
Ransomware



Terryl
03-18-2017, 12:24 AM
OK kids, got a customer with a PC that has been hit by ransomware. It's got the W10 upgrade (from W7), so the recovery disks are useless and he did not create a new one.

So I have pulled the hard drive and I'm doing all the A/V, malware and spyware scans while it's outside the system.

Now if it does not find anything, how do I fix it?

It comes up with a page asking for a password, and all passwords do not work. I have tried looking for any passwords using a password-finding tool, and all it came up with are the user's passwords and the admin password; those do nothing.

This page asks for the password, and if you get it wrong three times it resets the PC.

I guess I may have to download a Windows 10 ISO file and start fresh if the scans don't find anything.

Anyone with any ideas, it would help.

nobodyspecial
03-18-2017, 12:35 AM
There have been some articles which say there is no way to fix it. That was a few months ago though.

auggie
03-18-2017, 01:13 AM
Have you been able to ID the ransomware (which one, Petya or Locky, etc.)?

There is a website, ID Ransomware, that says it can ID it and give suggestions on what tools/decryptor to use.

I am no expert on this, just offering some ideas.

Petya ransomware decrypt tool & password generator

Terryl
03-18-2017, 02:16 AM
No, no idea on the type/name of this POS, but it's looking like a reformat. The bad part is that I have to download an ISO file for W10 and burn my own DVD.

Then try a recovery.... I would like to find out who is doing this and send a few of my guys over to mess with them.

auggie
03-18-2017, 02:35 AM
You can try here: emsisoft.com. They have a lot of free decrypter programs you can download/try.

nob0dy
03-18-2017, 03:12 PM
I would use rkill, it should stop it... then regedit >>> find program/virus >>> open with C+ or hex editor >> get email where money is supposed to be sent >> then go from there...

auggie
03-18-2017, 05:19 PM
You can go here: id-ransomware.malwarehunterteam.com

This should ID (name) it and offer tools/suggestions on how to deal with it.

scooby8888
03-18-2017, 07:26 PM
I've always had luck with starting it in safe mode, and SuperAntiSpyware works for most of the crap I get lol

Terryl
03-18-2017, 10:08 PM
Well Scooby, if I could get it to safe mode it would be the first thing I would do, but the very first thing that comes up after the BIOS is a little box asking for a password, and it's none of the system or users' passwords; it's a password from whoever downloaded the ransomware. I have a couple of cruise missiles ready for that guy if I can find him.

I have pulled the hard drive out of the infected PC and have it hooked into the test bed (a special computer that allows me to run tests on external hard drives). I'm running every known form of scan I can find on it (and it has found a ton of stuff, some OK like cookies, but other stuff is bad). Once done I will re-install it and see what happens.

Auggie, will that run on a stand-alone drive? (This comes up as a "G" drive.)

auggie
03-18-2017, 10:23 PM
Auggie, will that run on a stand-alone drive? (This comes up as a "G" drive.)
Not sure. You upload a ransom file to them and they will try to ID it and give you options etc.
Have you tried a boot CD/DVD like PCUnlocker, or Linux, to bypass/reset (passwords, to get in, back door)?
I'm no tech on this stuff, just what has worked for me when I got bit a while back.
The common thing to all this seems to be W10; have had people/friends with the same thing.

auggie
03-18-2017, 10:36 PM
Are you locked out of the drive by encryption of files (asking for $$ to unlock) or a rootkit etc.?
If the files are locked by encryption (ransom) then I would suggest you go to id-ransomware.malwarehunterteam.com
and see if they can help you out.

ttboy
03-19-2017, 12:21 AM
This may be some help with identification:

Terryl
03-19-2017, 08:00 PM
Nope, none of those match what I have.

All I get after the BIOS screen is a blue background with a small rectangular box about 4 inches by 2 inches asking for a password, with a Next button and a Reset button at the bottom; if you try 3 times with the wrong password the PC will reboot.

I can't take a screenshot as it can't get past this. I may round up the digital camera and see if I can get a shot of it.

However, the external scans have found a ton of junk and have purged this drive; will be trying it out as soon as the last one is done.

Terryl
03-19-2017, 08:40 PM
Sorry, it's a black background. Here is a photo; this is as far as it will let you go.

And none of the passwords stored in the computer will work.

The Noof
03-19-2017, 08:49 PM
Do you know if the files have been encrypted, Terry? If you run the drive as a slave, can you see the directories/folders?

auggie
03-20-2017, 01:21 AM
You can also try here: www dot nomoreransom dot org
May be able to help.

Terryl
03-20-2017, 01:41 AM
When I run it on the test bed I can see all files and folders.

auggie
03-20-2017, 01:47 AM
Just a shot, for the password, have you tried 123 or 1234 or 12345?

Terryl
03-20-2017, 05:00 AM
Just a shot, for the password, have you tried 123 or 1234 or 12345?

Yup, and I think this one is toast, as no one can ID the ransomware. I have tried all known scanners and nothing gets by the password screen.

The Noof
03-20-2017, 10:56 AM
Cut & run.... I would pull/save/disinfect any critical data & format. I have been lucky enough to defeat ransomware twice, but the O/S was never the same anyways. It seems the disinfecting was fatal.

nob0dy
03-20-2017, 04:50 PM
I know the feeling, I've bombed my own computer quite a few times making those things in the past...

Terryl
03-20-2017, 06:56 PM
Hmmm... reformat may be an idea. If I can just format the "C" drive and then recover from the "D" drive it may work, but this one had the free upgrade to W10; it came with W7. I wonder if it would come back as W7?

And I have saved all photos and other data to a USB drive.

I have downloaded an ISO file for Windows 10, but I need a slightly larger recordable DVD than 4.7 GB, as when I try to burn it to DVD it needs about 300 MB more than what's available on the DVD.

And I'm having problems burning it to an 8 GB USB drive; it just won't do it.

nob0dy
03-20-2017, 07:46 PM
No, I have the answer, give me a second to find the program...

I used the second one:
https://www.lifewire.com/free-windows-password-recovery-tools-2626179

Only problem is these types of malware morph, e.g. say the original file downloaded was test.exe... a good one morphs & changes itself to dll, jpg etc. etc.... & doesn't stop.

In this case, if the above doesn't work, the only option you have is to manually remove it: Start >> Search/Run >> type msconfig >>> uncheck "Load startup services" under the General tab >>> Apply >>> reboot >>> msconfig >>> Startup tab >> check Manufacturer >>> look for Unknown... >>> if you don't know what the program is, hit Disable >> regedit >> & I'll show you how to manually remove it...

Worst case, remove the hard drive from the PC, put it in an enclosure & scan from a clean computer... with the correct tools...

Terryl
03-21-2017, 12:29 AM
OK, after posting at several AV forums I have found out it is not ransomware but a SYSKEY scam. I need to find out how to edit the SAM folder; if I set the syskey back to zero it should start normally.

auggie
03-21-2017, 12:40 AM
This might help. Hopefully this will fix the problem. You need to do this offline with a Linux disk, as it cannot be done in Windows. The first thing to check is the date of the hives in the following directory: C:\Windows\System32\config\RegBack. The hives must be dated before the date of your problem.

Download Parted Magic here. Burn the ISO file to a CD on a Windows 7 or later computer by right-clicking and selecting Burn Disk Image. You will need to disable Secure Boot in your UEFI settings and enable Legacy or CSM boot. Your computer may have a boot menu accessed at boot by tapping a key to select the boot device, in your case the optical drive.

At the Parted Magic desktop you should mount your devices per this guide (see second image). Browse to the RegBack folder to confirm that the date on the hives in RegBack is before the date in the config folder. If it is, rename the following hives in config:

SAM to SAM.bak

SOFTWARE to SOFTWARE.bak

DEFAULT to DEFAULT.bak

SECURITY to SECURITY.bak

SYSTEM to SYSTEM.bak

Copy the above hives from RegBack to config. Exit out of Parted Magic and reboot.
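The hive-restore procedure above, written out as a shell script to run from the Linux live environment once the Windows volume is mounted read-write. This is an added example, not from the thread, Parted Magic or Microsoft. It assumes you pass the path of the mounted volume's Windows\System32\config directory (the /mnt/windows mount point in the comments is an assumption). It performs the date check the post insists on before touching anything, refuses zero-byte RegBack hives, and refuses to overwrite an existing .bak so a second run cannot destroy the only copy of the original hives.

```shell
#!/bin/sh
# Offline RegBack hive restore for a Syskey-locked Windows install.
# Added example following the steps in the post above; not from the thread.
# Assumes a Linux live environment with the Windows volume mounted read-write,
# and takes the path of its System32\config directory, for example:
#   sh restore_hives.sh /mnt/windows/Windows/System32/config   (path assumed)
# Image the drive first: this rewrites the registry hives in place.

HIVES="SAM SOFTWARE DEFAULT SECURITY SYSTEM"

# Print the path of the entry in DIR whose name matches NAME case-insensitively.
# Windows filesystems ignore case, so on a Linux mount the folder may show up
# as RegBack or regback and the hives as SAM or sam.
find_entry() {
    find "$1" -mindepth 1 -maxdepth 1 -iname "$2" | head -n 1
}

# Return 0 only if every hive exists in both config and RegBack, every RegBack
# copy is non-empty, and none is newer than the live hive it would replace.
# A RegBack hive written after the lock-out already carries the Syskey and
# restoring it would just reproduce the password prompt.
check_regback() {
    config=$1
    regback=$(find_entry "$config" regback)
    [ -n "$regback" ] || { echo "no RegBack folder under $config" >&2; return 1; }
    for h in $HIVES; do
        live=$(find_entry "$config" "$h")
        bak=$(find_entry "$regback" "$h")
        [ -f "$live" ] || { echo "live hive $h missing" >&2; return 1; }
        [ -s "$bak" ]  || { echo "RegBack hive $h missing or empty" >&2; return 1; }
        if [ "$bak" -nt "$live" ]; then
            echo "RegBack $h is newer than the live hive; not safe to restore" >&2
            return 1
        fi
    done
    return 0
}

# Rename each live hive to NAME.bak and copy the RegBack hive into its place.
# Aborts before changing anything if a .bak already exists. Returns 0 on success.
restore_hives() {
    config=$1
    check_regback "$config" || return 1
    regback=$(find_entry "$config" regback)
    for h in $HIVES; do
        if [ -e "$config/$h.bak" ]; then
            echo "$h.bak already exists; refusing to overwrite it" >&2
            return 1
        fi
    done
    for h in $HIVES; do
        live=$(find_entry "$config" "$h")
        bak=$(find_entry "$regback" "$h")
        mv "$live" "$config/$h.bak" || return 1
        cp -p "$bak" "$config/$h" || return 1
        echo "restored $h from $(basename "$regback")"
    done
    return 0
}

# Script entry point: restore_hives.sh <path to Windows/System32/config>
if [ $# -gt 0 ]; then
    restore_hives "$1"
fi
```

Two caveats a practitioner should know before relying on this. First, the non-empty check matters more than it looks: from Windows 10 version 1803 onward, Windows no longer writes hive backups to RegBack by default (the files exist but are 0 bytes) unless the EnablePeriodicBackup registry value has been set, so on newer installs the folder is often useless and a System Restore point or a full image is the fallback. Second, this restores all five hives, so any software, driver or account-password change made between the RegBack snapshot and the lock-out is rolled back along with the Syskey.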

The Noof
03-21-2017, 12:42 AM
I thought this was interesting, Terry:

...as long as you can access this while the drive is a slave.

auggie
03-21-2017, 12:57 AM
You can also go here: hxxp://triplescomputers.com/blog/casestudies/solution-this-is-microsoft-support-telephone-scam-computer-ransom-lockout/ It gives a step-by-step (ISO download) on how to solve it.

jets
03-21-2017, 04:33 AM
If you can access the data, save it and reinstall Windows 7 with a format. You can enter the product key from the sticker. Windows 10 is probably why he got the virus in the first place.

Terryl
03-21-2017, 04:34 AM
WOW, what a battle, got it fixed. I tried all suggestions from you all but finally found this one to work:

https://www.sevenforums.com/tutorials/243880-syskey-set-startup-password-lock-unlock-windows.html

Had to do some registry editing but got it going. Many, many, many thanks to all that helped.

Terryl

The Noof
03-21-2017, 11:05 AM
May ALL your problems be so small...lol