
MSA.exe & b.exe

Hi..

My first post on the Norton community, and, regretfully, it's for the wrong reasons

I share this computer with my younger sister, who has... interesting ideas concerning safe internet surfing. At some point yesterday, she downloaded an .exe (she can't remember which one), which in turn led to MSA.exe and B.exe being placed on my computer. She then deleted them, in the hope that it would prevent further damage to the computer (and in the hope that her older brother wouldn't find out).

However, this hasn't solved the problem, as I'm still being randomly redirected to websites when I use Google.

I'm also vaguely aware that this means that there's a nasty rootkit installed on my computer, which has prevented me from using (Malwarebytes, DDS.scr and Hijackthis) to gather logs that analyse the problem. The only thing I've managed to get working is Win32kDiag - I've attached the log, in the hope that this might provide information to help solve the problem.

Quick replies would be appreciated, although I'm aware that it takes great deals of time to deal with this sort of thing (having written code before... I'm aware that it can be like finding a needle in a haystack when the needle's made of hay)

Many thanks

File Attachment: 

Replies


Re: MSA.exe & b.exe

Please download SysProt here http://sites.google.com/site/sysprotantirootkit/  (direct link for latest version is at the bottom of the page), disable Norton's Auto-Protect feature (Settings > Real Time Protection > Auto-Protect > Off) and run SysProt.

Choose the Log tab and select all the items in the Write to log box. Then select Create Log to start scanning. When it is done, a message window will appear with the location of the log file.

Please attach the log file to a post here; the Add Attachments link is below the orange Post button. Thanks

Win10 x64; Proud graduate of GeeksToGo

Re: MSA.exe & b.exe

Ok, here's the log.

Thanks for getting back to me so quickly

File Attachment: 

Re: MSA.exe & b.exe

Username1:

Are you running XP or Vista?  If you are running XP, right click on Hijackthis, go to properties, and check at the bottom for an Unblock option. This is preventing quite a few programs from running rather than malware. 

Under certain circumstances profanity provides relief denied even to prayer. - Mark Twain

Re: MSA.exe & b.exe

Hi,

Have you tried doing scans in safe mode? You can try the Eset online scan if you aren't blocked from accessing the website (try the www.eset.co.za one).

I don't see any rootkits in your SysProt log, so it seems as though you're lucky in that respect. I also noticed that you have Norton 2009 installed - you may want to upgrade that to 2010, as Sonar 2 might catch these pests. But I'm not sure it would be a good idea to install it while malware is on the system - I'm sure other posters can comment on this? :-). But definitely upgrade after this has been sorted out, as the detection rates are significantly better.

Matt

"The fact that man knows right from wrong proves his intellectual superiority to other creatures; but the fact that he can do wrong proves his moral inferiority to any creature that cannot." - Mark Twain

Re: MSA.exe & b.exe

Delphinium: I'm running Windows Vista

mattsegers: I've just tried running the ESET online antivirus... and there doesn't seem to be any virus according to that.

What do I do now?

*EDIT*: After a discussion with my sister, she grudgingly revealed from where she found the virus:

<remove the hashes, but whatever you do, for the love of prog, please don't download anything!>

bil#lgab#le.co#m/r#oset#ta-s#tone-3#-3-7-r#apidshare-mega#upload-key#gen-serial-cr#ack.html

Message Edited by Username1 on 10-17-2009 08:00 AM

Re: MSA.exe & b.exe

Username1 - As stated, your system seems to be rootkit free, but there does look to be something running a lot of svchost processes.

Please download HiJackThis from this web site. Choose the executable and save it on your desktop. Run the file and select the first option on the main menu, "Do a system scan and save a log file". When this is finished, Notepad will open with the log file in it. Save the log file and attach it to a post here via the Add Attachments link under the orange Post button.

