Possible virus -- D3DRM.EXE under Windows 2000

  • Thread starter Thread starter Dan Williams
  • Start date Start date
D

Dan Williams

October 28, 2004
Windows 2000 SP4

Yesterday my firewall caught an executable file trying to make an
outgoing connection. The executable is D3DRM.EXE and resides in the
Winnt\System32 directory. I denied the connection and didn't pay much
attention it. Yesterday, later in the day, I noticed that the system
was slowing to a crawl. Rebooting brought it back to normal. Before
leaving the house for the day, I set Forte Agent to download a ton of
binaries that would take several days to download.

Came back this morning, not much had been downloaded in Agent, system
was extremely slow, alt-tab between apps didn't work, couldn't bring
Task Manager forward to see what was eating the CPU, had to hit reset
button. Soon after rebooting, D3DRM.EXE makes an outgoing connection
attempt to port 80 of

lineAR50.velocom.com.ar

which I deny. Browsing to http://www.velocom.com.ar reveals an
apparently legit site of an telecom company in Argentina.

I then do a virus check with Syamantec Corporate 8.1.0825 with the
most recent definitions (10/27/04 rev 18) that comes up negative. Also
negative is a check for spyware using Ad-aware 6 with the most recent
defs (01R347 26.10.2004). The file D3DRM.EXE is in one of the Run keys
in the Registry so it loads at startup.

Searching Symantec virus list for D3DRM is negative. Google search for
D3DRM.EXE has zero hits, for D3DRM without the extension has many hits
that all seem to be about programming, the file is related to DirectX.

Checkinig the DirectX diagnostic tool reveals that D3DRM.DLL is a part
of DirectX, but D3DRM.EXE is not listed on the 'DirectX Files' tab.
When right-clicking D3DRM.EXE and choosing Properties, there is no
Version tab like with most/all the other EXE's, the file looks
suspicious.

I have been surfing to some semi-questionable sites recently and
suspect that this D3DRM.EXE is some kind of malware that is very new.
Going to remove the Run key in the Registry and see if everything is
back to normal.

Anyone know anything about D3DRM.EXE?
 
Dan Williams said:
Yesterday my firewall caught an executable file trying to make an
outgoing connection. The executable is D3DRM.EXE and resides in the
Winnt\System32 directory. I denied the connection and didn't pay much
attention it. Yesterday, later in the day, I noticed that the system
was slowing to a crawl. Rebooting brought it back to normal. Before
leaving the house for the day, I set Forte Agent to download a ton of
binaries that would take several days to download.
Click to expand...
Anyone know anything about D3DRM.EXE?
Click to expand...

Diagnosing (possible) malware by filename is generally pretty
pointless...

Send the file to the AV developers you trust to do a good job analysing
it (this may well be more than just Symantec whose product you use).
To save you having to look them all up, here is a list of the suspect
file submission addresses for the better-known AV products:

Authentium (Command Antivirus) <[email protected]>
Computer Associates (US) <[email protected]>
Computer Associates (Vet/EZ) <[email protected]>
DialogueScience (Dr. Web) <[email protected]>
Eset (NOD32) <[email protected]>
F-Secure Corp. <[email protected]>
Frisk Software (F-PROT) <[email protected]>
Grisoft (AVG) <[email protected]>
H+BEDV (AntiVir, Vexira engine) <[email protected]>
Kaspersky Labs <[email protected]>
Network Associates (McAfee) <[email protected]>
(use a ZIP file with the password 'infected' without the quotes)
Norman (NVC) <[email protected]>
Panda Software <[email protected]>
Sophos Plc. <[email protected]>
Symantec (Norton) <[email protected]>
Trend Micro (PC-cillin) <[email protected]>
(Trend may only accept files from users of its products)
 
Anyone know anything about D3DRM.EXE?
Click to expand...

zip it, password protect it with the word 'infected' but without the ''
and mail it (e-mail address removed) you should get a reply a few seconds later
with an automated sandbox analysis, or mail it over to
(e-mail address removed) and we will look at it and reply by return.

HTH
 
1) Download the following three items...

Trend Sysclean Package
http://www.trendmicro.com/download/dcs.asp

Latest Trend signature files.
http://www.trendmicro.com/download/pattern.asp

Adaware SE (personal free version)
http://www.lavasoftusa.com/

Create a directory.
On drive "C:\"
(e.g., "c:\New Folder")
or the desktop
(e.g., "C:\Documents and Settings\lipman\Desktop\New Folder")

Download sysclean.com and place it in that directory.
Dowload the signature files (pattern files) by obtaining the ZIP file.
For example; lpt220.zip

Extract the contents of the ZIP file and place the contents in the same directory as
sysclean.com.

2) Update Adware with the latest definitions.
3) If you are using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
4) Reboot your PC into Safe Mode
5) Using both the Trend Sysclean utility and Adaware, perform a Full Scan of your
platform and clean/delete any infectors/parasites found.
(a few cycles may be needed)
6) Restart your PC and perform a "final" Full Scan of your platform using both the
Trend Sysclean utility and Adaware
7) If you are using WinME or WinXP,Re-enable System Restore and re-apply any
System Restore preferences, (e.g. HD space to use suggested 400 ~ 600MB),
8) Reboot your PC.
9) If you are using WinME or WinXP, create a new Restore point

You can also try some of the below online scanners.

