Despite having Norton Anti-Virus running, with live update and all definitions up to date, I have this year been zapped twice by computer viruses. I’m writing this to alert you to the dangers of placing complete faith in anti virus protection, and to the need for HDD backups. Most people do not have adequate backups of their systems.
I run a dual disk setup with WMe and Aces High plus all my big downloads on one HDD, and W2000 Pro with everything else on my other HDD. I alternate between the two by varying the boot sequence settings in the BIOS.
First virus – a really evil one
Started up my computer one morning, and got a DOSsy looking screen with the message “DISK BOOT FAILURE – INSERT SYSTEM DISK”. I thought it might be something simple, like the IDE plug having come out. No such luck. I tried booting from my other HDD, and couldn’t do that either. So I tried booting up from a WMe diskette. Would you know it – the virus trashed the diskette. At that time, I didn’t know I was dealing with a virus. Luckily, I had a spare WMe boot diskette, and set the write protect tab to protect its contents. When booting up, I could hear the read/write heads of the HDD moving, and it seemed to be trying to write to the diskette. After about 30 seconds it gave up, and I was able to complete the boot.
Horror of horrors, my W2000 disk was porked. I could not access any files on it, and although I recognised a few folder names, I could not access the data. I had hoped that the other HDD would be all right, but that was porked too, but not as badly as the other one. I was even able to reinstall WMe and I think I ran AH, but things were not right. By this time, I had realised that I would need to disconnect the porked W2000 drive, as the virus was preventing me from doing anything, and had taken control of my system. I knew I had a disk image backup (PowerQuest Drive Image 2002) of my W2000 HDD on the WMe HDD, and also had my email backed up to that HDD. But then a pattern emerged. I could open directories immediately below the root directory and even the files inside them. But any files in subdirectories were inaccessible due to what turned out to be directory structure porkage. As for the W2000 HDD, I could do nothing with it. I could not even reformat it – the virus prevented that. I even tried to boot from the diskette and then run FDISK to delete the DOS partition – but to do that, you have to type in the volume serial number which must match with the VSN stored on the drive. The virus had porked this, and converted it to a string of untypeable characters.
I could see no way forward but to buy a new HDD – a 60GB Maxtor. And I dare not reconnect that old W2000 disk again with any other drive present. I installed W2000 Pro on the new Maxtor and began the long job of reinstalling my software apps – these I had backed up onto CDs. With MS Outlook installed, I was able to reimport my email from a .PST backup that I had installed on my Aces High drive. That restoration worked perfectly, so now I had all my email back – well almost all; the .PST file was two weeks old, so I lost the last 2 weeks of email.
Also on CD was a backup of my personal and business data, but doh! I’d been rather remiss and my latest copy was already 5 months old. I needed to restore from that PowerQuest drive image. With my new system working again, I needed work space, so bought another Maxtor HDD. By that time, the shop had identified the virus as the OpaServ-L boot sector virus/BSV. Very nasty.
I tried restoring the backed up W2000 partition to the new drive, and the process seemed to alternate between telling me that the backup image file was porked, and that the process had run successfully when in fact it hadn’t. I tried browsing the directory folders containing the drive image backup. More bad news. This was when I discovered that the directory structure was porked, and whenever Windows got anywhere near the suspect directories, all the files within them were converted to 32K .TXT file stubs.
I was beginning to despair when Tomato came to the rescue with some recovery software which works by reading the disk without reading and relying upon the directories and directory structure. So began the long task of recovering my W2000 partition to the second new HDD I had bought. It took hours and hours – but it worked! Now I had a valid drive image recovery file.
I was then able to reformat what had been my AH HDD, and recover my data from the recovered image file – I know, it gets complicated. After putting all the data back in its proper place on my W2000 drive (the first new Maxtor HDD) I was all set. All that remained was to reformat the other Maxtor and then restore Aces High. I lost a screenshot of me landing 13 kills in a F4U-1C – I guess everything comes at a price...
I changed my backup/recovery strategy.
I now had my old IBM Deskstar as a spare HDD – the WMe/AH one. So now I use that for backup purposes, and back up the other two drives to it using Drive Image 2002. It means a bit of recabling every time I do it, but my case is latched – I don’t bother with the screws, so access is easy. The day might come when DVD backups are the way to go, but right now a DVD burner costs £300, and a 60MB HDD about £90.
Second Virus – not nearly as bad as the first
I had gone out and bought Norton Anti Virus 2003 in the hope of booting from the CD and fixing the original problem. That had not worked, but at least I now had the latest version of NAV with all definitions up to date, and live update running in the background. All email is automatically screened. Then I began getting messages saying that NAV had detected and removed the Backdoor.Fluxay virus – originating from China. But this was a lie. The virus had got in and porked some of my files and deleted others. This virus is one that guesses your W2000 password. As the only user of my PC, I didn’t even have a password. Hehe, I do now! The virus had porked about 10 files. There came a point when I could not connect to the internet – my ADSL dialup had been deleted from my network and dialup connections. I tried reinstalling from the CD distributed by my ISP, but it was no good. One of the system files had been deleted – got an error gong on boot up every time, and clearly the intention of this virus had been to stop me going online. The virus does not affect WMe, so I was able to boot from the other drive and go online to do the necessary research.
After a few calls to my ISP, we agreed that the only way to get out of this was to reinstall W2000 – but that would have meant recustomising all my settings, and who knows if the virus might have some means of thwarting OS reinstall. Time to put my Drive Image recovery scenario to the test. I backed up my email to a .PST file, and put it and other data which had changed since April 6 onto a CD, April 6 being the date the drive image copy was made. The virus had not made its appearance till April 16, so I knew I would be free of it by restoring the drive image. It worked, and after reimporting the .PST I had all my email back, and then I replaced my recent data from the CD. I came away from this second attack unscathed!
Back up your drive(s)!
The backup strategy I now have in place works perfectly. The old IBM Deskstar sits in the rack disconnected most of the time, and is only used during backups. I hope I won’t need it for recovery again, but you never know. This way is definitely better than having to reinstall OS, reinstall software, and then spend irritating moments recustomising all the personal settings.
So, a happy ending to a nerve wracking story! I think I was very fortunate that the only data I lost was two weeks worth of Outlook activity, and a few AH screenshots. Only one question remains: Is there anything I can do with that porked HDD – the one with the virus on it? It has been on a shelf in an antistatic bag for the last three months. Not even IBM’s own utility program can do anything with it.
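The post's hardest lesson is that the restore tool reported success on an image that was actually damaged, and that files in subdirectories were silently turned into 32K stubs. An independent integrity check catches both. The following is an added example, not code from the original post or from Drive Image: it records a SHA-256 manifest of a backup tree when the backup is made and later verifies the copy against it, reporting missing, altered or unexpected files. The directory layout and the 32 KB stub in demo() are constructed for illustration.

```python
"""Record and verify a SHA-256 manifest of a backup tree (added example)."""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large backup images do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> (size, sha256) for every file under root."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = (os.path.getsize(full), sha256_file(full))
    return manifest


def verify(root, manifest):
    """Compare the tree under root with a saved manifest; return sorted (path, problem) pairs."""
    current = build_manifest(root)
    problems = []
    for rel, (size, digest) in manifest.items():
        if rel not in current:
            problems.append((rel, "missing"))
        elif current[rel] != (size, digest):
            problems.append((rel, "changed: size %d -> %d" % (size, current[rel][0])))
    for rel in current:
        if rel not in manifest:
            problems.append((rel, "unexpected extra file"))
    return sorted(problems)


def demo():
    """Constructed scenario: a clean backup, then a subdirectory file replaced by a 32 KB stub."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "docs", "sub"))
        with open(os.path.join(root, "docs", "readme.txt"), "wb") as f:
            f.write(b"hello")
        deep = os.path.join(root, "docs", "sub", "report.doc")
        with open(deep, "wb") as f:
            f.write(b"real report contents")
        manifest = build_manifest(root)      # taken at backup time
        clean = verify(root, manifest)       # untouched copy: no problems
        with open(deep, "wb") as f:          # simulate the stub corruption
            f.write(b"\0" * 32768)
        return clean, verify(root, manifest)
```

Keep the manifest on a different medium from the backup itself, since a manifest stored alongside a damaged image can be damaged with it.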