Problem with Dell Restore/True Image

Houston, I have a problem. I bought a Dell Inspiron 1300 with Windows XP (SP2) about three years ago. It came equipped with the Dell System Restore but no re-installation CD (of course). After a year or two of use I decided it was time to take my computer back to to its pristine, as-shipped-by-Dell condition. I booted up, waited for the blue www.dell strip across the top of my screen, pressed Ctrl + F11 and voila, everything was back to day zero. Great.

Almost straight afterwards I installed Acronis True Image and made a backup image of my almost-pristine hard drive, plus SP3, MS patches, new drivers, firewall etc. Now, instead of the blue www.dell strip at the top of the page on bootup, Acronis had taken its place as the ‘press F11’ option to restore backup. Still everything was okay.

However, one day last week my antivirus told me I had the Win32.virut virus. I tried to get rid of it but all the good advice on the internet seemed to suggest that only a system restore would properly solve the problem. No problem. I restored my healthy Acronis backup image. Yet five days later the Win32.virut virus reappeared in my antivirus scan and it occurred to me that the virus was possibly on the Acronis backup image itself. Now, I needed to get back to the original Dell System Restore image. But Acronis had changed the Master Boot Record and Dell System Restore was no longer accessible.

A bit of research sent me to www.goodells.net and by following the instructions, I made a DoS boot CD with 'dsrfix' on it and was able to change the MBR to how it should look if you want to boot from the Dell Restore partition.

However, on booting, although I had got back the old www.dell blue strip that is necessary if you are going to access Dell Restore (the Acronis F11 option was now gone), the laptop still wouldn’t boot from the Dell System Restore partition. Instead the screen just showed the www.dell blue strip plus a message ‘PBR…done’ in the top left with flashing cursor. The laptop attempted ad infinitum to boot from this but it failed, tried to boot again, failed, tried to boot again etc. It would still be doing this now if I hadn’t switched the damn thing off.

Just in case the Acronis Secure Zone partition was messing things up, I deleted it. This left me with just the three original shipped partitions: the Dell Utility Partition (78Mb), my ‘C’ drive (34GB) and the Dell System Restore partition (3GB). Even so, this changed absolutely nothing.

In desperation I created a new Acronis backup image (after all, the Win32.virut virus hadn’t shown up on any scans for a day or two so maybe my cocktail of antivirus/spyware scans/quarantines/deletions really had got rid of it - though I don’t believe this). But though the Acronis image itself seems to have been successful (despite the creation process not looking right: it sort of looked like it was doing everything in DoS and there was some kind of error message at the end), the Acronis F11 boot option hasn't come back. I still have just the unusable www.dell blue strip with ‘PBR…done’ when I try to boot from it, and a brief 'PBR2...done' when I let the laptop boot normally.

Though I can now boot up normally (by simply ignoring Ctrl + F11), I still have no access to a backup from bootup. Can anybody think of a way that I can access Dell System Restore or failing that, how to make Acronis F11 boot option reappear? I have an unwrapped, unused Windows 2000 installation CD that I’m seriously thinking of installing over the top of this possibly infected XP. After all, a clean W2K would be better than an infected Windows XP. Would this even work? (my computer knowledge is limited).

Any suggestion is welcome, as long as it isn’t ‘try re-installing XP OS from installation CD’ or ‘Try pressing Ctrl + F11’.

Thanks in advance. Keith

 

Keith,

Can you run the dsrfix CD and let us know the last group of lines (about 5 to 10 lines) that are present before the A: prompt. That should tell us why you can't use the Dell Restore function.

Edit: Let us know what partitions you see in Disk Management. Their order, capacity and file system. Any unallocated space?

 

The original Dell MBR of my laptop is long gone so, just the other day, I went through the manual restore procedure outlined on this page of Dan Goodell's http://goodells.net/dellrestore/recover.htm and it worked out fine. I never got the ctrl-F11 functionality back but I certainly have an image of my Dell out of the box that I restored using restore.exe on the DSR partition - I'm keeping it in an FD-ISR snapshot archive too. Since yours is 3 years old, it may well be the same, a DOS-DSR as opposed to the 32-bit, PE, version.

Point is, it's doable without the ctrl-F11 functionality. HOWEVER, Brian K certainly has you on the right track to check the results of the dsrfix report. You may actually be able to recover the functionality but, if not, all is not lost.

P.S. I'm not sure how just booting Goodell's CD will tell Keith what he needs to know, Brian. Won't he need to enter "dsrfix" at the A:\ prompt, without parameters, to see how his PBR checks out? I must confess I never paid much mind to what displays before the inital A:\.

 

When you installed the Secure Zone, you also installed the TI Recovery Manager. This is what replaced the Dell MBR with the TI Ctr.-F11 MBR. If you had uninstalled the Recovery Manager within TI, you would have gotten the Dell MBR back again. In fact, if you restore your TI image and then uninstall the Recovery Manager, I think you will have the Dell MBR back.

