Can't get rid of virus - Need Suggestions

Robert Brugman

Hello,
I am having a huge problem with a particular file. I have Norton Corporate
7.6 and the real time scan keeps popping up saying Backdoor.Trojan was found
in d3dnea.dll. I updated NAV, tried to quarantine, but access was denied. I
then went into safe mode and tried to look for it. It doesn't even exist
under safe mode. This led me to believe that it was being created on boot.
I went into the registry and searched for anything I didn't recognize in all
the run keys. I then searched for the filename, and deleted everything that
was there. I rebooted, and real time found it again. I've run two full
system scans, installing the updates manually off Symantec's site in
between. Does anyone know how I can get rid of this virus?

Thanks!
 
The Prophecy

Robert said:
Hello,
I am having a huge problem with a particular file. I have Norton
Corporate
7.6 and the real time scan keeps popping up saying Backdoor.Trojan
was found in d3dnea.dll. I updated NAV, tried to quarantine, but
access was denied. I then went into safe mode and tried to look for
it. It doesn't even exist under safe mode. This led me to believe
that it was being created on boot. I went into the registry and
searched for anything I didn't recognize in all the run keys. I then
searched for the filename, and deleted everything that was there. I
rebooted, and real time found it again. I've run two full system
scans, installing the updates manually off Symantec's site in
between. Does anyone know how I can get rid of this virus?

Thanks!

What OS do you have? When NAV displays the virus warning, what is the EXACT
path of the file?
 
Robert Brugman

The Prophecy said:
What OS do you have? When NAV displays the virus warning, what is the EXACT
path of the file?

I have Windows 2000 with all the security updates. The exact path of the
file is C:/Winnt/System32/d3dnea.dll

The file doesn't exist when in safe mode. Only when I boot in normal mode.

Thanks,
Robert
 
The Prophecy

Robert said:
I have Windows 2000 with all the security updates. The exact path of
the file is C:/Winnt/System32/d3dnea.dll

The file doesn't exist when in safe mode. Only when I boot in normal
mode.

Thanks,
Robert

Download this patch for the LSASS exploit for Windows 2000:

http://download.microsoft.com/downl...c3536e9f2e6e/Windows2000-KB835732-x86-ENU.EXE

Then download this removal tool for the Sasser worm.


--
Virus Removal Tools:

Sasser: http://securityresponse.symantec.com/avcenter/FxSasser.exe

Run the removal tool first, then the patch. After running the patch, reboot
your computer.
 
Robert Brugman

The Prophecy said:
Download this patch for the LSASS exploit for Windows 2000:

http://download.microsoft.com/download/f/a/a/faa796aa-399d-437a-9284-c3536e9f2e6e/Windows2000-KB835732-x86-ENU.EXE

Then download this removal tool for the Sasser worm.


--
Virus Removal Tools:

Sasser: http://securityresponse.symantec.com/avcenter/FxSasser.exe

Run the removal tool first, then the patch. After running the patch, reboot
your computer.

I already had the exploit patched, but I patched it again after running the
removal tool. It didn't work though, because the removal tool said that
Sasser was not found on my computer. I tried it in both safe mode and
regular mode.

Robert
 
The Prophecy

This is not a binaries newsgroup!


Art
http://www.epix.net/~artnpeg

I know this is not a binaries group but it was necessary to post that file
here in order to help solve the problem. I only post binaries here if
absolutely necessary and I'm not about to post a file to a different group,
then post here saying that the file the OP needs is in newsgroup X and have
them download it from there. If I post it here it is much easier to get to,
however I apologize for posting that file and will refrain from doing so in
the future.
 
me

The Prophecy said:
I know this is not a binaries group but it was necessary to
post that file here in order to help solve the problem. I
only post binaries here if absolutely necessary and I'm not
about to post a file to a different group, then post here
saying that the file the OP needs is in newsgroup X and
have them download it from there. If I post it here it is
much easier to get to, however I apologize for posting that
file and will refrain from doing so in the future.

Yeah, well, maybe. :-/

Please keep in mind that some ISPs will kill binaries posted to
non-bin. newsgroup. So, an OP in dire need is still in trouble.
OTOH, "a few" other people will be p*'d.

J
 
kurt wismer

The Prophecy said:
I know this is not a binaries group but it was necessary to post that file
here in order to help solve the problem.

no, it was not necessary... it is never necessary to post a binary...

if the file is of use to the general public then it should be on a web
page or ftp site, in which case you could have posted the URL instead...

further, asking people to run binaries from people they don't know
promotes UNsafe hex...
 
Robert Brugman

kurt wismer said:
no, it was not necessary... it is never necessary to post a binary...

if the file is of use to the general public then it should be on a web
page or ftp site, in which case you could have posted the URL instead...

further, asking people to run binaries from people they don't know
promotes UNsafe hex...

This is all fine and dandy, but so far, the only person to attempt to help
solve my problem was The Prophecy. Oh yeah, by the way...I still haven't
found a solution. Maybe someone knows the answer.

Robert
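
Added example, not part of any post in this thread: the Run keys searched in the first post are only some of the places Windows 2000 starts code from at boot. This Python sketch scans a regedit export for values that name a file, including REG_EXPAND_SZ data that regedit writes as hex(2) bytes, and labels the autostart location. The sample export, its key names ExampleNotify and ExampleSvc, and the Start entry point are constructed for the demonstration and are not findings about this trojan.

```python
import re

# Autostart locations (lower-cased key fragments); the Run keys are only the first.
AUTOSTART = [
    ("\\currentversion\\run", "Run/RunOnce key"),
    ("\\currentcontrolset\\services\\", "service or driver"),
    ("\\windows nt\\currentversion\\winlogon", "Winlogon (Shell/Userinit/Notify)"),
    ("\\windows nt\\currentversion\\windows", "AppInit_DLLs/load/run"),
]

def decode_value(raw):
    """Text of a .reg value: quoted string, or hex(1)/hex(2)/hex(7) UTF-16LE data."""
    if raw.startswith('"'):
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    m = re.match(r"hex\([127]\):(.*)", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(1).split(",") if b.strip())
        return data.decode("utf-16-le", "replace").replace("\x00", " ").strip()
    return ""  # dword or plain binary: cannot hold a path string

def find_references(reg_text, needle):
    """Return (location, key, value name, data) for every value naming `needle`."""
    reg_text = re.sub(r"\\\r?\n\s*", "", reg_text)  # join hex continuation lines
    key, hits = None, []
    for line in map(str.strip, reg_text.splitlines()):
        m = re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and m and needle.lower() in (data := decode_value(m.group(2))).lower():
            where = next((lab for frag, lab in AUTOSTART if frag in key.lower()), "other")
            hits.append((where, key, m.group(1).strip('"'), data))
    return hits

# Constructed sample export (invented key names and data, for demonstration only).
_hex = ",".join(f"{b:02x}" for b in
                "%SystemRoot%\\System32\\rundll32.exe d3dnea.dll,Start\0".encode("utf-16-le"))
SAMPLE = "\n".join([
    "Windows Registry Editor Version 5.00", "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]",
    r'"ExampleTray"="C:\\Program Files\\Example\\tray.exe"', "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ExampleNotify]",
    r'"DLLName"="d3dnea.dll"', "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc]",
    '"ImagePath"=hex(2):' + _hex[:60] + "\\\n  " + _hex[60:],
])

if __name__ == "__main__":
    for hit in find_references(SAMPLE, "d3dnea.dll"):
        print(hit)
```

A real export from regedit is UTF-16 text, so read it with encoding="utf-16" before passing it to find_references.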
 
