Svchost being naughty: What do you think? [resolved]

For a while before I disabled Kerio Personal Firewall, I was getting the following warning multiple times when starting up:

Code:
[26/Sep/2008 04:07:55] "Hips" type = 'Code injection', action = 'denied', descr = 'Process C:\WINDOWS\system32\spoolsv.exe injected dangerous code into C:\WINDOWS\system32\svchost.exe (code address: 0x00406A67)

Having Kerio pause on this often caused one of my svchost processes to lock up. Terminating the process would fix it and it wouldn't come back until I restarted the computer.

I disabled Kerio a little while ago because of it bluescreening me consecutively, and a number of hours ago NOD32 picked this up:

Code:
Time: 9/29/2008 16:20:26 PM
Module : AMON
Object Name: file C:\WINDOWS\system32\dts12.exe
Threat: a variant of Win32/TrojanDropper.Agent.WZR trojan
Action: quarantined - deleted
User: NT AUTHORITY\SYSTEM
Information: Event occurred on a new file created by the application: C:\WINDOWS\System32\svchost.exe. The file was moved to quarantine.

Now I've cleared my cache(s) and cleaned up my registry with CCleaner, I've run Super Antispyware, Malwarebytes, Spybot, and Ad-Aware, but came up more or less empty handed. Seeing where the threat came from and the lack of being picked up by multiple scans, I don't think it's gone.

Any ideas?

Edit: I've seen a couple times where RPC has been as well, causing the system to restart if the auto shutdown sequence is not aborted in the command prompt. Not sure if it's part of the problem, but probably is.