The Recovery Manager isn't essential since you can do a restore by booting from the TI Rescue CD if Windows won't boot to start the restore process.

I doubt that the virus is on the TI image, but if you immediately update your antivirus and scan after restoring the image, you can be sure. If the virus is found, then the image isn't too useful except to restore the Dell MBR.

Did you try several antivirus products? The free Trend Micro scan is good: housecall.antivirus.com. Malwarebytes is also free and good. You can use these in addition to your regular antivirus and then uninstall any like Malwarebytes that would remain resident and cause conflicts.

 

crofttk,

I can be brief at times. You are correct. Type dsrfix at the first A: prompt. I'm interested in what is seen before the second A: prompt.

 

Thanks a lot guys for replying so quickly.

Just let me get you up to date with things I did before I saw your replies. I completely uninstalled TI and ran 'autoruns', unticking any startup items left there by TI to see if that would help me boot into DSR. It made no difference whatsoever. So I reinstalled TI and created an Acronis Secure Zone and this time the process went smoothly and now Acronis F11 is back on my boot screen. However, as you know, what I really want back is DSR so that I have a clean image of my HD.

So Brian, I ran ‘dsrfix’ again just now so that I could report what happens and this time was an exact replica of the previous time. When running dsrfix with TI installed and Acronis F11 functioning, dsrfix shows the following screen (sorry, I had to write and then type all this since there was no way to save it. I'm only including the first bit so that you can assure me I'm looking at the correct disk!):

Disk 80 found, master device at port 01F0
28-bit user secs: 78140160 (40GB)
28-bit max secs: 78140160 (40GB)
i13/48 user secs: 78140160 (40GB)
disk cyls/hds/secs: 4864/255/63

Okay, now the scan proper:

Alert: boot code does not match dell mbr.
Good: pbr descriptor 1 is type DE
Good: pbr descriptor 2 is type 07
Good: pbr descriptor 3 is type DB
Info: pbr descriptor 4 is type 05
Good: pbr is fat 16, label is DellUtility
Good: pbr is fat 32, label is DellRestore
Alert: reference partition table not in sync

I then run dsrfix /f

Ready to queue changes…
Restore Dell MBR boot code? (y/n) y
Refresh reference partition table? (y/n) y

Changes queued. Write changes to disk now? (y/n) y
Writing mbr rpt.

I then run dsrfix again:

Good: boot code matches dell mbr v3
Good: pbr descriptor 1 is type DE
Good: pbr descriptor 2 is type 07
Good: pbr descriptor 3 is type DB
Info: pbr descriptor 4 is type 05
Good: pbr is fat 16, label is DellUtility
Good: pbr is fat 32, label is DellRestore
Good: reference partition in sync

This all seems to be alright so I escape the only way I know how: eject the dsrfix boot CD from the CD drive and then press Ctrl + Alt + Del. This then boots into the screen with the blue www.dell.com strip. I press Ctrl + F11 and it endlessly tries to boot up. Sometimes it just says 'cannot restore' in front of the flashing cursor.

The only way to exit this endless cycle of attempted boots is to put the boot CD back into the CD drive so that it boots to that instead. I then run dsrfix again, more out of curiosity than anything else and I notice something strange. All entries are the same except descriptor 3 which has now changed:

Good: boot code matches dell mbr v3
Good: pbr descriptor 1 is type DE
Good: pbr descriptor 2 is type 07
Alert: pbr descriptor is type OC, not DB
Info: pbr descriptor 4 is type 05
Good: pbr is fat 16, label is DellUtility
Good: pbr is fat 32, label is DellRestore
Good: reference partition in sync

I now have two choices: whether to go into dsrfix /f and get it to correct the new alert or go to ptedit and change things manually. This time I chose to go into ptedit. I changed things from this:

DE 00
07 00
OC 80
05 00

to this:

DE 00
07 80
DB 00
05 00

I think '05' refers to the Acronis Secure Zone because when I erased it, all the other figures on the fourth row in the table were at zero.

So, I now click ‘save changes’ and exit via Ctrl + Alt + Del again.

But it’s the same old story with the non-functioning www.dell.com boot screen. So I go back in again to the CD and see that none of the changes I just made manually were saved. So, this time use dsrfix /f to fix things. After running it I check with dsrfix and yes, the changes have been made. I then exit and...nothing has changed.

Sometimes I go back in and I run dsrfix but everything looks exactly as it should i.e.

Good: boot code matches dell mbr v3
Good: pbr descriptor 1 is type DE
Good: pbr descriptor 2 is type 07
Good: pbr descriptor 3 is type DB
Info: pbr descriptor 4 is type 05
Good: pbr is fat 16, label is DellUtility
Good: pbr is fat 32, label is DellRestore
Good: reference partition in sync

So it appears that the changes I make generally are saved. It just seems to do no good. One time I ran the /PBR4 switch thinking that the partitions might have got the partitions mixed up but that didn't help either.

