Hello, I'm from Microsoft......... (scam)

The version of this scam I am aware of, slightly different to yours I think, is where the bar-stewards rewrite the boot sector thus preventing access to all documents and image files. Could still boot into Windows as I recall.

A possible help prog would be Recuver, from the same nice people who supply CCleaner, also for free.

 

I think as a starting point, if you can get the hard drive out and mount it on another Linux machine as a secondary, then you should be able to recover all the data without risk of infecting the other machine. The trouble is, if you smash the file allocation table (or whatever its referred to post FAT32 days), anything you do on that machine while that drive is the primary may overwrite data. The OS says 'right, where is there some free space for my virtual memory.. oh the file allocation table says this range is free, I'll write to that', and then the data that was there is gone forever.

Another thing to watch out for, and I've totally forgotten its name, is where they actually infect the Windows kernel. If that happens, safe mode isn't safe, as the very core of Windows is affected. I'm annoyed at myself now because I've totally forgotten the term that would enable you to look it up. If I remember, I'll post again.

 

Are you perhaps thinking of DLL hooking?

More than likely the laptops drive/s have been formatted with NTFS.

My guess is that the Kernel (or other DLL files) have been tainted or alternatively one of the sectors on the boot drive have been tampered with to relocate some system calls to the nasty.
Since ( I assume) the basis of this scam is that Windows is held "captive" until the person pays up, means that one will still have access to Windows so as to be able to run the "fix" once the "ransom" has been payed.
In the old days, hackers would write nasties that whacked the MBR (Master Boot Record) rendering the OS useless.
These days they want money so they won't do that.

As @clueless1 has written, don't put the infected drive/s into another Windows machine as it may infect that one too.
Rather use a Linux machine to try and fix the problem (assuming it's a sector nasty).
If it's a case of infected Kernel or other DLLs, it will be more of a challenge.


BTW, make sure that whatever Linux machine you use has the NTFS drivers loaded as many flavours (distros) of Linux do not come with the NTFS drivers due to copyright restrictions imposed by Microsoft.
NTFS drivers for most distros are available as an add on.

 

Quickly checked on my Linux box.
The command you have to run to check for NTFS support is:

cat /proc/filesystems

On some Linux distros, you have to be logged in as "root" to be able to run that.

 

No, but I've remembered the term.

It's 'rootkit'. Rootkit types of malware prevent their own detection by modifying the operating system itself to simply not list it as existing. They can also modify what the operating system actually does when it thinks its behaving legitimately.

 

Rootkits use DLL hooking to intercept system calls, modify them then pass them on.
In this way they can effectively "control" any application that uses that specific DLL, even though each program runs in a separate memory space.

They also effectively hide themselves from any anti-virus software as the anti-virus itself also makes DLL calls.

Unfortunately it's all too easy to hook into a DLL.
Some anti-virus software can also be fooled by a simple technique where a nasty application can make use of LoadLibraryA and make calls via ordinal numbers instead of calling the DLL function directly by name.

 

Well done @fat controller

 

I'm surprised the Norton range still exists. Every spotty teenager in the world can get round that. It was great in its day, around 1990, but has fallen victim to its own success. It became the benchmark that all hackers would aim for.