
Threat Name: Backdoor.graybird


9 replies to this topic

#1 alburnus (Idaho)

Posted 20 February 2006 - 12:23 PM

It was last fall I was first infected and I regret to say I have misplaced the notes I took when I initially cleaned out the virus, but it seems to me it was entitled Vundo, or something very like that. The few notes I did find are as follows:

File name: mc2D.tmp
Threatname: Backdoor.Graybird
Original Location: C:\Windows\T... (sorry, this is all I wrote down of this line)
Status: Backup of an infection (I must have written this down after I quarantined the virus)
Quarantined: 9/16/2005, 9/17/2005, 9/18/2005 (but I don't understand these dates or why there are three different dates. My virus alert initially came up at 4:00 PM on 10/17/2005.)

Here is the HiJackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 10:03:35 AM, on 2/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\PROGRA~1\mcafee.com\agent\McAgent.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...ilion&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...ilion&pf=laptop
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=laptop
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/insta...staller_gmn.cab
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - https://objects.aol.com/mcafee/molbin/share...83/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - https://objects.aol.com/mcafee/molbin/share...,20/McGDMgr.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F4BCFEE9-D582-4C4F-91B9-C43288464ADD}: NameServer = 205.188.146.145
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

Thank you so much for your help!

Deb


#2 Grinler (Lawrence Abrams, Admin)

Posted 23 February 2006 - 08:17 AM

This log appears to be clean. Were you just checking or did you have a specific problem?
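The verdict above comes from reading the log by hand: the persistence entries (O4 Run keys, O20 Winlogon Notify DLLs, O23 services) all point at binaries under System32 or Program Files, and the O17 NameServer line is the one entry that can only be judged by knowing whose resolver that is. The script below is an added example, not part of the thread and not code from HijackThis or BleepingComputer; it applies that same triage mechanically to HijackThis-style lines. The trusted-directory list is an assumption for illustration (a real allow-list would be longer and would check signatures or hashes, not just paths), and the three lines marked "constructed" at the end of the sample are made up to show what a hit looks like.

```python
import re
from typing import List, NamedTuple

# Directories a stock XP install and mainstream vendors use. Assumption for this
# example only: anything outside these is flagged for a manual look, which also
# catches the common malware habit of dropping into C:\WINDOWS\ itself or %TEMP%.
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\program files\\",
    "c:\\progra~1\\",
)

# HijackThis sections that describe something run at boot/logon.
PERSISTENCE_SECTIONS = {"O2", "O3", "O4", "O20", "O21", "O23"}
# O17 = DNS server override: always review, the path heuristic cannot judge it.
ALWAYS_REVIEW = {"O17"}

LINE_RE = re.compile(r"^(?P<section>[RFOA]\d+) - (?P<body>.*)$")
# A drive path ending in an executable/library extension; spaces are allowed
# because "Program Files" style paths are the norm in these logs.
PATH_RE = re.compile(r"[a-z]:\\.+?\.(?:exe|dll|sys|ocx)\b", re.IGNORECASE)


class Finding(NamedTuple):
    section: str
    reason: str
    line: str


def paths_in(body: str) -> List[str]:
    """Return every executable/library path mentioned in one log line."""
    return [m.group(0) for m in PATH_RE.finditer(body)]


def is_trusted(path: str) -> bool:
    return path.lower().startswith(TRUSTED_PREFIXES)


def triage(log: str) -> List[Finding]:
    """Flag persistence entries whose binary lives outside the trusted dirs,
    entries with no recognisable binary at all (e.g. a .tmp loaded via
    rundll32), and every O17 DNS override."""
    findings: List[Finding] = []
    for raw in log.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # process list, headers, blank lines
        section, body = m.group("section"), m.group("body")
        if section in ALWAYS_REVIEW:
            findings.append(Finding(section, "DNS override: confirm this is your ISP's resolver", line))
            continue
        if section not in PERSISTENCE_SECTIONS:
            continue
        paths = paths_in(body)
        if not paths:
            findings.append(Finding(section, "no recognisable binary path", line))
            continue
        for p in paths:
            if not is_trusted(p):
                findings.append(Finding(section, f"binary outside trusted dirs: {p}", line))
    return findings


# Constructed sample: the first five lines are taken from the log in the thread,
# the last three are invented to show what a hit looks like.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O17 - HKLM\System\CCS\Services\Tcpip\..\{F4BCFEE9-D582-4C4F-91B9-C43288464ADD}: NameServer = 205.188.146.145
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O4 - HKCU\..\Run: [sysupdate] C:\Documents and Settings\user\Local Settings\Temp\sysupdate.exe
O20 - Winlogon Notify: netmon - C:\WINDOWS\netmon32.dll
O4 - HKLM\..\Run: [loader] rundll32.exe C:\WINDOWS\Temp\ld.tmp,Start
"""


def sample_findings() -> List[Finding]:
    return triage(SAMPLE_LOG)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the full log in the thread, the only thing this prints is the O17 line, which matches the "appears clean" reading above; the O16 ActiveX entries and the R0/R1 HP redirect URLs are deliberately not judged by path, since they are URLs and need a different check.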

#3 alburnus (Topic Starter)

Posted 24 February 2006 - 04:03 PM

Thank you so much for your reply - I appreciate it! The answer to your question is "yes," I was just checking, AND I have specific issues. Now that I have some confidence that my machine is clean, I am wondering what direction to go, and I bet you can help with that...

I think they might be Windows related issues - perhaps you can tell me what I have done wrong, or if it is just the result of some quirkiness in a Windows update or something else I have not considered. I will try to describe the two main weird things my computer is doing:

Whenever I attempt to open Windows Explorer, or in response to a command I have typed which requires Windows Explorer to open, this is what happens:

A box comes up entitled "Windows Installer," with the following message: "Please wait while Windows configures HPIZ402."

I eventually learned, through a fit of impatient frustration, that I need to click on the "cancel" button three times - always three times - the first and second time I click it, the message box comes right back, but the third time it will go away and Windows Explorer will open anyway.

Before I learned this, these were the other messages that came up: (in case you need this additional information to diagnose the problem):

"The feature you are trying to use is on a CD-ROM or other removable disk that is not available. Insert the HPIZ402 disk and click OK."

I would then click "cancel," since I knew I was getting this message in error, to be rewarded with the following additional message:

"Error 1706. No valid source could be found for product HPIZ402. The Windows Installer cannot continue."

I click "OK."

Windows Explorer opens anyway.

Regardless of how many or few times I attempt to access Windows Explorer in a day, I will consistently be confronted with the "Windows Installer..." box, though, as I explained previously, I did accidentally figure out I can just cancel the box 3 times and it will go away. It is annoying though, because sometimes it will take some time for that box to come up and I have to sit here and wait for it, unable to do anything further through Windows Explorer until I perform this little dance.

The second issue is this:

I didn't take notes on this one, so my information is not going to be that great, but I'll give you what I can here, and if you need better details, I'll provide them. I mention it here rather than adhering to the "one problem or question at a time," because I suspect they are somehow related.

There's some kind of "user" box that comes up and says my computer is locked and I have to enter my user password to unlock it. This seems to happen whenever I step away from my computer for a few minutes, and it will come up whether or not I have been gone long enough for the screen saver to kick in. I can cancel it without entering the password, and it "unlocks," and the box goes away, and I am then able to use my computer, but it's annoying - but more than that, it indicates to me something's not working quite right and I don't like that.

Oh, there was one more thing that made me concerned I might still be infected OR might be dealing with an unresolved or undetected spyware issue, but I will save that for after I get this "Windows" problem fixed, because I believe it might be an unrelated issue.

Thanks again - it's so good to have you guys "out there."

Deb

#4 Grinler (Lawrence Abrams, Admin)

Posted 25 February 2006 - 09:33 PM

The HPIZ402 is from the HP Image zone not being installed properly. If you do not use this software, I would uninstall it from add/remove programs and see if that fixes the problem.

For the second problem you probably have the screensaver set to require logon when it kicks in. Go into the display properties, click on screensaver and uncheck On resume, password protect. Then press apply and ok and you should be all set.

Let me know how all of this works out.

#5 alburnus (Topic Starter)

Posted 25 February 2006 - 09:44 PM

Thank you - you were correct about the "on resume, password protect." I went in and unchecked that. Since the beginning of this post I have acquired even more challenging problems than the ones I have listed here, in fact, challenging enough that I am now unable to even navigate well enough to fix the problems. If you would be so kind as to read my post entitled "Ran CleanUp! Wish I hadn't" in the Windows XP section, and advise me in regard to that, I would be most grateful. I have been working on this all day and I just keep getting deeper into trouble, although I believe I am following instructions exactly.

Thank you -

Deb

#6 alburnus (Topic Starter)

Posted 25 February 2006 - 09:47 PM

Oh, I meant to tell you that uninstalling programs is only one of the many things I am unable to do since my new problems began after running CleanUp! earlier today. I also am unable to read anything requiring Adobe, so my attempts to download the Windows XP tweaking manual I read about in one of your tutorials failed.

Deb

#7 Grinler (Lawrence Abrams, Admin)

Posted 26 February 2006 - 08:31 PM

Hmm...do you know what exactly you did in cleanup that may have caused these problems? I am unfamiliar with that program...are you able to revert any changes?

#8 alburnus (Topic Starter)

Posted 27 February 2006 - 08:53 AM

Thank you for your reply! In response to your question, I have pasted the text from my posting in the "Ran CleanUp! Wishing I hadn't" topic. It is as follows:

"An hour ago I ran CleanUp! and rebooted. While certain Windows issues I had been experiencing seem to have been resolved, I immediately noticed that new and slightly more crippling issues took their places.

In an attempt to resolve this, I inserted my Windows XP Home SP2 Operating System CD that came with my laptop. This is the message I immediately received when I tried to proceed:

(Windows Setup)
"The option to upgrade will not be available at this time because setup was unable to load the file D:\i386\WINNTUPG\NETUPGRD.DLL The system cannot find the file specified."

I don't know if this missing (?) file is the same file responsible for my invisible (?) icons and other necessary images required for navigating my system. I can't assume anything, because I don't have sufficient knowledge to safely assume anything. I barely have enough computer savvy to make educated guesses, but I don't suppose this is news to you folks by now. I can only hope that I am at least a source of amusement to some.

Anyway...after I had been given this message, I was allowed to choose to just do a completely new install (I don't remember the exact wording and I forgot to write it down - sorry). As I have backups of all my important data, and have a recovery disk and so on, I decided to "go for it." I was then prompted to enter a 25 digit number (I think it was 25 digits) which I was told was on my certificate of authenticity, which I cannot find in my very organized but apparently incomplete "laptop file." By the way, nothing I have is pirated - everything is purchased.

It may be relevant for you to know that after the CleanUp! completed its download and run, I was given a message informing me that some files that were apparently "cleaned" (again, I can't remember the exact wording, but I am hoping this is a familiar enough scenario to you) in such a way that my computer was asking for a disk, but since this seemed to be related to recurring issues I have been having for weeks now with other similar Windows messages, I made the choice to override that, because I thought that doing what I was being asked to do would "undo" the CleanUp!. (I am so glad I at least cannot hear you all laughing.)

How should I proceed from here? Please advise! Thank you kindly!"

(end text)

I am trying to figure out what I did wrong, but I didn't think inserting the disk it was asking for was the right thing to do, but I might be wrong about that. Is that normal procedure when one is running a cleaning program, to be asked to insert the Windows XP Home SP2 Operating System CD? I felt like that was going to "undo" what I had just done by running cleanup, but actually, as I am typing this to you, and thinking it over yet again, maybe CleanUp! removed more than it should have, and Windows was trying to get back what it needed in order to function properly. Was that it? I was trusting the CleanUp! program to not take out anything that should be left in, but I am beginning to believe that was probably really naive.

What is your opinion?

Thank you!

Deb

#9 alburnus (Topic Starter)

Posted 27 February 2006 - 09:04 AM

Oh, I meant to ask you another question - you told me that my HP Image Zone is not installed properly, and that's what was causing those particular problems I wrote you about. I don't like that program, for lots of reasons, but it was already installed on this laptop when I bought it 7 months ago. I have used it a little bit, but as I have said, I don't like it, so there isn't much in there.

My question is, what have I done along the way that has caused it to start doing this? Although the program itself seems to be unstable in a variety of ways while it is being used, why should it suddenly start affecting my computer in seemingly unrelated ways, such as when I have not opened HP Image Zone for weeks?

I guess what I'm really asking is, what do I need to know in order to prevent similar future weirdnesses on my computer?

Thank you -

Deb

#10 Grinler (Lawrence Abrams, Admin)

Posted 27 February 2006 - 08:43 PM

As for the HP Image Zone software, I really do not know why it does that. I think it feels that there is an unfinished installation routine. Usually uninstalling and reinstalling the software fixes that.

As for the rest of the situation, I would probably advise you reinstall. I have no idea what cleanup removed and what could be causing this instability. As for the code for your windows xp install, look at the bottom of the laptop. Is there a key there?
