How to Remove an Encryption Virus?


Infopackets Reader 'Frank' writes:

" Dear Dennis,

I was wondering if I can hire you to fix a laptop with a ransom virus infection. The reason I'm asking is because as soon as the system boots up, the virus is there [with a message stating the computer has been locked down]. There is no desktop, meaning I can't open anything. What can I do? "

My response:

Unfortunately, if you cannot boot into the Windows desktop, I cannot dial into the laptop to fix it via remote desktop support. Whether the laptop can be repaired depends on what you're infected with. If the message is scareware (a "screen locker" that blocks the desktop with a fake warning but leaves your files alone), removing the malware usually gets everything back. If it is the real thing (such as CryptoLocker), the malware itself can still be removed, but your files have been encrypted with a key that only the attacker holds, and without a backup they may be impossible to recover.

As such, I believe you have the following options:

1. Try to remove the virus from the system by using a clean environment.

2. Attempt to repair Windows if the virus removal doesn't work. This may get you back into the system, but your files may still be encrypted.

3. If Steps #1 and #2 fail, restore the drive from a disk image, but only if you made disk image backups before the infection. If you don't have disk image backups, I highly recommend you set up a proper backup schedule using a disk image backup program; if anyone reading this article needs help getting it done, I am more than happy to help - simply contact me for support.

4. As a last resort, you can format the drive and reinstall Windows, but you would lose all your data in the process and would have to reinstall all your programs.

How to Remove a Virus using a Clean Environment

Below are step by step instructions that may help you remove the encryption virus from your laptop. Note that you will need a secondary desktop PC to do the removal from a clean environment. Also note that removing the malware does not decrypt anything: if you are in fact infected with a real encryption virus that has encrypted your files, the virus scan removes the program but leaves the encrypted files exactly as they are, and only Step #3 or #4 (mentioned above) will get your data back.

Here are the steps to attempt to clean the virus from the system:

a) Burn a virus rescue CD using the clean system (refer to Step #3 in the article). If the clean PC has no CD / DVD drive, most rescue CDs can also be written to a USB drive and booted from that.

b) Power down the infected laptop, remove the battery, and take the 2.5 inch hard drive out (located underneath the laptop).

c) Power down the clean desktop PC, open up the case, and unplug ALL hard drives; do not unplug your DVD / CD drive.

d) Attach the infected laptop hard drive to the motherboard of the clean desktop PC. A 2.5 inch SATA laptop drive uses the same data and power connectors as a desktop drive; an older IDE laptop drive needs an adapter.

e) Power on the clean PC, boot from the virus rescue CD, and scan the system. Note that you may need to adjust your BIOS boot order so that the CD / DVD boots before the hard drive. Booting from the rescue CD is the whole point of the clean environment: nothing on the infected drive is ever executed. If the infected hard drive boots instead, the malware has been loaded into RAM, so power off the system completely (hold the power button, wait 5 seconds) rather than warm-rebooting it, then fix the boot order and start again. Before you delete anything, this is also the moment to make a sector-by-sector copy of the infected drive (Linux-based rescue CDs include dd for this): if the cleanup goes wrong, or a free decryptor for your particular ransomware family is released later, you will still have the encrypted files to work from.

f) When the virus scan is complete, quarantine (rather than delete) any infected files found on the infected laptop hard drive. Leave the ransom note files alone: they tell you which ransomware family you are dealing with and often carry an identifier that a decryption tool would need.

g) Power down the clean PC and take out the infected laptop hard drive; hopefully it is now clean.

h) Put the hard drive back into the laptop, attach the battery, and power on the system; hopefully you can now get into the Windows desktop.

i) If that doesn't work and/or your files are still encrypted, then you can try Steps #3 or #4 mentioned above (restore from a disk image or reinstall Windows).
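The decision the response above hinges on (scareware that merely blocks the desktop, versus real crypto-ransomware that has rewritten the files) can be checked from the rescue environment before anything is deleted, by looking at the user's files rather than at the warning screen. The script below is an added example, not code from the original article or from any rescue CD: it walks a directory on the infected drive (mounted read-only from the rescue CD; /mnt/victim/Users is a hypothetical path), checks whether common document types still begin with the header their extension promises, measures the entropy of the first 4 KiB of each file, and lists small files whose names look like ransom notes. The file-type table, the note-name keywords and the thresholds are illustrative choices of mine, not taken from any particular ransomware family.

```python
"""Triage a read-only mount of a suspect drive: are the user's files actually encrypted?

Added example. Assumes the infected disk is mounted read-only from a rescue
environment at a hypothetical path, e.g.
    mount -o ro,noexec,nodev,nosuid /dev/sdb2 /mnt/victim
    python3 triage.py /mnt/victim/Users
"""
import math
import os
import sys
from collections import Counter

# Header bytes for common user-document formats (illustrative, not exhaustive).
# A .jpg that no longer starts with FF D8 FF has been rewritten by something.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".pdf": (b"%PDF-",),
    ".zip": (b"PK\x03\x04", b"PK\x05\x06"),
    ".docx": (b"PK\x03\x04",), ".xlsx": (b"PK\x03\x04",), ".pptx": (b"PK\x03\x04",),
    ".doc": (b"\xd0\xcf\x11\xe0",), ".xls": (b"\xd0\xcf\x11\xe0",),
}
# Words that commonly appear in ransom-note file names (illustrative list).
NOTE_HINTS = ("decrypt", "recover", "restore", "how_to", "readme", "ransom")
NOTE_MAX_BYTES = 64 * 1024
HEAD_BYTES = 4096
ENTROPY_THRESHOLD = 7.5  # bits/byte; ciphertext sits near 8.0, documents far below

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_head(name: str, head: bytes) -> str:
    """'ok' if the header matches the extension; 'suspect' if it does not and the
    bytes look like ciphertext; otherwise 'unknown' (type not in the table, or a
    mismatch with low entropy, e.g. a text file someone renamed)."""
    ext = os.path.splitext(name)[1].lower()
    if ext not in MAGIC:
        return "unknown"
    if any(head.startswith(m) for m in MAGIC[ext]):
        return "ok"
    return "suspect" if shannon_entropy(head) > ENTROPY_THRESHOLD else "unknown"

def looks_like_note(name: str, size: int) -> bool:
    """Small file whose name contains a ransom-note keyword."""
    lower = name.lower()
    return size <= NOTE_MAX_BYTES and any(h in lower for h in NOTE_HINTS)

def triage(root: str) -> dict:
    """Walk `root` (symlinks not followed) reading only file heads; never writes."""
    summary = {"ok": 0, "suspect": 0, "unknown": 0, "suspect_files": [], "notes": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(path)
                with open(path, "rb") as fh:
                    head = fh.read(HEAD_BYTES)
            except OSError:
                continue  # bad sector or permission problem: skip it
            if looks_like_note(name, size):
                summary["notes"].append(path)
                continue
            label = classify_head(name, head)
            summary[label] += 1
            if label == "suspect":
                summary["suspect_files"].append(path)
    return summary

def verdict(summary: dict, min_suspect: int = 5) -> str:
    """Turn the counts into the decision the repair plan depends on."""
    checked = summary["ok"] + summary["suspect"]
    if summary["suspect"] >= min_suspect and summary["suspect"] >= checked / 5:
        return "files encrypted: cleaning the malware will not bring them back; restore from backup"
    if summary["notes"] and summary["suspect"] == 0:
        return "ransom note present but files intact so far: likely screen locker / scareware"
    if summary["suspect"] == 0:
        return "no evidence of encryption: cleaning the malware should restore the desktop"
    return "inconclusive: a few files damaged, inspect suspect_files by hand"

if __name__ == "__main__":
    result = triage(sys.argv[1] if len(sys.argv) > 1 else ".")
    for key in ("ok", "suspect", "unknown"):
        print(f"{key:8s} {result[key]}")
    for path in result["notes"]:
        print("note candidate (do not delete):", path)
    print(verdict(result))
```

The header check and the entropy check are deliberately combined: a zip-based .docx is high-entropy but keeps its PK header, so it reads as intact, while a .jpg whose header is gone and whose bytes are uniformly distributed is almost certainly ciphertext. Files the table does not cover are counted as unknown rather than guessed at, and the script only ever reads, so it is safe to run against the read-only mount before any quarantine decision.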

If some or all of this is over your head, please take your computer to a professional.

Additional Help From Dennis

As I have stated previously, disk images are by far the best way to protect yourself from this type of infection, as they allow you to revert Windows back to the way it was before the encryption took place. You could also recover most (if not all) of your files, but that largely depends on many factors, including: how often you back up, the space available for backups, what is being backed up, and the backup strategy being used. One factor matters more than the rest with this type of infection: the backup drive must not be connected (or mapped as a network drive) while the ransomware runs, because CryptoLocker and its relatives encrypt every drive letter they can reach, backups included. Keep the image drive unplugged between backups, or rotate two drives. If anyone reading this article needs help setting up a bullet-proof backup plan, you are welcome to contact me for remote desktop support.

Got a Computer Question or Problem? Ask Dennis!

I need more computer questions. If you have a computer question -- or even a computer problem that needs fixing -- please email me with your question so that I can write more articles like this one. I can't promise I'll respond to all the messages I receive (depending on the volume), but I'll do my best.

About the author: Dennis Faas is the owner and operator of Infopackets.com. With over 30 years of computing experience, Dennis' areas of expertise cover a broad range, including PC hardware, Microsoft Windows, Linux, network administration, and virtualization. Dennis holds a Bachelor's degree in Computer Science (1999) and has authored 6 books on the topics of MS Windows and PC Security. If you like the advice you received on this page, please up-vote / Like this page and share it with friends. For technical support inquiries, Dennis can be reached via live chat on this site using the Zopim Chat service (currently located at the bottom left of the screen); optionally, you can contact Dennis through the website contact form.


Comments


In the past, I have taken the HDD out of an infected computer,
temporarily installed it in my computer,
& used the antivirus/cleaners installed on my computer to scan/clean+/or repair the infected HDD.
This technique presupposes:
1. the technical skill necessary to R+R the HDD,
2. the technical knowledge necessary to *not* activate the virus/trojan/worm, etc.
I'm not in business to do this,
it's just something I do to help certain people,
usually in some relationship w/to me.
Usually, this method can 'clean'/repair almost all infected HDDs,
assuming that the software installed on my system is capable of dealing w/ the problem.
Using this technique, & others, I've been able to save a number of systems,
some of which were given to us because the original owners despaired of fixing them,
& simply bought a new one.
Hopefully helpful.

Have a GREAT day, Neighbors!