
Can't get rid of virus - Need Suggestions

 
 
Robert Brugman
Guest
Posts: n/a
 
      20th Jul 2004
Hello,
I am having a huge problem with a particular file. I have Norton Corporate
7.6 and the real time scan keeps popping up saying Backdoor.Trojan was found
in d3dnea.dll. I updated NAV, tried to quarantine, but access was denied. I
then went into safe mode and tried to look for it. It doesn't even exist
under safe mode. This led me to believe that it was being created on boot.
I went into the registry and searched for anything I didn't recognize in all
the run keys. I then searched for the filename, and deleted everything that
was there. I rebooted, and real time found it again. I've run two full
system scans, installing the updates manually off Symantec's site in
between. Does anyone know how I can get rid of this virus?

Thanks!


 
 
 
 
 
The Prophecy
Guest
Posts: n/a
 
      20th Jul 2004
Robert Brugman wrote:
> Hello,
> I am having a huge problem with a particular file. I have Norton
> Corporate
> 7.6 and the real time scan keeps popping up saying Backdoor.Trojan
> was found in d3dnea.dll. I updated NAV, tried to quarantine, but
> access was denied. I then went into safe mode and tried to look for
> it. It doesn't even exist under safe mode. This led me to believe
> that it was being created on boot. I went into the registry and
> searched for anything I didn't recognize in all the run keys. I then
> searched for the filename, and deleted everything that was there. I
> rebooted, and real time found it again. I've run two full system
> scans, installing the updates manually off Symantec's site in
> between. Does anyone know how I can get rid of this virus?
>
> Thanks!


What OS do you have? When NAV displays the virus warning, what is the EXACT
path of the file?


 
 
Robert Brugman
Guest
Posts: n/a
 
      20th Jul 2004
On 7/20/04 1:32 AM, in article 482Lc.61740$od7.6862@pd7tw3no, "The Prophecy"
<(E-Mail Removed)> wrote:

> Robert Brugman wrote:
>> Hello,
>> I am having a huge problem with a particular file. I have Norton
>> Corporate
>> 7.6 and the real time scan keeps popping up saying Backdoor.Trojan
>> was found in d3dnea.dll. I updated NAV, tried to quarantine, but
>> access was denied. I then went into safe mode and tried to look for
>> it. It doesn't even exist under safe mode. This led me to believe
>> that it was being created on boot. I went into the registry and
>> searched for anything I didn't recognize in all the run keys. I then
>> searched for the filename, and deleted everything that was there. I
>> rebooted, and real time found it again. I've run two full system
>> scans, installing the updates manually off Symantec's site in
>> between. Does anyone know how I can get rid of this virus?
>>
>> Thanks!

>
> What OS do you have? When NAV displays the virus warning, what is the EXACT
> path of the file?
>
>

I have Windows 2000 with all the security updates. The exact path of the
file is C:/Winnt/System32/d3dnea.dll

The file doesn't exist when in safe mode. Only when I boot in normal mode.

Thanks,
Robert


 
 
The Prophecy
Guest
Posts: n/a
 
      20th Jul 2004
Robert Brugman wrote:
> On 7/20/04 1:32 AM, in article 482Lc.61740$od7.6862@pd7tw3no, "The
> Prophecy" <(E-Mail Removed)> wrote:
>
>> Robert Brugman wrote:
>>> Hello,
>>> I am having a huge problem with a particular file. I have Norton
>>> Corporate
>>> 7.6 and the real time scan keeps popping up saying Backdoor.Trojan
>>> was found in d3dnea.dll. I updated NAV, tried to quarantine, but
>>> access was denied. I then went into safe mode and tried to look for
>>> it. It doesn't even exist under safe mode. This led me to believe
>>> that it was being created on boot. I went into the registry and
>>> searched for anything I didn't recognize in all the run keys. I then
>>> searched for the filename, and deleted everything that was there. I
>>> rebooted, and real time found it again. I've run two full system
>>> scans, installing the updates manually off Symantec's site in
>>> between. Does anyone know how I can get rid of this virus?
>>>
>>> Thanks!

>>
>> What OS do you have? When NAV displays the virus warning, what is
>> the EXACT path of the file?
>>
>>

> I have Windows 2000 with all the security updates. The exact path of
> the file is C:/Winnt/System32/d3dnea.dll
>
> The file doesn't exist when in safe mode. Only when I boot in normal
> mode.
>
> Thanks,
> Robert


Download this patch for the LSASS exploit for Windows 2000:

http://download.microsoft.com/downlo...32-x86-ENU.EXE

Then download this removal tool for the Sasser worm.


--
Virus Removal Tools:

Sasser: http://securityresponse.symantec.com...r/FxSasser.exe

Run the removal tool first, then the patch. After running the patch, reboot
your computer.



 
 
Robert Brugman
Guest
Posts: n/a
 
      21st Jul 2004
On 7/20/04 3:33 PM, in article fseLc.70462$ek5.46170@pd7tw2no, "The
Prophecy" <(E-Mail Removed)> wrote:

> Robert Brugman wrote:
>> On 7/20/04 1:32 AM, in article 482Lc.61740$od7.6862@pd7tw3no, "The
>> Prophecy" <(E-Mail Removed)> wrote:
>>
>>> Robert Brugman wrote:
>>>> Hello,
>>>> I am having a huge problem with a particular file. I have Norton
>>>> Corporate
>>>> 7.6 and the real time scan keeps popping up saying Backdoor.Trojan
>>>> was found in d3dnea.dll. I updated NAV, tried to quarantine, but
>>>> access was denied. I then went into safe mode and tried to look for
>>>> it. It doesn't even exist under safe mode. This led me to believe
>>>> that it was being created on boot. I went into the registry and
>>>> searched for anything I didn't recognize in all the run keys. I then
>>>> searched for the filename, and deleted everything that was there. I
>>>> rebooted, and real time found it again. I've run two full system
>>>> scans, installing the updates manually off Symantec's site in
>>>> between. Does anyone know how I can get rid of this virus?
>>>>
>>>> Thanks!
>>>
>>> What OS do you have? When NAV displays the virus warning, what is
>>> the EXACT path of the file?
>>>
>>>

