Question : Problem: Can't boot or retrieve files - oddball Norton GoBack 4.0 problem suspected

This one's complicated. Bear with me.

The family computer (I have a separate computer at home for work) is a Pentium IV-3GHz, 1GB RAM, 120GB HD, Windows XP Pro (PowerSpec model 9340). It contains the (large) family photo archive, music collection (also large), the kids' schoolwork, and the family checkbook. The kids use it to play online games, and over time operation had become erratic - the system locked up during gameplay, etc. I suspected malware and decided I'd offload all the data, reload the original files using the "emergency recovery" CDs that came with the system, then reload the files. That done, I installed Norton GoBack 4.0 ("GB"), thinking that if problems arose in the future, I'd simply revert to an earlier system state.

GB never worked right. In early January 2006 I tried to disable GB by pressing the spacebar during the GB splash screen on bootup. Something went wrong; after that the system wouldn't boot. During boot, GB would display a message saying the system was unstable (or something like that) and that it was restarting, a process that would repeat indefinitely. If I tried pressing the spacebar to disable GB, I'd get a message saying GB was already disabled. Frustrated, I decided I'd start all over again, reloading the the original files using the emergency recovery disks. This time I didn't load GB. However - important point - I also didn't precede all this by wiping the drive or using FDISK /mbr to reload the master boot record, which I now believe was a significant omission.

Anyway, the computer worked fine and was in regular use for most of 2006. I installed a second HD, thinking I might use it for backup, but never got around to actually doing this. Then last August my work computer's D drive ("work-D") died. While attempting to diagnose the problem I swapped work-D with the D drive on the family computer ("family-D"). To my surprise, the family computer would no longer boot, even though I'd done nothing to the bootable C drive ("family-C"). A splash screen would flash past, then I'd get a message saying "reboot and select proper boot device." I reinstalled family-D in its original location. That didn't help at first, but after a couple of restarts the system booted and everything seemed back to normal.

OK, I know now I should have realized the system was flaky and backed up all my data. I didn't do that. I know, I know, I'm an idiot.

The crashed work-D drive turned out to have mechanical problems and a data recovery firm after several attempts pronounced the data unrecoverable. Determined not to let this happen again, I bought a new work computer with dual HDs and RAID capability on the motherboard, and set up disk mirroring (RAID 1). This was easy, so I decided I'd do the same thing on the family computer. RAID capability wasn't built in, so I installed a RAID controller card, hooked up the cables from the family-C and family-D drives, booted the computer, got into the RAID BIOS, and proceeded to replicate family-C to the (previously empty) family-D. This concluded uneventfully, but afterward the system wouldn't boot. Instead something flashed past and I got the message "reboot and select proper boot device." I removed the RAID controller card and hooked up family-C and family-D the way they'd been pre-RAID. Same result, "reboot and select..." Looking more closely at the screen flashing past during boot, I was startled to realize it was the GB splash screen, telling me I should press spacebar to disable GB. Pressing spacebar produced no result, only the "reboot-and-select" message.

Realizing that GB (or a subset thereof) had somehow remained installed on family-C despite my reinstalling the original files from the recovery CD, I bought a new HD, installed Windows, then hooked up family-C as a slave. Family-C was accessible but there were no files on it other than (I think) an empty "TMP" directory. Using Recover My Files from getdata.com, I was able to extract thousands of files from family-C, but without the original filenames or folders. Not wishing to go through each file individually, I sent the disk to a data recovery firm. They were able to recover thousands of files, complete with filenames and folders. However - key point - no files later than December 2005. Instead, they found an 8GB file called GOBACKIO.BIN dated 12/14/05, the approximate date of the original GB install.

So that's where we are. To summarize:

1. Family-C is physically intact and data can be recovered from it, just nothing later than December 2005. Please understand that up till my unfortunate experiment with the RAID card a few weeks ago, the family computer was in regular use and all recent files were available. I'm pretty sure they're still there but GB has disguised them.

2. Whatever the "emergency recovery" CDs did, they didn't wipe family-C clean, since the pre-12/05 files are still there, as is GOBACKIO.BIN.

3. The only thing I have done to family-C is duplicate it to family-D while attempting to install the RAID card. I don't think this destroyed any data on family-C. I did not attempt to reinstall GB on it or mess with the master boot record. I did trying installing GB on my new drive and hooking up family-C as a slave, but could find no data.

4. All I did to stop family-C from working in the first place was mess around with family-D. I deduce from this that GB won't let the system boot if it detects any change to the hardware configuration. I was able to restore the original hardware configuration the first time GB acted up, but not the second time. I halfway believe if I could put things back exactly as they were pre-RAID, I could get family-C to boot, although repeated attempts to do that have failed.

5. GoBack apparently is resident on family-C, certainly in the form of GOBACKIO.BIN, probably also in the master boot record, and maybe elsewhere. The data recovery firm found a "Norton GoBack" directory under "Program Files"; this includes various executable files. You'd think a fresh install from the recovery disks would have rendered these files inoperable but maybe not.

6. I have been in touch with several people at Symantec customer support but they are baffled by my problem and do not seem to have a good grasp of how GB works (probably not surprisingly, since I understand the product was originally developed by another company).

