  1. #1
    4 Star Lounger
    Join Date
    Mar 2002
    Location
    Sacramento, California, USA
    Posts
    509
    Thanks
    4
    Thanked 1 Time in 1 Post

    Recovering from a virus attack: system drive backup

    My XP system has been infected with a virus for ten days, and has been unusable for three days. All my attempts at recovering the system have failed. Today I'm going to buy a copy of Windows 7 and rebuild it.

    This thread concerns how to prevent the same thing from happening again. Specifically, it concerns how to back up a functioning system so that if something does go wrong, I can simply blow away the affected partition and restore it. (I would not lose data by doing that, since I keep all of my data in other partitions -- about the only protective measure I took that has worked out as planned!)

    I used PartitionMagic to store two backups of my system disk in hidden partitions on the same drive -- one current, one older. Both turned out to be unusable. In each case when I tried to boot the restored partition I got a message that hal.dll was corrupted. With the current one I restored hal.dll from the cab file on the installation disk; when I tried to boot again Windows hung with no message. Evidently at least one other file was "corrupted"; probably many were.

    I tried to do a repair installation of Windows, but it failed because of an "extended I/O error." I assume this was a read error on the DVD drive, because I've had trouble reading this installation disk before, but the message did not say. I copied the installation disk to an ISO file on another computer and burned it to a new DVD, then tried again, but the installer thought it was half-way through the installation and tried to proceed from a point after the original failure. I restored the partition from the backup again, but this time the installer claimed that my system partition did not contain a valid copy of Windows, making a repair installation impossible.

    It appears that something has corrupted my backups, and they're getting worse the more I try to use them.

    I've got lots of theories about what happened. Unfortunately none of them are persuasive or easily testable.

    Is my hard disk failing? I've seen no other evidence of that, and it is hard to believe that a modern hard disk would fail in a mode that corrupts data with no warning... or that it would choose this precise time to do so.

    Did the virus do it? I can believe that a virus might corrupt hidden partitions, although I don't have knowledge that any virus actually does that. But I actually removed the virus from my active partition and was struggling to repair the damage it left behind when things really went south, and I deleted the infected partition before the last incident of apparent corruption happened.

    Did the partition table get infected, and did the virus remover miss that? I've heard of such things, but the partition table just isn't that big, and it would need a place to store code to bootstrap. Perhaps there is virus code in one of my data partitions, but my anti-virus program pronounced them clean, and so did the separate virus remover that I used to exterminate the infection. Again, this is possible but seems far-fetched.

    Were my backup partitions infected from the start? Maybe, but if so, they were infected with something that caused no trouble in the active partition for the better part of a year after I created the latest backup. Why should it make the system unbootable now? Again, this seems possible but far-fetched.

    So, I've got two questions: (1) What happened? (2) How can I prevent it from happening again?

    Please answer if you have knowledge that might bear on the situation. Theories without more won't be too helpful; I've got too many theories already.

  2. #2
    2 Star Lounger
    Join Date
    Dec 2009
    Location
    Calif
    Posts
    182
    Thanks
    0
    Thanked 14 Times in 13 Posts


    Perhaps the info in the topic "Preventing Malware and Safe Computing" on the Expert malware removal forum www.geekstogo.com/forum, specifically located at http://www.geekstogo.com/forum/topic...safe-computing, might help!?
    For the BEST in what counts in Life :

    http://www.ctftoronto.com

  3. #3
    Lounge VIP
    Join Date
    Apr 2011
    Location
    Scotland
    Posts
    1,168
    Thanks
    44
    Thanked 134 Times in 115 Posts
    Perhaps the info in the topic "Preventing Malware and Safe Computing" on the Expert malware removal forum.... specifically located at....
    That article does not address jsachs177 two questions:

    (1) What happened? (2) How can I prevent it from happening again?
    The symptoms described suggest a hardware error. It is difficult to comment from an informed position when there is not much hard data on your system spec and configuration.

    Viruses and other types of malware (a virus is only one type, so it might have been something else), are more often than not non-destructive. There is little payback to malware writers these days in writing the code and designing a delivery mechanism solely to damage data structures. Most often the real payload is designed to steal information in one way or another - either by direct interception or by social engineering techniques.

    Can you describe a little about the infection you encountered and the recovery process you used? Perhaps it was the recovery process that damaged the system, rather than the malware. Anyway, that speculation does not help, as per your defined request for help:
    Theories without more won't be too helpful; I've got too many theories already.
    Therefore, I'll restrict myself for now to an observation based on your description:

    The Partition Magic backups were on the same drive as the data they backed up. They should have been located on a different media that could have been independently verified as clean and intact on an isolated system. Backups that are not tested and verified are not backups at all.

  4. #4
    4 Star Lounger
    Join Date
    Aug 2011
    Posts
    460
    Thanks
    1
    Thanked 33 Times in 33 Posts
    The Partition Magic backups were on the same drive as the data they backed up. They should have been located on a different media that could have been independently verified as clean and intact on an isolated system. Backups that are not tested and verified are not backups at all.
    That's the main thing, get them off the system, to an external drive or to external drive and DVD for multiple media type backup, and also only use image software that allows for verification of the backup, and if you really want to be sure, use another disk and restore that backup to be sure it functions as advertised.
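The two points made in the last two posts (keep the image on a different medium, and verify it rather than trust it) can be turned into a small script. This is an added example, not tooling from the thread or from PartitionMagic/Ghost; it assumes a POSIX shell with GNU coreutils (dd, sha256sum, cmp) and takes file paths as arguments, so SRC could be a block device such as /dev/sda1 read from a rescue boot and DST a file on an external drive. The image is hashed independently of the copy step, and the sidecar .sha256 lets you re-check the image later, before you rely on it.

```shell
#!/bin/sh
# Added example (not from the original forum thread): image a partition
# or disk to a separate destination and verify the copy by hash.
# Assumes GNU coreutils (dd, sha256sum). Paths are placeholders.

set -u

# backup_image SRC DST
# Copies SRC to DST block by block, then hashes source and copy
# independently of the copy step. Writes DST.sha256 only when the two
# hashes agree. Returns 0 on a verified copy, 1 if dd failed, 2 if the
# written copy does not match the source.
backup_image() {
    src=$1
    dst=$2
    dd if="$src" of="$dst" bs=1048576 2>/dev/null || return 1
    sync
    src_sum=$(sha256sum "$src" | cut -d' ' -f1)
    dst_sum=$(sha256sum "$dst" | cut -d' ' -f1)
    [ "$src_sum" = "$dst_sum" ] || return 2
    # Sidecar in sha256sum -c format, relative name so the drive can move.
    printf '%s  %s\n' "$dst_sum" "$(basename "$dst")" > "$dst.sha256"
    return 0
}

# verify_image DST
# Re-hashes DST and checks it against the sidecar written at backup time.
# Run this before restoring, and periodically on the backup drive, so a
# silently corrupted image is caught while you still have alternatives.
verify_image() {
    dst=$1
    [ -f "$dst.sha256" ] || return 1
    (cd "$(dirname "$dst")" && sha256sum -c --status "$(basename "$dst").sha256")
}

# Usage (from a rescue boot, with the system drive not mounted read/write):
#   backup_image /dev/sda1 /mnt/external/sys-$(date +%F).img
#   verify_image /mnt/external/sys-2011-10-25.img
```

A restore test on a spare disk, as suggested above, is still the only proof that the image boots; the hash check only proves the bytes on the backup medium are the bytes that were read from the source.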

  5. #5
    5 Star Lounger
    Join Date
    Mar 2011
    Posts
    820
    Thanks
    16
    Thanked 62 Times in 57 Posts
    I presume you mean that the backups were made with the free application that comes with PartitionMagic, not PartitionMagic itself. Incidentally, PartitionMagic is excellent but it is not compatible with Win 7 (which has some of the capability built in). You make no mention of having any antivirus or malware protection whatever, which will delight the audiences of the furious debates on the finer points and costs and benefits of such protection (which is available free of charge).

    Whatever it is, one rule is to boot from an external drive when something like this goes wrong. In that way, your computer's drive is a slave and it can't compound whatever trouble there is. Antivirus programs normally let you create boot drives and can themselves be used as a boot drive if you bought it 'boxed', and your original PartitionMagic CD can be used as a boot drive. Chances are you are going to want something more extensive than that, but even they will let you rule out certain possibilities.

  6. #6
    Gold Lounger
    Join Date
    Oct 2007
    Location
    Johnson City, Tennessee, USA
    Posts
    3,202
    Thanks
    37
    Thanked 215 Times in 202 Posts
    Quote Originally Posted by jsachs177
    This thread concerns how to prevent the same thing from happening again. Specifically, it concerns how to back up a functioning system so that something does go wrong, I can simply blow away the affected partition and restore it. (I would not lose data by doing that, since I keep all of my data in other partitions -- about the only protective measure I took that has worked out as planned!)

    So, I've got two questions: (1) What happened? (2) How can I prevent it from happening again?
    jsachs,
    Hello... Your plan to keep your "backups" on a different partition (same Hard Drive) is a flawed one ...as you have unfortunately discovered. How to prevent that from happening again is easy ...

    1. Place your backups on a separate Hard Drive, either internal (if you have the room, and a spare port on your Motherboard) or external ..EX flash drive , DVD disks, or a Hard Drive in a docking cradle. Then Burn a recovery disk from whatever Imaging software you choose, and test it ...EX: Boot from it and see if the program "sees" the Images that you have made.

    2. "What Happened?" and don't give me any theories? You must be joking .. How could anyone give you the exact answer to the problem, without much more information? (What you're looking for is the... "Oh yes ...press F-4 when booting and all will be well"... "not-happin-in")

    3. If you want help you're going to have to try suggestions (theories) as to what might have happened. Regards Fred
    PlainFred

    None are so hopelessly enslaved as those who falsely believe they are free (J. W. Von Goethe)

  7. #7
    4 Star Lounger
    Join Date
    Mar 2002
    Location
    Sacramento, California, USA
    Posts
    509
    Thanks
    4
    Thanked 1 Time in 1 Post
    I appreciate the great interest this topic has generated. Here are responses to a variety of questions.

    Can you describe a little about the infection you encountered and the recovery process you used?
    The infection was Cloud Protection (technically a Trojan, not a virus). I tried to eliminate it first by running AVG 9, the version I had installed, with current database updates. When that didn't work I purchased a copy of Trojan Killer, which removed the infection, or claimed to. However, my system was left in a damaged state, which I was trying to repair when everything fell apart.

    The Partition Magic backups were on the same drive as the data they backed up. They should have been located on a different media that could have been independently verified as clean and intact on an isolated system. Backups that are not tested and verified are not backups at all.
    Understood -- now. When I started doing this money was very tight, and I simply couldn't afford an external drive that was big enough to use for this purpose. Now I can, and I expect to have one within a week.

    I can't understand the notion of backing up a system partition on DVDs -- not when about seven of them are needed to hold the data, as in my case. The process is too time consuming to be practical, and the media are too delicate to be safe.

    PartitionMagic is excellent but it is not compatible with Win 7...
    I'm aware of that, and finding a replacement is one of the tasks that face me. Based on reviews I'm leaning toward MiniTool, but I'm open to suggestions.

    You must be joking. How could anyone give you the exact answer to the problem, without much more information?
    Perhaps my request wasn't clear. I don't expect clairvoyance; I'd simply appreciate responses that are based on fact rather than pure speculation. As for information, I'm happy to provide anything I'm asked for, short of passwords.

  8. #8
    Lounge VIP
    Join Date
    Apr 2011
    Location
    Scotland
    Posts
    1,168
    Thanks
    44
    Thanked 134 Times in 115 Posts
    OK, fair enough. It seems that it was a classic Fake Antivirus infection.

    AVG 9 almost certainly would not be able to remove the underlying infection which is likely (without additional analysis) to be a rootkit. The infection is not easy, but by no means impossible to remove.

    I'm skeptical about the Trojan-Killer app; better to ask in places such as here in The Lounge for assistance, all of which will be offered free of any charge. Others may advise to go to other forums, but I don't buy the kind of advice that suggests people here are not qualified enough to assist in these circumstances. I suspect, as you do, that Trojan-Killer damaged the XP installation: unlikely that the scareware did the damage - its sole purpose is to scare you into paying for a "fix". It is entirely possible that Trojan-Killer may not be entirely stable (or indeed much worse - but that's for you to surmise). A quick look on Whois indicates a large number of changes to hosting and nameservers, plus a few drops. There is a contact given so that's reassuring, but the profile suggests an unstable company and hence unstable product to me.

    OK, so turning to backup. In terms of cost, a second drive can be fitted into a desktop PC for less than 40. If you configured a tool to back up your system partition, it would not need to be a large drive. Then take incremental backups of your data partition. A moot point now, but perhaps one to consider if you are going down the route of Win7. Yes, you are correct, no point in trying to back up system partitions to DVDs, just buy the hard drive and be done with it.

    For partition tools, Win7 has some built in tools that perform most tasks. However if you wanted a more developed set of tools, you could look at EASUS Partition Manager.

    I think the key thing for the future is to install a decent antivirus package (a whole lot of people will jump on the bandwagon to offer advice on that one), but I suggest to start with Microsoft Security Essentials, Avast or AVG. Stay away from the paid-for services unless you have a specific need. Add a software firewall if you feel the need, but try to make sure your broadband router / modem has a firewall too. Make sure your OS is fully patched. Update Adobe Reader and Flash Player together with Java as soon as the updates become available. And perhaps one that a lot of people overlook; run the machine from a Standard Account, not an account with Admin privileges.
    Last edited by Tinto Tech; 2011-10-25 at 17:22.

  9. #9
    4 Star Lounger
    Join Date
    Mar 2002
    Location
    Sacramento, California, USA
    Posts
    509
    Thanks
    4
    Thanked 1 Time in 1 Post
    I had just succeeded in installing AVG 12 on the XP system when it fell apart. (There were problems... leftover bits of an ancient version of Norton AV, or something like that.) I was planning to install it on Win7, but the sysadmin where I work recommended AVAST, so I'll take a look at that first.

    Running from a standard account when possible is a good idea. I never bothered to do it before, and I went ten years with only one minor infection before this disaster happened, but one disaster is enough to make a believer out of me.

  10. #10
    4 Star Lounger
    Join Date
    Aug 2011
    Posts
    460
    Thanks
    1
    Thanked 33 Times in 33 Posts
    I can't understand the notion of backing up a system partition on DVDs -- not when about seven of them are needed to hold the data, as in my case.
    If you read it again, DVD was only mentioned in conjunction with also using an external hard drive, as an extremely cheap and easy means to get a second copy off site. Most don't do that or use an additional portable hard drive or flash drive, but then you're talking more cost and the need to return that hard drive or flash drive for additional updating...no need to with DVDs, just burn off a new set and mail them out.

  11. #11
    Bronze Lounger DrWho's Avatar
    Join Date
    Dec 2009
    Location
    Central Florida
    Posts
    1,501
    Thanks
    30
    Thanked 205 Times in 163 Posts
    I've been at this 'backup your stuff' game almost 30 years now.
    I have set up backup schemes for home users, banks and corporations over the years.
    One reason that some folk's backups take up so much space is because they don't dump the junk before doing a backup.

    When I'm doing a backup on my own PC, like I did today, I first run several Batch Files that delete all the junk off of my C: drive, so that stuff never winds up in my backup. Included in that junk are all my temp files, Temp Internet Files, and other typical junk files, including old Restore Points and the Pagefile (over 4 gigs on my PC). So I wind up dumping over 5 gigs of junk, typically.

    I use Ghost 2003 or Ghost 11.5, run from a DOS boot disk, which allows me the option of doing either NO compression, FAST Compression or HIGH Compression.
    Today, after the cleanup, my FAST compressed backup files took up about 9 gigs of disk space on my backup drive. That's a 1TB drive and I can store a bunch of backups on there before I need to start making space.

    When I do a backup to DVDs, I use HIGH Compression to save space.
    It's the slowest backup, but the DVDs can be taken Off Premises for safe storage.
    The best backup is the one NOT left sitting right next to your PC.

    Now, in the original post, I believe AVG 9 was mentioned. That was a good program in its day, but that day has been past for several years and several generations of the program.
    It costs companies like AVG a lot of money to develop and release new versions of their software, but it's necessary, to fight off the latest Viruses, Trojans, Worms, Rootkits and destructive Spyware.
    So, your AV and AS software should always be up to the minute.

    Partition Magic never was designed as Backup Software, and it's totally unable to deal with Windows 7 (and now Windows 8). However, Ghost 11.5 CAN handle 7 and 8 with no problem.
    When you backup C: to D: on the same drive, watcha gonna do when that drive goes up in fire and smoke on you? Your backup of C: had better be someplace else. The possibilities are almost too numerous to even list them here.

    Cheers Mates!
    Last edited by DrWho; 2011-11-03 at 22:15.
    Experience is truly the best teacher.

    Backup! Backup! Backup! GHOST Rocks!

  12. #12
    4 Star Lounger
    Join Date
    Aug 2011
    Posts
    460
    Thanks
    1
    Thanked 33 Times in 33 Posts
    When I do a backup to DVDs, I use HIGH Compression to save space.
    It's the slowest backup, but the DVDs can be taken Off Premises for safe storage.
    The best backup is the one NOT left sitting right next to your PC.
    Thanks for having my back!
    Curious, where do you take them; seeing as Earth always seems to be threatened; off premises seems to indicate off world.

  13. #13
    5 Star Lounger
    Join Date
    Mar 2011
    Posts
    820
    Thanks
    16
    Thanked 62 Times in 57 Posts
    You mentioned MiniTool (Partition Wizard Home) and I recommend that, but I might equally recommend Easus (Partition Master Home), both of which are free. More importantly, I recommend that you browse both sites for other freebies, some of which may be helpful to you in diagnosing or recovering from hard drive corruption. You may have to invest some money (and a lot of time) if that is your problem. They have other free (for home users) utilities that are a bit more general and that you may like as well (Easus has a free backup program).
