Just roll back to latest image (Macrium!) ... and nothing happened!
It is nearly impossible to figure out, so many businesses with IT depts. that get hit just pay. As your friend suggested, you are VERY lucky that everything except your OS was not encrypted, which is what happened to me. As PrivacyFreak suggested, save those files; someone will eventually make a decryption key. If you already have them backed up, skip them in the next step.
Disconnect from the internet and back up your data to external drive(s). Then do a full, clean install, including letting Windows repartition to one space (pay attention to Steps 10 and 11). This is the ONLY 100% guaranteed way to remove any and all ransomware or viruses present (a Repair install will retain them). When finished, you can create a new D partition/drive and restore your data. Good Luck. - Clean Install Windows 10
If Windows Defender is your only AV, you can enhance ransomware coverage by enabling Controlled Folder Access, which blocks untrusted apps from accessing your This PC folders. It may be a pain to whitelist apps as you go along, but you shouldn't have too many programs not recognized by Defender - https://winaero.com/blog/controlled-...ss-windows-10/
Last edited by mrgeek; 03 Jan 2019 at 10:50.
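The Controlled Folder Access setup mrgeek describes, as an added example that is not from any poster in this thread: start in audit mode so legitimate programs can be allow-listed before enforcement, then switch to Enabled. Run from an elevated PowerShell prompt; the folder and application paths are constructed placeholders.

```powershell
# Added example: enabling Windows Defender Controlled Folder Access (CFA).
# Paths below are constructed placeholders, not real programs/folders.
#Requires -RunAsAdministrator

# 1. Check the current state: 0 = Disabled (the default), 1 = Enabled, 2 = AuditMode.
$pref = Get-MpPreference
"Current CFA state: $($pref.EnableControlledFolderAccess)"

# 2. The weak/default setting leaves CFA off, so any process may rewrite
#    Documents, Pictures, etc.:
#    Set-MpPreference -EnableControlledFolderAccess Disabled

# 3. Turn on audit mode first. Nothing is blocked yet; attempts are only logged,
#    which reveals which legitimate apps will need an allow-list entry.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 4. Add a data folder outside the defaults (e.g. a second partition) to the
#    protected set. Constructed path.
Add-MpPreference -ControlledFolderAccessProtectedFolders 'E:\Data'

# 5. Review what would have been blocked.
#    Event ID 1124 = audited (would have been blocked), 1123 = blocked.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-List

# 6. Allow-list only the specific binaries that showed up legitimately in step 5.
#    Placeholder path.
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\ExampleApp\exampleapp.exe'

# 7. Enforce: unrecognised processes are now blocked from writing to protected folders.
Set-MpPreference -EnableControlledFolderAccess Enabled

# 8. Verify the result (expect 1 for Enabled) and the allow-list.
(Get-MpPreference).EnableControlledFolderAccess
(Get-MpPreference).ControlledFolderAccessAllowedApplications
```

Keep the allow-list short and specific; a broad entry defeats the purpose, and the 1123/1124 events are worth a periodic look after enabling.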
@archz2: Sorry for the delayed response. Since this strain of GandCrab has been around for a while now, most AVs/AMs should detect it and get rid of it from your system. You can use a free 3rd-party second-opinion scanner such as Emsisoft Emergency Kit, Malwarebytes Free or Hitman Pro to scan your system.
In your case, I speculate that WD got rid of it, but only after the ransomware encrypted a few files. WD may not have been able to roll that action back (I don't know if it is capable of doing so).
The only way to be 100% sure that it's gone is, as mrgeek suggests, to perform a clean install of Windows (after you've performed a full system scan (all partitions) with a couple of good 3rd-party AVs and after taking a backup of your data).
Last edited by PrivacyFreak; 03 Jan 2019 at 11:34.
Okay, yesterday, without waiting for your replies, here's what I did.
1. I formatted my C partition during the Windows 10 installation that I did using a bootable USB. Then I installed Windows 10 1809 on it.
2. I kept my E partition intact.
3. All this while my LAN cable was disconnected.
4. After the Windows installation, I installed ESET Internet Security.
5. I updated it using the internet and ran a full scan.
6. It detected the ransomware txt instructions file as a virus. It didn't detect a virus in the encrypted files on the E: partition.
7. I spent 6-7 hours installing various software from scratch yesterday.
8. Ever since then, my computer has been working fine.
So based on the above evidence, I believe that the virus was on the C: partition. Otherwise my other folders would have got encrypted too by now.
"So based on the above evidence, I believe that the virus was on the C: partition. Otherwise my other folders would have got encrypted too by now."
Excellent news! Reinstalling Windows after wiping the disk is the only effective solution. The time one wastes trying to diagnose can be put toward reinstalling programs (not as bad as people make it out to be, since you get a 2nd chance to figure out what you actually need/use and get updated software versions) and restoring personal files from backup.
We're lucky to be in the Win10 era; when this happened to me on XP, I had 4-5 years of updates to reinstall, requiring a restart after almost each one! When Staples offered to include it for the virus removal charge, I let them go at it ... for 4 days.
Once you have everything put back together, make a system image that you can use as a new beginning point. Cheers.
May I ask you: why not just roll back to the latest image (Macrium!)?
Much easier, and should be enough!
Always good to hear a successful outcome. Thanks for letting us know.