13 replies to this topic

[cas1]

My sister has a graypiegon virus and can't get rid of it. When she trys to remove it, her pc locks up. She can't boot into safe mode either. She can't even download hijack this. Can someone provide some ideas?

[Micah_6:8]

Welcome to the forum Can you provide the name(s) of the infected file(s), or file(s) responsible for the infection? What happens when she trys to download HijackThis! ?

[cas1]

Webroot Spy Sweeper detected the graypigeon trojan. Whenever she tries to clean it, it locks up Spy Sweeper.

Her other programs, Spybot, Adaware, and Norton aren't detecting the virus. When she searches for anything with graypigeon on her hard drive, she doesn't find anything.

When she tries to install Hijackthis from the zip file, it launches Spy Sweeper instead.

When she tries to boot into safe mode, it goes straight into normal mode.

This is what I found online about it - http://www.symantec....graybird.h.html

Are there any free online virus scanners that she should try?

[Micah_6:8]

These are the three most recommended free online scans:

Trend-Micro Housecall
Put on 'Autoclean' and delete what it can't clean.

Panda Activescan
Accept default settings.

Etrust Security Advisor
Choose 'Cure' whatever is found, then delete if unsuccessful.

Somethings to try (on the infected machine):

Links to Hijack This! v 1.99.1:

Hijack This! (© Merijn) at tools.radiosplace.com

Hijack This! (© Merijn) at spywarewarrior.com

<right-click> on one of the above links, and choose "Save target as", then give it another name (instead of "Hijacklthis.exe") like "friday.exe". Then try to run it.

Copy the text in the following quote box into Notepad:

dir c:\WINDOWS\system32\gray*.* /ah /s > files.txt
dir c:\WINDOWS\system32\gray*.* /s >> files.txt
notepad files.txt

Save it to the desktop as ff.bat.

CLOSE NOTEPAD.

Now, <double-click> the ff.bat file on the desktop. A Notepad window will open up.

Please paste it's contents into your next post.

[cas1]

Okay, she was able to download hijackthis (she can read your responses but can't post here for some reason).

She was able to finally boot into safe mode but it didn't detect the virus in safe mode. When she returned to regular mode, it detected the virus and locked up again.

This is her hijackthis log -

Logfile of HijackThis v1.99.1
Scan saved at 5:52:20 PM, on 06/02/2006
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
c:\windows\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\GWHOTKEY.EXE
C:\WINDOWS\STARTER.EXE
C:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
C:\PROGRAM FILES\REAL\REALPLAYER\REALPLAY.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\MICROSOFT MONEY\SYSTEM\REMINDER.EXE
C:\PROGRAM FILES\AMERICA ONLINE 7.0\AOLTRAY.EXE
C:\PROGRAM FILES\GREETINGS WORKSHOP\GWREMIND.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\WRSSSDK.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\AMERICA ONLINE 7.0\WAOL.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\DESKTOP\FRIDAY.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by America Online
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: (no name) - {EEC1633C-C399-19A6-71D9-37290C4DFE89} - C:\WINDOWS\Ebqgzcvl.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\PROGRAM FILES\FREEPROD TOOLBAR\FREEPROD.DLL (file missing)
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Multi-function Keyboard] GWHotKey.exe
O4 - HKLM\..\Run: [EnsoniqMixer] starter.exe
O4 - HKLM\..\Run: [Norton Auto-Protect] C:\PROGRA~1\NORTON~1\NAVAPW32.EXE /LOADQUIET
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AdwareAlert] C:\PROGRAM FILES\ADWAREALERT\ADWAREALERT.Exe -boot
O4 - HKLM\..\Run: [SpySweeper] "C:\PROGRAM FILES\WEBROOT\SPY SWEEPER\SPYSWEEPER.EXE" /startintray
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [KB891711] c:\windows\SYSTEM\KB891711\KB891711.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [Reminder] C:\Program Files\Microsoft Money\System\reminder.exe
O4 - Startup: America Online 7.0 Tray Icon.lnk = C:\Program Files\America Online 7.0\aoltray.exe
O4 - Startup: Greetings Workshop Reminders.lnk = C:\Program Files\Greetings Workshop\GWREMIND.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: PowerReg Scheduler.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe
O12 - Plugin for .mid: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .wav: C:\PROGRA~1\INTERN~1\PLUGINS\npqtplugin.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.com
O16 - DPF: {70522FA2-4656-11D5-B0E9-0050DAC24E8F} - http://download.iwon...m_5_1,0,2,5.cab
O16 - DPF: {785EA525-5066-495F-ADF6-3B8316515DEF} (Collapse Control) - http://mirror.worldw...se/collapse.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zone...ee/cm/ICSCM.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://www.taxsimple...TSWeb/msrdp.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - https://livewc01.cus...l/java/RntX.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab

Sorry if this isn't the place to post the log. Should I continue this conversation under the log section?

Thanks for all your help....

[Micah_6:8]

I'm still not seeing any infection.....


Copy the text in the following quote box into Notepad:

dir c:\WINDOWS\system\gray*.* /ah /s > files.txt
dir c:\WINDOWS\system\gray*.* /s >> files.txt
notepad files.txt

Save it to the desktop as ff.bat (on the infected machine).

CLOSE NOTEPAD.

Now, <double-click> the ff.bat file on the desktop. A Notepad window will open up.

Please paste it's contents into your next post.

It would help if I could have the "full path names" (i.e. "C:\Windows\virus.exe") of any file being flagged as "viral".

[cas1]

Oh I am sooo screwed. I opened an email from her and now my own computer isn't booting into regular OR safe mode - any ideas on what to do?

