how to clean Backdoor.Win32.Lecna.b

Discussion in 'NOD32 version 2 Forum' started by nromy, Jun 30, 2006.

Thread Status:
Not open for further replies.
  1. nromy, Registered Member (Joined: Jun 30, 2006; Posts: 10)

    Hi all,

    Lecna.b is now attacking my system (Windows XP).

    This worm hides network connections in my system.
    Thus, I can't connect to the internet through my computer.

    When I check in the hardware devices, Windows can't recognise the network drivers,
    but when I turn to safe mode (without network), Windows recognises the drivers.

    In safe mode (with network), Windows can't recognise the network drivers.

    I just downloaded the trial version of NOD, then I tried a "deep" scan. This product cannot recognise the worm,
    and the worm is still in my system.


    I downloaded the trial version of "NOD32 Anti virus", then I tried to "deep" scan my system.
    Unfortunately, this product cannot recognise the worm,
    and the worm is still in my system.

    pls somebody here help me.

    thanks
    romy
     
  2. NOD32 user, Registered Member (Joined: Jan 23, 2005; Posts: 1,766; Location: Australia)

    Hi nromy,
    I'm looking up some info that may help you.

    While I'm doing that, I was wondering how it is that you are certain it is Lecna.b ?

    Cheers :)
     
  3. NOD32 user, Registered Member (Joined: Jan 23, 2005; Posts: 1,766; Location: Australia)

    Hi again,

    NOD32 has detected lecna.a by name since November 2005 and lecna.b by name since August 2005

    ...so if you have the latest version of the trial - you said you just downloaded it - then please reboot to safe mode and, just to be sure, configure your on-demand scanner as described from post #47 -->HERE<-- before performing a full scan with those settings, and then post back and let us know how you got on so far.

    Cheers :)

    edit: Not having the ability to test any lecna infections I can not say for sure but it may be necessary to take additional action after this.
    edit:edit: I just noticed another very similar question with more detailed instructions on the steps so far -->HERE<--
     
    Last edited: Jun 30, 2006
  4. Blackspear, Global Moderator (Joined: Dec 2, 2002; Posts: 15,115; Location: Gold Coast, Queensland, Australia)

    Off topic post removed ~ please remember which forum you are in.

    Quoted off topic post also removed.

    Blackspear.
     
  5. YeOldeStonecat, Registered Member (Joined: Apr 25, 2005; Posts: 2,345; Location: Along the Shorelines somewhere in New England)

    If you ever suspect that your TCP stack is screwy..only takes a few seconds to run this utility and restore it to virgin state
    http://www.snapfiles.com/reviews/WinSock_XP_Fix/winsockxpfix.html

    Any "tweaks" you've done will need to be reapplied, and custom network settings also like static IPs. So be aware of your setup before running this.
     
  6. nromy, Registered Member (Joined: Jun 30, 2006; Posts: 10)

    Why am I sure that it is lecna.b? Because the symptoms my system has are the same as the explanation at the following link:
    http://www.f-secure.com/v-descs/lecna_b.shtml
     
  7. nromy, Registered Member (Joined: Jun 30, 2006; Posts: 10)

    hi YeOldeStonecat,

    I just downloaded this application. I will try to run it, and I will tell you the result later,
    thanks...
    romy
     
  8. nromy, Registered Member (Joined: Jun 30, 2006; Posts: 10)

    hi Blackspear,

    Would you pls advise me which forum I have to engage for this problem?
    I thought I was in the right forum, cos I asked about how to use NOD32 to clean lecna.b.

    Thanks
    romy
     
  9. nromy, Registered Member (Joined: Jun 30, 2006; Posts: 10)

    hi NOD32 user,

    I just copied the information on the NOD settings that you advised me of (the links).
    And then I will try to re-scan my system.

    FYI, I have done this:
    Rebooted to safe mode and ran the on-demand scanner on all files in all drives.
    However, I will check its settings again and re-run the scanner.

    Thanks
    romy
     
    Last edited: Jul 3, 2006
  10. snowbound, Retired Moderator (Joined: Feb 18, 2003; Posts: 8,723; Location: The Big Smoke)

    U are. What was removed was O/T by others.



    snowbound
     
  11. Marcos, Eset Staff Account (Joined: Nov 22, 2002; Posts: 14,374)

    Hello,

    please drop an email to support @ eset.com with a link to this thread, we'll try to help you out.


    Marcos
     
  12. NOD32 user, Registered Member (Joined: Jan 23, 2005; Posts: 1,766; Location: Australia)

    You're in good hands now nromy :)

    It would be great if you could post back to let us know the result

    Cheers :)
     
  13. nromy, Registered Member (Joined: Jun 30, 2006; Posts: 10)

    hi YeOldeStonecat,

    Yup, I just ran this application (WinsockxpFix), but it didn’t help.

    As the 3rd step, I cannot find the following paths in the regedit window:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VXD\Dhcp
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VXD\Dhcpoptions
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VXD\MSTCP
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VXD\Winsock2
    As a result, my system still doesn’t have a network connection. And in the hardware devices, the LAN card still has no drivers.
    The error says Windows cannot load the drivers.

