Can a virus reinfect your PC even if you do an Acronis restore from a clean image while in...


Can a virus reinfect your PC even if you do an Acronis restore?

I suppose there are two answers:  a theoretical and practical, the
latter being something you've actually seen or heard about. Please
feel free to share both.

I am more concerned with practical answers.  Assuming somehow a virus
can jump (or stay) on your HD even after you do an Acronis or Symantec
Ghost image restore onto your HD, from a clean, virus free image,
while under Windows 7 (that is, you do the restore while running
Acronis from inside of Windows 7), how do you prevent this?  Boot from
the CD before doing the restore?

RL

Re: Can a virus reinfect your PC even if you do an Acronis restore from a clean image while inside Windows?

Use Macrium Reflect.


RayLopez99 <raylopez88 gmail.com> wrote:

[quoted text omitted]


Re: Can a virus reinfect your PC even if you do an Acronis restore from a clean image while inside Windows?

On 8/16/2011 1:07 AM, John Doe wrote:
[quoted text omitted]

Macrium's good, but any decent backup/image app that also has a bootable
media option should do just fine in this situation.


Re: Can a virus reinfect your PC even if you do an Acronis restore from a clean image while inside Windows?

wrote:
[quoted text omitted]

Thanks for your opinion Nobody.

One problem with your suggestion:  the malware in question does not
allow (when it is active--it's weird malware that is either on or off,
and sometimes often off for days) you to view your hard discs when
booting from the Acronis Bootable Disc.  That is--and it's possible
that my Acronis disc was improperly made (I'll double check)--when I
boot from Acronis bootable recovery disc no hard discs are seen and
nothing can be done (I've not plugged in an external USB hard drive,
I'll have to test that next time the malware is "on").  But fear not:
I have a solution (I'm still trying to catch this virus--if it's a
virus, and BTW I suspect it's a rogue program that I downloaded and
not a virus) if I was to do a reboot:  that solution is exactly the
same as yours ("If I suspect any malware like that, I delete at least
the active partitions on the target drive before restoring the
image"), but I thought of it independently that's why I say it's
mine! :-)

BTW, a great program to catch malware and rogue programs (and it
caught this problem, and since the removal of a rogue program
identified by the program the problem has not reoccurred--hence I'm
putting off restoring from an old, clean drive image until--if and
when--the problem reappears) is this one: Hitman Pro 3.5.  This
program is so good, I might actually buy it.

RL

Re: Can a virus reinfect your PC even if you do an Acronis restore from a clean image while inside Windows?


[quoted text omitted]

I spoke too soon.  While I like Hitman Pro 3.5--it's very aggressive
in labeling stuff malware which I like since it forces you to think
whether you really use the program and wish to keep it--the program
that Hitman identified as malware and which I removed from my system
did not stop the 'virus' (if it's a virus; it might be some hardware
acting up or some software driver acting badly).

RL

Re: Can a virus reinfect your PC even if you do an Acronis restore from a clean image while inside Windows?

[quoted text omitted]

That's malware and does not work.  Paragon or Acronis (cracked copy
from Piratebay.org) are the way to go.

RL

Re: Can a virus reinfect your PC even if you do an Acronis restore from a clean image while inside Windows?


[quoted text omitted]

Malware that resides in the MBR such as Mebroot and TDL4 are trojans and
thus can't readily re-infect anything.  One must run the installer to
re-infect the MBR and reinsert the loading points.

Restoring an image via externally booted media negates any problems or
reinfection.  That is assuming there is no other external media that is
infected and, when inserted into the now clean computer, re-infects said
computer.



--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp



Re: Can a virus reinfect your PC even if you do an Acronis restore from a clean image while inside Windows?

wrote:

[quoted text omitted]

OK, I think I see where this is going.  The old trojan vs virus
distinction you are fond of.  The installer must be what loaded the
trojan into the MBR, and presumably the installer is not a virus that
replicates by itself but needs a human to install it, as in a rogue
software package.

[quoted text omitted]

That seems to be contrary to what FromTheRafters wrote, from my
reading of his post, but I'll let you and him decide that, if you
want.

[quoted text omitted]

OK, now you change it. So the issue is:  can malware/badware/virus-ware
infect a USB HD?  And if so, the minute you insert your USB HD
that you keep the "clean" Acronis disc image into your infected PC,
you will infect this USB HD and therefore, infect your "clean" HD
image, even if you were to boot to a CD then try loading Acronis?
Unless I'm being too paranoid.

So if the preceding paragraph I wrote is correct, the only way to not
infect your backup HD that keeps the Acronis disc images (snapshots)
or Ghost equivalent, if this hypothetical malware/badware/virus-ware
exists, is to make the backup HD "read only" after writing a clean
disc snapshot to it (there must be such a way), or, burn the clean HD
image to DVD (Blu-ray?  any other way would take 100 discs or more)
and make these DVDs 'read only' after burning them?  Probably however
this hypothetical malware that I posit does not in fact exist in the
wild yet, but is just a theoretical construct.

RL

Re: Can a virus reinfect your PC even if you do an Acronis restore from a clean image while inside Windows?

RayLopez99 wrote:
[quoted text omitted]

It matters. Your subject line asks about a virus. There are things a
virus can do that other malware can't, and things that other malware can
do that a virus can't. This persistence vs. reinfection scenario within
the MBR is one of them.

[quoted text omitted]

Something like that. The human aspect is not a differentiating factor
between the trojan and the virus - both may require a human choosing to
execute a program. It is the 'true worm' that leaves the human out of
the loop.

[quoted text omitted]

I think he's talking about reinfection and the part of my post you refer
to is about persistence. Plus, I don't think Mr. Lipman is into the
theoretical stuff, but he knows the real-world stuff.

[quoted text omitted]

It's hard when you lump them all together like that, but -yes, a USB HD
containing the image file can be infected by an infected computer. If it
is infected by an autorun/autoplay worm, it won't be "infecting" any
programs or program files on the disk - so your image will still be good
and so will any other program files stored on that disk (like the image
restoring program). You won't suffer any ill effects from that new
infection until you attach that USB HD to another computer and *it* runs
the malware program.

If it is infected with a true virus, your restoring program may well be
infected and you shouldn't execute it (the image file should still be okay).

However, proceeding to load that good image onto a disk from an
environment that may be tainted is not a good idea. Boot from a known
clean drive, and navigate to the image restoring program, execute it
(unless it is a virus we are talking about), and choose the image to
restore (preferably from a non-infected drive, or from an environment
perhaps Linux or a Windows environment with autoplay turned off) that
doesn't support the autorun/autoplay worm's method.

If it is a virus we are talking about, you should boot with a known
clean boot device, and execute a known clean image restoring program,
and choose the image file (which should *still* be okay if as above).

IMO the best way to restore an image is to have the image restoring
program on a read only disc (cd/dvd) and the image file that you want to
restore from on a known clean drive.

[...]

Re: Can a virus reinfect your PC even if you do an Acronis restore from a clean image while inside Windows?


[quoted text omitted]


OK--so for a true virus the protocol is this:  use DBAN to wipe the
infected PC HD 100% clean (reformat it).  Install Windows 7. Install
an AV program.  Then install Acronis (clean, from the installation
discs for Acronis). *Scan the USB drive using the AV program, remove
any viruses on the USB drive*. Then, on this clean PC, install, using
Acronis, from the (perhaps tainted but now clean) USB Drive the
original 'clean' HD image file.  Correct me if I'm wrong.  This
protocol should also work for malware.

[quoted text omitted]

I just checked--and thanks for the reminder--Windows 7 has a helpful
menu for autoplay and I've made sure (as was the case before) that
"Ask me before..." is checked. So I have and had AutoPlay turned OFF.

[quoted text omitted]

A known clean USB drive?  That would mean, to modify my protocol
above, that before running Acronis on the DBAN-nuked clean PC, you
should make sure your AV program scans the USB.  I've added this step
above.

Thanks for your help.

RL

Re: Can a virus reinfect your PC even if you do an Acronis restore from a clean image while inside Windows?

RayLopez99 wrote:
[quoted text omitted]

That sounds about right, but installing Windows 7 just so that you can
scan the media that the image is stored on seems a little over the top.

As long as autorun/autoplay is not enabled, just accessing the drive so
that you can restore the image that is stored there will not infect the
machine. The image is a data file and won't be infected by a virus, and
the autorun.inf file is the only vector for that type of worm.

If you want to use a USB enclosure for a harddrive to house your
toolkit, you could encrypt the executables so that they can't get
infected by a true virus (they then become data files to be consumed by
the decrypting program, and as such are not infectable). You could then
include the decrypting program on the read-only CD or DVD. If the drive
only has data files, you don't have to worry about file viruses.

[...]
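
An added example, not part of the original post: a check that can be run from a clean boot environment to see whether the backup drive carries an autorun.inf and what it would launch, reading the file purely as data. The sample file contents and the function names are constructed for illustration.

```python
import os

LAUNCH_KEYS = ("open", "shellexecute")

# Constructed sample, not taken from any real drive.
SAMPLE = """; constructed sample
[AutoRun]
icon=folder.ico
open=tool.exe
shell\\explore\\command = tool.exe /e
[other]
open=ignored.exe
"""

def autorun_commands(text):
    """Return (key, command) pairs in the [autorun] section that start a program."""
    found, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        if line.startswith("["):
            in_section = line.lower().startswith("[autorun]")
            continue
        if in_section and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            k = key.lower()
            if k in LAUNCH_KEYS or (k.startswith("shell\\") and k.endswith("\\command")):
                found.append((k, value))
    return found

def check_drive_root(root):
    """Find autorun.inf (any letter case) in the drive root and list its launch entries."""
    for name in os.listdir(root):
        path = os.path.join(root, name)
        if name.lower() == "autorun.inf" and os.path.isfile(path):
            # Tolerate junk bytes: the file is only parsed, never executed.
            with open(path, "r", errors="replace") as fh:
                return autorun_commands(fh.read())
    return []

if __name__ == "__main__":
    for key, cmd in autorun_commands(SAMPLE):
        print(f"{key} -> {cmd}")
```

An empty result means no launch entry was found in the drive root; it says nothing about whether executables stored on the drive have been modified.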

Re: Can a virus reinfect your PC even if you do an Acronis restore from a clean image while inside Windows?

RayLopez99 wrote:
[quoted text omitted]

If you are talking about a clean image being written to disk, then no
*virus* will be able to be persistent.

Theoretical - it is possible now I believe. The one thing preventing it
in the past was that there wasn't enough room in firmware to put the
entire virus. Code from the firmware had to be displaced to somewhere on
the harddrive to make the virus work. Removing (overwriting) the
displaced code would make the virus not work, resulting in a case of
corruption rather than a viral infection.

[quoted text omitted]

Aside from the *virus*, it now seems possible (though unlikely) that
malware can reside in firmware and be persistent even when the harddrive
is outright replaced.

(if lojack for laptops can be persistent in this manner, so can malware)

There's no current malware doing this to the best of my knowledge.

[quoted text omitted]

Yes, IMO you shouldn't restore an image from a possibly tainted
environment. I think you run the risk of having the fresh image tainted
if you do, though I haven't heard of this actually happening.


Re: Can a virus reinfect your PC even if you do an Acronis restore from a clean image while inside Windows?

[quoted text omitted]

if i take your question literally then the answer is obviously yes.
there is nothing that would stop a virus from *reinfecting* the system
after it's removed, regardless of how it's removed. if you are exposed
to the infection vector a second time then you can expect to become
infected a second time. it would be absurd to think that just because
you removed it once your system became magically immune to it upon
subsequent exposures.

but i don't think that's what you really meant to ask.

[quoted text omitted]

if you're concerned about malware persisting then make sure you're
restoring the entire disk, not just the drives, or you'll miss
sections of the disk that are outside the scope of C: drive, D: drive,
E: drive, etc.

if you're concerned about the malware coming back then make sure you
don't come into contact with it again - make sure you eliminate it
from all removable media in your possession, make sure you remove it
from all removable media that comes into your possession, make sure
drive-by downloads can't happen anymore, etc. as you can imagine this
is verging on the realm of impossible. there really isn't any way to
guarantee with 100% assurance that some arbitrary piece of malware
won't be encountered a second time after you cleaned it off the first
time. there may well be steps you can take for specific cases, mind
you, but those involve knowing how the malware infested your system in
the first place and taking steps to prevent that particular entry
point from being usable in the future.
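
An added example, not part of the original post: it reads an MBR partition table and lists the sector ranges that no partition covers, which are the areas a per-drive restore leaves untouched and a whole-disk restore overwrites. It assumes an MBR-partitioned disk; the sample boot sector, the disk size and the function names are constructed for illustration.

```python
import struct

SECTOR = 512

def parse_mbr(sector0):
    """Return sorted (start_lba, sector_count, type) for used primary entries."""
    if len(sector0) < SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("sector 0 has no MBR boot signature")
    parts = []
    for i in range(4):                      # four 16-byte entries at offset 446
        off = 446 + 16 * i
        ptype = sector0[off + 4]
        start, count = struct.unpack_from("<II", sector0, off + 8)
        if ptype != 0 and count > 0:
            parts.append((start, count, ptype))
    return sorted(parts)

def uncovered_ranges(parts, total_sectors):
    """Inclusive (first, last) sector ranges that belong to no partition."""
    gaps, cursor = [], 0
    for start, count, _ in parts:
        if start > cursor:
            gaps.append((cursor, start - 1))
        cursor = max(cursor, start + count)
    if cursor < total_sectors:
        gaps.append((cursor, total_sectors - 1))
    return gaps

def build_sample_mbr():
    """Constructed sample, not from the thread: two NTFS (0x07) partitions."""
    mbr = bytearray(SECTOR)
    for i, (start, count) in enumerate([(2048, 204800), (206848, 1000000)]):
        struct.pack_into("<B3sB3sII", mbr, 446 + 16 * i,
                         0x80 if i == 0 else 0, b"", 0x07, b"", start, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

if __name__ == "__main__":
    TOTAL = 1208896                         # constructed disk size in sectors
    for first, last in uncovered_ranges(parse_mbr(build_sample_mbr()), TOTAL):
        print(f"sectors {first}-{last} are outside every partition")
```

On the sample, the first uncovered range starts at sector 0, which holds the MBR itself, and runs up to the first partition.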

Re: Can a virus reinfect your PC even if you do an Acronis restore from a clean image while inside Windows?

On 08/16/2011 03:27 AM, RayLopez99 wrote:
[quoted text omitted]


Known troll ... don't waste your time people.

John

Re: Can a virus reinfect your PC even if you do an Acronis restore from a clean image while inside Windows?


[quoted text omitted]

Projection noted.  Azz whole.

RL