>> I have Windows 2000 with all the security updates. The exact path of
>> the file is C:/Winnt/System32/d3dnea.dll
>>
>> The file doesn't exist when in safe mode. Only when I boot in normal
>> mode.
>>
>> Thanks,
>> Robert

>
> Download this patch for the LSASS exploit for Windows 2000:
>
> http://download.microsoft.com/downlo...9284-c3536e9f2
> e6e/Windows2000-KB835732-x86-ENU.EXE
>
> Then download this removal tool for the Sasser worm.
>
>
> --
> Virus Removal Tools:
>
> Sasser: http://securityresponse.symantec.com...r/FxSasser.exe
>
> Run the removal tool first, then the patch. After running the patch, reboot
> your computer.
>
>
>

I already had the exploit patched, but I patched it again after running the
removal tool. It didn't work though, because the removal tool said that
sasser was not found on my computer. I tried it in both safe mode and
regular mode.

Robert

 
 
null@zilch.com
Guest
Posts: n/a
 
      21st Jul 2004
On Wed, 21 Jul 2004 16:20:49 GMT, "The Prophecy"
<(E-Mail Removed)> wrote:

><snip>
>
>Download the attached file and run it.


This is not a binaries newsgroup!


Art
http://www.epix.net/~artnpeg
 
 
The Prophecy
Guest
Posts: n/a
 
      22nd Jul 2004
(E-Mail Removed) wrote:
> On Wed, 21 Jul 2004 16:20:49 GMT, "The Prophecy"
> <(E-Mail Removed)> wrote:
>
>> <snip>
>>
>> Download the attached file and run it.

>
> This is not a binaries newsgroup!
>
>
> Art
> http://www.epix.net/~artnpeg


I know this is not a binaries group but it was necessary to post that file
here in order to help solve the problem. I only post binaries here if
absolutely necessary and I'm not about to post a file to a different group,
then post here saying that the file the OP needs is in newsgroup X and have
them download it from there. If I post it here it is much easier to get to,
however I apologize for posting that file and will refrain from doing so in
the future.



 
 
me@tadyatam.invalid
Guest
Posts: n/a
 
      22nd Jul 2004
"The Prophecy" <(E-Mail Removed)> wrote in
news:t_ILc.78277$od7.41485@pd7tw3no:

> (E-Mail Removed) wrote:
>> On Wed, 21 Jul 2004 16:20:49 GMT, "The Prophecy"
>> <(E-Mail Removed)> wrote:
>>
>>> <snip>
>>>
>>> Download the attached file and run it.

>>
>> This is not a binaries newsgroup!
>>
>>
>> Art
>> http://www.epix.net/~artnpeg

>
> I know this is not a binaries group but it was necessary to
> post that file here in order to help solve the problem. I
> only post binaries here if absolutely necessary and I'm not
> about to post a file to a different group, then post here
> saying that the file the OP needs is in newsgroup X and
> have them download it from there. If I post it here it is
> much easier to get to, however I apologize for posting that
> file and will refrain from doing so in the future.
>
>
>
>

Yeah, well, maybe. :-/

Please keep in mind that some ISPs will kill binaries posted to
non-bin. newsgroup. So, an OP in dire need is still in trouble.
OTOH, "a few" other people will be p*'d.

J
--
Replies to: Njk04s_130_p(at)Ojuno(dot)Tcom
 
 
kurt wismer
Guest
Posts: n/a
 
      22nd Jul 2004
The Prophecy wrote:
> (E-Mail Removed) wrote:
>>On Wed, 21 Jul 2004 16:20:49 GMT, "The Prophecy"
>><(E-Mail Removed)> wrote:
>>
>>
>>><snip>
>>>
>>>Download the attached file and run it.

>>
>>This is not a binaries newsgroup!

>
> I know this is not a binaries group but it was necessary to post that file
> here in order to help solve the problem.


no, it was not necessary... it is never necessary to post a binary...

if the file is of use to the general public then it should be on a web
page or ftp site, in which case you could have posted the URL instead...

further, asking people to run binaries from people they don't know
promotes UNsafe hex...

--
"maxwell can tell he's in hell
just wants you to visit him there
same old game that he's playin'
his rules are never fair"
 
 
Robert Brugman
Guest
Posts: n/a
 
      24th Jul 2004



On 7/22/04 11:23 AM, in article MZQLc.1169$(E-Mail Removed),
"kurt wismer" <(E-Mail Removed)> wrote:

> The Prophecy wrote:
>> (E-Mail Removed) wrote:
>>> On Wed, 21 Jul 2004 16:20:49 GMT, "The Prophecy"
>>> <(E-Mail Removed)> wrote:
>>>
>>>
>>>> <snip>
>>>>
>>>> Download the attached file and run it.
>>>
>>> This is not a binaries newsgroup!

>>
>> I know this is not a binaries group but it was necessary to post that file
>> here in order to help solve the problem.

>
> no, it was not necessary... it is never necessary to post a binary...
>
> if the file is of use to the general public then it should be on a web
> page or ftp site, in which case you could have posted the URL instead...
>
> further, asking people to run binaries from people they don't know
> promotes UNsafe hex...


This is all fine and dandy, but so far, the only person to attempt to help
solve my problem was The Prophecy. Oh yeah, by the way...I still haven't
found a solution. Maybe someone knows the answer.

Robert

 
 
 
 