Windows 10: How to find file history/detect if changes have been made to recovery partition?

I have a real mfker of a bootkit. It's infected my last 3 windows 8/8.1/10 laptops, seems to be on my formerly winXP/now Peppermint OS machine, and based on McAfee suspicious traffic logs and my gut, may even be on my android phone.

I got a new W10 laptop days ago. Immediately it began getting hundreds of 'suspicious incoming connection requests' on high ports from random IPs and IPs in my home network, and my phone/router ran a UDP scan on it.

By yday, 3 days in, a GMER scan confirmed TSD4@MBR code. Have the rootkit already.

On my last Win8.1 laptop, one of the features of this infection was that one day I noticed that all of the files in my recovery partition were replaced or modified, so that they showed a creation date that was logically inconsistent and different than before, and many other files showed a timestamp set six hours in the future.

Now, I'm new to Win10 and haven't had a chance to get familiar with this machine, so I can't know just by looking at the files in a terminal if they have been affected, and I am reluctant to perform a fresh install from the recovery partition (along with replacing the MBR) lest it affect the ability of my various system analysis/rootkit detector programs to analyse the roots of the infection.

I'm also not yet at the point where I would be comfortable with reinstalling from a clean iso based USB as I'm not familiar with the process and worry that I would be left with a nonfunctional machine.

So is there anyway for me to analyse the history of those files? Some way to run a hash check on them, or maybe shadow volume copies or something?

submitted by /u/Serpinfold
[link] [comments]

:)

 

How To: Create recovery partition.

it worked when i copied all the files of the disk to the recovery partition i created, but i had to use WinPE tab to add the entry.

Type: WIM Image (Ramdisk)
Name: Recovery
Path: Z:\Sources\boot.wim
and hit Add Entry
I tried it in VirtualBox and it worked.
At first, it would add a second "Windows 7" entry to the list, but when the installation is finished, the old one is deleted. (I formatted only C: partition)

 

File history won't detect external HHD

Hi Simon,

Thank you for posting in Microsoft Community.

I appreciate the troubleshooting steps you have tried to resolve your issue,

What is the make and model of your computer and hard drive?

Follow the Methods below and check if that helps.

Method 1: Run the Hardware and Devices Troubleshooter.

Windows 10 has a built-in troubleshooter to check and fix issues with hardware and devices. I would suggest you to run this troubleshooter to check if the issue is with the Bluetooth adapter. Refer these steps:

• 
  Press Windows key +X, select
  Control panel.
  
• 
  Change the view by option on the top right to
  Large icons.
  
• 
  Click on troubleshooting and click on the
  view all option on the left panel.
  
• 
  Run the Hardware and devices troubleshooter.
  
• 
  Restart your computer and check if the issue is resolved.
  

Method 2: I suggest you to uninstall and reinstall the latest USB drivers from manufacturer's website.


Follow these steps to un-install the drivers:

• On the search bar type “ Device Manager”
• On the left pane locate “Universal Serial Bus Controllers” and expand by clicking on it.
• Right on all the USB adapters and click “Uninstall’
• Download the latest USB adapter setup file from the manufacturer’s website and install it.

Refer the Microsoft articles below and perform the steps suggested.

What if something goes wrong in File History?

http://windows.microsoft.com/en-US/windows-8/what-something-goes-wrong-file-history

Set up a drive for File History.

http://windows.microsoft.com/en-US/windows-8/set-drive-file-history

Applies to Windows 10.

Hope this information is helpful. Please do let us know if you need further assistance, we’ll be glad to assist you.

Thanks

 

[HELP]Image recovery issues

Guys i am trying to fix my cousins Asus Eee netbook. It has a backup image file that is partitioned on the hard drive but when I go to use it the app will run through a few steps and stop. It is running Vista . Any suggestions?