MSAS "exploded"-is it safe?

Boggled

Please help. I need an antispyware program but am afraid
to reload MSAS without some advice on what may have
happened.

Running on XPPro, SP2. C:\Program files\Microsoft
Antispyware blew up to 100,900 files using 11.9GB.
Attempts to delete through XP crashed. Finally able to
empty folder at DOS prompt. Should I dare try to
reinstall?

History: Successful use of antispyware until end of May.
Followed MS instructions to upgrade. Upgrade failed
(Error 101) and delete and reinstall also failed. BUT, no
evidence of spyware activity--sort of like antispyware
was still working.

Norton anti-virus program taking more and more runtime
over last two months--focused on "deactivated spyware"
files. Decided I had to fix and followed procedures again
yesterday to uninstall and reinstall--cleaned out all
temp files first. Error 101 again on run.

Uninstalled again through add/remove programs, then
looked at antispyware folder (would not open, could only
see through right click on "properties")--11.9GB, 100,900
files. Got it all off the disk now, BUT WHAT happened?
And is this monster blowup likely to happen again if I
try to reinstall.

Really liked the old antispyware--so much better than
spybot, but afraid to have the new one take over my disk
again without allowing me even to run it. Anybody else
have experience with, knowledge about MS Antispyware
playing the role of the Tomato that ate Cleveland?
 
Bill Sanderson

Boggled said:
Please help. I need an antispyware program but am afraid
to reload MSAS without some advice on what may have
happened.

Running on XPPro, SP2. C:\Program files\Microsoft
Antispyware blew up to 100,900 files using 11.9GB.
Attempts to delete through XP crashed. Finally able to
empty folder at DOS prompt. Should I dare try to
reinstall?

I know of two issues that might cause this kind of experience, and one of
them only very peripherally, I'm afraid.

1) in older builds, the Errors.log file could balloon (under NTFS) to 4 gigs.
This is capped at a much smaller number in current builds--be sure you are
on .615--see Help, about.

.615 is available here:

http://www.microsoft.com/downloads/...A2-6A57-4C57-A8BD-DBF62EDA9671&displaylang=en

2) I've seen multiple reports here of large numbers of files being alerted
to and stored in "Deactivated items" and perhaps in other subdirectories of
the installation directory for Microsoft Antispyware--I don't have a clear
understanding of what is happening here, but an accumulation of thousands of
such items sounds very much like a trojan in place continually attempting to
reinstall, and being either quarantined or stored in the "deactivated items"
storage.

I've never seen this first hand, and don't have a clear understanding of
what sort of item is involved in this phenomenon--I can just recall having
seen several users complaining of large numbers of files being involved.

I am assuming that you are not a P2P user and would have noticed if your
music collection had disappeared into Quarantine and caused this issue.
 
Boggled

Okay, Bill, thanks much. Your comments really help,
because after I installed MSAS back in Jan, I was being
alerted every few minutes that a trojan was "knocking".
It was so annoying that I turned off the active
notification. However, makes sense that the attempts
continued; I just wasn't alerted to them.

Now, perhaps you know how I can run an automatic delete
on the "deactivated items" folder? Or is that something
I'd need to clean out manually?

Why doesn't the program uninstall clean out all the
files? From what I saw, it didn't do much more than omit
MSAS from the startup menu.

Could this, that is, the abundance of deactivated items,
explain why I got an "error 101" when I tried to do the
upgrade?
 
Bill Sanderson

Boggled said:
Okay, Bill, thanks much. Your comments really help,
because after I installed MSAS back in Jan, I was being
alerted every few minutes that a trojan was "knocking".
It was so annoying that I turned off the active
notification. However, makes sense that the attempts
continued; I just wasn't alerted to them.

Now, perhaps you know how I can run an automatic delete
on the "deactivated items" folder? Or is that something
I'd need to clean out manually?

Why doesn't the program uninstall clean out all the
files? From what I saw, it didn't do much more than omit
MSAS from the startup menu.

Could this, that is, the abundance of deactivated items,
explain why I got an "error 101" when I tried to do the
upgrade?

I always thought it was the eggplant that ate Chicago?

I don't think the Error 101 is related--that seems to relate to permissions
issues and multiple users--I don't have a clear understanding of it at all.

I gather you were able to get by that and uninstall, though?

The uninstall is intentionally incomplete, I believe--I think it leaves
enough stuff around so that you can uninstall then reinstall (perhaps a
newer version) and still have access to Quarantine, for example. I've never
investigated just HOW incomplete it is, though.

If you don't blow away at least the .GCD files from the installation folder,
I think you'd be doomed to repeat your experience, as your settings would be
retained.

I think key for you will be to really get rid of whatever this critter is
that was causing the constant alerts. Maybe, with luck, the newer product
code and newer definitions can do the job properly this time. Try
reinstalling, updating both antispyware defs and antivirus defs, restarting
in safe mode, and doing scans with both antispyware and antivirus until both
come through clean.

If that fails--let us know as much detail about what is causing the alerts
as you can spot--folks here can probably suggest other ways to get it
cleaned.
 
Boggled

Well, reinstalled, and no Error 101 problem. Working
away. Guess the complete wipeout of files last night
cleared the path.

BUT, big BUT...am being continuously hit by something
called svchost. AND, I can open Windows Explorer and
watch the deactivated items folder filling up--a new file
about every 10 seconds. 138 files only a few minutes
after activating MSAS. I can delete them all and they
just keep coming. I was wrong about the Tomato
(Eggplant?) that ate Cleveland. It's the friggin'
Sorcerer's Apprentice. In a couple weeks, half my machine
may be gone again. HOW do I stop this? HOW do I get the
MS techies attention? Any ideas?
 
Mikolaj

BUT, big BUT...am being continuously hit by something
called svchost. AND, I can open Windows Explorer and
watch the deactivated items folder filling up--a new file
about every 10 seconds. 138 files only a few minutes
after activating MSAS. I can delete them all and they
just keep coming. I was wrong about the Tomato
(Eggplant?) that ate Cleveland. It's the friggin'
Sorcerer's Apprentice. In a couple weeks, half my machine
may be gone again. HOW do I stop this? HOW do I get the
MS techies attention? Any ideas?

In which folder is that svchost file? There is only one proper svchost.exe
file, that resides in \windows\system32 folder. Any other path means
possible malware or trojan threat (of course this file can be infected,
too).
This means you should really check your system for viruses, trojans and
other malware. These apps should be helpful:

Spybot Search&Destroy http://www.spybot.info/en/index.html

HijackThis http://www.tomcoyote.org/hjt/

CWShredder http://www.majorgeeks.com/download3019.html

Ad-Aware SE Personal http://www.lavasoft.com/software/adaware/

McAfee Stinger http://vil.nai.com/vil/stinger/

If you run HijackThis, you can check the log it prepares - just copy and
paste it to the http://www.hijackthis.de web page and click analyze button.

If you need a free antivirus, try this one for example
http://www.free-av.com

And do the scanning and cleaning in the Safe mode (F8 during bootup) - this
provides more chance of success.
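Mikolaj's check above (a genuine svchost.exe lives only in \windows\system32) can be scripted. This is an added example, not code from the thread or from any of the tools listed: it walks a Windows folder, flags every svchost.exe outside System32, and records whether the stray file is byte-identical to the System32 copy. The demo folder tree with placeholder file contents is constructed here so the script runs offline.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def find_svchost_copies(system_root: Path) -> list:
    """Walk the Windows folder and report every svchost.exe that is not
    the copy in System32. Each finding records whether the stray file is
    byte-identical to the System32 copy: an identical file is still in the
    wrong place, a different one is a different binary altogether."""
    legit = system_root / "System32" / "svchost.exe"
    legit_hash = _sha256(legit) if legit.is_file() else None
    findings = []
    for dirpath, _dirs, files in os.walk(system_root):
        for name in files:
            if name.lower() != "svchost.exe":   # Windows names are case-insensitive
                continue
            candidate = Path(dirpath) / name
            if candidate.resolve() == legit.resolve():
                continue
            findings.append({
                "path": str(candidate),
                "same_as_system32": legit_hash is not None
                and _sha256(candidate) == legit_hash,
            })
    return findings


def build_demo_tree() -> Path:
    """Constructed sample layout mirroring the thread: the genuine copy in
    System32 plus a stray svchost.exe directly in the Windows folder.
    The file contents are placeholders, not real executables."""
    root = Path(tempfile.mkdtemp()) / "windows"
    (root / "System32").mkdir(parents=True)
    (root / "System32" / "svchost.exe").write_bytes(b"placeholder: genuine service host")
    (root / "System32" / "notepad.exe").write_bytes(b"placeholder: unrelated file")
    (root / "svchost.exe").write_bytes(b"placeholder: unknown binary")
    return root


if __name__ == "__main__":
    for finding in find_svchost_copies(build_demo_tree()):
        print(finding)   # prints the stray copy with same_as_system32 False
```

On a real machine point find_svchost_copies at the actual Windows folder; a hit with same_as_system32 True is a misplaced copy, a hit with False deserves a closer look with the scanners above.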
 
Bill Sanderson

You've got a worm in place.

Easiest way to get the MS techies attention is to call them on the 'phone.

If you are in the U.S. or Canada, call 1-866-pcsafety.

If elsewhere, call the local Microsoft office or number for paid support.
Ask for the free support for virus removal or security patch problems.

Describe what you are seeing, and they should be able to get this sorted out
immediately--this is not something new or esoteric.

Boggled

Another interesting day. I decided to take some of
Mikolaj's advice before spending hours hanging on the
phone for support. Ran my Norton Antivirus in safe mode--
nothing. Then tried MSAS in safe mode--wonder of
wonders, "Error 101".

Thought I'd have lost MSAS again when I rebooted to
normal mode, but surprise, it would still load, but
differently. Each time I open it, it wants to do an
initial setup, AND, no matter what I tell it (through the
setup procedure or through Options "Settings"), it won't
retain the instructions to allow automatic updates or to
turn off the alerts. So the only way I can avoid the
every-ten-second alerts now is to shut off MSAS.

Thought you guys might want to know today's followup. I
really appreciate your input, thanks, but I guess it's
the long wait on the phone for a tech coming up next.

Oh, for Mikolaj, I have 2 copies of svchost.exe, one in
windows/system32 and one in windows/. It's the one in
windows that my steady visitor keeps trying to hit. Virus
programs say the file's clean, though, and from its
accompanying .txt file, I gather it was created last year
when I upgraded to SP2.

Not sure I'll be able to go further on this fix--vacation
coming next week, but if you're interested, I'll post the
results from whatever I get from tech support.

Again, thanks for your insights and efforts. Anne
 
Mikolaj

Oh, for Mikolaj, I have 2 copies of svchost.exe, one in
windows/system32 and one in windows/. It's the one in
windows that my steady visitor keeps trying to hit. Virus
programs say the file's clean, though, and from its
accompanying .txt file, I gather it was created last year
when I upgraded to SP2.

Not sure I'll be able to go further on this fix--vacation
coming next week, but if you're interested, I'll post the
results from whatever I get from tech support.

Again, thanks for your insights and efforts. Anne

Hi again :)

I am sure that SP2 does not create the svchost.exe file in the \windows\
folder - I assume this one is a malware or virus/trojan origin, not a system
one.

If you are able to, run the Recovery Console (
http://support.microsoft.com/default.aspx?scid=kb;en-us;314058 ) and go to
\windows\ folder. Then delete or (more safely) rename the svchost.exe (ONLY
THIS ONE IN \WINDOWS\ FOLDER!!) to svchost.ex_
Then restart the computer and try to scan and clean it again (in safe mode
if it won't work in normal mode).

And of course, please inform us about the progress :)
 
Bill Sanderson

Might even try creating a svchost.exe FOLDER in \windows.

Could cause false alerts, not sure, but it should also help keep that
critter from coming back.
(hmm - no alerts here--seems to be OK)
Boggled

Hi guys--not sure if you'll check back this far given all
the other exciting stuff I see has been happening while I
vacationed, but just in case...situation the same here
after another full cleanup and reinstall. Appreciated
your further suggestion, M, but I think you may have
forgotten that I am not able to run MSAS in safe mode--
error 101 every time even though I eliminated that
problem in regular mode.

Frankly, after scanning through the postings here and in
the General and Announcements folders during my absence,
I'm getting the picture that version 2 beta is a p o s.
I'll keep it installed to run a manual scan periodically,
but not resident since I can't turn off the alerts on the
continuous svchost hits I get (or get auto updates
anymore). Regarding the file buildups from when I do have
it turned on, guess I can go out and delete them once a
week to avoid a near crash like before when my hard drive
was nearly filled. Pain in the butt, but seemingly easier
than pursuing the phantom fix. If I have a worm, there's
nothing out there that seems to find it, at least not
mcafee virus, MSAS or spybot. There are only two
malwares, found every time by MSAS, in my registry--
Huntbar and Favorite Man. Can't keep 'em out. Wonder if
one of these could be the source of the problem. But
hey, sick of wondering about this, so will just grit
teeth and wait for the future beta enhancement. Thanks
guys. Please let me know if you get to see this.
 
Mikolaj

Hi guys--not sure if you'll check back this far given all
the other exciting stuff I see has been happening while I
vacationed, but just in case...situation the same here
after another full cleanup and reinstall. Appreciated
your further suggestion, M, but I think you may have
forgotten that I am not able to run MSAS in safe mode--
error 101 every time even though I eliminated that
problem in regular mode.

I have mentioned the Safe Mode especially for renaming/deleting this
svchost.exe file in \windows\ folder. If you do that, just scan in normal
mode, if the safe mode is still problematic.
However, if you are unable to start the system in safe mode, then try to
boot your computer from Windows installation CD, choose to start Recovery
Console, go to \windows\ folder and rename the svchost.exe to svchost.ex_
(using such command:
ren svchost.exe svchost.ex_ ).
Then start it normally and once again scan and check whether you still have
these bombing alerts. And whether the MSAS folder still grows rapidly.

Frankly, after scanning through the postings here and in
the General and Announcements folders during my absence,
I'm getting the picture that version 2 beta is a p o s.
I'll keep it installed to run a manual scan periodically,
but not resident since I can't turn off the alerts on the
continuous svchost hits I get (or get auto updates
anymore). Regarding the file buildups from when I do have
it turned on, guess I can go out and delete them once a
week to avoid a near crash like before when my hard drive
was nearly filled. Pain in the butt, but seemingly easier
than pursuing the phantom fix. If I have a worm, there's
nothing out there that seems to find it, at least not
mcafee virus, MSAS or spybot. There are only two
malwares, found every time by MSAS, in my registry--
Huntbar and Favorite Man. Can't keep 'em out. Wonder if
one of these could be the source of the problem. But
hey, sick of wondering about this, so will just grit
teeth and wait for the future beta enhancement. Thanks
guys. Please let me know if you get to see this.

As you see I have read this ;-)
 
Boggled

Hey, thanks again for your efforts.

-----Original Message-----

I have mentioned the Safe Mode especially for renaming/deleting this
svchost.exe file in \windows\ folder. If you do that, just scan in normal
mode, if the safe mode is still problematic.
However, if you are unable to start the system in safe mode, then try to
boot your computer from Windows installation CD, choose to start Recovery
Console, go to \windows\ folder and rename the svchost.exe to svchost.ex_
(using such command:
ren svchost.exe svchost.ex_ ).
Then start it normally and once again scan and check whether you still have
these bombing alerts. And whether the MSAS folder still grows rapidly.

As you see I have read this ;-)

Kind regards
Mikolaj Kaminski
MS-MVP, Poland
 
Bill Sanderson

Check this group for a message today from Kevan Brown, who believes he has a
solution to the error 101 issue. It is possible his findings may help you
out, but I'm not sure.

You might just want to make a new post from scratch to remind us all what's
happening--might catch some new minds who haven't looked at it before.
Beta2 will be out this year, but there's no predicting how soon. It'd be
good to get rid of the two infections you seem to have--maybe with some
other products--have you tried an online scanner?

http://housecall.trendmicro.com targets spyware as well as viruses.
