AntiSpyware Notice


Mike Goss

I am constantly (every 5 - 10 seconds) getting a Microsoft
AntiSpyware Notice popping up in the lower right corner of
the window.

Usually, while it is there, I cannot type into a form or
document while it is up. Sometimes I can type. There does
not seem to be a pattern when it interferes and when it
does not.

It has taken me about ten minutes to type this message,
because of the interference.

The message tells me that "C:\WINDOWS\svchost.exe" has been
blocked. It is named "An Application Change has been Blocked".

Can this be shut down?
 
Don't really think you want to stop this from coming up.
SVCHost is a common process used by Windows. If it is
corrupted, you will have a hard time removing it. Run a
virus scan and anti-spyware scan in safe mode. There may
be a trojan trying to download something to your computer.
 
I agree with the other responder--this is not a normal occurrence.

There is a normal Windows file, svchost.exe, but the message you are seeing
is not from its normal location.

You may wish to see if you can browse to c:\windows\svchost.exe and send the
file to these two antivirus reporting locations for an opinion:

http://www.virustotal.com/flash/index_en.html (virustotal--see link in upper
right)
http://virusscan.jotti.org/

The file may be hidden, system, read-only.

Symantec references this file as part of at least two different viruses:

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.dewin.html
http://securityresponse.symantec.com/avcenter/venc/data/pwsteal.tarno.html
--but there are other possibilities as well.

Update your antivirus definitions, reboot to safe mode, and scan with both
the antivirus and with Microsoft Antispyware, doing full scans, and repeat
until both scans come through clean.
 
Elaborating upon what Bill wrote -

The legitimate svchost.exe lives at
%systemroot%\system32\svchost.exe
(typically c:\windows\system32\svchost.exe)

Should Bill's suggestion about scanning in safe mode fail to clear this
problem, try renaming the file while you're in SAFE MODE.

Should that fail, check back for additional steps.
 
Good catch! I had an interesting critter--adware, rather than virus, as I
recall on a machine last week.

At a cmd prompt, the filename was l?ass.exe

Viewed in Windows, via Explorer, it was Lsass.exe with the appropriate icon
and all of the real thing, but in a different location. I didn't dig deeper
to see just what character set they were using that achieved that effect.
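
The two checks raised in the replies above (a core Windows binary running from outside its expected folder, and a file name that shows as l?ass.exe at a cmd prompt), written out as an added example that is not part of the original thread. The name table, the default C:\Windows root and the sample paths are assumptions constructed for illustration.

```python
import ntpath

# Assumption: default system root; on a live host read %SystemRoot% instead.
SYSTEM32 = r"c:\windows\system32"
SYSWOW64 = r"c:\windows\syswow64"  # 32-bit copies on 64-bit Windows

# Illustrative table (not exhaustive): binary name -> folders it may run from.
EXPECTED = {
    "svchost.exe": {SYSTEM32, SYSWOW64},
    "lsass.exe": {SYSTEM32},
    "winlogon.exe": {SYSTEM32},
}

def masks_as(name):
    """Return the protected name that `name` imitates with non-ASCII
    characters, or None. Every non-ASCII character is treated as a wildcard,
    mirroring the 'l?ass.exe' rendering seen at the cmd prompt."""
    lowered = name.lower()
    if lowered.isascii():
        return None
    for target in EXPECTED:
        if len(target) == len(lowered) and all(
            not c.isascii() or c == t for c, t in zip(lowered, target)
        ):
            return target
    return None

def classify(path):
    """Classify one image path as 'ok', 'wrong-location' or 'lookalike-name'."""
    folder, name = ntpath.split(path)
    if masks_as(name):
        return "lookalike-name"
    allowed = EXPECTED.get(name.lower())
    if allowed is not None and ntpath.normpath(folder).lower() not in allowed:
        return "wrong-location"
    return "ok"

# Constructed sample paths (not taken from any real machine).
SAMPLE = [
    r"C:\Windows\System32\svchost.exe",
    r"C:\WINDOWS\svchost.exe",                # the path named in the notice
    "C:\\Program Files\\Common\\L\u0455ass.exe",  # U+0455 in place of 's'
]

def scan(paths):
    """Return (path, verdict) for every path that is not 'ok'."""
    return [(p, v) for p in paths if (v := classify(p)) != "ok"]

if __name__ == "__main__":
    for path, verdict in scan(SAMPLE):
        print(verdict, ascii(path))
```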
 
Hi Bill,

Do you read Robert Hensing's Incident Response WebLog?

http://weblogs.asp.net/robert_hensing/archive/2005/01/17/354471.aspx
Advanced hiding techniques: The mystery of the trojaned Winlogon.exe

http://weblogs.asp.net/robert_hensing/archive/2005/01/14/353156.aspx
More miscreant hiding techniques and some interesting observations on
the Hacker Defender rootkit . . .

http://weblogs.asp.net/robert_hensing/archive/2005/01/10/350359.aspx
Miscreant hiding techniques: Would the real explorer.exe please stand
up? And the relevance of 1979 when doing searches . . .
 
I do now! Thanks. I believe I've actually heard him speak in
person--fascinating stuff.
 