Should I check "Restore MBR"

My fully loaded and updated Norton Internet Security 2009 allowed a trojan horse virus to penetrate its defenses and now my HP Notebook's infected. I am about to use a Ghost 12 backup to restore the drive and I can use all your advice:


  1. Drive is infected and I want to minimize chance of virus surviving the Ghost Recovery.
  2. Drive is bootable Primary "C" Drive, 55 GB, with a small 212 MB "Unknown Partition" for HP recovery files.
  3. I'm restoring the bootable "C" Drive, and want to keep the Unknown Partition alone.

Would checking the "Restore MBR" option (default is unchecked) be advised?


Any other things to watch out for in regards to my number one above?

Persistent,


As your image was taken prior to being infected I would restore the MBR. (normally you wouldn't bother as the MBR is already there) Yes, leave the Unknown Partition alone.


When you restore, choose...

Verify recovery point before restore
Check for file system errors after recovery
Partition type Primary
Set drive active (for booting OS)
Restore original disk signature
Restore Master Boot Record (MBR)


Please let us know the outcome.
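As an added illustration of what the "Restore Master Boot Record (MBR)" and "Set drive active" options touch (this is example code written for this thread, not Ghost's own code): the first 512 bytes of the disk hold the boot code, four primary partition entries and the 0x55AA signature. Parsing a saved copy of that sector lets you verify after a restore that the active primary partition and the small recovery partition look as expected, and compare the boot code against the copy from the pre-infection image. The sample sector below is constructed, and the 0x12 type id for the HP recovery partition is an assumption.

```python
import struct
from dataclasses import dataclass

SECTOR = 512
BOOT_CODE_LEN = 446          # bytes 0..445 are boot code
ENTRY_LEN = 16               # four partition entries follow at 446..509
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511

@dataclass
class Partition:
    index: int
    bootable: bool    # status byte 0x80 = "active" (what Ghost's "Set drive active" sets)
    type_id: int      # 0x07 = NTFS, 0x12 = assumed HP recovery/diagnostic partition
    start_lba: int
    sectors: int

    @property
    def size_mb(self) -> float:
        return self.sectors * SECTOR / (1024 * 1024)

def parse_mbr(mbr: bytes) -> list[Partition]:
    """Return the non-empty primary partition entries of a 512-byte MBR."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = BOOT_CODE_LEN + i * ENTRY_LEN
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, type_id, start, count = struct.unpack_from("<B3xB3xII", mbr, off)
        if type_id != 0:
            parts.append(Partition(i, status == 0x80, type_id, start, count))
    return parts

def active_partitions(parts: list[Partition]) -> list[Partition]:
    return [p for p in parts if p.bootable]

def boot_code_matches(mbr_a: bytes, mbr_b: bytes) -> bool:
    """True when the boot code (not the partition table) of two sectors is identical."""
    return mbr_a[:BOOT_CODE_LEN] == mbr_b[:BOOT_CODE_LEN]

def make_entry(bootable: bool, type_id: int, start: int, count: int) -> bytes:
    return struct.pack("<B3xB3xII", 0x80 if bootable else 0x00, type_id, start, count)

# Constructed sample sector: dummy boot code, a 55 GB active NTFS partition,
# a 212 MB recovery partition (assumed type 0x12), two empty slots, signature.
SAMPLE_MBR = (
    b"\xeb\xfe" + b"\x90" * (BOOT_CODE_LEN - 2)
    + make_entry(True, 0x07, 2048, 55 * 1024 * 2048)
    + make_entry(False, 0x12, 2048 + 55 * 1024 * 2048, 212 * 2048)
    + bytes(ENTRY_LEN * 2)
    + BOOT_SIGNATURE
)
```

On Linux the real sector can be read with `dd if=/dev/sda bs=512 count=1 of=mbr.bin` and handed to `parse_mbr`; if the restored boot code does not match the one saved from the clean image, the MBR option is worth revisiting.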

floplot,


My experience with rootkits is zero. If formatting doesn't always remove a rootkit, what about wiping the HD? A DBAN type wipe?

Persistent,


I just read your other thread. My approach would be to restore your image. If the rootkit is still present, zero the HD with a Wipe app and restore your image again.


My kids computers get infected occasionally. I just restore an image taken "last week". Fixed.

Message Edited by Brian_K on 12-22-2009 08:00 AM

Rootkits are a dangerous thing. I am not familiar with DBAN but I would recommend something which is a DOD (Dept. of Defense) approved wipe utility which means multiple passes and multiple write patterns.


Yes this will take time but if you perform a DOD approved WIPE you will ensure this rootkit is gone before you restore with Ghost.


Allen

Allen,


I've never used DBAN either but it seems to be the app folks refer to when they talk about "wiping". I use CopyWipe. Both apps can do a DOD wipe.

Here is an interesting comment from the man who introduced the multiple wipe concept, Prof. Peter Gutmann.


"In the time since this paper was published, some people have treated the 35-pass overwrite technique described in it more as a kind of voodoo incantation to banish evil spirits than the result of a technical analysis of drive encoding techniques. As a result, they advocate applying the voodoo to PRML and EPRML drives even though it will have no more effect than a simple scrubbing with random data. In fact performing the full 35-pass overwrite is pointless for any drive since it targets a blend of scenarios involving all types of (normally-used) encoding technology, which covers everything back to 30+-year-old MFM methods (if you don't understand that statement, re-read the paper). If you're using a drive which uses encoding technology X, you only need to perform the passes specific to X, and you never need to perform all 35 passes. For any modern PRML/EPRML drive, a few passes of random scrubbing is the best you can do. As the paper says, "A good scrubbing with random data will do about as well as can be expected". This was true in 1996, and is still true now."
