
Need Help Removing Backdoor.Trojan LOGOJFK.DLL



#1 Nip (Full Member, 10 posts)

Posted 18 July 2004 - 06:26 PM

My son's PC appears to have caught a trojan that I can't seem to get rid of.

Symantec Corp. Antivirus reports the following when starting almost any program:

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Backdoor.Trojan
File: C:\WINDOWS\System32\logojfk.dll
Location: C:\WINDOWS\System32
Computer: JOSH
User: Jim
Action taken: Clean failed : Quarantine failed : Access denied
Date found: Sun Jul 18 18:18:22 2004

This .dll does not appear in Windows\system32 (even in Safe mode), and yes I have set the file options to show all files including system files. I have scanned with S. Corp. AV, Ad-Aware, SpyBot S&D, and Trojan Remover 6.2.7, and I also found a registry entry referring to this .dll. When I try to delete this reg entry it immediately re-appears.

Here's the HijackThis log:

Logfile of HijackThis v1.98.0
Scan saved at 6:04:25 PM, on 7/18/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\dudez\protowall\ProtoWall.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R3 - URLSearchHook: (no name) - {965A592F-8EFA-4250-8630-7960230792F1} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [Ad-watch] "C:\Program Files\Lavasoft\Ad-aware 6\Ad-watch.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [ProtoWall] C:\Program Files\dudez\protowall\ProtoWall.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: (no name) - {237AA178-C3BC-4f67-A8BB-D8BC14BA0B89} - (no file) (HKCU)
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} - http://download.over...com/WildApp.cab
O20 - AppInit_DLLs: C:\WINDOWS\System32\logojfk.dll

Any help is greatly appreciated!
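The O20 line in the log is the AppInit_DLLs load point: any DLL listed under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs is loaded into every process that loads user32.dll, which is why the realtime scanner fires each time a program starts. The script below is an added example, not code from the thread or from HijackThis; it audits that value (resolving bare file names against System32 the way the loader does) and then samples it for a while so that a value which comes back after being cleared shows up with a timestamp. It assumes it is run from an elevated PowerShell on a current Windows; the LoadAppInit_DLLs switch it reports did not exist on Windows XP, where the list was always honoured.

```powershell
# Added example: audit and watch the AppInit_DLLs load point (HijackThis O20).
# Not from the original thread. Assumes an elevated PowerShell session.

$AppInitKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'

function Get-AppInitDlls {
    # Returns one object per listed DLL with whether the file is visible on disk.
    $props   = Get-ItemProperty -Path $AppInitKey -ErrorAction Stop
    $raw     = [string]$props.AppInit_DLLs
    $enabled = $props.LoadAppInit_DLLs   # $null on systems that predate the switch
    # The value is a space- or comma-separated list of paths.
    $entries = $raw -split '[ ,]+' | Where-Object { $_ -ne '' }
    foreach ($entry in $entries) {
        $path = [Environment]::ExpandEnvironmentVariables($entry)
        # A bare file name is resolved from System32 when the loader maps it.
        if (-not [System.IO.Path]::IsPathRooted($path)) {
            $path = Join-Path $env:SystemRoot "System32\$path"
        }
        [pscustomobject]@{
            Entry        = $entry
            ResolvedPath = $path
            OnDisk       = Test-Path -LiteralPath $path
            LoadEnabled  = $enabled
        }
    }
}

function Watch-AppInitDlls {
    param([int]$Seconds = 60, [int]$IntervalSeconds = 5)
    # Re-reads the value until the deadline and prints every change with a
    # timestamp. Clear the value first; if it returns, something running on
    # the box is re-writing it and that process is the thing to find.
    $previous = $null
    $deadline = (Get-Date).AddSeconds($Seconds)
    while ((Get-Date) -lt $deadline) {
        $current = [string](Get-ItemProperty -Path $AppInitKey).AppInit_DLLs
        if ($current -ne $previous) {
            Write-Output ("{0:HH:mm:ss} AppInit_DLLs = '{1}'" -f (Get-Date), $current)
            $previous = $current
        }
        Start-Sleep -Seconds $IntervalSeconds
    }
}

Get-AppInitDlls | Format-Table -AutoSize
Watch-AppInitDlls -Seconds 60
```

An entry whose file is still loaded into processes but reports OnDisk = False is the pattern the original poster describes: the file is hidden from directory listings, but the loader still finds it. Test-Path runs through the same file APIs as Explorer, so it cannot see past a listing hook either; in that case the authoritative check is from outside the running system, for example by mounting the disk from a clean boot environment and listing System32 there.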

#2 NuckinFuts (New Member, 2 posts)

Posted 18 July 2004 - 06:32 PM

I had a similar problem with another dll called COMA.DLL.
You should be able to move the file to another location (I moved mine to the desktop) then reboot. As soon as the desktop reopened I managed to delete the file. Once it has gone you should be able to clear out the registry setting.
:D

#3 Nip (Full Member, 10 posts)

Posted 18 July 2004 - 06:37 PM

NuckinFuts said:
<<I had a similar problem with another dll called COMA.DLL.
You should be able to move the file to another location (I moved mine to the desktop) then reboot. As soon as the desktop reopened I managed to delete the file. Once it has gone you should be able to clear out the registry setting.>>

Nip said:
<<This .dll does not appear in Windows\system32 (even in Safe mode), and yes I have set the file options to show all files including system files>>

The file in question does not appear anywhere on the HDD ... how would you suggest I move or delete?

#4 NuckinFuts (New Member, 2 posts)

Posted 18 July 2004 - 06:39 PM

Sorry - forgot to say I had the exact same problem. So I removed my network connection and suspended antivirus and the file appeared in system32.

#5 Nip (Full Member, 10 posts)

Posted 18 July 2004 - 07:44 PM

NuckinFuts said:
<<Sorry - forgot to say I had the exact same problem. So I removed my network connection and suspended antivirus and the file appeared in system32.>>

Thanks, I'll give that a try.

#6 Nip (Full Member, 10 posts)

Posted 18 July 2004 - 08:06 PM

Well, that didn't work. I disabled the LAN and DSL connection, and unloaded S. Corp. AV, then rebooted ... the file still did not appear (even in Safe Mode, Command Prompt) but the registry entry was gone. However, when I reconnected the LAN and reloaded the AV it re-appeared. Thanks for the effort, any other ideas?

#7 ejosh87 (Full Member, 22 posts)

Posted 19 July 2004 - 03:00 AM

posted fix for this at:

http://forums.spywar...=15
