
Windows 7: Java Exploit / Trojan magically re-appears even with a system re-image

11 Jan 2013   #1

Windows 7 Home Premium 64-bit

I re-imaged my system hard drive the other day after getting infected with a google redirect virus, and a lot of other nasty malware that was apparently smart enough to be able to tell what you're doing and shuts your system down after making it unbootable. Seems to have been a Java exploit.

I re-imaged the drive with a system image I made when the computer was new, after I had installed all the programs I wanted, to make such things easier rather than always having to do a fresh install from discs.

However, this time, after doing the re-image, (and updating Windows, plus removing Java) I did a scan with MSE and it detected

Exploit:Java/Toniper (the same thing I had prior to the re-image) and

Both of these were detected on single files located in the Java 6 Cache, I assume from the Java SSV Helper browser plugin in IE9 since the Java 7+ cache was removed when uninstalling the actual Java program.

There aren't any symptoms of the redirect or any other infections so far, I've run TDSSkiller and it comes up with nothing, so I'm just wondering if these are false positives, or if these things can really infect a system so badly that they can just resurrect themselves even after a re-image.

There doesn't seem to be a whole lot of info out there on Java/Toniper, apparently these exploits are supposed to be old news, but MSE keeps letting stuff like this by, and by the time it does (or when a manual full scan is performed) the system is too compromised to salvage, and a re-image or fresh install is needed.

11 Jan 2013   #2
Borg 386

Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1, Win 10

It is a possibility that you did inadvertently copy this virus to the image file.

You might want to do a clean install and see if the same problem presents itself. Since you stated that your system had multiple infections, this would be the safest course of action.

Clean Install Windows 7

Another option is to d/l & run MS Safety Scanner to see if it finds the same thing.

Microsoft Safety Scanner - Antivirus | Remove Spyware, Malware, Viruses Free
11 Jan 2013   #3

Windows 7 Home Premium 64-bit

Is it possible for a system image file to be infected? That seems like a stretch to me, given the format it's in, but given how easy infection is these days, it does seem like anything is possible. Really these things fly by firewalls and antivirus/antimalware so easy it's amazing our rigs aren't just getting re-infected every few hours.

I'm trying to avoid a re-install since the other software I'd have to re-install is a real hassle and would take a long, long time. Hence the system image. If a system image can be infected, maybe I'll have to keep one on external media. My guess was that if it wasn't just a false positive on some old Java cache files, the malware had somehow managed to just re-appear. If system images and backup files can be infected, it seems like nothing is safe, short of keeping a computer off the internet, which doesn't make any sense given the online nature of almost all modern software.

Does the MS Safety Scanner do anything MSE or Windows Defender Offline doesn't?

11 Jan 2013   #4
Microsoft MVP

Windows 7 Ultimate X64 SP1

Yes, an image is a copy of the drive when created, including crapware. I also recommend a full new install on a secure erased drive.
It is a huge hassle! I just did one on mine 2 days ago to correct some corrupt W7 files.
11 Jan 2013   #5

Windows 7 Ultimate x64

Everything can get infected if you're not careful, that's the main problem with the systemwide images, they copy absolutely EVERYTHING, no matter what. That includes all your programs, configuration, registry garbage and viruses, just everything. I generally am against imaging because of that very reason. It's better to just back up the installers of all your programs (which you know you downloaded from safe sources) and your personal data, then reformat and install from scratch. While it's more time consuming, it's the safest option and in addition you get a fresh copy of Windows.
11 Jan 2013   #6

Windows 7 Home Premium 64-bit

Just to clarify, the system image I used was made when the computer was new, before it ever had any trace of malware or viruses on it. I'm well aware that a system image made when files are infected will still have those infected files. I'm wondering if there is actually malware that can inject itself into an existing non-infected hard drive image, since it was brought up. I don't think that's the case here, unless my rig has something truly nasty that is so tricky it can hide from anything, doesn't show any symptoms, and can jump into other drives and image files to stay alive.

My rig (Alienware notebook) has a factory recovery partition, so I could always use that to wipe and re-install back to the original as-shipped state rather than install from scratch, but the programs are still too much hassle to re-install and re-configure, short of no other alternative.

Part of the reason I got another hard drive was to have enough space and a separate physical drive for recovery images for this kind of thing, rather than rely on restore points. If images and backup files on connected hard drives aren't safe, short of being on media that is disconnected from a computer until it's needed, what's the best option?

Too bad we can't just have a small system drive for just the OS and browsers, so when it all gets infected, we just restore it from a clean image and keep going, with the programs all on another drive.
11 Jan 2013   #7

Windows 7 Professional x64

It could be possible that you were infected with a boot sector virus - in that case a system image will replace the contents of your hard drive, but it will not replace whatever is in the MBR.

I'm not great with this but I would try reinstalling Windows from the setup disk and allowing it to rewrite a new boot record. After this you can restore the system image if you want, assuming you're just running Windows with no other OS.
11 Jan 2013   #8

Windows 7 Home Premium 64-bit

That'd really be something, though I doubt it's the case since boot sectors on such modern PCs are write-protected, aren't they? Everything this particular rig has had, or at least everything MSE has found is just java-related exploits and trojans, hence ditching java altogether is my new solution.

That's a GREAT idea for if it is a boot sector virus though, I'll keep that in mind if anything else magically appears.
11 Jan 2013   #9
Layback Bear

Windows 10 Pro. 64/ version 1709 Windows 7 Pro/64

Just keep in mind that anything or everything that is or has been hooked to your computer or installed can be infected. MBR, modems, routers, some printers with memory, CD's/DVD's, memory sticks, BIOS, recovery partitions, programs, restore points, etc. Don't underestimate the jerks that create these infections.
PS. I removed Java a long time ago because of its problems with infections.
15 Jan 2013   #10

Windows 7 Home Premium 64-bit

I was impressed years ago after getting Windows 7 when the first exploit made its way in, disabled MSE, disabled the firewall, and basically took over. Had to re-image that time, too. In a lot of ways I miss the days of Windows XP when I had Norton and then Kaspersky, those seemed to catch anything.

I've been reading up on viruses that can jump drives, but can't find any exploits that do the same thing, unless they install a virus. Can't seem to find anything that shows a clean system image file can be compromised by a virus, either.
