Java Exploit / Trojan magically re-appears even with a system re-image

partyvan

New member
Local time
2:19 PM
Messages
6
I re-imaged my system hard drive the other day after getting infected with a Google redirect virus, and a lot of other nasty malware that was apparently smart enough to be able to tell what you're doing and shut your system down after making it unbootable. Seems to have been a Java exploit.

I re-imaged the drive with a system image I made when the computer was new, after I had installed all the programs I wanted, to make such things easier rather than always having to do a fresh install from discs.

However, this time, after doing the re-image, (and updating Windows, plus removing Java) I did a scan with MSE and it detected

Exploit:Java/Toniper (the same thing I had prior to the re-image) and
TrojanDownloader:Java/OpenConnection.OU

Both of these were detected on single files located in the Java 6 Cache, I assume from the Java SSV Helper browser plugin in IE9 since the Java 7+ cache was removed when uninstalling the actual Java program.

There aren't any symptoms of the redirect or any other infections so far; I've run TDSSKiller and it comes up with nothing, so I'm just wondering if these are false positives, or if these things can really infect a system so badly that they can just resurrect themselves even after a re-image.

There doesn't seem to be a whole lot of info out there on Java/Toniper; apparently these exploits are supposed to be old news, but MSE keeps letting stuff like this by, and by the time it does (or when a manual full scan is performed) the system is too compromised to salvage, and a re-image or fresh install is needed.
 

It is a possibility that you did inadvertently copy this virus to the image file.

You might want to do a clean install and see if the same problem presents itself. Since you stated that your system had multiple infections, this would be the safest course of action.

http://www.sevenforums.com/tutorials/1649-clean-install-windows-7-a.html

Another option is to d/l & run MS Safety Scanner to see if it finds the same thing.

Microsoft Safety Scanner - Antivirus | Remove Spyware, Malware, Viruses Free

http://www.microsoft.com/security/p...?Name=TrojanDownloader:Java/OpenConnection.OU
 

Is it possible for a system image file to be infected? That seems like a stretch to me, given the format it's in, but given how easy infection is these days, it does seem like anything is possible. Really these things fly by firewalls and antivirus/antimalware so easy it's amazing our rigs aren't just getting re-infected every few hours.

I'm trying to avoid a re-install since the other software I'd have to re-install is a real hassle and would take a long, long time. Hence the system image. If a system image can be infected, maybe I'll have to keep one on external media. My guess was that if it wasn't just a false positive on some old Java cache files, the malware had somehow managed to just re-appear. If system images and backup files can be infected, it seems like nothing is safe, short of keeping a computer off the internet, which doesn't make any sense given the online nature of almost all modern software.

Does the MS Safety Scanner do anything MSE or Windows Defender Offline doesn't?
 

Yes, an image is a copy of the drive when created, including crapware. I also recommend a full new install on a secure-erased drive.
It is a huge hassle! I just did one on mine 2 days ago to correct some W7 corrupt files.
 

Everything can get infected if you're not careful; that's the main problem with the system-wide images, they copy absolutely EVERYTHING, no matter what. That includes all your programs, configuration, registry garbage and viruses, just everything. I generally am against imaging for that very reason. It's better to just back up the installers of all your programs (which you know you downloaded from safe sources) and your personal data, then reformat and install from scratch. While it's more time consuming, it's the safest option and in addition you get a fresh copy of Windows.
 

Just to clarify, the system image I used was made when the computer was new, before it ever had any trace of malware or viruses on it. I'm well aware that a system image made when files are infected will still have those infected files. I'm wondering if there is actually malware that can inject itself into an existing non-infected hard drive image, since it was brought up. I don't think that's the case here, unless my rig has something truly nasty that is so tricky it can hide from anything, doesn't show any symptoms, and can jump into other drives and image files to stay alive.

My rig (Alienware notebook) has a factory recovery partition, so I could always use that to wipe and re-install back to the original as-shipped state rather than install from scratch, but the programs are still too much hassle to re-install and re-configure, short of no other alternative.

Part of the reason I got another hard drive was to have enough space and a separate physical drive for recovery images for this kind of thing, rather than rely on restore points. If images and backup files on connected hard drives aren't safe, short of being on media that is disconnected from a computer until it's needed, what's the best option?

Too bad we can't just have a small system drive for just the OS and browsers, so when it all gets infected, we just restore it from a clean image and keep going, with the programs all on another drive.
 

It could be possible that you were infected with a boot sector virus - in that case a system image will replace the contents of your hard drive, but it will not replace whatever is in the MBR.

I'm not great with this but I would try reinstalling Windows from the setup disk and allowing it to rewrite a new boot record. After this you can restore the system image if you want, assuming you're just running Windows with no other OS.
 

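A defender's counterpart to the point above about an image restore leaving the MBR untouched, as an added example that is not from this thread: a Python script that parses a 512-byte MBR and compares the hash of its boot code against a baseline copy saved while the machine was known clean, so a first sector that a volume-level restore never rewrote can be spotted. The two sample sectors and their partition layout are constructed inside the script; reading a live sector on Windows means opening `\\.\PhysicalDrive0` as Administrator.

```python
import hashlib
import struct

# Layout constants of a classic (non-GPT) MBR as Windows 7 uses it; these are format facts.
MBR_SIZE = 512
BOOT_CODE_LEN = 440        # boot code occupies bytes 0..439, ahead of the disk signature
PART_TABLE_OFFSET = 446    # four 16-byte partition entries start at 0x1BE
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot-code hash, disk signature and partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_LEN
        # status, CHS start (3 bytes, skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:  # type 0x00 marks an unused entry
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": sector[440:444].hex(),
        "partitions": partitions,
    }

def compare_with_baseline(current: bytes, baseline: bytes) -> dict:
    """Report which parts of the MBR differ from a copy saved while the machine was known clean."""
    cur, base = parse_mbr(current), parse_mbr(baseline)
    return {
        "boot_code_changed": cur["boot_code_sha256"] != base["boot_code_sha256"],
        "partition_table_changed": cur["partitions"] != base["partitions"],
    }

def build_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Assemble a constructed MBR for the demonstration; nothing here is read from a real disk."""
    sector = bytearray(boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN])
    sector += b"\x12\x34\x56\x78" + b"\x00\x00"  # constructed disk signature + reserved bytes
    for status, ptype, lba_start, count in partitions:
        sector += struct.pack("<B3xB3xII", status, ptype, lba_start, count)
    sector += b"\x00" * (MBR_SIZE - 2 - len(sector))  # zero-fill unused partition entries
    return bytes(sector) + BOOT_SIGNATURE

# Constructed Windows 7 style layout: 100 MB "System Reserved" partition followed by the OS volume.
LAYOUT = [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 488192000)]
KNOWN_GOOD = build_mbr(b"CLEAN-BOOT-CODE", LAYOUT)
# Same partition table, different boot code: what a volume-only restore leaves behind if sector 0
# was altered and the restore never rewrote it.
ALTERED_CODE = build_mbr(b"OTHER-BOOT-CODE", LAYOUT)

if __name__ == "__main__":
    # Live sector on Windows: open(r"\\.\PhysicalDrive0", "rb").read(512), run as Administrator.
    print(parse_mbr(KNOWN_GOOD))
    print(compare_with_baseline(ALTERED_CODE, KNOWN_GOOD))
```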
That'd really be something, though I doubt it's the case since boot sectors on such modern PCs are write-protected, aren't they? Everything this particular rig has had, or at least everything MSE has found, is just Java-related exploits and trojans, hence ditching Java altogether is my new solution.

That's a GREAT idea for if it is a boot sector virus though, I'll keep that in mind if anything else magically appears.
 

Just keep in mind that anything or everything that is or has been hooked to your computer or installed can be infected: MBR, modems, routers, some printers with memory, CDs/DVDs, memory sticks, BIOS, recovery partitions, programs, restore points, etc. Don't underestimate the jerks that create these infections.
PS. I removed Java a long time ago because of its problems with infections.
 

I was impressed years ago after getting Windows 7 when the first exploit made its way in, disabled MSE, disabled the firewall, and basically took over. Had to re-image that time, too. In a lot of ways I miss the days of Windows XP when I had Norton and then Kaspersky; those seemed to catch anything.

I've been reading up on viruses that can jump drives, but can't find any exploits that do the same thing, unless they install a virus. Can't seem to find anything that shows a clean system image file can be compromised by a virus, either.
 

Adobe PDF Reader

Some time ago I got a virus through PDF Reader. It was nasty; it corrupted my OS and the MBR. At first I tried just reloading an image to a clean disk. No go, one boot and it was all over again. I found out the culprit file had installed itself on a data disk and it would just wait till I booted a clean image. I don't know if you could call that jumping disks, but I know it was on a data disk instead of the operating disk.
 

  • Download TFC (TFC - Temp File Cleaner by OldTimer - Geeks to Go Forums) and save it to your desktop.
  • Save any unsaved work. TFC will close ALL open programs including your browser!
  • Double-click on TFC.exe to run it. If you are using Vista/Windows 7, right-click on the file and choose Run As Administrator.
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.

TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder. It also cleans out the %systemroot%\temp folder and checks for .tmp files in the %systemdrive% root folder, %systemroot%, and the system32 folder (both 32bit and 64bit on 64bit OSs). It shows the amount removed for each location found (in bytes) and the total removed (in MB). Before running, it will stop Explorer and all other running apps.

Next, if you are using Java and have not updated to JRE 7u11 (current version), follow these instructions:

Update Java:
  • Download the latest version of Java Runtime Environment (JRE) 7u11 from the Java SE Downloads page.
  • Scroll over to the right (JRE).
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
      - Check any item with Java Runtime Environment (JRE or J2SE) in the name.
      - Click the Remove or Change/Remove button.
      - Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-7u11-windows-i586-p.exe to install the newest version.

After you have done all the above, run an online scan with ESET:
  1. Hold down Control and click on the following link to open ESET OnlineScan in a new window: ESET OnlineScan
  2. Click the [image: esetOnline.png] button.
  3. For alternate browsers only (Microsoft Internet Explorer users can skip these steps):
     1. Click on [image: esetSmartInstall.png] to download the ESET Smart Installer. Save it to your desktop.
     2. Double-click on the [image: esetSmartInstallDesktopIcon.png] icon on your desktop.
  4. Check [image: esetAcceptTerms.png].
  5. Click the [image: esetStart.png] button.
  6. Accept any security warnings from your browser.
  7. Check [image: esetScanArchives.png].
  8. Push the Start button.
  9. ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  10. When the scan completes, push [image: esetListThreats.png].
  11. Push [image: esetExport.png], and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  12. Push the [image: esetBack.png] button.
  13. Push [image: esetFinish.png].

One thing to mention about TrojanDownloader:Java/OpenConnection.OU, is that it is a backdoor Trojan. Backdoor Trojans provide the author or ‘master’ of the Trojan with remote ‘administration’ of victim machines. Unlike legitimate remote administration utilities, they install, launch and run invisibly, without the consent or knowledge of the user. Once installed, backdoor Trojans can be instructed to send, receive, execute and delete files, harvest confidential data from the computer, log activity on the computer and more.

If your computer was used for online banking or has credit card information on it, all passwords should be changed immediately to include those used for email, eBay and forums.
You should consider them to be compromised.

They should be changed by using a different computer and not the infected one; otherwise an attacker may get the new passwords and transaction information.
Banking and credit card institutions should be notified of the possible security breach.

I would suggest that you make a new, clean image of your system when you have done all of the above and toss the old re-image disk away!
 

Norton sent out emails on this exploit saying they have it covered. It must have been serious, I don't recall such an email from them in the past.
 
