Backdoor.Nibu.E.

From: Manny (anonymous_at_discussions.microsoft.com)
Date: 07/08/04


Date: Wed, 7 Jul 2004 20:56:27 -0700

I just did everything you mentioned in your previous
post. Found a few instances of netda, netdb and netdc.exe
and deleted them. Also from the Reg Key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.
Added the line to the hosts file as there was nothing in
there to begin with.
All in Safe Mode.
Rebooted, logged in, and once again netdb.exe is running and
the key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
has netdc.exe in the Shell section.
I am beginning to think I may have to format, which is the
last thing I want to do as I don't have the time to back
everything up and reinstall etc.
Any other ideas? Anyone?
This is a really nasty virus! I have removed many before
in my time but never before have I been given so much
grief!

Manny

>-----Original Message-----
>The Hosts file is located in the folder:
>
>C:\WINDOWS\SYSTEM32\DRIVERS\ETC
>
>Right click it, left click Open, and when the dialog box
>opens click to select the radio button for: Select Program
>From a List, and click the OK button. When the Open With
>window opens scroll through the list of programs, click
>to select and highlight Notepad, then click the OK button.
>Hosts will then open in Notepad. Edit the Hosts file with
>Notepad in Safe Mode leaving the only entry:
>
>127.0.0.1 localhost
>
>If that entry isn't there, put it there, and save.
>
>Editing the Hosts file is VERY important because entries
>made there can prevent you from updating your antivirus
>definitions, and keep you from being able to scan your
>hard drive with the latest virus definitions.
>
>As for not being able to find the Registry string for
>the key mentioned, something in the Registry is causing
>the file to be loaded. In Safe Mode, open Regedit, click
>the Edit menu, click Find, type: netda.exe. Then click the
>Find Next button. When the string is found, right click it
>in the right pane and then left click Delete. Then press
>the F3 key to find the next instance of the file being
>mentioned in the Registry. Keep doing that until the
>entire Registry has been searched.
>
>Avoid reinfection. Have a decent firewall (even the
>FREE version of Zone Alarm standard is better than the
>Windows XP native firewall)
>--
>
>T.C.
>t__cruise@[NoSpam]hotmail.com
>Remove [NoSpam] to reply
>
>
>"Manny" <anonymous@discussions.microsoft.com> wrote in message
>news:28bea01c46423$b7ef6910$a301280a@phx.gbl...
>> It seems straightforward but does not work :-(
>> I did a search for all files containing the word "hosts"
>> in their title as it says on the Symantec site.
>> The files found didn't resemble what the Symantec
>> instructions suggested would occur. There was a file
>> called Hosts with no extension. When opened with Notepad
>> it was empty.
>> As for the registry, I edited the
>> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
>> from:
>> "explorer.exe %System%\netdc.exe"
>> to:
>> "explorer.exe"
>> However, in
>> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
>> I couldn't find the value:
>> "load32"="%System%\netda.exe..."
>>
>> I reboot, open Task Manager, and there once again I
>> find netda/b/c.exe and the registry I edited is the same
>> as it was before I edited it.
>>
>> I have disabled System Restore and everything else.
>> Followed instructions perfectly. Trying for 2 days to
>> repair. :-(
>>
>> A desperate Manny :-(
>>
>>
>> >-----Original Message-----
>> >I looked at:
>> >
>> >http://securityresponse.symantec.com/avcenter/venc/data/backdoor.nibu.e.html
>> >
>> >It seems straightforward. Are you sure that you edited
>> >your Hosts file with Notepad to delete all entries but:
>> >
>> >127.0.0.1 localhost
>> >
>> >Are you sure that you edited the registry as directed?
>> >
>> >If so, in what way is Backdoor.Nibu.E affecting your
>> >system?
>> >--
>> >
>> >T.C.
>> >t__cruise@[NoSpam]hotmail.com
>> >Remove [NoSpam] to reply
>> >
>> >
>> >"Manny" <anonymous@discussions.microsoft.com> wrote in message
>> >news:2742001c463ea$95a74140$a601280a@phx.gbl...
>> >> I have disabled System Restore, rebooted and run all
>> >> the anti-virus and spyware software at my disposal. All
>> >> in Safe Mode. Doesn't find anything! I have never been
>> >> so puzzled.
>> >>
>> >>
>> >> >-----Original Message-----
>> >> >The nasty little virus could be hiding in System Restore.
>> >> >Turn off System Restore, reboot, and run a virus scan
>> >> >again.
>> >> >
>> >> >How to Turn On and Turn Off System Restore in Windows XP
>> >> >http://support.microsoft.com/default.aspx?scid=kb;en-us;310405&Product=winxp
>> >> >
>> >> >--
>> >> >Carey Frisch
>> >> >Microsoft MVP
>> >> >Windows XP - Shell/User
>> >> >
>> >> >Be Smart! Protect your PC!
>> >> >http://www.microsoft.com/security/protect/
>> >> >
>> >> >--------------------------------------------------------------------------------
>> >> >
>> >> >"Bram L." <anonymous@discussions.microsoft.com> wrote in message:
>> >> >news:278c701c463a2$87e52650$a501280a@phx.gbl...
>> >> >
>> >> >| Sounds exactly like the problem I am having trying
>> >> >| to get rid of backdoor.coreflood. The file it is in,
>> >> >| windows/system32/DS32GVXS.dll, can't be deleted as
>> >> >| it's always running! I've followed Symantec's advice
>> >> >| and removed a link in the registry, in safe mode, and
>> >> >| after turning off the System Restore function. I ran
>> >> >| Ad-Aware...all to no avail. We both need similar help!
>> >> >
>> >> >
>> >
>> >
>> >---
>> >Outgoing mail is certified Virus Free.
>> >Checked by AVG anti-virus system (http://www.grisoft.com).
>> >Version: 6.0.716 / Virus Database: 472 - Release Date: 7/5/2004
>> >
>> >
>> >
>
>
>
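The manual checks T.C. walks Manny through in this thread (a hosts file cut back to the single line 127.0.0.1 localhost, the Winlogon Shell value restored to plain explorer.exe, and a Regedit Find/F3 sweep for every mention of netda.exe, netdb.exe and netdc.exe) can be scripted so they are repeatable and can be run against copies of the files rather than on the live box. The Python below is an added example written for this page; it is not code from the thread, from Microsoft or from Symantec's writeup. It assumes the hosts file and a regedit .reg export have been saved to disk, and the sample inputs embedded in it are constructed for illustration (the C:\WINDOWS\system32 paths, the benign "Example" Run value and the update.example-av.net host are made up, not observed).

```python
"""Audit a Windows hosts file and a regedit (.reg) export for the
Backdoor.Nibu.E indicators discussed in the thread.  Added example; the
sample inputs at the bottom are constructed, not captured from a machine."""
import re

# The only entry that should remain in hosts after cleanup (per the thread).
BASELINE_HOSTS = {("127.0.0.1", "localhost")}

# File names from the thread.  Matching is on the bare name, so a full
# path such as C:\WINDOWS\system32\netdc.exe is caught as well.
SUSPECT_FILES = ("netda.exe", "netdb.exe", "netdc.exe")

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def audit_hosts(text):
    """Return (line_no, ip, hostname) for every hosts entry other than the
    baseline.  An entry that points an update server at loopback is what
    stops antivirus definitions from downloading, which is why the thread
    insists on reducing the file to one line."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            if (ip, name.lower()) not in BASELINE_HOSTS:
                findings.append((line_no, ip, name))
    return findings


_KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"="data"  or  @="data" (the key's default value)
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s):
    # .reg string data escapes backslash and double quote with a backslash.
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg_export(text):
    """Parse the subset of the regedit export format needed here: [key]
    headers and "name"="string" values.  Quoted string data is unescaped;
    anything else (dword:, hex:, hex(2):) is stored as the raw text after
    the '=' and is not decoded.  Returns {key: {value_name: data}}."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = _unescape(m.group(1)) if m.group(1) is not None else "(Default)"
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def audit_registry(keys):
    """Return (key, value_name, data, reason) for every value that either
    sets the Winlogon Shell to something other than plain explorer.exe, or
    mentions one of the suspect file names anywhere in the export (the
    scripted equivalent of T.C.'s Regedit Find / F3 sweep)."""
    findings = []
    for key, values in keys.items():
        for name, data in values.items():
            reasons = []
            if (key.lower() == WINLOGON_KEY.lower() and name.lower() == "shell"
                    and data.strip().lower() != "explorer.exe"):
                reasons.append("Winlogon Shell is not plain explorer.exe")
            hits = [f for f in SUSPECT_FILES if f in data.lower()]
            if hits:
                reasons.append("references " + ", ".join(hits))
            if reasons:
                findings.append((key, name, data, "; ".join(reasons)))
    return findings


# Constructed sample inputs (not from a real machine).
SAMPLE_HOSTS = """\
# hosts file (constructed sample)
127.0.0.1       localhost
127.0.0.1       update.example-av.net   # hypothetical AV update host sent to loopback
"""

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe C:\\WINDOWS\\system32\\netdc.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"load32"="C:\\WINDOWS\\system32\\netda.exe"
"Example"="C:\\Program Files\\Example\\example.exe"
"""

if __name__ == "__main__":
    for hit in audit_hosts(SAMPLE_HOSTS):
        print("hosts line %d: %s %s" % hit)
    for hit in audit_registry(parse_reg_export(SAMPLE_REG)):
        print("registry: %s\\%s = %r (%s)" % hit)
```

Two practical notes. A .reg file written by Regedit 5.00 is UTF-16 with a byte-order mark, so read it with open(path, encoding="utf-16") before passing the text to parse_reg_export. And the script only reports: the thread shows the Shell value and the netd?.exe processes coming back after a reboot even though they were deleted in Safe Mode, so treat a clean result as a point-in-time snapshot and re-run the audit after the next logon.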