Backdoor.Graybird problem.

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Banano, Nov 4, 2013.

  1. Banano

    Banano Private E-2

    I am running a Windows 7 64 bit laptop, and ever since I downloaded a file this Norton message has been popping up all the time. Norton can't do anything about it. I can't do anything through Norton. It is driving me crazy. Help.
     
  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Welcome to Major Geeks!

    Please read ALL of this message including the notes before doing anything.

    Please follow the instructions in the below link:

    READ & RUN ME FIRST. Malware Removal Guide

    and attach the requested logs when you finish these instructions.
    • **** If something does not run, write down the info to explain to us later but keep on going. ****
    • Do not assume that because one step does not work that they all will not. MGtools will frequently run even when all other tools will not.

    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
    Helpful Notes:

    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools and the manual update Malwarebytes ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. If you cannot seem to login to an infected user account, try using a different user account (if you have one) in either normal or safe boot mode and running only RogueKiller and Malwarebytes while logged into this other user account. Then reboot and see if you can log into the problem user account. If you can then run the rest of the READ & RUN ME FIRST instructions on the infected account.
    4. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:
    Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
     
  3. Banano

    Banano Private E-2

    I can post all that it says on the error window, but it is in Spanish, and I can't find a way to change Norton's language. I will do my best to translate it.

    Resolved Threats:
    No risks have been resolved

    Unresolved Threats:
    Backdoor.Graybird
    Type: Anomaly
    Risk: High (High Stealth, High Removal, High Performance, High Privacy)
    Categories: Virus
    Status: Remove Failed
    -----------
    2 Registry Entry

    1 File

    1 Browser Cache

    1 System Action
     
  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    You can either give me an exact file or folder that it is flagging, or if it cannot do this, you need to follow my instructions. :)
     
  5. Banano

    Banano Private E-2

    I am doing it all, just give me some time :) Just finished the Malwarebytes scan.
     
  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    No worries! Take your time. :)
     
  7. Banano

    Banano Private E-2

    Umm, Hitman Pro opened in Spanish, I imagine the log will also be so. I hope this is not a problem.
     
  8. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Not a problem at all. :)
     
  9. Banano

    Banano Private E-2

    Here they are :)
     

    Attached Files:

  10. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Hi. :)

    Fix items using RogueKiller.

    Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
    When it opens, press the Scan button
    Now click the Registry tab and locate these 3 detections:

    • [SERVICE][BLVALUE] HKLM\[...]\CCSet\[...]\Services : IBUpdaterService (C:\Windows\System32\dmwu.exe [7]) -> FOUND
    • [SERVICE][BLVALUE] HKLM\[...]\CS001\[...]\Services : IBUpdaterService (C:\Windows\System32\dmwu.exe [7]) -> FOUND
    • [SERVICE][BLVALUE] HKLM\[...]\CS002\[...]\Services : IBUpdaterService (C:\Windows\System32\dmwu.exe [7]) -> FOUND

    Place a checkmark next to each of these items, leave the others unchecked.
    Now press the Delete button.
    When it is finished, there will be a log on your desktop called: RKreport[2].txt
    Attach RKreport[2].txt to your next message. (How to attach)
    Reboot the machine.


    Delete this file if you see it:
    • C:\Windows\System32\dmwu.exe



    Re-run Hitman and have it delete Potential Unwanted Programs



    Please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.


    Is Norton still alerting you about Graybird??
     
  11. Banano

    Banano Private E-2

    When I scan it with RK, all it detects is 2 HKEY_CURRENT_USER and 10 HKEY_LOCAL_MACHINE. I didn't proceed with any other steps.
     
  12. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Skip RK then if it does not find those entries and continue on with other instructions. :)
     
  13. Banano

    Banano Private E-2

    There is nothing in Hitman that says that. How do I do it?
     
  14. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I need all this gone, which Hitman finds:

     
  15. Banano

    Banano Private E-2

    It says No threats found. And I haven't done anything.
     
  16. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Just continue with the rest of the instructions then.
     
  17. Banano

    Banano Private E-2

    Here.
     

    Attached Files:

    • JRT.txt
  18. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    ...and is Norton still alerting you about Graybird or not at this point? :)
     
  19. Banano

    Banano Private E-2

    It is.
     
  20. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Then as previously explained, I need much more information than Norton is supplying you with. Usually, when an antivirus finds what it considers to be a threat, it gives a file or folder name, and a location where it resides....

    Unfortunately, Norton finding Backdoor.Graybird is not helping us much. Check carefully, is what it found supposed to be in quarantine or can Norton not even fix what it finds? See if it gives us more info please. It could just be a false positive but we cannot tell at this stage.
     
  21. Banano

    Banano Private E-2

    Ruta completa: g:\razor1911\the_sims_3_keygen.exe
    Amenaza: Backdoor.Graybird
    ____________________________
    ____________________________
    En los equipos a partir de 18/10/2013 a las 10:12:22 a.m.
    Último uso 18/10/2013 a las 10:14:46 a.m.
    Elemento de inicio No
    Iniciado Sí
    ____________________________
    ____________________________
    Muchos usuarios
    Decenas de miles de usuarios de la Comunidad Norton han usado este archivo.
    ____________________________
    Maduro
    Este archivo se lanzó hace 4 años 2 meses.
    ____________________________
    Alto
    El riesgo de este archivo es alto.
    ____________________________
    Detalles de amenaza
    Tipo de amenaza: Virus. Programas que infectan otros programas, archivos o áreas de un equipo insertándose o adjuntándose a ese medio.
    ____________________________
    Origen: Soportes externos


    Archivo de origen:
    the_sims_3_keygen.exe
    ____________________________
    Acciones del archivo
    Evento: Proceso en ejecución: C:\Users\Luis\AppData\Local\virtualstore\program files (x86)\internet explorer\iexplore.exe
    No se requiere ninguna acción
    Evento: Proceso en ejecución: C:\Program Files (x86)\Internet Explorer\iexplore.exe
    No se requiere ninguna acción
    Archivo infectado: g:\razor1911\the_sims_3_keygen.exe
    Error en la eliminación
    ____________________________
    Acciones del registro
    Cambio de registro: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\->AntiVirusDisableNotify:0
    No se intentó reparar
    Cambio de registro: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\->UpdatesDisableNotify:0
    No se intentó reparar
    ____________________________
    Huella digital del archivo - SHA:
    c3c2e7de4c571f506adfa711d31e3c2660d64b5326782c5444000b34d5ab1201
    ____________________________
    Huella digital del archivo - MD5:
    c1a2273e68be3fedd18778018ce16dda
    ____________________________
     
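An added read-only check, written for this thread and not part of the original posts or of the RogueKiller, Hitman or Norton tools, that looks for the three items named above: the IBUpdaterService service entries from the RogueKiller instructions in post 10 (checked in every control set), the C:\Windows\System32\dmwu.exe file, and the two Security Center values listed under "Acciones del registro" in the Norton report. It reports only and deletes nothing; run it from an elevated PowerShell (Get-FileHash needs PowerShell 4 or later).

```powershell
# Added example: report-only check for the items named in this thread.
# The service name and image path are taken from the RogueKiller lines in post 10.
$serviceName = 'IBUpdaterService'
$imagePath   = 'C:\Windows\System32\dmwu.exe'

# 1. Service persistence. RogueKiller listed CCSet, CS001 and CS002 separately,
#    so look in every control set rather than only CurrentControlSet.
$sets = Get-ChildItem 'HKLM:\SYSTEM' |
        Where-Object { $_.PSChildName -match '^(CurrentControlSet|ControlSet\d{3})$' }
foreach ($set in $sets) {
    $key = "HKLM:\SYSTEM\$($set.PSChildName)\Services\$serviceName"
    if (Test-Path $key) {
        $svc = Get-ItemProperty -Path $key
        [pscustomobject]@{
            ControlSet = $set.PSChildName
            ImagePath  = $svc.ImagePath
            Start      = $svc.Start      # 2 = automatic start at boot
        }
    } else {
        "$($set.PSChildName): service '$serviceName' not present"
    }
}

# 2. The binary those service entries pointed to. Banano found nothing here,
#    which matches RogueKiller no longer showing the entries; the hash lets
#    you compare against the fingerprints Norton printed if the file exists.
if (Test-Path $imagePath) {
    Get-Item $imagePath | Select-Object FullName, Length, CreationTime, LastWriteTime
    Get-FileHash -Algorithm SHA256 -Path $imagePath
} else {
    "$imagePath not present"
}

# 3. Security Center notification switches from the Norton report. Norton
#    logged both being written as 0 (warnings enabled); a value of 1 would
#    silence the "antivirus/updates disabled" warnings.
$sc = 'HKLM:\SOFTWARE\Microsoft\Security Center'
Get-ItemProperty -Path $sc -ErrorAction SilentlyContinue |
    Select-Object AntiVirusDisableNotify, UpdatesDisableNotify
```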
  22. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    So Norton is finding a keygen you installed for the sims. Delete it, these things will invite in troubles!

     
  23. Banano

    Banano Private E-2

    When I enter g:\razor1911\the_sims_3_keygen.exe in Windows Explorer, it says that Windows couldn't find it. Same happens when I just do g:\
     
  24. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Did you ever, at any point actually have a keygen for the sims? :confused
     
  25. Banano

    Banano Private E-2

  26. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    When you search your machine for keygen.exe does anything crop up?
     
  27. Banano

    Banano Private E-2

    Nothing.
     
  28. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Then you need to tell Norton to "ignore" the threat. Most times antivirus gives the user a chance to intervene, make a choice whether the AV quarantines it, deletes it, or leaves it alone.

    Can you interact with Norton at all in this way? :confused
     
  29. Banano

    Banano Private E-2

    The file is in quarantine, and I have an exclude option. No ignore.
     
  30. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    Empty the quarantine please.
     
  31. Banano

    Banano Private E-2

    Apparently, it isn't in quarantine. Even though it says so, when I open the files in quarantine it isn't there, it is in the unresolved problems.
     
  32. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    From the unresolved problems section you mentioned, can you do anything with it there?
     
  33. Banano

    Banano Private E-2

    Erase it (The main problem is that Norton can't erase it, so I don't think it will work) exclude and send to Symantec.
     
  34. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I really think you ought to post about this in the Symantec forums. :) Best of luck!
     
  35. Banano

    Banano Private E-2

    Ok then. Thanks!
     
  36. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    No problem! :)

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    3. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    4. If running Vista, Win 7 or Win 8, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Now go to the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    6. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.

    7. After doing the above, you should work thru the below link:
     
