Recovery after Virus, Worm, or Trojan

Discussion in 'Acronis True Image Product Line' started by gjc, Mar 29, 2006.

Thread Status:
Not open for further replies.
  1. gjc

    gjc Registered Member

    Joined:
    Mar 29, 2006
    Posts:
    1
    When a virus, worm, or trojan is present on a computer that prevents the machine from booting, will a recovery using a “disk image” ensure this type of code is overwritten? Since True Image 9.0 Home does not copy all drive sectors during the disk image creation, should additional steps be taken such as partitioning and formatting the hard drive prior to copying the disk image back on the drive?
     
  2. TheWeaz

    TheWeaz Registered Member

    Joined:
    Jul 9, 2005
    Posts:
    1,562
    This happened to me and all I did was restore from a partition image.
    I’m guessing that even with the virus/whatever data still on the disk, one of two things will happen during the restore.
    One – the data will be all or partially overwritten, making the virus DOA.
    Two – none of the data will be overwritten, but since those sectors are not flagged as "in use" by the OS, the virus would again be DOA.
    That's just my guess.
     
  3. TheWeaz

    TheWeaz Registered Member

    Joined:
    Jul 9, 2005
    Posts:
    1,562
    Addendum:
    I was able to boot – so my experience does not match the situation you asked about.
    Sorry.
    If the bad guy infected your MBR or the like, then I’m sure a partition restore would NOT help, since the MBR would NOT be replaced during the restore.
     
  4. Jbmoar

    Jbmoar Registered Member

    Joined:
    Aug 4, 2004
    Posts:
    112
    Location:
    San Jose,Costa Rica
    I was infected with a virus over 2 months ago and all I did was restore the backup image I created and all was working again.

    From what I've been told, the True Image 9 Rescue CD option creates a backup image of the entire primary partition including the MBR, so if you are infected in the MBR a restore will fix everything. A restore does not overwrite anything on the hard drive. What it does is: it deletes the entire primary partition and then replaces it with the backup image, which is the entire partition.
     
  5. Acronis Support

    Acronis Support Acronis Support Staff

    Joined:
    Apr 28, 2004
    Posts:
    25,885
    Hello gjc,

    Please note that the image of the entire hard drive created with Acronis True Image 9.0 (both in Windows and when booted from Rescue Mode) includes images of all disk partitions as well as the zero track with master boot record (MBR). Therefore when you restore this image the MBR will be replaced with the one from the image.

    Please note that if you have an image of the system partition only, you can first format the hard drive, then restore the image and use the following commands of the Windows Recovery Console in order to recreate the MBR and write a new partition boot sector to the system partition: "fixmbr" and "fixboot".

    In both of these cases the MBR will be rewritten and you will get your system back to the moment of the image creation (without viruses).

    Thank you.
    --
    Aleksandr Isakov
     
  6. seekforever

    seekforever Registered Member

    Joined:
    Oct 31, 2005
    Posts:
    4,751
    The MBR is part of the image only if the image is of the entire physical disk. If only a partition was selected to create the image then the MBR is not present whether or not the Windows version or the Rescue CD version was used.
    When doing a backup check the box beside Disk 1, not the partitions listed below it, to capture the MBR with the image.

    The MBR will be copied to the new disk in a clone operation as well.
     
  7. Menorcaman

    Menorcaman Retired Moderator

    Joined:
    Aug 19, 2004
    Posts:
    4,661
    Location:
    Menorca (Balearic Islands) Spain
    Just to add that the captured MBR won't be written back to the destination drive unless you also tick the Disk 1 checkbox during the restore process.

    Regards
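
The thread turns on whether a restore actually replaces the MBR. The following is an added example, not part of the original thread and not Acronis code: it compares a known-good copy of sector 0 with the sector read back after a restore. It assumes you have saved both 512-byte sectors yourself; the function names and the sample sectors are constructed for illustration.

```python
import hashlib
import struct

SECTOR = 512

def parse_mbr(sector: bytes) -> dict:
    """Split a classic 512-byte MBR into boot code hash, disk signature, partitions."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):                      # four 16-byte entries at offset 446
        entry = sector[446 + 16 * i:462 + 16 * i]
        lba_start, count = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0:                   # type 0x00 means the slot is unused
            parts.append({"index": i, "active": entry[0] == 0x80,
                          "type": entry[4], "lba_start": lba_start,
                          "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:440]).hexdigest(),
            "disk_signature": sector[440:444].hex(),
            "partitions": parts}

def compare_mbr(baseline: bytes, current: bytes) -> list:
    """Return the differences that matter after a restore."""
    a, b = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if a["boot_code_sha256"] != b["boot_code_sha256"]:
        findings.append("boot code differs")
    if a["partitions"] != b["partitions"]:
        findings.append("partition table differs")
    return findings

def sample_mbr(boot_byte: int) -> bytes:
    """Constructed test sector: filler boot code plus one active NTFS entry."""
    buf = bytearray(SECTOR)
    buf[:440] = bytes([boot_byte]) * 440
    buf[446:462] = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00",
                               0x07, b"\xfe\xff\xff", 63, 204800)
    buf[510:512] = b"\x55\xaa"
    return bytes(buf)

if __name__ == "__main__":
    # Same partition table, different boot code: what a partition-only
    # restore over a modified MBR would look like.
    print(compare_mbr(sample_mbr(0x90), sample_mbr(0xCC)))
```

An empty result means the boot code and partition table on the restored disk match the known-good copy; "boot code differs" after a partition-only restore is the case seekforever and Menorcaman describe.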
     