Application blocking interferes........

Guest

I just downloaded the MS Anti-spyware, and I love it. I have had a
svchost.exe/spyware.shopnav in my computer, and neither Norton nor Spyware
Stormer would delete it, but MS did....

I removed all the adware and spyware, rebooted, etc. I have my setting on
auto update.

The problem is: The application change is still trying to get in. It is
svchost.exe.
The file path is C:\WINDOWS/svchost.exe. NOW the MS AntiSpyware Notice pops
up every 5 seconds on the screen. I thought when I removed the spyware, it
would quit trying to infect. Even if it keeps trying, how in the world do I
get rid of that pop up warning without disabling Real-Time blocking??????

It's impossible to work on the computer with the thing popping up all the
time, but obviously I need to keep it enabled to stop the intrusion.

I am on high speed cable, but it pops up even when I don't have my email or
browser, or any other programs running except the normal ones in the
background.

I wish it had a "don't show this again" box.
 
Guest

Hi Barry,

Have a look at this article. It may be relevant to your problem.
Look for Spyware Stormer
http://www.spywarewarrior.com/rogue_anti-spyware.htm#top

http://www.spywarewarrior.com/rogue_anti-spyware.htm#online


Go for scans in safe mode and also add Ewido and Ccleaner, as Ewido performs
great with Trojans and Ccleaner will clear your temp folders where a lot of
malware hides installers. You could upload the file at Jotti's scan site to
find out what it relates to, but you may need to enable hidden files and
folders to find the file, depending on where it's saved.

When MS Antispy finishes scanning it should show where the infected file is,
Go to Jotti's site

http://virusscan.jotti.org/

In the file to upload area press Browse then follow the path to the exe file :

Then press Submit and copy and paste the results to notepad and save them so
you can post back the results if needed.

Here's how To Enable Hidden Files and Folders if you cannot find the file

Click Start > Open My Computer > Select the Tools menu and click Folder
Options > Select the View Tab.

Under the Hidden files and folders heading select Show hidden files and
folders.
Uncheck the Hide protected operating system files (recommended) option.

Click Yes to confirm > Click OK.

You can set this back later by opening the same page and pressing 'restore
defaults' then pressing apply.

Next Download Ewido and Ccleaner

Download the trial version of Ewido Security Suite here

http://www.ewido.net/en/download/

Install ewido.

During the installation, under "Additional Options" uncheck "Install
background guard" and "Install scan via context menu". Launch ewido. On the
left side of the main screen click update. Click on Start and let it update.
After the update finishes (the status bar at the bottom will display "Update
successful"), exit Ewido.
DO NOT run a scan yet. You will do that later in safe mode.

Download Ccleaner

http://download.ccleaner.com/download124bin.asp

Install Then close

Copy this to notepad if needed and save it, as you will not be able to access
the internet in safe mode.

Reboot into safe mode - Restart your computer and immediately begin tapping
the F8 key on your keyboard. If done right a Windows Advanced Options menu
will appear. Select the Safe Mode option and press Enter.

To return to normal mode just restart your computer as you normally would.

Once in safe mode run Ewido again.

From the main menu click on 'scanner' then click 'Complete System Scan'

Once it's started scanning it will display an alert window when it finds any
infected files. When you see this first alert, choose 'Remove' and check
the box in the bottom left corner that says 'Perform action on all
infections'

When it's finished scanning it will give you some options at the bottom of
the screen. Choose 'Save Report' and save it to the desktop in case you need
more help with this.

Run MS Antispy on a full system scan and remove anything found

Finally Run Ccleaner and press "Run Cleaner" to remove temp and unused files
from your system

While still in safe mode reset the Internet Settings: Go to Start Menu then
Control Panel then to Internet Options, click the Programs Tab and press
"Reset Web Settings" and include the homepage then press Yes. Then go to the
General Tab and enter the homepage you want to use into the space provided
and press Apply.

Reboot back to normal mode

Let us know if you have any problems and post the ewido scan log and the
results from Jotti if it's still being detected.

Engel
 
Guest

Thanks Engel. I'm afraid all of that is above my pay grade ;-). I have
already uninstalled Spyware Stormer. As noted in my previous post, the trojan
application redirection spyware was removed by MSAP, and confirmed that it
was gone.
The problem with the Real Time Blocker is that it kept popping up until I
disabled it. Of course now when it scans at its regular time, it will detect
it again, and I will remove it. If that darn pop up Notice didn't interfere,
I wouldn't worry about it. I want MSAP to intercept, but I still can't figure
out why the svchost.exe file keeps trying to invade my computer after it was
removed.

I went to the first page you linked, but I had already uninstalled Spyware
Stormer.
I'm very sceptical of going into dll files or registry files. I may just
need to take it to a pro. All those additional downloads and scanning while
in SAFE mode is defeating my purpose in downloading MSAP.

I delete temp internet files every couple of days and defrag. Your reasoning
is great, but it's me that's a little tentative about going into something that
deep.
I will visit the other links provided. Maybe I can avoid a trip to the shop,
but I will have to see after I visit the links you provided and re-read your
message. It's hard to read in that little box...
Thanks a bunch. I think I could do all the things you suggested, but I'm
about sick of screwing with it. I don't know what the shopnav spyware is
doing in my usage, but I don't really notice it, except that my burner
software won't work properly.
Thanks again,
Barry
 
Guest

Thanks again, Engel. You are too kind with your time......
As of right now (Sunday 1-15-06) I am clean of everything malicious. I
downloaded several free trials of PC Magazine's best Trojan Horse Removal
Tools. One of them found the problem, but wouldn't fix it on the trial
version. Here are some of the actions I took.....
I downloaded MSAS, but had the problem with the pop-ups alerting me that a
Trojan was being blocked. I resolved that by disabling the System Agent, but
that night when my Norton Anti-Virus 2005 ran its weekly scan, I HAD 4,261
INFECTIONS! Norton Symantec deleted all but one, but that was the svchost.exe
file that was (in layman's terms) calling out to the other Trojan infections.
I downloaded "The Cleaner" trial version and it deleted that file. I
downloaded it instead of Ewido because it is faster and rated just one notch
above Ewido. It also installed a Trojan blocker called TC Monitoring, so I have
that and MSAS both blocking spyware and trojans, and Norton monitoring
viruses. They are all active, with automatic updates. Then I downloaded
Norton's "FixQhost.exe" for finding Trojan hosts, and it deleted the final
Trojan that was hosting (2020 Search).

One key I found out was you need to disable your System Restore in Windows
XP. If you don't, XP may try to restore the files infected with Trojans, so
you have accomplished nothing. Then enable it after you are through cleaning.

I know I didn't take the exact same path as you recommended, but you were a
tremendous help in giving me a game plan.

I did several scans again this morning, and I'm glad to report that none of
them (all of them deep scans of My Computer) reported one single infection or
at risk file.

The Cleaner has a 30 day trial and it works great, and none of its features
are disabled. A lot of them won't do the entire job until after you buy it. I
recommend anyone with Norton Symantec to go to the Norton site and download
the "FixQhost". It's free.

Now, my MSAS is not popping up all the time alerting me a Trojan was being
blocked, even after I re-enabled the system agents in Real-Time.

I hope anyone reading this has been helped. I had the C:\WINDOWS\svchost.exe
Trojan Horse Application Directory infection for about three months, and the
regular Norton or Spyware Stormer would not delete it. I have removed Spyware
Stormer, because you recommended me to, and its definitions are out of date,
and it had its own spyware, too.

Thanks a million, Engel!!!!
Barry
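
The file at the centre of this thread was reported at `C:\WINDOWS/svchost.exe`, while the genuine Windows service host runs from the `System32` directory (or `SysWOW64` on 64-bit systems), so the location alone is a useful triage signal. The sketch below is an added example, not part of any post in the thread: it extends the check to a few other commonly imitated system binary names, and the helper names, PIDs and process list are constructed for illustration.

```python
import ntpath

# System binary names that malware often imitates, mapped to the directories
# (relative to %SystemRoot%) they legitimately run from. "" is %SystemRoot% itself.
EXPECTED_SUBDIRS = {
    "svchost.exe": ("system32", "syswow64"),
    "lsass.exe": ("system32",),
    "services.exe": ("system32",),
    "winlogon.exe": ("system32",),
    "explorer.exe": ("",),
}


def normalize(path):
    # ntpath accepts "/" and "\" as separators and resolves "..", so the mixed
    # form quoted in the thread (C:\WINDOWS/svchost.exe) compares cleanly.
    return ntpath.normcase(ntpath.normpath(path))


def location_ok(image_path, system_root=r"C:\WINDOWS"):
    """True/False for tracked names, None for names this check does not cover."""
    directory, name = ntpath.split(normalize(image_path))
    subdirs = EXPECTED_SUBDIRS.get(name)
    if subdirs is None:
        return None
    allowed = {normalize(ntpath.join(system_root, sub)) for sub in subdirs}
    return directory in allowed


def find_masquerading(processes, system_root=r"C:\WINDOWS"):
    """Return (pid, path) pairs whose name is a system binary in the wrong place."""
    return [(pid, path) for pid, path in processes
            if location_ok(path, system_root) is False]


# Constructed sample data: PIDs and paths are made up for this example.
SAMPLE_PROCESSES = [
    (812, r"C:\WINDOWS\System32\svchost.exe"),
    (1044, r"c:\windows\system32\SVCHOST.EXE"),
    (1500, r"C:\WINDOWS\explorer.exe"),
    (2216, r"C:\WINDOWS/svchost.exe"),
    (2790, r"C:\WINDOWS\System32\..\svchost.exe"),
    (3020, r"C:\Temp\lsass.exe"),
    (3300, r"C:\Program Files\Example\burner.exe"),
]

if __name__ == "__main__":
    for pid, path in find_masquerading(SAMPLE_PROCESSES):
        print(f"PID {pid}: {path} is outside its expected directory")
```

A path mismatch is a reason to look closer (file signature, hash lookup, a second scanner), not proof of infection on its own.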
 
