Hi... I think I may have something alive in my minitower:
Each time PC boots, NAV message: infected file in c:\TEMP\MC21.TMP
with Backdoor.Graybird Trojan (C:\temp is my Windows 2000 temporary
directory) NAV then says the file was deleted, but in the next reboot
the file reappears in C:\temp and the warning is the same. To provide
the sample, I disabled NAV, zipped the file MC21.TMP in a zip file,
and attached it. I have NAV and NIS 2003, fully liveupdated, win2k SP4
also fully updated.
Sent a zipped sample of this file to Symantec and Antivir support
teams, and the strange thing is, Symantec replied:
C:\mc21.zip is an infected container file of type ZIP
mc21.tmp is non-repairable threat. Please delete this file and
replace it if necessary. Please follow the instruction at the end of
this email message to install the latest rapidrelease definitions.
This file is contained by C:\mc21.zip
But when I sent it to AntiVir PersonalEdition Support-Team
(Antivir is a competing freeware antivirus)
they said they didn't detect any virus:
Thank you for your recent inquiry.
We could not find a virus or virulent components in the attachment
you have sent us.
Admittedly, I forgot to give them the password for my zip file; I guess
they didn't need that to scan or something.
The problem began about the same time I had an issue with NAV where it
stopped receiving LiveUpdates, with error messages LU1812, LU6004 and
LU1806 just before the installation phase of the NAV definitions. I know it
is a NIS problem and not NAV because I used a Symantec article,
"LiveUpdate fails to install updates", and one of the DLLs it instructs
you to unregister and re-register (with regsvr32.exe) is NISLUCBK.DLL. When I try
to do a regsvr32 "C:\Program Files\Norton Internet Security
Professional\NISLUCBK.DLL"
it responds with: "DLLRegisterServer registration failed.
Return code was 0x80020009". It will let me unregister it but not register it. So
it is possible that the above trojan found a way to disable NIS so it
can operate freely!
After I completely uninstalled NAV/NIS and LiveUpdate, with the
Rnav2003.exe and RnisUPG.exe utilities, LiveUpdate is successful but
the above DLL still won't register.
Could this trojan have disabled NIS?
and how do I stop this Warning message every reboot?
Did a complete NAV scan, discovered no viruses.
I tried scanning with the online scanner
http://www.windowsecurity.com/trojanscan/
with no relevant results (a few malware cookies and that's it).
Could this be just some regular temp file with the same name as the
Graybird trojan which confuses NAV?
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.graybird.html
Use the following Multi Vendor AV Scanning Tool to scan the system. Please start with the
McAfee module.
Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe
It is a self-extracting ZIP file that contains the Kixtart Script Interpreter {
http://kixtart.org Kixtart is CareWare }, three batch files, five Kixtart scripts, one Link
(.LNK) file, a PDF instruction file and two utilities: UNZIP.EXE and WGET.EXE. It will
simplify the process of using the Sophos, Trend and McAfee Anti Virus Command Line Scanners to
remove viruses, Trojans and various other malware.
C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode. This
way all the components can be downloaded from each AV vendor’s web site.
The choices are: Sophos, Trend, McAfee, Exit the menu and Reboot the PC.
You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.
When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file.
To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close
Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }
NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.
* * * Please report back your results * * *
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Sysinternals has RootKit Revealer. I can't say if this would be effective with this
Backdoor Trojan.
http://www.sysinternals.com/Utilities/RootkitRevealer.html
This identical problem started for me this morning.
I've tried RootkitRevealer - no difference.
Malcolm
After more inspection it is a False Positive on Symantec's part. They
are removing a temp file created by Spy Sweeper. I believe it is
related to the newest defs of each and should be fixed in the next
release.
:)
"Please be assured that Spyware Doctor does not contain a virus. This
appears to be a false detection resulting from the latest Norton
Antivirus Updates. We are currently investigating this. You may also
wish to contact Norton concerning this detection."
Over to Norton!!!
I posted earlier this am with regard to this issue; the only time I get a
notice from NAV about this trojan is when I open Webroot's Spy Sweeper.
I did the entire Norton removal procedure and when it came time to do the
last step and edit the registry, there was nothing to edit....go figure.
I am contacting Webroot. This shouldn't be happening. The file allegedly
affected on my PC is C:\WINDOWS\temp\mc22.tmp. My PC is running fine, btw.
D.
>I posted earlier this am with regard to this issue; the only time I get a
>notice from NAV about this trojan is when I open Webroot's Spy Sweeper.
>
>I did the entire Norton removal procedure and when it came time to do the
>last step and edit the registry, there was nothing to edit....go figure.
>
>I am contacting Webroot. This shouldn't be happening. The file allegedly
>affected on my PC is C:\WINDOWS\temp\mc22.tmp. My PC is running fine, btw.
I wouldn't worry about it. It's more of an annoyance than anything.
Sounds like a quarantined file. A piece of malware already removed by
Spy Sweeper. What seems to be happening is Norton is correctly
identifying malware located within the Spy Sweeper quarantine. Just disable
Norton temporarily and purge (delete) the entire Spy Sweeper
quarantine.
--
Ian Kenefick
http://www.ik-cs.com
http://antivirus.ik-cs.com
"Malcolm" <malcolm...@ntlworld.com> wrote in message
news:1126936846....@z14g2000cwz.googlegroups.com...
Wow -- 6 sentences with 7 poor assessments/recommendations. Yes it is/was
annoying; but that really couldn't be determined until the true culprit (NAV)
was identified and fixed.
As noted above by Malcolm, Norton has indeed issued (9/17) a virus
definition update which has apparently resolved the 'falsely positive' NAV
identification of a SpySweeper startup file. Both of my PCs are now OK.
Try to run a full online scan at: "Windows Live Safety Center"
http://safety.live.com/site/en-US/default.htm
Disable Norton while this scan is running...
It may be a False Positive. This situation with NAV and that infector has been reported to
be a False Positive before.
The following tool can help diagnose the problem and remove the Trojan "if" present.
Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe
To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close
Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }
NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to allow it to download the needed AV vendor related files.
C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are: Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the PC.
You can choose to go to each menu item and just download the needed files or you can
download the files and perform a scan in Normal Mode. Once you have downloaded the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key
during boot] and re-run the menu again and choose which scanner you want to run in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.
When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive PDF help
file. http://www.ik-cs.com/multi-av.htm
* * * Please report back your results * * *