    I usually install the driver automatically with the "Lan-driver setup application" provided with my Toshiba laptop.

    I also tried to refresh the operating system (Windows XP) by re-installing the system from the installation CD. But it still failed.

    If we suspect that it is not because of a worm/virus, why:
    • If I reboot to safe mode (without network), Windows then recognises all drivers of the LAN card successfully?
    • When I reboot the system to safe mode (with network) or in normal mode, Windows then DOESN’T recognise all drivers of the LAN card successfully.
    • When I “ctrl-alt-del” I can see iexplorer.exe is running simultaneously? Sometimes running and sometimes not.
    • And then I rename this iexplorer.exe to iexplorer.xee in safe mode (without network) via DOS prompt.

    During the boot process:
    o Before entering Windows XP, why can my computer recognise the IP address provided by the server? Why was the LED of the LAN port blinking/turned on?
    o When entering Windows XP, the LED of the LAN port suddenly turns off?


    My computer is still offline, so I cannot scan it via online scanner.

    Regard
    Romy
     
    Last edited: Jul 3, 2006
  14. nromy, Registered Member (Joined: Jun 30, 2006; Posts: 10)

    Yup, I did everything that manual advises,
    and after scanning, the antivirus found nothing ;(

    anyway
    thanks for helping me ;)
    romy
     
  15. nromy, Registered Member (Joined: Jun 30, 2006; Posts: 10)

    Hi marcos,

    Okay I will.

    ~ removed personal email communication ~ Blackspear.


    ok, thanks

    regard
    romy
     
    Last edited by a moderator: Jul 3, 2006
  16. nromy, Registered Member (Joined: Jun 30, 2006; Posts: 10)

    Hi everyone,

    I have tried to contact "NOD32 Technical support" since 07/09/06.
    He suggested running the following programs:
    1. http://eset.zftp.com/utils/hijackthis.exe
    2. http://www.sysinternals.com/Files/Autoruns.zip

    The result is that the logs didn't reveal an infection.

    Again, my question is:

    If we suspect that it is not because of a worm/virus, why:
    • If I reboot to safe mode (without network), Windows then recognises all drivers of the LAN card successfully?
    • When I reboot the system to safe mode (with network) or in normal mode, Windows then DOESN’T recognise all drivers of the LAN card successfully.

    • During the boot process:
    o Step before entering Windows XP: why can my computer recognise the IP address provided by the server? Why was the LED of the LAN port blinking/turned on?
    o Step when entering Windows XP: the LED of the LAN port suddenly turns off?


    Pls help me, because until now my computer cannot connect to the internet. ;(

    rgd
    romy
     
  17. NOD32 user, Registered Member (Joined: Jan 23, 2005; Posts: 1,766; Location: Australia)

    Hi nromy,

    Have you checked that the card isn't simply disabled?

    Right-click on 'My Network Places' --> Left-click 'properties' -->Right-click on the LAN card --> Left-click on 'Enable' o_O
     
  18. alglove, Registered Member (Joined: Jan 17, 2005; Posts: 904; Location: Houston, Texas, USA)

    Romy, try the following commands from the Command Prompt in Safe Mode to reset TCP/IP and Winsock:

    netsh int tcpip reset
    reboot
    netsh winsock reset
    reboot

    Here are some articles about how these commands work:

    http://support.microsoft.com/kb/299357/
    http://support.microsoft.com/kb/811259/

    For the iexplorer.exe starting up when the network is enabled, it could be that the worm has injected itself into the Active Desktop. In Safe Mode, go to Control Panel --> Display --> Desktop --> Customize Desktop --> Web. If there are any webpages present, uncheck or remove them, then hit OK.
     
  19. izi, Registered Member (Joined: Jan 19, 2004; Posts: 354; Location: Slovenia)
  20. nromy, Registered Member (Joined: Jun 30, 2006; Posts: 10)


    ur advice is what I always say to my friends if they have troubles with the Windows network :)

    Anyway, thanks a lot for your help.

    In my case, after I do this:
    Right-click on 'My Network Places' --> Left-click 'properties'

    there is no connection at all, so I can set up nothing.

    The problem is in the hardware devices, seen by right-clicking the My Computer icon -> clicking Device Manager.
    And I see all hardware related to the network does not work properly. It says Windows cannot load the driver.

    Maybe you'd say it is because of the drivers. I don't think it is, because I always tried to install the driver but always failed.

    However, if I run Windows in safe mode (without network), my computer has no problem related to network drivers.

    thanks..

    rgd
    romy





    But when I run the
     
  21. NOD32 user, Registered Member (Joined: Jan 23, 2005; Posts: 1,766; Location: Australia)

    I assume you mean that the network hardware has question marks next to it?

    This I have seen, as I've understood your description, with certain video cards when changing from one to another. Customer's PC was presented to me with the new card already fitted. Tried for AGES to get the new card's driver installed before the solution struck me (not too hard though :D)
    Removed the new card and put the old one back in,
    uninstalled its drivers from add/remove programs and then used device manager to remove the hardware. Rebooted with the new card installed and the drivers loaded first go...

    Did you try what alglove and izi suggested above - how did that go?

    Cheers :)
     