Posted by on September 16, 2005, 10:24 am
Hi... I think I may have something alive in my minitower:
Each time PC boots, NAV message: infected file in c:\TEMP\MC21.TMP
with Backdoor.Graybird Trojan (C:\temp is my Windows 2000 temporary
directory) NAV then says the file was deleted, but in the next reboot
the file reappears in C:\temp and the warning is the same. To provide
the sample, I disabled NAV, zipped the file MC21.TMP in a zip file,
and attached it. I have NAV and NIS 2003, fully liveupdated, win2k SP4
also fully updated.
Sent a zipped sample of this file to Symantec and Antivir support
teams, and the strange thing is, Symantec replied:
C:\mc21.zip is an infected container file of type ZIP
mc21.tmp is non-repairable threat. Please delete this file and
replace it if necessary. Please follow the instruction at the end of
this email message to install the latest rapidrelease definitions.
This file is contained by C:\mc21.zip
But when I sent it to AntiVir PersonalEdition Support-Team
(Antivir is a competing freeware antivirus)
they said they didn't detect any virus:
Thank you for your recent inquiry.
We could not find a virus or virulent components in the attachment
you have sent us.
Admittedly, I forgot to give them the password for my zip file; I guess
they didn't need that to scan or something.
The problem began about the same time I had an issue with NAV where it
stopped receiving liveupdates, with error messages LU1812, LU6004 and
LU1806 just before installation phase of the NAV definitions. I know it
is a NIS problem and not NAV because I used a symantec article
"LiveUpdate fails to install updates" and one of the DLLs it instructs
unreg and re-register (with regsvr32.exe) is NISLUCBK.DLL. When I try
to do a regsvr32 "C:\Program Files\Norton Internet Security
Professional\NISLUCBK.DLL"
It responds with: "DLLRegisterServer registration failed
Return code was 0x80020009". It will let me unreg it but not reg. So
it is possible that the above trojan found a way to disable NIS so it
can operate freely!
After I completely uninstalled NAV/NIS and liveupdate, with the
Rnav2003.exe and RnisUPG.exe utilities, liveupdate is successful but
the above DLL still won't register.
Could this trojan have disabled NIS?
and how do I stop this Warning message every reboot?
Did a complete NAV scan, discovered no viruses.
I tried scanning with the online scanner
http://www.windowsecurity.com/trojanscan/ with no relevant results (a few malware cookies and that's it)
could this be just some regular temp file with the same name as the
graybird trojan which confuses NAV?
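An added example, not part of the original post: the AntiVir reply above ("We could not find a virus") is exactly what a vendor's desk produces when it receives a password-protected archive without the password, because a scanner cannot open ZipCrypto-protected members at all. The Python script below, written for this edit, builds a password-protected ZIP around a constructed placeholder file (not a real sample), shows how the recipient can tell from the header flag bits that a member is encrypted, demonstrates that extraction fails without the password, and prints the hashes of the plaintext that should go in the submission mail so both sides can confirm what was sent. The file name MC21.TMP is taken from the post; the password "infected" is the usual convention for malware submissions and is an assumption here, since the thread does not say what password was used. The ZipCrypto routine is implemented inline only because Python's standard library can read, but not write, encrypted archives; it is a weak legacy cipher whose only job is to stop mail gateways and the recipient's own AV from deleting the sample in transit.

```python
"""Package a suspect file for AV-vendor submission and show what the
vendor can and cannot scan. Added example; all sample data is constructed."""
import hashlib
import io
import os
import struct
import zipfile
import zlib

# Constructed placeholder standing in for C:\TEMP\MC21.TMP. Not malware.
SAMPLE_NAME = "MC21.TMP"
SAMPLE_DATA = b"MZ" + b"\x00" * 62 + b"constructed placeholder, not a real sample"
PASSWORD = b"infected"  # assumed convention; check the vendor's submission page


class ZipCrypto:
    """Traditional PKWARE ZipCrypto key stream (encryption side).

    Implemented here only because zipfile can read but not write encrypted
    members. It is weak; it exists to keep the sample intact in transit."""

    def __init__(self, password):
        self.keys = [0x12345678, 0x23456789, 0x34567890]
        for b in password:
            self._update(b)

    @staticmethod
    def _crc_step(crc, b):
        # One CRC-32 table step without zlib's pre/post inversion.
        return zlib.crc32(bytes([b]), crc ^ 0xFFFFFFFF) ^ 0xFFFFFFFF

    def _update(self, b):
        k = self.keys
        k[0] = self._crc_step(k[0], b)
        k[1] = (k[1] + (k[0] & 0xFF)) & 0xFFFFFFFF
        k[1] = (k[1] * 134775813 + 1) & 0xFFFFFFFF
        k[2] = self._crc_step(k[2], k[1] >> 24)

    def encrypt(self, data):
        out = bytearray()
        for b in data:
            t = self.keys[2] | 2
            out.append(b ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(b)  # the key stream advances on the plaintext byte
        return bytes(out)


def build_encrypted_zip(name, data, password):
    """Single stored member with general-purpose flag bit 0 (encrypted) set."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    zc = ZipCrypto(password)
    # 12-byte encryption header: 11 random bytes plus the CRC's high byte,
    # which readers use to reject a wrong password before decrypting.
    body = zc.encrypt(os.urandom(11) + bytes([crc >> 24])) + zc.encrypt(data)
    fname = name.encode("ascii")
    flags, method, dos_time, dos_date = 0x0001, 0, 0x5300, 0x3330
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method,
                        dos_time, dos_date, crc, len(body), len(data),
                        len(fname), 0) + fname
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags,
                          method, dos_time, dos_date, crc, len(body),
                          len(data), len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1, len(central),
                       len(local) + len(body), 0)
    return local + body + central + eocd


def encrypted_members(zip_bytes):
    """Map member name -> True if a password is needed before it can be scanned."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {zi.filename: bool(zi.flag_bits & 0x1) for zi in zf.infolist()}


def extract_member(zip_bytes, name, password=None):
    """What the vendor's desk does; raises RuntimeError without the password."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.read(name, pwd=password)


def sample_hashes(data):
    """Hashes to quote in the submission so both sides can confirm the file."""
    return {alg: hashlib.new(alg, data).hexdigest()
            for alg in ("md5", "sha1", "sha256")}


if __name__ == "__main__":
    archive = build_encrypted_zip(SAMPLE_NAME, SAMPLE_DATA, PASSWORD)
    print("encrypted members:", encrypted_members(archive))
    try:
        extract_member(archive, SAMPLE_NAME)  # no password supplied
    except RuntimeError as err:
        print("vendor without the password gets:", err)
    plain = extract_member(archive, SAMPLE_NAME, PASSWORD)
    assert plain == SAMPLE_DATA
    print("hashes to put in the mail:", sample_hashes(plain))
```

The point for submissions is the `encrypted_members` check: a member with flag bit 0 set is opaque to any scanner until the password is supplied, so a "no virus found" reply on such an archive says nothing about the file. Always send the password in the mail body and quote the plaintext hashes, so the vendor can confirm they scanned the same bytes you extracted.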
Posted by David H. Lipman on September 16, 2005, 10:30 am
|
| Hi... I think I may have something alive in my minitower:
|
| Each time PC boots, NAV message: infected file in c:\TEMP\MC21.TMP
| with Backdoor.Graybird Trojan (C:\temp is my Windows 2000 temporary
| directory) NAV then says the file was deleted, but in the next reboot
| the file reappears in C:\temp and the warning is the same. To provide
| the sample, I disabled NAV, zipped the file MC21.TMP in a zip file,
| and attached it. I have NAV and NIS 2003, fully liveupdated, win2k SP4
| also fully updated.
|
| Sent a zipped sample of this file to Symantec and Antivir support
| teams, and the strange thing is, Symantec replied:
|
| C:\mc21.zip is an infected container file of type ZIP
| mc21.tmp is non-repairable threat. Please delete this file and
| replace it if necessary. Please follow the instruction at the end of
| this email message to install the latest rapidrelease definitions.
| This file is contained by C:\mc21.zip
|
| But when I sent it to AntiVir PersonalEdition Support-Team
| (Antivir is a competing freeware antivirus)
| they said they didn't detect any virus:
|
| Thank you for your recent inquiry.
|
| We could not find a virus or virulent components in the attachment
| you have sent us.
|
| Admittedly, I forgot to give them the password for my zip file; I guess
| they didn't need that to scan or something.
|
| The problem began about the same time I had an issue with NAV where it
| stopped receiving liveupdates, with error messages LU1812, LU6004 and
| LU1806 just before installation phase of the NAV definitions. I know it
| is a NIS problem and not NAV because I used a symantec article
| "LiveUpdate fails to install updates" and one of the DLLs it instructs
| unreg and re-register (with regsvr32.exe) is NISLUCBK.DLL. When I try
| to do a regsvr32 "C:\Program Files\Norton Internet Security
| Professional\NISLUCBK.DLL"
| It responds with: "DLLRegisterServer registration failed
| Return code was 0x80020009". It will let me unreg it but not reg. So
| it is possible that the above trojan found a way to disable NIS so it
| can operate freely!
| After I completely uninstalled NAV/NIS and liveupdate, with the
| Rnav2003.exe and RnisUPG.exe utilities, liveupdate is successful but
| the above DLL still won't register.
|
| Could this trojan have disabled NIS?
|
| and how do I stop this Warning message every reboot?
| Did a complete NAV scan, discovered no viruses.
| I tried scanning with the online scanner
| http://www.windowsecurity.com/trojanscan/ with no relevant results (a few malware cookies and that's it)
|
| could this be just some regular temp file with the same name as the
| graybird trojan which confuses NAV?
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.graybird.html
Use the following Multi Vendor AV Scanning Tool to scan the system. Please start with the McAfee module.
Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe
It is a self-extracting ZIP file that contains the Kixtart Script Interpreter { http://kixtart.org Kixtart is CareWare }, three batch files, five Kixtart scripts, one Link (.LNK) file, a PDF instruction file and two utilities: UNZIP.EXE and WGET.EXE. It will simplify the process of using the Sophos, Trend and McAfee Anti Virus Command Line Scanners to remove viruses, Trojans and various other malware.
C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal Mode. This way all the components can be downloaded from each AV vendor’s web site.
The choices are: Sophos, Trend, McAfee, Exit the menu and Reboot the PC.
You can choose to go to each menu item and just download the needed files, or you can download the files and perform a scan in Normal Mode. Once you have downloaded the files needed for each scanner you want to use, you should reboot the PC into Safe Mode [F8 key during boot], re-run the menu and choose which scanner you want to run in Safe Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.
When the menu is displayed, hitting 'H' or 'h' will bring up a more comprehensive PDF help file.
To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close
Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }
NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your FireWall to allow it to download the needed AV vendor related files.
* * * Please report back your results * * *
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Posted by on September 16, 2005, 11:40 am
I started having the same problem this morning on both my laptop and my
desktop. I also tried a complete system scan and found nothing. I also
tried a system scan with Spy Sweeper. I have the latest versions of
both NIS and Spy Sweeper, and both are up to date as of this morning. I
tried all of the steps suggested by Symantec for removing the graybird
trojan to no avail. I could find only one of the files mentioned in
their writeup, winlogon.exe, and none of the registry entries that they
said should be there. Winlogon appears to be a legitimate Microsoft
file. I'll try the multivendor scan tonight, but I am beginning to
think that Symantec has a problem that they have not yet acknowledged.
Either that, or this is a new version of graybird that installs itself
as a rootkit. Unfortunately, I had a rootkit remover at one time, but
now I can't find it. Any suggestions for a freeware version?
Posted by David H. Lipman on September 16, 2005, 11:48 am
| I started having the same problem this morning on both my laptop and my
| desktop. I also tried a complete system scan and found nothing. I also
| tried a system scan with Spy Sweeper. I have the latest versions of
| both NIS and Spy Sweeper, and both are up to date as of this morning. I
| tried all of the steps suggested by Symantec for removing the graybird
| trojan to no avail. I could find only one of the files mentioned in
| their writeup, winlogon.exe, and none of the registry entries that they
| said should be there. Winlogon appears to be a legitimate Microsoft
| file. I'll try the multivendor scan tonight, but I am beginning to
| think that Symantec has a problem that they have not yet acknowledged.
| Either that, or this is a new version of graybird that installs itself
| as a rootkit. Unfortunately, I had a rootkit remover at one time, but
| now I can't find it. Any suggestions for a freeware version?
Sysinternals has RootKit Revealer. I can't say if this would be effective with this Backdoor Trojan.
http://www.sysinternals.com/Utilities/RootkitRevealer.html
--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
Posted by Malcolm on September 16, 2005, 1:46 pm
David H. Lipman wrote:
>
> | I started having the same problem this morning on both my laptop and my
> | desktop. I also tried a complete system scan and found nothing. I also
> | tried a system scan with Spy Sweeper. I have the latest versions of
> | both NIS and Spy Sweeper, and both are up to date as of this morning. I
> | tried all of the steps suggested by Symantec for removing the graybird
> | trojan to no avail. I could find only one of the files mentioned in
> | their writeup, winlogon.exe, and none of the registry entries that they
> | said should be there. Winlogon appears to be a legitimate Microsoft
> | file. I'll try the multivendor scan tonight, but I am beginning to
> | think that Symantec has a problem that they have not yet acknowledged.
> | Either that, or this is a new version of graybird that installs itself
> | as a rootkit. Unfortunately, I had a rootkit remover at one time, but
> | now I can't find it. Any suggestions for a freeware version?
>
> Sysinternals has RootKit Revealer. I can't say if this would be effective with this
> Backdoor Trojan.
> http://www.sysinternals.com/Utilities/RootkitRevealer.html
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
This identical problem started for me this morning.
I've tried RootkitRevealer - no difference.
Malcolm