what is C:\WINNT/SYSTEM32\d3ddmbdll

jamminjamaica
Posts: 862 Forumite
in Techie Stuff
I need some serious help. I have run Grisoft anti virus but it has detected trojan horse back door agent in the above file and it cannot fix it. What do I do?
Comments
-
Try deleting the file?
I imagine it will say 'Cannot Delete, File in Use'. In which case you may have to restart the pc in Safe Mode, and delete it there.
Oh, might be worth making a copy of the file (browse to the file in My Computer, right-click on the file, click Copy, and then up top click Edit, Paste). At least if something goes wrong, you've still got a copy of the file, but because it is only a copy, nothing will be referencing it, so it can't run unless you rename it back to the original filename.
-
ALSO when I type the above file in the search for files folders I get a message saying:
you are attempting to open a file type 'Application Extension' (.dll) these files are used by operating systems and various programs. editing or modifying them could damage your system.
Help, what do I do? Can I delete this file? Does anyone know what it is?
-
I did google the file, but it didn't recognise it.
I recommend downloading Hijackthis: http://www.spychecker.com/program/hijackthis.html
Run the program, press Scan PC, then press Save log, and copy and paste the contents of that log file into a reply. Hopefully then we can understand the problem more.
-
What do I do after running the above program?
-
Open Hijackthis.
Press 'Scan', Bottom left of screen.
Press 'Save Log' Bottom left of Screen.
Popup comes up, save file wherever.
Notepad opens. Go Edit (top of notepad), click Select All, Go Edit, click Copy. Close Notepad.
Close Hijackthis. Then reply to this message, and press CTRL + V on your keyboard when typing your reply.
-
Logfile of HijackThis v1.97.7
Scan saved at 21:53:23, on 24/08/2004
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v5.00 SP2 (5.00.2920.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Compaq\EAB\EabServr.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINNT\System32\internat.exe
C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\4BUJKXMH\HijackThis[1].exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\Compaq\EAB\EabServr.exe /Start
O4 - HKLM\..\Run: [Cpqset] c:\compaq\cpqsetup\cpqset.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [Internat.exe] internat.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [BestPopUpKiller] C:\Program Files\BestPopUpKiller\BestPopupKiller.exe /startup
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0000000A-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
-
Ok, that actually looks like a pretty well maintained pc. I was hoping for some piece of spyware, or something referencing that d3dm..... file with the trojan.
So it could be that, that file is dormant, but it's best to get rid of it. Can you just double check the file name for me? - Of that d3dxxxx file I mean.
-
How do I do that? The file that the virus software detected that was infected was c:\WINNT\SYSTEM32\D3DDMB.DLL
Is that what you mean?
-
When I click on the anti virus software I get the message Trojan horse back door . agents. BA found in file C:\WINNT\SYSTEM32\d3ddmb.dll
-
Ye that's right.
Normally if you get a weird file you can type it into google.com and you can pretty quickly see if it is friend or foe, but there is no info on that filename. Bit odd...
I was hoping you made a typo, coz I know there is a file called D3DB.dll which lives in the System32 folder, and that is a Backdoor trojan.
If you can, it might be worth getting another virus scanner to confirm there is a virus there. Do you use Panda Antivirus as well?
This discussion has been closed.
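The manual check made on the HijackThis log in this thread (does any entry reference the detected file?), written as a small script. This is an added example, not part of the original discussion. It also lists R0/R1 (Internet Explorer start/search) values that point at a file:// path under a Temp folder, which this example assumes is worth a second look. The function names and the trimmed log excerpt are the example's own.

```python
import re

# Excerpt of the HijackThis log posted in the thread above (not the full log).
SAMPLE_LOG = r"""Running processes:
C:\WINNT\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKCU\..\Run: [Internat.exe] internat.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")        # "R1 - ...", "O16 - ..."
TEMP_DIR = re.compile(r"\\te?mp\\", re.IGNORECASE)    # "\Temp\" or "\Tmp\"

def parse(log_text):
    """Split a log into running-process paths and (section, body) entries."""
    processes, entries, in_procs = [], [], False
    for line in log_text.splitlines():
        line = line.strip()
        m = ENTRY.match(line)
        if m:
            in_procs = False
            entries.append((m.group(1), m.group(2)))
        elif line.lower().startswith("running processes"):
            in_procs = True
        elif in_procs and line:
            processes.append(line)
    return processes, entries

def triage(log_text, filename):
    """Return lines mentioning `filename` and IE settings that point at temp files."""
    processes, entries = parse(log_text)
    needle = filename.lower()
    mentions = [p for p in processes if needle in p.lower()]
    mentions += [f"{s} - {b}" for s, b in entries if needle in b.lower()]
    local_pages = []
    for section, body in entries:
        if section in ("R0", "R1"):
            _, _, value = body.partition(" = ")
            if value.lower().startswith("file://") and TEMP_DIR.search(value):
                local_pages.append((section, value))
    return {"mentions": mentions, "local_pages": local_pages}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, "d3ddmb.dll"))
```

An empty `mentions` list only shows that nothing in the log's autostart, browser or process sections names the file; it says nothing about whether the file on disk is clean.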