Backdoor.Nibu.E.


Manny

I just did everything you mentioned in your previous post. Found a few instances of netda, netdb and netdc.exe and deleted them. Also from the Reg Key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.
Added the line to the hosts file as there was nothing in there to begin with.
All in safe mode.
Rebooted, logged in, and once again netdb.exe is running and the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon has netdc.exe in the Shell section.
I am beginning to think I may have to format, which is the last thing I want to do as I don't have the time to back everything up and reinstall etc.
Any other ideas? Anyone?
This is a really nasty virus! I have removed many before in my time but never before have I been given so much grief!

Manny
-----Original Message-----
The Hosts file is located in the folder:

C:\WINDOWS\SYSTEM32\DRIVERS\ETC

Right click it, left click Open, and when the dialog box opens click to select the radio button for: Select Program From a List, and click the OK button. When the Open With window opens scroll through the list of programs, click to select and highlight Notepad, then click the OK button. Hosts will then open in Notepad. Edit the Hosts file with Notepad in Safe Mode leaving the only entry:

127.0.0.1 localhost

If that entry isn't there, put it there, and save.

Editing the Hosts file is VERY important because entries made there can prevent you from updating your antivirus definitions, and keep you from being able to scan your hard drive with the latest virus definitions.

As for not being able to find the Registry string for the key mentioned, something in the Registry is causing the file to be loaded. In Safe Mode, open Regedit, click the Edit menu, click Find, type: netda.exe. Then click the Find Next button. When the string is found, right click it in the right pane and then left click Delete. Then press the F3 key to find the next instance of the file being mentioned in the Registry. Keep doing that until the entire Registry has been searched.

Avoid reinfection. Have a decent firewall (even the FREE version of Zone Alarm standard is better than the Windows XP native firewall).
--

T.C.
t__cruise@[NoSpam]hotmail.com
Remove [NoSpam] to reply


It seems straightforward but does not work :-(
I did a search for all files containing the word "hosts" in the title as it says on the Symantec site.
The files found didn't resemble what the Symantec instructions suggested would occur. There was a file called Hosts with no extension. When opened with Notepad it was empty.
As for the registry, I edited the
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
from:
"explorer.exe %System%\netdc.exe"
to:
"explorer.exe"
However, in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
I couldn't find the value:
"load32"="%System%\netda.exe..."

I reboot, open Task Manager, and there once again I find netda/b/c.exe and the registry I edited is the same as it was before I edited it.

I have disabled System Restore and everything else. Followed instructions perfectly. Trying for 2 days to repair. :-(

A desperate Manny :-(

-----Original Message-----
I looked at:
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.nibu.e.html

It seems straightforward. Are you sure that you edited your Hosts file with Notepad to delete all entries but:

127.0.0.1 localhost

Are you sure that you edited the registry as directed?

If so, in what way is Backdoor.Nibu.E affecting your system?
--

T.C.
t__cruise@[NoSpam]hotmail.com
Remove [NoSpam] to reply




I have disabled System Restore, rebooted and run all the anti-virus and spyware software at my disposal. All in Safe Mode. Doesn't find anything! I have never been so puzzled.


-----Original Message-----
The nasty little virus could be hiding in System Restore.
Turn off System Restore, reboot, and run a virus scan
again.

How to Turn On and Turn Off System Restore in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;310405&Product=winxp

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User

Be Smart! Protect your PC!
http://www.microsoft.com/security/protect/

---
--- wrote in message:

| Sounds exactly like the problem I am having trying to get
| rid of backdoor.coreflood. The file it is in,
| windows/system32/DS32GVXS.dll can't be deleted as it's
| always running! I've followed Symantec's advice and
| removed a link in the registry, in safe mode, and after
| turning off the system restore function. I ran Ad-
| Aware...all to no avail. We both need similar help!




---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.716 / Virus Database: 472 - Release Date: 7/5/2004
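The two persistence points this thread keeps returning to are the hosts file (which should contain only `127.0.0.1 localhost`) and the Winlogon Shell value (which should be exactly `explorer.exe`, not `explorer.exe %System%\netdc.exe`). The following is an added example, not code from the thread or from Symantec, that audits both from text input so it runs offline; the sample hosts entry and the function names are constructed for illustration.

```python
# Added example: audit the hosts file and the Winlogon "Shell" value for the
# modifications the thread attributes to Backdoor.Nibu.E. Inputs are plain
# strings, so on a real machine you would pass in the contents of
# C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts and the Shell value read from
# HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.

# File names the thread identifies as belonging to the backdoor.
NIBU_FILES = {"netda.exe", "netdb.exe", "netdc.exe"}

# Constructed sample inputs (not taken from a real infection):
SAMPLE_HOSTS = "127.0.0.1 localhost\n127.0.0.1 av-update.example.com  # constructed\n"
SAMPLE_SHELL = "explorer.exe %System%\\netdc.exe"


def audit_hosts(hosts_text):
    """Return every hosts entry other than the plain '127.0.0.1 localhost' line.

    Any extra entry (e.g. an AV vendor's update host pointed at 127.0.0.1)
    can block definition updates, which is why T.C. insists on cleaning it.
    """
    suspicious = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        fields = line.split()
        if fields[0] == "127.0.0.1" and fields[1:] == ["localhost"]:
            continue
        suspicious.append(line)
    return suspicious


def audit_winlogon_shell(shell_value):
    """Return programs chained onto the Shell value beyond explorer.exe itself."""
    tokens = shell_value.strip().split()
    return [t for t in tokens if t.lower() != "explorer.exe"]


def nibu_indicators(hosts_text, shell_value):
    """Run both audits and list any known Nibu file names found in the Shell value."""
    findings = {
        "hosts": audit_hosts(hosts_text),
        "shell_extras": audit_winlogon_shell(shell_value),
    }
    findings["nibu_files"] = sorted(
        f for f in NIBU_FILES
        if any(f in extra.lower() for extra in findings["shell_extras"]))
    return findings


if __name__ == "__main__":
    print(nibu_indicators(SAMPLE_HOSTS, SAMPLE_SHELL))
```

If the Shell value comes back clean in Safe Mode but is dirty again after a normal boot, a still-running component is rewriting it, which matches what Manny and Chris describe.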

Stupid User

Hi all,

I too have the exact same issue as Manny. I have done all of the suggested fixes on all of the sites I can find but each time I reboot I still have HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon with netdc.exe in the Shell section.

This is the only remaining bit of Nibu. The hosts file is correctly edited etc etc. Help!

How do we fix this?!

Chris
