Geekzone: technology news, blogs, forums
Topic # 173571 27-May-2015 22:43

Stupidly, of all things it was a recipe website that got me. It opened an unrelated page and I guess hit me when I clicked the button to close it. I've been running Windows AV and it got straight through.

Anyway, lesson learned and I ran malwarebytes through the system first then did a factory reset. No way would I consider paying them for the key.

Following the reset, I still have the ransomware "theme" with wallpaper and colouring so I guess it must still be sitting somewhere. I've run an AV scan and it turned up nothing.

Laptop came with Windows pre-installed so I can't do a format and reinstall as I don't have the DVD to do it.

Does anyone know where the remnants of this nasty thing might be sitting? Any ideas for another solution would be appreciated. I'm a bit worried a piece of this may be enough for it to crop up again.

cheers

Reply # 1313175 27-May-2015 22:50

If you are confident, open the registry and search for 'wallpaper'. Leave the registry keys in place but remove the data (the path and file name) from them and reboot.
"4 wheels move the body. 2 wheels move the soul."

“Don't believe anything you read on the net. Except this. Well, including this, I suppose.” Douglas Adams

Reply # 1313176 27-May-2015 22:51

Normally when you get a machine without CD media they give you a recovery partition and a tool to create install disks to recover from in case of hard disk failure.

Using the recovery partition often gives you a number of levels of restore from just deleting user accounts to formatting and reinstalling the OS either in full or as a minimum install. I generally choose the minimal install to avoid all the freeloading crapware.

The format option from the recovery partition should not normally delete the recovery partition, just the C drive.

gzt

Reply # 1313179 27-May-2015 22:54

Does Malwarebytes still detect the ransomware?

Reply # 1313192 27-May-2015 23:26

gzt: Does Malwarebytes still detect the ransomware?

I'd say it would. It's a pretty good application and I highly recommend it.
Sometimes what you don't get is a blessing in disguise!

gzt

Reply # 1313206 28-May-2015 00:03

Gravy: Laptop came with Windows pre-installed so I can't do a format and reinstall as I don't have the DVD to do it.

As above there is nearly always a way to do that. Name the brand and model and someone will tell you exactly how.

Reply # 1313211 28-May-2015 00:39

Give your PC a scan with the ESET online scanner, just to make sure.

Reply # 1313249 28-May-2015 08:46

Worth trying AdwCleaner as well. It has found stuff that Malwarebytes missed.

Good luck.

Reply # 1313276 28-May-2015 09:40

gzt: Does Malwarebytes still detect the ransomware?

Yeah it did. It picked up the related trojans, but I guess it doesn't eliminate everything. It won't decrypt files of course, but nothing available right now was able to do it. Tried pretty much everything a fairly extensive Google search turned up. Luckily this one didn't completely freeze the system; it just shut down the interwebby from time to time.

Most files were backed up externally so I haven't really lost much out of this apart from a damaged ego and a sore face after a massive face palm.

I wondered if there may be something in the registry seeing as I can't get rid of the "theme", but I'm not overly keen to play around with it. I might have a wee gander and search for wallpaper as suggested above.

Thanks for all your help everyone. I'll have a crack at some of these things when I get home.

Reply # 1313289 28-May-2015 10:08

' recipe website ' ;)

'That VDSL Cat'

Reply # 1313306 28-May-2015 10:24

http://www.howtogeek.com/howto/16929/prevent-users-from-changing-screen-saver-and-wallpaper-in-windows-7/

Check that it hasn't simply flagged the prevent-changing option in the registry.

johnr: ' recipe website ' ;)


Hey now, that's a recipe for something....

#include <std_disclaimer>

Any comments made are personal opinion and do not reflect directly on the position my current or past employers may have.


Reply # 1313367 28-May-2015 11:39

Malware removal, for malware as nasty as that, isn't as simple as running a few scanners across it.

It could have made many other changes to the system itself: services disabled, hidden or protected registry entries added, proxies added, added entries in scheduled tasks, changes at a policy level, browser shortcuts changed, etc. etc. etc.

It really should be wiped & reloaded/re-imaged.

If it's Win8, there is a good restore/refresh utility built in.
Laptops sometimes have a recovery partition; you can use that to re-install (re-image) Windows.
You can often buy system recovery disks from the manufacturer; sometimes they will send them for free.

It's a long shot, but try using System Restore to restore to before the infection happened.
A long shot as malware usually removes previous restore points.
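The two suggestions above (search the registry for the wallpaper value and for the policy flag that locks it, and check the other places a remnant could be hiding: autostart entries, proxies, scheduled tasks) can be turned into one read-only audit. The script below is an added example, not code from this thread or from Geekzone. It only reports what is set and changes nothing; the decision to wipe and reload still stands. The registry paths are the standard Windows ones (the `NoChangingWallPaper` value under `Policies\ActiveDesktop` is the one the howtogeek link describes); `Get-ScheduledTask` needs Windows 8 / PowerShell 4 or later, so the Windows 7 fallback is `schtasks /Query /FO LIST /V`.

```powershell
# Added example: read-only audit of the spots named in this thread as likely
# hiding places for ransomware "theme" remnants and persistence.
# Not code from the thread; run from an elevated PowerShell. Nothing here
# modifies the system, it only prints what is currently set.

function Show-Value {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        "{0}\{1} = {2}" -f $Path, $Name, $item.$Name
    } else {
        "{0}\{1} : (not set)" -f $Path, $Name
    }
}

"== Wallpaper values (the 'search for wallpaper' advice above) =="
Show-Value 'HKCU:\Control Panel\Desktop' 'Wallpaper'
Show-Value 'HKCU:\Control Panel\Desktop' 'WallpaperStyle'

"== Policy values that lock the wallpaper (the howtogeek link above) =="
# A value of 1 means the user cannot change the wallpaper; a home machine
# that nobody has deliberately locked down should have none of these set.
Show-Value 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop' 'NoChangingWallPaper'
Show-Value 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop' 'NoChangingWallPaper'
# A wallpaper path forced by policy overrides the Control Panel value entirely,
# which is why clearing only 'Control Panel\Desktop' may not make the theme go away.
Show-Value 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' 'Wallpaper'

"== Autostart (Run / RunOnce) entries =="
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($props) {
        # Skip the PSPath/PSParentPath/... metadata that Get-ItemProperty adds.
        $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { "{0}\{1} = {2}" -f $key, $_.Name, $_.Value }
    }
}

"== Proxy settings (a malware-added proxy shows up here) =="
Show-Value 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' 'ProxyEnable'
Show-Value 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' 'ProxyServer'
Show-Value 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' 'AutoConfigURL'

"== Scheduled tasks outside the \Microsoft\ folder =="
# Windows 8+ / PowerShell 4+ only; on Windows 7 use:  schtasks /Query /FO LIST /V
Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
    ForEach-Object {
        $actions = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        "{0}{1} -> {2}" -f $_.TaskPath, $_.TaskName, $actions
    }
```

Anything the script lists that you do not recognise is worth noting before the reinstall, but the output is a clue, not a clean bill of health: it cannot see a hidden or protected key, a disabled service, or a replaced shortcut, which is exactly the point made above.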

Reply # 1313430 28-May-2015 12:46

Burn it with fire, or at least DBAN it and reinstall. The machine can no longer be trusted as it stands.

Reply # 1313559 28-May-2015 15:15

roobarb: Normally when you get a machine without CD media they give you a recovery partition and a tool to create install disks to recover from in case of hard disk failure.

Using the recovery partition often gives you a number of levels of restore from just deleting user accounts to formatting and reinstalling the OS either in full or as a minimum install. I generally choose the minimal install to avoid all the freeloading crapware.

The format option from the recovery partition should not normally delete the recovery partition, just the C drive.


+1 Pretty much every new Windows PC has this recovery. Just Google the make and model of your laptop along with "factory reset" and you will get instructions about how to restore it.

Best way to be completely sure that you have gotten rid of it, as you don't know what else may have been installed such as keyloggers, botnet etc.

Reply # 1313690 28-May-2015 20:21

johnr: ' recipe website ' ;)


Yeah I figured that would sound like rubbish but it's actually completely honest. When I clicked it from the Google search it posted up a new page over the IE session that did have porn on it. It was clicking off it that infected the computer, one of those "get 'em if they enter or get 'em if they don't" things. I stupidly hit the "close window" button instead of closing the window remotely.

Hell if I got it looking up porn I wouldn't be half as p!$$ed at myself for being so dumb.

Reply # 1316533 3-Jun-2015 04:08

Did you see if it's in the Add/Remove Programs area of Windows? Sometimes it pays to check...
