recovery should work OK. We need to see a screenshot of it asking for the password to identify what it is. It may be worth getting a free bootable virus scanner CD and trying that as a first step. It can be a simple scam that just runs a file at startup, so Ctrl and C may break it, or Ctrl Alt Del may let you run Task Manager and kill it.
1 Week Ago   #3
mrjimphelps

Dual Boot Linux Mint 32-bit / Windows 7 Professional 64-bit
 
 

The OEM recovery partition process should sufficiently clean her computer. However, if she has a set of factory rebuild disks, that would be even better, because you would be using something to do the rebuild that will definitely not be infected. If she doesn't currently have these disks, she should be able to purchase a set of factory rebuild disks for her computer from Dell.

1 Week Ago   #4
TrustMe

Windows 7 Home Premium 64bit
 
 

@samuria, @mrjimphelps thanks for the replies. I will post a screenshot this evening when I receive the computer.

Thanks for reminding me about the Dell recovery drive. I remember making one when she first bought the computer. I just talked to her on the phone and she is going to look for it. I'll keep you posted.
1 Week Ago   #5
DonnaB

Win7 64-bit, Vista 32-bit, XP 32-bit, W2K 32-bit (VM)
 
 

Hi TrustMe,

Sorry to hear about your friend's computer. This is one of the oldest tricks in the book and so many people fall for it.

I agree that this type of ransomware is not the type that encrypts the personal data, though since she is being locked out of her computer till she pays the $200 ransom fee, it is one variation of many types of ransomware out there just waiting for its next victim. Without looking at a diagnostic log I/we could not determine if it is file-encrypting ransomware or not. Who knows what you will find once you get past that password.

Reformatting with the OEM recovery disks is the easiest way out and will ensure a clean machine since you are not sure what other types of malware had been installed, though it will wipe out all her personal files. We could try to remove the password on the computer, get any files off she just can not live without then reformat if you want to try that route, or if it is found that there are no serious backdoor trojans installed you may not need to reformat.

I am pretty sure that when you reformat using the OEM recovery partition (if there is one, and it is usually found on the D: drive) or the recovery disks themselves, the recovery partition will be reinstalled during the reformat. I think Dell only provides the ability to create recovery disks, though the manufacturer may have created that D: recovery partition.

Anyway, when you get possession of the computer, see if you can boot it into safe mode. If so, this could be a way around that password so we can get a diagnostic log to reverse whatever changes the scammer did when she allowed him to access the computer remotely. If safe mode is not an option, we could also use a USB flash drive to create a bootable USB and use a recovery .iso to get through the "backdoor", per se. Up to you though how you want to go about doing this.

Donna
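samuria's point that this kind of scam often amounts to "a file that runs at startup", and Donna's point that the scammer's remote session may have left other changes behind, both come down to the same triage question: what did the session add or alter? The script below is an added example written for this thread, not code from any of the posters. It assumes an elevated PowerShell prompt on the affected Windows 7 machine, logged in as the affected user (so the HKCU keys are hers), and sticks to PowerShell 2.0-era cmdlets, since Get-LocalUser and Get-ScheduledTask do not exist there. The 14-day window is an assumed value; adjust it to when the phone call happened. It only reads and prints; it changes nothing, so its output can be pasted into a thread like this one for review before deciding whether a reformat is really needed.

```powershell
# Added read-only triage script for a Windows 7 PC after a phone-scam remote session.
# Example code written for this thread, not from any poster. Assumes an elevated,
# PowerShell 2.0-compatible prompt in the affected user's session. Changes nothing.

$daysBack = 14   # assumed window for "recent" installs; adjust to the date of the call
$cutoff   = (Get-Date).AddDays(-$daysBack)

Write-Output "=== Registry autostart (Run/RunOnce) entries ==="
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $entry = Get-ItemProperty -Path $key
    foreach ($p in $entry.PSObject.Properties) {
        # PSPath, PSParentPath, etc. are PowerShell bookkeeping, not autostart values
        if ($p.Name -like 'PS*') { continue }
        Write-Output ("{0}  {1} = {2}" -f $key, $p.Name, $p.Value)
    }
}

Write-Output "=== Startup folder contents ==="
$startupDirs = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
)
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Force | ForEach-Object {
        Write-Output ("{0}  (modified {1})" -f $_.FullName, $_.LastWriteTime)
    }
}

Write-Output "=== Scheduled tasks outside the \Microsoft\ folder ==="
# schtasks /v repeats its CSV header once per task folder; those rows are dropped.
schtasks /query /fo CSV /v | ConvertFrom-Csv |
    Where-Object { $_.TaskName -ne 'TaskName' -and $_.TaskName -notlike '\Microsoft\*' } |
    ForEach-Object { Write-Output ("{0}  runs: {1}" -f $_.TaskName, $_.'Task To Run') }

Write-Output "=== Programs installed in the last $daysBack days ==="
$uninstallKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and $_.InstallDate } |
    ForEach-Object {
        # InstallDate is normally an 8-digit yyyyMMdd string; skip anything else
        if ($_.InstallDate -match '^\d{8}$') {
            $d = [DateTime]::ParseExact($_.InstallDate, 'yyyyMMdd', $null)
            if ($d -ge $cutoff) {
                Write-Output ("{0}  installed {1}" -f $_.DisplayName, $d.ToShortDateString())
            }
        }
    }

Write-Output "=== Enabled local accounts and when their password was last set ==="
# A newly set login password (as in this thread) shows up here as a recent date.
Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True AND Disabled=False" |
    ForEach-Object {
        $name = $_.Name
        # 'net user' reports the password-set date; Win7 WMI does not expose it
        $m = net user $name | Select-String 'Password last set'
        if ($m) { Write-Output ("{0}  {1}" -f $name, $m.Line.Trim()) }
    }
```

Anything this prints that the owner does not recognise (an autostart value pointing into a temp or profile folder, a task created outside the Microsoft tree, a remote-control program installed on the day of the call, a password-set date matching the call) is what to post for review; entries under Program Files from known vendors are usually noise. If the list is clean apart from the password, a reformat is still the safer choice given an unknown remote session, but the output at least says what the session left behind.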
1 Week Ago   #6
TrustMe

Windows 7 Home Premium 64bit
 
 

Hi DonnaB, Thanks for the reply.

I just wanted to give an update. There was no message about the password (she originally told me there was). On startup it just brought you to the normal login screen. She never used a password before. I used Hiren's Boot CD to clear the password and it booted to the desktop. From there I was able to save all her personal files to a portable hard drive.

She found the Factory Restore flash drive I made when the computer was new and I used it this morning to restore her computer. Now I'm in the process of installing all the updates. It's installing the first 35 now. It will probably take two days to install them all. lol

After the updates, she has a few programs I need to install.

Thanks everyone for your input.
1 Week Ago   #7
DonnaB

Win7 64-bit, Vista 32-bit, XP 32-bit, W2K 32-bit (VM)
 
 

Excellent! I love success stories. Nothing better than having friends who know their way around the computer. I am sure she will remember this experience for a long time coming. Please tell her to pass along her experience. If she tells 2 friends and they tell 2 friends (and so on and so on), maybe together we can all put these bad guys out of business who take advantage of the uneducated.

If you encounter any questions or concerns, please don't hesitate to ask.