Posted: Sat Feb 29, 2020 5:52 am
welcoming committee

Joined: Sun Apr 15, 2012 6:56 pm
Posts: 294
Despite running Malwarebytes Premium and Defender, it appears that my wife's computer has received an unwelcome guest that has pretty much screwed things up, and I am going to have to reset it, something I have never done before. What are the chances that her Documents, Pictures and Downloads will survive such a reset? It says you may keep your personal files. Can you rely on that?

_________________
Gerry


Posted: Sat Feb 29, 2020 10:45 am
Moderator

Joined: Thu Apr 05, 2012 3:25 pm
Posts: 1763
Location: Pembrokeshire, South Wales, UK
Sorry I can't help you there Gerry but I'm sure you'll get an answer from one of the boys shortly who will be able to tell you.

_________________
Joan Archer
http://crossstitcher.webs.com


Posted: Sat Feb 29, 2020 12:42 pm
Site Admin

Joined: Tue Apr 10, 2012 9:48 pm
Posts: 2341
Location: New Jersey
When you perform a reset and choose to keep personal files, the process *should* actually keep your personal files. Programs and apps will be removed and need to be reinstalled.
https://www.wikihow.com/Reset-Windows-10

However, I recommend that you back up all of your personal files -- which everyone should be doing normally because a hard drive failure isn't going to save your files. If the data is important, back it up!

-steve

_________________
stephen boots
Microsoft MVP 2004 - 2020
"Life's always an adventure with computers!"


Posted: Sat Feb 29, 2020 7:50 pm
Resident Geekazoid Administrator

Joined: Wed Mar 21, 2012 5:09 am
Posts: 8064
Location: The state of confusion; I just use Wyoming for mail.
Would be nice to know why it is believed that the system has become compromised as there could be another possible cause. Sorry but I just always like to know the symptoms. ;)

I've done one or two Windows 10 resets keeping personal data and it went fine. It's been quite a while since I've done this but I seem to remember that there were some quirks as to the preserved personal data. You MAY get some access denied alerts on data folders. If this happens just click on 'Continue' within the alert. If any folders fail when Continue is clicked go to https://computerhaven.com/downloads.html and select the automated registry hack to automate the permissions process. After applying the hack just right click on any such folder and select to 'Take Ownership'. I believe this only happens if personal data is on a different drive/partition than the operating system.

As Steve noted you WILL lose ALL programs/apps except, possibly, such as came with the system if there is a recovery partition on the drive. I have read that this is the case but have never tested. I would advise looking through Programs and features in the Control Panel and making a list of what is installed and making sure that you have the proper installers and product keys.

If there is a recent backup of personal data that is before the issue you MAY be better off selecting to remove everything during the reset process. After the reset is complete copy everything back from the backup. The reason I suggest this is that, if the system has been compromised, it is possible that the current data is also compromised. Probably not a high chance of this but possible. Still back up the current data as Steve suggested but do it to another destination than any already existing data backup.

You will lose all stored passwords and cookies depending on the browser used and where it stores its info. I would export favorites, passwords and cookies if possible. If some passwords are no longer known it is not a big deal. Use the forgotten password option that is available on just about any site that requires a log in. You will want to change all passwords anyway as they may be compromised by the infection.

Any chance that there is a system image from before the compromise? If so you could just restore the image instead of doing a reset. This would prevent the need to install all programs/apps. If an image can be restored it is probably the quickest solution.

You MAY even be able to just clean the system. By default MBAM will do a threat scan which is pretty good but, I believe, not everything on the system is included. In MBAM select 'Advanced scanners' from the scan tab. Select to configure scan after selecting a custom scan and check all installed drives and the option to check for rootkits. In Defender select 'Custom scan' and select all installed drives. This WILL possibly take a really long time depending on the abilities of the system and how much used space is on the drive/s.

_________________
Free sites from jaylach.com
I NEVER forget... I just remember late.
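
The preparation steps in the post above (list what is installed before a reset, then scan every installed drive with Defender) can be scripted. This is an added example, not code from any of the posters; the output folder `$OutDir` and the CSV file names are assumptions, and it is meant to be run from an elevated PowerShell prompt.

```powershell
# Added example: pre-reset inventory and Defender custom scan.
# $OutDir is an assumed destination; point it at the external backup drive.
param([string]$OutDir = "$env:USERPROFILE\Desktop\pre-reset")

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Installed programs, read from the uninstall registry keys that
#    "Programs and Features" lists (64-bit, 32-bit and per-user entries).
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and -not $_.SystemComponent } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate |
    Sort-Object DisplayName -Unique |
    Export-Csv -Path (Join-Path $OutDir 'installed-programs.csv') -NoTypeInformation

# 2. Store apps for the current user (a reset removes these as well).
Get-AppxPackage | Select-Object Name, Version |
    Export-Csv -Path (Join-Path $OutDir 'store-apps.csv') -NoTypeInformation

# 3. Defender custom scan of every fixed drive, one drive at a time.
#    Update-MpSignature needs network access; skip it on an isolated machine.
Update-MpSignature
$drives = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 3'
foreach ($d in $drives) {
    Write-Host "Scanning $($d.DeviceID)\ ..."
    Start-MpScan -ScanType CustomScan -ScanPath "$($d.DeviceID)\"
}

# 4. Record what Defender detected so it can be compared after the reset or restore.
Get-MpThreatDetection |
    Select-Object InitialDetectionTime, ThreatID, ActionSuccess,
        @{ Name = 'Resources'; Expression = { $_.Resources -join '; ' } } |
    Export-Csv -Path (Join-Path $OutDir 'defender-detections.csv') -NoTypeInformation
```

The inventory records names and versions only; installers and product keys still have to be collected by hand.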


Posted: Mon Mar 02, 2020 5:18 am
welcoming committee

Joined: Sun Apr 15, 2012 6:56 pm
Posts: 294
I appreciate your suggestions, Steve and Jay. I did have a Macrium Reflect image of her computer, but I wasn't sure if it might also be infected, so I did as Steve suggested and backed up all the data and picture folders manually just in case. I ran the reset function and after about an hour, it returned the advisory that there had been an error and nothing has been reset. The curious thing is that the computer appears now to be running as it should. Programs I could not open yesterday now open. No program was removed and all data folders are intact. I'll watch this closely to see if that holds.

Jay, what happened is my wife received an email in Outlook that looked phony. She did not open it, but it was showing in the preview pane. It purported to be from the Trump campaign asking for money, so she tried to delete it but it would not delete, and in fact, it froze the computer. I closed Outlook using Task Manager and rebooted. Things were not acting right, e.g. in File Explorer, none of the shortcuts to Pictures, Documents, etc. opened. Quicken would not open and froze up on trying. I called in a local "fixer" who worked with it for 30 minutes and gave up, suggesting that I reset it. Right now all those things that weren't working are working again -- fingers crossed!

_________________
Gerry


Posted: Mon Mar 02, 2020 5:45 pm
Resident Geekazoid Administrator

Joined: Wed Mar 21, 2012 5:09 am
Posts: 8064
Location: The state of confusion; I just use Wyoming for mail.
It concerns me that the reset failed. Keep a close eye on things if you are going to try to let it go. I still think that you should do the full security scans as I outlined but let's see what Steve thinks as the full scans are likely to take hours to complete.

Did the failed reset give any kind of error number?

_________________
Free sites from jaylach.com
I NEVER forget... I just remember late.


Posted: Mon Mar 02, 2020 9:27 pm
Site Admin

Joined: Tue Apr 10, 2012 9:48 pm
Posts: 2341
Location: New Jersey
I've seen failed resets where a second try works. However, a full scan is a good idea.

_________________
stephen boots
Microsoft MVP 2004 - 2020
"Life's always an adventure with computers!"


Posted: Mon Mar 02, 2020 10:16 pm
Resident Geekazoid Administrator

Joined: Wed Mar 21, 2012 5:09 am
Posts: 8064
Location: The state of confusion; I just use Wyoming for mail.
sboots wrote:
I've seen failed resets where a second try works. However, a full scan is a good idea.

I would also wish to know why the Macrium Reflect image backup is suspect. Sorry, this was supposed to be in my last post but I forgot. Is it due to being done on an internal drive rather than an external?

When doing image backups having an internal drive as the destination is fine for scheduled images but there should also be an external destination drive that is not normally connected to the system. Doing an image to the external would be done manually any time a serious change is done and proven on the system. The advantage here is that the external is mostly immune to any infection corrupting the backup as the drive is only connected to the system when doing or restoring an image. When doing a restore of an external image, with an infection suspected, it should never be started via Windows. You should have created a CD/DVD/USB recovery disk through Macrium. You would then do the image restore by booting to the recovery CD/DVD/USB which helps to prevent an infection from interfering as it all happens before Windows is loaded.

I don't use Macrium but figure the boot media should pretty much work as does my Acronis boot CD. I don't even have Acronis installed on my system anymore as it puts other things that are resource heavy. I do my images strictly from the boot CD. I also clone my system drive to a second M.2 SSD but do this manually also. I could probably set up a mirror RAID array to do it in real time but that would sort of defeat my purpose. Say that I had my two M.2 drives set up as a RAID mirror array. The drives would be made exactly the same in real time. This is great in the case of a drive failure but not so much when thinking of an infection. Using RAID for this, and an infection happened, I'm toast as both drives are now infected. While not perfect doing the clones manually gives me a bit more of a security level as an infection would have to find the second drive involved in the cloning to infect. Since I removed the drive letter from the drive I clone to it is harder for an infection to find the thing. Not perfect but better as to security than RAID Mirror.

Sorry... I've found myself going to 'teach mode'. Not always a good thing but I find it hard to not put out info... :(

_________________
Free sites from jaylach.com
I NEVER forget... I just remember late.


Posted: Thu Mar 05, 2020 5:47 pm
welcoming committee

Joined: Sun Apr 15, 2012 6:56 pm
Posts: 294
I'm finally getting enough time to report on what's been going on. The last seemingly-stable computer didn't last very long. I closed it down and when I rebooted, none of the settings that I had just spent hours re-doing were there. The first thing that came up was the white Edge page that comes up after an update welcoming me to Windows. I ran the reset your PC function a second time and again after several minutes, a blue rectangle appeared reading: "There was a problem resetting your PC. No changes were made." I rebooted and began once again setting up her program requirements (default folders, printer, etc.). I had set a restore point before, but it was now gone so I set a new one. In File Manager, I changed location folders for Documents, Pictures, Desktop and Downloads again so those links pointed to the right folders. Quicken again froze up when booted, but using Task Manager, I was able to work with it and finally get it to load properly. The computer was once more working properly.

I rebooted the computer and everything I had just done was wiped out again as the white Edge screen again greeted me and all of her task bar icons were gone again. I reset everything one more time, then noticed in Updates that Windows wanted to update from version 1903 to 1909 and that required a reboot, which again wiped out all my settings. Again I set up her computer and set a restore point. I rebooted with apprehension, but everything came up this time as status quo. Regardless, to play it safe, we are going to leave her computer on. This is now the second day that everything is functioning as it should, including Quicken. It's difficult to type this way, but I have my fingers crossed!

Jay, my Macrium backups are to an external hard drive. If this setup eventually fails, I will try restoring one of those images.

_________________
Gerry


Posted: Thu Mar 05, 2020 6:19 pm
Resident Geekazoid Administrator

Joined: Wed Mar 21, 2012 5:09 am
Posts: 8064
Location: The state of confusion; I just use Wyoming for mail.
Hope things stay good.

If the images are on an external drive, and that drive is only connected or turned on when an image is being done, the images should be totally safe. If you decide to do an image restore I suggest that you do it by booting to a recovery medium such as a CD/DVD or flash drive. The reason that I'd prefer to see it done this way is to protect the images. There is stuff out there that can hit a drive as soon as it's put in which could, potentially, put your images at risk.

Windows 10 ver. 1909 is current but there may be another update involved. What you installed was most probably the spring 2019 feature upgrade. The fall upgrade may show up if you check for updates. This one is minor and goes quick.

I really have no idea but wonder if the upgrade to ver. 1909 pending may not have caused the reset failures...

_________________
Free sites from jaylach.com
I NEVER forget... I just remember late.


Posted: Tue Apr 07, 2020 4:58 pm
welcoming committee

Joined: Sun Apr 15, 2012 6:56 pm
Posts: 294
Well, it's been about a month since my last report on this problem. The computer ran well so long as it didn't reboot; after a reboot, it was as though another update had occurred -- all of my previous adjustments were gone and the task bar was left with just four icons. The desktop was also minimized with most of her icons missing. We couldn't live with this disruptive activity, so I decided to attempt restoration of an image from 02/02/20, which is before the malware entered her system.

Macrium Reflect allows you to create rescue media on the computer so you can boot into Reflect before Windows boots. This appears on the boot menu and when you select it, it opens a version of Reflect outside of Windows. Using this I was able to restore that 02/02/20 version of her computer. When fully booted, it looked exactly like it used to and everything worked perfectly with the speed greatly improved. It reverted to Windows version 1903, but the update to 1909 was waiting to be installed, which I did along with several other updates that had occurred since early February.

I should have done this way back when and saved a lot of frustration, but I had never before restored an image and I was a little afraid of it. Not to worry -- it worked perfectly and I now have made my wife's computer work much faster and easier. Thanks again, Jay and Steve, for your coaching. This forum is worth its weight in gold and I'm happy to make another donation.

_________________
Gerry


Posted: Tue Apr 07, 2020 6:32 pm
Resident Geekazoid Administrator

Joined: Wed Mar 21, 2012 5:09 am
Posts: 8064
Location: The state of confusion; I just use Wyoming for mail.
Glad all seems well Gerry and that the image restore worked out OK.

_________________
Free sites from jaylach.com
I NEVER forget... I just remember late.