Win10 x64; Proud graduate of GeeksToGo

Re: MSA.exe & b.exe

Hi Delph

I found this thread from another forum. I don't know if it will be of any use or if it's the same problem that Username 1 has. Please take a look at this forum and decide if it's of any help.  That mentions a bagel also so I don't know if the fix would be the same or not. But PLEASE DONT DO ANYTHING SAID ON THAT FORUM UNTIL YOU GET INSTRUCTIONS FROM A MORE QUALIFIED PERSON than myself Username1.

http://www.geekstogo.com/forum/b-exe-msa-exe-Win32-bagel-t255262.html

Username1 ----- Please don't do any thing suggested in that link until some of the more experienced helpers here ok it first.

Success always occurs in private and failure in full view. Windows 7 Pro 64 bit NS with BackUp 22.11.2.7 Core 202 I E 11

Re: MSA.exe & b.exe

Hi,

I've tried downloading and then running Hijackthis a couple of times, and each time I do it, it cuts out, and when I try to reopen the original application, it tells me I can't access it - and denies me renaming, moving and deleting privileges.

I've also noticed since earlier that when I try to boot up MSN Messenger, it comes up with an error message that says "Windows Live Communications Platform has stopped working" - this only seems to have occurred since my new best friends moved in. (I've since changed my password on another computer, and won't be using it on this one.)

Message Edited by Username1 on 10-17-2009 09:36 AM

Re: MSA.exe & b.exe

Hi Username1

Have you updated your Windows Live Messenger to the newest version? This is an update for security reasons and they have been saying if you don't update it, then you won't be able to use MSN Live Messenger. I don't know just when the update became or will become mandatory or just when the functionality of the program will end if you haven't updated it yet. So the MSN messenger could be affected by these viruses or because the program hasn't been updated yet. If you already have the newest version, then it may be the viruses themselves. Please check out the Windows Live site and see if you have the newest update for it. Thanks.

Success always occurs in private and failure in full view. Windows 7 Pro 64 bit NS with BackUp 22.11.2.7 Core 202 I E 11

Re: MSA.exe & b.exe

I've tried updating Live Messenger, and when that didn't work, uninstalling/reinstalling it, but I'm still getting the same message. I'm still having the problems with HijackThis; it won't let me run more than about 10 seconds of scanning before it closes down and refuses to re-open.

I'm also getting another error message (according to Firefox), which says that there's an error with the .NET Framework 1.1 plugin, and it recommended disabling it.

I'm beginning to worry a little bit now....


Re: MSA.exe & b.exe

The Firefox pop-up is unrelated. It has to do with a security issue introduced into the browser by a couple of Microsoft .NET Framework plug-ins that Mozilla is disabling to protect users. The alert and the disabling of the plug-ins are not malicious.

Message Edited by SendOfJive on 10-17-2009 11:14 AM

Re: MSA.exe & b.exe

In spite of the fact that the Eset online scan came back clean, you still have symptoms of a malware infection. Just for diagnostic purposes I would suggest that you download and run a scan with Prevx 3.0.  In the trial version it will find but not remove the malware. It's less than a 1MB download and will only take a few minutes to install and run. It is very good at finding malware and usually finds things that other scanners don't.   Prevx

Re: MSA.exe & b.exe

Username1:

Keep in mind, that for Vista, you will need to right click on anything and "run as admin."

Under certain circumstances profanity provides relief denied even to prayer. - Mark Twain

Re: MSA.exe & b.exe

SendOfJive:

Thanks for letting me know.

Delphinium:

Have just tried running and installing PrevX 3.0 - I managed to install it, but part of the way through it running its initial scan, it vanished, and I haven't seen it since. I've just tried to uninstall it, to reinstall it - but I get greeted with a message informing me, despite this being the only account, that I have insufficient privileges to uninstall or reinstall.

Message Edited by Username1 on 10-17-2009 11:54 AM

Re: MSA.exe & b.exe

Username1:

Are you able to bring up Task Manager? Could you provide a screenshot of what is on it? Save your screenshot, or "snip it" to Paint, and upload it using the little green tree icon near the smilie. Use the "large size".

