
Strange trojan (?) Backdoor.Graybird


develop...@walla.com
Sep 16, 2005, 10:24:35 AM


Hi... I think I may have something alive in my minitower:

Each time the PC boots, NAV message: infected file in c:\TEMP\MC21.TMP
with Backdoor.Graybird Trojan (C:\temp is my Windows 2000 temporary
directory). NAV then says the file was deleted, but on the next reboot
the file reappears in C:\temp and the warning is the same. To provide
the sample, I disabled NAV, zipped the file MC21.TMP in a zip file,
and attached it. I have NAV and NIS 2003, fully LiveUpdated, Win2k SP4
also fully updated.


Sent a zipped sample of this file to Symantec and Antivir support
teams, and the strange thing is, Symantec replied:

C:\mc21.zip is an infected container file of type ZIP
mc21.tmp is non-repairable threat. Please delete this file and
replace it if necessary. Please follow the instruction at the end of
this email message to install the latest rapidrelease definitions.
This file is contained by C:\mc21.zip

But when I sent it to AntiVir PersonalEdition Support-Team
(Antivir is a competing freeware antivirus)
they said they didn't detect any virus:

Thank you for your recent inquiry.

We could not find a virus or virulent components in the attachment
you have sent us.

Admittedly, I forgot to give them the password for my zip file; I guess
they didn't need that to scan or something.

The problem began about the same time I had an issue with NAV where it
stopped receiving LiveUpdates, with error messages LU1812, LU6004 and
LU1806 just before the installation phase of the NAV definitions. I know it
is a NIS problem and not NAV because I used a Symantec article,
"LiveUpdate fails to install updates", and one of the DLLs it instructs you
to unregister and re-register (with regsvr32.exe) is NISLUCBK.DLL. When I try
to do a regsvr32 "C:\Program Files\Norton Internet Security
Professional\NISLUCBK.DLL"
it responds with: "DllRegisterServer registration failed.
Return code was 0x80020009". It will let me unregister it but not register it. So
it is possible that the above trojan found a way to disable NIS so it
can operate freely!
After I completely uninstalled NAV/NIS and LiveUpdate with the
Rnav2003.exe and RnisUPG.exe utilities, LiveUpdate is successful but
the above DLL still won't register.

Could this trojan have disabled NIS?

And how do I stop this warning message every reboot?
Did a complete NAV scan, discovered no viruses.
I tried scanning with the online scanner
http://www.windowsecurity.com/trojanscan/
with no relevant results (a few malware cookies and that's it).

could this be just some regular temp file with the same name as the
graybird trojan which confuses NAV?
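The closing question of this post, whether MC21.TMP is an ordinary temp file that some other program keeps recreating, is settled by finding out which process creates it. As an added example (not code from this thread or from any product named in it), the Python below attributes file creations in a temp directory to their creating process from Sysinternals Sysmon FileCreate records (Event ID 11). It assumes a modern Windows host with Sysmon installed, which did not exist in 2005, and an XML export such as `wevtutil qe Microsoft-Windows-Sysmon/Operational /q:"*[System[EventID=11]]" /f:xml` wrapped in a single root element. The event records, the scanner path and the timestamps are constructed for the example. The name test encodes the Win32 GetTempFileName() format (up to three prefix characters, one to four hex digits, a .TMP extension), which MC21.TMP and MC22.TMP both fit.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter, defaultdict
from typing import Dict, List, Optional

# Names produced by the Win32 GetTempFileName() API: a prefix of up to three
# characters, one to four hex digits and a .TMP extension (MC21.TMP, MC22.TMP).
TEMP_NAME = re.compile(r"^[^\\/]{1,3}[0-9A-Fa-f]{1,4}\.tmp$", re.IGNORECASE)

# Sysmon writes events in the standard Windows event XML namespace.
EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Constructed Sysmon FileCreate (Event ID 11) records, trimmed to the fields
# used here.  The creating image is a hypothetical antispyware scanner, not
# the path of any real product.
SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>11</EventID></System>
  <EventData>
    <Data Name="UtcTime">2005-09-16 06:58:03.117</Data>
    <Data Name="ProcessId">1480</Data>
    <Data Name="Image">C:\Program Files\ExampleAntiSpyware\scanner.exe</Data>
    <Data Name="TargetFilename">C:\WINDOWS\TEMP\MC21.TMP</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>11</EventID></System>
  <EventData>
    <Data Name="UtcTime">2005-09-16 06:58:05.201</Data>
    <Data Name="ProcessId">1480</Data>
    <Data Name="Image">C:\Program Files\ExampleAntiSpyware\scanner.exe</Data>
    <Data Name="TargetFilename">C:\WINDOWS\TEMP\MC22.TMP</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>11</EventID></System>
  <EventData>
    <Data Name="UtcTime">2005-09-16 06:58:09.940</Data>
    <Data Name="ProcessId">812</Data>
    <Data Name="Image">C:\WINDOWS\system32\svchost.exe</Data>
    <Data Name="TargetFilename">C:\WINDOWS\system32\wbem\Logs\wbemprox.log</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>11</EventID></System>
  <EventData>
    <Data Name="UtcTime">2005-09-17 06:59:44.300</Data>
    <Data Name="ProcessId">1512</Data>
    <Data Name="Image">C:\Program Files\ExampleAntiSpyware\scanner.exe</Data>
    <Data Name="TargetFilename">C:\WINDOWS\TEMP\MC21.TMP</Data>
  </EventData>
</Event>
</Events>
"""


def parse_file_creates(xml_text: str) -> List[Dict[str, str]]:
    """Return one {field name: value} dict per Event ID 11 record in the export."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.iter(EVT_NS + "Event"):
        if ev.findtext(f"{EVT_NS}System/{EVT_NS}EventID") != "11":
            continue
        events.append({d.get("Name"): (d.text or "") for d in ev.iter(EVT_NS + "Data")})
    return events


def is_temp_style(path: str) -> bool:
    """True for a GetTempFileName-style name inside a directory named temp."""
    parts = path.replace("/", "\\").split("\\")
    return "temp" in (p.lower() for p in parts[:-1]) and bool(TEMP_NAME.match(parts[-1]))


def attribute_temp_files(events: List[Dict[str, str]]) -> Dict[str, Counter]:
    """Map each temp-style file name (upper-cased) to a count of creating images."""
    by_name: Dict[str, Counter] = defaultdict(Counter)
    for ev in events:
        target = ev.get("TargetFilename", "")
        if is_temp_style(target):
            by_name[target.split("\\")[-1].upper()][ev.get("Image", "?")] += 1
    return dict(by_name)


def creator_of(events: List[Dict[str, str]], file_name: str) -> Optional[str]:
    """Most frequent image that created file_name, or None if it was never seen."""
    counts = attribute_temp_files(events).get(file_name.upper())
    return counts.most_common(1)[0][0] if counts else None


if __name__ == "__main__":
    evs = parse_file_creates(SAMPLE_EVENTS)
    for name, images in attribute_temp_files(evs).items():
        print(name, dict(images))
```

A name that is recreated at every boot by the same image, and that image belongs to an installed security product rather than to an unknown binary in a user-writable directory, is the first concrete sign that the detection is worth challenging rather than acting on.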

David H. Lipman
Sep 16, 2005, 10:30:12 AM
From: <develop...@walla.com>

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.graybird.html

Use the following Multi Vendor AV Scanning Tool to scan the system. Please start with the
McAfee module.


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
http://kixtart.org ; Kixtart is CareWare }, three batch files, five Kixtart scripts, one Link
(.LNK) file, a PDF instruction file and two utilities: UNZIP.EXE and WGET.EXE. It will
simplify the process of using the Sophos, Trend and McAfee Anti-Virus Command Line Scanners to
remove viruses, Trojans and various other malware.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode. This
way all the components can be downloaded from each AV vendor’s web site.
The choices are: Sophos, Trend, McAfee, Exit the menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software firewall or allow WGET.EXE to go through your
firewall to allow it to download the needed AV vendor related files.

* * * Please report back your results * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


ssro...@comcast.net
Sep 16, 2005, 11:40:24 AM
I started having the same problem this morning on both my laptop and my
desktop. I also tried a complete system scan and found nothing. I also
tried a system scan with Spy Sweeper. I have the latest versions of
both NIS and Spy Sweeper, and both are up to date as of this morning. I
tried all of the steps suggested by Symantec for removing the graybird
trojan to no avail. I could find only one of the files mentioned in
their writeup, winlogon.exe, and none of the registry entries that they
said should be there. Winlogon appears to be a legitimate Microsoft
file. I'll try the multivendor scan tonight, but I am beginning to
think that Symantec has a problem that they have not yet acknowledged.
Either that, or this is a new version of graybird that installs itself
as a rootkit. Unfortunately, I had a rootkit remover at one time, but
now I can't find it. Any suggestions for a freeware version?

David H. Lipman
Sep 16, 2005, 11:48:40 AM
From: <ssro...@comcast.net>

Sysinternals has RootKit Revealer. I can't say if this would be effective with this
Backdoor Trojan.
http://www.sysinternals.com/Utilities/RootkitRevealer.html

Malcolm
Sep 16, 2005, 1:46:02 PM


This identical problem started for me this morning.
I've tried RootkitRevealer - no difference.
Malcolm

jam...@gmail.com
Sep 16, 2005, 2:01:49 PM

ejcor...@coopertire.com
Sep 16, 2005, 2:35:27 PM
We ran into the problem this afternoon and it looks like it is related
to Spy Sweeper and the latest update. We're on the phone with support
and they know about the problem. I'm not sure if it is a false
positive or what. I hope that helps.

ejcor...@coopertire.com
Sep 16, 2005, 2:42:13 PM

After more inspection it is a False Positive on Symantec's part. They
are removing a temp file created by Spy Sweeper. I believe it is
related to the newest defs of each and should be fixed in the next
release.

:)

rod....@sierraclub.org
Sep 16, 2005, 3:05:47 PM
We just came to the same conclusion about it being the latest Symantec
definitions. I was just about to contact Symantec, but it appears that
Webroot is on the case and should have better luck than me getting it
resolved.
Cheers.

Malcolm
Sep 16, 2005, 4:39:32 PM
I use Spyware Doctor.
I disabled it at start-up and the Norton-reported virus Backdoor
Graybird did not appear!
When I enabled Spyware Doctor after booting I got the Norton alert!
Are Spyware Doctor and Spy Sweeper using the same databases?
I'll report my findings to Spyware Doctor.
Thanks,
Malcolm

shepar...@gmail.com
Sep 17, 2005, 12:00:08 AM
I have been trying to solve this same problem today. Became suspicious
when NAV found it on both my laptop and desktop. It was not detected
on a 2nd desktop I have. Interestingly, the computers NAV detects it
on both run Spyware Doctor. The computer that boots cleanly does not
have Spyware Doctor on it. I am not going to worry about it for now
and hope the next NAV definitions fix it.

Malcolm
Sep 17, 2005, 1:52:46 AM
Spyware Doctor replied to me saying ....

"Please be assured that Spyware Doctor does not contain a virus. This
appears to be a false detection resulting from the latest Norton
Antivirus Updates. We are currently investigating this. You may also
wish to contact Norton concerning this detection."

Over to Norton!!!

Malcolm
Sep 17, 2005, 2:00:46 AM
Latest Liveupdate from Norton has fixed this problem on my machine.

Diane
Sep 17, 2005, 8:18:36 AM

<ejcor...@coopertire.com> wrote in message
news:1126895727.7...@g49g2000cwa.googlegroups.com...

I posted earlier this a.m. with regard to this issue; the only time I get a
notice from NAV about this trojan is when I open Webroot's Spy Sweeper.

I did the entire Norton removal procedure and when it came time to do the
last step and edit the registry, there was nothing to edit....go figure.

I am contacting Webroot. This shouldn't be happening. The file allegedly
affected on my PC is C:\WINDOWS\temp\mc22.tmp. My PC is running fine, btw.

D.


Ian Kenefick
Sep 17, 2005, 8:37:26 AM
On Sat, 17 Sep 2005 08:18:36 -0400, "Diane"
<phonya...@invaliddomain.com> wrote:

>I posted earlier this a.m. with regard to this issue; the only time I get a
>notice from NAV about this trojan is when I open Webroot's Spy Sweeper.
>
>I did the entire Norton removal procedure and when it came time to do the
>last step and edit the registry, there was nothing to edit....go figure.
>
>I am contacting Webroot. This shouldn't be happening. The file allegedly
>affected on my PC is C:\WINDOWS\temp\mc22.tmp. My PC is running fine, btw.

I wouldn't worry about it. It's more of an annoyance than anything.
Sounds like a quarantined file, a piece of malware already removed by
Spy Sweeper. What seems to be happening is Norton is correctly
identifying malware located within the Spy Sweeper quarantine. Just disable
Norton temporarily and purge (delete) the entire Spy Sweeper
quarantine.


--
Ian Kenefick
http://www.ik-cs.com
http://antivirus.ik-cs.com

Charles Eaves
Sep 17, 2005, 10:59:19 PM
I have to agree.
I am in the same boat as everyone else who has posted.
I set my computer back to before the last update from Norton.
The Graybird problem went away.
I just updated my NAV defs today (different file size from the one the other
day).
I restarted my computer (I didn't need to but I did) and no virus message
shows.
Whenever I started or restarted my computer a few days ago, I would always get the
Graybird "detected" popup.
Everything is fine now.
Something is going on: Spy Sweeper and Symantec sending updates days after
their last update.
Hmmm!
Just a thought!

"Malcolm" <malcolm...@ntlworld.com> wrote in message
news:1126936846....@z14g2000cwz.googlegroups.com...

bpa_retired
Sep 18, 2005, 12:26:03 PM

"Ian Kenefick" wrote:
>
> I wouldn't worry about it. It's more of an annoyance than anything.
> Sounds like a quarantined file, a piece of malware already removed by
> Spy Sweeper. What seems to be happening is Norton is correctly
> identifying malware located within the Spy Sweeper quarantine. Just disable
> Norton temporarily and purge (delete) the entire Spy Sweeper
> quarantine.
>
>
> --
> Ian Kenefick
> http://www.ik-cs.com
> http://antivirus.ik-cs.com
>

Wow -- 6 sentences with 7 poor assessments/recommendations. Yes it is/was
annoying; but that really couldn't be determined until the true culprit (NAV)
was identified and fixed.

As noted above by Malcolm, Norton has indeed issued (9/17) a virus
definition update which has apparently resolved the 'falsely positive' NAV
identification of a SpySweeper startup file. Both of my PCs are now OK.
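The thread reaches its verdict by lining up three observations: only one of the two vendors asked detected the sample, the alert appears exactly on the hosts running a particular antispyware product and not on the others, and on every host it started just after a definition update and stopped after the next one. As an added example (not code from this thread or from any vendor), the following Python turns that reasoning into a repeatable triage check. The host inventory, the vendor names, the definition release time and the 48-hour window are constructed for the example; the temp-name test uses the Win32 GetTempFileName() naming format (up to three prefix characters, one to four hex digits, a .TMP extension).

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass
class Host:
    name: str
    runs_product: bool    # host runs the co-installed security product under suspicion
    alerted: bool         # the AV raised the alert on this host
    first_seen: datetime  # when the alert first fired here (ignored if not alerted)


# Constructed inventory mirroring the thread: alerts only on hosts that run the
# other product.  Vendor names and the definition release time are assumptions.
HOSTS = [
    Host("laptop", True, True, datetime(2005, 9, 16, 7, 0)),
    Host("desktop1", True, True, datetime(2005, 9, 16, 7, 30)),
    Host("desktop2", False, False, datetime.min),
]
VERDICTS = {"vendor_a": True, "vendor_b": False}   # one vendor detects, one does not
DEF_RELEASE = datetime(2005, 9, 15, 18, 0)         # assumed release time of the new definitions
FILE_PATH = r"C:\TEMP\MC21.TMP"

# GetTempFileName() naming: up to 3 prefix chars, 1-4 hex digits, .TMP extension.
TEMP_NAME = re.compile(r"^[^\\/]{1,3}[0-9A-Fa-f]{1,4}\.tmp$", re.IGNORECASE)


def consensus(verdicts: Dict[str, bool]) -> float:
    """Fraction of the consulted vendors that flag the sample."""
    return sum(verdicts.values()) / len(verdicts)


def tracks_product(hosts: List[Host]) -> bool:
    """True when the alert fires on exactly the hosts running the other product."""
    return all(h.alerted == h.runs_product for h in hosts)


def clustered_after(hosts: List[Host], release: datetime,
                    window: timedelta = timedelta(hours=48)) -> bool:
    """True when every alerting host first saw the alert within `window` after `release`."""
    times = [h.first_seen for h in hosts if h.alerted]
    return bool(times) and all(release <= t <= release + window for t in times)


def looks_like_scratch_file(path: str) -> bool:
    """True for a GetTempFileName-style name inside a directory called temp."""
    parts = path.split("\\")
    return "temp" in (p.lower() for p in parts[:-1]) and bool(TEMP_NAME.match(parts[-1]))


def triage(hosts: List[Host], verdicts: Dict[str, bool],
           release: datetime, path: str) -> Tuple[str, List[str]]:
    """Weigh the false-positive indicators and return (label, reasons)."""
    reasons = []
    if consensus(verdicts) <= 0.5:
        reasons.append("only a minority of vendors detect the sample")
    if tracks_product(hosts):
        reasons.append("alert appears exactly on hosts running the co-installed product")
    if clustered_after(hosts, release):
        reasons.append("every first sighting falls shortly after a definition release")
    if looks_like_scratch_file(path):
        reasons.append("flagged object is a GetTempFileName-style scratch file")
    if len(reasons) >= 3:
        label = "likely false positive"
    elif reasons:
        label = "inconclusive"
    else:
        label = "likely real"
    return label, reasons


if __name__ == "__main__":
    verdict, why = triage(HOSTS, VERDICTS, DEF_RELEASE, FILE_PATH)
    print(verdict)
    for reason in why:
        print(" -", reason)
```

The labels map onto what the thread ended up doing: "likely false positive" means keep the sample, report it to both vendors and re-check after the next definition update rather than deleting files or editing the registry; "inconclusive" means identify the process that creates the file and get more vendor opinions before acting; "likely real" means isolate the host and follow the vendor's removal procedure.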


Aceyou
Jan 4, 2006, 2:08:49 AM
I note several people have had this problem with Graybird. However, I
didn't start having it until last weekend, shortly after I upgraded from
Norton 2004 to Norton 2006 Internet Security. I also am running Spyware
Doctor as well as CounterSpy, but neither of them has any quarantined
files. I've been trying to get an answer from Symantec but all they do is
refer me to their web site and hyperlinks that don't discuss this
particular problem at all, or they try to get me to pay them money to get
them to help me solve the problem. The last post on this before mine is
from Sept 2005. Has there been anything since then that may be of help to
me?

Jurren Bouman
Jan 4, 2006, 4:16:39 AM
There are several "Graybirds" at the Norton/Symantec website:
http://search.symantec.com/custom/update/query.html?filter=all&qt=Backdoor.Graybird&nh=10&hitsceil=100&st=1&context=gbh&x=14&y=7
Pick the one you have and there are manual removal instructions...

Try to run a full online scan at: "Windows Live Safety Center"
http://safety.live.com/site/en-US/default.htm
Disable Norton while this scan is running...

David H. Lipman
Jan 4, 2006, 9:49:19 AM
From: "Aceyou" <ace...@yahoo.com>

It may be a False Positive. This situation with NAV and that infector has been reported to
be a False Positive before.

The following tool can help diagnose the problem and remove the Trojan "if" present.


Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...


Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software firewall or allow WGET.EXE to go through your
firewall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}


This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.

The choices are: Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.

You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm


* * * Please report back your results * * *