Trend:
http://housecall.antivirus.com
http://housecall.trendmicro.com

F-Secure:
http://support.f-secure.com/enu/home/ols.shtml

McAfee:
http://www.mcafee.com/myapps/mfs/default.asp

Panda:
http://www.pandasoftware.com/activescan/

Kaspersky:
http://www.kaspersky.com/de/scanforvirus

Symantec:
http://security.symantec.com/

BitDefender
http://www.bitdefender.com/scan/license.php

Freedom Online scanner
http://www.freedom.net/viruscenter/index.html


* * * Please report your results ! * * *

Dave






| October 28, 2004
| Windows 2000 SP4
|
| Yesterday my firewall caught an executable file trying to make an
| outgoing connection. The executable is D3DRM.EXE and resides in the
| Winnt\System32 directory. I denied the connection and didn't pay much
| attention it. Yesterday, later in the day, I noticed that the system
| was slowing to a crawl. Rebooting brought it back to normal. Before
| leaving the house for the day, I set Forte Agent to download a ton of
| binaries that would take several days to download.
|
| Came back this morning, not much had been downloaded in Agent, system
| was extremely slow, alt-tab between apps didn't work, couldn't bring
| Task Manager forward to see what was eating the CPU, had to hit reset
| button. Soon after rebooting, D3DRM.EXE makes an outgoing connection
| attempt to port 80 of
|
| lineAR50.velocom.com.ar
|
| which I deny. Browsing to http://www.velocom.com.ar reveals an
| apparently legit site of an telecom company in Argentina.
|
| I then do a virus check with Syamantec Corporate 8.1.0825 with the
| most recent definitions (10/27/04 rev 18) that comes up negative. Also
| negative is a check for spyware using Ad-aware 6 with the most recent
| defs (01R347 26.10.2004). The file D3DRM.EXE is in one of the Run keys
| in the Registry so it loads at startup.
|
| Searching Symantec virus list for D3DRM is negative. Google search for
| D3DRM.EXE has zero hits, for D3DRM without the extension has many hits
| that all seem to be about programming, the file is related to DirectX.
|
| Checkinig the DirectX diagnostic tool reveals that D3DRM.DLL is a part
| of DirectX, but D3DRM.EXE is not listed on the 'DirectX Files' tab.
| When right-clicking D3DRM.EXE and choosing Properties, there is no
| Version tab like with most/all the other EXE's, the file looks
| suspicious.
|
| I have been surfing to some semi-questionable sites recently and
| suspect that this D3DRM.EXE is some kind of malware that is very new.
| Going to remove the Run key in the Registry and see if everything is
| back to normal.
|
| Anyone know anything about D3DRM.EXE?
|
 
Dan Williams said:
October 28, 2004
Windows 2000 SP4

Yesterday my firewall caught an executable file trying to make an
outgoing connection. The executable is D3DRM.EXE and resides in the
Winnt\System32 directory. I denied the connection and didn't pay much
attention it. Yesterday, later in the day, I noticed that the system
was slowing to a crawl. Rebooting brought it back to normal. Before
leaving the house for the day, I set Forte Agent to download a ton of
binaries that would take several days to download.

Came back this morning, not much had been downloaded in Agent, system
was extremely slow, alt-tab between apps didn't work, couldn't bring
Task Manager forward to see what was eating the CPU, had to hit reset
button. Soon after rebooting, D3DRM.EXE makes an outgoing connection
attempt to port 80 of

lineAR50.velocom.com.ar

which I deny. Browsing to http://www.velocom.com.ar reveals an
apparently legit site of an telecom company in Argentina.

I then do a virus check with Syamantec Corporate 8.1.0825 with the
most recent definitions (10/27/04 rev 18) that comes up negative. Also
negative is a check for spyware using Ad-aware 6 with the most recent
defs (01R347 26.10.2004). The file D3DRM.EXE is in one of the Run keys
in the Registry so it loads at startup.

Searching Symantec virus list for D3DRM is negative. Google search for
D3DRM.EXE has zero hits, for D3DRM without the extension has many hits
that all seem to be about programming, the file is related to DirectX.

Checkinig the DirectX diagnostic tool reveals that D3DRM.DLL is a part
of DirectX, but D3DRM.EXE is not listed on the 'DirectX Files' tab.
When right-clicking D3DRM.EXE and choosing Properties, there is no
Version tab like with most/all the other EXE's, the file looks
suspicious.

I have been surfing to some semi-questionable sites recently and
suspect that this D3DRM.EXE is some kind of malware that is very new.
Going to remove the Run key in the Registry and see if everything is
back to normal.

Anyone know anything about D3DRM.EXE?
Click to expand...

Try using AdAwareSE instead of AdAware6.(free version)
Also try SpyBot.(also free)
Update both before running.
 
Apparently I've got the same problem but with a different name. I'm running
xp pro. My firewall stopped it and then manually renaming it and removing it
from the msconfig startup has seemed to completely stop it. Mine was named
webclnt.exe and was located in c:\windows\system32\webclnt.exe. It appears
that the developer is naming these files after dll files. I have not noticed
any problems or any slow down what so ever. Google searches are coming up
empty on this.

Here is what Kerio Personal Firewall stopped:
'WEBCLNT.EXE' from your computer wants to connect to
lineaAR50.velocom.com.ar [200.59.49.50], port 80

Searching my registry I found this:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared
Tools\MSConfig\startupreg\webclnt
 
Back
Top