Viruses Reappear After OS Reload


Nextora
11-09-2008, 09:53 AM
I just read the Manual Virus Removal (http://www.technibble.com/forums/showthread.php?t=2946&page=3) thread and ended up reading the post by RoboGeek (aka Chris Bequeath). He seems to know his stuff, so I was intrigued by his statement "Many of the malware variants out there save themselves in just the places you'll copy back over - especially if they have music or videos. Load the playlist and reinfect the PC."

It is actually quite ingenious, and a bit scary. Nowadays almost all computers have music & videos that I back up for my clients and copy back to the freshly loaded OS, yet I have never had a problem with a reinfection. My question to you is: how many of you have experienced a quick reinfection after an OS reload for a client?

Regardless, I am going to make sure I listen to all 3 episodes on The Force Field podcast, and per Chris's advice I have already started studying computer forensics. What is the world coming to when a good old-fashioned reload of the OS no longer solves the malware problem? :) . Touché, malware coders.

nonchalant
11-09-2008, 08:06 PM
The only time I've ever had a recurrence is when I once did a quick format instead of a full format.

Nextora
11-10-2008, 05:34 AM
Delete the partition which Windows is on, create a new one, format Windows onto it, and scan all backed-up media before re-install, and of course, do NOT plug it in to the net until you have the latest patches/updates, and anti-virus updates.

Yep, this is pretty much the process I use. However, RoboGeek's post suggests that some new malware is undetectable by AntiVirus, AntiSpyware, and Rootkit Detectors and that it can infect music or videos which we usually back up and then copy to the fresh OS, thus transferring the malware to the clean computer.

I have never had this happen to me but was curious how many others are starting to see issues like this. It seems like this is a logical progression of where malware might be moving to, because it ups the ante and makes it even harder to remove.
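A triage pass over the backed-up data, along the lines of the process quoted above (scan the backed-up media before re-install, and do not restore executables), as an added example that is not code from the original thread. The file-type lists, the PE-header check and the playlist pattern are my assumptions, and the sample profile is constructed.

```python
"""Triage a backed-up user profile before restoring it onto a reloaded OS.

Flags the three things this thread worries about:
  * an executable hiding behind a media extension (name says .mp3, header says PE)
  * a playlist whose entries point at executables or remote resources
  * plain executable/script types that should not be restored at all
"""
from __future__ import annotations
import re
import tempfile
from pathlib import Path

NEVER_RESTORE = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".dll", ".sys"}
MEDIA = {".mp3", ".wma", ".wav", ".avi", ".wmv", ".mpg", ".mp4", ".jpg", ".gif"}
PLAYLISTS = {".m3u", ".m3u8", ".pls", ".wpl", ".asx"}
# A playlist line naming an executable type, a URL, or a UNC path (assumed heuristic).
RISKY_REF = re.compile(r"(\.(exe|scr|dll|hta|vbs|js)\b|https?://|\\\\)", re.IGNORECASE)

def classify(path: Path) -> list[str]:
    """Return findings for one file; an empty list means nothing suspicious."""
    ext = path.suffix.lower()
    findings = []
    if ext in NEVER_RESTORE:
        findings.append("executable type: do not restore")
    if ext in MEDIA and path.read_bytes()[:2] == b"MZ":  # PE files start with 'MZ'
        findings.append("PE header behind a media extension")
    if ext in PLAYLISTS:
        for line in path.read_text(errors="replace").splitlines():
            if RISKY_REF.search(line):
                findings.append(f"playlist references {line.strip()!r}")
    return findings

def triage(root: Path) -> dict[str, list[str]]:
    """Walk a backup tree and map relative paths to their findings (hits only)."""
    report = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and (hits := classify(p)):
            report[p.relative_to(root).as_posix()] = hits
    return report

def build_sample_backup() -> Path:
    """Constructed sample profile (not real malware): a normal song, a PE disguised
    as a song, a playlist pointing at a stray .exe, and that .exe itself."""
    root = Path(tempfile.mkdtemp(prefix="backup_"))
    (root / "Music").mkdir()
    (root / "Music" / "track01.mp3").write_bytes(b"ID3\x03\x00" + b"\x00" * 32)
    (root / "Music" / "track02.mp3").write_bytes(b"MZ\x90\x00" + b"\x00" * 32)
    (root / "Music" / "party.m3u").write_text("#EXTM3U\ntrack01.mp3\n..\\updater.exe\n")
    (root / "updater.exe").write_bytes(b"MZ\x90\x00")
    return root

if __name__ == "__main__":
    for rel, hits in triage(build_sample_backup()).items():
        print(rel, "->", "; ".join(hits))
```

Anything the report lists gets quarantined and scanned separately rather than copied back; the header check catches renamed executables, which extension-only filtering would miss.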

iptech
11-10-2008, 09:32 AM
Yes, virus infections are definitely changing and the writers are looking to find ways to circumvent the 'clean install' scenario, so they are increasingly embedding trigger files in the user's data that will be copied back onto a user's system. Before you reinstall you should do some forensic investigation as to the modus operandi of the virus & rootkit, by which time you will be well on your way to fixing the original problem anyway and can often avoid the need to do a reinstall by simply(!) fixing the problem.

Blues
11-10-2008, 02:29 PM
I generally do not restore any .exe files to a client's PC and run scans on the backup files. I have had a handful of reinfected PCs, I think 3 total, one of which was not a reformat job. The reformat job where it happened was because the user went out and basically did the exact same thing a second time. The non-reformat was because I hadn't gotten the heart of it out, so it resurfaced in about 2 or 3 days.

RoboGeek
11-12-2008, 11:15 PM
Just a hint.. if you guys ever wondered why ComboFix changes the clock settings, it's because some malware/rootkits are sophisticated enough to know when they are under attack (being cleaned). They go dormant and hide for a certain timeframe, and reload after a certain time on the system clock. ComboFix tricks them into reinstalling by changing the clock, then shows all the files created within the last 24 hrs.

It's not good at cleaning them, but it will at least detect them and warn you (to a point).

Oh.. and beware the latest XP Antivirus malware. It contains a new rootkit that uses a file named Gkii52.sys - it runs as a hidden service, respawns all the files you remove, and instantly reinstalls the XPAV garbage on the next boot. The file is in the drivers dir as a dll and sys file. It hooks into explorer and the tcp/ip before Windows boots.

nonchalant
11-13-2008, 09:37 AM
Oh.. and beware the latest XP Antivirus malware. It contains a new rootkit that uses a file named Gkii52.sys - it runs as a hidden service, respawns all the files you remove, and instantly reinstalls the XPAV garbage on the next boot. The file is in the drivers dir as a dll and sys file. It hooks into explorer and the tcp/ip before Windows boots.

Nice..

I can hear the phone ringing already.. :D