Question about ADS & Reinstalling Files after OS clean install

8 replies to this topic

#1 smak451 (Members, 59 posts)

Posted 20 July 2010 - 12:08 AM

I've contracted a RK from hell & am doing a clean OS install of Win 7 from XP. I've backed up a lot of critical work files to CD/DVDs and am thinking about the best ways of ensuring these files are clean (I've been given a number of file extensions NOT to bring back in from people here, so thanks again).

Can I rely on a barrage of scans from Antivirus programs? I've just read your article on ADS which succeeded in scaring the s*it out of me -- what should I do about this? I think it was LADS that was recommended to see hidden extensions (though the article was dated 2004 so not sure what still applies), or can I rely on scans to pick these up? The thought of these ADS attached to Word files, etc. worries me again, as this RK was very sophisticated and tricky. Please help me with this, thanks again, -- S PS There's no emoticon for crying!


#2 the dummy (Members, 46 posts)

Posted 20 July 2010 - 11:00 PM

Wilders Security Forums may be able to help if no one here shows up soon. :thumbsup:

#3 jdbaker82 (Members, 103 posts)

Posted 21 July 2010 - 12:07 AM

As long as you are only backing up data and not cloning or imaging the drive, the chance that a rootkit or nasty virus will reinfect your machine is not very high unless you are executing a file that caused the problem in the first place.

#4 smak451 (Topic Starter, Members, 59 posts)

Posted 21 July 2010 - 10:39 AM

Thanks guys, I know I sound paranoid but my computer buddies took a look and said you had to be impressed with the level of sophistication this thing had; I was worried it would start to morph around and attach itself to my files with a bunch of guys in Moscow toasting my stupidity with bottles of Dom after draining my bank accounts.

Not sure what the best approach here is; any advice much appreciated. Maybe sandbox my work environment?

#5 quietman7 (Bleepin' Janitor, Global Moderator, 51,395 posts, Virginia, USA)

Posted 21 July 2010 - 10:49 AM

Alternate Data Streams (ADS) are a feature of the Windows NTFS file system that helps support the Macintosh Hierarchical File System (HFS), which used resource forks to store icons and other information for a file. This hidden stream is used to tell the system how to use the data contained in the file. For more information on ADS and how they can be a security risk, please refer to:

Reformatting a hard disk deletes all data. If you are considering reformatting and a clean install, or doing a factory restore with a Recovery Disk/Recovery Partition due to malware infection, you can back up all your important documents, personal data files and photos to a CD or DVD drive, not a flash drive or external hard drive, as they may become compromised in the process. The safest practice is not to back up any executable files (*.exe), screensavers (*.scr), autorun (.ini) or script files (.php, .asp, .htm, .html, .xml) because they may be infected by malware. Avoid backing up compressed files (.zip, .cab, .rar) that have executables inside them, as some types of malware can penetrate compressed files and infect the .exe files within them. Other types of malware may even disguise themselves by hiding a file extension or adding to the existing extension as shown in Figure 1, so be sure you look closely at the full file name. If you cannot see the file extension, you may need to reconfigure Windows to show file name extensions. Then make sure you scan the backed up data with your anti-virus prior to copying it back to your hard drive.

If your CD/DVD drive is unusable, a word of caution if you are considering backing up to an external USB hard drive as your only alternative. External drives are more susceptible to infection and can become compromised in the process of backing up data. I'm not saying you should not try using such devices, but I want to make you aware of all your options and associated risks so you can make an informed decision if it's worth that risk.

Again, do not back up any files with the following file extensions: .exe, .scr, .ini, .htm, .html, .php, .asp, .xml, .zip, .rar, .cab, as they may be infected.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
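An added example (not from the thread or from BleepingComputer) of the triage quietman7 describes above, in Python so it runs offline on any OS: it checks a staging folder against his extension list, flags the double-extension disguise he warns about (a document name with a risky extension appended, which Windows hides when extensions are hidden), and looks inside .zip files for executables. The folder, file names and "disguised" heuristic are my own construction.

```python
"""Triage a backup staging folder against the extension advice in the post above."""
import os
import tempfile
import zipfile

# Extensions the post says not to back up (executables, screensavers, autorun,
# scripts, archives), stored without the leading dot.
RISKY_EXT = {"exe", "scr", "ini", "htm", "html", "php", "asp", "xml", "zip", "rar", "cab"}


def classify_name(name: str) -> str:
    """Return 'ok', 'risky' or 'disguised' for a bare file name.

    'disguised' is the double-extension trick the post describes, e.g.
    'report.xls.exe' or 'photo.jpg      .scr': the part before the real
    extension looks like a document extension, so the name reads as harmless
    when Windows hides extensions. Padding spaces are tolerated on purpose.
    """
    parts = name.lower().split(".")
    if len(parts) < 2 or parts[-1].strip() not in RISKY_EXT:
        return "ok"
    if len(parts) > 2 and parts[-2].strip().isalpha():
        return "disguised"
    return "risky"


def triage(folder: str) -> dict[str, str]:
    """Map each file under folder to a verdict; .zip members are inspected too."""
    verdicts = {}
    for root, _dirs, files in os.walk(folder):
        for fname in files:
            full = os.path.join(root, fname)
            verdict = classify_name(fname)
            # The post warns that archives may carry infected executables inside.
            if fname.lower().endswith(".zip") and zipfile.is_zipfile(full):
                with zipfile.ZipFile(full) as zf:
                    bad = [m for m in zf.namelist() if classify_name(m.split("/")[-1]) != "ok"]
                if bad:
                    verdict = "risky (contains " + ", ".join(bad) + ")"
            verdicts[fname] = verdict
    return verdicts


def demo() -> dict[str, str]:
    """Build a constructed staging folder (not real data) and triage it."""
    tmp = tempfile.mkdtemp()
    for name in ("budget.xls", "notes.txt", "report.xls.exe", "setup.exe", "autorun.ini"):
        with open(os.path.join(tmp, name), "wb") as fh:
            fh.write(b"constructed sample content")
    with zipfile.ZipFile(os.path.join(tmp, "archive.zip"), "w") as zf:
        zf.writestr("readme.txt", "harmless")
        zf.writestr("tools/patch.exe", "constructed placeholder, not a real binary")
    return triage(tmp)
```

Run `demo()` to see the verdict map; the same `triage()` call works on a real staging folder before the disc is burned, and anything not marked `ok` should still go through the anti-virus scan the post asks for.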

#6 smak451 (Topic Starter, Members, 59 posts)

Posted 21 July 2010 - 10:44 PM

Thanks Quietman -- I've printed out your post for reference. Last question though -- most of my work files are .xls files that I'll need to access after I do a clean install/reformat. I plan on backing them up to DVD and assailing the files with every known malware scanner I can find, but I guess I can't be sure.

Maybe after a month or so I can run a RK scan and check it out? Also thought about copying the files to DVD and leaving the infected computer on for a while to see if the file sizes change. Other than that I'm at a loss as to how to have peace of mind. Any suggestions really appreciated. Thanks a lot, -- S

#7 quietman7 (Bleepin' Janitor, Global Moderator, 51,395 posts, Virginia, USA)

Posted 22 July 2010 - 06:38 AM

Just make sure you scan the backed up data with your anti-virus prior to copying it back to your hard drive.

#8 smak451 (Topic Starter, Members, 59 posts)

Posted 22 July 2010 - 12:03 PM

Quietman -- How on earth did you know my CD ROM drive would be unusable? You're like Morpheus in the Matrix. I managed to copy some of my more important files to CD & DVD and then my computer didn't recognize the drive and my burner "encountered an unexpected problem and has to close." Have you seen this before?

Please have some pity on me and let me know where to go from here... should I throw in the towel as far as trying to retrieve anything else? I've been reading everything on this whole site and then some, trying to figure out what to do and how to prevent this in the future, but getting ahead of this is just way over my head. I've never admitted defeat easily, but I feel pretty hamstrung. My programmer friends take a quick look and just say "this is bad dude, sorry to tell you but you're in a spot of trouble here." Every turn I take toward picking myself up I get slammed.

Losing everything would mean losing 1.5 years of work on a new business that is just barely starting to show some fruit. I regularly back up to 2 separate internal drives (using Acronis) if that matters -- some say it makes it easier for cyberthieves. I can try to get my Excel/Word files out of that pit of darkness and disable all macros, but that seems like child's play to these guys.

I'm stuck, nowhere to go from here. Only other thought is to extract those files by copying them to an external drive (maybe hooking them up to another computer) or using the Ubuntu method you gave me above and use them in a sandbox, or carry on after a clean install and devise decoy accounts of some kind; but I'm a rookie at this, just brainstorming.

What would you do in my situation short of throwing yourself in front of a bus? Sorry to be so long-winded, just a lot of despair. I won't keep bothering you, but if and when you have time if you could let me know the best course of action to take I'll just go with it. Thanks so much, and if there's anything I can do to return the favors you have my word as a gentleman you will be repaid with all the goodwill you guys have shown me and then some. Cheers -- S

Edited by smak451, 22 July 2010 - 12:06 PM.


#9 quietman7 (Bleepin' Janitor, Global Moderator, 51,395 posts, Virginia, USA)

Posted 22 July 2010 - 12:29 PM

If you have that much important data, then maybe it would be worth the effort to try disinfection.

Please read the pinned topic titled "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help". If you cannot complete a step, then skip it and continue with the next. In Step 7 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the Malware Response Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.