Brian, I have been using Easeus Partition Master (I can never remember where Disk Manager is) to monitor my partitions, not to change anything. It now shows the following:

Disk 1

Type Size Used Unused status pri/log
* FAT16 78.41MB 7.56 70.85MB none primary
C NTFS 22.15GB 9.79 12.36 system primary
* FAT32 3GB 2.04GB 985.40MB none primary
*Acronis SZ FAT32 12.03 10.01 2.01 none logical

Any ideas guys? Crofttk, I'd be very interested to know how you restored your DSR without using F11. It's not that I'm particularly enamoured of Ctrl + F11. I just want a clean HD any way I can get it.

John, I think it's too late to recover the original MBR that was possibly kept in TI Recovery Manager. I have uninstalled TI twice and reinstalled it so that the original Dell MBR won't be in the TI Recovery Manager that I now have.

I have run all of the antivirus software you suggested. The problem with this virus is that when you delete it you delete important executibles with it. I really can't be sure if it's gone or lying doggo. However, when I run a scan by say, Ad-Aware, NOD32, etc. Avira Premium (my resident antivirus) often alerts me that the scanning software is trying to access some virus/trojan, though the antivirus software that is actually doing the scanning doesn't seem to find anything. Neither does Avira when I run a scan. It's as if Avira has a sensitive tooth (the virus) that only aches when touched by a third party antivirus.

 

Keith,

Thanks for all the info. Interesting. I think crofttk has provided the best suggestion. The link is http://goodells.net/dellrestore/recover.htm

I feel you need to delete the Acronis SZ and put the partitions back to their original sizes. How was the SZ created? Did it remove space from the OS partition? If so, the Dell restore won't work until the OS partition is returned to its factory size.

 

Brian,

I am about to do just that: delete the Acronis Secure Zone and merge it with the rest of the hard drive. This should make things easier, though I'm not sure that it's necessary. I think that as long as there is room on the hard drive for the original image, it doesn't matter that it's changed.

Anyway, after that I'm going to try to restore DSR manually as you and crofttk suggested. I just needed someone to egg me on a bit to give me the courage. I've read through the instructions and it doesn't look too daunting.

Anyway, wish me luck. If you never hear from me again you know it's all gone horribly awry. (I am in Japan and this is my only computer until I get back to England in three months!)

Goodbye, cruel world...

 

I found that, for me, it was not necessary to have my 2nd partition back to factory size, it was at 65GB versus OOTB at 87 or so. The DSR result is only 4 GB or so.

Anyways, if you haven't already taken the leap, or even if you have, hopefully you found the link to http://goodells.net/dellrestore/manualrestore/index.htm

This set of step-by-step is what I printed out in hard copy to step me through the manual restore and everything worked exactly as Dan has it and, sorry, it's the page I meant to point you to from the start. The one I gave you earlier is where I found the link to the manual step-by-step.

I hope to see your report of success!

P.S. In fact, my DSR partition was at PBR4 position and rather than take the time to totally restore the drive partitions so that DSR was at PBR3, I just manipulated the PBR descriptor and boot bytes as instructed with DSR in PBR4 and it worked out fine. Hopefully other folks who get in this situation find their Dell setup as resilient as mine was.

 

Gentlemen,

The Eagle has landed! Crofttk, yes, I found the step-by-step instructions that you were referring to. It was much easier than I had thought it would be. Almost idiot-proof, in fact. As you said, it was just a question of following Dan Goodells clear instructions. My next job will be to make a copy of the DSR image, as you did. Then I'll feel safer about the whole thing if it happens again. And once I get to a printer I will print out the instructions that I wrote out in rough. Only a very desperate man could have decyphered my spider-like writing and next time I may not be so desperate.

I have spent the evening getting rid of all the rubbish Dell puts on its computers. I was going to use pcDeCrapifier but I wanted to make sure most of the registry entries were gone along with the actual programs so I laboriously uninstalled them one by one with RevoUninstall. I needed McAfee's special uninstall tool to get rid of its many programs. In fact it's taken me the best part ten hours to get all my MS patches and service packs, plus other software, some of which needed registration numbers installed. Still, it was a labour of love and I now feel fantastic that I have a clean computer.

Thanks a lot for your help Brian, Crofttk and John.

Keith

 

Welcome back!

I'm glad we could help out! LOL, now you're ahead of me on the "cleaned" clean install. I'll do the "cleaning" too, so I can have an OOTB install and a true bare bones Dell install.

 

Keith, that's great news and thanks for providing such detailed posts on what you did. I'm sure we've all learned a lot. I have.