Infected hand-me-down laptop
This is a discussion on Infected hand-me-down laptop within the General Computer Security forums, part of the Tech Support Forum category.
11-18-2019, 12:35 AM
#1
Registered Member
Join Date: Nov 2019
Posts: 13
I received an old Dell and noticed it was infected, including the Ramnit trojan. I am unable to complete a scan using either Defender or MBAM.
Two questions:
- Will restoring to factory settings purge the infections?
- It's currently running Windows 10, which I suspect is a cracked version. Will I still be able to restore the laptop to its original OS (Windows 7) and then upgrade it again to 10?
Thanks!
11-18-2019, 06:39 AM
#2
Team Manager Microsoft Support
Join Date: Mar 2010
Location: Midlands of South Carolina
Posts: 25,185
OS: Windows 10. In the past CP/M, DOS, Windows 95, 2000, 98SE, ME, Vista & Windows 7
Start by restoring from the Recovery Partition. You'll know the whole story.
__________________
The stability of an OS is in direct proportion to the stability of the user.
11-18-2019, 07:47 AM
#3
Elite Commander
Join Date: Apr 2009
Location: Merseyside, UK
Posts: 1,370
OS: Windows 10
Any new PC that comes into my possession, whether I am to keep it or sell it on, gets formatted (using DBAN) and given a nice clean partition setup with the relevant version of Windows.
11-18-2019, 01:54 PM
#4
Team Manager Microsoft Support
Join Date: Mar 2010
Location: Midlands of South Carolina
Posts: 25,185
OS: Windows 10. In the past CP/M, DOS, Windows 95, 2000, 98SE, ME, Vista & Windows 7
VP & Deejay: The OP mentioned a cracked version. As an OEM unit he might or might not have a key sticker, and if a recovery partition exists it would be a good start. After this he could upgrade, and with V1909 available soon, it will take the same time as going clean with 1903 and then upgrading. All this is assuming he can prove he has the right to a free copy of Windows 10.
__________________
The stability of an OS is in direct proportion to the stability of the user.
11-18-2019, 02:54 PM
#5
Moderator, Editor, Articles Team
Join Date: Nov 2007
Location: Doncaster, Great Britain
Posts: 11,594
OS: Windows 7 Professional SP1
Ramnit pretty much disappeared back in the day, but it looks like it has made a comeback.
If I remember rightly from malware training, Ramnit was unfixable and the only solution was to wipe the drive and start from scratch.
__________________
Regards, Dave.
11-18-2019, 03:44 PM
#6
Team Manager Microsoft Support
Join Date: Mar 2010
Location: Midlands of South Carolina
Posts: 25,185
OS: Windows 10. In the past CP/M, DOS, Windows 95, 2000, 98SE, ME, Vista & Windows 7
If the Recovery Partition is unmounted, Malware can't get to it.
__________________
The stability of an OS is in direct proportion to the stability of the user.
11-19-2019, 03:18 AM
#7
Elite Commander
Join Date: Apr 2009
Location: Merseyside, UK
Posts: 1,370
OS: Windows 10
V1909 is available now; my machines at home downloaded it last night.
11-19-2019, 07:27 AM
#8
Registered Member
Join Date: Nov 2019
Posts: 13
Thank you all for the input. Here's what I can add:
- I checked the laptop against Dell's website; it came pre-installed with Win7.
- I found the recovery partition.
So (more) questions please:
- I'm not that techy but can I assume the recovery partition is mounted since I can view it in Disk Management?
- If it is, does it mean I need to reformat and do a fresh install?
11-19-2019, 08:29 AM
#9
Moderator Security Team
Join Date: Jul 2008
Posts: 479
OS: W8.1 x64, Mint Cinnamon 19.2 x64, MX Linux x64
Ramnit is a file infector virus, not a trojan.
If infected, the only viable solution is to reformat.
Instructions for how to recover a Dell machine from its recovery partition on W7 machines can be found at ... https://www.dell.com/support/article...n-your-dell-pc
Once you have reinstalled Windows 7 it will need to be updated immediately, as the version you will now have installed will be a copy of the one that the machine originally had installed when it left the factory.
Do not browse the Internet until you are fully up to date.
11-19-2019, 10:46 PM
#10
Registered Member
Join Date: Nov 2019
Posts: 13
I stand corrected.
That said, Ramnit is one of 4 or 5 infections on the machine. Is the recovery partition safe from those?
Corday mentioned that if it's unmounted, it should be safe.
Since I cannot see it from My Computer and only through Disk Management, does it mean it's unmounted and safe to use?
Thanks.
11-19-2019, 11:09 PM
#11
Registered Member
Join Date: Nov 2019
Posts: 13
BTW, since I connected the machine to my wifi at home, does this mean the rest of my machines have been infected as well?
11-21-2019, 06:55 AM
#12
Team Manager Microsoft Support
Join Date: Mar 2010
Location: Midlands of South Carolina
Posts: 25,185
OS: Windows 10. In the past CP/M, DOS, Windows 95, 2000, 98SE, ME, Vista & Windows 7
Depends on whether you share files etc.
__________________
The stability of an OS is in direct proportion to the stability of the user.
11-21-2019, 07:52 AM
#13
Registered Member
Join Date: Nov 2019
Posts: 13

Quote:
Originally Posted by Corday
Depends on whether you share files etc.
No, none shared from that machine.
You mentioned something about the recovery partition being unmounted. I do not see it in File Explorer. Does this mean it is unmounted?
11-21-2019, 08:17 AM
#14
Moderator Security Team
Join Date: Jul 2008
Posts: 479
OS: W8.1 x64, Mint Cinnamon 19.2 x64, MX Linux x64
An infection is only ever active when your OS is booted.
Your Recovery Partition can usually only be accessed when your OS is not booted.
So, the only time you can access your Recovery Partition is when your infection is inactive.
That means, that infected files do not usually transfer between the Partition on which the OS is located, and the Recovery Partition.
It's possible, but you really have to go out of your way to do it, and the chances are excellent that the files on your Recovery Partition are exactly as they were when the manufacturer put them there.
The same cannot be said about infected files transferring across a Network I'm afraid.
If you haven't already done so, disconnect your infected machine from your Network, and then scan all the other machines on your Network with an AV scan.
If anything is found on any of the other machines, post back here, and we'll talk you through what needs to be done.
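The "is it mounted?" question the OP keeps asking can be answered from the booted OS. The PowerShell below is an added example, not code from anyone in this thread; it assumes the Storage module cmdlets (Get-Partition) present on Windows 8/10 and Server 2012 or later, run from an elevated prompt, and reports for every partition whether it has a drive letter or a folder mount point, which is what makes a partition browsable from File Explorer.

```powershell
# Added example (not posted by anyone in this thread): show which partitions are
# reachable from the running OS and which are hidden, such as an OEM recovery
# partition. Assumes the Storage module (Windows 8/10, Server 2012+) and an
# elevated PowerShell prompt.

function Get-PartitionMountStatus {
    [CmdletBinding()]
    param()

    Get-Partition | ForEach-Object {
        $p = $_

        # Nearly every volume has a \\?\Volume{GUID}\ access path; that alone does
        # not make it browsable. Only a drive letter or a folder mount point does.
        $folderMounts = @($p.AccessPaths | Where-Object { $_ -and $_ -notlike '\\?\Volume*' })
        $hasLetter    = [string]$p.DriveLetter -match '^[A-Za-z]$'

        [pscustomobject]@{
            Disk        = $p.DiskNumber
            Partition   = $p.PartitionNumber
            Type        = $p.Type          # Basic, System, Reserved, Recovery, IFS, ...
            SizeGB      = [math]::Round($p.Size / 1GB, 2)
            Hidden      = $p.IsHidden
            DriveLetter = if ($hasLetter) { $p.DriveLetter } else { '' }
            MountPoints = $folderMounts -join ';'
            # "Mounted" here means browsable from the booted OS (letter or folder).
            Mounted     = $hasLetter -or ($folderMounts.Count -gt 0)
        }
    }
}

# Full table: a recovery partition that shows in Disk Management but not in
# File Explorer should appear here with Mounted = False and no DriveLetter.
Get-PartitionMountStatus | Format-Table -AutoSize

# Partitions Windows itself classifies as Recovery. Note that a Windows 7-era
# OEM recovery partition on an MBR disk is often a plain NTFS partition with no
# letter rather than type "Recovery", so check the full table, not just this filter.
Get-PartitionMountStatus | Where-Object Type -eq 'Recovery' | Format-List
```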
11-21-2019, 11:07 PM
#15
Registered Member
Join Date: Nov 2019
Posts: 13
Thank you Gary. I will do as advised.
I also read that Ramnit can affect the master boot record. Will the recovery process fix that as well?
11-21-2019, 11:16 PM
#16
Moderator Security Team
Join Date: Jul 2008
Posts: 479
OS: W8.1 x64, Mint Cinnamon 19.2 x64, MX Linux x64

Quote:
Originally Posted by Wering1974
Thank you Gary. I will do as advised.
I also read that Ramnit can affect the master boot record. Will the recovery process fix that as well?
Yes it will.
__________________
11-21-2019, 11:57 PM
#17
Registered Member
Join Date: Nov 2019
Posts: 13
Thank you Gary.
11-30-2019, 02:31 AM
#18
Registered Member
Join Date: Nov 2019
Posts: 13

Quote:
Originally Posted by Gary R
I cannot pull up this screen so I followed the Windows 10 instructions instead:
https://www.dell.com/support/article...97920/en#WinRE
However, I do not have the option Factory Image Restore. I only have the following under Troubleshoot:
- Reset this PC
- Advanced options
- Startup Repair
- Startup Settings
- Command Prompt
- Uninstall Updates
- UEFI Firmware Settings
- System Restore
- System Image Recovery
When I try to activate Windows, I see this error code: 0x8007007B. And as expected, it is referencing a different product key. It also refers me to an "organization's active server."
I have the product key (for Windows 7) that came with the machine. Should I just use DBAN to wipe and reinstall Windows 7 then upgrade to Windows 10?
I also found this resource:
https://www.microsoft.com/en-us/soft...oad/windows10/
Does that still work?
Thanks in advance!
11-30-2019, 10:59 PM
#19
Moderator Security Team
Join Date: Jul 2008
Posts: 479
OS: W8.1 x64, Mint Cinnamon 19.2 x64, MX Linux x64
If you want to follow the instructions for W10, then you could select the Reset this PC option in the Troubleshoot Window.
This should re-install Windows 10. If you use this method you should not normally need to re-activate W10, since it should self-validate itself during the reset process.
See ... https://www.lifewire.com/reset-this-pc-2626216 ... and ... https://www.lifewire.com/reset-this-...hrough-2624538
12-02-2019, 03:17 AM
#20
Registered Member
Join Date: Nov 2019
Posts: 13

Quote:
Originally Posted by Gary R
Is the Windows 7 OEM license already dead? I cannot use that anymore?