Virus removal help needed...

Hi all, at the moment I am in charge of a fairly large network of around 500 computers and all was running fine until Friday.

Lots of people have been coming to me saying their memory sticks will not work, and each time I fixed it they all had the same problem - there was an icon called 'bar' with a recycling bin icon and an autorun script which runs 'bar/bar32.exe'.

All the computers have Symantec AntiVirus and this simply isn't picking anything up, I can't see how to add an entry on the server to block bar32.exe. It also seems to jump through the network since every PC seems to have it.

Has anyone dealt with this crappy little virus/spyware? So far it's having no effect but to screw up memory sticks.
 
The exe you name is True Launch Bar 32-bit; it's normally a legit application... if your computers are running it, it may be causing issues with the sticks...
 
It might have the same name as True launch bar but I don't think it is.
This is how it comes up.

[screenshot: screenshotpw.jpg]


This is the code in the autorun script (it has to be unlocked using a small program before I can open it because it's 'in use').

Code:
è??(??ë(&
[autorun
;M?y?Âë?M'Bm?ÌÜ<Cÿé???????è?Xæ?y~x?á?ÏrÑB?bt??ðà?n?ý??eW?VefÊÊ??X?ð?ÔÚfë?àEÓFù?æBXs??b?s-?t?(sBÿ?ç=ë???Xà?CT?I?ÔKÊ????#?ò?IL?é~?Í?ØÍä?z?
open=bar/bar32.exe
;?é?àèªÈ????VI)??X?dsÙ?ÁF#
icon=SHELL32.dll,4
;??XÂø~?C??M?sF?ú???ªª??F(?QX??M??òÂîë?áë?Ó??~??æ??ÁcrÞ*v??&?I???Oâ?ùBMëìènäE?r??ba?,to?ÿÌ?já?µ
acTIon=Open folder*to view files using*Windows*Explorer
;ñMë?ô?(úTX?|??d???àr??,?ee?èXà}??!?o?{???r?ÌOFå??èA??v?ìà?a?m??Xà?Ï????'g~?????zè???Wv??Ö-ÚçÚ?îvÞXìÄXgCe?èwM??ÿémÊíÞÜ?CLr?sò?????ù
shElL\oPEn\commaNd=bar\\\\\\\\\\\bar32.exe
;ìNJRm=aC?m~rÔF???fç?????ù?eJ?çXz?òè?òø-ìÒmxXw?C??ÊxÇgJ?x,TVì'?øø?-an??????ædý??C??Ç?KÇ????Á?A??ñ?öeFNá?MÜ?éÂ?M?a???éáõ?JÃ??&ç?c~B&?vcFÈx?XFæùs?C?'ç?K?ssÖÐJ???m?ëfÔ?Â?#zâIr\?è???^eçìy?n?Â?}!e?fàÜågEÿls?
SheLl\\\\\\\\exPLore\\\\\\\\\comMand=bar/////////bar32.exe
;?Á??CF<Zè!???ù?I????%ètò??àKO?z?,Â????÷??Ç?mdýñAXøs???Ýg=R?vë?úTøñ?d?C????îv?&??Â?ðB?Ñ?j
useautoplay=1
;???öèÊv????$éàl??Í{??ms?Á?Q?C~????ô??ë???TFçÆ?d?äÔTkf??

I have done a few tests: taking a brand new memory stick with nothing on it and putting it in a standalone computer (not attached to the network), it works fine. I then plug it into an 'infected' computer and it comes up like the image above. Then back into the standalone computer, and it's tricky to get it to work, and when it does, it comes up like the image above.

Please, someone must be able to help. I've been at this all morning and it's driving me mad.

Thanks
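As an added defender-side example (not code from this thread), here is a small Python triage script that parses an autorun.inf like the one quoted above, ignoring the binary comment padding and the mixed-case, multi-slash key names, and reports which programs it would launch and which Explorer verbs it hijacks. The sample file is constructed to mirror the quoted one, not copied from it.

```python
import re
from typing import Dict, List
# Constructed sample modelled on the quoted autorun.inf: junk comments, mixed-case keys, separator runs.
SAMPLE_AUTORUN = r"""
[autorun
;M?y?Âë?M'Bm?ÌÜ<Cÿé???????è?X
open=bar/bar32.exe
;?é?àèªÈ????VI)??X?dsÙ?ÁF#
shElL\oPEn\commaNd=bar\\\\\\\\\\\bar32.exe
SheLl\\\\\\\\exPLore\\\\\\\\\comMand=bar/////////bar32.exe
useautoplay=1
"""
LAUNCH_KEYS = ("open", "shellexecute")  # values run automatically on insertion
SEPARATORS = re.compile(r"[\\/]+")      # any run of \ or / counts as one separator

def normalise(path: str) -> str:
    """Collapse separator runs so bar/////bar32.exe and bar\\\\bar32.exe compare equal."""
    return SEPARATORS.sub(r"\\", path.strip())

def parse_autorun(text: str) -> Dict[str, str]:
    """Hand-parse key=value lines; configparser rejects the unclosed '[autorun' header."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";[" or "=" not in line:
            continue  # blank, comment padding, section header, or not a key=value pair
        key, value = line.split("=", 1)
        entries[normalise(key).lower()] = value.strip()
    return entries

def is_verb_command(key: str) -> bool:
    # shell\<verb>\command overrides what Explorer runs for that right-click verb
    return key.startswith("shell\\") and key.endswith("\\command")

def launched_programs(entries: Dict[str, str]) -> List[str]:
    return sorted({normalise(v) for k, v in entries.items()
                   if k in LAUNCH_KEYS or is_verb_command(k)})

def assess_autorun(text: str) -> List[str]:
    """Triage reasons an autorun.inf looks like removable-media malware (empty if benign)."""
    entries, reasons = parse_autorun(text), []
    if any(k in entries for k in LAUNCH_KEYS):
        reasons.append("auto-runs a program on insertion: " + ", ".join(launched_programs(entries)))
    verbs = sorted(k.split("\\")[1] for k in entries if is_verb_command(k))
    if verbs:
        reasons.append("hijacks Explorer verbs so Open/Explore run it: " + ", ".join(verbs))
    junk = sum(1 for l in text.splitlines() if l.lstrip().startswith(";") and any(ord(c) > 126 for c in l))
    if junk:
        reasons.append(f"{junk} comment lines of binary padding, typical signature evasion")
    return reasons
```

Run `assess_autorun` over the autorun.inf from a suspect stick; a benign label/icon-only file yields an empty list.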
 
Have you scanned the drive with something other than Symantec?

I usually disable autorun on all drives via group policy to stop this kind of thing happening.
 
Have you scanned the drive with something other than Symantec?

I usually disable autorun on all drives via group policy to stop this kind of thing happening.

Well, I was trying to use AVG but was having trouble, so I moved to Avast; after about 5 secs of scanning it had found it - bar32.exe - and considered it to be a 'high threat level'.

Trouble is, I obviously can't go around installing Avast on every single computer on the network...
 
[screenshot: bar32.jpg]


To update, I found that deleting the recycling/folder thing lets a windows search pick up the actual application 'bar32.exe'. So now I can easily delete it manually and I can actually see it on the memory stick (pictured above are its properties).

However, as soon as the clean, virus-free memory stick is plugged back in to the same computer, it is reinfected. This means there must be something on the computer to copy it back on.

A bit of googling shows that bar32.exe is somehow linked to 'MsMxEng.exe' and 'Win32:Flot-C', and I reckon it's one of these copying bar32.exe back on.

[screenshot: 18358527.jpg]


After finding this I finally thought I was in luck - it was even created on the date I first started having problems with this virus - so I deleted it. Annoyingly, it made no difference at all.
 
I usually disable autorun on all drives via group policy to stop this kind of thing happening.

This. ^

You could also use a clean workstation to manually remove autorun.inf from infected flash disks. Then create an autorun.inf folder and hide it.

Code:
cd\
rem create a folder with the name the worm wants for its file
mkdir autorun.inf
rem hidden + read-only + system so it is not casually deleted or overwritten
attrib +h +r +s autorun.inf

Unsophisticated malware will then be unable to create an autorun.inf file. :D

You may also want to consider setting up a Software Restriction Policy, such that nothing can run from any locations other than \Program Files and \Windows.

It will mean more work for admins as users will come running asking to install things, but at least your network will be clean. :p
 
You may also want to consider setting up a Software Restriction Policy, such that nothing can run from any locations other than \Program Files and \Windows.

It will mean more work for admins as users will come running asking to install things, but at least your network will be clean. :p

We already do - hence why this is baffling ;)
 
SOLVED for standalone PCs

Since this thread is the second link on Google to deal with this, and at the time of writing none of Symantec, AVG or Avast can help, I might as well tell people how to remove the bar32.exe stuff manually.

First you will need to make sure you can see all hidden files and folders.

Next, do a search on your primary drive for 'MsMxEng.exe' (pic below) and permanently delete it (Shift+Del). This is very important because if you do not delete this file, as soon as you delete the actual virus it's just recreated by this executable - I think, anyway :p

[screenshot: step1kd.jpg]


Now open up your C: drive (or whichever one has Windows installed on it) and look for a folder called 'RECYCLER'. In this folder are a few other recycling bins, one for each user; make sure all of these have nothing in them. If they do and you don't know what it is, it's almost certainly the virus. You might need to download Unlocker to force-delete the contents if it says they are in use.

If you have been using a memory stick, back up its contents and format it.

Restart your PC and check back in Recycler to make sure it hasn't come back.

Done. That has worked for 2 different PCs I have tried (one XP, one Vista).
 
They're all rubbish. :D:p Symantec has the nickname "The Yellow Peril" among certain security companies, apparently! :eek:

Try a real AV, such as Kaspersky or NOD32. Malwarebytes Anti-Malware is another good free program to try.
 