[dreadpiratedazza]

Hi, I'm trying to sort out my girlfriend's laptop. She couldn't get access to the internet or to her files and hadn't been updating her windows or her firewall, so it was totally vulnerable. Installed on the desktop were two files, both the same entitled "Help! Your Files!". They informed her that her files has been encrypted with RSA-2048 and that a ransom needed to be paid. The email address started with "xoomx".

 

So I changed the bootup settings with a view to removing the ransomware, so the laptop went into safe mode. However, after I did this and rebooted the computer and went to put the pin in on the opening screen it wouldn't let me in. The pin had then been changed. So at the moment I can't get access to the computer at all. So the first hurdle is to get past the opening screen.

 

The windows version is 8 and it is an Acer Aspire V5-132P laptop. At the moment I have no other details for the laptop as it is unfamiliar to me.

 

Many thanks

[Advertisements]

Hi dreadpiratedazza,

I do apologize for the delay. Do you still need help?

If so...

Are you sure the OS is 8 and not 8.1?
Do you have access to a clean computer to download and transfer files and a blank USB drive of at least 4GB storage?

[DonnaB]

Hi dreadpiratedazza,

I do apologize for the delay. Do you still need help?

If so...

Are you sure the OS is 8 and not 8.1?
Do you have access to a clean computer to download and transfer files and a blank USB drive of at least 4GB storage?

[dreadpiratedazza]

Hi, yes still need help. I do have a blank USB drive.. Not sure what version it is though. How can I tell if its win 8 or 8.1?

thanks

[DonnaB]

Hi dreadpiratedazza,

After asking around a bit, I think we could go with the 8.1 version... I will post the instructions at the end of this reply, then I will be sending you the link for the W8.1 RE.iso in a private message. The site has limited bandwidth for downloads and I prefer not to post it on the public forum...

In regards to the following:

So I changed the bootup settings with a view to removing the ransomware, so the laptop went into safe mode. However, after I did this and rebooted the computer and went to put the pin in on the opening screen it wouldn't let me in. The pin had then been changed. So at the moment I can't get access to the computer at all. So the first hurdle is to get past the opening screen.

Was a local admin account created or is there only the Microsoft acct?

Instructions to create bootable USB drive. I am pretty sure the system is 64-bit, so follow those instructions:

Download the following three programs to your desktop and create bootable USB as follows:

1. Rufus

For 64bit systems
2. W8.1 RE.iso ... I will PM the download link
3. Farbar Recovery Scan Tool x64

Insert the USB stick Then run Rufus

Select the ISO file on the desktop via the ISO icon.

Press Start Burn

Then copy FRST to the same USB

Insert the USB into the sick computer and start the computer. First ensuring that the system is set to boot from USB
Note: If you are not sure how to do that follow the instructions Here


When you reboot you will see this.
Click repair my computer

Select your operating system

Select Command prompt

At the command prompt type the following :

notepad

Press Enter. The notepad opens.
Under File menu select Open.
Select "Computer" and find your flash drive letter and close the notepad.

In the command window type e:\frst64.exe or e:\frst.exe dependant on system and press Enter

Note: Replace letter e with the drive letter of your flash drive.

The tool will start to run.
When the tool opens click Yes to disclaimer.

Press Scan button.
It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

[DonnaB]

Hi dreadpiratedazza,

Afterthoughts....

You can try enabling the built-in administrator account by following the instructions in the link below:

Offline enable the Windows 8 built-in administrator account

The first method might be easiest.

Honorable mention: Many thanks to SleepyDude for his guidance.

[dreadpiratedazza]

Hi DonnaB,

sorry for not replying sooner, lots of work on. Don't give up on me! I will start going through all your advice. Thanks

[dreadpiratedazza]

"Select the ISO file on the desktop via the ISO icon."

 

​I've downloaded all three files. Ive run Rufus, but I'm not sure what you mean by this instruction "via the ISO icon". I have an icon on the desktop, do I just run it?

[DonnaB]

Hi dreadpiratedazza,

I am sorry for the delay. Work has me overwhelmed also
 

but I'm not sure what you mean by this instruction "via the ISO icon".

I got stuck on that instruction the first time I played around with Rufus as well.. You will need to open Rufus to find the icon in question. See image below:



I have outlined the icon (and drop down field) in green. The version of the .iso file, if done correctly, will display at the bottom left of the Rufus window as shown in the image above.

[dreadpiratedazza]

Hi Miss Congeniality,

 

I'm back! Its not quite 2 months is it? I have finished all my studies now so I am free to concentrate on this.

 

First up: the system is Windows 8.1

 

I have set up the USB boot as per your instructions I think. I am trying to use it but it keeps going round in circles on me. I have manages to enter BIOS and changed the boot order to my 32GB sandisk cruzer blade.

However, all I get is  a prompt to select the keyboard type and then I am back to the screen with 4 options: continue to windows 8.1, use a device, troubleshoot, turn off your PC. I choose 'use a device' and then select my USB drive. Then I am back to the keyboard prompt.

 

So, what's next?

 

thanks

[DonnaB]

Hi dreadpiratedazza,

Do you have another W8.1 that you can try the bootable USB on to make sure it is the computer giving you the problem and not that the USB was not created properly?

If you can not get this bootable RE.iso USB to work properly so we can get a scan log, you will have to take it to local tech shop to have them reload the hard drive for you. Not much else that we can do..

[dreadpiratedazza]

Thanks for all your help. In the end because I wasn't bothered about any data on the laptop and found the reset facility in Windows 8.1. It has solved everything.

 

By the way, what software would you recommend to stop this from happening again?

 

thanks

Darren