Computer Hijacked, safe to reinstall from Factory Image Partition?

sprtfan

Senior member
Nov 17, 2003
257
5
81
Not sure exactly what happened, but I have a relative that had his computer remotely accessed and gone through. I think he actually fell for one of those phone scams. There are some files with the name MatrixIdea on it that look like a bill receipt.

Anyway, they had remote access to his computer for several hours he said. He asked me to wipe and reinstall his computer for him. I'm not used to prebuilt systems and this one has a partition marked Factory_Image with a recovery program on it. It would be easier to use this to reinstall from but I was not sure if it could have been compromised or not. I thought recovery partitions were normally hidden and this one is not.

Thanks
 

seepy83

Platinum Member
Nov 12, 2003
2,132
3
71
I wouldn't rely on that. The entire disk should be wiped/overwritten (with DBAN or similar).
 

corkyg

Elite Member | Peripherals
Super Moderator
Mar 4, 2000
27,370
240
106
Before wiping the drive, why not copy and save the factory restore partition?
 

seepy83

Platinum Member
Nov 12, 2003
2,132
3
71
Before wiping the drive, why not copy and save the factory restore partition?

Because we don't have enough information to know what was done while some unknown person had remote access to the system.

That being said - knowing a little about the types of schemes that people are running when they call up and tell you they need to fix your PC - do I think it's likely that they screwed around with the files on the recovery partition? No. Do I think they would have gone so far as to install a rootkit? Probably not, but it wouldn't be a stretch.

Disconnect the system from any network immediately. If there isn't already a good backup of the data, copy any important files to a USB drive. Overwrite the entire disk with DBAN and reinstall the OS.
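The step "overwrite the entire disk" is only as good as your confirmation that it actually finished. The script below is an added example, not code from this thread or from DBAN: after the overwrite it scans a disk (a block device opened read-only, or an image file) in streaming chunks and reports how many non-zero bytes remain and where the first one sits, so a partially wiped drive is caught before the reinstall. The demo section builds two constructed image files in a temporary directory, one fully zeroed and one with leftover data in a single sector; the `FACTORY_IMAGE_LEFTOVER` marker is a made-up stand-in for residual data.

```python
"""Added example (not from the thread): check that a disk or partition image
contains only zeros after an overwrite, reporting where leftover data sits.
Point it at a block device such as /dev/sdb (read-only) or at an image file;
the demo below builds a constructed image in a temp file."""
import os
import tempfile

CHUNK = 1024 * 1024  # read 1 MiB at a time so a large drive streams instead of loading into RAM
SECTOR = 512


def verify_zero_wipe(path, chunk_size=CHUNK):
    """Scan `path` and return a summary: total bytes read, count of non-zero
    bytes, offset of the first non-zero byte (None if clean), and a clean flag."""
    zeros = bytes(chunk_size)
    total = 0
    nonzero = 0
    first = None
    with open(path, "rb") as fh:
        while True:
            buf = fh.read(chunk_size)
            if not buf:
                break
            if buf != zeros[:len(buf)]:
                # Slow path only for dirty chunks: locate the leftovers byte by byte.
                for i, b in enumerate(buf):
                    if b:
                        nonzero += 1
                        if first is None:
                            first = total + i
            total += len(buf)
    return {
        "bytes": total,
        "nonzero": nonzero,
        "first_nonzero_offset": first,
        "clean": nonzero == 0,
    }


def build_sample_image(path, sectors=64, dirty_sector=None):
    """Constructed sample: all-zero sectors, optionally one sector holding leftover data."""
    with open(path, "wb") as fh:
        for n in range(sectors):
            if n == dirty_sector:
                fh.write(b"FACTORY_IMAGE_LEFTOVER".ljust(SECTOR, b"\x00"))
            else:
                fh.write(bytes(SECTOR))


def demo():
    """Return the scan results for a clean and a partially wiped constructed image."""
    with tempfile.TemporaryDirectory() as d:
        clean = os.path.join(d, "clean.img")
        dirty = os.path.join(d, "dirty.img")
        build_sample_image(clean)
        build_sample_image(dirty, dirty_sector=37)
        return verify_zero_wipe(clean), verify_zero_wipe(dirty)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

On a real drive, run it against the whole device rather than a partition so the partition table and any unallocated space are covered too; a single non-zero byte means the overwrite did not complete and the drive should be wiped again before anything is installed on it.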
 

Captante

Lifer
Oct 20, 2003
30,353
10,876
136
Before wiping the drive, why not copy and save the factory restore partition?


I wouldn't trust that drive in my own system until it was wiped. Of course I am a little on the paranoid/cautious side, but better safe than sorry!
 

inachu

Platinum Member
Aug 22, 2014
2,387
2
41
Had a client that would say, "Oh, don't worry about that, just use the built-in RESTORE feature of Windows."

Funny thing: I told them that viruses like to use the restore feature too, so that when they get removed they can auto-install themselves afterwards.

To be 100% sure your system is clean, always wipe the hard drive. Microsoft went after these companies who did not supply PC owners with a Windows restore CD. Those Windows restore CDs are available by request when you call support.

Sales people of the now-dead company Circuit City would tell customers they do not need the CD, but by saying that, Circuit City was breaking the contract with Microsoft.
 

WT

Diamond Member
Sep 21, 2000
4,816
60
91
That OS restore image is just that - a custom created image for when the machine needs a fresh wipe and reinstall of the OS. I really don't think anyone who had access to the PC would care to replace that custom image with an identical image of the OS that has a backdoor loaded into it. The image needs to be unpacked during install and isn't likely to have been tampered with. They dumped the data from the boot partition to an offsite location so they can disseminate at their leisure.
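The thread's open question is whether the files on the Factory_Image partition are still the ones the vendor shipped. One way to answer it without guessing is to hash every file on the partition and diff the result against a reference manifest. This is an added example, not code from the thread or from any vendor tool; it assumes you can obtain a trustworthy reference manifest (for instance from an identical untouched machine of the same model, or one you recorded before the incident), which this thread does not establish. The demo builds two constructed directory trees with placeholder file names (`install.wim`, `bootmgr`, `extra.exe`) and placeholder contents; none of them are real vendor files.

```python
"""Added example (not from the thread): build a SHA-256 manifest of the files on
a recovery partition and diff it against a reference manifest to list files that
were added, removed or altered. The demo runs on a constructed directory tree."""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path relative to `root` (forward slashes) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def compare_manifests(reference, current):
    """Return sorted lists of files only in `current`, only in `reference`,
    and present in both but with different hashes."""
    added = sorted(set(current) - set(reference))
    removed = sorted(set(reference) - set(current))
    changed = sorted(p for p in set(reference) & set(current) if reference[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def _write(root, rel, data):
    """Helper for the constructed sample: create `rel` under `root` with `data`."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as fh:
        fh.write(data)


def demo():
    """Constructed sample: a reference tree versus a tree with one altered and one extra file."""
    with tempfile.TemporaryDirectory() as d:
        ref = os.path.join(d, "ref")
        cur = os.path.join(d, "cur")
        for root in (ref, cur):
            _write(root, "sources/install.wim", b"WIM-IMAGE-PLACEHOLDER")
            _write(root, "boot/bootmgr", b"BOOTMGR-PLACEHOLDER")
        _write(cur, "boot/bootmgr", b"BOOTMGR-PLACEHOLDER-MODIFIED")  # altered file
        _write(cur, "sources/extra.exe", b"UNEXPECTED")  # file that was never shipped
        return compare_manifests(build_manifest(ref), build_manifest(cur))


if __name__ == "__main__":
    print(demo())
```

An empty result for all three lists is only meaningful if the reference manifest itself came from somewhere the intruder could not reach; a manifest recorded on the same machine after the remote session proves nothing. If no trustworthy reference exists, the thread's fallback of wiping the whole drive and reinstalling from vendor media remains the conservative choice.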
 

xgsound

Golden Member
Jan 22, 2002
1,374
8
81
Of course, a wipe and reinstall is the most foolproof.

I would find it useful to run AdwCleaner and TDSSKiller (they each take about 5 to 10 minutes and produce logs) just to get a general idea of what malware you are working with and decide from there.

I assume all ids, passwords, and accounts are compromised and must be closely monitored immediately.

Jim
 

Ketchup

Elite Member
Sep 1, 2002
14,559
248
106
I have never seen a virus come back from a factory restore. I have seen a virus that appeared to make the factory image unusable, but a factory reset has never shown signs of bringing a virus back with it, in my experience.
 

sprtfan

Senior member
Nov 17, 2003
257
5
81
Thanks for all of the help. Luckily for him, he didn't have any banking, tax, or other personal info on the computer other than his eBay and email password. I had him disconnect it right away and I ran Identity Finder to make sure he didn't have any passwords or other info he had forgotten about. I may end up just replacing the drive with an old one I have so I can retrieve any data he might need later.