• OK to Restore Files From a Possibly Hacked Computer?

    • This topic has 6 replies, 5 voices, and was last updated 2 months ago.
    Author
    Topic
    #2589122

    A friend let a scam “Microsoft technician” have access to his PC. I scanned the computer with five different antivirus tools and deleted any files they found suspect. As a precaution, he is replacing the hard disk drive (HDD) that was in the computer when he gave the “technician” access with a new solid state drive (SSD), and will be installing a new copy of Windows 11 on it.

    He asked about copying his documents and photos from the hacker-compromised HDD to the SSD. He also has his files backed up in the cloud via the Backblaze service. Are these two sources safe to use to restore his files?

    • #2589123

      Guess that depends on the type of files. What I would do is freeze Backblaze until it’s sorted. Then I normally copy data files and such that are needed immediately after re-install and after scanning with multiple programs. Then after a bit of time passes and scanning again I move everything back. Also note that if he or Backblaze have copies of files from BEFORE the suspected hack, those should be safe, but I’d still scan them to be sure.

      Never Say Never

    • #2589154

      Depending on what information he had stored on his drive he may want to also consider possible identity theft and freeze access to his credit reports. Hopefully, he did not have his social security number in plain text on the drive anywhere.

      Custom desktop Asus TUF X299 Mark 1 16GB RAM i7-7820X
      4 27" 1080p screens 2 over 2.
      Laptop Clevo/Sager i7-9750H - 17.3" Full HD 1080p 144Hz, 16GB RAM Win 10 Pro 22H2 all

      1 user thanked author for this post.
    • #2589158

      Why replace the hard drive after a hack? The recommendation would be that the user's files should be copied to an external hard drive. Format the hard drive at least two times and run a free-space wipe. After that, clear the TPM chip, since hackers are using that now to hide malware. Once that is done, remove the RAM sticks and leave them out of the computer for 48 hours or more to clear any RAM viruses or malware that might have been uploaded into a RAM exploit that is currently being used. After that, install any other OS (i.e. Linux, Mac, Unix) than Windows.

      2 users thanked author for this post.
    • #2589189

      As you copy the files across, the antivirus program will react if there are any malicious files/content.

      Susan Bradley Patch Lady/Prudent patcher

      1 user thanked author for this post.
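      The first reply suggests copying only the data files that are needed right after the reinstall and scanning them before anything else comes back; Susan's reply adds that the antivirus will react as files are copied. The script below is an added example written for this thread, not code from the forum or from any product named in it. It copies documents and photos from the old drive into a staging folder on the new install, refuses executables, scripts and macro-enabled Office files, catches renamed executables by their "MZ" header, and writes a log with SHA-256 hashes so the staged files can be scanned and compared before they are moved into place. The extension lists, the folder layout and the sample files are all assumptions.

```python
"""Selective restore of documents and photos from a drive pulled out of a
possibly compromised PC.

Added example, not code from the thread or from any product it mentions.
It copies only allowlisted data types from the old drive into a staging
folder, refuses executables, scripts and macro-enabled documents, detects
renamed executables by their 'MZ' header, and writes a log with SHA-256
hashes so the staged files can be scanned before they go into place.
The extension lists are assumptions and should be adjusted to the user's data.
"""
from __future__ import annotations

import hashlib
import shutil
import tempfile
from pathlib import Path

# Assumed allowlist: plain document and photo types.
DATA_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".odt", ".pdf", ".txt", ".csv",
                   ".jpg", ".jpeg", ".png", ".heic", ".gif", ".mp4", ".mov"}
# Assumed denylist: never restore these from a compromised drive, even if
# the file names look like documents ("invoice.pdf.exe").
DENY_EXTENSIONS = {".exe", ".dll", ".scr", ".com", ".msi", ".bat", ".cmd",
                   ".ps1", ".vbs", ".js", ".jse", ".wsf", ".hta", ".lnk",
                   ".reg", ".docm", ".xlsm", ".pptm", ".iso", ".img"}


def classify(path: Path) -> tuple[str, str]:
    """Decide whether a file is safe to stage. Returns ('copy'|'skip', reason)."""
    ext = path.suffix.lower()          # only the last extension decides
    if ext in DENY_EXTENSIONS:
        return "skip", "denied type"
    if ext not in DATA_EXTENSIONS:
        return "skip", "not on allowlist"
    with path.open("rb") as fh:
        head = fh.read(2)
    # A Windows PE executable starts with 'MZ'; a "data" file with that header
    # is a renamed binary. (A .txt that happens to begin with "MZ" is a
    # tolerable false positive: it just has to be restored by hand.)
    if head == b"MZ":
        return "skip", "PE header under data extension"
    return "copy", "allowlisted data file"


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large photos/videos do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def restore_user_files(src_root: Path, staging: Path) -> dict:
    """Copy allowlisted files from src_root into staging, logging each decision."""
    staging.mkdir(parents=True, exist_ok=True)
    log_lines: list[str] = []
    copied = skipped = 0
    for path in sorted(p for p in src_root.rglob("*") if p.is_file()):
        rel = path.relative_to(src_root)
        decision, reason = classify(path)
        if decision == "copy":
            dest = staging / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(path, dest)   # content plus timestamps, nothing else
            copied += 1
            log_lines.append(f"COPY {sha256_of(dest)} {rel.as_posix()}")
        else:
            skipped += 1
            log_lines.append(f"SKIP {reason}: {rel.as_posix()}")
    (staging / "restore-log.txt").write_text("\n".join(log_lines) + "\n")
    return {"copied": copied, "skipped": skipped, "log": log_lines}


def build_sample_drive(root: Path) -> Path:
    """Constructed sample of an old drive's user folder (not real data)."""
    files = {
        "Pictures/holiday.jpg": b"\xff\xd8\xff\xe0 constructed jpeg bytes",
        "Documents/notes.txt": b"shopping list\n",
        "Documents/invoice.pdf.exe": b"MZ fake dropper",
        "Documents/budget.xlsm": b"PK macro-enabled workbook",
        "Documents/renamed.pdf": b"MZ executable renamed to pdf",
        "Downloads/helper.exe": b"MZ another binary",
    }
    for rel, data in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return root


def demo() -> dict:
    """Run the restore against the constructed sample in a temporary directory."""
    work = Path(tempfile.mkdtemp(prefix="restore-demo-"))
    old_drive = build_sample_drive(work / "old_drive")
    staging = work / "staging"
    summary = restore_user_files(old_drive, staging)
    summary["staged"] = sorted(p.relative_to(staging).as_posix()
                               for p in staging.rglob("*") if p.is_file())
    return summary


if __name__ == "__main__":
    result = demo()
    print(f"copied {result['copied']}, skipped {result['skipped']}")
    print("\n".join(result["log"]))
```

      On the sample drive, only holiday.jpg and notes.txt reach the staging folder; the double-extension dropper, the macro-enabled workbook, the loose .exe and the PDF that is really a PE file are all left behind and named in restore-log.txt. The staging folder is the place to run the antivirus scans the thread recommends; the hashes in the log let the user confirm later that what was scanned is what was moved into the new profile.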
    • #2589299

      Why replace hard drive after hack?

      He wanted to make the move to a solid state drive prior to this incident. Since the PC is getting a fresh install of Windows, this seemed like a good time to make the switch to a solid state drive.

      After that, clear the TPM chip since hackers are using that now to hide malware. Once that is done, remove the RAM sticks and leave them out of computer for 48 hours or more to clear any ram viruses or malware that might have been uploaded into RAM exploit that is currently being used.

      I was not aware of the need to isolate RAM for 48 hours before proceeding with the reinstall – thanks

    • #2589931

      I would use a backup program / migration utility that lets you clone the HDD to the SSD (disk manufacturers often have a clone utility).

      Connect the new disk, boot from the clone program, clone, shut down.
      Remove the old disk and connect the new one to the same cable as the old.
      Boot.

      You have a full backup because the old disk has not been touched.

      cheers, Paul

      1 user thanked author for this post.