Thursday, February 21, 2019

windows 7 - How to safely rescue data from a trojan-infected system?

Thanks to my little brother, we got a nice selection of trojans on our home PC, one of which is W32/Murofet.A, a file infector that has spread across a good number of .exes already.
Since it isn't the only trojan, we decided to just entirely nuke the hard drive and reformat it. Sadly, there's still a lot of data that we want to save, like pictures, videos, personal documents, etc.
Now, I got a 2TB external hard drive, but I want to be sure not to carry over any of the malware that's on the home PC, because I also got personal stuff on the external (over 500 gig, so I can't copy it elsewhere for some time).



How would I best do this? I thought of a Linux live CD / USB stick to boot from, but how can I make sure not to copy any infected data / cleanse such data before copying it?
If any additional information is needed, I'll be glad to provide it. Thanks in advance.


Answer



Your idea of a Linux live CD is a good one.



What I'd do is a partial cleanup of the hard drive first to reduce the chance of getting anything infected.



First off, delete any files that could contain a virus - EXE files, VBS, SCR, COM, BAT, CMD - basically anything that can be directly executed.

# find /path/to/hard/drive -type f \( -iname '*.exe' -o -iname '*.vbs' -o -iname '*.scr' -o -iname '*.com' -o -iname '*.bat' -o -iname '*.cmd' \) -delete


If there are any other file types you know you'll not be wanting to copy over you can delete those as well - files such as *.ocx, etc.



Then you can make a list of all the files that you think you might want to keep:

# find /path/to/hard/drive -type f \( -iname '*.txt' -o -iname '*.jpg' -o -iname '*.png' [...] \) >/tmp/keepfiles



You can then manually work through that file (/tmp/keepfiles) removing any files you don't want to keep. You can pretty much remove anything that's not in the /Users directory. What's left can be copied over to the external with a reasonable amount of confidence that it's not infected. It's still not guaranteed though.



# rsync -avP --files-from=/tmp/keepfiles / /path/to/external/disk

That should maintain your existing directory structure in the copy.¹



Once that is all done you can then remove the external drive and clean your hard drive and install Windows afresh. Once you have done that you should install a good anti-malware program - I recommend Malwarebytes, but there are many other good ones around. Only when one of these programs has been installed should you even consider plugging in the external drive.




Scan the external drive as the first thing you do, and scan it well.



¹ I haven't tested this command, so you may need to tweak it to get it to work right. Read the man pages.
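As an added example that is not part of the original answer, the following POSIX shell script carries out the same workflow from a Linux live session: it builds an allow-list of data files under the volume's Users directory, copies them to the external disk with their relative paths intact, skips any allow-listed file whose content begins with the "MZ" header of a Windows executable (a renamed PE is exactly what a file infector like Murofet lives in), and counts any directly executable files left in the copy as a final check. The mount points /mnt/win and /mnt/ext, the KEEP_EXTS list and the function names are assumptions, not anything from the answer.

```shell
#!/bin/sh
# Added example, not the answer's own commands. Assumes a Windows volume
# mounted read-only at /mnt/win and the external disk at /mnt/ext
# (both placeholders), plus find with -iname, dd and cp.

# Data extensions we are willing to carry over. Anything not listed is left
# behind, which covers EXE/VBS/SCR/COM/BAT/CMD and every type we never named.
KEEP_EXTS="jpg jpeg png gif mp4 avi mov txt pdf doc docx xls xlsx odt ods"

# build_keep_list SRC OUTFILE
# Writes, one per line, the paths (relative to SRC) of files under SRC/Users
# whose extension is in KEEP_EXTS. Restricting to Users follows the answer.
build_keep_list() {
    src=$1; out=$2
    for ext in $KEEP_EXTS; do
        # -type f so a directory named like "photos.jpg" is not listed
        find "$src/Users" -type f -iname "*.$ext" 2>/dev/null
    done | sed "s|^$src/||" | sort -u > "$out"
}

# looks_like_pe FILE
# Succeeds when the first two bytes are "MZ", the DOS/PE header, whatever
# the extension claims. Such a file is skipped even if its name is allowed.
looks_like_pe() {
    magic=$(dd if="$1" bs=2 count=1 2>/dev/null)
    [ "$magic" = "MZ" ]
}

# copy_keep_list SRC LISTFILE DST
# Copies each listed file to DST under the same relative path, skipping
# anything that looks like a PE (reported on stderr). Prints the number of
# files actually copied.
copy_keep_list() {
    src=$1; list=$2; dst=$3; copied=0
    while IFS= read -r rel; do
        [ -n "$rel" ] || continue
        if looks_like_pe "$src/$rel"; then
            echo "SKIP (PE header): $rel" >&2
            continue
        fi
        mkdir -p "$dst/$(dirname "$rel")"
        cp -p "$src/$rel" "$dst/$rel"
        copied=$((copied + 1))
    done < "$list"
    echo "$copied"
}

# count_executables DIR
# Number of files under DIR with a directly executable extension; a clean
# rescue copy should report 0.
count_executables() {
    find "$1" -type f \( -iname '*.exe' -o -iname '*.vbs' -o -iname '*.scr' \
        -o -iname '*.com' -o -iname '*.bat' -o -iname '*.cmd' \) | wc -l | tr -d ' '
}

# Usage with the placeholder mount points:
#   build_keep_list /mnt/win /tmp/keepfiles
#   copy_keep_list /mnt/win /tmp/keepfiles /mnt/ext/rescued
#   count_executables /mnt/ext/rescued
```

The magic-byte check is the piece the extension-only approach in the answer lacks: a file infector writes itself into PE files, and a PE renamed to .jpg would otherwise sail through the allow-list. Documents with macros are still not caught this way, which is why the answer's advice to scan the external drive on the fresh install before using it still stands.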

