ToolbarUpdaterService.exe malware

ToolbarUpdaterService.exe is using a ton of memory (currently 299,124K). I see references to it on various bulletin boards but I haven't found any fixes other than using regedit and I'm reluctant to do that. Norton doesn't catch this when it runs. Are there other options or will Norton address this in the near future?

StartNow Toolbar?? Can you find the file, to confirm the location?

If correct, SuperAntispyware 5 Free detects as

PUP.StartNow Toolbar

Quads

Will Norton (Symantec) ever answer this poster's questions?

I and many others have this same problem and a full system scan finds nothing. Searching Google shows this malware to have existed for several years.

Is there a way to ask this question of Norton other than paying $99?

Snowman1929

Hi, Snowman1929,

There is a big grey area--generally spyware--that "arguably could" serve some legitimate purpose; in many cases, these are actually things the user either knowingly installs, or (especially the case with a range of toolbars) installs by not noticing to uncheck a box while knowingly installing some other program.

While most users might prefer to see these blocked, it often ends up a judgment call. I recently fielded a complaint from a user who was having an app blocked by Norton that he wanted to access. Striking a balance can be tough: antivirus packages will often not block them--because they're not "technically" malware in the sense that a trojan or a rootkit is--while antispyware packages generally will block them.

In this particular case, the fact that it's attracted Quads' interest backs your assessment. I would encourage you to submit your critique in the Product Suggestions forum; if enough users indicate that the standards for this sort of thing need to be tightened, we may finally see it changed.

If you absolutely feel you need to talk with a Symantec representative in real time, you'll probably have better luck with Live Chat (free) than the phone option. But this is more geared toward customer service (helping folks with immediate problems) than product improvement suggestions. This could still be useful if you just want to remove this particular one--although you'll get there too if you stay here and follow Quads' suggestions. Quads eats this kind of thing for breakfast.

PUP stands for potentially unwanted program. It is a nuisance and sometimes they can be difficult to get rid of. All download and installation packages need to be checked carefully for those clingy add-ins. The link to Superantispyware is here. Use the free version only.

www.superantispyware.com

Snowman1929 wrote:

Will Norton (Symantec) ever answer this poster's questions?


The OP has not responded to Quads' questions to clarify the issue. It's a two-way street.

Note that deleting this Trojan not only fixes the CPU overload issue, but also the one where certain sites cannot be displayed in IE...

This is not something I want installed on my system; for Norton to let this go as safe is beyond me. It is for sure MALWARE!

Unfortunately PUPs are considered advertising rather than malware. That is why it is good to have one or two on-demand scanners as different scanners look for different things. Norton products are looking for truly malicious items. SAS looks after a lot of things that people install themselves by accident.

Are you kidding!? Quit acting like there is anyone who would want this software on their machine. Are you really saying we shouldn't expect our Norton enterprise product to come up and say.. "Hey, you have this XYZ executable running on your machine... it is known to soak up resources... do you want to kill it?".

There is no excuse that Norton doesn't help at least notify us about this memory & cpu hog... are you just incompetent or in collaboration with this malware marketer?

I have never been so disgusted with Norton & Symantec, and instead of getting to this forum and seeing.. "Ya, oops we missed this.. here is how to fix it.. we'll get better... " I see folks making excuses... and where is a Norton moderator.. does Norton not care?!??

PUP is not a definition from Symantec, but a term used in many circles of the Security Software groups.

The Start Now toolbar is freely and easily downloaded from websites that are legit as the Program is NOT malware in any fashion but some people don't like the toolbar so hence the term PUP for this one.

I have tried the toolbar and it does not go anywhere near what malware is.

If you want things detected purely on the fact they are a memory & (or) cpu hog, I wonder if at times then AV software should detect itself. So for that reason detection of software on being a memory or CPU hog causes problems and probable anger also.

Quads