Windows 7: Java Exploit / Trojan magically re-appears even with a system re-image

11 Jan 2013   #1

Windows 7 Home Premium 64-bit
 
 
Java Exploit / Trojan magically re-appears even with a system re-image

I re-imaged my system hard drive the other day after getting infected with a Google redirect virus, and a lot of other nasty malware that was apparently smart enough to be able to tell what you're doing and shuts your system down after making it unbootable. Seems to have been a Java exploit.

I re-imaged the drive with a system image I made when the computer was new, after I had installed all the programs I wanted, to make such things easier rather than always having to do a fresh install from discs.

However, this time, after doing the re-image (and updating Windows, plus removing Java), I did a scan with MSE and it detected

Exploit:Java/Toniper (the same thing I had prior to the re-image) and
TrojanDownloader:Java/OpenConnection.OU

Both of these were detected on single files located in the Java 6 Cache, I assume from the Java SSV Helper browser plugin in IE9 since the Java 7+ cache was removed when uninstalling the actual Java program.

There aren't any symptoms of the redirect or any other infections so far, I've run TDSSkiller and it comes up with nothing, so I'm just wondering if these are false positives, or if these things can really infect a system so badly that they can just resurrect themselves even after a re-image.

There doesn't seem to be a whole lot of info out there on Java/Toniper, apparently these exploits are supposed to be old news, but MSE keeps letting stuff like this by, and by the time it does (or when a manual full scan is performed) the system is too compromised to salvage, and a re-image or fresh install is needed.



11 Jan 2013   #2

Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1 Pro
 
 

It is a possibility that you did inadvertently copy this virus to the image file.

You might want to do a clean install and see if the same problem presents itself. Since you stated that your system had multiple infections, this would be the safest course of action.

Clean Install Windows 7

Another option is to d/l & run MS Safety Scanner to see if it finds the same thing.

Microsoft Safety Scanner - Antivirus | Remove Spyware, Malware, Viruses Free

http://www.microsoft.com/security/po...nConnection.OU
11 Jan 2013   #3

Windows 7 Home Premium 64-bit
 
 

Is it possible for a system image file to be infected? That seems like a stretch to me, given the format it's in, but given how easy infection is these days, it does seem like anything is possible. Really these things fly by firewalls and antivirus/antimalware so easily it's amazing our rigs aren't just getting re-infected every few hours.

I'm trying to avoid a re-install since the other software I'd have to re-install is a real hassle and would take a long, long time. Hence the system image. If a system image can be infected, maybe I'll have to keep one on external media. My guess was that if it wasn't just a false positive on some old Java cache files, the malware had somehow managed to just re-appear. If system images and backup files can be infected, it seems like nothing is safe, short of keeping a computer off the internet, which doesn't make any sense given the online nature of almost all modern software.

Does the MS Safety Scanner do anything MSE or Windows Defender Offline doesn't?


11 Jan 2013   #4
Microsoft MVP

Windows 7 Ultimate X64 SP1
 
 

Yes, an image is a copy of the drive when created, including crapware. I also recommend a full new install on a secure erased drive.
It is a huge hassle! I just did one on mine 2 days ago to correct some Windows 7 corrupt files.
11 Jan 2013   #5

Windows 7 Ultimate x64
 
 

Everything can get infected if you're not careful, that's the main problem with the systemwide images, they copy absolutely EVERYTHING, no matter what. That includes all your programs, configuration, registry garbage and viruses, just everything. I generally am against imaging for that very reason. It's better to just back up the installers of all your programs (which you know you downloaded from safe sources) and your personal data, then reformat and install from scratch. While it's more time consuming, it's the safest option and in addition you get a fresh copy of Windows.
11 Jan 2013   #6

Windows 7 Home Premium 64-bit
 
 

Just to clarify, the system image I used was made when the computer was new, before it ever had any trace of malware or viruses on it. I'm well aware that a system image made when files are infected will still have those infected files. I'm wondering if there is actually malware that can inject itself into an existing non-infected hard drive image, since it was brought up. I don't think that's the case here, unless my rig has something truly nasty that is so tricky it can hide from anything, doesn't show any symptoms, and can jump into other drives and image files to stay alive.

My rig (Alienware notebook) has a factory recovery partition, so I could always use that to wipe and re-install back to the original as-shipped state rather than install from scratch, but the programs are still too much hassle to re-install and re-configure, short of no other alternative.

Part of the reason I got another hard drive was to have enough space and a separate physical drive for recovery images for this kind of thing, rather than rely on restore points. If images and backup files on connected hard drives aren't safe, short of being on media that is disconnected from a computer until it's needed, what's the best option?

Too bad we can't just have a small system drive for just the OS and browsers, so when it all gets infected, we just restore it from a clean image and keep going, with the programs all on another drive.
11 Jan 2013   #7

Windows 7 Professional 64-bit
 
 

It could be possible that you were infected with a boot sector virus - in that case a system image will replace the contents of your hard drive, but it will not replace whatever is in the MBR.

I'm not great with this but I would try reinstalling Windows from the setup disk and allowing it to rewrite a new boot record. After this you can restore the system image if you want, assuming you're just running Windows with no other OS.
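The boot-sector possibility raised in post #7 can be checked rather than guessed at by capturing the MBR before and after a restore and comparing the two. The Python below is an added example, not part of the thread; the function names and the sample sectors are constructed, and it assumes the classic 512-byte MBR layout (bootstrap code in bytes 0-439, disk signature at 440-443, partition table at 446-509, 0x55AA at 510-511).

```python
import hashlib
import struct

SECTOR, BOOT_CODE_LEN, TABLE_OFF, ENTRY_LEN = 512, 440, 446, 16
SIGNATURE = b"\x55\xaa"

def parse_mbr(sector: bytes) -> dict:
    """Split one MBR sector into boot-code hash, disk signature and partitions."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly 512 bytes")
    parts = []
    for i in range(4):
        entry = sector[TABLE_OFF + i * ENTRY_LEN:TABLE_OFF + (i + 1) * ENTRY_LEN]
        lba_start, count = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0:  # partition type 0 means the slot is unused
            parts.append({"active": entry[0] == 0x80, "type": entry[4],
                          "lba_start": lba_start, "sectors": count})
    return {
        "signature_ok": sector[510:512] == SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": sector[440:444].hex(),
        "partitions": parts,
    }

def compare_mbr(before: bytes, after: bytes) -> dict:
    """Report which MBR regions differ between two captures."""
    a, b = parse_mbr(before), parse_mbr(after)
    return {
        "boot_code_changed": a["boot_code_sha256"] != b["boot_code_sha256"],
        "disk_signature_changed": a["disk_signature"] != b["disk_signature"],
        "partition_table_changed": a["partitions"] != b["partitions"],
    }

def make_sample(boot_fill: int) -> bytes:
    """Constructed sector: filler boot code and one active NTFS (0x07) partition."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 204800)
    table = entry + bytes(ENTRY_LEN * 3)
    return (bytes([boot_fill]) * BOOT_CODE_LEN + b"\x11\x22\x33\x44"
            + b"\x00\x00" + table + SIGNATURE)

if __name__ == "__main__":
    # On a live system, capture the sector from an elevated prompt instead:
    #   open(r"\\.\PhysicalDrive0", "rb").read(512)
    before, after = make_sample(0x90), make_sample(0xCC)  # constructed captures
    print(parse_mbr(before))
    print(compare_mbr(before, after))
```

If the boot-code hash is identical before and after the restore and matches a capture from a known-clean install of the same Windows version, the MBR is not where the detections are coming from.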
11 Jan 2013   #8

Windows 7 Home Premium 64-bit
 
 

That'd really be something, though I doubt it's the case since boot sectors on such modern PCs are write-protected, aren't they? Everything this particular rig has had, or at least everything MSE has found, is just Java-related exploits and trojans, hence ditching Java altogether is my new solution.

That's a GREAT idea for if it is a boot sector virus though, I'll keep that in mind if anything else magically appears.
11 Jan 2013   #9

Windows 7 Pro. 64/SP-1
 
 

Just keep in mind that anything or everything that is or has been hooked to your computer or installed can be infected. MBR, modems, routers, some printers with memory, CDs/DVDs, memory sticks, BIOS, recovery partitions, programs, restore points, etc. Don't underestimate the jerks that create these infections.
PS. I removed Java a long time ago because of its problems with infections.
15 Jan 2013   #10

Windows 7 Home Premium 64-bit
 
 

I was impressed years ago after getting Windows 7 when the first exploit made its way in, disabled MSE, disabled the firewall, and basically took over. Had to re-image that time, too. In a lot of ways I miss the days of Windows XP when I had Norton and then Kaspersky, those seemed to catch anything.

I've been reading up on viruses that can jump drives, but can't find any exploits that do the same thing, unless they install a virus. Can't seem to find anything that shows a clean system image file can be compromised by a virus, either.