Infected hand-me-down laptop

11-18-2019, 12:35 AM   #1
Wering1974 (Registered Member)

I received an old Dell and noticed it was infected, including the Ramnit trojan. I am unable to complete a scan using either Defender or MBAM.

Two questions:
  1. Will restoring to factory settings purge the infections?
  2. It's currently running Windows 10, which I suspect is a cracked version. Will I still be able to restore the laptop to its original OS (Windows 7) then upgrade it again to 10?
Thanks!

11-18-2019, 06:39 AM   #2
Corday (Team Manager, Microsoft Support)

Start by restoring from the Recovery Partition. You'll know the whole story.
__________________
The stability of an OS is in direct proportion to the stability of the user.

11-18-2019, 07:47 AM   #3
VividProfessional (Elite Commander)

Any new PC that comes into my possession that I am to keep or sell on gets formatted (using DBAN) and a nice clean partition setup with the relevant version of Windows.
__________________
Boeing 787 Dreamliner Register
The world's premier Dreamliner site
www.b787register.co.uk

11-18-2019, 01:54 PM   #4
Corday (Team Manager, Microsoft Support)

VP & Deejay: The OP mentioned a cracked version. As an OEM unit he might or might not have a key sticker, and if a recovery partition existed it would be a good start. After this he could upgrade and with V1909 available soon, it will take the same time as going clean with 1903 then upgrading. All this is assuming he can prove he has the right to a free copy of Windows 10.

11-18-2019, 02:54 PM   #5
Deejay100six (Moderator, Editor, Articles Team)

Ramnit pretty much disappeared back in the day but looks like it made a comeback.

If I remember rightly from malware training, Ramnit was unfixable and the only solution was to wipe the drive and start from scratch.
__________________
Regards, Dave.

11-18-2019, 03:44 PM   #6
Corday (Team Manager, Microsoft Support)

If the Recovery Partition is unmounted, Malware can't get to it.

11-19-2019, 03:18 AM   #7
VividProfessional (Elite Commander)

V1909 is available now; my machines at home downloaded it last night.

11-19-2019, 07:27 AM   #8
Wering1974 (Registered Member)

Thank you all for the input. Here's what I can add:
  1. I checked the laptop against Dell's website; it came pre-installed with Win7.
  2. I found the recovery partition.
So (more) questions please:
  1. I'm not that techy but can I assume the recovery partition is mounted since I can view it in Disk Management?
  2. If it is, does it mean I need to reformat and do a fresh install?

11-19-2019, 08:29 AM   #9
Gary R (Moderator, Security Team)

Ramnit is a file infector virus, not a trojan.

If infected, the only viable solution is to reformat.

Instructions for how to recover a Dell machine from its recovery partition on W7 machines can be found at ... https://www.dell.com/support/article...n-your-dell-pc

Once you have reinstalled Windows 7 it will need to be updated immediately, as the version you will now have installed will be a copy of the one that the machine originally had installed when it left the factory.

Do not browse the Internet until you are fully up to date.

11-19-2019, 10:46 PM   #10
Wering1974 (Registered Member)

I stand corrected.

That said, Ramnit is one of 4 or 5 infections on the machine. Is the recovery partition safe from those?

Corday mentioned that if it's unmounted, it should be safe.

Since I cannot see it from My Computer and only through Disk Management, does it mean it's unmounted and safe to use?

Thanks.

11-19-2019, 11:09 PM   #11
Wering1974 (Registered Member)

BTW, since I connected the machine to my wifi at home, does this mean the rest of my machines have been infected as well?

11-21-2019, 06:55 AM   #12
Corday (Team Manager, Microsoft Support)

Depends on whether you share files etc.

11-21-2019, 07:52 AM   #13
Wering1974 (Registered Member)

Quote (originally posted by Corday):
> Depends on whether you share files etc.

No, none shared from that machine.

You mentioned something about the recovery partition being unmounted. I do not see it in File Explorer. Does this mean it is unmounted?

11-21-2019, 08:17 AM   #14
Gary R (Moderator, Security Team)

An infection is only ever active when your OS is booted.

Your Recovery Partition can usually only be accessed when your OS is not booted.

So, the only time you can access your Recovery Partition is when your infection is inactive.

That means, that infected files do not usually transfer between the Partition on which the OS is located, and the Recovery Partition.

It's possible, but you really have to go out of your way to do it, and the chances are excellent that the files on your Recovery Partition are exactly as they were when the manufacturer put them there.

The same cannot be said about infected files transferring across a Network I'm afraid.

If you haven't already done so, disconnect your infected machine from your Network, and then scan all the other machines on your Network with an AV scan.

If anything is found on any of the other machines, post back here, and we'll talk you through what needs to be done.

11-21-2019, 11:07 PM   #15
Wering1974 (Registered Member)

Thank you Gary. I will do as advised.

I also read that Ramnit can affect the master boot record. Will the recovery process fix that as well?

11-21-2019, 11:16 PM   #16
Gary R (Moderator, Security Team)

Quote (originally posted by Wering1974):
> Thank you Gary. I will do as advised.
>
> I also read that Ramnit can affect the master boot record. Will the recovery process fix that as well?

Yes it will.

11-21-2019, 11:57 PM   #17
Wering1974 (Registered Member)

Thank you Gary.

11-30-2019, 02:31 AM   #18
Wering1974 (Registered Member)

Quote (originally posted by Gary R):
> Instructions for how to recover a Dell machine from its recovery partition on W7 machines can be found at ... https://www.dell.com/support/article...n-your-dell-pc

I cannot pull up this screen so I followed the Windows 10 instructions instead:
https://www.dell.com/support/article...97920/en#WinRE

However, I do not have the option Factory Image Restore. I only have the following under Troubleshoot:
  1. Reset this PC
  2. Advanced options
    • Startup Repair
    • Startup Settings
    • Command Prompt
    • Uninstall Updates
    • UEFI Firmware Settings
    • System Restore
    • System Image Recovery

When I try to activate Windows, I see this error code: 0x8007007B. And as expected, it is referencing a different product key. It also refers me to an "organization's active server."

I have the product key (for Windows 7) that came with the machine. Should I just use DBAN to wipe and reinstall Windows 7 then upgrade to Windows 10?

I also found this resource:
https://www.microsoft.com/en-us/soft...oad/windows10/

Does that still work?

Thanks in advance!

11-30-2019, 10:59 PM   #19
Gary R (Moderator, Security Team)

If you want to follow the instructions for W10, then you could select the Reset this PC option in the Troubleshoot Window.

This should re-install Windows 10. If you use this method you should not normally need to re-activate W10, since it should self-validate itself during the reset process.

See ... https://www.lifewire.com/reset-this-pc-2626216 ... and ... https://www.lifewire.com/reset-this-...hrough-2624538

12-02-2019, 03:17 AM   #20
Wering1974 (Registered Member)

Quote (originally posted by Gary R):
> If you want to follow the instructions for W10, then you could select the Reset this PC option in the Troubleshoot Window.
>
> This should re-install Windows 10. If you use this method you should not normally need to re-activate W10, since it should self-validate itself during the reset process.
>
> See ... https://www.lifewire.com/reset-this-pc-2626216 ... and ... https://www.lifewire.com/reset-this-...hrough-2624538

Is the Windows 7 OEM license already dead? I cannot use that anymore?