So: how can I retrieve my critical files? I have found some online advice about using a bootable Win98 disk with gb_prog.exe loaded on it, and using that to rehook GB into the MBR. However, (a) this advice refers to earlier versions of GB than the one I have (4.0), and (b) my problem is so wacky, with GoBack apparently operational even though it's not officially installed, that I have low confidence rehooking GB will work. I'm also reluctant to do anything that involves writing to family-C for fear I'll hose things once and for all.

While we're on the subject, can anybody explain to me how GB works, and why my files are invisible? Does GB stash files in binary form in GOBACKIO.BIN? (Symantec tech support says no, but can't say where the files are.) Info online suggests GOBACKIO is where GB stores "snapshots" of the system at various points, but it's not clear why you'd need 8GB for that.

Any help greatly appreciated. At the moment family-C is at the data recovery firm; I can get it back in a couple days. I do have in my possession all the recovered files, including GOBACKIO.BIN, on DVD. Before proceeding I'd ideally like to get a coherent idea of what went wrong. -Ed

Answer : Problem: Can't boot or retrieve files - oddball Norton GoBack 4.0 problem suspected

Rule #1 for data recovery: STOP !!! Do NOT use the drive you need to recover data from for ANYTHING.

Your best likelihood for recovery here is to first buy a NEW hard drive; install ONLY it on the system; and reload the system from the recovery disks. Fortunately you did that, BUT you've apparently done some things that may have written to the family-C drive => if so, you MAY be out of luck (more in a minute).

Now a few thoughts on GoBack before I continue ...

-> First, gobackio.bin is the disk log maintained by GoBack that keeps track of all disk writes. GoBack does NOT track changes to files; it tracks changes to physical disk sectors => and can then "undo" those changes as needed whenever you do a revert to a previous time. The information about file modifications; the ability to recover previous version; etc. is all done by code that analyzes this information and extracts the necessary sectors to do what you've asked. GoBack also "hooks" the disk I/O and modifies the boot sector to ensure this happens before anything else on the disk ==> THAT is the change that's important and that may need to be undone for you to properly see all of your data. An "outside of GoBack" view of the disk will NOT "see" the actual partition structure correctly.

-> IF GoBack was not active on your system, the old gobackio.bin file was from last year => so it contains NOTHING that's changed since then. It simply was never deleted when you reloaded the system (probably because of the failed "Disable GoBack" attempt). ==> But since it MAY have been active all along, there may very well be structural info that will allow you to restore the files. You're apparently not certain (but if there was a "GoBack bar" when you booted the system, then it was active).

-> GoBack v3.0 worked very well ... but after Symantec purchased it (from Roxio) they unfortunately did what they've done to many other excellent software packages: made them worse !! [Norton A/V, Partition Magic, Drive Image, Ghost, etc. all come to mind] There are some major issues with GoBack v4.0 (I tried it, but do NOT and will not use it], and I've seen it "mess up" several systems.

==> Having said that, however, your best likelihood of success here, IF family-C has NOT been written to in any way (All good recovery software does NOT write to the disk ... hopefully the recovery firm has not either), is to Install GoBack on your system !!

Do this:

(a) Be sure family-C is NOT installed in the system (that's apparently the case since it's at a recovery firm).

(b) Install GoBack v4 on the system [this is going to be temporary];

(c) Boot a couple of times to confirm GoBack is working okay;

(d) Shut down, and connect family-C to the system (obviously you need to get it back first);

(e) boot the system.

IF you were indeed using GoBack during the past year; AND IF you have not written to the drive since then (this sounds unlikely, since the aborted RAID attempt probably did so); then GoBack will recognize the "hooks" on the drive and will re-activate them when the system reboots. IF this works .... you will "see" all of the data correctly. If not, you are almost certainly out of luck ==> the data recovery processes you've already been through have most likely recovered all of the data you can from that drive.

In either event, I would then do:

(f) Uninstall GoBack (and never use it again !!)

A few other thoughts/questions:

-> Did you install the 2nd hard drive before or after you reloaded the system? ... and before or after you had attempted to disable GoBack ??

-> Your abortive attempt to replicate family-C onto family-D may very well have caused a lot of data loss. You should NEVER built a new RAID array with disks that contain un-backed-up data !!

-> A RAID array is a TERRIBLE "backup" strategy. A mirrored array protects you against a physical drive failure; but does NOTHING to protect against system corruption (bad updates; viruses; malware; etc.) or accidental deletion or modification of files (those events are simply replicated along with everything else). A MUCH BETTER strategy is to (a) separate your system and data onto different partitions; and (b) maintain a current IMAGE of the system; and current backups of the data on a 2nd hard drive. You might want to read what I wrote some time ago here: http://www.experts-exchange.com/Hardware/Desktops/Q_21582113.html

Random Solutions

Problem: Thin Micro ATX 400W case

Problem: How to reformat Hard Drive?

Problem: How to replace a CDROM drive in Toshiba Satellite 2805-S503

Problem: PalmOS Treo 755p HotSync Issues

Problem: How do I acces my Ubuntu machine with VNC over the internet? what am I donig wrong?

Problem: Cisco Router - Static DHCP Mappings with an Origin File

Problem: Generate a report to identify data growth.

Problem: Powerbook G4 not powering on

Problem: Is a TPM a good thing to have

Problem: Running cat5 outside between two buildings