Backdoor.Trojan

Swampster

Senior member
Mar 17, 2000
349
0
0
I am trying to help a friend with their computer. When they open a program (it really doesn't matter which), they get a Norton warning that it found a Backdoor.Trojan in LOGALEP.DLL. It cannot repair, remove, quarantine, or delete the file.

I have tried following the Norton directions for removing this trojan (update the definitions, turn off System Restore, scan from Safe Mode), and it doesn't find it. While the warning window is still open, the file is found in the Windows/System32 folder of his XP-Home system. The only way to close the warning window is with a three-finger salute, and then the file no longer exists . . . until you try to open another program.

Any ideas?????????
 

Aleksandar

Senior member
May 31, 2004
420
0
0
First thing to try: go to My Computer, click on the Tools menu, Folder Options, View tab. Make sure "Hidden files and folders" is off, make sure "Hide extensions for known file types" is off, and "Hide protected operating system files" too; turn them all off. Then do a (manual) search in %osdir%/system32.
 

dclive

Elite Member
Oct 23, 2003
5,626
2
81
You can boot in recovery console and delete the program there - can you give that a shot?
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
What version of Norton is being used? Is it set to scan all files without exception, including within compressed files, heuristics enabled, etc?

Info on the Backdoor.Trojan

You might try the Panda and Symantec online scanners linked in my signature too. Also find out how this got in the door in the first place, and close the door :)
 

Swampster

Senior member
Mar 17, 2000
349
0
0
Thanks for the help guys!

He is running Norton Systemworks 2003 and Norton Personal Firewall 2003 with the latest updates.

Explorer is set to view everything, which is helpful as it is a hidden file.

The problem seems to be that this file will seem to not exist once you close the warning window, but can be found in the System32 folder while it is active.

Nothing out of the way seems to be running based on looking at the Startup folder and checking with the various different RUN areas in the Registry.

'tis a mystery to me!!!!!
 

Swampster

Senior member
Mar 17, 2000
349
0
0
Further Edit . . .

Norton Online Scan also finds nothing. I will try the Panda scanner in the morning, and I have also downloaded AVG and will temporarily disable NAV and install that and let it scan.

Something has got to find this darn thing!
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
Ok, three things:

1) run the antivirus scanners in my signature

2) since it's a pretty old threat, boot directly from the Norton CD itself and have it do a scan that way. The CD probably has recent-enough defs to pick it up.

3) figure out how it got in, and slam that door! ;)
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
And one more thing: get it fully patched at Windows Update and also ensure that it has a firewall (hardware, software or both). Make sure that its Administrator password is a strong one. Microsoft Baseline Security Analyzer 1.2 can help you with some of this less-obvious stuff. Links to all of that: here.
 

dclive

Elite Member
Oct 23, 2003
5,626
2
81
Originally posted by: Swampster
Thanks for the help guys!

He is running Norton Systemworks 2003 and Norton Personal Firewall 2003 with the latest updates.

Explorer is set to view everything, which is helpful as it is a hidden file.

The problem seems to be that this file will seem to not exist once you close the warning window, but can be found in the System32 folder while it is active.

Nothing out of the way seems to be running based on looking at the Startup folder and checking with the various different RUN areas in the Registry.

'tis a mystery to me!!!!!

....which means it probably has a device driver that's hiding it from sight. Try booting to the recovery console and then deleting the file. Or boot in safe mode and see if you can remove it there.
 

Swampster

Senior member
Mar 17, 2000
349
0
0
dclive,

What device driver could be causing this? The file is only visible in Explorer while the NAV warning window is active. Once you close it via Task Manager (it won't close on its own, but keeps going in an endless loop showing the file in lower case, then once it fails to do anything with it it shows it in upper case, then back to lower case, etc.)

In my exploring today, I found a number of files that had double extensions. In all cases, they were the same name as a Windows file, had an executable first extension, and had Manifest as the second extension. I deleted all of them, but the problem remains.

I have used the Panda, NAV, and AVG scans and none of them found the root cause . . . and none of them found these double extensions files either.
 

dclive

Elite Member
Oct 23, 2003
5,626
2
81
Originally posted by: Swampster
dclive,

What device driver could be causing this? The file is only visible in Explorer while the NAV warning window is active. Once you close it via Task Manager (it won't close on its own, but keeps going in an endless loop showing the file in lower case, then once it fails to do anything with it it shows it in upper case, then back to lower case, etc.)

In my exploring today, I found a number of files that had double extensions. In all cases, they were the same name as a Windows file, had an executable first extension, and had Manifest as the second extension. I deleted all of them, but the problem remains.

I have used the Panda, NAV, and AVG scans and none of them found the root cause . . . and none of them found these double extensions files either.

OK, so you know that the DLL is infected or has an issue. So go in there with Recovery Console (you might try safe mode first too) and rename it, and reboot and see how things look.

Again, a device driver can be running (a HIDDEN device driver) that causes the filesystem to no longer see virus/malware files. Hacker Defender and its variants do exactly this. It's fairly well known. Just boot in RC and take a look for that DLL and rename it, then reboot and see if you get any further - it's worth a quick test.

As far as what device driver - bear in mind that on an infected system it can hide itself, so you won't see it normally. You might try safe mode, then look at your services.msc and see if you see anything unusual...
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
I would also suggest setting the antivirus software to autonomously clean-else-delete or simply delete-on-sight-no-questions-asked. Don't have it ask for permission or judgement calls by the user. "no no, I was downloading that file on purpose! :Q" ...yeah. :p
 

Swampster

Senior member
Mar 17, 2000
349
0
0
Safe Mode and Services show nothing, so I will give it a look tomorrow with RC and see if it shows up there.
 

Swampster

Senior member
Mar 17, 2000
349
0
0
mechBgon,

It is set to quarantine, and it reports that it tried to fix it and failed, tried to quarantine it and failed, tried to delete it and failed, access to file denied.

There are no other symptoms other than this pesky message, which will stay off, once you get it dismissed, for the rest of the session. I'm wondering . . . could NAV itself be corrupted and giving me a false report? Maybe I should uninstall it, clean out its remnants, and then reinstall it and see what happens?
 

ScrapSilicon

Lifer
Apr 14, 2001
13,625
0
0
I find it easier to slave the goobered-up hard drive to another known-good, protected system (I prefer USB 2.0 :)) and scan from that point. Faster and more efficient. GL
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
^ this guy's thinking :cool:

Also Swampster, did you try booting from your Norton CD itself? Since the threat is circa 2002, your Norton CD may be able to deal with it using its original set of definitions. Couldn't hurt to try...
 

HKSturboKID

Golden Member
Oct 20, 2000
1,816
0
0
Wow... this is the exact problem that I have: can't find the file in Safe Mode, but once booted up normally Norton picks it up and can't clean it. Check out the other thread, as mechBgon suggested that I create a file with the same name and dump it into the directory where Norton picks up the variant, and hopefully it will prevent the file from being created.
 

Swampster

Senior member
Mar 17, 2000
349
0
0
Problem Solved! Thanks guys!!!!!!!!!!

I booted from my install CD and opted for the RC and deleted the file from there, and it seems to have gone away for good.
 

dclive

Elite Member
Oct 23, 2003
5,626
2
81
Originally posted by: Swampster
Problem Solved! Thanks guys!!!!!!!!!!

I booted from my install CD and opted for the RC and deleted the file from there, and it seems to have gone away for good.

Way cool. Glad it worked for you.

So, synopsis:

Sometimes if a virus or spyware plants itself on a machine in stealth mode, it isn't detectable or deletable while the Windows OS is running. So, we can go into the machine in Recovery Console (or by attaching it to another PC and booting from the other PC's hard drive) and we can then see and delete (or rename) the offending file.
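The technique dclive describes above (a hidden filter driver making a file invisible to the running OS, so that only an offline view shows it) can be turned into a repeatable check: take a directory listing from the live system, take a second listing of the same directory from a trusted environment (the drive slaved to a clean machine), and diff the two. Anything present offline but missing from the live view is exactly the cross-view discrepancy that the thread stumbled on by hand. The script below is an added example written for this page, not code from any poster or from Norton; the two `dir /a` listings it parses are constructed sample data (the only name taken from the thread is LOGALEP.DLL; all sizes and dates are made up), and it assumes both listings were produced with a normal cmd.exe `dir /a`, since the Recovery Console's own `dir` prints a different, attribute-bearing format.

```python
"""Cross-view rootkit check: diff a live `dir /a` listing against an
offline one of the same directory. Added example, not from the thread."""
import re
from typing import Dict, List, Optional

# One file/directory line of cmd.exe `dir /a` output, e.g.
#   08/04/2004  12:00 AM           616,960 advapi32.dll
#   06/19/2005  03:12 PM    <DIR>          drivers
DIR_LINE = re.compile(
    r"^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}\s+[AP]M\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<name>.+?)\s*$"
)

# Constructed sample: listing taken while the infected XP install is running.
LIVE_LISTING = """\
 Volume in drive C has no label.
 Directory of C:\\WINDOWS\\system32

06/19/2005  03:12 PM    <DIR>          .
06/19/2005  03:12 PM    <DIR>          ..
08/04/2004  12:00 AM           616,960 advapi32.dll
08/04/2004  12:00 AM           983,552 kernel32.dll
06/19/2005  03:12 PM    <DIR>          drivers
               2 File(s)      1,600,512 bytes
"""

# Constructed sample: same directory listed with the drive slaved to a clean
# machine (letter differs; the hidden DLL now shows up).
OFFLINE_LISTING = """\
 Volume in drive E has no label.
 Directory of E:\\WINDOWS\\system32

06/19/2005  03:12 PM    <DIR>          .
06/19/2005  03:12 PM    <DIR>          ..
08/04/2004  12:00 AM           616,960 advapi32.dll
08/04/2004  12:00 AM           983,552 kernel32.dll
06/18/2005  11:47 PM            24,576 LOGALEP.DLL
06/19/2005  03:12 PM    <DIR>          drivers
               3 File(s)      1,625,088 bytes
"""


def parse_dir_listing(text: str) -> Dict[str, Optional[int]]:
    """Map lowercased entry name -> size in bytes (None for directories).

    Names are lowercased because NTFS is case-insensitive and the warning
    in the thread alternated between LOGALEP.DLL and logalep.dll.
    Header and summary lines do not match DIR_LINE and are skipped.
    """
    entries: Dict[str, Optional[int]] = {}
    for raw in text.splitlines():
        m = DIR_LINE.match(raw.strip())
        if not m:
            continue
        name = m.group("name").lower()
        if name in (".", ".."):
            continue
        size = m.group("size")
        entries[name] = None if size == "<DIR>" else int(size.replace(",", ""))
    return entries


def cross_view_diff(live_text: str, offline_text: str) -> Dict[str, List[str]]:
    """Return names only the offline (trusted) view can see, plus the
    reverse set for completeness. Entries hidden from the live view are
    candidates for a filesystem-hiding driver; they are not proof by
    themselves, so the caller should still inspect them offline."""
    live = parse_dir_listing(live_text)
    offline = parse_dir_listing(offline_text)
    return {
        "hidden_from_live": sorted(n for n in offline if n not in live),
        "only_in_live": sorted(n for n in live if n not in offline),
    }


if __name__ == "__main__":
    result = cross_view_diff(LIVE_LISTING, OFFLINE_LISTING)
    for name in result["hidden_from_live"]:
        print(f"hidden from running OS: {name}")
    for name in result["only_in_live"]:
        print(f"present only in live view: {name}")
```

In practice you would save each listing with `dir /a > listing.txt` from the respective environment and feed both files to `cross_view_diff`; the sample data yields `logalep.dll` as the only entry hidden from the live view. The check is only as good as the offline side: if the "clean" machine is itself compromised, or the listing is taken from the infected OS in Safe Mode where the same driver may still load, the diff will be empty even though a file is being hidden.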