I can't remove the ransomware wallpaper

Forums › Desktop computing › I can't remove the ransomware wallpaper

Gravy

14 posts

Geek
+1 received by user: 1

Topic # 173571 27-May-2015 22:43

Stupidly, of all things it was a recipe website that got me - it opened an unrelated page and I guess hit me when I clicked the button to close it. I've been running windows AV and it got straight through.

Anyway, lesson learned and I ran malwarebytes through the system first then did a factory reset. No way would I consider paying them for the key.

Following the reset, I still have the ransomware "theme" with wallpaper and colouring so I guess it must still be sitting somewhere. I've run an AV scan and it turned up nothing.

Laptop came with windows pre-installed so I can't do a format and reinstall as I don't have the dvd to do it.

Does anyone know where the remnants of this nasty thing might be sitting? Any ideas for another solution would be appreciated. I'm a bit worried a piece of this may be enough for it to crop up again.

cheers

Dynamic

2517 posts

Uber Geek
+1 received by user: 750

Trusted

Lifetime subscriber

Reply # 1313175 27-May-2015 22:50

If you are confident, open the registry and search for 'wallpaper'. Leave the registry keys in place but remove the data (the path and file name) from them and reboot.

"4 wheels move the body. 2 wheels move the soul."

“Don't believe anything you read on the net. Except this. Well, including this, I suppose.” Douglas Adams

roobarb

483 posts

Ultimate Geek
+1 received by user: 286

Trusted

Reply # 1313176 27-May-2015 22:51

One person supports this post

Normally when you get a machine without CD media they give you a recovery partition and a tool to create install disks to recover from in case of hard disk failure.

Using the recovery partition often gives you a number of levels of restore from just deleting user accounts to formatting and reinstalling the OS either in full or as a minimum install. I generally choose the minimal install to avoid all the freeloading crapware.

The format option from the recovery partition should not normally delete the recovery partition, just the C drive.

gzt

10677 posts

Uber Geek
+1 received by user: 1748

Reply # 1313179 27-May-2015 22:54

Does malware bytes still detect the ransomware?

DravidDavid

1889 posts

Uber Geek
+1 received by user: 317

Reply # 1313192 27-May-2015 23:26

gzt: Does malware bytes still detect the ransomware?

I'd say it would. It's a pretty good application and highly recommend it.

Sometimes what you don't get is a blessing in disguise!

gzt

10677 posts

Uber Geek
+1 received by user: 1748

Reply # 1313206 28-May-2015 00:03

Gravy: Laptop came with windows pre-installed so I can't do a format and reinstall as I don't have the dvd to do it.

As above there is nearly always a way to do that. Name the brand and model and someone will tell you exactly how.

lNomNoml

1108 posts

Uber Geek
+1 received by user: 249

Reply # 1313211 28-May-2015 00:39

Give your PC a scan with the ESET online scanner, just to make sure.

linw

1982 posts

Uber Geek
+1 received by user: 403

Subscriber

Reply # 1313249 28-May-2015 08:46

Worth trying ADWCleaner as well. It has found stuff that Malwarebytes missed.

Good luck.

Gravy

14 posts

Geek
+1 received by user: 1

Reply # 1313276 28-May-2015 09:40

Does malware bytes still detect the ransomware?

Yeah it did. It picked up the trojans related but I guess it doesn't eliminate everything. It won't decrypt files of course but nothing available right now was able to do it. Tried pretty much everything a fairly extensive google search turned up. Luckily this one didn't completely freeze the system it just shut down the interwebby from to time.

Most files were backed up externally so I haven't really lost much out of this apart from a damaged ego and sore after a massive face palm.

I wondered if there may be something in the registry seeing as I can't get rid of the "theme" but not overly keen to play around with it. I might have a wee gander and search for wallpaper as suggested above.

Thanks for all your help everyone. I'll have a crack at some these things when I get home.

johnr

19282 posts

Uber Geek
+1 received by user: 2600
Inactive user

Reply # 1313289 28-May-2015 10:08

' recipe website ' ;)

hio77

'That VDSL Cat'
9922 posts

Uber Geek
+1 received by user: 2323

Trusted

Spark

Subscriber

Reply # 1313306 28-May-2015 10:24

http://www.howtogeek.com/howto/16929/prevent-users-from-changing-screen-saver-and-wallpaper-in-windows-7/

check that it hasnt simply flagged the prevent changing option in the registry.

johnr: ' recipe website ' ;)

hey now, thats a recipe for something....

#include <std_disclaimer>

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.

1101

1704 posts

Uber Geek
+1 received by user: 410

Reply # 1313367 28-May-2015 11:39

Malware removal, for malware as nasty as that, isnt as simple as running a few scanners across it

It could have made many other changes to the system itself : services disabled, hidden or protected registry entries added, proxies added, added entries in scheduled tasks, changes at a policy level, browser shortcuts changed etc etc etc

It really should be wiped & reloaded/re-imaged.

If its Win8 , there is a good restore/refresh utility built in
laptops sometimes have a recovery partition , you can use that to re-install (Re-image) windows
you can often buy system recovery disks from the manufacturer, sometimes they will send them for free

Its a long shot, but try using system restore to restore to before the infection happened.
a long shot as malware usually removes previous restore points.

gbwelly

770 posts

Ultimate Geek
+1 received by user: 326

Subscriber

Reply # 1313430 28-May-2015 12:46

Burn it with fire, or at least DBAN it and reinstall. The machine can no longer be trusted as it stands.

cyberhub

224 posts

Master Geek
+1 received by user: 22

Reply # 1313559 28-May-2015 15:15

roobarb: Normally when you get a machine without CD media they give you a recovery partition and a tool to create install disks to recover from in case of hard disk failure.

Using the recovery partition often gives you a number of levels of restore from just deleting user accounts to formatting and reinstalling the OS either in full or as a minimum install. I generally choose the minimal install to avoid all the freeloading crapware.

The format option from the recovery partition should not normally delete the recovery partition, just the C drive.

+1 Pretty much every new Windows PC has this recovery. Just Google the make and model of your laptop along with factory reset and you will get instructions about how to restore it.

Best way to be completely sure that you have gotten rid of it as you don't know what else may of been installed such as keyloggers, botnet etc.

CyberHub - Hosting Made Simple

Gravy

14 posts

Geek
+1 received by user: 1

Reply # 1313690 28-May-2015 20:21

One person supports this post

johnr: ' recipe website ' ;)

Yeah I figured that would sound like rubbish but it's actually completely honest. When I clicked it from the Google search it posted up a new page over the IE session that had did have porn on it. It was clicking off it that infected the computer - one of those get em if they enter or get em if they don't things. I stupidly hit the "close window" button instead of closing the window remotely.

Hell if I got it looking up porn I wouldn't be half as p!$$ed at myself for being so dumb.

Azzura

358 posts

Ultimate Geek
+1 received by user: 51

Reply # 1316533 3-Jun-2015 04:08

Did you see if it's in the add/remove programs area of windows. Sometimes it pays to check...