Virus Question - d3dnea.dll

Robert Brugman

Hello,
I am having a huge problem with a particular file. I have Norton Corporate
7.6 on Windows 2000 SP4 and the real time scan keeps popping up saying
Backdoor.Trojan was found in d3dnea.dll. I updated NAV, tried to
quarantine, but access was denied. I then went into safe mode and tried to
look for it. It doesn't even exist under safe mode. This led me to believe
that it was being created on boot.
I went into the registry and searched for anything I didn't recognize in all
the run keys. I then searched for the filename, and deleted everything that
was there. I rebooted, and real time found it again. I've run two full
system scans, installing the updates manually off Symantec's site in
between. I also installed AVG Free and have run that with no success.
Doesn't even detect it. Does anyone know how I can get rid of this virus?
The full filename is C:\Winnt\system32\d3dnea.dll
I also tried posting this in the anti-virus newsgroups, but my quest there
ended with people arguing back and forth about posting binaries.


Thanks in advance for everyone's help!
Robert
 
Kenny Wood

Hello,

Without having any more details, I would think that you have a rootkit on your system, or a kit
that is blocking your ability to see this file (and possibly others).

There are several scanners or products on the web that can help detect these files.

Below is some basic information on the subject:
http://www.windowsecurity.com/articles/Hidden_Backdoors_Trojan_Horses_and_Rootkit_Tools_in_a_Windows_Environment.html

Thank you for your post.

Kenny Wood
CISSP, MCSE (+S, +M)
PSS Security
Microsoft Corporation
--

This posting is provided "AS IS" with no warranties, and confers no rights. Use of included
script samples are subject to the terms specified at http://www.microsoft.com/info/cpyright.htm

Note: For the benefit of the community-at-large, all responses to this message are best
directed to the newsgroup/thread from which they originated.
--------------------
| From: Robert Brugman <[email protected]>
| Newsgroups: microsoft.public.win2000.security
| Subject: Virus Question - d3dnea.dll
| Date: Sat, 24 Jul 2004 19:00:59 -0400
| Organization: Posted via Supernews, http://www.supernews.com
 
Robert Brugman

I am in utter confusion now. I downloaded the programs mentioned in that
link, but my success has been absolutely terrible. I renamed my regedit and
taskmgr applications as administrator as mentioned, and looked through the
processes and registry. I deleted a couple of registry keys (which have
since come back because I deleted them before too), but there is nothing
running. I then used Process Explorer to shut down all the processes I
could without making Windows crash. I also ran drivers.exe and
listdlls.exe. I would think since the infected file is a dll, and it can't
be deleted because it's "running" that it would be on the list. Not the
case. Nothing even related to it. I'm almost at the point where I'm going
to have to reinstall Windows if I can't figure out how to get rid of this
pest.

Robert
 
Robert Brugman

I figured it out. Norton finally told me something other than
Backdoor.Trojan. This morning it called it Backdoor.Agent.B, and I was able
to get the removal tool from AVG and everything is back to normal.

Thanks for all your help!
Robert
 