[Micah_6:8]

Do you have any Windows CD's available that were supplied when you bought the PC?

What Operating system are you using (i.e. XP, ME, '98, etc.)?

http://www.ultimatebootcd.com/
http://www.bootdisk.com/

[cas1]

I have XP but I've been trying to boot with an ME boot disk - can you do that? I do have the XP CD but I'm not sure what to do.

[cas1]

Okay, I downloaded the 6 disk XP boot disk setup. I ran it and at the end tried to repair Windows. I got an error that it couldn't find my hard drive. Do you think it's the virus or a hardware problem? Now what should I do? PS - I really appreciate your help - you're awesome!

[Doug]

Hi cas1,

I have been following your thread with interest, and imagine that you've experienced frustration because in the process of helping your friend with their Win98 machine you now believe that you have an infection on your WinXP machine!

Working with the 6 disk WinXP setup may help you.
An alternative may be to use your WinXP CD itself. (and perhaps eventually the Win98 CD for your friend)
Here's a couple of reliable sources that can walk you through a Repair Installation for XP.
http://www.michaelst...pairinstall.htm
http://www.microsoft...ips/doug92.mspx

Please be aware that you should back up all your important data and documents, because even though a Repair Installation should be non-destructive, the risk of data loss exists!
Similarly, please note that a Repair Installation may "fix" the destruction caused to the System Files by an infection, but a Repair Installation will not necessarily remove/fix/eliminate the original infection that caused the problem. More conventional anti-malware steps may be needed for the removal of the Malware, and for that Micah is already on board to assist.

I am puzzled as to why you have apparently not responded with the results of the "ff.bat" routine that Micah created for the purpose of discovering the exact address of the greypigeon infection. Seems to me it would certainly help to have that information available.

The Symantec article does identify specific files related to greypigeon trojan, does your friend actually find those files at the locations suggested by Symantec.

Please post with your progress.
Best Regards

An additional tool that may prove helpful regarding your work with Micah on your Sister's Win98 machine is TrojanHunter. You can use the trial period version, found here:
http://www.misec.net/

Edited by dough, 04 June 2006 - 01:12 PM.

[cas1]

Dough, I'm sorry I didn't reply about my sister's computer. She was finally able to clean the infection and now she's up and running well. Sorry I don't know how she fixed it, I've been busy trying to fix my own PC today. As soon as I speak to her again, I'll post the details for everyone else. In the meantime, I'm talking to you from a second PC in my home. My main PC isn't doing well at all. I can't do a restore or a new install of XP because it tells me that it can't find my hard drive. My sisters problem wasn't the same as mine - she could actually boot into Windows and I can't at all. I'll look over the sites that you posted and will see if I can find a solution there (going cross eyed from reading tech sites today). Thanks for your help.

[Doug]

Do your have files and data that you would not like to lose?
If so, consider physically removing the hard drive from your present dysfunctional computer and installing it as "slave" in your working computer.

Using your well-functioning computer's hard drive, be sure you have all the Microsoft critical updates and patches. Be sure your Anti-Virus and Anti-spyware are up to date.
Download Ewido from: http://www.ewido.net/en/

Presumably you have, at least, Spybot Search & Destroy, Ad-Aware, some Anti-virus, possibly a Webroot product? Please list what you have installed on that well-functioning machine and what Operating System it is running.

Now run each of your Anti-malware tools, including Ewido, to scan specifically the "slave" disk.

From there, carefully back-up your files and data to CD or to your well-functioning hard drive.

Return the supposedly dysfunctional hard drive to its native machine.

I think that you have indicated that your machine runs XP.
If so, use the XP installation CD to format and partition your hard drive, then make a fresh installation.

If you are running other than Win XP...
I think you mentioned that you have a WinME startup disk?
Put it into your A:\ and reboot

Select Open with CD support

Do you know how to Re-format a hard drive?
Do you know how to use F-Disk to create partitions?

Now you can do a complete new Re-format and Reinstall upon the supposedly infected/compromised hard drive and do a fresh installation of your Windows operating system.

Please note, that in doing so, you will lose All of your Chipset Drivers, all of your peripheral Drivers, all the Microsoft updates, and all of your data and files.

Please let us know if this course of action makes sense and seems doable for you.

Best Regards

P.S. A common cause of not being able to boot into windows or not being able to find a hard drive is the CMOS battery. How old is your machine? Consider replacing the battery. You can get one for about $2.50 at any Office or electronics store. If a new battery solves your problem....great! you won't have to do anything more or any of the steps above. If a new battery does nothing, you have only lost $2.50 and now have a fresh CMOS battery.

[cas1]

Sorry I didn't answer before - my "good" pc is apparantly infected too. I can boot into safe mode only on this one. I just ordered a new Dell yesterday so at least I'll have a working computer while I try to clean the other 2. The Dell I'm on now has a different hard drive connection than the newer one (and I'm not sure how to do the master/slave thing thing anyhow). Don't laugh if I'm wrong but I think one's IDE and the other's ATA??? I would like to get the data off of my other PC but worst case scenario, I'll just buy a new hard drive and reinstall everything. On my first computer to become infected, it said something about the partition (don't remember what it said). After that it didn't detect the hard drive at all. Do you think that a virus could have done that? Or is this one BIG coincidence that my sister's and both my pcs all failed at the same time? I'm running XP over ME on this pc. I've tried cleaning this one with Adaware, Mcafee, Spybot, Webroot. I still can't boot into regular mode, it shuts off before it finishes booting. I guess I'll try ewido too. You guys are great here, I absolutely apprecaite all the help!