Even if yours is the only account, you will still have to right click and run as administrator.

Under certain circumstances profanity provides relief denied even to prayer. - Mark Twain

Re: MSA.exe & b.exe

Username1, it sounds like you have a rootkit; if so, it will prevent any well-known security apps from running. I saw 2 suspicious entries in your SysProt log. Download and run a scan with Hitman Pro; it is an on-demand scanner that uses cloud technology to scan with 5 different security apps. It is particularly effective against rootkits. The fact that it is not well known works in your favor, as the malware probably won't know about it and will allow you to complete a scan. Unlike Prevx, Hitman Pro will allow you to delete the malware it finds for the entire 30-day trial period. Let us know how it goes.   Hitman Pro

Re: MSA.exe & b.exe

OK... I've attached screenshots of the processes page of task manager (I'm guessing that that's the most important one, although if I'm wrong, I do apologise)

I sorted the processes alphabetically, and it took two screenshots to fit them in. I've attached them both, but seeing as the forum won't let me attach text files, I had to rename the extensions to .txt - they should be .jpg - I apologise for any irritation that this might cause.

I also tried "Run as Administrator" earlier, but it still vanishes without a trace.

*EDIT*: I tried Hitman as well... Still no luck - I ran it as administrator, and it vanished as well - and with every application that this rootkit neuters, in the bottom left of the application's icon, a little picture of two heads appears

Message Edited by Username1 on 10-17-2009 12:23 PM
Message Edited by Username1 on 10-17-2009 12:32 PM

Re: MSA.exe & b.exe

Username1:

Please read the instructions I gave you on how to upload a screenshot. You cannot change the file name, attach it, and actually expect to see it. Won't work.

Under certain circumstances profanity provides relief denied even to prayer. - Mark Twain

Re: MSA.exe & b.exe

OK. Here they are.... Please ignore that momentary act of stupidity.

Re: MSA.exe & b.exe

Hi

Did any of you look at the link I posted back on post # 8? Would following any of the instructions in that other forum be of any help to Username1? It's back on page 1 of this thread thanks.

Success always occurs in private and failure in full view. Windows 7 Pro 64 bit NS with BackUp 22.11.2.7 Core 202 I E 11

Re: MSA.exe & b.exe

floplot:

I would recommend leaving that for a last-ditch effort. It appeared to be solved more by good luck than totally good management. Not every machine will respond the same way.

If we can find msa.exe in task manager, right click and end process, a search of the file should then allow it to be deleted.  Then the clean up programs should run.  b.exe used to show in the GMER and SysProt, but isn't here.

Message Edited by delphinium on 10-17-2009 03:14 PM

Under certain circumstances profanity provides relief denied even to prayer. - Mark Twain

Re: MSA.exe & b.exe

For those members using Firefox, as I do, SendofJive advises that in Internet Explorer, which is much more versed in the intricacies of Microsoft's mind than I, the .txt files will be readable.

SoJ can find anything, anywhere, anytime.

Under certain circumstances profanity provides relief denied even to prayer. - Mark Twain

Re: MSA.exe & b.exe
delphinium wrote:

    For those members using Firefox, as I do, SendofJive advises that in Internet Explorer, which is much more versed in the intricacies of Microsoft's mind than I, the .txt files will be readable.

    SoJ can find anything, anywhere, anytime.

It's one of those "Firefox-follows-HTTP-specifications-but-IE-doesn't" things that allows IE to be creative in displaying images and other content from what would appear to be a plain-text file. Firefox gives you the text, even if it is gibberish. I think I found this one under a rock somewhere.


