How can a Reformatted Drive get so infected so quickly?

Discussion in 'malware problems & news' started by RCGuy, Feb 15, 2012.

Thread Status:
Not open for further replies.
  1. RCGuy

    RCGuy Registered Member

    Joined:
    Aug 7, 2005
    Posts:
    541
    Could someone please explain to me how a computer can get infected, right after reformatting the hard drive? Although, actually, with the type of computer that I have, I performed what is called a "Full System Restore (Destructive)."

    But anyway, after only opening up Microsoft sites unsandboxed and the Mozilla Firefox site and browsers unsandboxed, and while creating my Option settings and also getting tons of Microsoft updates...and after performing an emsisoft free online scan, emsisoft detected and neutralized an ftpattack, which wiki explains as:

    http://en.wikipedia.org/wiki/FTP_bounce_attack

    And emsisoft's site describes it like this:

    http://www.emsisoft.com/en/malware/?Trace.Registry.FTPAttack

    Well, from the second description, I do have a better idea as to where the infection came from.

    However, in a post in another thread, I had mentioned how:

    Therefore, I really don't see how my newly reformatted hard drive could have landed a trojan horse. However, the thought did come across my mind that with the plethora of Windows Updates getting installed, perhaps the malware could have entered my system by means of Windows Updates.

    Also, I found this information:

    http://www.pcworld.com/article/171331/microsoft_iis_servers_vulnerable_to_ftp_attack.html

    Additionally, I wanted to mention that I did install Firefox, however, I noticed they seemed to have offered a lot more Extensions and Plugins and I kind of played around with them and chose a few new ones. But after I installed the latest version of Firefox, I looked at their Extensions and Plugins and noticed that the Metastream 3 Plugin has been disabled due to security...issues.

    Therefore, that seems to be the only other security issue that would have allowed the attempted trojan attack on my limited account.

    Any comments would be appreciated.
     
  2. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,728
    Location:
    localhost
    Did you actually check the detection with emsisoft? If not please do so.
    It sounds like a false positive... ;)
     
  3. Dezaxa

    Dezaxa Registered Member

    Joined:
    Sep 23, 2011
    Posts:
    6
    Speaking hypothetically, there are several possible answers to your question.
    1. Your drive might have a hidden partition that was infected and was not wiped by the restore. Many computer manufacturers install a copy of the OS in a hidden partition to simplify recovery in the event that the user messes up and deletes or corrupts everything. This hidden partition will be unaffected by a restore or a reformat.
    2. You might possibly have a piece of malware in your BIOS. This kind of thing is rare but not impossible.
    3. You might have been attacked over the Internet while downloading all the updates and security patches. The SANS Institute published some tests a few years ago in which they connected a vanilla XP box to the Internet and timed how long it took to be attacked and compromised. They found the answer was just a few minutes: not long enough to download and install the security patches. Admittedly, they were using XP sp1, which does not have the Windows firewall enabled by default.
    4. It is conceivable that your installation media are infected. This shouldn't happen with genuine MS media, but there have been cases of computer manufacturers issuing their own media, and you just never know how careful they are.
     
  4. badkins79

    badkins79 Registered Member

    Joined:
    Dec 23, 2011
    Posts:
    60
    Location:
    Maryland
    From the attacks you are describing, it sounds like you are getting attacked from the internet. Are you using a router? If not, all the script kiddies in the world can send exploits and port scans all day long. Eventually they will get you.
     
  5. RCGuy

    RCGuy Registered Member

    Joined:
    Aug 7, 2005
    Posts:
    541
    Thanks, Dezaxa, for all the good information.

    Also, I think that my problem was most likely No. 1. and No. 3. Plus, in case it was No. 1, I'm assuming that it might be a wise idea to perhaps wipe the hard drive entirely clean with something like D-Ban and reformat the hard drive with a recovery disc.

    Additionally, as far as No. 3 goes, if one's copy of the OS in a hidden partition and/or recovery disc is from a computer that was manufactured in 2006...wouldn't that computer by default first install the sp1 OS and then download and install the security patches that update the OS to sp3? And if so... then that within itself sounds problematic. Plus, if that is true, wouldn't the only way to really resolve that problem be to get a new computer which initially installs the sp3 OS...or a more advanced Windows OS (if there is one...sorry about my ignorance ;) )?
     
