Technibble Forums > Technical Discussions > Security, Viruses and Trojans

View Poll Results: Have you experienced a quick reinfection of a PC after a backup & OS reload?
Yes 5 25.00%
No 15 75.00%
Voters: 20.

#1
11-09-2008, 08:53 AM
Nextora
Join Date: Oct 2008
Location: San Diego, California
Posts: 48
Viruses Reappear After OS Reload

I just read the Manual Virus Removal thread and ended up reading the post by RoboGeek (aka Chris Bequeath). He seems to know his stuff, so I was intrigued by his statement: "Many of the malware variants out there save themselves in just the places you'll copy back over - especially if they have music or videos. Load the playlist and reinfect the PC."

It is actually quite ingenious, and a bit scary. Nowadays almost all computers have music and videos that I back up for my clients and copy back to the freshly loaded OS, yet I have never had a problem with a reinfection. My question to you is: how many of you have experienced a quick reinfection after an OS reload for a client?

Regardless, I am going to make sure I listen to all 3 episodes on The Force Field podcast, and per Chris's advice I have already started studying computer forensics. What is the world coming to when a good old-fashioned reload of the OS no longer solves the malware problem? Touché, malware coders.
__________________
Shaun Barney
Systems Engineer
San Diego Computer Repair

#2
11-09-2008, 07:06 PM
nonchalant
Join Date: Oct 2007
Location: Oz
Posts: 611

The only time I've ever had a recurrence is when I once did a quick format instead of a full format.
#3
11-10-2008, 04:34 AM
Nextora
Join Date: Oct 2008
Location: San Diego, California
Posts: 48

Quote:
Originally Posted by AdvancedComputerGroupInc:
Delete the partition which Windows is on, create a new one, format Windows onto it, and scan all backed-up media before reinstall, and of course do NOT plug it in to the net until you have the latest patches/updates and anti-virus updates.

Yep, this is pretty much the process I use. However, RoboGeek's post suggests that some new malware is undetectable by antivirus, antispyware and rootkit detectors, and that it can infect music or videos, which we usually back up and then copy to the fresh OS, thus transferring the malware to the clean computer.

I have never had this happen to me but was curious how many others are starting to see issues like this. It seems like a logical progression of where malware might be moving, because it ups the ante and makes it even harder to remove.
#4
11-10-2008, 08:32 AM
iptech
Join Date: Sep 2008
Location: PC Biz
Posts: 2,069

Yes, virus infections are definitely changing and the writers are looking for ways to circumvent the 'clean install' scenario, so they are increasingly embedding trigger files in the user's data that will be copied back onto a user's system. Before you reinstall you should do some forensic investigation into the modus operandi of the virus and rootkit, by which time you will be well on your way to fixing the original problem anyway and can often avoid the need to do a reinstall by simply(!) fixing the problem.
#5
11-10-2008, 01:29 PM
Blues
Join Date: Jun 2006
Location: Tennessee, US
Posts: 1,685

I generally do not restore any .exe files to a client's PC, and I run scans on the backup files. I have had a handful of reinfected PCs, I think 3 total, one of which was not a reformat job. The reformat job where it happened was because the user went out and basically did the exact same thing a second time. The non-reformat one was because I hadn't gotten the heart of it out, so it resurfaced in about 2 or 3 days.
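What the first post and Blues's reply describe, as an added example that is not part of the thread or any poster's tooling: a screening pass over a client's backup set before it is copied to the fresh OS. It flags executable types, media files whose header does not match their extension (a PE image renamed to .avi), and playlist entries that fetch from the network or point at a binary. The file-type lists, the header signatures and the sample backup tree are this example's own assumptions and constructed data, not anything the posters mention.

```python
"""Screen a client's backed-up user data before copying it onto a fresh OS.

Added example for this thread, not code from any poster or product. The
extension lists and header signatures are assumptions of this example, and a
clean report is not proof that the backup is clean.
"""
import os
import re
import tempfile
from pathlib import Path, PureWindowsPath

# Types that should not be copied back to a freshly loaded system (assumed list).
EXEC_EXTS = {".exe", ".dll", ".sys", ".scr", ".com", ".pif", ".bat", ".cmd",
             ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".lnk", ".inf",
             ".msi", ".cpl", ".ocx"}
# Playlists are plain lists of paths/URLs that a media player will open.
PLAYLIST_EXTS = {".m3u", ".m3u8", ".pls", ".wpl", ".asx"}
# Expected leading bytes for a few media containers (first 12 bytes of the file).
MEDIA_CHECKS = {
    ".mp3": lambda h: h.startswith(b"ID3")
                      or (len(h) > 1 and h[0] == 0xFF and (h[1] & 0xE0) == 0xE0),
    ".avi": lambda h: h.startswith(b"RIFF") and h[8:12] == b"AVI ",
    ".mp4": lambda h: h[4:8] == b"ftyp",
    ".wmv": lambda h: h.startswith(b"\x30\x26\xb2\x75"),
    ".jpg": lambda h: h.startswith(b"\xff\xd8\xff"),
}
URL_RE = re.compile(r"^(?:https?|ftp|file|mms)://", re.I)
XML_REF_RE = re.compile(r"""(?:src|href)\s*=\s*["']([^"']+)""", re.I)


def playlist_entries(path):
    """Return the media references inside a playlist file."""
    text = path.read_text(errors="replace")
    ext = path.suffix.lower()
    if ext in (".wpl", ".asx"):                 # XML-style playlists
        return XML_REF_RE.findall(text)
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#[":         # comments and INI section headers
            continue
        if ext == ".pls":                       # only File1=... lines carry a reference
            key, _, value = line.partition("=")
            if not key.lower().startswith("file"):
                continue
            line = value.strip()
        entries.append(line)
    return entries


def check_file(path):
    """Return a list of findings for one file (empty if nothing was flagged)."""
    ext = path.suffix.lower()
    findings = []
    if ext in EXEC_EXTS:
        findings.append(f"{path}: executable type {ext}, do not restore")
    if ext in MEDIA_CHECKS:
        try:
            with path.open("rb") as f:
                head = f.read(12)
        except OSError as e:
            return [f"{path}: unreadable ({e})"]
        if head.startswith(b"MZ"):              # a PE image renamed to look like media
            findings.append(f"{path}: claims {ext} but starts with MZ (Windows executable)")
        elif not MEDIA_CHECKS[ext](head):
            findings.append(f"{path}: header {head[:4]!r} does not match {ext}")
    if ext in PLAYLIST_EXTS:
        for entry in playlist_entries(path):
            if URL_RE.match(entry) or entry.startswith("\\\\"):
                findings.append(f"{path}: playlist entry fetches from {entry!r}")
            elif PureWindowsPath(entry).suffix.lower() in EXEC_EXTS:
                findings.append(f"{path}: playlist entry launches {entry!r}")
    return findings


def screen_backup(root):
    """Walk a backup tree and return every finding, sorted for stable output."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            findings.extend(check_file(Path(dirpath) / name))
    return sorted(findings)


def build_demo(root):
    """Constructed backup set: one honest MP3, one PE renamed to .avi, one playlist
    that pulls from the network and launches a binary, one installer, one document."""
    root = Path(root)
    (root / "Music").mkdir()
    (root / "Videos").mkdir()
    (root / "Music" / "track01.mp3").write_bytes(b"ID3\x03\x00" + b"\x00" * 64)
    (root / "Videos" / "holiday.avi").write_bytes(b"MZ\x90\x00" + b"\x00" * 64)
    (root / "Music" / "favourites.m3u").write_text(
        "#EXTM3U\n"
        "track01.mp3\n"
        "http://198.51.100.7/codec_update.mp3\n"      # constructed TEST-NET-2 address
        "C:\\Users\\Public\\codec.exe\n")
    (root / "setup.exe").write_bytes(b"MZ" + b"\x00" * 64)
    (root / "notes.txt").write_text("invoice for the repair\n")


def demo():
    """Build the sample tree in a temp dir, screen it, and return the findings
    with the temp prefix replaced so the output is stable."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo(tmp)
        return [f.replace(tmp, "<backup>") for f in screen_backup(tmp)]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run it as-is to print the findings for the constructed tree, or call screen_backup() on the real backup folder. The header check is a fast triage step, not a replacement for scanning the backup with an up-to-date engine; it exists to catch the case the posters worry about, a file that gets copied back only because it looks like music or video.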
#6
11-12-2008, 10:15 PM
RoboGeek
Join Date: May 2006
Location: Middle of a cornfield in Illinois..
Posts: 39

Just a hint: if you guys ever wondered why ComboFix changes the clock settings, it's because some malware/rootkits are sophisticated enough to know when they are under attack (being cleaned). They go dormant and hide for a certain timeframe, and reload after a certain time on the system clock. ComboFix tricks them into reinstalling by changing the clock, then shows all the files created within the last 24 hrs.

It's not good at cleaning them, but it will at least detect them and warn you (to a point).

Oh, and beware the latest XP Antivirus malware. It contains a new rootkit that uses a file named Gkii52.sys. It runs as a hidden service, respawns all the files you remove, and instantly reinstalls the XPAV garbage on the next boot. The file is in the drivers dir as a .dll and a .sys file. It hooks into Explorer and TCP/IP before Windows boots.

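The clock trick RoboGeek describes rests on a plain technique: record what is on disk, give the dormant component a reason to reinstall, then list what is new. The following is an added example of that baseline-and-diff check, not ComboFix and not code from the thread; it also reports files that come back after you delete them (the respawn behaviour in the same post) and files created within a time window. The sample tree, the file names and the payload bytes are constructed for this example.

```python
"""Baseline-and-diff check for a disk after a cleanup pass.

Added example for this thread, not ComboFix and not any poster's tool. Snapshot
the tree, let the dormant component wake up (in the post, by moving the clock),
then report what was created, changed or respawned, plus what was created
within a time window. The scenario in demo() is constructed.
"""
import hashlib
import os
import tempfile
import time
from pathlib import Path


def snapshot(root):
    """Map relative path -> (size, sha256) for every regular file under root."""
    root = Path(root)
    snap = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            try:
                data = p.read_bytes()
            except OSError:
                continue            # locked, or gone between the walk and the read
            snap[str(p.relative_to(root))] = (len(data), hashlib.sha256(data).hexdigest())
    return snap


def diff(before, after):
    """Files that appeared, disappeared, or changed content between two snapshots."""
    common = before.keys() & after.keys()
    return {
        "created": sorted(after.keys() - before.keys()),
        "removed": sorted(before.keys() - after.keys()),
        "changed": sorted(p for p in common if before[p][1] != after[p][1]),
    }


def respawned(before_cleanup, after_cleanup, later):
    """Files deleted during cleanup that are back later with identical content:
    the 'respawns all the files you remove' behaviour from the post."""
    return sorted(p for p in before_cleanup
                  if p not in after_cleanup
                  and p in later and later[p][1] == before_cleanup[p][1])


def recent_files(root, hours, now=None):
    """Files created within the last `hours`. Creation time is used where the OS
    exposes it (st_birthtime on Windows 3.12+ and macOS); on Linux the fallback
    st_ctime is the last metadata change, so the window is a ctime window there."""
    root = Path(root)
    cutoff = (now if now is not None else time.time()) - hours * 3600
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            st = p.stat()
            created = getattr(st, "st_birthtime", st.st_ctime)
            if created >= cutoff:
                hits.append(str(p.relative_to(root)))
    return sorted(hits)


def demo():
    """Constructed scenario: the technician deletes a driver, then a hidden
    component puts it back and adds a companion DLL before the next snapshot."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        drivers = root / "Windows" / "system32" / "drivers"
        drivers.mkdir(parents=True)
        payload = b"MZ" + b"\x00" * 32                     # stand-in for a PE image
        (drivers / "example.sys").write_bytes(payload)     # constructed file name
        (root / "Windows" / "notepad.exe").write_bytes(b"MZ" + b"\x01" * 32)

        base = snapshot(root)
        (drivers / "example.sys").unlink()                 # cleanup pass removes it
        after_clean = snapshot(root)
        (drivers / "example.sys").write_bytes(payload)     # respawned on "next boot"
        (drivers / "example.dll").write_bytes(b"MZ" + b"\x02" * 32)
        later = snapshot(root)

        return {
            "since_cleanup": diff(after_clean, later),
            "respawned": respawned(base, after_clean, later),
            "recent": recent_files(root, hours=24),
        }


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Take the first snapshot before you start removing anything, the second after the removal, and the third after the reboot (or after the clock change, if you use that trick); respawned() is the list to care about, because a file that returns byte-for-byte identical after you deleted it is being restored by something still running. The recent_files() listing is the equivalent of the "created within the last 24 hrs" view the post mentions, with the Linux ctime caveat in its docstring.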
#7
11-13-2008, 08:37 AM
nonchalant
Join Date: Oct 2007
Location: Oz
Posts: 611

Quote:
Originally Posted by RoboGeek:
Oh, and beware the latest XP Antivirus malware. It contains a new rootkit that uses a file named Gkii52.sys. It runs as a hidden service, respawns all the files you remove, and instantly reinstalls the XPAV garbage on the next boot. The file is in the drivers dir as a .dll and a .sys file. It hooks into Explorer and TCP/IP before Windows boots.

Nice...

I can hear the phone ringing already...
Technibble.com is based out of Melbourne, Australia.