Have I blocked a Windows Service ?

[Kevin Bean]

According to my event log I have blocked a Windows service:
Extranet_serv.exe C:\Program Files\Nortel Networks\Extranet_serv.exe -
although I now cannot find this file !

There are no entries in the 'Blocked events' list.

Could AntiSpyware have removed the file from my system ?

Any help would be appreciated.

 

[Bill Sanderson]

Please check two more locations:

1) Tools, Spyware Scan, Manage Spyware Quarantine.

If that (and restoring from that) doesn't help, lets check:

2) %program files%\Microsoft Antispyware\cleaner.log
to see whether it is listed as having been deleted in a cleaner operation.

You may need to reinstall this third-party service--is it part of a VPN
client?

Can you post the text of the Event Log entry?

 

[Kevin Bean]

Bill,
I've just noticed a couple of other messages in these newsgroups
regarding VPN clients, I guess I may have the same problem, although there
is always the possibility that the problem is unrelated, however the entry
in the event log seems to indicate that AntiSpyware did something.

The quarantine list is empty, the cleaner.log is:

8/1/2005
21:04:58::------------------------------------------------------------------
8/1/2005 21:04:58::Initializing Clean - (ScanID:
8798118D-78D1-4524-854F-C2D0E0)
8/1/2005 21:04:58::Remove Threat (ID:7644)
8/1/2005 21:04:58::Clean Threat KCGame (ID:7644)
8/1/2005 21:05:00::Removing file c:\windows\system32\winsys.exe
8/1/2005 21:05:00:isable file c:\windows\system32\winsys.exe and
quarantine to C:\Program Files\Microsoft
AntiSpyware\Quarantine\FED767CB-4C30-4AA4-AC52-DDECF0\D1C7D251-80D6-4DC1-834B-C9F6D5
8/1/2005 21:05:00::Clean Threat KCGame (ID:7644) Complete
8/1/2005 21:05:00::Remove Threat (ID:7644) Complete
8/1/2005 21:05:00::Remove Threat (ID:5117)
8/1/2005 21:05:00::Clean Threat eZula.TopText (ID:5117)
8/1/2005 21:05:01::Clean Threat eZula.TopText (ID:5117) Complete
8/1/2005 21:05:01::Remove Threat (ID:5117) Complete
8/1/2005 21:05:01::Unititializing Clean
8/1/2005
21:05:01::------------------------------------------------------------------

(I was aware of ID: 7644 being on my PC, but not ID:5117)

The event log entry is:

Windows Services alert
Occured on: 12/1/2005 at 00:02:58

The user Kevin Bean, has decided to block the Windows service
Extranet_serv.exe C:\Program Files\Nortel Networks\Extranet_serv.exe from
being added.

About Windows Services: A Windows service is a process or set of processes
that adds functionality to Windows by providing support to other programs.
Windows services can run without any user interaction and load when the
computer starts prior to a user logging in.

I cannot remember blocking the service, although I may have.

I have tried uninstalling/reinstalling the VPN client, and also uninstalling
AntiSpyware, without success.

thanks for any help/advice you can supply.

 

[Bill Sanderson]

OK--I think the cleaner log looks like it did the right thing--I don't see
anything on the surface there that looks wrong.

The block is what breaks the vpn, I'm sure--and since it is a user action,
there must be a way to reverse that action--lets see:

If you go to Tools, Real Time Protection, View All Blocked Events--is this
event listed there--is there a way to reverse it?

I'm not sure whether this is something that was a one-time--i.e. if you run
it again you get another alert and can choose ignore always--or if it has
set a block which is semi-permanent--in which case it should be reversible.