AntiSpyware Notice

Mike Goss

I am constantly (every 5 - 10 seconds) getting a Microsoft
AntiSpyware Notice popping up in the lower right corner of
the window.

Usually, while it is there, I cannot type into a form or
document while it is up. Sometimes I can type. There does
not seem to be a pattern when it interferes and when it
does not.

It has taken me about ten minutes to type this message,
because of the interference.

The message tells me that "C:\WINDOWS\svchost.exe" has been
blocked. It is named "An Application Change has been Blocked".

Can this be shut down?
 
Guest

Don't really think you want to stop this from coming up.
SVCHost is a common process used by Windows. If it is
corrupted, you will have a hard time removing it. Run a
virus scan and anti-spyware scan in safe mode. There may
be a trojan trying to download something to your computer.
 
Bill Sanderson

I agree with the other responder--this is not a normal occurrence.

There is a normal Windows file, svchost.exe, but the message you are seeing
is not from its normal location.

You may wish to see if you can browse to c:\windows\svchost.exe and send the
file to these two antivirus reporting locations for an opinion:

http://www.virustotal.com/flash/index_en.html (virustotal--see link in upper
right)
http://virusscan.jotti.org/

The file may be hidden, system, read-only.

Symantec references this file as part of at least two different viruses:

http://securityresponse.symantec.com/avcenter/venc/data/backdoor.dewin.html
http://securityresponse.symantec.com/avcenter/venc/data/pwsteal.tarno.html
--but there are other possibilities as well.

Update your antivirus definitions, reboot to safe mode, and scan with both
the antivirus and with Microsoft Antispyware, doing full scans, and repeat
until both scans come through clean.
 
Bob Dietz

Elaborating upon what Bill wrote -

The legitimate svchost.exe lives at
%systemroot%\system32\svchost.exe
(typically c:\windows\system32\svchost.exe)

Should Bill's suggestion about scanning in safe mode fail to clear this
problem, try renaming the file while you're in SAFE MODE.

Should that fail, check back for additional steps.
 
Bill Sanderson

Good catch! I had an interesting critter--adware, rather than virus, as I
recall on a machine last week.

At a cmd prompt, the filename was l?ass.exe

Viewed in Windows, via Explorer, it was Lsass.exe with the appropriate icon
and all of the real thing, but in a different location. I didn't dig deeper
to see just what character set they were using that achieved that effect.
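
An added example, not part of the original thread: a Python check that flags the two things discussed above, a system binary name running from outside the system directories and a filename that only matches a system name once its non-ASCII characters are treated as wildcards. The protected-name list, the C:\Windows install path, and the sample paths are assumptions constructed for illustration.

```python
import ntpath

# Assumptions for this example: Windows is installed in C:\Windows, and these
# binaries (an illustrative, non-exhaustive list) run only from the system dirs.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
PROTECTED = ("lsass.exe", "services.exe", "svchost.exe", "winlogon.exe")


def masks_as(name, protected):
    """True if name equals protected once every non-ASCII character is
    treated as a wildcard, the way cmd displayed 'l?ass.exe'."""
    if len(name) != len(protected) or name.isascii():
        return False
    return all(not a.isascii() or a == b for a, b in zip(name, protected))


def check_image_path(path):
    """Return a finding string for a suspicious image path, else None."""
    folder, name = ntpath.split(path.lower())
    if name in PROTECTED:
        in_system_dir = ntpath.normpath(folder) in SYSTEM_DIRS
        return None if in_system_dir else "wrong-location"
    for target in PROTECTED:
        if masks_as(name, target):
            return "lookalike-name:" + target
    return None


def scan(paths):
    """Map each flagged path to its finding."""
    return {p: f for p in paths if (f := check_image_path(p))}


# Constructed sample input. U+0455 (Cyrillic 's' lookalike) is a stand-in; the
# thread does not say which character the real file used.
SAMPLE = [
    r"C:\WINDOWS\svchost.exe",
    r"C:\WINDOWS\system32\svchost.exe",
    "C:\\Program Files\\Common Files\\l\u0455ass.exe",
    r"C:\WINDOWS\system32\lsass.exe",
]

if __name__ == "__main__":
    for path, finding in scan(SAMPLE).items():
        print(finding, ascii(path))
```

A flagged path is a lead for the scans and file submissions suggested above, not proof of infection by itself.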
 
Bob Dietz

Hi Bill,

Do you read Robert Hensing's Incident Response WebLog?

http://weblogs.asp.net/robert_hensing/archive/2005/01/17/354471.aspx
Advanced hiding techniques: The mystery of the trojaned Winlogon.exe

http://weblogs.asp.net/robert_hensing/archive/2005/01/14/353156.aspx
More miscreant hiding techniques and some interesting observations on
the Hacker Defender rootkit . . .

http://weblogs.asp.net/robert_hensing/archive/2005/01/10/350359.aspx
Miscreant hiding techniques: Would the real explorer.exe please stand
up? And the relevance of 1979 when doing searches . . .
 
Bill Sanderson

I do now! Thanks. I believe I've actually heard him speak in
person--fascinating stuff.
 