Government Security
Network Security Resources

Still Unknown .... Keep Coming Back After Format

18 replies to this topic

#1 Lie8

Lie8

    Private First Class

  • Members
  • 41 posts

Posted 04 January 2008 - 08:59 AM

hi all ... dunno if these are new or not ... updated Nod/KAV already fails ... keeps coming back even after a format ... connects to net, now blocking only with Zonealarm ... any suggestions are welcome

Attached Files

  • Attached File  Viru.rar   98.71KB   45 downloads


#2 Glyph

Glyph

    General of the Army

  • GSO Management
  • 1,602 posts

Posted 04 January 2008 - 10:31 AM

KAV would catch it if it were really 'live'.
Are you sure you formatted the drive?
Try turning off your 'restore'.
It may be coming from there.

#3 Guest_DiabloHorn_*

Guest_DiabloHorn_*
  • Guests

Posted 04 January 2008 - 11:08 AM

WIN32/VB.NKL trojan


I think that's enough to figure the rest out....full up 2 date nod32.

you can also submit the file to sandboxes and online virusscanners.

#4 BilDos

BilDos

    Private First Class

  • Members
  • 66 posts

Posted 05 January 2008 - 08:43 AM

KIS detects this as Trojan.Win32.Agent.dcb
File contains malicious code.

My suggestion is:
Please run the OS in safe mode, update AV signatures, enable in KAV settings the option "Detect potential dangerous software" and perform a full scan.
If it fails, then reset your settings for AV and perform a full scan once again (maybe some of the settings are not correctly set - or disabled)

#5 Lie8

Lie8

    Private First Class

  • Members
  • 41 posts

Posted 12 January 2008 - 09:30 PM

@Glyph,
ya did that twice, but it keeps coming back
@DiabloHorn
my nod32 is updated too and i got infected, very disappointed, i am hardcore nod fan
@BilDos
will try and let u know m8

#6 Ender

Ender

    Private First Class

  • Members
  • 96 posts

Posted 13 January 2008 - 07:20 AM

You sure that something that you install after format isn't infected with this? Or maybe you're using one of those "custom" win CDs. Because it's highly unlikely to come back after format. And let's assume that it does; if so, it's still detected by 26/32 AVs on VirusTotal, including NOD. So do a clean format & install with an "original" CD, not one of those modded ones, and make sure the first thing you install is AV. Update, and then everything else.

#7 Ignatius

Ignatius

    Private First Class

  • Members
  • 84 posts

Posted 13 January 2008 - 12:03 PM

Maybe try erasing your HD with DBAN then reinstalling.

#8 genxweb

genxweb

    Corporal

  • Members
  • 191 posts

Posted 15 January 2008 - 05:09 AM

how you do this

fdisk /mbr
fdisk the drive and recreate partitions
format the drive and reinstall.
first thing you install av then go on from there. Highly doubt the virus can make it past a fdisk of the mbr and the drive.

#9 john9811

john9811

    Private

  • Members
  • 6 posts

Posted 15 January 2008 - 04:18 PM

You probably got a bootsector virus. Try reformatting all partitions and reinstalling windows.
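Added example (not part of the thread): a way to test the boot-sector theory from the defender's side by hashing the bootstrap code in sector 0 and listing the partition entries, so a copy saved before `fdisk /mbr` can be compared with one saved after. It assumes the classic 512-byte MBR layout; `inspect_mbr`, `boot_code_changed`, `build_sample` and the sample sectors are names and data constructed for this illustration.

```python
import hashlib
import struct

BOOT_CODE_LEN = 440  # bootstrap code; bytes 440-445 hold disk signature/reserved

def inspect_mbr(sector: bytes) -> dict:
    """Summarise sector 0 of a disk: boot-code hash, signature, partitions."""
    if len(sector) < 512:
        raise ValueError("need the full 512-byte sector 0")
    partitions = []
    for i in range(4):  # four 16-byte entries start at offset 446
        entry = sector[446 + 16 * i : 462 + 16 * i]
        # status, 3 CHS bytes (skipped), type, 3 CHS bytes, LBA start, sector count
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"index": i, "active": status == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "sectors": count})
    return {
        "valid_signature": sector[510:512] == b"\x55\xaa",
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }

def boot_code_changed(before: bytes, after: bytes) -> bool:
    """True when the bootstrap code differs between two saved copies of sector 0."""
    return (inspect_mbr(before)["boot_code_sha256"]
            != inspect_mbr(after)["boot_code_sha256"])

def build_sample(boot_code: bytes) -> bytes:
    """Constructed 512-byte sector with one active type-0x07 partition."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 1_000_000)
    return boot_code.ljust(446, b"\x00") + entry + bytes(48) + b"\x55\xaa"

# Constructed samples; with a real disk, pass the first 512 bytes of a raw image.
CLEAN = build_sample(b"\x90" * BOOT_CODE_LEN)
TAMPERED = build_sample(b"\xeb\xfe" + b"\x90" * (BOOT_CODE_LEN - 2))

if __name__ == "__main__":
    print(inspect_mbr(CLEAN))
    print("boot code changed:", boot_code_changed(CLEAN, TAMPERED))
```

If the hash is identical across reinstalls and matches a known-good machine with the same OS, the MBR is an unlikely hiding place and the reinfection source is elsewhere.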

#10 Blake

Blake

    Former Commander In Chief

  • Retired Admin
  • 7,334 posts

Posted 16 January 2008 - 08:52 AM

> You sure that something that you install after format isn't infected with this? Or maybe you're using one of those "custom" win CDs. Because it's highly unlikely to come back after format. And let's assume that it does; if so, it's still detected by 26/32 AVs on VirusTotal, including NOD. So do a clean format & install with an "original" CD, not one of those modded ones, and make sure the first thing you install is AV. Update, and then everything else.



I would agree with Ender; if you are using a pirated installation disk, this could be your problem.

#11 kaishuoy

kaishuoy

    Private First Class

  • Members
  • 34 posts

Posted 23 January 2008 - 06:53 PM

the malware could've gotten in after your format

#12 Ryan M

Ryan M

    Global Moderator

  • Colonel
  • 1,741 posts

Posted 01 February 2008 - 11:36 AM

You can also reformat your MBR (master boot record) with

fdisk /mbr

Edit: Didn't see this was already suggested by genxweb

> how you do this
>
> fdisk /mbr
> fdisk the drive and recreate partitions
> format the drive and reinstall.
> first thing you install av then go on from there. Highly doubt the virus can make it past a fdisk of the mbr and the drive.


There is no security on this earth. Only opportunity.
-Douglas MacArthur


#13 taknev19

taknev19

    Private

  • Members
  • 8 posts

Posted 04 February 2008 - 09:03 AM

Lie8, stupid question from me but - are you formatting your complete hard drive or just the C drive? Also, if you are formatting the complete hard drive, did you take a backup of the other drive partitions and restore them? If the malware is making copies of itself in other drive partitions apart from the C drive, and you took a backup of them which you are using to restore the system, then that could be one of the reasons why the malware is still present.
If you are still bogged down by the malware check this very cool presentation from one of the defcon15 sessions given on how end users can protect themselves from a malware by Vitaliy Kamlyuk hxxp://video.google.com/videoplay?docid=-5856330670787297158&hl=en

#14 Sleepy

Sleepy

    Private First Class

  • Members
  • 80 posts

Posted 06 February 2008 - 12:22 PM

> Lie8, stupid question from me but - are you formatting your complete hard drive or just the C drive? Also, if you are formatting the complete hard drive, did you take a backup of the other drive partitions and restore them? If the malware is making copies of itself in other drive partitions apart from the C drive, and you took a backup of them which you are using to restore the system, then that could be one of the reasons why the malware is still present.
> If you are still bogged down by the malware check this very cool presentation from one of the defcon15 sessions given on how end users can protect themselves from a malware by Vitaliy Kamlyuk hxxp://video.google.com/videoplay?docid=-5856330670787297158&hl=en


If nothing else I find the argument that he could be using a malware infected win cd to be a very valid one.

ps. try flashing cmos

#15 sjxx

sjxx

    Private

  • Members
  • 16 posts

Posted 19 February 2008 - 04:25 PM

it's a worm that spreads to every drive ( including USB ) and adds itself to autorun.inf

this worm spreads like crazy...

scanned it on jotti and it spread on the norman sandbox

so make sure to format EVERY drive, including removable ones
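Added example (not part of the thread): a triage helper for the autorun.inf behaviour described above, which parses the file from a drive root and lists the programs its `[autorun]` section would launch, so each drive can be checked before it is reconnected to a rebuilt machine. The function names, the extension list and the sample file content are constructed for this illustration.

```python
import re
from pathlib import PureWindowsPath

# Keys in [autorun] that name a program to start: open=, shellexecute=,
# and shell\<verb>\command= context-menu entries.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)
EXEC_EXT = {".exe", ".com", ".scr", ".bat", ".cmd", ".pif", ".vbs", ".js"}

def autorun_launch_entries(text: str) -> list:
    """Return (key, value) pairs from [autorun] that launch something."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if LAUNCH_KEY.match(key):
            entries.append((key.lower(), value))
    return entries

def program_of(value: str) -> str:
    """First token of a command line, honouring a quoted path."""
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    return value.split()[0] if value else ""

def suspicious_targets(text: str) -> list:
    """Programs with an executable or script extension that autorun would start."""
    programs = (program_of(v) for _, v in autorun_launch_entries(text))
    return [p for p in programs if PureWindowsPath(p).suffix.lower() in EXEC_EXT]

# Constructed sample of an autorun.inf dropped in a drive root.
SAMPLE = r"""[AutoRun]
open=svch0st.exe
shell\open\command=svch0st.exe
shell\explore\command="RECYCLER\x.exe" -e
icon=%SystemRoot%\system32\shell32.dll,4
"""

if __name__ == "__main__":
    for target in suspicious_targets(SAMPLE):
        print("autorun would launch:", target)
```

Run it against the autorun.inf in the root of every fixed and removable drive; the file is often hidden and marked as a system file, so list the root with hidden files shown.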