[solved] Norton Anti-virus unable to delete

Discussion in 'adware, spyware & hijack cleaning' started by mildbill, Jun 12, 2004.

Thread Status:
Not open for further replies.
  1. mildbill

    mildbill Registered Member

    Joined:
    Apr 6, 2004
    Posts:
    19
    Norton anti-virus found the following adware files and was unable to delete them. Webroot Spy Sweeper, Ad-Aware, SpywareBlaster, and Spybot didn't find them.

    the files:

    msbar.exe according to norton is an adware.statblaster

    WinWildApp.exe another adware.statblaster

    What do I need to do?

    Thanks
     
  2. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Re: Norton Anti-virus unable to delete

    Hi mildbill,

    It sounds like you may have picked up another infection. :doubt:

    Please post a hijackthis log here in this thread.

    Regards,

    snap
     
  3. mildbill

    mildbill Registered Member

    Joined:
    Apr 6, 2004
    Posts:
    19
    Re: Norton Anti-virus unable to delete

    Here it is

    Logfile of HijackThis v1.97.7
    Scan saved at 9:20:06 AM, on 6/12/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\hijack this\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://charter.msn.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://charter.msn.com
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
    O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
    O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: Research (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.charter.com/sdccommon/download/tgctlcm.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
    O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38035.5948842593
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup145.cab
     
  4. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Re: Norton Anti-virus unable to delete

    Hi mildbill,

    I am not seeing anything bad in your log. Where is Norton finding the infected files?

    If they are located in the System Restore, then all you have to do is turn System Restore off and reboot your computer to clear the old restore points, which will clear out any infected files that may have been backed up in there. Do another scan with Norton's to make sure everything is clean, then turn System Restore back on.

    Here is a link for instructions on how to turn System Restore off: System Restore Instructions.
    Remember to re-enable System Restore after it has been cleaned.

    Let us know what the Norton scan comes back with after you have cleared the System Restore.

    Regards,

    snap
     
  5. mildbill

    mildbill Registered Member

    Joined:
    Apr 6, 2004
    Posts:
    19
    Re: Norton Anti-virus unable to delete

    snapdragin,

    I cleared the System Restore and ran norton anti-virus and the two files were still there.

    They are located at the following place

    c:\Windows\system32\msbar.exe

    c:\Documents and Settings\Bill\LocalSettings\Temp\WinWildApp.exe

    Now what should I do?

    Also I just put webroot Spy Sweeper on yesterday and the machine seems sluggish, seems to stall out for a little bit every minute or so. It is a pentium 3 800 mhz with 256 ram. Not a speed demon by any means anymore, but prior to putting Spy Sweeper in it didn't behave like this.

    Is that typical with spy sweeper?

    Thanks
     
  6. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Re: Norton Anti-virus unable to delete

    Hi mildbill,

    I have not used spy sweeper, so I'm unable to say whether that is causing your computer to become sluggish or not.

    For the two files that you've mentioned, could you zip up a copy of the msbar.exe and WinWildApp.exe and submit them to This Email Address for analysis.

    In case the above files are hidden, make sure you have all files and folders viewable: How to Show hidden files and folders.

    I am pretty sure the msbar.exe file is a malware file, but would rather see a scan for it before I say delete it. Could you upload the 'msbar.exe' at Kaspersky for a scan. Then post back the scan results here.

    For the one in your temp folder, boot into Safe Mode (tapping the F8 key just before Windows begins to load) and empty the contents of the C:\Documents and Settings\Bill\LocalSettings\Temp (but do not delete the Temp folder itself.)

    Here is a more detailed description of the WinWildApp.exe
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_STILEN.A&VSect=T

    Then do an on-line scan at one of these on-line antivirus sites:
    Free Services

    Regards,

    snap
     
  7. mildbill

    mildbill Registered Member

    Joined:
    Apr 6, 2004
    Posts:
    19
    Re: Norton Anti-virus unable to delete

    Following is the scan results for c:\windows\system32\msbar.exe from Kaspersky

    Scanned file: msbar.exe

    msbar.exe - archived by NSIS
    msbar.exe/data0001 - OK
    msbar.exe/data0002 - OK
    msbar.exe/data0003 - OK
    msbar.exe - OK
     
  8. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Re: Norton Anti-virus unable to delete

    humm...

    Well the Kaspersky scan didn't tell us much, and I am not finding anything on that file either, so it may be still too new and unknown.

    mildbill, could you also send a zipped copy of both those files to submit@diamondcs.com.au for analysis.

    Please include the link back to this thread in the body of the emails so the Experts will be able to locate the thread easily, and add a brief description also.

    Then rename the msbar.exe to msbar.bak just so we don't wake it up. I am not seeing it in the Running Processes, but just to be on the safe side, let's rename it until we hear back from the Experts.

    Regards,

    snap

    *to add - you could move it to a floppy for now also if it will let you. I do not have a file like that on my XP-Home, so unless you know what it is used for (you can check its properties) then it won't hurt anything to move it to a different location also.
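The check snap did by eye above (is the suspect file in the Running Processes list or in an O4 autorun entry?) can be done mechanically. The following script is an added example, not something posted in this thread or part of HijackThis; it parses a HijackThis-style log excerpt (the real process and O4 lines from mildbill's log, plus one constructed O4 entry for msbar.exe so that a hit is shown) and reports where each suspect filename appears.

```python
import ntpath
import re

# Constructed HijackThis-style excerpt (assumption). The process, R0 and first two
# O4 lines follow the format HijackThis v1.97 writes; the last O4 entry pointing at
# msbar.exe is a constructed example so the matcher has a positive hit to report.
SAMPLE_LOG = r"""Logfile of HijackThis v1.97.7
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://charter.msn.com
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0
O4 - HKLM\..\Run: [Constructed Entry] C:\WINDOWS\system32\msbar.exe
"""

# O4 lines look like:  O4 - HKLM\..\Run: [Name] "C:\path\prog.exe" -switch
O4_RE = re.compile(
    r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$'
)


def _exe_from_command(cmd):
    """Program path from a Run-key command line: the quoted path if present,
    otherwise everything before the first ' /' or ' -' switch."""
    m = re.match(r'"([^"]+)"', cmd)
    if m:
        return m.group(1)
    return re.split(r' (?=[/-])', cmd, maxsplit=1)[0]


def parse_hjt(text):
    """Return the Running processes list and the parsed O4 autorun entries."""
    processes, autoruns = [], []
    in_procs = False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:           # blank line ends the process list
                in_procs = False
            else:
                processes.append(line)
            continue
        m = O4_RE.match(line)
        if m:
            autoruns.append({"hive": m["hive"], "key": m["key"],
                             "name": m["name"], "exe": _exe_from_command(m["cmd"])})
    return {"processes": processes, "autoruns": autoruns}


def find_references(parsed, suspects):
    """Map each suspect filename to the log locations that reference it
    (case-insensitive match on the file's basename)."""
    by_lower = {s.lower(): s for s in suspects}
    hits = {s: [] for s in suspects}
    for path in parsed["processes"]:
        base = ntpath.basename(path).lower()
        if base in by_lower:
            hits[by_lower[base]].append("running process: " + path)
    for a in parsed["autoruns"]:
        base = ntpath.basename(a["exe"]).lower()
        if base in by_lower:
            hits[by_lower[base]].append(
                f"autorun {a['hive']}\\..\\{a['key']} [{a['name']}]: {a['exe']}")
    return hits


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    for name, where in find_references(parsed, ["msbar.exe", "WinWildApp.exe"]).items():
        print(name, "->", where or "not referenced in this log")
```

A file that is neither running nor in an autorun entry is the situation snap describes: renaming it is low-risk because nothing in the log would launch it at the next boot. A file that does show up in an O4 entry needs that entry dealt with as well, or Windows will report the renamed path as missing at startup.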
     
  9. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    Re: Norton Anti-virus unable to delete

    winwild is definitely evil, and needs deleting. TDS knows that one.

    I can't see what msbar.exe is as it's a windows installer file and I can't examine it without running it, which I don't intend to do.

    I have passed them on for detailed analysis
    and will let you know when the report comes back
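dvk01's point is the right one: a packaged installer can be described without running it. The Kaspersky result above already said "archived by NSIS", and that much is visible statically. The script below is an added example, not part of this thread or of any of the tools named in it; it records the facts an analyst submission wants (size, MD5, SHA-256, whether the file is a PE executable, whether it carries the NSIS installer marker) using only file reads. The NSIS marker it looks for is the 0xDEADBEEF / "NullsoftInst" signature NSIS places at the head of its data block (an assumption stated here, not something the thread says), and the sample it runs on by default is a constructed stand-in, not msbar.exe.

```python
import hashlib
import sys

# Marker NSIS writes at the start of its installer data block: 0xDEADBEEF
# (little-endian) followed by the ASCII text "NullsoftInst" (assumption, from
# public NSIS format descriptions). Its presence says "NSIS-packaged installer";
# it says nothing about whether the payload is safe.
NSIS_MARKER = b"\xef\xbe\xad\xdeNullsoftInst"
E_LFANEW = 0x3C  # offset of the PE-header pointer inside the MZ header


def triage_bytes(data):
    """Static facts about a file image: size, hashes, header type, NSIS marker.
    Nothing here executes or unpacks the sample."""
    info = {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "is_mz": data[:2] == b"MZ",
        "is_pe": False,
        "nsis_installer": NSIS_MARKER in data,
    }
    if info["is_mz"] and len(data) >= E_LFANEW + 4:
        pe_off = int.from_bytes(data[E_LFANEW:E_LFANEW + 4], "little")
        info["is_pe"] = data[pe_off:pe_off + 4] == b"PE\0\0"
    return info


def triage_file(path):
    """Read a quarantined file (renamed .bak or not, the bytes are the same)."""
    with open(path, "rb") as fh:
        info = triage_bytes(fh.read())
    info["path"] = path
    return info


def report(info):
    """Lines suitable for pasting into an analysis-submission e-mail."""
    if info["is_pe"]:
        kind = "PE executable"
    elif info["is_mz"]:
        kind = "MZ stub"
    else:
        kind = "not a Windows executable"
    if info["nsis_installer"]:
        kind += ", NSIS installer"
    return [
        f"file:   {info.get('path', '<in-memory>')}",
        f"size:   {info['size']} bytes",
        f"md5:    {info['md5']}",
        f"sha256: {info['sha256']}",
        f"type:   {kind}",
    ]


def build_constructed_sample():
    """Constructed stand-in (assumption), not the file from the thread: an MZ
    stub whose e_lfanew points at a PE signature, then the NSIS marker."""
    pe_off = 0x80
    hdr = bytearray(b"MZ" + b"\0" * (pe_off - 2))
    hdr[E_LFANEW:E_LFANEW + 4] = pe_off.to_bytes(4, "little")
    return bytes(hdr) + b"PE\0\0" + b"\0" * 60 + NSIS_MARKER + b"\0" * 32


if __name__ == "__main__":
    if len(sys.argv) > 1:
        info = triage_file(sys.argv[1])
    else:
        info = triage_bytes(build_constructed_sample())
    print("\n".join(report(info)))
```

Run it with the path of the renamed file as the only argument; with no argument it describes the constructed sample. The hashes are the useful part of a submission: whoever analyses the file can confirm they received the same bytes, and once a verdict comes back the same hash identifies the file on any other machine that has it.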
     
  10. mildbill

    mildbill Registered Member

    Joined:
    Apr 6, 2004
    Posts:
    19
    Re: Norton Anti-virus unable to delete

    Ok,

    I put Windows in safe mode and deleted WinWildApps and everything else in that temp file. Put back in regular mode and ran house call from Microtrends.

    Changed msbar.exe to msbar.bak

    Floppy doesn't work so I left it where it is.

    What next?
     
  11. mildbill

    mildbill Registered Member

    Joined:
    Apr 6, 2004
    Posts:
    19
    Re: Norton Anti-virus unable to delete

    I received an e-mail from csdiamond that said the msbar was an adware and to delete it.

    So I put the computer in safe mode and deleted it.

    Then I ran Norton Anti-virus and it did not find anything. Hopefully that is a good sign.

    Is there any merit to the statement that Netscape Navigator and or Mozilla is less vulnerable to this stuff than Internet Explorer?

    Also curious as to if Webroot Spy Sweeper makes systems sluggish. I sent webroot an e-mail, but if any of you have any experience that would be great.

    Thanks for your help.

    Mild Bill
     
  12. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Re: Norton Anti-virus unable to delete

    Thanks mildbill, for letting us know what the outcome was for that file. :)

    If your Norton's has said you are clear, then yes, that is a good sign. You can do an on-line scan for a second opinion of course: Free Services

    As for Netscape and Mozilla, they are not targeted as much as IE is, but I use Opera myself. If you want others' opinions regarding a safer browser to use, there are several threads in the other sections of the forum about which browsers members prefer. You can check out the Poll thread here: Pros & Cons of Alternative Browsers to get you started.

    For Webroot Spy Sweeper, you can start a new topic over in the Privacy Software Forum where you will be able to get other members' opinions. :)

    Regards,

    snap
     