BackDoor.Greybird Virus & more - help needed

tim_ver · 02-28-2008, 06:43 PM

I just ran a scan on my PC (Symantec Internet Security) and it found 6 items (Backdoor.Greybird, Downloader, Trojan Horse x4) I tried to remove the Backdoor.Greybird item but with no luck I booted in safe mode and went in to Regedit like the instructions said and search for the strings but did not find them and on this second scan I still get found 6 items. Arghhh. Help please. I have XP SP2.

Instructions I followed for the first one were these found at Symantec's website.

Click Start, and then click Run. (The Run dialog box appears.)

Type regedit

Then click OK. (The Registry Editor opens.)

Navigate to each of these the keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\
RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

NOTE: All the keys do not exist on all the systems.

For each one, in the right pane, delete any of the following values:

"svchost" = "%System%\Svch0st.exe"
"winlogon" = "%System%\Winlogon.exe"
"system" = "%System%\Explorer.exe"
"ravmond" = "%System%\Explorer.exe"

If you are running Windows NT/2000/XP, navigate to the key:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows

In the right pane, delete the value:

"run" = "%system%\svch0st.EXE"
"run" = "%system%\ravmond.exe"

Exit the registry editor.

tetonbob · 02-28-2008, 07:46 PM

If you think your computer is infected....

tim_ver · 02-28-2008, 08:25 PM

Ok so How do I fix this issue?

tetonbob · 02-28-2008, 08:28 PM

If you want help here in removing infection, read the link from my last post, follow the steps, post the logs in the correct forum (indicated when you read the information), and wait for help.

It may take some time to receive a reply in the HijackThis Log Help forum, as like all forums, we're swamped.

tim_ver · 02-29-2008, 09:18 AM

Ok thanks.

Here are the two files from DSS scanner.

tetonbob · 02-29-2008, 09:21 AM

Quote:

If you want help here in removing infection, read the link from my last post, follow the steps, post the logs in the correct forum (indicated when you read the information), and wait for help.

Follow this link, please:

http://www.techsupportforum.com/newt...newthread&f=50

Here's why:

http://www.techsupportforum.com/secu...here-span.html

Thanks, I'll be removing that last post shortly.

tim_ver · 02-29-2008, 09:31 AM

Ok if you want kill the whole thread. I have reposted as instructed above as a new post with txt files and HJT log pasted also.

Thanks Much

tetonbob · 02-29-2008, 09:46 AM

I think there's one more bit of pertinent information you can add to the new thread.

Quote:

I tried to remove the Backdoor.Greybird item but with no luck I booted in safe mode and went in to Regedit like the instructions said and search for the strings but did not find them and on this second scan I still get found 6 items

What exactly is Symantec finding....registry locations, file names and paths...all this is helpful.

tim_ver · 02-29-2008, 11:14 PM

Ok, I will add that in to the post in a bit. I have to get back on that pc and rerun the scan to get that info.

Thanks

tim_ver · 03-01-2008, 02:03 AM

I looked after a rescan and it gives nothing more then the name of the infection and the I can hit review which launches a webpage to tell me about it.

http://securityresponse.symantec.com...040217-2506-99

Should I post it in the message also or not?

Thanks

02-28-2008, 06:43 PM	#1 (permalink)
tim_ver Registered User Join Date: Nov 2007 Posts: 29 OS: XPSP2	BackDoor.Greybird Virus & more - help needed I just ran a scan on my PC (Symantec Internet Security) and it found 6 items (Backdoor.Greybird, Downloader, Trojan Horse x4) I tried to remove the Backdoor.Greybird item but with no luck I booted in safe mode and went in to Regedit like the instructions said and search for the strings but did not find them and on this second scan I still get found 6 items. Arghhh. Help please. I have XP SP2. Instructions I followed for the first one were these found at Symantec's website. Click Start, and then click Run. (The Run dialog box appears.) Type regedit Then click OK. (The Registry Editor opens.) Navigate to each of these the keys: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ RunServices HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run NOTE: All the keys do not exist on all the systems. For each one, in the right pane, delete any of the following values: "svchost" = "%System%\Svch0st.exe" "winlogon" = "%System%\Winlogon.exe" "system" = "%System%\Explorer.exe" "ravmond" = "%System%\Explorer.exe" If you are running Windows NT/2000/XP, navigate to the key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows In the right pane, delete the value: "run" = "%system%\svch0st.EXE" "run" = "%system%\ravmond.exe" Exit the registry editor.

02-28-2008, 07:46 PM	#2 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,564 OS: 2000 Pro; XP Pro; XP Home	Re: BackDoor.Greybird Virus & more - help needed If you think your computer is infected.... __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

02-28-2008, 08:25 PM	#3 (permalink)
tim_ver Registered User Join Date: Nov 2007 Posts: 29 OS: XPSP2	Re: BackDoor.Greybird Virus & more - help needed Ok so How do I fix this issue?

02-28-2008, 08:28 PM	#4 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,564 OS: 2000 Pro; XP Pro; XP Home	Re: BackDoor.Greybird Virus & more - help needed If you want help here in removing infection, read the link from my last post, follow the steps, post the logs in the correct forum (indicated when you read the information), and wait for help. It may take some time to receive a reply in the HijackThis Log Help forum, as like all forums, we're swamped. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

02-29-2008, 09:18 AM	#5 (permalink)
tim_ver Registered User Join Date: Nov 2007 Posts: 29 OS: XPSP2	Re: BackDoor.Greybird Virus & more - help needed Ok thanks. Here are the two files from DSS scanner. Last edited by tim_ver; 02-29-2008 at 09:27 AM.

02-29-2008, 09:31 AM	#7 (permalink)
tim_ver Registered User Join Date: Nov 2007 Posts: 29 OS: XPSP2	Re: BackDoor.Greybird Virus & more - help needed Ok if you want kill the whole thread. I have reposted as instructed above as a new post with txt files and HJT log pasted also. Thanks Much

02-29-2008, 11:14 PM	#9 (permalink)
tim_ver Registered User Join Date: Nov 2007 Posts: 29 OS: XPSP2	Re: BackDoor.Greybird Virus & more - help needed Ok, I will add that in to the post in a bit. I have to get back on that pc and rerun the scan to get that info. Thanks

03-01-2008, 02:03 AM	#10 (permalink)
tim_ver Registered User Join Date: Nov 2007 Posts: 29 OS: XPSP2	Re: BackDoor.Greybird Virus & more - help needed I looked after a rescan and it gives nothing more then the name of the infection and the I can hit review which launches a webpage to tell me about it. http://securityresponse.symantec.com...040217-2506-99 Should I post it in the message also or not? Thanks