Gotki

Quote:

I'm no *rootkit* expert--but a simple restore to an existing drive that is already partitioned will not effect any code that is stored in the first 63 boot sectors of a HDD, i.e. absolute sectors 0 through 62--total of 63--so if there's any chance that malicious code has been stored in the boot region, you need to use a program that will zero out or wipe the code in those first 63 sectors.  A restore will not effect those sectors--even re-partitioning or a re-format will not touch those first 63 sectors!

Almost any DOS disk editor could do it for you (Download PTS Disk Editor here:).  

This program will work:   MBRWizard - The MBR utility you've been looking for!.

If you have all the Ghost 2001 files, then you may have Ghost's *gdisk*--Symantec's command line partitioning tool--a substitute for *fdisk*--but it also has a wiping function that will wipe the first 63 sectors along with the rest of the drive.

These are powerful disk editing tools--make sure you are comfortable with their use, make sure you have a good backup of important data, and make sure you are editing the correct HDD--possibly disconnect any others until the editing is done, and make sure you're ready to proceed!

Quote:

Well, did you create the backup files?  Do you know what's on them--obviously, we don't!!!

*ghostpe.exe* is the Ghost program file.

It looks like you have two different backups:  1.  *old.gho* which takes up less than 2 GB of data, and 2.  *setup.gho* which is a two file set--the first one being probably about 2 GB and the second spanned file is *setup001.ghs* with something less than 2 GB of data--so these two are a pair of a single backup image set.

Restoring either one of those will result in the data that was present when those files were made to be restored.

Use *Local > Disk > from Image* as the restore command.

If you have zeroed out the first 63 sectors, Ghost will have the Master Boot Sector from the original HDD stored in the image file and will restore that along with all the other data stored in the image file.

Quote:

This may help: Guide to Norton Ghost

Gotki

Quote:

If you were doing an *Integrity* check--it's never a good thing if Ghost will not successfully finish the integrity check saying the image passes the test!

Quote:

Does the *analyzer* have the ability to clean or remove the rootkit problems it finds?

Woohoo, Finally I have got sophos anti rootkit and deleted the runtime2.sys file once but there are also some other files which I need to remove and it will take sometime. Thanks buddy for the help though. But if there will be any more problem then you won't be able to resist me.