backdoor graybird trojan alerts

Discussion in 'Malware Help (A Specialist Will Reply)' started by KSerl, Nov 13, 2005.

  1. KSerl

    KSerl Private E-2

    My Norton Antivirus is identifying two dll files (rver.dll and rver.hook.dll) as being infected with backdoor.graybird trojan. I am wondering first if this is a false positive and then second how in the world to get rid of it (whether false or positive).

    I have Windows XP. I had been running Norton Internet Security 2004 and updating the virus definitions every week. The day the first alert appeared many other people reported on the computer forums that they also got that alert (but not to the same file as me) and theirs turned out to be a false positive to software I didn't have, and Norton's next update fixed their problem. Norton Antivirus wouldn't let me delete or quarantine the file. I ran several free virus scanners that didn't find the problem but AVG did. AVG would quarantine the file and since I ran it, now Norton will delete the file but it comes back frequently.

    I did all the "read & run me first before asking for support." None of those programs found anything that seemed related to backdoor.graybird. I also ran Stinger.

    I followed the directions on Norton to get rid of the trojan. I don't know if it's my ignorance but I didn't find any of the things I was supposed to change in the registry. The svch0st.exe that Symantec says usually would be in the system processes if I had this trojan, isn't there. The only thing that I have that might be related is I do have winlogon.exe in system32; Symantec says the trojan might create system32/winlogon.exe.

    I haven't had any known problems from this trojan.

    Can someone help? Thank you.
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download this trial version of Ewido Security Suite

    • Install ewido security suite
    • Launch ewido, there should be an icon on your desktop double-click it.
    • The program will have a window come up. One of the buttons on the left is to Update. Click the Update button and then Start the Update. The update will start and a progress bar will show the updates being installed.
    • After it completes the update, click the Scanner button

    Now exit Ewido. Now print the below instructions or save them locally because I want you to have no browsers open and also have no connection to the internet (unplug your cable) while doing the below.

    Okay, reboot into safe mode and follow the steps below. (If you have any problems at all trying to get into safe mode to complete these steps, just run them in normal boot mode and make sure you tell me when you come back.)

    Open up Ewido and do the following:

    • Click on Scanner
    • Then click Settings
    • Under What to Scan? Select Scan every file
    • Then click OK
    • Click on Complete System Scan and the scan will start.
    • Let the program scan the machine

    While the scan is in progress you will be prompted to clean files that are infected. Leave the default selections (to Remove and backup) and click OK. To save yourself some time, you can select Perform action with all infections and then click OK. With the option to scan every file, a lot of cookies will be removed.

    Once the scan has completed, there will be a button located on the bottom of the screen named Save report.

    • Click Save report
    • Save the report to your desktop or anyplace you will be able to find it to upload here.

    Reboot into normal mode and reconnect to the internet.

    Come back here and post the Ewido Scan Report along with a fresh HJT log.
     
  3. KSerl

    KSerl Private E-2

    Thank you for your help. Here's the two logs.

    Inline log attached!

    • Edit by bjgarrick: Inline HJT log removed!
     
    Last edited by a moderator: Nov 14, 2005
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please download Spy Sweeper
    • Click the link above to download the program.
    • Install it. Once the program is installed, it will open.
    • It will prompt you to update to the latest definitions, click Yes.
    • Once the definitions are installed, click Options on the left side.
    • Click the Sweep Options tab.
    • Under What to Sweep please put a check next to the following:
      • Sweep Memory
      • Sweep Registry
      • Sweep Cookies
      • Sweep All User Accounts
      • Enable Direct Disk Sweeping
      • Sweep Contents of Compressed Files
      • Sweep for Rootkits
      • Please UNCHECK Do not Sweep System Restore Folder.
    • Click Sweep Now on the left side.
    • Click the Start button.
    • When it's done scanning, click the Next button.
    • Make sure everything has a check next to it, then click the Next button.
    • It will remove all of the items found.
    • Click Session Log in the upper right corner, copy everything in that window.
    • Click the Summary tab and click Finish.
    • Paste the contents of the session log you copied into notepad and save it as spysweeper.txt and attach it to your next post along with a fresh HJT log.
     
  5. KSerl

    KSerl Private E-2

    Thank you. Here are the logs.

    Inline logs attached!
     
    Last edited by a moderator: Nov 14, 2005
  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    O4 - HKLM\..\Run: [WinsSystem] C:\Program Files\Internet Explorer\syssmss.exe

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\Program Files\Internet Explorer\syssmss.exe

    NEXT:
    Run CCleaner to clean up cookies and temp files.

    Run full scans with Ad-Aware SE & Spybot S&D and have both programs fix what they find.
    Note: Remember to get all updates before doing the scans.

    Then, as an added precaution, go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    • Temporary Files
    • Temporary Internet Files
    • Recycle Bin

    And click OK.


    After you complete the above, reboot into normal mode...

    FINAL STEP

    Reset Web Settings & Default Security Settings:

    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.

    After you complete the above, reboot and attach a fresh HJT log and let me know how things are running.
     
  7. KSerl

    KSerl Private E-2

    Thank you for your help. I have followed all the instructions. Everything looks okay so far. here is the log.

    Inline log attached!
     
    Last edited by a moderator: Nov 15, 2005
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Have HJT fix the below entry:

    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

    After you complete the above, your log will be clean.

    Are you having any further problems?
     