Re: MSA.exe & b.exe

Hi, I found the following links about people suffering similar problems to me. (But I'm not going to follow any of the advice until somebody can check it out and approve it. Are these going to be ones that were fixed more by luck than skill?)

http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/417768-scan-programs-quit-mcafee-wont-update-possible-msa-exe.html

http://www.windowsbbs.com/malware-virus-removal/87259-resolved-think-i-have-msa-exe-virus.html


Re: MSA.exe & b.exe

Username1:

These remediations are both very interesting. While appearing similar, the helpers have actually made two different approaches to the problem. The first remediation required the ability of the reader to accurately identify which Windows driver had been overwritten and to replace the file using Combofix and a script. The second remediation involved the reader's ability to accurately identify the .dlls involved and disable them, again using Combofix and a script.

This is where people get caught using someone else's remediation. If your driver file is different from the one in the first fix, it will either have no effect, or will screw up your system. If your involved .dlls are different from the ones in the second fix, the same sort of thing will happen. The script is used to limit what Combofix does. Without a script, it does as it thinks best, sometimes with unexpected results.

In the link provided by floplot, the readers used more time and tools to accurately identify the files that had been over-written, and kept getting surprising results or no results at all.  They were equally successful in the end.

These remediations worked on 2 XP Pro and 1 XP Home SP3, but we don't have a comparison on a Vista machine.

I don't think anyone here can say whether it will work, or take out your operating system. It is a best-guess scenario without the knowledge and experience to accurately identify your files and produce a script unique to your machine.

Do you have a Vista disc, program discs, and have you backed up your My Documents and other important files in case a reformat is necessary?

Under certain circumstances profanity provides relief denied even to prayer. - Mark Twain

Re: MSA.exe & b.exe

Delphinium:

By a completely happy coincidence, I backed up my files about a day before this thing hit (That's what happens when you pay attention in Computing lessons... And they say what you learn in school is completely pointless)

I can't find my Vista disc, however - when I bought my laptop, it came with Vista installed on it; I can't remember if there was a disc, and if there was, it'll be at home, which is the other end of England (To Sheffield from Southampton is about 6 or 7 hours)...

What should I do now?


Re: MSA.exe & b.exe

Hi Username

Can someone at home check to see if it's there and, if it is, maybe they can mail it to you?

Success always occurs in private and failure in full view. Windows 7 Pro 64 bit NS with BackUp 22.11.2.7 Core 202 I E 11

Re: MSA.exe & b.exe

What kind of laptop have you got, Username1? Often, when the operating system comes pre-installed, recovery discs are supplied, but not necessarily the operating system disc. If you can, go to the website of your laptop manufacturer to see what is available and offered online. You may be able to burn something to a disc that will enable you to recover in a worst-case scenario.

Let us know how that goes before you begin.  There are going to be some issues with Vista putting things in slightly different places than XP.  Make sure you can recover.

Under certain circumstances profanity provides relief denied even to prayer. - Mark Twain

Re: MSA.exe & b.exe

To get rid of this rootkit, am I basically going to have to completely wipe my computer and then start again afresh? I'll try to get my parents to mail it to me first class ASAP (if they can find it).

Re: MSA.exe & b.exe

Username1:

You might or might not have a rootkit behind the other malware. The malware is nasty to deal with and even trickier to get rid of. Without appropriate assistance, you have two options. You can choose to try one of the other fixes, or you can reformat and start over fresh. It should be a complete bare-metal format, not just a reload.

To do either, you need to be able to reload your operating system.  

Under certain circumstances profanity provides relief denied even to prayer. - Mark Twain

Re: MSA.exe & b.exe

I don't think my laptop (HP-DV6910ea) came with any discs - but it did make me make 3 DVDs for system recovery - I'm aware that this isn't quite the same as completely reformatting my laptop (There's no guarantee of destroying the malware if it's smart enough), and that the malware could also have crept into the recovery partition of my hard-drive.

Re: MSA.exe & b.exe

At this point, Username, we perhaps need the advice or opinion of someone who has used the recovery discs for this purpose. I don't have a laptop, and have always ordered an O/S disc. I don't know how the recovery system works, although with this type of malware, replacing the infected files with the correct files may well solve the issue. That is what is happening in the remediations.

Under certain circumstances profanity provides relief denied even to prayer. - Mark Twain