using Macrium, ransomware threat, move from Windows 7 to Windows 10


  1. Posts : 19
    Windows 7 Professional
       #1



    I’m relatively new with posting on forums…I’m not sure whether or not this post should be 2-3 separate posts and possibly even to different forums so please bear with the convoluted situation I’ve gotten myself into:
    I run Windows 7 Pro on Dell XPS (pre-2014 model, Version 6.1, build 7610 Service Pack 1) and I’m in the process of transitioning over to Windows 10 Pro (build 10.0.18363.418) on Dell XPS (7390 model). W7 machine only updated to Dec 2017 (group B).
    Last week I got a Malwarebytes RTP detection alert and that it had blocked a ransomware (?) threat. I then made a backup image of all local drives on W7 laptop using Macrium Reflect Free Edition v5.2.6544, mistakenly with a non-bootable flash drive. My questions / concerns:
    1. Is the backup image at all usable, for future restore or cloning? all drives including the OS or just the DATA partition?
    2. Is there a chance for the image already made to be corrupted / infected by the blocked threat?
    3. If I do have to make a backup image with a bootable flash drive, please give me instructions to do this. Also, is there a free edition of v7.2, which would allow me to do backups / cloning similar to older versions? Is there a time limit to the free edition?
    4. What can I do to ensure a clean image of the DATA partition on W7 machine to transfer / clone to DATA partition in W10 machine? Or should this question be posted to sevensforum?
    5. What do I do to remove the threat on W7, as I’ve also got various alerts from WinPatrol of Windows Error Report Service (WERFAULT.exe) being stopped from running at Startup (but when checked, it showed manual start), then later another alert of Windows Error Report Service being added to run at Startup and when that was rejected, a caution message along the lines of “possible malware…..stating that the rejection failed and another component of the program is still trying to run the service at Startup to take control of computer’s Startup”. Unfortunately, I didn’t save any screenshots of WinPatrol alerts and am having trouble figuring out where to find the WinPatrol log files etc for more details of these alerts. Or should this question be posted to sevensforum?
      My Computers


  2. Posts : 1,862
    Windows 10 Pro 2004 20H1
       #2

    The first thing I would do is make sure the system is clean -

    Tools for that purpose -

    Malwarebytes
    Emsisoft Emergency Kit
    Hitman Pro

    Once that is assured, you can move forward with making a "clean" disk image backup.
      My Computer


  3. Posts : 4,163
    Windows 11 Pro, 22H2
       #3

    1) Yes, the backup may be usable with some possible exceptions. You first need to determine if there is a REAL ransomware threat. You may want to check with Malwarebytes regarding the positive detection you received. If it did successfully block the threat, then you should be good.

    Even if you do have an infection, data files (not executables) should be no problem to restore. Remember that you can always mount a backup as if it was a drive and then simply copy files from it to another drive. This holds true for all partitions that you have backed up, not just the OS partition.

    2) If the original partition was corrupted and you made an image backup of that partition, then that corruption will be present in the image as well. Again, note that you should still be able to recover data files.

    3) To restore an image, you don't need bootable media unless you plan to restore the OS drive and related partitions. In that case you will need to have a bootable Macrium Reflect drive (thumb drive, CD, DVD, etc.) but the drive that you backed up your data to does not itself have to be bootable. You can always boot from a Macrium boot disk and then access the backups that are located on other drives or network locations. The free version does not have any time limit, only fewer capabilities than the paid version.

    4) If your data partition is just that - data only, you do not need to do anything special. It would basically be just like taking that data disk and plugging it into a Windows 10 system. Windows 10 has no problem reading and writing disks that were previously used with Windows 7.

    5) Forgive me for not being familiar with the particular malware / antivirus programs you are using, but when they detect a threat, do they not tell you whether they themselves were able to neutralize the threat and if not do they offer advice on how to remove the threat?

    Another possible solution would be to simply start clean: Perform a clean install of Windows 10, followed by installation of your programs, then finally restore all your data files from your backup images.
      My Computers
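
An added example, not part of any poster's reply: one way to apply the "data files, not executables" advice from post #3 when copying from a mounted backup image. It checks file content (the `MZ` header of Windows executables) as well as the extension, so a program renamed to look like a document is skipped. The function names, the extension list and the sample files are assumptions made for illustration.

```python
import shutil
import tempfile
from pathlib import Path

# Assumed, illustrative list of extensions Windows runs or interprets directly.
RISKY_EXT = {".exe", ".dll", ".scr", ".com", ".bat", ".cmd", ".ps1",
             ".vbs", ".js", ".jse", ".wsf", ".hta", ".lnk", ".msi"}

def has_pe_header(path):
    """True if the file starts with 'MZ', the DOS/PE executable signature."""
    with open(path, "rb") as fh:
        return fh.read(2) == b"MZ"

def restore_data_files(mounted_root, dest_root):
    """Copy only data files from a mounted image; return (copied, skipped)."""
    mounted_root, dest_root = Path(mounted_root), Path(dest_root)
    copied, skipped = [], []
    for src in sorted(mounted_root.rglob("*")):
        if src.is_symlink() or not src.is_file():
            continue
        rel = src.relative_to(mounted_root)
        if src.suffix.lower() in RISKY_EXT:
            skipped.append((rel.as_posix(), "risky extension"))
        elif has_pe_header(src):
            # Extension says "data", content says "program": do not restore.
            skipped.append((rel.as_posix(), "PE header"))
        else:
            target = dest_root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, target)
            copied.append(rel.as_posix())
    return copied, skipped

def demo():
    """Run the filter over a constructed stand-in for a mounted image."""
    with tempfile.TemporaryDirectory() as tmp:
        image, out = Path(tmp, "image"), Path(tmp, "restored")
        (image / "docs").mkdir(parents=True)
        (image / "docs" / "notes.txt").write_bytes(b"meeting notes")
        # Constructed sample: executable bytes hidden behind a .pdf name.
        (image / "docs" / "invoice.pdf").write_bytes(b"MZ\x90\x00stub")
        (image / "docs" / "update.js").write_bytes(b"// script")
        copied, skipped = restore_data_files(image, out)
        return copied, skipped, (out / "docs" / "notes.txt").exists()

if __name__ == "__main__":
    print(demo())
```

This is a copy filter, not a malware scanner: files it lets through, such as Office documents that can carry macros, still need to be scanned with the tools named in the thread before they are opened.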


  4. Posts : 1,862
    Windows 10 Pro 2004 20H1
       #4

    Real-time protection is doing its job if it's telling you it blocked something.

    However, the only way to know if there is malware already on your system is to do scans, which you should be doing on a regular basis, using more than one tool.
      My Computer


  5. Posts : 43,256
    Win 10 Pro (22H2) (2nd PC is 22H2)
       #5

    mistakenly with a non-bootable flash drive
    - not sure why that was a mistake - the disk on which you save image files doesn't need to be bootable. I prefer to keep my bootable Macrium disk separate from my image files so I could use it with different disks containing images for different PCs for example.

    1. Is the backup image at all usable, for future restore or cloning? all drives including the OS or just the DATA partition?
    You can restore the partition(s) imaged at any time whether they are O/S or data partitions. They are just partitions.

    2. Is there a chance for the image already made to be corrupted / infected by the blocked threat?
    If a partition includes a virus, the image of that partition also includes it. Image files could potentially be affected by viruses after their creation. Macrium R (paid) includes anti-ransomware protection.

    3. If I do have to make a backup image with a bootable flash drive, please give me instructions to do this. Also, is there a free edition of v7.2, which would allow me to do backups / cloning similar to older versions? Is there a time limit to the free edition?
    Plenty of YouTube videos around and MR has a huge help file. When you boot from a MR bootable disk, you see a GUI similar to the one you normally see. Free is free period, and you get updates and notification of them.
    Macrium Software | Product Comparision

    You're more likely to be restoring an image when using the bootable disk, or a useful utility on it - Fix boot.

    Winpatrol: note this has been discontinued, but may well still be useful.
      My Computers


  6. Posts : 19
    Windows 7 Professional
    Thread Starter
       #6

    OldNavyGuy said:
    The first thing I would do is make sure the system is clean -
    Tools for that purpose -
    Malwarebytes
    Emsisoft Emergency Kit
    Hitman Pro
    Once that is assured, you can move forward with making a "clean" disk image backup.
    Thank you! I am running Malwarebytes v4.1.2 (Premium), which gave me the alert to a problem and that it blocked a threat. Three days after that, during daily schedule threat scan, MB detected "Malware.AI.792546367 C:\PROGRAMDATA\HITMANPRO.ALERT\EXCALIBUR.DB-SHM, Removal Failed". This info is extracted from MB's quarantine details report. Since then, I've added in another daily scan to check the DATA partition and a 2nd custom scan to daily check all of C:\ and so far, MB hasn't detected any threat.

    Emsisoft Emergency Kit: I've checked online and most of the 3rd-party search result links I got on this are 2+yrs old for some reason; Is it safe to download this from the company that makes it?

    I use Hitman Pro Alert free edition for safe browsing; I recently updated to newest version with the Free Trial but when installed, the program immediately showed that free trial had expired even though I've not yet used this new version once. Do I need to completely uninstall the older version before attempting to download and run it again?
      My Computers


  7. Posts : 1,862
    Windows 10 Pro 2004 20H1
       #7

    Emsisoft Emergency Kit -

    Emsisoft | Emergency Kit: Free Portable Malware Scan and Removal

    We've used it for several years.

    I use the free version of Hitman Pro. It continues to update when needed.

    I would uninstall any previous version using Revo Uninstaller Portable, which does a good job of removing leftover items.

    Revo Uninstaller Free - Remove unwanted programs easily
      My Computer


  8. Posts : 19
    Windows 7 Professional
    Thread Starter
       #8

    OldNavyGuy said:
    Emsisoft Emergency Kit -
    Emsisoft | Emergency Kit: Free Portable Malware Scan and Removal
    We've used it for several years.
    I use the free version of Hitman Pro. It continues to update when needed.
    I would uninstall any previous version using Revo Uninstaller Portable, which does a good job of removing leftover items.
    Revo Uninstaller Free - Remove unwanted programs easily
    Many thanks for the links (and they're freeware too!) - how would you rate IOBit Uninstaller? Could you direct me to instructions on how to use "quotes" or "multiple quotes" in my replies? Specifically, on some of the longer responses, I have questions or need further clarification on different paragraphs of the responses. How do I quote just the 3rd or 5th paragraph?

    - - - Updated - - -

    dalchina said:
    - not sure why that was a mistake - the disk on which you save image files doesn't need to be bootable. I prefer to keep my bootable Macrium disk separate from my image files so I could use it with different disks containing images for different PCs for example.
    You can restore the partition(s) imaged at any time whether they are O/S or data partitions. They are just partitions.
    If a partition includes a virus, the image of that partition also includes it. Image files could potentially be affected by viruses after their creation. Macrium R (paid) includes anti-ransomware protection.
    I thought it was a mistake in using a non-bootable flash drive because my understanding is that I needed to use a bootable Macrium disk to make the backup image files which includes OS drive and related partitions.

    dalchina said:
    Winpatrol: note this has been discontinued, but may well still be useful.
    It still works and with this case, I think still useful. Would you know of a similar freeware utility that's still supported?

    As I had already planned to transition to W10, this just brought that plan up sooner and with more complications for a just-above-basic end-user like me to tackle without experienced users’ help, prompting me to reach out with my post. I really appreciate help in directing me to tutorials and threads that will help me with the steep learning curve changing to W10, particularly on security aspects [with Windows Sandbox, recommended settings for Windows Defender (is this replacing MS Essentials?), whatever else as I don't know enough to list].

    - - - Updated - - -

    hsehestedt said:
    1) Yes, the backup may be usable with some possible exceptions. You first need to determine if there is a REAL ransomware threat. You may want to check with Malwarebytes regarding the positive detection you received. If it did successfully block the threat, then you should be good.
    Even if you do have an infection, data files (not executables) should be no problem to restore. Remember that you can always mount a backup as if it was a drive and then simply copy files from it to another drive. This holds true for all partitions that you have backed up, not just the OS partition.
    Thank you but I had omitted to share (in trying to keep my post from being too long) that my Outlook.exe was zapped to 0kB when that threat alert came up – I was using Outlook under Sandboxie and was doing “quick recovery” (to pass files outside of the sandbox) of PDFs I’ve sent to myself from a shared desktop. It does seem that MB has successfully blocked the threat but when WinPatrol (“a free security utility that allows you to get a closer look under the hood of Windows so that you can detect programs that should not be running”) started to also give several alerts, it just feels as if something is still trying to run undetected.
    So if my backup image can be mounted as a drive, then would it be safer to use Malwarebytes Premium on my W10 computer to scan this image for possible infection (vs on W7 machine) of all drives or at least of the DATA drive?
    hsehestedt said:
    3) To restore an image, you don't need bootable media unless you plan to restore the OS drive and related partitions. In that case you will need to have a bootable Macrium Reflect drive (thumb drive, CD, DVD, etc.) but the drive that you backed up your data to does not itself have to be bootable. You can always boot from a Macrium boot disk and then access the backups that are located on other drives or network locations. The free version does not have any time limit, only fewer capabilities than the paid version.
    5) Forgive me for not being familiar with the particular malware / antivirus programs you are using, but when they detect a threat, do they not tell you whether they themselves were able to neutralize the threat and if not do they offer advice on how to remove the threat?
    I’ve not been diligent with making backups (my bad) so it’s a bit muddled when I get back to using MR in emergencies such as now. Please excuse these basic questions on using MR: a) Do I need a bootable media to make a backup image that would include the OS drive and related partitions? b) Also would a 4G be enough or an 8G drive be needed for making a bootable Macrium Reflect drive? c) Would I be able to use MR latest version 7.2 to restore the backup images I’ve made with earlier versions (5.2 and older)?

    I use Malwarebytes (Premium) and Microsoft Essentials on the W7 machine along with security utilities such as WinPatrol and HitmanPro/Alert (both are freeware so limited functions but still useful enough for extra peace of mind).
      My Computers


  9. Posts : 1,862
    Windows 10 Pro 2004 20H1
       #9

    I personally am not a fan of IObit anything.
      My Computer


  10. Posts : 2,487
    Windows 10 Home, 64-bit
       #10

    dpwoodpecker said:
    I thought it was a mistake in using a non-bootable flash drive because my understanding is that I needed to use a bootable Macrium disk to make the backup image files which includes OS drive and related partitions.
    You need the Macrium boot disk ONLY if you can't run Macrium from your hard drive--as when Windows has gone south or your hard drive has failed.

    I can't recall hearing anything good about IObit either.
      My Computer


 
