Windows Security Center

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

dirtman1

Thread Starter
Joined
Oct 28, 2005
Messages
142
I've had a new laptop for 2 days and I just ran a Spybot scan and these results came up:

ISearchTech.PowerScan: Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-3576622776-1441969562-4161221951-1005\Software\IST

Windows Security Center.FirewallDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword:0

Windows Security Center.AntiVirusDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0

The most puzzling are the Windows reg keys. Does anyone know what they are or why they are appearing as spyware? Thanks (y)
 

dirtman1

Thread Starter
Joined
Oct 28, 2005
Messages
142
I have just run a Kaspersky online scan and it's come up with these results:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Saturday, December 31, 2005 20:08:47
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 31/12/2005
Kaspersky Anti-Virus database records: 158218
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 31882
Number of viruses found: 2
Number of infected objects: 5
Number of suspicious objects: 0
Duration of the scan process: 2653 sec

Infected Object Name - Virus Name
C:\Documents and Settings\mark\Local Settings\Temporary Internet Files\Content.IE5\1N3Z9LGE\ysb_prompt[1].htm Infected: Trojan-Downloader.JS.IstBar.j
C:\Documents and Settings\mark\Local Settings\Temporary Internet Files\Content.IE5\VMC7ZP01\ysb_prompt[1].htm Infected: Trojan-Downloader.JS.IstBar.j
C:\RECYCLER\S-1-5-21-3576622776-1441969562-4161221951-1005\Dc24.exe/stream/data0004 Infected: Trojan-Downloader.Win32.IstBar.nn
C:\RECYCLER\S-1-5-21-3576622776-1441969562-4161221951-1005\Dc24.exe/stream Infected: Trojan-Downloader.Win32.IstBar.nn
C:\RECYCLER\S-1-5-21-3576622776-1441969562-4161221951-1005\Dc24.exe Infected: Trojan-Downloader.Win32.IstBar.nn

Could someone take a look at these results and the post earlier please? Cheers (y)
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
120,216
Here is information on the two Security Center entries.

This is from Spybot Customer Support:

Since the Detections Update from July 25, 2005, Spybot - Search & Destroy 1.4 has been detecting Security Risks (renamed to "Windows Security Center" on July 30) associated with Microsoft Security Center Registry changes. This is neither a false positive nor a bug. It is just information.
Spybot-S&D only wants to bring to your attention that "someone" disabled one or more notifications in the Windows Security Center, e.g. the notifications that your virus protection is not active or not up-to-date. If you changed the settings yourself you can safely tell Spybot to exclude those detections from further scans.
In order to do so please right-click each in turn, then click "exclude this detection from future scans". That way, should any other part of security center settings change, Spybot will still detect those.
The same is true if you have another security solution installed (like McAfee Security Center or Norton Internet Security). These programs also disable the Windows Security Center in order to take care of things themselves. The reason why the changes are flagged by Spybot-S&D is that there are also malware programs that disable the notifications so the user doesn't take note of his security tools not being effective.

Please do the following:

Click here to download HJTsetup.exe
  • Save HJTsetup.exe to your desktop.
  • Double click on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
  • Click Save to save the log file and then the log will open in notepad.
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.
  • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
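The Spybot support text above explains why the two `Security Center` entries are flagged: a non-zero `FirewallDisableNotify` or `AntiVirusDisableNotify` silences Security Center's balloon warnings, which is what both third-party suites and malware do. The following is an added example, not Spybot's code, that parses a Spybot result list in the format posted in this thread and turns the Security Center hits into a defender's reading of each one. The sample text is constructed from the thread's own entries; the `UpdatesDisableNotify` value in the table is an assumption about the third sibling value on XP SP2 and does not appear in the thread.

```python
"""Parse a Spybot - Search & Destroy result list and interpret the Windows
Security Center entries it flags. Added example, not Spybot's own code."""
import re
from dataclasses import dataclass

# Constructed sample in the format Spybot prints; entries taken from this thread.
SAMPLE_SPYBOT_RESULTS = r"""
--- Search result list ---
ISearchTech.PowerScan: Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-3576622776-1441969562-4161221951-1005\Software\IST

Windows Security Center.FirewallDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword:0

Windows Security Center.AntiVirusDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0

Avenue A, Inc.: Tracking cookie (Internet Explorer: mark) (Cookie, nothing done)
""".strip()

# "Name: Category (Kind, Action)"; the category may itself contain parentheses.
HEADER_RE = re.compile(r"^(?P<name>.+?): (?P<category>.+) \((?P<kind>[^(),]+), (?P<action>[^()]+)\)$")
# "HKEY_...\Key" for a flagged key, "HKEY_...\Key\Value!=dword:0" for a changed value.
REG_RE = re.compile(r"^(?P<path>HKEY_[^!]+?)(?:!=(?P<expected>.+))?$")

SECURITY_CENTER_KEY = r"hkey_local_machine\software\microsoft\security center"
# Values under that key which silence Security Center balloon warnings
# (0 = warn, non-zero = stay quiet). UpdatesDisableNotify is assumed to be the
# third sibling value on XP SP2; the thread itself only shows the first two.
NOTIFY_VALUES = {
    "FirewallDisableNotify": "the firewall is off",
    "AntiVirusDisableNotify": "antivirus is missing or out of date",
    "UpdatesDisableNotify": "Automatic Updates is off",
}


@dataclass
class Detection:
    name: str            # e.g. "Windows Security Center.FirewallDisableNotify"
    category: str        # e.g. "Settings" or "Tracking cookie (Internet Explorer: mark)"
    kind: str            # "Registry key", "Registry change", "Cookie", ...
    action: str          # "nothing done"
    registry_key: str = ""
    value_name: str = ""
    expected: str = ""   # the value Spybot expected, e.g. "dword:0"


def parse_spybot_results(text: str) -> list[Detection]:
    """Turn the result list into Detection records, attaching registry details."""
    detections: list[Detection] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("---"):
            continue
        m = HEADER_RE.match(line)
        if m:
            detections.append(Detection(m["name"], m["category"], m["kind"], m["action"]))
            continue
        r = REG_RE.match(line)
        if r and detections:
            d = detections[-1]
            if d.kind == "Registry change":
                # "KEY\ValueName!=dword:0": split off the value name from the key path
                d.registry_key, _, d.value_name = r["path"].rpartition("\\")
                d.expected = r["expected"] or ""
            else:
                d.registry_key = r["path"]
    return detections


def security_center_findings(detections: list[Detection]) -> list[dict]:
    """Explain each Security Center notification value Spybot found changed."""
    findings = []
    for d in detections:
        if d.registry_key.lower() != SECURITY_CENTER_KEY or d.value_name not in NOTIFY_VALUES:
            continue
        findings.append({
            "value": d.value_name,
            "expected": d.expected,
            "effect": f"suppresses the warning that {NOTIFY_VALUES[d.value_name]}",
            "benign_if": "you changed it, or an installed suite (McAfee, Norton, ...) manages Security Center",
            "suspicious_if": "no such suite is installed and you did not change it",
        })
    return findings


if __name__ == "__main__":
    for f in security_center_findings(parse_spybot_results(SAMPLE_SPYBOT_RESULTS)):
        print(f"{f['value']} != {f['expected']}: {f['effect']}")
```

The parser keeps the key, value name and expected value separate so the same records can be compared against the list of security products actually installed (the HijackThis O23 lines later in this thread show which suites are present) before deciding whether a silenced warning is benign.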
 

dirtman1

Thread Starter
Joined
Oct 28, 2005
Messages
142
Cheers for responding Cookiegal, sorry for taking so long but the New Year and all that! Here's my HJT:

Logfile of HijackThis v1.99.1
Scan saved at 03:36:18, on 01/01/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe
C:\WINDOWS\System32\svchost.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\MadeSafe\Bin\Zanda.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\S3hotkey.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\MadeSafe\bin\NJEEVES.EXE
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\MadeSafe\Nvc\BIN\NVCSCHED.EXE
C:\MadeSafe\Nvc\BIN\nipsvc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\BitTornado\btdownloadgui.exe
C:\Program Files\BitTornado\btdownloadgui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
C:\PROGRA~1\McAfee.com\Agent\mcupdui.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\mark\My Documents\downloaded internet programs\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [S3hotkey] S3hotkey.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
O4 - HKLM\..\RunOnce: [vsoupd.dll] rundll32.exe advpack.dll,RegisterOCX c:\PROGRA~1\mcafee.com\vso\vsoupd.dll
O4 - HKLM\..\RunOnce: [mcvsescn.exe] c:\PROGRA~1\mcafee.com\vso\mcvsescn.exe -regserver
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BullGuard] "C:\Program Files\BullGuard Software\BullGuard\bullguard.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Stan James Poker.com Poker - {7F2F6F5A-CAE2-4954-A461-36B3757B2BFB} - C:\Program Files\stanjamesgibMPP\MPPoker.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O23 - Service: BullGuard LiveUpdate (BGLiveSvc) - BullGuard, Ltd. - C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\MadeSafe\Nvc\BIN\nipsvc.exe
O23 - Service: Norman NJeeves - Unknown owner - C:\MadeSafe\bin\NJEEVES.EXE
O23 - Service: Norman ZANDA - Unknown owner - C:\MadeSafe\Bin\Zanda.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\MadeSafe\Nvc\bin\nvcoas.exe
O23 - Service: Norman Virus Control Scheduler (NVCScheduler) - Norman Data Defense Systems - C:\MadeSafe\Nvc\BIN\NVCSCHED.EXE

(y)
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
120,216
Run this removal tool:

http://securityresponse.symantec.com/avcenter/FxIstbar.exe


Also, you appear to have three anti-virus programs. It is not good to have more than one as they will conflict with each other and cause problems. You should decide which one you want to keep and remove the others.


Run Spybot again and see if that entry is still detected.
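The advice above (three anti-virus products on one machine) is something that can be read straight off the O23 service lines of a HijackThis log. The following is an added example, not HijackThis's own code, that parses O23 and O2 lines in the v1.99.1 format shown in this thread, groups services by vendor, and reports when more than one antivirus vendor has services installed; it also lists BHOs registered with no default name, since that is the type of entry the Virtumundo tool later in the thread inspects by hand. The sample lines are taken from the posted log; the `AV_VENDORS` list and the vendor-name normalisation are assumptions made for this example.

```python
"""Triage a HijackThis log: count antivirus vendors behind O23 services and
flag unnamed O2 browser helper objects. Added example, not HijackThis code."""
import re
from collections import defaultdict

# Constructed sample: O2/O4/O23 lines in HijackThis v1.99.1 format, from this thread.
SAMPLE_HJT_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O23 - Service: BullGuard LiveUpdate (BGLiveSvc) - BullGuard, Ltd. - C:\Program Files\BullGuard Software\BullGuard\BullGuardUpdate.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - C:\MadeSafe\Nvc\BIN\nipsvc.exe
O23 - Service: Norman Virus Control on-access component (nvcoas) - Norman ASA - C:\MadeSafe\Nvc\bin\nvcoas.exe
""".strip()

O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) \((?P<short>[^()]+)\) - (?P<company>.+?) - (?P<path>.+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")

# Vendors whose services indicate a resident antivirus product. Assumption: a
# hand-picked list for this example, not an exhaustive catalogue.
AV_VENDORS = {"mcafee", "norman", "bullguard", "symantec", "norton", "kaspersky", "avg", "avast"}


def normalise_vendor(text: str) -> str:
    """'McAfee, Inc' -> 'mcafee'; 'McAfee.com McShield' -> 'mcafee' (first word, letters only)."""
    first = text.split()[0].split(".")[0]
    return re.sub(r"[^a-z]", "", first.lower())


def parse_services(log: str) -> list[dict]:
    """Extract O23 service records and attribute each to a vendor."""
    services = []
    for line in log.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        # HijackThis prints 'Unknown owner' when the binary carries no company
        # string; fall back to the display name so McShield still maps to McAfee.
        source = rec["display"] if rec["company"] == "Unknown owner" else rec["company"]
        rec["vendor"] = normalise_vendor(source)
        services.append(rec)
    return services


def services_by_vendor(log: str) -> dict:
    grouped = defaultdict(list)
    for s in parse_services(log):
        grouped[s["vendor"]].append(s["short"])
    return dict(grouped)


def antivirus_vendors(log: str) -> list[str]:
    """Distinct antivirus vendors that have at least one service installed."""
    return sorted(v for v in services_by_vendor(log) if v in AV_VENDORS)


def unnamed_bhos(log: str) -> list[dict]:
    """BHOs registered without a default name; the DLL path decides whether
    they are benign (here SDHelper.dll is Spybot's own helper)."""
    found = []
    for line in log.splitlines():
        m = O2_RE.match(line.strip())
        if m and m["name"] == "(no name)":
            found.append(m.groupdict())
    return found


def triage(log: str) -> list[str]:
    """Human-readable notes a helper would raise from the log."""
    notes = []
    av = antivirus_vendors(log)
    if len(av) > 1:
        notes.append(f"{len(av)} antivirus products have services installed ({', '.join(av)}); keep one")
    for bho in unnamed_bhos(log):
        notes.append(f"unnamed BHO {bho['clsid']} -> {bho['path']}: verify the DLL owner")
    return notes


if __name__ == "__main__":
    for note in triage(SAMPLE_HJT_LOG):
        print(note)
```

Attribution by company string alone would miss McShield and the Norman helpers (all reported as "Unknown owner"), which is why the display name is used as a fallback; on a real log the vendor list should be extended and the install directories checked as well.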
 

dirtman1

Thread Starter
Joined
Oct 28, 2005
Messages
142
Hi, here are the results of the latest Spybot scan. I've noticed there's a couple of WinFixer cookies; that's not the dreaded VX2 problem, is it?

--- Search result list ---
Windows Security Center.FirewallDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword:0

Windows Security Center.AntiVirusDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0

DoubleClick: Tracking cookie (Internet Explorer: mark) (Cookie, nothing done)


Winfixer: Tracking cookie (Internet Explorer: mark) (Cookie, nothing done)


Adviva: Tracking cookie (Internet Explorer: mark) (Cookie, nothing done)


MediaPlex: Tracking cookie (Internet Explorer: mark) (Cookie, nothing done)


Winfixer: Tracking cookie (Internet Explorer: mark) (Cookie, nothing done)


Advertising.com: Tracking cookie (Internet Explorer: mark) (Cookie, nothing done)


FastClick: Tracking cookie (Internet Explorer: mark) (Cookie, nothing done)


Avenue A, Inc.: Tracking cookie (Internet Explorer: mark) (Cookie, nothing done)


(y)
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
120,216
It is a variant but I don't see any signs of it in your log and you don't seem to have the symptoms.

As a precaution though, let's run this tool:


Adware-Virtumundo Removal Tool v1.2 (Associated with WinFixer Popups)

Note: This tool does not remove the WinFixer application. WinFixer alone does not cause popups or disrupt the system. If WinFixer was installed on your system because Adware or a Trojan Downloader installed it without your permission, please remove it using the Add/Remove Programs Control Panel Applet.

If Virtumundo is not found, the tool will exit showing the log file.
If Virtumundo is found it will do the following:

Version 1.1
  • Create a Date/Time Stamped log file (VBG.TXT) on the All Users profile's Desktop.
  • Kill Internet Explorer and Explorer processes.
  • Rename the infected files with a .vir extension (this is to disable them from being run).
  • Remove the Browser Helper Object registry key.
  • Add a registry value to block the file from running in Internet Explorer again.
  • Remove the Winlogon Notify registry key.
  • Automatically restart the computer (via STOP error).
Note: This is a BLUE SCREEN "Fatal Error" Message. It is normal and expected. The tool ends an important Windows Process that was protecting the file and NT Security STOPS the system as soon as it detects this is happening.

Version 1.2
  • Removed the instruction to Stop McShield.
  • Cleaned up some logging messages.
  • Added checking for BHOs with no default name. These entries will be checked to see if they are referenced to be started up with WinLogon. If so, the entry will be tagged as Virtumundo and removed.

VirusScan will now be able to remove the files normally when you run an on-demand scan.

Download Link -> http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe [76.2 KB]
MD5 SUM: a210c12a8264c024da5e0b05cb082a14

Then run your antivirus to remove any left-over files.

Post the report from this tool please.
 

dirtman1

Thread Starter
Joined
Oct 28, 2005
Messages
142
Just ran the Virtumundo tool you gave me and these are the results:


[01/02/2006, 21:35:33] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\mark\Desktop\VirtumundoBeGone.exe" )
[01/02/2006, 21:36:33] - User choose NOT to continue. Exiting...

[01/02/2006, 23:51:47] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\mark\Desktop\VirtumundoBeGone.exe" )
[01/02/2006, 23:51:58] - Detected System Information:
[01/02/2006, 23:51:58] - Windows Version: 5.1.2600, Service Pack 2
[01/02/2006, 23:51:58] - Current Username: mark (Admin)
[01/02/2006, 23:51:58] - Windows is in NORMAL mode.
[01/02/2006, 23:51:58] - Searching for Browser Helper Objects:
[01/02/2006, 23:51:58] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (AcroIEHlprObj Class)
[01/02/2006, 23:51:58] - BHO 2: {53707962-6F74-2D53-2644-206D7942484F} ()
[01/02/2006, 23:51:58] - WARNING: BHO has no default name. Checking for Winlogon reference.
[01/02/2006, 23:51:58] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[01/02/2006, 23:51:58] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[01/02/2006, 23:51:58] - BHO 3: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[01/02/2006, 23:51:59] - Finished Searching Browser Helper Objects
[01/02/2006, 23:51:59] - Finishing up...
[01/02/2006, 23:51:59] - Nothing found! Exiting...



:)
 

Cookiegal

Karen
Administrator
Malware Specialist Coordinator
Joined
Aug 27, 2003
Messages
120,216
Please run Spybot again and see if it detects anything.
 