
Is A Full System Backup Useful In Curing Malware?


8 replies to this topic

#1 ucanfixit

ucanfixit

  • Members
  • 144 posts
  • OFFLINE
  • Local time:06:12 PM

Posted 10 March 2008 - 08:07 AM

Hello all,

I noticed (in browsing your solutions) that reverting to a previous System Restore Point does not always work; however, I'm guessing that a "restore from a full system backup" might work more often. Of course, the first requirement would be to have a "known good" full backup available, but why is that question, "do you have a full backup available", not asked more often when attempting a resolution? In my opinion, the full backup/restore would work better because it offers a "total disconnect" of the registry from the infection and might leave the infected files "harmlessly resident" on the hard drive.

Now, here's my real question. Have you ever tried a full backup that did not work or at least get the user to a better point to clean up the remnants of malware? I would really appreciate you sharing your experiences in this area because I do not have any experience in malware removal because I have never had an infection on my PC.


#2 ruby1

ruby1

    a forum member


  • Members
  • 2,375 posts
  • OFFLINE
  • Local time:10:12 PM

Posted 10 March 2008 - 01:54 PM

correct me if I am wrong, but are you confusing the System Restore facility with the full system backup of what, say, Norton Ghost or Acronis True Image can do?

also, when infected, it is surely best to have a System Restore point available, even if it IS infected, than to have none available at all if things go pear-shaped and skew-whiff when trying fixes etc.

Acronis True Image, as I understand it (but have NEVER used it), is a snapshot of your system (contained on a CD, I believe) that can be applied TO the system if necessary after nasties have struck, to rebuild the system for you;

also, with System Restore, it is well-known that nasties like to hide IN it to keep themselves alive and kicking to reinfect you; this is one reason why the System Restore has to be 'cleared out' at SOME point when cleaning a comp from infection, and one will be advised to turn OFF System Restore, reboot and turn restore back ON; unfortunately you thus lose ALL your restore points BUT you hopefully GAIN a cleaned computer and a cleaned System Restore too

does this kinda give you food for thought or make you confuuuused

#3 ucanfixit

ucanfixit
  • Topic Starter

  • Members
  • 144 posts
  • OFFLINE
  • Local time:06:12 PM

Posted 10 March 2008 - 02:14 PM

Hello ruby1,

I am referring to a full system backup that can be completed and stored on an external hard drive; for example, using a program like the Microsoft Backup utility for Windows, which is included on every XP disc and available for subsequent installation. I have personally opted to use a full backup as an emergency restoral method and I have totally disabled the XP System Restore function in favor of a full backup instead.

Also, I fully understand your reply and I appreciate your elaboration on the pros and cons of the system restore capabilities. I also appreciate your honesty when you implied that you (personally, I assume) never tried using/restoring a full backup as a malware corrective action. So, if anyone has tried this method, I would like to hear how they made out and how the full backup/restoral compares with other methodologies that are more commonly used.

Again, thank you for your detailed response.

#4 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,301 posts
  • OFFLINE
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:03:12 PM

Posted 10 March 2008 - 04:06 PM

MSBACKUP cannot back your whole system up. MSBACKUP can only back up files or folders, but not the entire operating system. So if MSBACKUP is all you're using, use it on your personal data; don't worry about Program Files, Windows, or anything else on the root of the C drive. Generally, backing up the "Documents and Settings" folder will do ya fine.

If, on the other hand, you want a full (bare metal) backup and restore package, you need a program such as Acronis True Image or Norton Ghost or DriveImage XML.

I like True Image, as it has features that the other 2 lack, which are useful for malware problems. Mainly, you can go to one of your backups, and instead of restoring the entire system to that point, you can simply mount the backup as a drive letter, and get read/write access to it.

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#5 ucanfixit

ucanfixit
  • Topic Starter

  • Members
  • 144 posts
  • OFFLINE
  • Local time:06:12 PM

Posted 10 March 2008 - 06:21 PM

Hello Billy O'Neil,

First, I strongly disagree with your opinion that Microsoft Backup cannot back up your whole system, because it most certainly can do that without question. See here: http://www.microsoft.com/windowsxp/using/s...t_03july14.mspx
In fact, the "backup everything on my computer" option is quite comprehensive and not only includes all files and folders, but all programs and associated registry entries, plus the current system state as well. Moreover, if you are running XP Pro, you also have the option to create a recovery floppy disk that can be used in the event of a major failure. The only thing that you can't do with the XP Home version is create the recovery from floppy. And finally, in my opinion, there is nothing that works faster or better than this program. Even if I encountered a situation where my OS was so corrupted that I couldn't boot, I would simply do a quick HD format, a basic OS install, and then a backup reinstall from my external hard drive. All of this can be completed in less than 40 minutes on my PC (I've done this many times) and I would be done much more quickly than any backup program trying to load on boot from a CD, DVD, or tape drive (I did use a tape drive a few years back but it took hours to do a full system restore).

So again, thank you for your opinion but that was not the intent of my original post. As I am far from a beginner, there are still things to be learned and explored and one of the things that I never had a chance to participate in was the removal of malware using a full backup recovery as a tool; simply because I was never infected.

However, you did include a single sentence that has satisfied my curiosity about the potential usefulness of a Backup Utility in resolving malware issues and that was "Mainly, you can go to one of your backups, and instead of restoring the entire system to that point, you can simply mount the backup as a drive letter, and get read/write access to it." And, since the Microsoft Backup file can be mounted and selectively restored, then you have answered my question.

Thanks to all for answering my question.

#6 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,301 posts
  • OFFLINE
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:03:12 PM

Posted 10 March 2008 - 08:58 PM

But it cannot restore the operating system itself. (That feature was added in Windows Vista's version, and is called Complete PC Backup.) Windows XP's version cannot do that. It will store your data, yes, but your applications, etc. will have to be manually reinstalled. It can copy all of the files from one volume to another, but it does not back up the boot sector or the partition table, nor does it back up any files that are in use when it is running. Vista's version uses Volume Shadow Copy to accomplish the backup operation on locked files, and is able to back up the MBR, boot sector, and partition table, etc.

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)

#7 ucanfixit

ucanfixit
  • Topic Starter

  • Members
  • 144 posts
  • OFFLINE
  • Local time:06:12 PM

Posted 10 March 2008 - 09:59 PM

You are absolutely incorrect in your assumption that the applications will have to be reinstalled. I have done a full restore so many times that I don't have enough fingers and toes (counted five times each) and I have never, ever had to reinstall a program. And, the reason I have done so many reinstalls is that I like to restore my system to pre-alpha and pre-beta testing condition. This is really simple to verify. Just do a backup of an XP PC, wipe the hard drive clean, do a base install of the OS, and then restore from backup. No further action will be required and all programs (and everything else) will work exactly as it did before you wiped your hard drive clean. Now, if you are trying to base your conclusions on some Microsoft technicality, then I have no interest in that. So maybe Vista does a full image restore and the lowly XP version does it in pieces but who cares if the results are the same? Oh, and one more thing it also restores all the XP updates so it has to be doing the system as well if you use the "overwrite all files" option. Now, we can dispute this all day but until you try to duplicate what I do routinely with success, and you get different results, then we'll just keep going back and forth at a stalemate, so why don't you give it a try on a spare PC? Although I may not have any experience in malware removal (as previously stated), I do have a fair amount of knowledge when it comes to XP functionality so I would really appreciate your efforts to prove me wrong...

Edited by ucanfixit, 10 March 2008 - 09:59 PM.


#8 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer


  • Malware Response Team
  • 12,301 posts
  • OFFLINE
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:03:12 PM

Posted 10 March 2008 - 10:40 PM

True, but you are implying reinstalling a base version of the OS for the restore, which was my main point.

And now I want to kick myself: http://en.wikipedia.org/wiki/Ntbackup

Oh well... looks like they added Volume Shadow Copy earlier than I thought.

In the past I have had issues with that particular tool not restoring the registry correctly, and causing crash and burn of the resultant system. I'm glad that you can get the damn thing to work correctly. It also (because of aforementioned reasons) cannot help you if you have a boot sector or MBR virus, but for most everything else it's good.

It is also worth noting that if you have a windows file that is corrupted, usually this run command will fix it:
sfc /scannow
that should be easier than manually digging out from your backups.

Oh well, good luck.

Billy3
Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
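The thread's recurring point is that a restore from a known-good backup does not by itself tell you which files an infection added or altered, and that remnants may still sit "harmlessly resident" on the disk afterwards. One defender-side way to answer that is to hash every file in the known-good backup, hash the restored system, and diff the two manifests. The following Python script is an added example and is not code from this thread, from BleepingComputer, or from any backup product; the two directory trees it compares are constructed in a temporary folder purely to show the technique, and the file names inside them are illustrative.

```python
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Walk `root` and return {relative_path: sha256 hexdigest} for every regular file.
    Streaming reads keep memory flat on large files such as backup images."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            manifest[path.relative_to(root).as_posix()] = digest.hexdigest()
    return manifest


def compare_manifests(baseline, current):
    """Diff a restored tree against the known-good baseline.
    'added' files are the ones a backup restore would not have removed;
    'modified' files differ in content even though the path existed before."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(p for p in base_keys & cur_keys if baseline[p] != current[p]),
    }


def _write(root, rel, data):
    """Helper for the constructed sample trees below."""
    p = Path(root) / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_bytes(data)


def demo():
    """Constructed sample (not real system data): a known-good backup tree and a
    restored tree that differs in exactly three files. Returns the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        good = Path(tmp) / "known_good_backup"
        restored = Path(tmp) / "restored_system"
        for root in (good, restored):
            _write(root, "Windows/System32/kernel32.dll", b"kernel32 placeholder bytes")
            _write(root, "Windows/System32/drivers/etc/hosts", b"127.0.0.1 localhost\n")
            _write(root, "Documents and Settings/user/notes.txt", b"hello")
        # Differences present only on the restored system:
        _write(restored, "Windows/System32/drivers/etc/hosts", b"127.0.0.1 localhost\n# extra line\n")
        _write(restored, "Windows/System32/unknown_extra.dll", b"file not in the baseline")
        (restored / "Documents and Settings/user/notes.txt").unlink()
        return compare_manifests(build_manifest(good), build_manifest(restored))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice you would point `build_manifest` at the mounted backup (the drive-letter mount described earlier in the thread) and at the live volume, save the baseline manifest somewhere the infected machine cannot write to, and treat the "added" and "modified" lists as the starting point for a targeted clean-up rather than a verdict on their own.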

#9 ucanfixit

ucanfixit
  • Topic Starter

  • Members
  • 144 posts
  • OFFLINE
  • Local time:06:12 PM

Posted 10 March 2008 - 10:54 PM

Hello Billy O'Neal,

Thank you for your candid response, and as far as XP goes, I can get myself out of any situation because I have prepared for the worst; however, the one area that I was interested in exploring further was malware infestations, so if I ever contract an infestation, I'll look you up because I want to see how long it takes to clear my PC the way most others do it.

Respectfully,

ucanfixit
