I received an email with a link to a blogspot site that I thought was legitimate. Clicked on it and instantly realized my mistake. Opened several pages with fake virus software ads. Closed immediately and ran quick scan with both Symantec End Point and MalwareBytes. SEP found nothing, MB found a couple tracking cookies and deleted them. Rebooted into safe mode, and ran full scans with each. neither found anything. But started getting popups from SEP "Traffic has been blocked from this application (svchost.exe)". Logs show SEP blocking UDP packets attempting to be sent to 18.104.22.168 and TCP packets to ocsp.thawte.com, ocsp.verisign.com, ocsp.comodoca.com.
Ran quick scan with DrWeb-CureIt. And still nothing found. But still getting the popups. SEP also shows that C:\windows\system32\svchost.exe was setup as a block rule in Network Threat Protection application settings. I don't recall ever setting up that rule, and there are no other manual rules setup. Logs show that rule blocking svchost.exe about a half dozen times every minute or two.
Machine is running Windows 7 Home Premium x64
Edited by clforkn, 16 April 2011 - 02:47 PM.