win32/adware visua toolbar

Discussion in 'NOD32 version 2 Forum' started by booyaa, Oct 26, 2005.

Thread Status:
Not open for further replies.
  1. booyaa
    Offline

    booyaa Registered Member

    nod32 (2) finds infected files (:cool: and can only clean 3. It keeps finding an adware toolbar named visua and at one point it found a trojan(trojan.dropper) i have run spy bot search & destroy, trojan hunter, adaware se, counter spy,microsofts anti spy and a full system scan with nod32 and anti-vir all in safe mode and all with system restore disabled. i have deleted %temp% files and *.tmp files. im at my wits end and thinking about doing a wipe of the hard drive and starting over. am i missing something here or am i not looking in the right place? the toolbar first appeared in the firefox browser. the trojan(trojan.dropper) i have no idea where it is. again nod32 finds and quarintines 2 files(win32/adware) but it does not tell me what the other 6 are. if anyone could help i would appreciate it
  2. fosius
    Offline

    fosius Registered Member

    Could you please send the log of NOD32 on-demand scanner so that we can help you more?...
  3. booyaa
    Offline

    booyaa Registered Member

    The latest file is 36 meg,how can i add it to the forum, the amon monitor is reading 8 files infected, 2 cleaned but i cannot find where these infected files are
  4. alglove
    Offline

    alglove Registered Member

    Instead of looking at the NOD32 Scanner Logs, try looking at the Threat Log.
  5. booyaa
    Offline

    booyaa Registered Member

    Time Module Object Name Threat Action User Information
    10/26/2005 17:06:17 PM AMON file C:\WINDOWS\TEMP\tmp1.tmp Win32/Adware.Toolbar.Visua application quarantined - deleted - error while Cleaning - operation unavailable for this type of object NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe. The file was moved to quarantine. You may close this window.
  6. alglove
    Offline

    alglove Registered Member

    The "deleted - error while Cleaning - operation unavailable for this type of object" part usually occurs when a virus is found within a .zip file. NOD32 cannot delete files from within a .zip file, so it just deletes the entire .zip file instead. I think that NOD32 sometimes considers this as 2 infected files (once for the virus inside the .zip, another for the .zip file itself), but only only cleans one of the files (the .zip file).

    navapsvc.exe is the "Auto Protect" feature of Norton Antivirus. Are you running this and NOD32 at the same time? It could be that Norton is using tmp1.tmp for its own purposes (detecting Visua Toolbar?), and then NOD32 jumps in and finds it there, as well.
  7. booyaa
    Offline

    booyaa Registered Member

    if the virus/trojan is in a zip file, how can i locate it, and any idea why, when i look in the windows temp folder the tmp1.tmp (that number keeps changing it could be 1 or 2 etc) file cannot be found. when i reboot nod32 find 4-8 infected files, lists only 1 in the threat log and cleans 2-3 files.
  8. alglove
    Offline

    alglove Registered Member

    What do you see in your NOD32 System Tools --> Quarantine?
  9. booyaa
    Offline

    booyaa Registered Member

    1st from 10/25 C:WINDOWS\TEMP\tmp1.tmp size 80384 reason
    win32/adware.toolbar.visua.application number 3

    2nd from today all the same except tmp2.tmp reason 1
  10. Blackspear
    Offline

    Blackspear Global Moderator

    Can you please empty your Temp Files, then reboot into Safe Mode and run a full scan with Nod32 fully tweaked.

    Let us know how you go...

    Cheers :D
    Last edited: Oct 29, 2005
  11. booyaa
    Offline

    booyaa Registered Member

    Did the above, ran nod32 in safemode it found nothing. rebbot computer and amon is stating 4 infected files, 2 cleaned. how do i find those infected files?
  12. Blackspear
    Offline

    Blackspear Global Moderator

    Can you please copy from the Nod32 Log the 4 files that AMON is catching, I suspect they are in System Restore, in which case you will have to turn System Restore off, reboot your computer and turn it back on.

    Cheers :D
  13. booyaa
    Offline

    booyaa Registered Member

    Everything that i have run has always been with system restore off. The only log file i can find is in a dat format and is difficult for me to read. if i can attach it i will and you can read it
  14. Blackspear
    Offline

    Blackspear Global Moderator

    Hi Booyaa, I'm talking about opening up the Control Centre and double clicking on a scan that shows the 4 files, as per screen shot.

    Cheers :D

    Attached Files:

    • Log.gif
      Log.gif
      File size:
      33 KB
      Views:
      195
  15. booyaa
    Offline

    booyaa Registered Member

    did a full system can with nod32 it shows no infections/virus. the amon scanner is the one showing (now it is 8 files infected and 2 cleaned) the file cleaned is in the threat log, it is the adware.toolbar.visua, this is in nortons navapsvc.exe?
    it says it is quarantined and i can close the threat log but there is nothing in quarantine. what are the other 6 files? should i delete norton's and see if nod32 stop seeing the infections with amon scanner?

    Time Module Object Name Threat Action User Information
    11/1/2005 4:49:06 AM AMON file C:\WINDOWS\TEMP\tmp1.tmp Win32/Adware.Toolbar.Visua application quarantined - deleted - error while Cleaning - operation unavailable for this type of object NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe. The file was moved to quarantine. You may close this window.
    Last edited: Nov 1, 2005
  16. alglove
    Offline

    alglove Registered Member

    Before deleting Norton, I would try finding a way to disable it, or at least its AutoProtect feature.

    One question I have is, does Norton say anything about this file in its logs, or is it just NOD32?
  17. booyaa
    Offline

    booyaa Registered Member

    norton's av does not see it, just the nod32 amon scanner, cannot shut off or disable norton's auto protect feature only after comp has rebooted and by then nod's amon scanner has already seen and logged it and put it in quarantine
  18. alglove
    Offline

    alglove Registered Member

    I am not sure which version of Norton Antivirus you use, but try this to disable Auto-Protect:

    Open Norton Systemworks/Antivirus.
    Go to Options --> Norton Systemworks.
    Click Startup.
    Uncheck Auto-Protect.
    Hit OK and reboot.
  19. booyaa
    Offline

    booyaa Registered Member

    found that, thanks. disabled norton av and rebooted, nod's amon scanner is finding 0 infected files. has nortons av been infected somehow or is this a conflict between the two? this hasnt happened before, they co-existed fine until i picked up a trojan.
  20. alglove
    Offline

    alglove Registered Member

    It sounds like it could be a conflict or a false positive. It is hard to say for sure without a virus sample. Does the problem come back if you reenable Norton Auto-Protect?
  21. booyaa
    Offline

    booyaa Registered Member

    re-activated norton's av, i could not shut off the warning notices telling me that a trojan.dropper has been quarantined and or unable to be removed (had to do ctrl,alt del to stop the process from running), that all these files are located in the windows\temp folder (they dont exist in that folder). i am beginning to think i should say goodbye to norton's av
  22. alglove
    Offline

    alglove Registered Member

    Yeah, it sounds like a conflict or false positive. If you want, I guess you can keep Norton on the computer, but leave the Auto-Protect off. You can still keep it around for periodic manual scans, just in case NOD32 misses something.
Thread Status:
Not open for further replies.