Contributor
Persistent
Posts: 24
Registered: 07-09-2009
Should I check "Restore MBR"

My fully loaded and updated Norton Internet Security 2009 allowed a trojan horse virus to penetrate its defenses and now my HP Notebook's infected. I am about to use a Ghost 12 backup to restore the drive and I can use all your advice:

  1. Drive is infected and I want to minimize chance of virus surviving the Ghost Recovery.
  2. Drive is bootable Primary "C" Drive, 55 GB, with a small 212 MB "Unknown Partition" for HP recovery files.
  3. I'm restoring the bootable "C" Drive, and want to keep the Unknown Partition alone.

Would checking the "Restore MBR" option (default is unchecked) be advised?

Any other things to watch out for in regard to my number one above?

floplot
Posts: 9,952
Topics: 200
Kudos: 1,894
Solutions: 354
Registered: 04-11-2009
Re: Should I check "Restore MBR"
[ Edited ]

Hi Persistent

You have a rootkit on your computer. A rootkit is a very dangerous thing to have. I would suggest that you save your important documents and head over to one of the sites you were recommended to use. The longer you have the rootkit in your computer, the worse off your computer will be. Reformatting a hard drive does not always remove the rootkit either. A rootkit can damage your hard drive and it can kill your computer also. If it was as easy as that to fix, don't you think people would be doing that rather than going through all the things you have to go through at one of those other sites to help you fix your computer?

You don't have a Trojan, you have a rootkit.

Message Edited by floplot on 12-21-2009 03:24 PM

Success always occurs in private and failure in full view.

Super Bot Obliterator
Brian_K
Posts: 5,380
Registered: 04-19-2009
Re: Should I check "Restore MBR"

Persistent,

As your image was taken prior to being infected, I would restore the MBR (normally you wouldn't bother, as the MBR is already there). Yes, leave the Unknown Partition alone.

When you restore, choose...

Verify recovery point before restore
Check for file system errors after recovery
Partition type Primary
Set drive active (for booting OS)
Restore original disk signature
Restore Master Boot Record (MBR)

Please let us know the outcome.

Super Bot Obliterator
Brian_K
Posts: 5,380
Registered: 04-19-2009
Re: Should I check "Restore MBR"

floplot,

My experience with rootkits is zero. If formatting doesn't always remove a rootkit, what about wiping the HD? A DBAN-type wipe?

Super Bot Obliterator
Brian_K
Posts: 5,380
Registered: 04-19-2009
Re: Should I check "Restore MBR"
[ Edited ]

Persistent,

I just read your other thread. My approach would be to restore your image. If the rootkit is still present, zero the HD with a Wipe app and restore your image again.

 

My kids' computers get infected occasionally. I just restore an image taken "last week". Fixed.

Message Edited by Brian_K on 12-22-2009 08:00 AM

AllenM
Posts: 10,217
Topics: 221
Kudos: 2,143
Solutions: 377
Registered: 12-14-2008
Re: Should I check "Restore MBR"

Rootkits are a dangerous thing. I am not familiar with DBAN, but I would recommend something which is a DOD (Dept. of Defense) approved wipe utility, which means multiple passes and multiple write patterns.

Yes, this will take time, but if you perform a DOD approved WIPE, you will ensure this rootkit is gone before you restore with Ghost.

Allen

Windows 7 Ultimate SP 1, 32 bit, 4 GB * NIS 2012 (19.8.0.14) * Ghost 15 * IE 9, Firefox, Safari.
Test laptop with W7 Home Premium 64 bit * NIS 2012 (19.8.0.14)

Super Bot Obliterator
Brian_K
Posts: 5,380
Registered: 04-19-2009
Re: Should I check "Restore MBR"

Allen,

I've never used DBAN either, but it seems to be the app folks refer to when they talk about "wiping". I use CopyWipe. Both apps can do a DOD wipe.

Super Bot Obliterator
Brian_K
Posts: 5,380
Registered: 04-19-2009
Re: Should I check "Restore MBR"

Here is an interesting comment from the man who introduced the multiple wipe concept, Prof. Peter Gutmann.

"In the time since this paper was published, some people have treated the 35-pass overwrite technique described in it more as a kind of voodoo incantation to banish evil spirits than the result of a technical analysis of drive encoding techniques. As a result, they advocate applying the voodoo to PRML and EPRML drives even though it will have no more effect than a simple scrubbing with random data. In fact performing the full 35-pass overwrite is pointless for any drive since it targets a blend of scenarios involving all types of (normally-used) encoding technology, which covers everything back to 30+-year-old MFM methods (if you don't understand that statement, re-read the paper). If you're using a drive which uses encoding technology X, you only need to perform the passes specific to X, and you never need to perform all 35 passes. For any modern PRML/EPRML drive, a few passes of random scrubbing is the best you can do. As the paper says, "A good scrubbing with random data will do about as well as can be expected". This was true in 1996, and is still true now."