@glacial As a “skilled tech geek” myself, I will concede that it’s possible that re-installing might be an overreaction. Then again, it might be a vast under-reaction.
Everyone seems to be assuming that this attack is a known virus, but there is no evidence in the OP to suggest that this is so. Even if there were, we can’t know that the current exploit isn’t something new cunningly disguised to look like an existing CVE.
Here’s what we know: the computer is compromised. Since the user is “locked out”, I assume that the attack has achieved a privilege escalation. We have no way of knowing what persistence measures the exploit uses. If @kylebrown94 is proficient in the use of a debugger, stack traces and logfiles (assuming there are logs), then he might be able to glean some of this information. In the absence of that information we must assume that the exploit is active and in control of the OS. Therefore we cannot trust the OS and it needs to be reinstalled (since it could potentially corrupt any installed patches - but we’ll assume it can’t corrupt read-only install media from Microsoft, since if it can we’re hosed anyhow :^)
Since we also can’t know for sure when the attack began, any backup data must be carefully scanned before it’s restored, as we must assume that the exploit has corrupted it. No executables should be re-installed from the old system, and care should be taken that none of the restored data is executable (for example, attackers can attach runnable Java code to PDFs in a way that’s non-trivial to detect.)
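
A triage pass over a backup before restoring, as described in the post above; this is an added example, not part of the original post. It flags files that are executable by content or extension and PDFs carrying script or auto-run action names. The function names, extension list and PDF marker list are assumptions chosen for illustration, and the sample files are constructed. Run it from a clean machine against the backup media.

```python
import os
import tempfile

# Leading bytes of files the OS can run directly.
MAGIC = {b"MZ": "Windows PE executable", b"\x7fELF": "ELF executable"}
# Extensions Windows runs or interprets on open (assumed list, extend as needed).
RISKY_EXT = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".ps1",
             ".vbs", ".js", ".jar", ".lnk", ".msi", ".hta"}
# PDF names that introduce scripts or automatic actions.
PDF_ACTIVE = (b"/JavaScript", b"/JS", b"/OpenAction", b"/Launch")

def classify(path):
    """Return the reasons a file should be held back from the restore."""
    with open(path, "rb") as fh:
        data = fh.read()
    reasons = [label for magic, label in MAGIC.items() if data.startswith(magic)]
    ext = os.path.splitext(path)[1].lower()
    if ext in RISKY_EXT:
        reasons.append("runnable extension " + ext)
    # Readers accept the %PDF header anywhere in the first 1024 bytes.
    if b"%PDF" in data[:1024]:
        hits = [m.decode() for m in PDF_ACTIVE if m in data]
        if hits:
            # Names in compressed streams or #xx-escaped are missed: no hit != clean.
            reasons.append("PDF with active content: " + ", ".join(hits))
    return reasons

def scan_backup(root):
    """Map relative path -> reasons for every flagged file under root."""
    flagged = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if reasons := classify(full):
                flagged[os.path.relpath(full, root)] = reasons
    return flagged

def demo():  # constructed backup: one harmless PDF, two files to hold back
    samples = {"photo.jpg": b"MZ\x90\x00 constructed PE header stub",
               "report.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj",
               "invoice.pdf": b"%PDF-1.4\n1 0 obj << /OpenAction "
                              b"<< /S /JavaScript /JS (constructed) >> >> endobj"}
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        return scan_backup(root)

if __name__ == "__main__":
    print(demo())
```

A file that passes this check is only unflagged, not verified; it narrows what needs a full scanner and manual review.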