User_Hostile

Continuing the rebuild of my network from possible rootkit infection


I posted earlier about a possible rootkit infection on one of the computers on my network, which per the results indicated that one did not exist.

Now I'm ready to go after the machine where the alleged rootkit resides. After much frustration, I finally restored my main machine back to mid-January, which I believe is malware free.

Now, I have backups all the way to early February and I would like to restore the computer to this image, because I lost a critical design & BOM list I need for a project. However, I expect the malware resides on this particular image and will start the whole debacle over again. This time around, however, I can isolate the rest of the network while I battle the beast.

But before I start, I have two-and-a-half questions:

1) Just to ensure that the current image is malware free, should I scan the "clean" image first to provide an instruction baseline to work from? From there, I can then mount the suspected malware image (the very last backup) using the same instructions to begin the removal of the alleged rootkit.

2) While uploading the "FRST.txt" and "Addition.txt" files is supposedly safe with respect to privacy, I use people's names for each account, which given my name and others can be Googled very quickly and result in very specific information as to my identity. Can I send you the aforementioned files as is, but keep them publicly inaccessible?

2.5) Failing that, I can map the account names one-for-one with a more neutral generic name?  If I receive a "fix" file from you, I can restore the original names to ensure compatibility when running the FRST application again.

Thanks.


Just extract and restore the file or folder of files you need. Not the entire image. Almost every backup software out there has the ability to extract single files.

What program was used to back up the computer?

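An added worked example of the file-level recovery recommended above (example code, not from the thread, Malwarebytes, or Macrium), in PowerShell. It assumes the backup image has already been mounted read-only as drive M:\ through the backup software's "browse files" feature; the drive letter, the file list and the output folder are placeholders to be replaced with your own.

```powershell
# Added example: pull individual files out of a mounted backup image instead of
# reimaging the whole disk. Assumptions (placeholders): image mounted at M:\,
# wanted files listed in $Wanted, copies written to C:\Restore\<timestamp>.

$ImageRoot  = 'M:\'                                   # mounted backup image (assumed drive letter)
$RestoreDir = Join-Path 'C:\Restore' (Get-Date -Format 'yyyyMMdd-HHmmss')
$Wanted     = @(                                      # relative paths inside the image (placeholders)
    'Users\someone\Documents\Project\design.dwg',
    'Users\someone\Documents\Project\BOM.xlsx'
)
# Only plain data files are pulled out; anything executable stays in the image.
$Blocked = @('.exe', '.dll', '.scr', '.com', '.bat', '.cmd', '.ps1', '.vbs', '.js', '.lnk', '.sys')

New-Item -ItemType Directory -Path $RestoreDir -Force | Out-Null
$Manifest = @()

foreach ($rel in $Wanted) {
    $src = Join-Path $ImageRoot $rel
    $ext = [System.IO.Path]::GetExtension($src).ToLowerInvariant()

    if (-not (Test-Path -LiteralPath $src)) {
        Write-Warning "Not in image: $rel"
        $Manifest += [pscustomobject]@{ Path = $rel; Status = 'missing'; SHA256 = '' }
        continue
    }
    if ($Blocked -contains $ext) {
        Write-Warning "Skipping executable content: $rel"
        $Manifest += [pscustomobject]@{ Path = $rel; Status = 'skipped-executable'; SHA256 = '' }
        continue
    }

    $dst = Join-Path $RestoreDir $rel
    New-Item -ItemType Directory -Path (Split-Path -Parent $dst) -Force | Out-Null
    Copy-Item -LiteralPath $src -Destination $dst

    # Record a SHA-256 of each recovered copy so it can be re-checked later
    # (for example after scanning $RestoreDir) and compared with any other copy.
    $hash = (Get-FileHash -LiteralPath $dst -Algorithm SHA256).Hash
    $Manifest += [pscustomobject]@{ Path = $rel; Status = 'restored'; SHA256 = $hash }
}

$Manifest | Export-Csv -LiteralPath (Join-Path $RestoreDir 'manifest.csv') -NoTypeInformation
$Manifest | Format-Table -AutoSize
```

The point of the allow-list of data files and the hash manifest is that only the documents come across; nothing from the suspect image is executed, and the recovered folder can be scanned as a unit before any file in it is opened.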

No, you don't restore the C:\ drive. Just browse the image and locate the file you want to restore.

Is this the Free or Paid version you're using?


Here is the User Guide for Macrium Reflect 7.2

https://updates.macrium.com/reflect/v7/user_guide/macrium_reflect_v7_2_user_guide.pdf

 

Here is some older documentation on how to do it. Hopefully the newer version is very similar.

Browse files in backups

http://reflect.macrium.com/help/v5/how_to/restore/browse_files_in_backups.htm

Restore Files and Folders

http://reflect.macrium.com/help/v5/how_to/restore/browse_files_in_backups.htm


Also, Reflect is paid for.

I believe the alleged rootkit is located on the C:\ drive, and I wish to restore to the last backup and engage in a battle of wits with said malware.  


There is simply zero reason to reimage the disk to restore a couple of files to work on your project. Especially if that image is of an infected computer.


Sorry, but I don't have time to engage in a learning class. Playing with malware can be a dangerous issue. If you somehow released an encryption-type infection you could potentially lose all your data and your backups too. Just restore the files you want and don't tempt fate would be my advice.


Fair enough; I finally caught on to what you were actually stating. Toss me a "duh, that was obvious" token--I deserve it.

My hope was to 1) identify what it was that hit me, 2) determine approximately what time the infection occurred, and 3) where it came from, to ensure it doesn't happen again.

This is literally the first time I've ever been infected and I've used personal computers for 40 years.* So, I guess my number finally came up. : > (

But per your recommendation, I'll cherry-pick the files I need, and forgo the TRONing against the malware.

Thanks for your help and effort---truly appreciate it,

User Hostile

*This is called Cybergeezerhood when you reach this milestone.


I understand your desire but unfortunately there is only so much time we have to help users with ongoing live malware threats. If you're really bent on doing it, then do the restore and, before rebooting, remove the external backup drive and do not connect it back until you know for certain the computer is clean and cannot infect the external drive.

Then you can play with it at will and still have the backup if something does go wrong.

 


I've got a three-tier backup system. The last tier is air-gapped and never connected to a computer being restored unless the recovery disk is running.

As for why I have a three-tier backup rather than just one?

College senior project report. In those days, floppies were the USB sticks of their day. I made two backups against the original because my gut told me to (and floppies were cheap). When I got ready to print out my report (100 pages or so), I found the original was bad, so I went to the first backup and ... it too, was bad. Sweating, I found the 2nd backup was still good and made two more copies. My printout was good, and I graduated. Good lesson to learn; since then, in the last 35 years, I've had five or six cases where a backup has gone wrong and that second copy saved my skin.

Anyway, I'll skip the battle, my project awaits. Thanks.


That's excellent. Glad you had the foresight to do so back then. I've been doing computer support for about 30 years. If you have time you can read the following which I wrote back in 2013 about backups. I actually have 5 backups for some data I consider very important to me.

 

Edited by AdvancedSetup
Updated information
