July 9, 2021

Suspect I have a trojan that’s messing with Windows Defender and am planning to restore from a Macrium system image – I’ve never done this before though and could use some advice

I wanted to see if anyone in this sub has some tips for me before I give this a shot. I’ve never had to restore from a Macrium system image before. I created the image many months ago and have it saved in the cloud. The trojan I’m supposedly dealing with is called Trojan:Win32/Emali.A!cl and seemed to make its way onto my machine via an infected update from one of the open source software tools I use. There were two identical detections back to back, and while the first one is listed as successfully quarantined by Microsoft Defender, the second one is listed as failed/remediation might not be complete.

In addition to the system image, I have a real-time file backup running as well as a flash drive backup for my files (which hasn’t been updated for a little while). I manually copied and pasted my files to the flash drive backup just recently to make sure it’s up to date – everything looks normal, although I’m paranoid something has slipped in without me realizing it. I’m also scared the real-time file backup is compromised somehow. When I check the list of backup targets, things seem to have been altered (some extra files have appeared that don’t look familiar to me).

I guess my questions are (1) what should I know beforehand when it comes to restoring from the Macrium image, and can I assume the Macrium image is unharmed (I need to move it from the cloud onto a flash drive)? And (2) what should I do about my files? The worst case scenario I’m trying to avoid is that I restore from the old image, plug the flash drive in to transfer my files, and the files are somehow infected. Like I said, the files don’t seem to be infected, but I’ve never dealt with this situation before.

This is my first time dealing with a potential trojan. Although Malwarebytes Pro scans and full system scans by Windows Defender both come back clean, my event logs for Windows Defender look very strange. Many, many new events have been created over the past 24 hours (much more than usual), including many ID 5007 events (indicating Defender has been altered/updated somehow) as well as ID 2011 events (which say “Defender Antivirus used Dynamic security intelligence Service to discard obsolete security intelligence updates”). Microsoft Safety Scanner also detects infected files, although my understanding is that this could mean nothing more than old remnants of malware being detected.

If someone could help me out, I’d really appreciate it.
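The 5007 and 2011 events the post describes can be pulled out and read alongside Defender's current settings, so you can see what each configuration change actually did rather than only that it happened. The script below is an added example, not something from the post or from Macrium/Microsoft; it uses the standard Defender cmdlets and Operational log name, and the `$Days` window is its own choice.

```powershell
# Added triage script (not from the original post). Run in an elevated PowerShell
# on the affected machine before restoring, so the findings are preserved.
$Days  = 2                                                   # assumed look-back window
$log   = 'Microsoft-Windows-Windows Defender/Operational'    # Defender's Operational log
$since = (Get-Date).AddDays(-$Days)

# 5007 = antimalware platform configuration changed (the message names the setting
#        and its old/new value, e.g. an added exclusion or disabled protection).
# 2011 = obsolete security intelligence discarded (normal after signature updates).
$events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 5007, 2011; StartTime = $since } `
                       -ErrorAction SilentlyContinue

Write-Host "Defender configuration/signature events since $since : $($events.Count)"
$events | Sort-Object TimeCreated |
    Select-Object TimeCreated, Id,
        @{ n = 'Summary'; e = { (($_.Message -split "`r?`n")[0..2] -join ' ').Trim() } } |
    Format-Table -AutoSize -Wrap

# Settings that tampering with Defender usually shows up in: protection state and exclusions.
$pref   = Get-MpPreference
$status = Get-MpComputerStatus
[pscustomobject]@{
    RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
    TamperProtected           = $status.IsTamperProtected
    SignatureLastUpdated      = $status.AntivirusSignatureLastUpdated
    ExclusionPaths            = ($pref.ExclusionPath      -join '; ')
    ExclusionProcesses        = ($pref.ExclusionProcess   -join '; ')
    ExclusionExtensions       = ($pref.ExclusionExtension -join '; ')
} | Format-List

# Detection history with remediation result: ActionSuccess = $false matches the
# "remediation might not be complete" entry; Resources lists the files involved.
Get-MpThreatDetection | Sort-Object InitialDetectionTime -Descending |
    Select-Object InitialDetectionTime, ThreatID, ActionSuccess, Resources |
    Format-Table -AutoSize -Wrap
```

Unexpected entries under ExclusionPaths or ExclusionProcesses, or a 5007 event whose summary shows a protection feature being turned off, are the things worth keeping a copy of before the image restore wipes the log.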