  6. RCGuy

    RCGuy Registered Member

    Joined:
    Aug 7, 2005
    Posts:
    541
    Thanks for the info, badkins79. Also, yes I am using a router, however, I am also using the Windows XP firewall, where I recently read an article that said that the Windows XP firewall isn't really an adequate firewall because it allows unauthorized communication to go out of the firewall.

    Although, I guess that's not really related to the issue we are talking about...unless unauthorized outgoing information could provide the 'baddies' with information about your computer, which would enable them to launch an attack on your computer.

    P.S. And by the way, I wish people would stop saying that Windows XP firewall is adequate, even though it's not the best firewall. Because in reality, if it allows such problems as described above, then it is not an adequate firewall.

    Also, I did just recently read the Firewall Questions for beginners sticky in the other firewalls forum (even though it's been around since August 1st, 2006 :oops:) where Paranoid2000 said:

    Therefore, I think that I need to get a better firewall, which would apparently improve my security. ;)
     
  7. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,080
    Location:
    USA
    Don't sell the inbound Windows Firewall short. It is very good! It's all I use on dial up (a direct connection to the web!) and it keeps things nice and clean.

    2-way firewalls are great and can give us good control over what leaves our computers. But to me, that means control over privacy or programs calling home to momma. Not more security.

    I clearly don't know what has caused your issue you are dealing with. But IMO, an outbound firewall would not have prevented it.
     
  8. RCGuy

    RCGuy Registered Member

    Joined:
    Aug 7, 2005
    Posts:
    541
    Oh, wow. Thanks for that, Han.
     
  9. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    3,518
    Location:
    USA - Back in a real State in time for a real Pres
    Are you really infected? Sounds like data mining stuff.

    Did you run a full AV scan?
     
  10. RCGuy

    RCGuy Registered Member

    Joined:
    Aug 7, 2005
    Posts:
    541
    No, I was really infected. Also, I ran F-Secure's online scanner...and they found 16 infections.....that they didn't know how to cure. :eek:

    And some of them were infections related to the Firefox browser. :eek:

    Well, the bad news is that the infections jammed up my Avast AV software.

    But the good news is that I called Avast's toll free Customer Support number at their site...and their technicians were able to get rid of all of the malware that was on my computer through remote access. It was really cool. :cool:

    Also, I rescanned with F-Secure and zero infections showed up on my computer. :D
     
  11. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    3,518
    Location:
    USA - Back in a real State in time for a real Pres
    Glad you're sorted. Now what was the hole in the setup that allowed this to happen? And what new security are you implementing so it won't happen again?
     
  12. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    Not one of the people mentioned on the link below
    https://www.wilderssecurity.com/showthread.php?t=320199
     
  13. RCGuy

    RCGuy Registered Member

    Joined:
    Aug 7, 2005
    Posts:
    541
    Read what was said in post #5. Also, when Avast's security people fixed what they found, they showed me where some leftover stuff from some McAfee Security programs that I had deleted from my computer were functioning as malware. (The eMachine computer that I have came with a trial version of a McAfee Security Suite that I had deleted.)

    Also, I either forgot what the other items of the 16 pieces of malware were...or they didn't explain to me what they were.

    But as far as what new security that I am implementing...I really haven't implemented any new security. The remnants of the McAfee malware are now finally gone (which have actually been on my computer since I first had it). Also, I uninstalled Firefox and don't intend on installing it again. (I had always suspected that I had gotten infected from something related to Firefox. And apparently, that browser must have some known security issues.)

    Additionally, I plan to implement the LUA + SRP + KAFU combination. Although, it was either SRP or KAFU that I had a problem understanding, but I had planned to sit down and figure it out.

    But other than that, none other....however, did you have some suggestions?
     
  14. RCGuy

    RCGuy Registered Member

    Joined:
    Aug 7, 2005
    Posts:
    541
    Holy smoke! :eek: But yes, it was those people. :eek:

    Also, I posted about my experience about the iYogi support that I received on March 14th (which means that the service that I got from iYogi was prior to that)...and noticed that the thread that you referred to me was also started on March 14th.

    Although I just went to Avast's download page:

    http://www.avast.com/en-us/free-antivirus-download

    and noticed that the iYogi toll free number isn't there anymore.

    Also, I will admit that they tried to sell me a year's worth of technical support service for $169, however, I had told them that I really didn't have the money to pay for the service right now....but the person that I was talking to on the phone said that he would still give me a one time complimentary service. Plus, they did get rid of all of the 16 infections that the F-Secure scan had revealed.
     