
Thread: bar311.exe virus not detected

  1. #1
    Member (Join Date: Jan 2006, Posts: 44)

    bar311.exe virus not detected

    I'd recently noticed odd behaviour on my laptop, where the folder properties/options (for unhiding protected files and also listing known files' extensions), while they could be unticked/ticked and the folder view responded accordingly, were restored to the Windows default as soon as I either closed the folder or went up a folder and back down to that folder (i.e., the once-seen extensions were no longer listed).

    I also noticed that when I changed the options (to showing file extensions and unhiding files, of course clicking Apply and OK), even when I left the folder open, as soon as I once again opened its Tools, Folder Options and View, I found the tickables again 'default' ticked and unticked. Clearly something was wrong.

    Additionally, I noticed that when I was in any Windows 'Save As' window and I tried using the back arrow to go back to a previously navigated-to folder, I nearly always (or recently always?) got prompted that 'that feature was not installed, would I like to install it now'. I didn't just fall off the turnip truck (yesterday), so I never clicked 'OK' or 'Yes'.

    I had also recently noticed that one of my pen drives refused to format (my usual means of assuring my pen drives don't have any viruses, trojans or malware, because I don't rely solely on my well maintained and pretty good security software).

    Not ever recalling running into that, and intent on formatting the pen drive and/or seeing what on the drive was running in other directories, I first tried cut-pasting all the drive's files (same 'no can do' prompt).

    So I began cutting groups of the files for pasting and got down to one file that was causing the prompts. I found a file ('autorun.inf') which File Unlocker told me Explorer and my AV program were 'running in conjunction' with.

    Obviously one can't shut down Explorer and then delete a file (as the desktop icons all disappear and there is no means to access any of Windows' commands, unless one can use DOS, whatever). And neither was I going to shut down my AV so as to delete this bugger (I suspect some users encountering the bugger might try that and really get into trouble, whatever).

    So I opened Process Explorer and it revealed 4 instances of a previously (and still) unknown executable running ("bar311.exe"). It was pretty well protected, as I later discovered its real name and icon seemed to have been masked under the assumed name ("autorun.inf", an otherwise legitimate file name), and I only discovered its real name, etc., when I tried using File Unlocker on the 'autorun.inf' file.

    Of note, when I looked for File Unlocker's usual file option (i.e., by right-clicking any file, the menu is supposed to display things like SpyBot scan, AV scan and File Unlocker), only SpyBot was there. Hmmm.
    So I think I copied the suspect file and placed it into a desktop folder, and then, I think, it was when File Unlocker appeared on the menu.

    When I used File Unlocker on the file, it first prompted that the file was in use (duh, I knew that), so I used File Unlocker's initial option to kill that file's running processes, but File Unlocker's built-in protection prompted me about the apps/programs this 'autorun.inf' file was also running in, and it displayed why by showing what apps/programs were running with 'autorun.inf'.

    So I used yet another of File Unlocker's options ('kill all running processes') and it was then that I saw the autorun.inf momentarily delete and replace itself, and both its icon and name morphed into its details (see below). Not sure, but I think it actually morphed again and back into the masked autorun.inf. Nevertheless, it was clear the file needed special handling.

    Wary that its 227 MB not only had a replicating script but might well be capable of changing its name and/or even its location, I left it alone and first disabled my System Restore, then used Process Explorer to kill all running instances of bar311.exe, and then found the 'autorun.inf' file was readily deleted from the pen drive.

    As SpyBot and my AV hadn't dealt with this bugger, and moreover it had been running in both Explorer and in my AV program, which indicated it had slipped past their usual safeguards, I chose to manually clean house rather than wait a week or more for others to post a definitions update and a fix.

    Again with System Restore still off/disabled, I simply deleted all temp files, Content.IE, etc., etc., ran Disk Cleanup, then Privacy Mantra, and simply re-booted. But still the folder options won't stay as I set them.

    Note that only through a specific method of using File Unlocker was I made aware of the bugger. Accordingly, before even trying to delete the bugger, I then used Process Explorer to kill all four instances of it running.

    Note, I'm not sure, but apparently (at least on my machine) one of the effects of the virus is modifying Windows' file properties window: when viewing the file's properties (ref. the window named "bar311.exe Properties"), only one tab is displayed ("General") and it lists/listed a crudely fashioned icon, a 'typical' smiley (facing toward the viewer and shaded as if facing south at about 9 AM).

    The details were: "Type of file: Application", "Location: Portable Media Devices\Memory Stick (E", "Size: 221 KB (227,157 bytes)"* [note: my screenshot oddly captured that line's displayed text with only approx. 90% of the bottom-most detailed text, i.e., the top '10%' of the entire text line was missing], "Files cannot be opened directly from this device. Please copy the file to a local folder and open copy.", an "OK" and a "Cancel" button.

    Note that before using Process Explorer's kill feature on all running instances of this bugger, Process Explorer's properties (for an instance of the running bugger) were as follows:

    Path: C:\Windows\bar311.exe ("image probably packed")
    Command line: bar311.exe
    Directory: C:\Documents and Settings\My Name\
    Parent: winlogon.exe(648)
    User: My Machine's Name\My Name
    Started: 'current time and date'
    Comment: 'none'
    Data Execution Protection (DEP) Status: On

    Note, Windows Task Manager's 'Applications' tab didn't list the bugger, but its 'Processes' tab did list four extra processes running (I didn't note them before I used Process Explorer's kill feature on them).

    But before re-booting (sure glad I did), I Googled bar311.exe...

    http://hubpages.com/hub/winzip123 which has a pretty good looking post for fixing bar311.exe and/or winzip123

    ...that post I followed, and sure enough there were a couple of registry issues which I corrected. I also fashioned the post's 'bat' file and ran it, followed the re-boot prompt, and on re-start a check of the Task Manager's listed processes listed bar311.exe! Plus, as expected, my folder options still wouldn't stay as I set them.

    Thinking that maybe when I copied the script something might not have been posted/copied correctly (i.e., some lines ended with an unused space, midway through the script there was a double 'line break', and at the end of the script there was another 'line break' along with an empty line), I re-fashioned the scripted bat file (without the unused end-of-line spaces and less those two odd line breaks) and re-ran it.

    While a DOS window flashed once (as before), this time the restart computer prompt didn't appear, so I re-fashioned the bat file, this time exercising extreme caution in copying the script's text (my resulting pasted script didn't have just the last line's 'line break'). Ran it and, grrr, while the DOS window flashed, again no prompt to restart.

    So I went through the posted article again, and once more I found several registry entries out of order, and once again I followed the recommended editing, except for one edit where it offered to either modify the key as mentioned or delete the autorun key entirely. I deleted it, re-booted and presto, all is back to normal (despite the snafu with my running the alternative bat files).

    What luck: it seems the initial bat took and stuck, the others didn't do anything, and moreover what seemed to have done the trick was deleting the autorun key in my registry (the post's 'or delete autorun key', ref. as opposed to modifying it, which was the other alternative I first tried).
    Last edited by urrguru; 2008-10-02 at 20:05. Reason: broke up last paragraph
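    A small triage routine, added here as a defender's example and not code from the thread or any of its posters: it inspects the bytes of a file named autorun.inf copied off a removable drive, reports which [autorun] directives would launch a program, and flags the case described above, where the 'autorun.inf' was really an executable. The sample inputs are constructed; bar311.exe appears only as the file name from this thread.

```python
import re
from typing import Dict, List

# [autorun] directives that make XP-era Windows run a program when the
# drive is inserted or opened from Explorer.
LAUNCH_KEYS = ("open", "shellexecute")
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$")

def triage_autorun(raw: bytes) -> Dict[str, object]:
    """Triage the bytes of a file named autorun.inf taken from removable media."""
    launches: List[str] = []
    notes: List[str] = []
    # A genuine autorun.inf is plain text. A Windows executable wearing that
    # name (the case in the thread above) begins with the 'MZ' DOS header.
    if raw[:2] == b"MZ":
        notes.append("file starts with the MZ header of a Windows executable")
        return {"verdict": "executable-masquerading-as-inf",
                "launches": launches, "notes": notes}
    section = ""
    for line in raw.decode("latin-1").splitlines():
        line = line.strip()
        if not line or line.startswith(";"):          # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()      # INF names are case-insensitive
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        if key in LAUNCH_KEYS or SHELL_CMD_RE.match(key):
            launches.append(f"{key}={value}")
        elif key == "icon" and value.lower().endswith(".exe"):
            # Icon borrowed from an executable: cosmetic masquerading, not a launch.
            notes.append(f"icon taken from an executable: {value}")
    verdict = "auto-launch" if launches else "benign"
    return {"verdict": verdict, "launches": launches, "notes": notes}

# Constructed samples (not taken from the thread's pen drive).
BENIGN_INF = b"[AutoRun]\r\nicon=drive.ico\r\nlabel=My Stick\r\n"
WORM_INF = (b"[autorun]\r\nopen=bar311.exe\r\n"
            b"shell\\open\\Command=bar311.exe\r\nicon=bar311.exe\r\n")
DISGUISED_EXE = b"MZ\x90\x00" + b"\x00" * 60   # PE stub carrying the .inf name

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_INF), ("worm", WORM_INF),
                         ("disguised", DISGUISED_EXE)):
        print(name, triage_autorun(sample))
```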

  2. #2
    Spybot Advisor Team [Retired] md usa spybot fan (Join Date: Oct 2005, Posts: 5,859)

    urrguru:

    Quite frankly your post is too rambling to follow.

    re: The title of your post, "bar311.exe virus not detected". Firstly, Spybot is an anti-malware (anti-spyware product) and is not designed to detect viruses. If you feel that Spybot should have detected the "… bar311.exe virus …" then please post in the
    _____

    If you feel that you are infected with "bar311.exe virus…" and your anti-virus software (or Spybot) is not detecting/removing the problem, you can request assistance in the Malware Removal forum provided on this site and an experienced malware removal specialist will assist you.

    If you decide to have an experienced malware removal specialist assist you and decide to post in the Malware Removal forum, the instructions for posting in that forum are here:

    Those instructions require that you run several scans and then start your own thread in the Malware Removal forum, posting the HijackThis log from one of the required scans.

    Getting an answer is one thing, learning is another.


    Microsoft Windows XP Home Edition running on a 2.40GHz Intel® Pentium® 4 Processor with 512 MB of RAM and a 533 MHz System Bus.

  3. #3
    Member (Join Date: Jan 2006, Posts: 44)

    Frankly

    Well, since we're so critical about others, I just have to say that your opinion is your opinion and you're entitled to it, but I see the post, while lengthy, as very well written, informative and contributing to the community.

    Point is, people come to a forum to constructively advise and share (that means having to read details rather than having to ask for them), not to be nitpicked by moderators or others who feel it necessary to comment on their view as to how well a post is written.

    Additionally, the virus is back, and so far the only reply I got from my AV's feedback webmail was a form-letter-like response (ignoring the fact that I'd told them I'd deleted the file) advising me to zip the file (which I didn't have then), password-protect it and submit it, but it failed to say how to do it, nor does the AV website or the software itself divulge how to do it.

    But thanks at least for replying with the links.
    Last edited by urrguru; 2008-10-03 at 13:33.

  4. #4
    Spybot Advisor Team [Retired] md usa spybot fan (Join Date: Oct 2005, Posts: 5,859)

    urrguru:

    I'm sorry that you apparently took offence to my comment:

    Quote originally posted by md usa spybot fan:
    … Quite frankly your post is too rambling to follow. …

    I read your 1300-plus-word post several times. Your post seemed to be well organized, broken into three (3) elements:
    • Symptoms
    • Discoveries (finding)
    • Resolution

    However, because of the title of the post, "bar311.exe virus not detected", and because it seemed that you had resolved the problem on your own, I was confused by why you posted in the Spybot-S&D forum requesting support for running Spybot as opposed to:

    Confused by the intent of your post in the Spybot-S&D forum, I may have written what seemed to you an abrasive comment. However, my only intent was to provide the best advice I could and indicate that if you reposted in the suggested forums, you should not elongate your posts so as to distract from their intended purpose.

    _________

    It now seems that you may have not resolved the problems on your system:

    Quote originally posted by urrguru:
    … the virus is back and so far the only reply I got from my AV's feedback webmail was a form letter like response (ignoring the fact that I'd told them I'd deleted the file) …

    I will reiterate my suggestion:

    Quote originally posted by md usa spybot fan:
    … If you feel that you are infected with "bar311.exe virus…" and your anti-virus software (or Spybot) is not detecting/removing the problem, you can request assistance in the Malware Removal forum provided on this site and an experienced malware removal specialist will assist you.

    If you decide to have an experienced malware removal specialist assist you and decide to post in the Malware Removal forum, the instructions for posting in that forum are here:

    Those instructions require that you run several scans and then start your own thread in the Malware Removal forum, posting the HijackThis log from one of the required scans.


  5. #5
    Member (Join Date: Jan 2006, Posts: 44)

    I think I am so screwed.

    I appreciate the reply and your explained intentions, but now, after using TM's HouseCall to clean house, the laptop starts to log on to Windows, then after I enter my password says 'loading personal settings', then as soon as I hear the logon wav another prompt appears and says 'logging off', and does so.

    Obviously something's amuck with the registry and/or the virus is doing its log-off routine that it's known for doing.

    Problem is I'm not real familiar with all the listed Windows modes of safe startups and none of them seem to be able to get me past the log on/log off routine.

    The one safe mode that actually tells me anything likely useful is when I use 'Directory Services Restore - Windows domain controllers only'. It tells me that the C and D drives check out, and I get the resulting Windows window titled 'booting in safe mode - directory services repair', whose pane then fills in with text saying 'checking on file system D', then says 'cannot determine file system of drive \??\volume {0n1b6f43fo-5a5b-11db-91e2-806d6172696f}.' and then says 'volume is clean'.

    If that means anything which can be of help, great, but I'm just not experienced enough to know what to do with that info.

    If I'm missing something on any of the other safe modes, I'd sure like to hear about it.

    I do have a set of recovery discs, but I believe they're only good for formatting and getting the system back up that way.

    I'm not sure if that will only affect programs and doesn't affect document files, but I can't even say for sure I can get those discs to work, as I had the laptop's optical drive removed and have been using an external one (so I'm uncertain if the BIOS will recognize that drive when I try using the discs).

    Running XPH/SP2 on a Sony VAIO.

    Needless to say, I last shut down with System Restore disabled.

    Does anyone know for sure if I'm screwed for sure?

  6. #6
    Member (Join Date: Jan 2006, Posts: 44)

    Not impressed with SBS&D or this forum

    Eventually, without any help from anyone, as all forums either bitched about my posts or offered few to no answers I sought:

    My BIOS (with its onboard optical drive removed at the time of infection) detected my standalone optical drive by default and the recovery disks succeeded in formatting the OS.

    Pretty simple, and yet nowhere did I find such a basic suggestion to resolve the issue.

    Trouble is, too many people reply without answers and end up essentially 'burying' an otherwise useful means of resolving issues and sharing them.

  7. #7
    Senior Member Matt (Join Date: Aug 2006, Location: Bavaria, Posts: 1,169)

    Hi urrguru,

    md usa spybot fan already gave you good suggestions a few months ago (for example: using the help in the Malware Removal Forum), but it seems to me that you didn't follow his directions...

    Sometimes formatting is necessary, but it isn't always the easiest and best solution if you have problems with malware.

    Happy Safe Surfing for the future!
    Best regards,

    Matt
