
Acronis Scheduler2 Service (bug) changes computer date


Basically I have done a Clean Boot and disabled half of the services etc. as I searched by elimination for the culprit that was changing the date on my computer and either making or allowing any updates to be installed and a restore point created on the future date which the computer had been changed to. I do believe that Acronis has some backdoors in which hackers or employees looking for fun can get inside your computer and drive you crazy as you fight to gain control of your computer. I have had to deal with ransomware issues in which I had been locked out of my administrative privileges and unable to control things including the internet time sync. These hackers may not be entirely using Acronis to get in, but Acronis seems to have a major backdoor for these hackers.


Hi Kurt,

I don't mean to sound brash, but I'm sure it's likely to be taken that way. I am sincere in my questions though...

How'd you come to this conclusion and could you provide the details for troubleshooting and how you identified Acronis to be the culprit for these backdoors that allowed ransomware onto your computer? I'm not saying it isn't in the realm of possibility, but I'd be really skeptical that is the case (similar to the notes you posted over in https://forum.acronis.com/forum/128206).

I don't see how you can pinpoint this to Acronis, but if you have some more representative proof (of any kind), I'd be open to reviewing it. It's one thing to state it, but what logs, details, troubleshooting led to this conclusion? You're the first in the nearly 5000 posts I've helped answer that has mentioned such a problem.

I would suspect a more likely cause of your ransomware, malware issue to have been introduced via an email attachment, visiting or being redirected to an unsavory website, or use of an already infected device or application (shareware, torrents, key cracker, downloaded "unofficial" application) or a plugged in device that was already infected, etc.  Most malware masks itself as another known application or file on the system.  It would not be hard for malware to take on the name of another file actively used on the system - especially if targeting applications or users that have administrative access.  

If Acronis has such an open backdoor that is so easily accessible by hackers, why is it only you have been targeted so far? 

Kurt, thanks for raising this as a separate topic.

I agree with Rob in many aspects of this issue, that we have never heard of or seen any suggestions from any other users that the Acronis software itself has been targeted or used by malware of any kind, and have not seen any users posting about it being responsible for changing the system time.

Ransomware and any other form of malware is a constant worry for all users, and something that I know that Acronis themselves are concerned about protecting against and would take very seriously if you can show that any components of their software are vulnerable to this threat, so I would strongly recommend that you open a Support Case directly with Acronis on this issue and have them work with you to diagnose it in more depth.

The approach that I take when I am dealing with any malware infections, which I have done on a number of occasions for friends, is to totally isolate the system with the infection from any network and use standalone tools to help diagnose, identify and disinfect the system.

The first step is to use a standalone boot tool such as the AVG Rescue CD (this can be built on CD or USB stick - the latter is best as it allows for antivirus updates to be downloaded and stored on the stick). Running this type of tool from boot media eliminates any malware from interfering with the analysis of the internal drives. Having more than one tool scan the system is well worth the time this can take.

Once you are as sure as you can be that the system is free of known virus / malware infection, then boot into Windows Safe Mode initially, and run the Malwarebytes Chameleon utility and any other available tools.

Take a look at the Cybereason RansomFree program which can protect against multiple ransomware threats including unknown ones - this is a free tool.

Steve, 

Can Cybereason RansomFree run alongside of MB3?

 

Also, DATE CHANGE problem solved with Acronis NG update

Kurt, not sure as to the question about Cybereason being used alongside Malwarebytes 3 latest version with its own malware protection mechanisms - I only have their Anti-Exploit installed plus the older Antimalware for on-demand scanning. I've not hit any issues so far with having these all installed and there have been several updates for CR as it matures.

Ok, thanks. BTW any license you have for MB Exploit ..if it is premium; or MB2 will work to validate MB3 and you should be able to renew at the old price, I hear the new price will be 39.95 per computer so I feel fortunate having 3 lifetime licenses. I also have a couple of retail MB2 licenses for 3x computers for 1 yr. (retail box ever opened) which I may end up selling for $100.00 each if the prices go up to $40.00 for each computer. Anyway they would only be useful to people who actually have 3 computers. Keep that in mind if you need one.

Thank you very much for all your help,  Kurt

 

Basically the way that I determined it was Acronis was by process of elimination on the MSCONFIG, turning half on etc. until I narrowed it down to Acronis Scheduler2. When I turn on Scheduler2 then within two or three hours my computer's date would change, mostly 1 day forward but sometimes up to a week or more, once the computer time was put back 10 days. Anyway no doubt it was Acronis and I have a copy of the entire computer with this issue in it so the answer is there enclosed for anyone who has the technical know-how to delve into the abyss and identify the exact way this occurs. Amazingly updating to Acronis NG solved the problem and of course over the time of this entire problem I had MB3 installed and MB3 didn't catch this nor did it catch the ransomware which was taking away all of my administrative privileges, including not letting me into the program to sync my computer with Windows or any other time, it also downloaded ransomware on two other drives, one a 4TB Seagate the other a 480SSD SanDisk. I ended up having to format them both in order to protect my new install, which also had the time change after Acronis was installed again. I was somewhat fortunate as I back up immediately after the Windows updates and had a clean copy of Windows before any Acronis install to restore from. I was working with MBytes forum to try to get this problem addressed however they basically said they are working on it and told me to update to their newest release which I did but none solved the issue.. only uninstalling the other Acronis downloaded from the A. online site and reinstalling the NG fixed the date change issue.

Kurt, this certainly is a worrying issue, especially having the malware / ransomware infection and it not being stopped by any of your installed security programs.

Unfortunately, once any such infection has taken a hold, then it is very difficult to prevent it from spreading and inviting its friends to come join the party.  After that point then only a reformat and clean restore or install is going to help.

Hello Kurt,

Thank you for raising the concern. As the New Generation release introduces the anti-ransomware module, we start dealing with computer security issues more and more. I am happy to see that the problem that you have reported has gone after installing Acronis True Image 2017 New Generation.

For what it's worth, I would like to clear up your concerns about Acronis Scheduler2 Service. According to the Development Team, Acronis Scheduler2 Service does not even have any code/instructions inside it for writing/setting the system time. It reads it, but there is no single line of code in the scheduler that potentially could modify the system time.

Taking into account your observations on how disabling the service influences the issue, we can only suspect that the malicious software that was on your computer at that time changes its behavior based on many software environmental factors and is one of other programs/software that influence how the malware/virus/ransomware behaves in various situations. Other actions performed by the "infection" could be provoked by other programs without bringing your attention to them and that could be less noticeable compared to what happened with system date/time.

If you send us the backup where the problem with the date/time changing reproduces, we could investigate the issue in more detail. I will send you FTP connection details in PM. If you agree to proceed with the investigation, I would open a support ticket for you.

Regards,

Slava

I will be happy to supply the back-up(s) that I have with the date change issue.

I have two different back-ups which I am checking out right now to make sure I have the correct password and that they are still changing the date. I am going to do this without network first since I don't know if this thing connects outside the computer or not and I have changed the names of my networks and also the passwords as I have attempted to stop this issue.

One of the back-ups has a trojan called (Poweliks) and the other is after this trojan is removed by Norton,... but the date change still happens on both.

Since I was changing my password every few days ...IF you really need a password I will as I stated above check and see which one works.

And if you have a preference as to which back-up above you want or if you want both.

I will read your instructions about how to upload/send the file.

Thank you for your help, 

And I would really like to know your resulting diagnosis.

Kurt

 

Hello Kurt,

Thank you for deciding to go for the investigation. Development Team has just confirmed to me one more time they would analyze the system image once we have it.

I have opened a support ticket for you and sent the ticket number in PM. One of our experienced support engineers will contact you and will take over the communication with the Development Team.

We do not need the password itself, we just need to be able to get to the Desktop, see the problem reproducing just like you did, install our diagnostic tools, attach the required monitoring system and thoroughly investigate the link between starting Acronis Scheduler2 service and system date/time changing.

We do not need precisely 2 backups either, one should suffice, supposing that the problem will reproduce after we recover the backup on our side.

I see that the system image is currently being uploaded. Once the upload finishes, please let us know: either reply to me in PM, or in this public thread, or reply to our technician who will contact you.

Regards,

Slava
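Added example, not part of the thread and not Acronis's diagnostic tooling: where security-state-change auditing is enabled, Windows records Security event 4616 whenever the system clock is set, including the process that set it, so an export of those events shows which program moved the date. The sample records and the placeholder process path are constructed; the script assumes an export made with `wevtutil qe Security /q:"*[System[(EventID=4616)]]" /f:xml` and wrapped in an `<Events>` root element.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample (not from the thread): a routine sub-second sync, a 4-day
# forward jump and a 10-day backward jump. C:\Example\... is a placeholder path.
SAMPLE = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4616</EventID></System><EventData>
 <Data Name="SubjectUserName">LOCAL SERVICE</Data>
 <Data Name="PreviousTime">2017-02-02T10:15:00.000000000Z</Data>
 <Data Name="NewTime">2017-02-02T10:15:00.412000000Z</Data>
 <Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
</EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4616</EventID></System><EventData>
 <Data Name="SubjectUserName">SYSTEM</Data>
 <Data Name="PreviousTime">2017-02-02T14:03:11.000000000Z</Data>
 <Data Name="NewTime">2017-02-06T14:03:11.000000000Z</Data>
 <Data Name="ProcessName">C:\Example\placeholder.exe</Data>
</EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4616</EventID></System><EventData>
 <Data Name="SubjectUserName">SYSTEM</Data>
 <Data Name="PreviousTime">2017-02-06T09:00:00.000000000Z</Data>
 <Data Name="NewTime">2017-01-27T09:00:00.000000000Z</Data>
 <Data Name="ProcessName">C:\Example\placeholder.exe</Data>
</EventData></Event>
</Events>"""

def parse_ts(value):
    # Event timestamps carry extra fractional digits; whole seconds suffice here.
    return datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S")

def time_jumps(xml_text, threshold=timedelta(minutes=5)):
    """Return (process, user, delta) for 4616 records that move the clock by >= threshold."""
    hits = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4616":
            continue
        data = {d.get("Name"): d.text or "" for d in ev.findall("e:EventData/e:Data", NS)}
        delta = parse_ts(data["NewTime"]) - parse_ts(data["PreviousTime"])
        if abs(delta) >= threshold:  # catches forward and backward jumps
            hits.append((data["ProcessName"], data["SubjectUserName"], delta))
    return hits

if __name__ == "__main__":
    for proc, user, delta in time_jumps(SAMPLE):
        print(f"{proc} (as {user}) moved the clock by {delta}")
```

The threshold filters out ordinary time-service corrections, leaving only the day-scale jumps described in the thread along with the process recorded as responsible for each.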

Hi Slava, Well the system image upload has finished. 19.5 hours to complete. Is there a way to compress a file before sending so it takes less time?

Anyway, the copy I sent should have no problem reproducing the problem unless somehow it is computer specific. The copy I sent was changing the date a couple times a day and with me running it on 02/02 or 02/03 - it changed the date several times to 02/06 and I saved several screenshots to show this occurring, it would even save the files as created on the future date unless I turned back to correct date first.

I am eager to hear what the engineers find.

Thank you very much, Kurt

P.S.    The date was changing even with no internet connected and with the Time sync Off

Attachment Size
404334-136345.jpg 282.32 KB
404334-136348.jpg 283.95 KB

The *.tib is already compressed. Not sure that the level of compression chosen has much impact on the time to upload - the main problem is that speeds are asynchronous - upload speeds are much slower.