Norton pop up message "auto protect blocked security risk downloader"

Looking at the history, Norton tells me it's been removed, not quarantined, removed.

If so, why does the pop up continue?

Here are screen shots of the issue.

downloader.jpg

downloader2.jpg

This started the issue yesterday at 5pm

"Statistical Submission downloader"

statsub.jpg

If you have not done so, clear out your browser cache and history / temporary files.  This has been blocked so no damage done but the source may be hiding in the files mentioned above.

Thank you, dbrisendine. Done! Pop up is still popping - it's been at it since 5pm yesterday.

Patricia

Well, that is just not satisfactory then; let's clean that out.

Please download MalwareBytes' AntiMalware from this LINK. Choose the free version as this does not have a real time scanner that will interfere with Norton products. Install the program and update the definitions.

Boot into Safe Mode:
Start your system and tap the F8 key until the Advanced Options Menu appears. Using the arrow keys, select Safe Mode (no networking or command prompt) and press ENTER.

Once Safe Mode is loaded, run a full scan with MBAM. Have the program fix / delete whatever it finds and make a log file. Please post the log file contents back here for review.

Since you are able to restore it or delete it, it may also be sitting in quarantine.  You can check your quarantine in the history menu, and delete it.

Hi

There is a legit "vshost.exe" that belongs to Visual Studio

but there is also an Autorun malware that attempts to create "vshost.exe". So this could be what you have: every time the file is created, Norton takes it again and again and again...

Quads

Thanks to each of you that shared your 2 cents. I followed dbrisendine's instructions and no more pop ups plus the malware software quarantined some trojans. Here's the log.

Malwarebytes' Anti-Malware 1.37
Database version: 2182
Windows 5.1.2600 Service Pack 3

6/17/2009 6:40:03 AM
mbam-log-2009-06-17 (06-40-03).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 316766
Time elapsed: 2 hour(s), 2 minute(s), 34 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\urlsearchhook.toolbarurlsearchhook (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\urlsearchhook.toolbarurlsearchhook.1 (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\documents and settings\Owner\my documents\emerald passport\team-allstars\pageswirl\MasterWebGraphics.exe (Trojan.Agent) -> Quarantined and deleted successfully.
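
Added example, not part of the original thread or any poster's own code: a small Python check a helper could run over a posted MBAM 1.x log to confirm that the summary counts match the itemised detections and that every item was actually removed. The sample log is constructed in the layout of the log above, and treating "successfully" in the action text as the marker of a remediated item is an assumption based on that log.

```python
import re

# Constructed sample in the layout of the MBAM 1.37 log posted above
# (paths and the "No action taken." entry are made up for illustration).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.37

Registry Keys Infected: 1
Files Infected: 2

Registry Keys Infected:
HKEY_CLASSES_ROOT\example.toolbarhook (Trojan.BHO) -> Quarantined and deleted successfully.

Files Infected:
c:\example\sample one.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\example\sample2.dll (Trojan.Agent) -> No action taken.
"""

SUMMARY = re.compile(r"^(.+ Infected): (\d+)$")   # "Files Infected: 2"
SECTION = re.compile(r"^(.+ Infected):$")         # "Files Infected:"
ITEM = re.compile(r"^(.+) \(([^()]+)\) -> (.+)$")  # "object (name) -> action"

def parse_mbam_log(text):
    """Return (summary counts, itemised detections), both keyed by category."""
    counts, items, current = {}, {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := SUMMARY.match(line):
            counts[m.group(1)] = int(m.group(2))
        elif m := SECTION.match(line):
            current = m.group(1)
            items.setdefault(current, [])
        elif current and (m := ITEM.match(line)):
            items[current].append(m.groups())  # (object, detection, action)
    return counts, items

def review(text):
    """List what a helper should query before calling the machine clean."""
    counts, items = parse_mbam_log(text)
    findings = []
    for category, n in counts.items():
        found = len(items.get(category, []))
        if found != n:  # truncated or hand-edited paste
            findings.append(f"{category}: summary says {n}, log lists {found}")
    for category, rows in items.items():
        for obj, detection, action in rows:
            if "successfully" not in action:  # assumption: marks remediation
                findings.append(f"{obj} ({detection}) not removed: {action}")
    return findings

print("\n".join(review(SAMPLE_LOG)))
```
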
 

I am glad this has worked out for you; in our haste to help you, some basics seem to have been overlooked that I would like to follow up on. What type and version of a Norton product are you using? I was a little worried when we finally saw your screen shot as I did not immediately recognize the version.

Also, I would run Live Update manually until it states that there are no more updates for your Norton product. Then, run a full system scan to see if anything else was hiding "behind the Trojan".

If you need anything else, come back and post anytime.

Good idea - as far as I know, it's Norton Antivirus - I bought it on a disc - it's 2009 issue and I plugged into the live Symantec site. But, I did have a problem early on with live updates. So, I'll go run the full scan and report back.

Thanks again,

Patricia

Can you check the version please? It is located in the Help & Support menu on the main screen under Version and should be listed as 16.xx.xx.xxx. Thanks; I just wanted to check that you are on the latest updated build.

15.0.0.58

I have 301 days to go on the acct.

Does it say Norton AntiVirus Tech Center Edition on the main screen?

Here's the first page:

home-norton.jpg

2nd page:

norton-antivirus.jpg

Help & Support 1st page

welcome.jpg

Help & Support 2nd page

aboutnorton.jpg

Help & Support 3rd page

norton2.jpg

Hope this helps you - I can't find what you describe.

Patricia

Hi Patwin:

You found what we needed. You have NAV 2008. Are you using anything else for a firewall?

The CD says Norton Antivirus 2009 System Builder Edition

Where do I go to get the right edition?

I have the Windows XP operating system firewall

Also, I don't think the full scan got the bug

Following is the history:

downloader.jpg

downloader2.jpg

mwsnap.jpg

quicktime.jpg

I don't know what quicktime is doing - I rarely use it.

I use MWSnap to take these screen shots

Should I click the remove on the tab - does that remove the file???

Patricia

Hi

Looks like, by the first lot of screenshots and the last lot, that you have "PSW-Stealer.wow.bhc"

As shown by ...............\system32\vshost.exe and ...................\system32\tempvshost.exe

System32 in this case is its working directory. The data being blocked etc. will be your personal data from being taken.

Do you have in the System 32 folder 2 files, one starting with "yr" and "aepa"?

Quads

Where do I find the System 32 folder?

Sorry, I've never seen the version numbers on the Systembuilder version before. Always something new.

Go to "My Computer">C drive if that is your operating drive>Windows>system32.

Did a search - found the System 32 that says can't access - clicked the link, had a lot of stuff in it and there is an

aepa-

file:///C:/WINDOWS/system32/aepa-872d09e4-215d-4d6a-b056-515b9c76f5a8.dll

dated 4-9-2009

 

 


I am trying to think of a way around this.

What happens if you click on "My Computer" then the HD drive (C:\)??

Quads