How-to handle a rootkit invasion

IF you had a rootkit installed on your system and try to "ignore" it by installing a TI9 image backup, will that work?… i.e. does the installation of a TI9 partition image backup onto C: drive erase those parts of the partition that the rootkit is clinging to?? Am I even phrasing this so it makes sense what I am asking? Would you need to format the drive completely?

 

Restoring an image performs the essentially the same functions as a format, so if that would eliminate a rootkit, restoring an image will also.

Unless someone creates a new super rootkit, restoring an image of the boot drive will eliminate it. That's why image backups are so valuable.

By the way, backups are usually at least a few days or weeks old and restoring one will delete all data created since the backup. If this is a problem, make an image immediately BEFORE retoring the older image.

You can safely retrieve your data files from the image without worrying about the rootkit reactivating.

 

Thank you for that speedy reply JMK! I am assuming from your reply that it does not matter that I am only restoring the C partition from an image archive of just the C Drive… Basically I keep all my data on my D partition, I used TweakUI to relocate the various important folders such as MyDocs and such to that partition when I built up the system, and various registry hacks where needed, also tell Firefox to locate the Bookmarks.htm file on that drive as well. I only use webmail interfaces for mail.

I then pretty much just surf with just a name brand anti-spyware and firewall software (no anti-virus software), and if (it actually has not happened in a long while) I suddenly find some malware doing the funky chicken on my desktop then I can put in the TrueImage Boot CD, reboot and restore from the image of the C Drive without hesitating to think if I am losing something – the restored OS immediately is "linked" back up to the data because the data was on D all along.

My question came from reading a PCMag story about how some of the newer viruses were combining rootkits (new versions Bagel apparently), and I wanted to be sure that my strategy was still valid in the face of those threats.

Anywho thanks for the input!

 

Unless something gets stored on D which doesn't make much sense since a rootkit needs to load at bootup and would be expected to be only on C, your procedure should be fine.

As a precaution, you could image both C and D to protect both the system and your data.

 

10-4, and thanks again...