Okay -- was up til one doing this and virus scans.
Here is the odd thing on the virus scans -- Norton would detect the virus and deny access to it during boot-up (which is still taking an inordinately long time), but could not locate it during a subsequent full system scan.
PandaScan couldn't find it on a full system scan, either.
I did some reading about the Backdoor.Graybird virus -- here is Symantec's entry:
<quote>Backdoor.Graybird is a back door Trojan Horse that gives its creator unauthorized access to your computer. The existence of the file, Svch0st.exe, is an indication of a possible infection. Backdoor.Graybird is a Delphi application.
Also Known As: Backdoor.GrayBird [KAV], BackDoor-ARR [McAfee]
Type: Trojan Horse
Infection Length: 386,236 bytes
Systems Affected: Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000, Windows XP
_________________
Damage
Payload:
Modifies files: Modifies the registry
Releases confidential info: Intercepts confidential information by hooking keystrokes
Compromises security settings: Allows unauthorized access to your computer
When Backdoor.Graybird runs, it performs the following actions:
Copies itself as one of the following filenames:
%System%\Svch0st.exe
%System%\Winlogon.exe
%System%\Explorer.exe
%System%\ravmond.exe
NOTE: %System% is a variable. The Trojan locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Creates one of the following values, or a similar value, depending on the variant:
"svchost" = "%System%\Svch0st.exe"
"winlogon" = "%System%\Winlogon.exe"
"system" = "%System%\Explorer.exe"
"ravmond" = "%System%\Explorer.exe"
in the registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
so that the Trojan runs when you start Windows.
If the operating system is Windows NT/2000/XP, the Trojan also creates the value:
"run" = "%system%\svch0st.EXE"
"run" = "%system%\ravmond.exe"
in the registry key:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
If the operating system is Windows 95/98/Me, the Trojan adds the line to the [windows] section of the Win.ini file:
run = C:\WINDOWS\SYSTEM\SVCH0ST.EXE
so that the Trojan runs when you start Windows.
Attempts to access the password cache stored on your computer. The cached passwords include, amongst others, the modem and dialup passwords, URL passwords, and share passwords.
Intercepts keystrokes allowing Backdoor.Graybird to steal confidential information.
Once Backdoor.Graybird is installed, it waits for the commands from the remote client.
These commands allow the Trojan's creator to perform any of the following actions:
Deliver system and network information to the Trojan's creator, including the login names and cached network passwords.
Install an FTP server, allowing the hacker to use the compromised computer as a temporary storage device.
Open or close the CD-ROM drive and perform other annoying actions.
Download and execute files.
</quote>
I have not tried to manually remove the virus yet. I suspect Norton AV is already tainted and that I may have to uninstall/reinstall to fix it.
The very odd thing is that, until I ran RegSeeker, Norton missed this file entirely.
As to RegSeeker -- I will try to finish that tonight. My list went from 200 processes the first time, then to 100; then to 60; then to 6, then to 11.
Then it was one AM.
Steve
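Read as a defender, the Symantec entry quoted above boils down to a short list of concrete artifacts: four filenames in %System% and a handful of value names under the listed Run keys and the Win.ini [windows] section. The PowerShell script below is an added example, not code from Steve's post or from Symantec, that checks exactly those locations on the local machine so you do not have to rely on a scanner that only catches the file at boot; it assumes PowerShell 3 or later and read access to the listed keys.

```powershell
# Added example: look for the Backdoor.Graybird persistence markers named in
# the Symantec entry. Report only; nothing is deleted or modified.
$sys = [Environment]::SystemDirectory   # resolves %System% for this Windows version

# Value names the entry says the Trojan writes, and the keys it writes them under
$suspectValues = @('svchost', 'winlogon', 'system', 'ravmond', 'run')
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
)

$findings = @()
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $suspectValues) {
        $val = $props.$name
        # An empty "run" value under the Windows NT key is normal; skip blanks
        if ($null -eq $val -or $val -eq '') { continue }
        # "svchost"/"winlogon"/"system" collide with legitimate names, so the
        # data (the path it points at) is what matters; record it for review
        $findings += New-Object PSObject -Property @{ Where = $key; Name = $name; Data = $val }
    }
}

# File-level check: Svch0st.exe (digit zero) and ravmond.exe never belong in %System%.
# Winlogon.exe/Explorer.exe are real binary names, so they are not tested by name alone.
foreach ($f in 'Svch0st.exe', 'ravmond.exe') {
    $p = Join-Path $sys $f
    if (Test-Path $p) {
        $len = (Get-Item $p).Length   # entry lists 386,236 bytes for the sample it describes
        $findings += New-Object PSObject -Property @{ Where = 'file'; Name = $f; Data = "$p ($len bytes)" }
    }
}

# Windows 9x-style persistence: the "run=" line in Win.ini (file still exists on later versions)
$winIni = Join-Path $env:windir 'win.ini'
if (Test-Path $winIni) {
    Select-String -Path $winIni -Pattern 'svch0st|ravmond' | ForEach-Object {
        $findings += New-Object PSObject -Property @{ Where = 'win.ini'; Name = 'run'; Data = $_.Line }
    }
}

if ($findings.Count -eq 0) { 'No Graybird persistence markers found' }
else { $findings | Format-Table Where, Name, Data -AutoSize }
```

Run it from an elevated prompt so the HKLM keys and %System% are readable; a hit on the Svch0st.exe path (with the zero) is the unambiguous marker, while the other value names need the path they point at checked by hand.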