
Backdoor.graybird


10 replies to this topic

#1 James Heilman

James Heilman

  • Members
  • 54 posts
  • OFFLINE
  • Local time:04:04 PM

Posted 16 January 2008 - 08:03 PM

I have been infected with the backdoor.graybird virus. Norton 360 detects it and removes it but it comes back.

File c:\program files\common files\microsoft shared\speech\wab64.dll

3 services: ravmond, winlogin, windows

19 Registry entries



#2 annabackwards

annabackwards

  • Members
  • 1,381 posts
  • OFFLINE
  • Gender:Female
  • Location:Sydney, Australia.
  • Local time:07:04 AM

Posted 17 January 2008 - 05:35 AM

Your problem seems serious. Please click here and follow all steps that you have not already completed.

Do not alter your computer before you receive a reply for the HijackThis Log. This is because fixes will be based on the information you supply when you made the log.

Also be patient, as there are only a limited number of helpers and a large demand. If you receive no reply within 5 days, please post the link to your thread in the thread here.

Good luck :thumbsup:

Surf smarter, surf faster, surf safer, surf with Mozilla Firefox

#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,128 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:04 PM

Posted 17 January 2008 - 08:15 AM

Get a second opinion on that file.

Go to jotti's virusscan or virustotal.com. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.
Post back with the results of the file analysis.

You can also do this:

Please download ATF Cleaner by Atribune & save it to your desktop. DO NOT use yet.
Please download Sysclean Package & save it to your desktop.
  • Create a new folder on drive "C:\" and rename it Sysclean - (C:\Sysclean).
  • Place the sysclean.com inside that folder.
  • Then download the latest Virus Pattern Files - (Pattern files are usually named lptxxx.zip, where xxx is the pattern file number)
  • Extract (unzip) the lptxxx.zip pattern file into the Sysclean folder where you put sysclean.com. (Click here for information on how to extract a file if you're not sure how to do this.) DO NOT scan yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

Scan with Sysclean as follows:
  • Open the Sysclean folder and double-click on sysclean.com to start the scanning process.
  • Put a check mark on the "Automatically clean or delete infected files" option by clicking in the checkbox.
  • Click the Advanced >> button.
  • The scan options appear. Select the "Scan all local fixed drives".
  • Click the "Scan button" on the Trend Micro System Cleaner console.
  • It will take some time to complete. Be patient and let it clean whatever it finds.
  • Another MS-DOS window appears containing the log file (sysclean.log) generated in the same folder where the scan is completed - C:\Sysclean.
  • To view the log, click the "View button" on the Trend Micro System Cleaner console. The Trend Micro Sysclean Package - Log window appears.
    • The Files Detected section shows the viruses that were detected by System Cleaner.
    • The Files Clean section shows the viruses that were cleaned.
    • The Clean Fail section shows the viruses that were not cleaned.
  • Exit when done, reboot normally and re-enable your anti-virus program.
Instructions with screenshots are here if you need them.

When using Sysclean it's best to use the Administrator's account or an account with Administrative rights; otherwise you will not have access rights to scan some locations. You can also use the "Run As" command to start a program as an Administrator. Even when doing that, the scanning process may result in "Access Denied" messages for some files. This is normal because these files are protected by the system.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#4 James Heilman

James Heilman
  • Topic Starter

  • Members
  • 54 posts
  • OFFLINE
  • Local time:04:04 PM

Posted 31 January 2008 - 09:36 PM

I did a scan with the stuff you suggested. Norton 360 still finds copies of backdoor.graybird but the scans found a different thing. Here is a copy of the scan log.



/--------------------------------------------------------------\
| Trend Micro System Cleaner |
| Copyright 2006, Trend Micro, Inc. |
| http://www.antivirus.com |
\--------------------------------------------------------------/


2008-01-29, 20:37:01, Auto-clean mode specified.
2008-01-29, 20:37:01, Running scanner "C:\Sysclean\TSC.BIN"...
2008-01-29, 20:38:01, Scanner "C:\Sysclean\TSC.BIN" has finished running.
2008-01-29, 20:38:01, TSC Log:

2008-01-29, 20:38:16, An error was detected on "C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\*.*": Access is denied.
2008-01-29, 20:38:16, An error was detected on "C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\*.*": Access is denied.
2008-01-29, 20:39:03, An error was detected on "C:\System Volume Information\*.*": Access is denied.


/--------------------------------------------------------------\
| Trend Micro System Cleaner |
| Copyright 2006, Trend Micro, Inc. |
| http://www.antivirus.com |
\--------------------------------------------------------------/


2008-01-29, 21:31:20, Auto-clean mode specified.
2008-01-29, 21:31:20, Running scanner "C:\Sysclean\TSC.BIN"...
2008-01-29, 21:32:10, Scanner "C:\Sysclean\TSC.BIN" has finished running.
2008-01-29, 21:32:10, TSC Log:

2008-01-29, 21:32:29, An error was detected on "C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\*.*": Access is denied.
2008-01-29, 21:32:29, An error was detected on "C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\*.*": Access is denied.
2008-01-29, 21:33:22, An error was detected on "C:\System Volume Information\*.*": Access is denied.
2008-01-29, 22:47:01, Operation was aborted.


/--------------------------------------------------------------\
| Trend Micro System Cleaner |
| Copyright 2006, Trend Micro, Inc. |
| http://www.antivirus.com |
\--------------------------------------------------------------/


2008-01-30, 18:15:11, Auto-clean mode specified.
2008-01-30, 18:15:11, Running scanner "C:\Sysclean\TSC.BIN"...
2008-01-30, 18:16:09, Scanner "C:\Sysclean\TSC.BIN" has finished running.
2008-01-30, 18:16:09, TSC Log:

2008-01-30, 18:16:26, An error was detected on "C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\*.*": Access is denied.
2008-01-30, 18:16:26, An error was detected on "C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\*.*": Access is denied.
2008-01-30, 18:17:17, An error was detected on "C:\System Volume Information\*.*": Access is denied.
2008-01-30, 19:52:31, Files Detected:
Copyright © 1990 - 2004 Trend Micro Inc.
Report Date : 1/30/2008 18:17:47
VSAPI Engine Version : 8.500-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 967 (253649 Patterns) (2008/01/28) (496700)
Command Line: C:\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Sysclean

C:\Program Files\Common Files\Microsoft Shared\Speech\Wab64.dll [TROJ_HUPIGON.LAD]
50880 files have been read.
50880 files have been checked.
50857 files have been scanned.
521508 files have been scanned. (including files in archived)
1 files containing viruses.
Found 1 viruses totally.
Maybe 0 viruses totally.
Stop At : 1/30/2008 19:52:29
---------*---------*---------*---------*---------*---------*---------*---------*
2008-01-30, 19:52:31, Files Clean:
Copyright © 1990 - 2004 Trend Micro Inc.
Report Date : 1/30/2008 18:17:47
VSAPI Engine Version : 8.500-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 967 (253649 Patterns) (2008/01/28) (496700)
Command Line: C:\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Sysclean

Success Clean [TROJ_HUPIGON.LAD]( 1) from C:\Program Files\Common Files\Microsoft Shared\Speech\Wab64.dll
50880 files have been read.
50880 files have been checked.
50857 files have been scanned.
521508 files have been scanned. (including files in archived)
1 files containing viruses.
Found 1 viruses totally.
Maybe 0 viruses totally.
Stop At : 1/30/2008 19:52:29 1 hour 34 minutes 23 seconds (5662.86 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2008-01-30, 19:52:31, Clean Fail:
Copyright © 1990 - 2004 Trend Micro Inc.
Report Date : 1/30/2008 18:17:47
VSAPI Engine Version : 8.500-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 967 (253649 Patterns) (2008/01/28) (496700)
Command Line: C:\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL /DCEGENCLEAN /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Sysclean

50880 files have been read.
50880 files have been checked.
50857 files have been scanned.
521508 files have been scanned. (including files in archived)
1 files containing viruses.
Found 1 viruses totally.
Maybe 0 viruses totally.
Stop At : 1/30/2008 19:52:29 1 hour 34 minutes 23 seconds (5662.86 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2008-01-30, 19:52:31, Scanner "C:\Sysclean\VSCANTM.BIN" has finished running.
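The three log sections quietman7 describes in post #3 (Files Detected, Files Clean, Clean Fail) and the sysclean.log James posted above are in a simple line-oriented format. The Python below is an added example, not code from this thread or from Trend Micro: it splits a sysclean.log into one record per scan run (each run begins with the `/----` banner), collects the access-denied paths, the detections and the successful cleans from each section, and then flags any path that was detected in more than one run, which is the pattern in this thread, since a file that keeps coming back after a successful clean means whatever re-drops it is still on the machine. The SAMPLE_LOG is constructed to follow the format of the posted log (with a third, invented run in which the same file is detected again and fails to clean); the line layout inside the Clean Fail section is an assumption, taken to match the Files Detected section, because the posted log shows that section empty.

```python
# Added example: parse Trend Micro Sysclean (sysclean.log) output into per-run records.
# Not Trend Micro code. SAMPLE_LOG is constructed to follow the format posted in the thread;
# the "Clean Fail" line layout (same "path [NAME]" form as "Files Detected") is an assumption.
from __future__ import annotations

import re
from dataclasses import dataclass, field

# "2008-01-30, 19:52:31, Files Detected:" -> date, time, message
TIMESTAMP_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}), (\d{2}:\d{2}:\d{2}), (.*)$")
ACCESS_DENIED_RE = re.compile(r'^An error was detected on "(.+)": Access is denied\.$')
SECTION_RE = re.compile(r"^(Files Detected|Files Clean|Clean Fail):$")
# "C:\...\Wab64.dll [TROJ_HUPIGON.LAD]"
DETECTED_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \[(?P<name>[^\]]+)\]$")
# "Success Clean [TROJ_HUPIGON.LAD]( 1) from C:\...\Wab64.dll"
CLEANED_RE = re.compile(r"^Success Clean \[(?P<name>[^\]]+)\]\(\s*\d+\) from (?P<path>.+)$")
SEPARATOR = "---------*"  # "---------*---------*..." closes a section


@dataclass
class ScanRun:
    started: str = ""
    aborted: bool = False
    access_denied: list[str] = field(default_factory=list)
    detected: list[tuple[str, str]] = field(default_factory=list)      # (path, detection name)
    cleaned: list[tuple[str, str]] = field(default_factory=list)
    clean_failed: list[tuple[str, str]] = field(default_factory=list)


def parse_sysclean_log(text: str) -> list[ScanRun]:
    """Each "/----" banner starts a new run; section headers are timestamped lines."""
    runs: list[ScanRun] = []
    run: ScanRun | None = None
    section: str | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/---"):
            run = ScanRun()
            runs.append(run)
            section = None
            continue
        if run is None:
            continue
        if line.startswith(SEPARATOR):
            section = None
            continue
        m = TIMESTAMP_RE.match(line)
        if m:
            date, clock, msg = m.groups()
            if msg == "Auto-clean mode specified.":
                run.started = f"{date} {clock}"
            elif msg == "Operation was aborted.":
                run.aborted = True
            elif (denied := ACCESS_DENIED_RE.match(msg)):
                run.access_denied.append(denied.group(1))
            elif (sec := SECTION_RE.match(msg)):
                section = sec.group(1)
            continue
        # Lines inside a section: engine/version banner lines simply fail to match.
        if section == "Files Detected" and (d := DETECTED_RE.match(line)):
            run.detected.append((d["path"], d["name"]))
        elif section == "Files Clean" and (c := CLEANED_RE.match(line)):
            run.cleaned.append((c["path"], c["name"]))
        elif section == "Clean Fail" and (d := DETECTED_RE.match(line)):
            run.clean_failed.append((d["path"], d["name"]))
    return runs


def recurring_detections(runs: list[ScanRun]) -> list[str]:
    """Paths detected in more than one run (case-insensitive, as NTFS paths are)."""
    seen: dict[str, set[int]] = {}
    for i, run in enumerate(runs):
        for path, _name in run.detected:
            seen.setdefault(path.lower(), set()).add(i)
    return sorted(p for p, idx in seen.items() if len(idx) > 1)


# Constructed sample in the format of the posted log; the third run is invented.
SAMPLE_LOG = r"""
/--------------------------------------------------------------\
| Trend Micro System Cleaner |
\--------------------------------------------------------------/
2008-01-29, 21:31:20, Auto-clean mode specified.
2008-01-29, 21:31:20, Running scanner "C:\Sysclean\TSC.BIN"...
2008-01-29, 21:33:22, An error was detected on "C:\System Volume Information\*.*": Access is denied.
2008-01-29, 22:47:01, Operation was aborted.

/--------------------------------------------------------------\
| Trend Micro System Cleaner |
\--------------------------------------------------------------/
2008-01-30, 18:15:11, Auto-clean mode specified.
2008-01-30, 18:16:26, An error was detected on "C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\Quarantine\*.*": Access is denied.
2008-01-30, 19:52:31, Files Detected:
Command Line: C:\Sysclean\VSCANTM.BIN /NBPM /S /CLEANALL C:\*.* /P=C:\Sysclean

C:\Program Files\Common Files\Microsoft Shared\Speech\Wab64.dll [TROJ_HUPIGON.LAD]
1 files containing viruses.
---------*---------*---------*---------*
2008-01-30, 19:52:31, Files Clean:
Success Clean [TROJ_HUPIGON.LAD]( 1) from C:\Program Files\Common Files\Microsoft Shared\Speech\Wab64.dll
---------*---------*---------*---------*
2008-01-30, 19:52:31, Clean Fail:
---------*---------*---------*---------*
2008-01-30, 19:52:31, Scanner "C:\Sysclean\VSCANTM.BIN" has finished running.

/--------------------------------------------------------------\
| Trend Micro System Cleaner |
\--------------------------------------------------------------/
2008-02-02, 10:00:00, Auto-clean mode specified.
2008-02-02, 11:30:00, Files Detected:
C:\Program Files\Common Files\Microsoft Shared\Speech\Wab64.dll [TROJ_HUPIGON.LAD]
---------*---------*---------*---------*
2008-02-02, 11:30:00, Files Clean:
---------*---------*---------*---------*
2008-02-02, 11:30:00, Clean Fail:
C:\Program Files\Common Files\Microsoft Shared\Speech\Wab64.dll [TROJ_HUPIGON.LAD]
---------*---------*---------*---------*
"""

if __name__ == "__main__":
    runs = parse_sysclean_log(SAMPLE_LOG)
    for i, r in enumerate(runs, 1):
        print(f"run {i} ({r.started}): detected={len(r.detected)} cleaned={len(r.cleaned)} "
              f"failed={len(r.clean_failed)} denied={len(r.access_denied)} aborted={r.aborted}")
    print("detected in more than one run:", recurring_detections(runs))
```

On the log in the thread the parser yields one detection, in the third run, with a matching successful clean and an empty Clean Fail section, which is what post #5 points out; the recurrence check only fires once the same path shows up in a later run's Files Detected section.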

#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,128 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:04 PM

Posted 31 January 2008 - 10:55 PM

Where is Norton finding these copies of backdoor.graybird?

Your log indicates System Clean found and removed wab64.dll.

#6 James Heilman

James Heilman
  • Topic Starter

  • Members
  • 54 posts
  • OFFLINE
  • Local time:04:04 PM

Posted 08 February 2008 - 08:56 PM

C:\program files\common files\microsoft shared\speech\wab64.dll

This is where it is found. It reinstalls itself somehow and I haven't been able to get rid of it.


#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,128 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:04 PM

Posted 11 February 2008 - 01:55 PM

Get a second opinion.

Go to jotti's virusscan or virustotal.com. In the "File to upload & scan" box, browse to the location of the suspicious file(s) and submit (upload) it for scanning/analysis.
Post back with the results of the file analysis.

#8 James Heilman

James Heilman
  • Topic Starter

  • Members
  • 54 posts
  • OFFLINE
  • Local time:04:04 PM

Posted 15 February 2008 - 07:54 PM

I can't send the file to get a second opinion. When it gets reinstalled Norton 360 deletes it immediately.

#9 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,128 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:04 PM

Posted 16 February 2008 - 09:19 AM

Please read the instructions "How to submit a file to Symantec Security Response using Scan and Deliver". There is no charge for the service. After Symantec responds please post the results back here.

#10 James Heilman

James Heilman
  • Topic Starter

  • Members
  • 54 posts
  • OFFLINE
  • Local time:04:04 PM

Posted 22 February 2008 - 05:09 PM

That is only for Norton Corporate Versions.

#11 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,128 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:04 PM

Posted 22 February 2008 - 06:31 PM

Try searching for an alternate link here. I'm getting ready to log off now so I don't have time until later tonight maybe or tomorrow.

Edited by quietman7, 22 February 2008 - 06:34 PM.