  9. KSerl

    KSerl Private E-2

    Thank you so much for your help! No sign of any problems!

    Kserl
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  11. KSerl

    KSerl Private E-2

    It's Back! Norton is identifying Backdoor Graybird again after a couple of weeks without any problems.

    I updated all the definitions and re-followed all your instructions from before (although Spysweeper has expired). Adaware is the only one to find anything and it didn't seem to find anything to do with graybird.

    I scanned all the homemade music or data CDs that I've used this week with Norton and didn't find anything.

    Can you help again? Thank you!


    Inline log attached!
     
    Last edited by a moderator: Dec 6, 2005
  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Can you let me know exactly what norton is detecting, file or registry entry?

    Do you still have Spy Sweeper installed? If so, click on the link below and download the updates manually, save to your desktop. Once the download is complete move the file into the folder...

    C:\Program Files\Webroot\SpySweeper\Masters

    After you do the above, run a full sweep and attach the log.

    SpySweeper Update
     
  13. KSerl

    KSerl Private E-2

    The same two dll files as before are being identified as being infected with backdoor graybird (rver.dll and rverhook.dll).

    I do still have the spysweeper installed but it won't open at all now that it is expired.
     
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Do you have the latest version installed (4.5.7.656)?
     
  15. KSerl

    KSerl Private E-2

    I don't know what version it is since it won't open enough to tell me and the expired message doesn't say, but I downloaded it Nov 14.
     
  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Let's make sure you have the latest version...

    Download Spy Sweeper
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If the user downloaded and installed on Nov 14th, the 14 day trial is over. It must be purchased now or uninstalled.
     
  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    If the user installed on Nov 14th they have the previous version, as version 4.5.7.656 didn't release until Nov 18th.

    New version will give 14 more days. :)
     
  19. KSerl

    KSerl Private E-2

    I tried it several times, but after downloading spy sweeper again and reinstalling it, it still is saying it is expired. As it installs it says it's version 4.5.5.604.

    Any other ideas?
     
  20. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You have the old version, you need to download from MajorGeeks not Webroot.

    Spy Sweeper 4.5.7.656
     
  21. KSerl

    KSerl Private E-2

    I've downloaded it today from majorgeeks which makes it 4 times now. It says it's 4.5.5.604 and that it's expired.
     
  22. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I'm not sure what's going on with Webroot, they have changed some things.

    Download here!
     
    Last edited: Dec 14, 2005
  23. KSerl

    KSerl Private E-2

    That link doesn't work. When I searched for Spysweeper on the main page of the web site, it didn't find it.

    Thanks again for your continuing help.
     
  24. Shadow_Puter_Dude

    Shadow_Puter_Dude MG Authorized Malware Fighter

  25. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Webroot only allows the old version for trial now for some reason, the only way we can get the updated version 4.5.7.656 is to download it from someone who has it uploaded.
    download
     
  26. KSerl

    KSerl Private E-2

    Hey, that worked -- though it was 4.5.7.642, but it allowed me to scan. But guess what! The new version won't let you save a log or delete any infected files unless you subscribe!

    All it found was three cookies:

    2o7.net cookie
    tribalfusion cookie
    zedo cookie
     
  27. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    With all of this SS stuff I have gotten off track; what are your current problems?
     
  28. KSerl

    KSerl Private E-2

    Norton is identifying Backdoor Graybird trojan again in two dll files after a couple of weeks without any problems. In November, you helped me get rid of it and it seemed gone but it came back. I never knew if I ever really had it in the first place or if it was a false detection (Norton made false positives according to other web sites the same day I got my first message).
     
  29. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Can you give me the file name and locations for both DLL files Norton is detecting?
     
  30. KSerl

    KSerl Private E-2

    c:/windows/rver.dll
    c:/windows/rverhook.dll

    They aren't visible in c:/windows even with the hidden files showing.
     
  31. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox

    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Now, Copy and Paste C:/WINDOWS/rver.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:/WINDOWS/rverhook.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES and allow your PC to reboot.

    • If you get an error message about Pending Operations, just reboot your computer manually.

    After your computer has rebooted let me know if NAV still detects them.
     
  32. KSerl

    KSerl Private E-2

    I have dialup and downloading a 65 kb program was really enjoyable!

    So far so good. A full scan didn't find backdoor graybird and it hasn't come up with the last few rebootings.

    Thank you so much for all of your help!
     
  33. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Now please attach a current HJT log from normal mode.
     
  34. KSerl

    KSerl Private E-2

    Inline log attached!
     
    Last edited by a moderator: Dec 17, 2005
  35. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your log is clean, are you having any further problems?
     
  36. KSerl

    KSerl Private E-2

    The backdoor graybird trojan is back after another month being gone (c:/windows/rver.dll and c:/windows/rver_hook.dll)! Where does it keep coming from? I followed all the instructions you gave me before and I didn't get any notices about it for a week and then followed all your instructions again, including ewido and ccleaner. Killbox has been saying it isn't there since the first time it deleted it successfully. My spysweeper trial has long ago run out. Could you help? Thank you.

    Inline log attached!
     
    Last edited by a moderator: Jan 23, 2006
  37. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Is there a reason why you are not following forum guidelines and attaching logs? I notice someone (BJ) has always had to attach them for you.

    Please attach logs from now on or explain why you are not attaching them.

    After a 1 month time period, you really need to run the full READ ME again and attach the BitDefender and Panda logs too.
     