My father-in-law had his laptop infected a few days ago. He sent the laptop to me to take a look at it. Before he did this he had someone else look at it, and they said to reimage the system and that nothing could be done. I have a spare machine with a SATA HDD dock that I use for cleaning machines, so I pulled the drive from the laptop and mounted it to the spare machine, not on my network. Here is what I discovered.
With the exception of the Windows directory and most of the Program Files directory, every file has been renamed GODdidThisXXXX. The XXXX is a unique hex number. The directory structure is intact but every file is replaced. No files have extensions and they are all exactly 98KB in size, no matter what the original file size was.
I ran a fully updated version of Malwarebytes on the volume and it found nothing. I ran a virus scan and it also came back clean. Since the Windows files were intact, I tried to put the HDD back in the laptop to boot it up, expecting to see some app pop up trying to extort money from him to decrypt the hard drive. I couldn't see any strange programs on the computer. I ran Malwarebytes again on the computer with it booted up. This also came back clean.
It is possible that the computer has been partially cleaned by the other person, but I really don't know what the computer looked like when he got it and what he did.
I uploaded a couple of samples to and they all checked out clean. Not sure what else to try on this system before just dumping it. I am shocked that it seems to boot up fine and run fine with everything in the Users folders messed up.
Any ideas?
Thanks
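The post describes three observable indicators on the offline-mounted volume: a fixed rename pattern (GODdidThis plus a hex suffix, no extension), a uniform 98KB size regardless of the original, and untouched Windows and Program Files directories. As an added example (not from the original post and not part of Malwarebytes or any other tool mentioned there), the script below walks a mounted volume read-only, collects every file matching that pattern, builds a size histogram, and measures the Shannon entropy of each file's contents. The entropy reading answers the question the post leaves open: a uniform size with near-8 bits/byte means the originals were replaced by fixed-size encrypted or random blobs, while a low reading means fixed filler, and in either case the original contents are not recoverable from these files, so recovery has to come from backups, shadow copies, or a forensic carve of unallocated space. The regex, the skip list, and the sample tree it builds are my own assumptions derived from the post.

```python
import math
import os
import re
import tempfile
from collections import Counter
from pathlib import Path

# Assumed from the post: "GODdidThis" followed by a hex suffix, no extension.
RENAMED_RE = re.compile(r"^GODdidThis[0-9A-Fa-f]+$")

# Directories the post reports as untouched; pruned so the walk focuses on user data.
DEFAULT_SKIP_DIRS = ("Windows", "Program Files", "Program Files (x86)")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext/random data, 0.0 for constant filler."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage_volume(root, skip_dirs=DEFAULT_SKIP_DIRS, sample_bytes=65536):
    """Walk an offline-mounted volume and report files matching the rename pattern.

    Returns a dict with the hit count, a size histogram, and per-file entropy of the
    first `sample_bytes` of each hit. Files are only read, never modified.
    """
    root = Path(root)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        if Path(dirpath) == root:
            # Prune the OS directories at the top level only.
            dirnames[:] = [d for d in dirnames if d not in skip_dirs]
        for name in filenames:
            if not RENAMED_RE.match(name):
                continue
            path = Path(dirpath) / name
            with open(path, "rb") as fh:
                head = fh.read(sample_bytes)
            hits.append({
                "path": str(path.relative_to(root)),
                "size": path.stat().st_size,
                "entropy": round(shannon_entropy(head), 2),
            })
    histogram = Counter(h["size"] for h in hits)
    return {"count": len(hits), "size_histogram": dict(histogram), "hits": hits}


def uniform_size(report):
    """The single size shared by every hit (the post's 98KB case), or None if sizes vary."""
    sizes = list(report["size_histogram"])
    return sizes[0] if len(sizes) == 1 else None


def build_sample_volume():
    """Constructed sample tree for offline testing; mirrors the post's description.

    One renamed file holds random bytes (encrypted-blob case), one holds zeros
    (filler case), one normal document is untouched, and a matching name under
    Windows must be ignored by the pruning logic.
    """
    root = Path(tempfile.mkdtemp(prefix="triage_"))
    docs = root / "Users" / "bob" / "Documents"
    docs.mkdir(parents=True)
    blob_size = 98 * 1024  # "exactly 98KB", as in the post
    (docs / "GODdidThis1A2B").write_bytes(os.urandom(blob_size))
    (docs / "GODdidThisC3D4").write_bytes(b"\x00" * blob_size)
    (docs / "notes.txt").write_bytes(b"untouched plaintext file\n")
    win = root / "Windows" / "System32"
    win.mkdir(parents=True)
    (win / "GODdidThisFFFF").write_bytes(b"\x00" * 16)  # must be skipped
    return root


if __name__ == "__main__":
    sample_root = build_sample_volume()
    report = triage_volume(sample_root)
    print(f"{report['count']} renamed files; size histogram {report['size_histogram']}")
    print("uniform size:", uniform_size(report))
    for hit in report["hits"]:
        print(f"  {hit['path']}: {hit['size']} bytes, entropy {hit['entropy']}")
```

Run it against the mount point of the docked drive (for example `triage_volume("/mnt/laptop")` or the drive letter on Windows) rather than the sample tree; the per-file entropy column is the quickest way to tell whether the 98KB blobs are encrypted data or padding, and the size histogram confirms whether the "every file is 98KB" observation holds across the whole Users tree or only where the poster looked.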