GetFlash.exe.manifest - Dumaru.ai.dll , netda.exe, netdb.exe, netdc,exe ,

Discussion in 'malware problems & news' started by wesleytheant, May 25, 2004.

Thread Status:
Not open for further replies.
  1. wesleytheant

    wesleytheant Registered Member

    Joined:
    Jan 7, 2004
    Posts:
    9
    When I visit www.FrontPagePortal.com McAfee reports a virus has been cleaned; then it reports that the W32/Dumaru.ai.dll virus has been detected and cleaned. I clean it and it repeats over and over again. When I do the virus scan it doesn't find anything.

    I'm running GoBack and I can revert to a state when I don't have the virus.

    I tried visiting the site 2 more times and both times the virus starts to infect. I then roll back to my safe state. The frontpageportal.com site is my site; is it possible that someone hacked my site to install a worm/virus on all of its visitors?

    Attached is a log file showing which files are created just before and after that point.

    McAfee doesn't find any viruses when I search. Neither does Trojan Hunter or Sophos. Any ideas?

    Thanks and standing by..
     

    Attached Files: log.txt (5.3 KB)
    Last edited: May 25, 2004
  2. Newkid

    Newkid Spyware Fighter

    Joined:
    Apr 29, 2004
    Posts:
    225
    Location:
    Memphis
    Hello Wesley,

    We are keen to know in which file(s) McAfee reported the W32/Dumaru.ai.dll virus. Do they still exist on your machine?

    Apart from that, netda.exe, netdb.exe and netdc.exe are all worm files. Please proceed in this way:

    1) Open Windows Task Manager. On Windows 95/98/ME systems, press CTRL+ALT+DELETE, while on Windows NT/2000/XP systems, press CTRL+SHIFT+ESC, and click the Processes tab.
    2) In the list of running programs, locate the following processes:
    NETDA.EXE ; NETDB.EXE ; NETDC.EXE
    3) Select the processes, then press either the End Task or the End Process button, depending on the version of Windows on your system.
    4) To check if the malware process has been terminated, close Task Manager, and then open it again. Now, close Task Manager.

    5) Go to CONTROL PANEL -> TOOLS -> FOLDER OPTIONS -> VIEW, click on "Show hidden files", and deactivate "Hide extensions for known file types" and "Hide protected operating system files".

    6) Search for netda.exe ; netdb.exe ; netdc.exe under C:. If found, delete all instances of all the files.

    7) Now, we need to remove the autostart entries from the registry, which prevents the malware from executing at startup.

    6) Open Registry Editor. To do this, click Start > Run, type Regedit, then press Enter.

    7) In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run

    In the right panel, locate and delete the entry:
    load32 = %system%\netda.exe"

    In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>WinLogon

    In the right panel, locate and replace the entry:

    Shell = "Explorer.exe %System%\netdc.exe"
    with: Shell = "Explorer.exe"

    Close Registry Editor.

    Now, Empty Recycle bin and then Restart machine.

    Now, Go here and do an online virus scan:

    http://housecall.trendmicro.com/

    Be sure and put a check in the box by Auto Clean before you do the scan. If it finds anything that it cannot clean have it delete it or make a note of the file location so you can delete it yourself.

    IMPORTANT!: I highly recommend that you go to Windows update and install all "Critical Updates and Service Packs" ASAP!. This will patch numerous security holes in IE and Windows.

    At last, you need to clear your IE cache. Remove all contents of the Temp and Temporary Internet Files folders.

    Hope it will sort your issue. But do inform us.

    With thanks !
    Newkid
     
  3. wesleytheant

    wesleytheant Registered Member

    Joined:
    Jan 7, 2004
    Posts:
    9
    Thanks for the help. I have been able to rid my computer of the virus as I said before. But the odd thing is that if I visit this website frontpageportal.com I will instantly get the virus again. I can then revert to my pc's previous state to clean.

    Do you know of any "website scanning" software that could scan the site for malicious code?

    Does anything happen when you visit the site www.FrontPagePortal.com .

    Thanks and standing by..
     
  4. Newkid

    Newkid Spyware Fighter

    Joined:
    Apr 29, 2004
    Posts:
    225
    Location:
    Memphis
    Hello Wesley,

    I have no such issue browsing the mentioned URL. That was the sole reason I suggested the fix to you.

    As you said in your first post, you keep getting the same virus warning when you browse that particular web page. So we are keen to know in which file you got the same error message. Were the file names always the same? Were you infected with the same virus every time?

    If the answer to any of the above questions is Yes, then you need to follow the advice as mentioned below.

    With thanks !
    Newkid !
     
  5. wesleytheant

    wesleytheant Registered Member

    Joined:
    Jan 7, 2004
    Posts:
    9
    McAfee reports the dumaru virus is in the prntsvr.dll file.

    I visited my site again without a problem this time. I'm happy that I'm not having the problem but I'm left with the empty feeling of an unsolved problem.

    Just a little advice; if you install ZoneAlarm don't ever try to uninstall it; it is a nightmare. If you have the choice install Kerio's free firewall. Seems to run smoother too.

    Thanks for your help.
     
  6. Newkid

    Newkid Spyware Fighter

    Joined:
    Apr 29, 2004
    Posts:
    225
    Location:
    Memphis
    You're Welcome ! :)
     
  7. Ramza

    Ramza Registered Member

    Joined:
    Jun 2, 2004
    Posts:
    7
    Hello, I'm a new member here.. I was searching Google as I have had the same problem with the netda/db/dc.exe problem. Now I have another problem..

    I followed the instructions to eliminate the registry entries and files from the computer related to the worm, but now I get a popup every time I start up that says it cannot run netdc.exe and to make sure it hasn't been moved or deleted. Anything that might fix this?

    Note: I've been able to follow ALL the steps in getting rid of the worms, EXCEPT for the

    I think this is what is causing it. I cannot find the registry entry named "WinLogon".
     
  8. RayT

    RayT Guest

    (sorry no time to register in here...)

    I got the same problem, and with ZoneAlarm installed, I can see when any app wants to access the internet.
    I already deleted (or fixed) the keys mentioned above, I killed the netda/b/c.exe files, cleaned the cache, etc. etc., then I "reload" Windows by leaving my session and entering again, then it's cool, no problem, nothing more, perfect... unless I boot my comp again... THEN the "load32...netda.exe" and "shell ..." registry keys are back again, over and over... (and I get IE wanting to connect at some times, can be once an hour or 3 times in 30 seconds...)
    So I'm wondering WHAT and WHERE is the thing that regenerates it each time, but only the reg. keys, not the exe (impossible to find it again anywhere), even if I believe that there is still some "exe" left somewhere to do so...
    (I also noticed that these trojans like to "bother" with wmplayer.exe (Media Player) and even Notepad...)

    So my question is: What can, in Windows, modify the registry keys before the start?
    (maybe something like an INI or SYS or whatever like that...)
     
  9. re2005

    re2005 Registered Member

    Joined:
    Jun 21, 2004
    Posts:
    1
    I had the netdc.exe also. I was able to delete it out of Task Manager (actually it didn't show up there, but in Security Task Manager, a shareware program), then ran into the same problem as above, no Winlogon in the registry (using Lavasoft's RegHance). Also I have not been able to view Notepad files, and in Media Player the first download of a file will play normally but subsequent downloads will not have sound. Is this similar to the above reference to Notepad and Media Player problems?
    NAV tells me the shell may be compromised. I have run Ad-Aware and S&D and deleted all that is recommended. Just thought I would add my 2 pennies' worth to this thread. o_O
     
  10. In case of Windows NT/2K/XP you might want to look for the Winlogon key under

    [HKLM]\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

    In my case iexplore.exe creates an error at start; however, the reg keys pop up again every reboot. (No solution found as yet.)
     
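A read-only audit of the indicators discussed in Newkid's removal steps (post 2: the netda/netdb/netdc processes and files, the load32 Run entry, and the Winlogon Shell value) and in post 10 (the Winlogon key lives under "Windows NT\CurrentVersion" on NT/2000/XP). This is an added example, not something posted in the thread, and it is written for a PowerShell that did not exist in 2004; it reports what it finds and deletes nothing, so the result can be reviewed before any manual cleanup. The file and value names come from the thread; the HKCU Run key is an assumption added for completeness, and both Winlogon paths (the one in post 2 and the one in post 10) are checked.

```powershell
# Added audit script (not from the thread). Run in an elevated PowerShell.
# Reports the worm indicators named in the thread; it does not delete or modify anything.

$WormNames = @('netda', 'netdb', 'netdc')                  # process names, no extension
$WormFiles = $WormNames | ForEach-Object { "$_.exe" }      # file names from the thread
$findings  = @()

# 1) Running processes (steps 2-3 above). Note: a rootkit-hidden process, as the later
#    posts describe, will not appear here either; this only covers the visible case.
$running = Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $WormNames -contains $_.ProcessName.ToLower() }
foreach ($p in $running) {
    $findings += "process  : $($p.ProcessName) (PID $($p.Id)) $($p.Path)"
}

# 2) Files in the System32 folder (step 6). -Force so hidden/system files are not skipped.
$system32 = Join-Path $env:SystemRoot 'System32'
foreach ($f in $WormFiles) {
    $path = Join-Path $system32 $f
    if (Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue) {
        $findings += "file     : $path"
    }
}

# 3) Run-key autostart entries (step 7). The thread names the value 'load32' pointing at
#    netda.exe; flag any value whose data references one of the worm files, whatever
#    its name. The HKCU key is an assumption added here, not mentioned in the thread.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $data = [string]$item.GetValue($name)
        foreach ($f in $WormFiles) {
            if ($data -imatch [regex]::Escape($f)) {
                $findings += "autostart: $key\$name = $data"
            }
        }
    }
}

# 4) Winlogon Shell value. Post 2 gives the 'Windows\CurrentVersion' path, post 10 the
#    'Windows NT\CurrentVersion' path used on NT/2000/XP; check both. The only expected
#    value is 'explorer.exe' (the thread shows it abused as "Explorer.exe %System%\netdc.exe").
$winlogonKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Winlogon',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)
foreach ($key in $winlogonKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $shell = (Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($null -eq $shell) { continue }
    if ($shell.Trim() -ine 'explorer.exe') {
        $findings += "winlogon : $key\Shell = '$shell' (expected 'explorer.exe')"
    }
}

# Report
if ($findings.Count -eq 0) {
    Write-Host '[ok] No netda/netdb/netdc indicators found.'
} else {
    Write-Host "[!] $($findings.Count) indicator(s) found:" -ForegroundColor Red
    $findings | ForEach-Object { Write-Host "    $_" }
}
```

Running this once before the cleanup and once after each reboot gives a quick answer to RayT's question in post 8: if the autostart or Winlogon lines come back while the file and process checks stay clean, whatever recreates the entries is still running and was not among the items the thread tells you to delete.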
  11. Manny

    Manny Guest

    I am experiencing many difficulties getting rid of this netda/b/c.exe. I have followed all suggestions/advice/instructions but all to no avail. Whenever I reboot my machine one of the above mentioned processes is running once again and it has reappeared again in my registry. Is there something I am not doing or is there a reason why this keeps recreating itself? It is stressing me out as I am worried that if I cannot remove it I will have to format and that is the last thing I want.
     
  12. Manny

    Manny Guest

    One problem I encountered during trying to repair was that when I did this step:
    7) In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>Windows>CurrentVersion>Run

    In the right panel, locate and delete the entry:
    load32 = %system%\netda.exe"

    I could not find load32 = %system%\netda.exe" in the right panel anywhere.
     
  13. Lindyhopper

    Lindyhopper Registered Member

    Joined:
    Jul 13, 2004
    Posts:
    1
    I was able to get rid of netda,b,c by using Security Task Manager (3rd party product). It showed that the netd.exe was a hidden process, which I could not see either in Windows Task Manager or see the .exe file in File Manager, and was able to delete it.

    http://www.neuber.com/taskmanager/index.html

    It has a 30-day trial period.

    I was unhappy that I had to download a 3rd party tool to see what I think I should have been able to see in the operating system, but happy that such a tool existed. I also saw that I had other hidden programs running, such as one left over from TurboTax.
     