Archived from groups: microsoft.public.windowsxp.general
I'm running XP Media Center Edition, Version 2002, SP2 with Norton
Internet Security 2004. The virus definitions are up-to-date.
We have had this computer, Sony Vaio PCV-RZ54G for nearly a year now and
this evening is the first time I tried the Windows Media Center stuff
and such. In doing so it initialized the Center for the first time.
Soon after, I rebooted and Auto-Protect detected a Trojan Horse called
Backdoor.Graybird:
"Backdoor.Graybird is a back door Trojan Horse that gives its creator
unauthorized access to your computer. The existence of the file,
Svch0st.exe, is an indication of a possible infection. Backdoor.Graybird
is a Delphi application."
The Alert said it was located in the file mc26.tmp in C:\Windows\Temp.
The Alert said it could not repair the file, could not quarantine the
file, and that it had denied access to the file. Wellll.... I
immediately manually searched the Temp folder for the file and it was
not there. I then did a total search of the whole computer and it was
not found. I then ran a full Virus scan of the computer and nothing was
found. I rebooted and the alert still pops up. I've been to the Symantec
knowledge base and could find no help and have posted on a Symantec
newsgroup - will be surprised if I get any help there. :-(
Now I suspect after starting/initializing Media Center, it is producing
temp files at booting and then after booting these files are removed
because the suspected file carries the name "mc". Somewhere in setting up
Media Center guide it said something about info would be sent to MS....
Symantec has posted a removal process of this trojan but one needs to
delete the file first. As I can't find the file I can't delete it.
http://securityresponse.symantec.com/avcenter/venc/data/backdoor.graybird.html
The rest of the process is to correct the damage:
1. End the Trojan process in Task manager by ending the process of
SvchOst.exe under the Processes tab
(right now the Processes Tab shows 5 svchost.exe running)
2. Do a complete scan of the computer for any infected files and delete
them. (I've done a complete scan and nothing was found)
3. Reverse changes in the registry the Trojan Horse made.
I haven't gone into the Registry because it would be a futile gesture
for the next time I boot that temp file will be created again. As you
can see this borders on a "Catch 22" situation.
Pleaseeeee..... ****help****.... if this so called Trojan Horse file
mc26.tmp is being created by the Media Center:
1. Is it really a trojan horse?
2. How can I stop it being created?
3. Is the Media Center Guide causing it?
If Media Center isn't creating this file, what can I do to stop it being
created?
TIA.
--- Susan
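
An added example, not part of the original post or of Symantec's write-up: a check that separates genuine svchost.exe entries from the Svch0st.exe lookalike the advisory names, using a process listing in CSV form. The listing below is constructed sample data, and the C:\Windows\System32 location assumes Windows is installed in C:\Windows.

```python
import csv
import io
import ntpath

# Digits commonly swapped for letters to imitate a system file name.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
GENUINE_NAME = "svchost.exe"
GENUINE_DIR = r"c:\windows\system32"  # assumption: Windows lives in C:\Windows

# Constructed sample listing (Node, ExecutablePath, Name, ProcessId).
SAMPLE = r"""
Node,ExecutablePath,Name,ProcessId
VAIO,C:\WINDOWS\system32\svchost.exe,svchost.exe,904
VAIO,C:\WINDOWS\System32\svchost.exe,svchost.exe,1012
VAIO,C:\WINDOWS\system32\Svch0st.exe,Svch0st.exe,1660
VAIO,C:\WINDOWS\Temp\svchost.exe,svchost.exe,2044
VAIO,C:\WINDOWS\explorer.exe,explorer.exe,1480
"""


def classify(name, path):
    """Return 'ok', 'path-unknown', 'wrong-path' or 'lookalike-name'."""
    # Windows names are case-insensitive, so "SvchOst.exe" (letter O) is
    # svchost.exe; only the digit-zero spelling is a different file.
    lowered = name.lower()
    if lowered == GENUINE_NAME:
        if not path:
            return "path-unknown"  # image path unreadable, check by hand
        if ntpath.dirname(path).lower() != GENUINE_DIR:
            return "wrong-path"    # right name, loaded from elsewhere
        return "ok"
    if lowered.translate(LOOKALIKES) == GENUINE_NAME:
        return "lookalike-name"    # e.g. Svch0st.exe with a zero
    return "ok"


def scan(csv_text):
    """Return (pid, name, verdict) for every row that is not 'ok'."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text.strip())):
        verdict = classify(row["Name"], row["ExecutablePath"] or "")
        if verdict != "ok":
            findings.append((int(row["ProcessId"]), row["Name"], verdict))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Several svchost.exe entries running from System32 pass the check; only a name that differs from svchost.exe, or the right name loaded from another folder, is reported.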