Manny
I just did everything you mentioned in your previous
post. Found a few instances of netda, netdb and netdc.exe,
deleted them. Also from the Reg Key
HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon.
Added the line to the hosts file as there was nothing in
there to begin with.
All in safe mode.
Rebooted, logged in, and once again netdb.exe is running and
the key
HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon
has netdc.exe in the Shell section.
I am beginning to think I may have to format, which is the
last thing I want to do as I don't have the time to back
everything up and reinstall etc.
Any other ideas? Anyone?
This is a really nasty virus! I have removed many before
in my time but never before have I been given so much
grief!
Manny
-----Original Message-----
The Hosts file is located in the folder:
C:\WINDOWS\SYSTEM32\DRIVERS\ETC
Right click it, left click Open, and when the dialog box
opens click to select the radio button for: Select Program
From a List, and click the OK button. When the Open With
window opens scroll through the list of programs, click
to select and highlight Notepad, then click the OK button.
Hosts will then open in Notepad. Edit the Hosts file with
Notepad in Safe Mode leaving the only entry:
127.0.0.1 localhost
If that entry isn't there, put it there, and save.
Editing the Hosts file is VERY important because entries
made there can prevent you from updating your antivirus
definitions, and keep you from being able to scan your hard
drive with the latest virus definitions.
As for not being able to find the Registry string for
the key mentioned, something in the Registry is causing the
file to be loaded. In Safe Mode, open Regedit, click the Edit
menu, click Find, type: netda.exe. Then click the Find
Next button. When the string is found, right click it in the
right pane and then left click delete. Then press the F3 key
to find the next instance of the file being mentioned in the
Registry. Keep doing that until the entire Registry has been
searched.
Avoid reinfection. Have a decent firewall (even the
FREE version of Zone Alarm standard
is better than the Windows XP native firewall)
--
T.C.
t__cruise@[NoSpam]hotmail.com
Remove [NoSpam] to reply
It seems straightforward but does not work :-(
I did a search for all files containing the words "hosts"
in its title as it says on the Symantec site.
The files found didn't resemble what the Symantec
instructions suggested would occur. There was a file
called Hosts with no extension. When opened with Notepad
it was empty.
As for the registry, I edited the
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
from:
"explorer.exe %System%\netdc.exe"
to:
"explorer.exe"
However, in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
I couldn't find the value:
"load32"="%System%\netda.exe..."
I reboot, open task manager, and there once again I find
netda/b/c.exe and the registry I edited is the same as it
was before I edited it.
I have disabled system restore and everything else.
Followed instructions perfectly. Trying for 2 days to
repair. :-(
A desperate Manny :-(
-----Original Message-----
I looked at:
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.nibu.e.html
It seems straightforward. Are you sure that you edited
your Windows Host file with Notepad to delete all entries but:
127.0.0.1 localhost
Are you sure that you edited the registry as directed?
If so, in what way is Backdoor.Nibu.E affecting your system?
--
T.C.
t__cruise@[NoSpam]hotmail.com
Remove [NoSpam] to reply
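The two checks discussed in the posts above (a Hosts file containing only `127.0.0.1 localhost`, and the Winlogon `Shell` and `Run` values), as an added example that is not part of the original thread or of Symantec's instructions. It assumes the registry has been exported to text with Regedit and already decoded to a string; the sample inputs and the blocked hostname are constructed.

```python
import re

# Constructed sample inputs for illustration (not from a real machine).
SAMPLE_HOSTS = """\
127.0.0.1 localhost
127.0.0.1 update.av-vendor.example   # constructed blocking entry
"""
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe %System%\\netdc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"load32"="%System%\\netda.exe"
"""
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
RUN = r"hkey_local_machine\software\microsoft\windows\currentversion\run"

def audit_hosts(text):
    """Return every hosts entry other than '127.0.0.1 localhost'."""
    extra = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].split()   # drop comments, split fields
        if entry and [e.lower() for e in entry] != ["127.0.0.1", "localhost"]:
            extra.append(" ".join(entry))
    return extra

def parse_reg(text):
    """Parse a Regedit text export into {key_lowercase: {value_name: data}}."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:  # exports double every backslash; undo that
                current[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys

def audit_registry(text, names=("netda.exe", "netdb.exe", "netdc.exe")):
    """Flag a Winlogon Shell that is not plain explorer.exe, and Run values
    that reference the file names mentioned in the thread."""
    keys, findings = parse_reg(text), []
    shell = keys.get(WINLOGON, {}).get("Shell")
    if shell is not None and shell.strip().lower() != "explorer.exe":
        findings.append(("Winlogon\\Shell", shell))
    for name, data in keys.get(RUN, {}).items():
        if any(n in data.lower() for n in names):
            findings.append(("Run\\" + name, data))
    return findings

if __name__ == "__main__":
    print(audit_hosts(SAMPLE_HOSTS), audit_registry(SAMPLE_REG))
```

Running the same audit on exports taken before and after a reboot shows whether the edited values are being rewritten, which is the symptom described above.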
I have disabled system restore, rebooted and run all the
anti-virus and spyware software at my disposal. All in
Safe Mode. Doesn't find anything! I have never been so
puzzled.
-----Original Message-----
The nasty little virus could be hiding in System Restore.
Turn off System Restore, reboot, and run a virus scan
again.
How to Turn On and Turn Off System Restore in XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;310405&Product=winxp
--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User
Be Smart! Protect your PC!
http://www.microsoft.com/security/protect/
---------------------------------------------------
--- wrote in message:
| Sounds exactly like the problem I am having trying to get
| rid of backdoor.coreflood. The file it is in,
| windows/system32/DS32GVXS.dll can't be deleted as it's
| always running! I've followed Symantec's advice and
| removed a link in the registry, in safe mode, and after
| turning off the system restore function. I ran
| Ad-Aware...all to no avail. We both need similar help!
---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.716 / Virus Database: 472 - Release Date: 7/5/2004