Backdoor.Elpman, False Positive?

My virus scanner detected Backdoor.Elpman overnight in the following places:

Appdata/local/temp (.tmp File)

Appdata/roaming/pdaappflex/localstore/#sharedobjects

Appdata/roaming/pdappflex/local store

appdata/roaming/pdappflex

Did some research, and a lot of other people have got it overnight too. Any idea?

https://www.reddit.com/r/sysadmin/comments/4htply/symanteccloud_seeing_a...

Replies


Re: Backdoor.Elpman, False Positive?

Which Norton product and version?

What is your Operating System?

Thanks.

A little bit of knowledge is... well a little bit of knowledge.

Re: Backdoor.Elpman, False Positive?

Windows 7, and it says Norton Antivirus; I think it's just the generic 3-year Basic package.

How can I tell the version?


Re: Backdoor.Elpman, False Positive?

Found the version: 22.6.0.142, Norton AntiVirus.


Re: Backdoor.Elpman, False Positive?

Hello

Please see this KB article on the subject.

https://support.norton.com/sp/en/us/home/current/solutions/kb20100222230832EN_EndUserProfile_en_us

Here is the Symantec write-up for this malware.

https://www.symantec.com/security_response/writeup.jsp?docid=2016-030113-0625-99

From that Reddit report, it seems like the other users complaining about it are users of Symantec corporate programs, which is probably the reason for Krusty's question.

You can submit the file to Virus Total for a quick analysis. You can also submit to Norton for a further analysis of the file.

To report a false positive, please use this link

https://submit.symantec.com/false_positive/

Thanks.

Success always occurs in private and failure in full view. Windows 7 Pro 64 bit Norton Core Security Plus 22.17.2.47 Core Firmware 282 I E 11 Chrome latest version.

Re: Backdoor.Elpman, False Positive?

I tried to respond with the version etc., but it's not showing up?


Re: Backdoor.Elpman, False Positive?

I have also had this as well. I have submitted the quarantined files to Symantec for checking, as I'm sure it is also a false positive. How long to get a response or feedback?

The pdappflex folder I think is due to Adobe Creative Cloud. Not sure if this will still be working correctly. There is now a Creative Cloud error in Photoshop.


Re: Backdoor.Elpman, False Positive?

Happened on one of my PCs as well yesterday. Norton asked me to reboot, but I didn't think too much about it. Couldn't start the PC this morning, with a DPC_Watchdog error appearing on the blue screen. Eventually managed to restart the PC, where I discovered the apparent virus in quarantine.

Currently backing up the PC, so will check if anything else is not working.


Re: Backdoor.Elpman, False Positive?

The DPC_Watchdog error is connected to an SSD drive if the computer isn't shut down properly. I am still hoping that this is a false positive.

Not sure how a Trojan would have got on my computer otherwise, as I am really careful with attachments etc.


Re: Backdoor.Elpman, False Positive?

Thanks for the info; the SSD is used as a cache drive, which doesn't like to be shut down dirty.

Norton Security with Backup has crashed twice now, both times with History being open. This is from the Event Viewer:

Faulting application name: NSBU.exe, version: 13.1.0.74, time stamp: 0x56ba9bae
Faulting module name: SYMHTML.DLL, version: 10.1.0.91, time stamp: 0x56ce7f77
Exception code: 0xc0000005
Fault offset: 0x001aafe0
Faulting process id: 0x16d4
Faulting application start time: 0x01d1a6ce0e9b7813
Faulting application path: C:\Program Files (x86)\Norton Security with Backup\Engine\22.6.0.142\NSBU.exe
Faulting module path: C:\Program Files (x86)\Norton Security with Backup\Engine\22.6.0.142\SYMHTML.DLL
Report Id: 9b2faec8-a064-4c7f-9ff3-e44c71820aae
Faulting package full name: 
Faulting package-relative application ID: 

Have also attached the log from Norton History.

Re: Backdoor.Elpman, False Positive?

A few minutes ago I got that virus warning too.
The following was detected:

http://i.imgur.com/R1o94Tu.png

Filename: Backdoor.Elpman
Full path: Not available

____________________________

On computers since
Not available

Last used
05.05.2016 at 18:23:40

Startup item
No

Launched
No

Threat type: Virus. Programs that infect other programs, files or areas of the computer by inserting or attaching themselves.

____________________________

Backdoor.Elpman
Search

Unknown
It is not known how many users in the Norton Community have used this file.

Unknown
This file version is not known.

High
The risk of this file is high.

____________________________

Source: External media

____________________________

File actions

File: c:\users\appdata\local\temp\ jet10b6.tmp Removed
File: c:\users\appdata\local\temp\ wct1837.tmp Threat Removed
File: c:\users\appdata\local\temp\ wct3d5d.tmp Threat Removed
File: c:\users\appdata\local\temp\ wct75cd.tmp Threat Removed
File: c:\users\appdata\local\temp\ wct9b42.tmp Threat Removed
File: c:\users\appdata\local\temp\ wctdfb8.tmp Threat Removed
Directory: c:\users\appdata\roaming\pdappflex\local store\ #sharedobjects Threat Removed
Directory: c:\users\appdata\roaming\pdappflex\ local store Threat Removed
Directory: C:\Users\AppData\Roaming\ PDAppFlex Threat Removed
____________________________

Registry actions

Registry change: HKEY_USERS\S-1-5-21-3101452190-1557573530-4177054012-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\->Startup:C:\Users\Start Menu\Programs\ Startup Repaired
Registry change: HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\->Startup:C:\Users\Start Menu\Programs\ Startup Repaired
Registry change: HKEY_USERS\S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\->Startup:C:\Users\Start Menu\Programs\ Startup Repaired
Registry change: HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\->Startup:C:\Users\Start Menu\Programs\ Startup Repaired
Registry change: HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\->Startup:C:\Users\Start Menu\Programs\ Startup Repaired
____________________________

File fingerprint - SHA:
Not available
File fingerprint - MD5:
Not available
 

Should I reinstall my computer, or is that a false positive?


Re: Backdoor.Elpman, False Positive?

If you opened my text file, you would see that it contains the same info, except yours is in German, mine in English. I am not sure if this is a false positive; only Symantec can tell. I have already submitted samples.


Re: Backdoor.Elpman, False Positive?

Mine is pretty much the same. Text file attached. I have done extensive scans on my machine, including Power Eraser, and it seems to be clean.

How long for Symantec to comment on submitted files?

Apparently lots of people claiming to have the same, I am still hoping this is a false positive.

Not sure if it is better just to do a factory reset. Not wanting to, as it would take a day probably to load all programs back on.

Re: Backdoor.Elpman, False Positive?

Yeah if it isn't a false positive, I'd do a fresh install as I'm paranoid.

Hence wanting to know :)


Re: Backdoor.Elpman, False Positive?

Hello

Have any of you submitted the file to Virus Total? They give you the results quickly. I would suggest that you take your computers to one of the free malware removal sites. Please pick 1 site and stick with them and have them test your computers to see if they are clean or not. If it isn't clean, then the site will help you to clean it up safely. If it's clean then you will have peace of mind. Here is the list of sites.

Please see this link for an up to date description of these sites plus the addition of a newly listed site formed by one of our successful malware remover users who unfortunately has passed away. That site is still being run by a good expert who happens to be one of the other Gurus. The new site is listed first in this link.

https://community.norton.com/en/forums/malware-removal-forum-recommendations

Please come back and let us know how you made out.

Thanks.

Success always occurs in private and failure in full view. Windows 7 Pro 64 bit Norton Core Security Plus 22.17.2.47 Core Firmware 282 I E 11 Chrome latest version.

Re: Backdoor.Elpman, False Positive?

I also noticed the same thing on May 4, 2016 at 2:49AM. A few things to note, aside from the Reddit article and everyone posting here, that make me think it may be a false positive.

1. The pdappflex directory is a directory that is installed by Adobe Photoshop or Adobe Creative Cloud. Many users have noted this directory structure. I confirmed also, through some scripts that I use on my system for these sorts of occasions, that this directory structure has existed on my PC since September, which was when I installed Photoshop/Creative Cloud. The directory was always empty per my looking into it and at my scripts.

2. I had a full system scan run per schedule on May 4th that completed at 1:45AM and found no threats. At 2:00AM Adobe ran its nightly check for updates; log files indicate no updates or changes found. At 2:45AM Norton ran LiveUpdate and, based on the logs, downloaded virus definitions. At 2:49AM a quick scan kicked off and detected the threat as identified above in the initial posting and placed it in quarantine. My text file that shows what was done to remedy and quarantine is the same as the ones above, only it does not include the temp files, so I won't be posting it as well.

3. I am the only user of this PC and do not visit sites other than a few that are bookmarked and that I have used for years. I do not download files onto this PC via web or email thus if this is a Trojan I am not sure where it would have come from since I would think Norton would block something if it detected it and when I do put files on this pc, even if I send them to myself, I always scan them with Norton.

4. Any removable media that I use on this PC is solely used on this PC and not shared with other PCs or family members.

5. This PC has had Norton installed on it since day one.

6. I am behind 2 firewalls, 1 from my modem/router and the other from my personal router plus Norton's firewall, both have been tested to ensure they are not responding to certain ports and appear invisible to the web.

7. Many people are posting here and at Reddit; the article that Symantec posted was from late March, thus for many users to all of a sudden have the issue at the same time makes it seem like it is possibly a false positive and related to recent definitions released, as per item #2 above.

8. I checked event logs, registry, scheduled tasks and a few other places for anomalous behavior and I found nothing.

9. All my PCs on my home network (2) are set to Restricted Trust so they cannot see each other, for further protection.

10. After Norton's finding and cleaning/quarantine, I ran a full system scan again and all is good.

Based on the close proximity of my full system scan, then the Norton virus defs download, then the quick scan finding this issue, it immediately made me think it was a false positive. I will not be releasing the files from quarantine, just to be safe, but it would be nice if someone at Symantec/Norton could research this and confirm if it was indeed a false positive or not. It would help give us some peace of mind or help us determine if we should wipe our systems or restore to an earlier version. Considering Trojans are usually brought in by file downloads/attachments and I have not done any in a long while, it would seem odd for it to have been obtained by a drive-by or something of that nature. I was also not online at the time of the issue, and the PC seemed fine from previous quick scans and from the full system scan one hour before.

Any insight would be greatly appreciated.

Thanks,

RM


Re: Backdoor.Elpman, False Positive?

Hello All

Please send the file to Virus Total to get a quick response as to whether this file is clean or not.

www.virustotal.com

Thanks.

Success always occurs in private and failure in full view. Windows 7 Pro 64 bit Norton Core Security Plus 22.17.2.47 Core Firmware 282 I E 11 Chrome latest version.

Re: Backdoor.Elpman, False Positive?

It's very odd, as there is no file to submit via the Norton interface. Usually I've seen on other PCs, when it finds a threat, there's a Submit to Norton button, but none on this one. It doesn't even show a file name or type other than Backdoor.Elpman. If there's a way to get the file to submit I would do so, but I don't want to use the restore option since it's in quarantine. Hope that makes sense. Is there a way to get the file from the file system? I imagine Norton would have that locked down.

Re: Backdoor.Elpman, False Positive?

Hello

Have you checked the quarantine dropdown in the History Logs?

Thanks.

Success always occurs in private and failure in full view. Windows 7 Pro 64 bit Norton Core Security Plus 22.17.2.47 Core Firmware 282 I E 11 Chrome latest version.

Re: Backdoor.Elpman, False Positive?

Yes. It says it's quarantined but does not give an option to send the file to Symantec, nor does it show the actual file it thinks it found. All it shows is Backdoor.Elpman. One of the other posters in the chain above posted the clipboard portion of the findings; mine looks the same. Just shows the directories it deleted, but no actual file name nor a submission ability.

Re: Backdoor.Elpman, False Positive?

Hello

Then I would still recommend going to 1 of the free malware removal sites and let them tell you what scans to run that would be able to tell if you have any malware in your system and can tell what was done. Your other choice is to contact the Norton Customer Support at www.norton.com/chat. They will most likely want to access your computer whereas the free malware removal sites don't.

Thanks.

Success always occurs in private and failure in full view. Windows 7 Pro 64 bit Norton Core Security Plus 22.17.2.47 Core Firmware 282 I E 11 Chrome latest version.

Re: Backdoor.Elpman, False Positive?

How can I submit the file to Virus Total without restoring it from quarantine first? Submitted the sample to Norton yesterday, which has also removed the ability to resubmit.

Re: Backdoor.Elpman, False Positive?

Copy to Clipboard and paste SHA at Virus Total
For second opinion choose File and / or Search hash at VirusTotal. 


Re: Backdoor.Elpman, False Positive?

Same as Vienna10, I also submitted the sample to Norton yesterday, which has also removed the ability to resubmit. There is no file available to submit to VirusTotal without first restoring the files (not recommended).

Copy to Clipboard is only a text file of folder names etc. No details of the actual virus file, as per my previous attachment.

I have run Malwarebytes, Search and Destroy and Norton Power Eraser; all are showing the system is clean. Also, based on Masso's comments, I am still of the opinion that this is a false positive.

How long for Symantec to check the files submitted to them?

Re: Backdoor.Elpman, False Positive?

lee crease: Copy to Clipboard is only a text file of folder names etc.

Oh, no hash reported. Restore item to desktop and upload. Or, not.

Re: Backdoor.Elpman, False Positive?

I am tempted to restore the files to submit them to virustotal. Is there any chance Symantec will comment back on files already submitted to them by a couple of people in this post?

Re: Backdoor.Elpman, False Positive?

I too ran Norton Power Eraser along with the rootkit scan and the other scan tools it had, and all came back green/good. Lee Crease, please let us know if you restore the file and submit, and if you see a file or just folders. RM

Re: Backdoor.Elpman, False Positive?

Hello

I think you can restore the file, copy the file and send it to Virus Total, and then put it back into Quarantine until you get the report back from Virus Total.

Thanks.

Success always occurs in private and failure in full view. Windows 7 Pro 64 bit Norton Core Security Plus 22.17.2.47 Core Firmware 282 I E 11 Chrome latest version.

Re: Backdoor.Elpman, False Positive?

Hi Everyone,

Sorry for the inconvenience. Let's not jump to the conclusion that the reported files are false positives. Could you please submit the files to Norton.com/submit. Any temp files or files being flagged as "Backdoor.Elpman", please submit them for further analysis. If files are already moved into quarantine, please restore them and submit them to the Norton.com/Submit site. Once the submission is completed, please add the files back to quarantine and provide the tracking numbers for the submission to speed up the process.

Sunil_GA | Norton Forums Administrator | Symantec Corporation

Re: Backdoor.Elpman, False Positive?

Mine were submitted by Norton as a statistical submission. Should I still do as directed above? However, on my quarantine report it never shows temp files, just the directory structure.

Re: Backdoor.Elpman, False Positive?

Hello

Norton Community Watch submits everything to Norton. I think Sunil would prefer you to submit it the way he said. You will get a tracking number; post it here. Then either I can submit them to him or he will check himself. Once he gets the tracking numbers the process will get sped up. Send any files connected with this malware.

Thanks.

Success always occurs in private and failure in full view. Windows 7 Pro 64 bit Norton Core Security Plus 22.17.2.47 Core Firmware 282 I E 11 Chrome latest version.

Re: Backdoor.Elpman, False Positive?

I still haven't had the nerve to restore the files to be able to submit. However, the more I look into it, it doesn't add up. On the Norton technical details for Backdoor.Elpman it states the following:

The Trojan then creates the following registry entries:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\"Startup" = "%AppData%\Roaming\PDAppFlex"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"ProxyEnable" = "0"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\"SavedLegacySettings" = "[BINARY DATA]"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"UNCAsIntranet" = "0"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"AutoDetect" = "1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"UNCAsIntranet" = "0"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"AutoDetect" = "1"

These registry keys were not affected; in fact, the only registry changes were:

Registry change: HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\->Startup:C:\Users\admin\Start Menu\Programs\ Startup Repaired (+ 3 other similar entries)

It was changed from

%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Startup, which is essentially the same string. It does not make sense why these registry items were changed (4 in total) and nothing to do with the registry entries that are meant to change with Backdoor.Elpman.

I think we are going to have to draw short straws to see who restores the files first to be able to submit.

Re: Backdoor.Elpman, False Positive?

Just had an idea. I have almost the same install on my notebook, with Adobe and all other programs. Once I get home, I will check all relevant files and registry entries on both PC and notebook. Theoretically, they should all be the same. Will report back.

Re: Backdoor.Elpman, False Positive?

@lee crease: that is one of the points I've been trying to make. I checked my registry keys by exporting them so I can see the change date. None were changed recently except for the 4 startup ones, but those show the time and date that Norton did its supposed repair. The one thing that worries me is that on my work laptop and my other laptop those show the original %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Startup string rather than the C:\Users string. But what I don't know is if for some reason the Adobe CC install changed those.

@vienna10: does your notebook have Norton on it? If so, did it trigger as well or not? Does it have the latest Norton virus defs? Check to see if you have the latest defs, then run a quick scan. But before doing so, if it has not run LiveUpdate and a quick scan, check if those registry entries are the C:\Users ones, which could indicate that the Adobe install changed those. I know for a fact that the \PDAppFlex\Local Store\#SharedObjects was installed by Adobe Photoshop/Creative Cloud. So if this is a Trojan, is it only targeting Adobe users?

The other thing is a Trojan is usually downloaded by piggybacking another file. So unless an Adobe update had a hijacked file that Norton caught, then what would have caused the file to appear on my system at 2:49AM? Lastly, if everyone read my post above, what doesn't add up to me is why my full system scan ran with clean results at 1:45AM, then at 2:45AM I had Norton virus defs from LiveUpdate, then my quick scan at 2:49AM triggered the alert/quarantine. Since Symantec discovered this Trojan in March with modifications to the defs in April, why would my full system scan that completed an hour earlier not have caught this? Lastly, the Norton write-up indicates that the Trojan would put a winword.exe file in the \PDAppFlex\ directory; the quarantine logs show nothing related to that, as everyone else has stated here and shown via the clipboard attachments. I too am nervous to un-quarantine and re-quarantine to send. As I mentioned before in my lengthy post above, I am very careful what I do on this particular PC; it is quite locked down network-wise, and it is a desktop so it is only ever on my home network. All my devices on my network are set to Restricted via Norton so they can't see each other, and I don't do much surfing on that PC nor downloading, and if I do, it is always scanned with Norton, even if it is a Word doc or Excel file I send to myself. So I am not sure how I could have gotten that sort of virus. Had Norton triggered something while I was on a website, I would not think it was a false positive, but per my writings above and the things we're seeing here, plus the Reddit folks with their systems, it makes me think maybe it is a set of defs that triggered this. In the 2+ years since this PC was new it has had Norton on it and I have never had any alerts or quarantined items, so if this is real, what has me more concerned is where it would have come from.

vienna10, looking forward to your findings. Maybe they can help us understand what happened.

Re: Backdoor.Elpman, False Positive?

Yes, of course Norton is installed on the notebook, else the suggestion wouldn't have been made. Same version, same updates.

Ran a full system scan (on the notebook), which found nothing, not even a tracking cookie.

The folder \PDAppFlex does not exist on the notebook, even though Adobe Creative Cloud (latest update) is installed, with Adobe CC 2015 and CS6 Photoshop installed (on both).

The User Shell Folders are different in that on the PC they show as:

C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

and on the notebook:

%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

The remaining registry entries are:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\"Startup" = "%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\"ProxyEnable" = "0"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\"SavedLegacySettings" = "[BINARY DATA]"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"UNCAsIntranet" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\"AutoDetect" = "0"

From what I found, I wouldn't restore the file, especially since there are no error messages from Adobe, or anything else.

Hope this helps.
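To make the comparison vienna10 and RM describe repeatable, an added example that is not from this thread or from Norton: a PowerShell audit that reads the Startup value under User Shell Folders for every loaded hive without expanding it (so a hard-coded C:\Users path is distinguishable from the %USERPROFILE% default), classifies each as the Windows default, a hard-coded equivalent like the "repaired" ones, or a redirection elsewhere (the pattern the write-up attributes to the Trojan), and then reports whether each profile's PDAppFlex folder exists and whether it is empty. It assumes it is run from an elevated prompt so all hives under HKEY_USERS are readable; SIDs, profile names and paths are whatever the machine has.

```powershell
# Registry audit for the User Shell Folders\Startup value and the PDAppFlex folder.
# Added example, not the thread's or Norton's own script. Run elevated.

$subKey  = 'Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
# Windows default, unexpanded (REG_EXPAND_SZ), as seen on the clean notebook above.
$default = '%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'

function Get-StartupShellFolder {
    param([Parameter(Mandatory)][string]$Sid)
    $key = Get-Item -Path "Registry::HKEY_USERS\$Sid\$subKey" -ErrorAction SilentlyContinue
    if (-not $key) { return $null }          # hive has no User Shell Folders key (e.g. *_Classes)
    # Read the raw value; Get-ItemProperty would expand %USERPROFILE% and hide the difference.
    $raw = $key.GetValue('Startup', $null,
        [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
    if ($null -eq $raw) { return $null }
    if ($raw -eq $default) {
        $status = 'default'                  # untouched Windows value
    } elseif ($raw -like '*\Microsoft\Windows\Start Menu\Programs\Startup') {
        $status = 'hardcoded-equivalent'     # same folder, literal path (what the "repair" left)
    } else {
        $status = 'REDIRECTED'               # Startup folder points somewhere else entirely
    }
    [pscustomobject]@{
        Sid      = $Sid
        Status   = $status
        Kind     = $key.GetValueKind('Startup')   # expect ExpandString; String is itself a change
        Raw      = $raw
        # Note: expands against the *current* user's environment, not the hive owner's.
        Expanded = [Environment]::ExpandEnvironmentVariables($raw)
    }
}

$results = Get-ChildItem -Path 'Registry::HKEY_USERS' |
    ForEach-Object { Get-StartupShellFolder -Sid $_.PSChildName } |
    Where-Object { $null -ne $_ }

$results | Format-Table Sid, Status, Kind, Raw -AutoSize

# A redirected Startup folder means everything inside the target runs at logon,
# which is why the write-up's "%AppData%\Roaming\PDAppFlex" value matters. List it.
foreach ($r in ($results | Where-Object Status -eq 'REDIRECTED')) {
    Write-Warning "Startup folder for $($r.Sid) is redirected to: $($r.Expanded)"
    if (Test-Path -LiteralPath $r.Expanded) {
        Get-ChildItem -LiteralPath $r.Expanded -Force -Recurse |
            Select-Object FullName, Length, LastWriteTime
    }
}

# Does the quarantined folder exist per profile, and is it empty (as posters report
# it was after an Adobe Creative Cloud install) or does it actually hold files?
foreach ($profile in (Get-ChildItem -Path 'C:\Users' -Directory)) {
    $flex = Join-Path $profile.FullName 'AppData\Roaming\PDAppFlex'
    if (Test-Path -LiteralPath $flex) {
        $files = @(Get-ChildItem -LiteralPath $flex -File -Recurse -Force)
        '{0}: PDAppFlex present, {1} file(s), folder created {2}' -f
            $profile.Name, $files.Count, (Get-Item -LiteralPath $flex).CreationTime
        $files | Select-Object FullName, Length, CreationTime, LastWriteTime
    } else {
        '{0}: no PDAppFlex folder' -f $profile.Name
    }
}
```

Compare the table across machines: a row reading hardcoded-equivalent with a Kind of String on the detected PC, against default/ExpandString on the untouched notebook, is consistent with the "Repaired" entries in the quarantine logs rather than with the redirection the write-up describes.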

Re: Backdoor.Elpman, False Positive?

I have just gone into work and checked on my laptop, which is also running all the same software including Creative Cloud. I have exactly the same as Vienna10. I have checked that the latest Adobe updates are installed, and no pdappflex folder exists.

My registry data on the laptop is exactly the same as vienna10's.

Now, based on this, I am also not going to restore the files.

I will probably factory reset the computer tomorrow.

What a pain.

Re: Backdoor.Elpman, False Positive?

Just had another brainwave...

My last full system backup was after the apparent Trojan, but I still have the previous one from April 25. In this, the folders C:\users\admin\appdata\roaming\pdappflex\local store\ #sharedobjects exist, with the last directory empty.

I don't know how I could check the contents of the registry from the backup (Acronis True Image). This goes beyond my knowledge.

Re: Backdoor.Elpman, False Positive?

I just had another thought. If you right-click C: then click Properties, you can look at previous versions of folders. There is a restore point from 1 week ago which did have the folder appdata/roaming/pdappflex\local store\ sharedobjects, all of which was empty. Therefore, on this computer which had the Trojan detected, 1 week previous the folder was there but empty. Not sure why it doesn't appear on the laptop.

Can anyone else check this?

Re: Backdoor.Elpman, False Positive?

Is it possible Norton deleted an empty C:\users\admin\appdata\roaming\pdappflex\local store\ #sharedobjects folder, as the Backdoor.Elpman virus targets pdappflex?

Re: Backdoor.Elpman, False Positive?

@Lee crease and @Vienna10: I agree with all your last posts. That is what I've been thinking. Remember I noted that I have some scripts that I run that show the structure of my entire C: drive with date stamps. The appdata\roaming\pdappflex\local store\ #sharedobjects folder was set up and empty on the day I installed Adobe Photoshop Elements 13. I remember many times manually looking in that folder and it was always empty. Since I normally run checks on my machine, I see that the folder was always empty, at least up until the point Norton thinks it found something. So one thing I did as a test today was to recreate that folder structure manually and run a quick scan; Norton didn't do anything with it, the scan came out clean. So that worries me a bit. I still remain puzzled with two concerns. 1. Why did my full system scan 1 hour earlier not find anything, but then after a LiveUpdate it found something with the quick scan a mere hour later? 2. If there was nothing there at the 1:45AM scan but then at the 2:49AM scan it found something, what happened in that hour window, other than new definitions being loaded? Also, why would the few of us here encounter it around the same time, including the folks on Reddit who were running the enterprise version of Norton? Also, I wonder if the registry settings were actually changed by Norton when it did its supposed fix, as my registry settings are time stamped from that time.

I did the previous folders check, and on 4/28/2016 the folder structure was there and empty, as I remember it.

Vienna10, can you check if Norton had run LiveUpdate on or around May 4th and a scan near that time? What if a set of the definitions was downloaded and then later overwritten by a new set of definitions if they found an issue with them? The odd thing is that your registry settings are different. Do you have the same versions of Adobe on both machines? What is still perplexing is that the Norton quarantine does not show us the exact name of the file it thinks it found. I too am worried about doing a restore, but what I keep going back to is why did my full system scan not find anything and a mere hour later, after new defs had downloaded, it triggered the find. It is also odd that you do not have the directory on your notebook, again unless it is tied to a specific version. And lastly, if this was a true virus, for me where did it come from within that hour after my full system scan? Aren't Trojans supposed to be piggybacking a file, not just randomly inserting themselves onto a PC? And again, multiple full system scans later and multiple NPE scans including rootkit scans, it finds nothing.

Re: Backdoor.Elpman, False Positive?

I have the same version of Adobe on both machines. It's a subscription to Creative Cloud, which has Photoshop and Lightroom. Not sure why the pdappflex folder was on the PC but not the laptop. Both machines are running Win 7 Pro 64-bit, both with Norton and all Windows updates, so the software should be mirrored.

On checking Norton Security History, mine did a LiveUpdate at 10:50am on the 4th; the virus was detected at 12:50pm on the 4th, then it did another LiveUpdate at 13:01.

It seems the only way we are going to find out what the file was, if any, is to risk a restore.

Re: Backdoor.Elpman, False Positive?

I think you're all forgetting something. If you read my text file, you would realise that Norton deleted other files as well:

File: c:\users\admin\appdata\local\temp\ cr_sdk_00741847.tmp Removed
File: c:\users\admin\appdata\local\temp\ ~df041fe4282a03c16c.tmp Threat Removed
File: c:\users\admin\appdata\local\temp\ ~df06f98c2655ef4f8b.tmp Threat Removed
File: c:\users\admin\appdata\local\temp\ ~df0b5332fe3c0a1c0b.tmp Threat Removed
File: c:\users\admin\appdata\local\temp\ ~df0e2c8431d2c3d1de.tmp Threat Removed
File: c:\users\admin\appdata\local\temp\ ~df12be8684034b324d.tmp Threat Removed
File: c:\users\admin\appdata\local\temp\ ~df416d11f75c13d047.tmp Threat Removed
File: c:\users\admin\appdata\local\temp\ ~df4449e1b3d17a9e1b.tmp Removed
File: c:\users\admin\appdata\local\temp\ ~df4c617f1a377e79fa.tmp Threat Removed
File: c:\users\admin\appdata\local\temp\ ~df5e5c4e1157e01762.tmp Threat Removed
File: c:\users\admin\appdata\local\temp\ ~df7ec0b74d5599f88d.tmp Threat Removed
File: c:\users\admin\appdata\local\temp\ ~dfbb4fad3e7a94a49b.tmp Threat Removed
File: c:\users\admin\appdata\local\temp\ ~dfc01a621e16ef48c7.tmp Threat Removed
File: c:\users\admin\appdata\local\temp\ ~dfc590560ce94834d0.tmp Threat Removed
File: c:\users\admin\appdata\local\temp\ ~dfcf25182303a55f3f.tmp Threat Removed
File: c:\users\admin\appdata\local\temp\ ~dff20f5ae3982391a8.tmp Threat Removed

Go figure!


Re: Backdoor.Elpman, False Positive?

Mine had the following temp files also:

File: c:\users\admin\appdata\local\temp\ adolixsplitmergepdf.tmp Threat Removed

File: c:\users\admin\appdata\local\temp\ ahi6817.tmp Removed

File: c:\users\admin\appdata\local\temp\ wctc610.tmp Threat Removed

File: c:\users\admin\appdata\local\temp\ wctf1ef.tmp Threat Removed

File: c:\users\admin\appdata\local\temp\ ~df50e0330a8f60a5d8.tmp Removed

File: c:\users\admin\appdata\local\temp\ ~dfdae9db39b8ee3ee0.tmp Removed


Re: Backdoor.Elpman, False Positive?

Right, mine only deleted directories, no temp files.  So that has me concerned.  If any of you is going to do a full system wipe and restore, maybe before you do it would be a good idea to restore and send to Norton. But I am still concerned how a Trojan gets on a PC at that time of morning when I am not on my machine.  Behind two firewalls and Norton firewall you would think it would have necessitated my actions of downloading a file for it to be attached/piggy backing it. 

Since my Norton found no temp files, my biggest concern is if I restore and all I see is a set of folders... then what do I submit? Empty folders?

Also, does anyone see the following statistical submissions on theirs?

5/4/2016 2:49:19 AM,Info,Statistical Submission: Backdoor.Elpman (Presence),Submitted,No Action Required,5/4/2016 4:37:09 AM,Norton Internet Security,Statistical Submission: Backdoor.Elpman (Presence),"CSIDL_PROFILE\appdata\roaming\pdappflex

5/4/2016 2:49:19 AM,Info,Statistical Submission: Backdoor.Elpman (Presence),Submitted,No Action Required,5/4/2016 4:37:10 AM,Norton Internet Security,Statistical Submission: Backdoor.Elpman (Presence),"CSIDL_PROFILE\appdata\roaming\pdappflex\local store\#sharedobjects

5/4/2016 2:49:19 AM,Info,Statistical Submission: Backdoor.Elpman (Presence),Submitted,No Action Required,5/4/2016 4:37:09 AM,Norton Internet Security,Statistical Submission: Backdoor.Elpman (Presence),"CSIDL_PROFILE\appdata\roaming\pdappflex\local store

What does it mean by: Backdoor.Elpman (Presence)? What did it detect? As you can see, no files, just folders. The timestamp is the exact same timestamp as the quarantine.

Kudos0

Re: Backdoor.Elpman, False Positive?

And if Norton states the threat has been removed and no further action is necessary should we still be concerned? Other than me wondering what file triggered it and where did it come from?

Kudos0

Re: Backdoor.Elpman, False Positive?

I am still concerned even though Norton is stating no action necessary. All of the other people posting, and on the reddit site, are also stating temp files detected/removed.

The plot thickens. Is there any chance Norton will respond to the files already submitted?

Kudos0

Re: Backdoor.Elpman, False Positive?

Hello

I have a possible idea. Since you are all afraid to restore the files, I don't know if this is possible. I'm wondering, if Norton accessed your computers, whether they could somehow get the necessary files that way?

Would it be possible for you all to wait before restoring and wait till next week? I realize that is a lot to ask of you. I would like Sunil to see all of what you have posted. Maybe there is some way that Symantec can get those files without you having to restore from quarantine in order to submit. I don't know if Sunil will be online over the weekend.

I am going to tell Sunil to check out this thread and see if there is a way that Symantec can get these files and also to see the temp files you are mentioning.

Is there anything in the resolved security risks in the Security History Logs?

Thanks.

Success always occurs in private and failure in full view. Windows 7 Pro 64 bit Norton Core Security Plus 22.17.2.47 Core Firmware 282 I E 11 Chrome latest version.
Kudos0

Re: Backdoor.Elpman, False Positive?

I wouldn't bother with a full restore, even though I'm paranoid.

Based on the knowledge I have on this subject, I'd say it's a false positive, until proven otherwise. Leaving it in quarantine though. I'd recommend just waiting to see what they say before doing that.

Kudos0

Re: Backdoor.Elpman, False Positive?

Both my Quarantine History and my Resolved Security Risks History logs contain the exact same thing. Those are the only entries in there, as Norton has never triggered an issue on this machine. Below is the output: no temp files or anything, just the directories with the registry changes and the name of the malware/virus, but no file name that I can tell, unless the name of the virus is the file name, which would seem odd and revealing.

I've only changed my user name to xxxx in the entries below; other than that, both files diffed show the exact same thing for resolved and quarantine. There is no other logging anywhere in Norton or, as I mentioned, in my checking of the registry, event logs, services, etc... I ran NPE (with rootkit scan) and multiple full system scans since, and all have come back clean.

The big thing to recall, which still strikes me as very odd, is that on the same morning (5/4/2016), my scheduled full system scan ran from 12:30AM to 1:45AM (it came back clean, no issues detected). Then at 2:00AM there was the nightly Adobe update check; its log files indicate nothing was downloaded, and I verified this too by checking all of those locations. At 2:45AM new Norton virus definitions were downloaded (Norton Virus Definitions X64 Success (1.76MB)), then at 2:49AM a quick scan ran and detected the issue as noted in the Quarantine/Resolved Security Risks output below. Again, I checked histories and previous versions of the pdappflex folder, and on 4/28/2016, which is the nearest pre-incident backup Windows has, those folders were still empty. So I then traced back all I have done on this machine lately, which has not been a lot, and no downloads occurred, no email attachments; I checked my files by date, etc... So what still bothers me the most is: if this was a real threat, where did it come from?

File details below:

Filename: Backdoor.Elpman
Full Path: Not Available

____________________________

____________________________


On computers as of
Not Available

Last Used
5/4/2016 at 2:49:19 AM

Startup Item
No

Launched
No

Threat type: Virus. Programs that infect other programs, files, or areas of a computer by inserting themselves or attaching themselves to that medium.


____________________________


Backdoor.Elpman
Locate


Unknown
It is unknown how many users in the Norton Community have used this file.

Unknown
This file release is currently not known.

High
This file risk is high.


____________________________


Source: External Media


____________________________

File Actions

Directory: c:\users\xxxx\appdata\roaming\pdappflex\local store\ #sharedobjects Threat Removed
Directory: c:\users\xxxx\appdata\roaming\pdappflex\ local store Threat Removed
Directory: C:\Users\xxxx\AppData\Roaming\ PDAppFlex Threat Removed
____________________________

Registry Actions

Registry change: HKEY_USERS\S-1-5-21-380843036-1408501763-44654547-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\->Startup:C:\Users\xxxx\Start Menu\Programs\ Startup Repaired
Registry change: HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\->Startup:C:\Users\xxxx\Start Menu\Programs\ Startup Repaired
Registry change: HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\->Startup:C:\Users\xxxx\Start Menu\Programs\ Startup Repaired
Registry change: HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\->Startup:C:\Users\xxxx\Start Menu\Programs\ Startup Repaired
____________________________


File Thumbprint - SHA:
Not available
File Thumbprint - MD5:
Not available

Kudos0

Re: Backdoor.Elpman, False Positive?

Hello Masso

Do you have an external drive, or have you used something like a pen drive? What sometimes happens is that a new antivirus definition could find something in your computer that has been there. The new definitions were not available when you did the full system scan an hour earlier. This is just my opinion, and I am not a malware expert. I have asked Sunil to read this thread when he comes back to work. Don't know, but perhaps those logs you provided may help. They may want to access your computer to get more logs or something. Don't know for sure, but it is a possibility if you give them permission.

Thanks.

Success always occurs in private and failure in full view. Windows 7 Pro 64 bit Norton Core Security Plus 22.17.2.47 Core Firmware 282 I E 11 Chrome latest version.
Kudos0

Re: Backdoor.Elpman, False Positive?

No pen drives. Ran a full system scan on the external backup drive today as well, and all came back clean. That drive, btw, is only connected minutes at a time when I manually back up files. But according to the article on that particular virus, it had updated defs by the end of April, and I make sure my defs are updated daily. But that's what made me think it was a false positive based on new defs, because as of April 28th, the last known Windows backup, those directories were still empty, and I usually check the appdata/local and appdata/roaming directories daily as well, and the timestamps for pdappflex had not changed since September, which was when I had installed Photoshop. The Windows backup check also confirmed those dates. And I had not downloaded anything on that PC in over a week, with almost no web usage as well. Hence why I jumped to the conclusion that it might have been a false positive. The reddit article also seemed to indicate it could have been the definitions. I'd be happy to send any necessary files but don't feel comfortable granting access to the PC nor restoring from quarantine.
