Restoring Problem

Discussion in 'Acronis True Image Product Line' started by JMasterJ, Jul 3, 2009.

Thread Status:
Not open for further replies.
  1. JMasterJ

    JMasterJ Registered Member

    Joined:
    Jul 3, 2009
    Posts:
    6
    I had a major virus, had the backup stored on an uninfected external drive... did a restore using the rescue CD. It did restore, HOWEVER, the virus was STILL on there! I even selected the sector by sector restore, which should have restored my clean PC state from 2 days ago. Just to confirm this process, I ran a backup through a clean PC and clean external drive. 2 days later I got a virus on my PC (my external drive is usually turned off btw). So I restarted my PC with the Acronis rescue disk and went through the 2 hour restore, sector by sector. When the PC rebooted with the restore, the virus was still there although the files were restored to the original pre-virus setting.

    I was real desperate at this point, so I decided to risk it and actually use my XP Pro CD again and reinstall XP from scratch after repartitioning and full reformatting the boot drive just to make sure I wipe everything out, and THEN retried the Acronis restore... THIS time it did restore properly to my clean pre-virus state.

    Now obviously this is a big inconvenience in that I have to waste at least another two hours or so making sure things are backed up and then redo XP and then run Acronis. The restore should work without having to do all those extra steps correct? Please advise, thank you.
     
  2. seekforever

    seekforever Registered Member

    Joined:
    Oct 31, 2005
    Posts:
    4,751
    Was your archive created as a sector-by-sector archive? If it wasn't, all of the sector information is not present and TI can't restore all the sectors in the partition to what they were.

    I wonder if you had a boot-sector virus. Restoring a partition normally does not do anything to the MBR. Your XP installation with repartitioning would have written a new MBR.

    I doubt that a virus left over on un-used sectors can be a problem since they have to get into a position where they are executed.
     
  3. JMasterJ

    JMasterJ Registered Member

    Joined:
    Jul 3, 2009
    Posts:
    6
    As I said, I did a sector by sector for that exact purpose..... and that also rewrites the original MBR so that, I would think, should have taken care of anything else... this is why I am posting this question, because it doesn't make sense unless I am missing something... so I need to know in the future, any time I have a virus, to be sure, I have to reinstall XP and then restore Acronis? I never heard of anyone before needing to do this, but then again, it's not like I have talked to hundreds of people using this software so that's why I am here...
     
  4. jehosophat

    jehosophat Registered Member

    Joined:
    Sep 29, 2008
    Posts:
    428
    Location:
    UK
    Your experience does seem unexpected. How a virus could survive is puzzling.

    Do you know what the name of the virus was?

    Have you looked up the category of this type of virus? This might help understand what went on.
     
  5. JMasterJ

    JMasterJ Registered Member

    Joined:
    Jul 3, 2009
    Posts:
    6
    Adaware and Spydoctor had located some type of trojan worm, but I could not look anything up because it also destroyed my online connection and I didn't have access to another PC at the time and I was getting fed up with it, and didn't care about fixing the virus, I just wanted to restore my PC, which I thought was what I was doing... so this is very unusual? But I guess with certain viruses you will have to go through the steps that I did?
     
  6. jehosophat

    jehosophat Registered Member

    Joined:
    Sep 29, 2008
    Posts:
    428
    Location:
    UK
    Well I am glad that you have your system back. That's all that matters.

    Thanks for reporting the issue. It is something we can watch out for in the future.
     
  7. seekforever

    seekforever Registered Member

    Joined:
    Oct 31, 2005
    Posts:
    4,751
    Are you saying you originally restored the system and then 2 days later it reappeared?

    Is the sector-by-sector backup of the whole disk or just the C partition? Is there more than one partition on the disk?

    I am not aware of any virus that is known to reside in un-used disk space and then springs to life (it has to get into execution some how). Virus scan programs only check files not un-used space.

    Does anybody know for a fact that a sector-by-sector backup of partition C actually includes the MBR stuff. Acronis does not treat it as part of C for a normal image. If the whole disk was specified (assuming you can do that for a sector-by-sector) then it definitely should have done the MBR.
     
  8. JMasterJ

    JMasterJ Registered Member

    Joined:
    Jul 3, 2009
    Posts:
    6
    Sorry, my diction may not have been clear in my haste.... to make it crystal, I'll just use some specifics to help the visualization:

    June 1 - Everything is fine, clean, I make a complete/full backup with Acronis for my boot C: drive only
    June 3 - I get a nasty virus, try to clean it by all regular means, but it won't come out and XP System Restore won't work either... so I boot up with the Acronis rescue disk, go through the 2 hour SECTOR-BY-SECTOR restore process (with MBR rewrite to the boot drive), then computer restarts, and everything is back to the June 1 state, EXCEPT the virus is STILL THERE!

    This is when I got real frustrated, and decided to wipe out the C: with a reinstall of XP Pro with a repartitioning just to be safe and a full format, reinstalled completely, and as soon as the OS was up and running, I repeated the restore process described above and THEN it restored to my June 1 state but clean as it was then, no more virus.

    Yes in the end that worked, but I just would like to know from someone who experienced this or someone technically knowledgeable enough to explain why this happened and do I have to do it like that again in the future... and I guess the only thing I can think of is a boot sector virus, but even then, shouldn't the restore rewrite that as well??

    I did try running the Kaspersky boot sector scan before the final restore, but it was freezing all the time, so I don't know if that was also the virus or if Kaspersky's utility just sucks... any other alternatives for that also would be appreciated for future boot scans. Thanks!
     
  9. seekforever

    seekforever Registered Member

    Joined:
    Oct 31, 2005
    Posts:
    4,751
    Thanks for the clarification. Since this seems to be rather unusual, I'm going to ask you for a bit more clarification just to make sure we are all on the same page.

    You said you made a complete/full backup but you don't say you made a sector-by-sector backup. In TI parlance they aren't the same thing. A Full backs up all the used sectors but not the unused ones, whereas the sector-by-sector includes all the sectors in the partition, used or not. What I'm wondering is that if you did a Full and then tried to restore it as sector-by-sector, what did it really do? The amount of time taken does suggest you did restore a lot of data. What is the used space and the total size of your C partition?

    You said "with MBR rewrite to the boot drive". So you actually looped back in the restore wizard and checked the box to restore the MBR. Unless TI2009 is changed you can't select both the MBR and a partition to be restored in a single pass through the wizard.

    Very strange and I don't recall ever hearing of a case like this. I would say that anytime a post has been about a restore not replacing a partition to its proper state has been due to restoring the wrong archive or the backup was not what was originally thought. Too bad you didn't catch the name of the virus so we could see where it normally hides.
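    A check that helps settle the question seekforever raises above (did the restore actually rewrite sector 0 and every partition sector?) is to compare the restored disk against the archived image sector by sector. The script below is an added example, not code from the thread or from Acronis: it works on plain raw images (constructed inline, not real .tib archives), parses the MBR partition table, and lists which sectors still differ after a restore with and without the MBR included.

```python
# Added example: verify a sector-by-sector restore by diffing raw images.
# All disk contents here are tiny constructed byte strings, not real archives.
import struct

SECTOR = 512

def parse_mbr(sector0):
    """Return (signature_ok, partition_entries) from a 512-byte MBR."""
    sig_ok = sector0[510:512] == b"\x55\xaa"          # boot signature
    entries = []
    for i in range(4):                                 # four 16-byte slots at offset 446
        boot, ptype, lba_start, lba_count = struct.unpack_from(
            "<B3xB3xII", sector0, 446 + 16 * i)
        if ptype != 0:                                 # type 0 = empty slot
            entries.append({"bootable": boot == 0x80, "type": ptype,
                            "start": lba_start, "count": lba_count})
    return sig_ok, entries

def diff_sectors(image_a, image_b):
    """Sector numbers whose 512-byte contents differ between two raw images."""
    n = min(len(image_a), len(image_b)) // SECTOR
    return [s for s in range(n)
            if image_a[s * SECTOR:(s + 1) * SECTOR] != image_b[s * SECTOR:(s + 1) * SECTOR]]

def make_image(boot_code, partition_sectors):
    """Constructed disk: MBR in sector 0, one NTFS-typed partition starting at LBA 1."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 1, len(partition_sectors))
    mbr = boot_code.ljust(446, b"\x00") + entry + b"\x00" * 48 + b"\x55\xaa"
    return mbr + b"".join(s.ljust(SECTOR, b"\x00") for s in partition_sectors)

# Constructed sample data: the "June 1" archive and the later infected disk.
ARCHIVE = make_image(b"CLEAN-BOOT-CODE", [b"ntfs-metadata", b"file-a", b"file-b", b"free"])
INFECTED = make_image(b"PATCHED-BOOT-CODE", [b"ntfs-metadata", b"file-a", b"dropper", b"free"])

def restore(target, source, include_mbr):
    """Copy every partition sector from source; copy sector 0 only if include_mbr."""
    out = bytearray(target)
    start = 0 if include_mbr else SECTOR
    out[start:len(source)] = source[start:]
    return bytes(out)

def check_restore(include_mbr):
    """Sectors of the restored disk that still differ from the archive."""
    return diff_sectors(restore(INFECTED, ARCHIVE, include_mbr), ARCHIVE)

if __name__ == "__main__":
    print("partition-only restore, sectors still differing:", check_restore(False))  # [0]
    print("restore including MBR, sectors still differing:", check_restore(True))    # []
    print(parse_mbr(ARCHIVE[:SECTOR]))
```

On a real machine the two inputs would be the raw device read from a rescue environment and a raw export of the archive; a non-empty result that includes sector 0 means the MBR was not rewritten.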
     
  10. JMasterJ

    JMasterJ Registered Member

    Joined:
    Jul 3, 2009
    Posts:
    6
    Boot drive: WD Vraptor 150GB, running at about 70% capacity for a while

    Ok, I can't be 100% sure of what I did a couple of weeks ago since I have just started using this program... but here it goes:

    June 1 - Everything is fine, clean, I make a backup with Acronis for my boot C: drive only with the following options:
    --- My Computer
    --- Back up sector by sector (about 80% sure I checked this box)
    --- Pretty sure I did NOT check the "...unallocated space" box
    --- Create New Backup Archive
    --- Do not schedule
    --- Full
    --- No password or encryption
    --- Task name....
    --- Run task now - Proceed
    DONE

    June 3 - I get the virus
    --- I boot up with the Acronis rescue disk
    --- 2 hour restore SECTOR-BY-SECTOR restore process (with MBR rewrite to the boot drive, I remember selecting this option, not exactly sure when or where but it made me select the drive where MBR is so I remember that for sure)
    --- Computer restarts, and everything is back to the June 1 state (data, desktop, etc...) but virus is still there.

    If you need any other details let me know... thanks.
     
  11. seekforever

    seekforever Registered Member

    Joined:
    Oct 31, 2005
    Posts:
    4,751
    Thanks. It sounds like, and the size and time seem to support, that you indeed did a sector-by-sector backup and restore. Also, I'd say you did the MBR restore.

    After all of this, I'm at a loss but I feel (and that is all it is) that your repartitioning is what got rid of it. A full format only sets up the filesystem structure and does a read-check of all the sectors. It doesn't write anything into them which is why data can be recovered after a format. The other missing piece is what was not overwritten by the TI sector-by-sector and the MBR write that we assume was overwritten.

    Hopefully we may get some more advice from others and perhaps, Acronis, on this question.
     
  12. alan_b

    alan_b Registered Member

    Joined:
    Nov 13, 2008
    Posts:
    100
    Location:
    Lancashire, England
    Just because you were unaware of any malware at the time you created a backup does NOT mean that malware had not already got on-board.

    Perhaps your archive image contains malware which came from www.shop-a-lot etc., and to conceal its origin it deliberately waits 2 days before it misbehaves.
    Or perhaps it is a back-door into your computer that cautiously trickle downloads evil companions and after 2 days they combine and destroy your world.
     
  13. MrMorse

    MrMorse Registered Member

    Joined:
    Jun 12, 2008
    Posts:
    737
    Location:
    Germany
    You have more than one HDD. What about these other HDDs while you restore the boot HDD?

    What kind of data are on the other hdd's?
    Applications?
    How many partitions do you have?

    Why I ask this:
    The virus can reside on another partition than on the boot MBR.
     