Malware and disabled security center

 
  

azk
Posted: Mon Jun 19, 2006 8:11 pm    Post subject: Malware and disabled security center
Archived from groups: microsoft.public.windowsxp.security_admin

My daughter's computer (HP running WinXP Home SP2) has the same problem as
previously posted by another user. My daughter (who says she knew better)
clicked on a suspicious link in an AIM message she received, AIM went crazy,
and now Windows Security's firewall is disabled and auto update turned off,
with the ability to turn the firewall back on denied because of a group
control issue. The fix suggested by Bruce Chambers to the other poster to go
into group policy editor (start-run-gpedit.msc) would not work for me;
Windows said it could not find it. McAfee found no virus, Ad-Aware found no
malware, but Spybot found 6 entries that all relate to Windows Security
Center--it says it fixes them but the firewall problem remains and when I run
Spybot again it finds the same 6 entries. They are all registry changes;
they read as follows:

WindowsSecurityCenter.AntiVirusDisableNotify
settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0

WindowsSecurityCenter.AntiVirusOverride
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride!=dword:0

WindowsSecurityCenter.FirewallDisableNotify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword:0

WindowsSecurityCenter.SP2Update
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotAllowXPSP2!=dword:0

WindowsSecurityCenter.UpdateDisableNotify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify!=dword:0

Any help would be appreciated, as I just spent many hours getting rid of the
downloader-AWX Trojan that McAfee found but could not remove, and now this.

Signed,
A weary not-really-computer-savvy Mom who has better things to do. LOL
Ron Martell2
Posted: Mon Jun 19, 2006 8:37 pm    Post subject: Re: Malware and disabled security center

AZK <AZK RemoveThis @discussions.microsoft.com> wrote:

>My daughter's computer (HP running WinXP Home SP2) has the same problem as
>previously posted by another user. My daughter(who says she knew better)
>clicked on a suspicious link in an AIM message she received, AIM went crazy,
>and now Windows Security's firewall is disabled and auto update turned off,
>with the ability to turn the firewall back on denied because of a group
>control issue. The fix suggested by Bruce Chambers to the other poster to go
>into group policy editor (start-run-gpedit.msc) would not work for me,
>windows said it could not find it. McAfee found no virus, Ad-Aware found no
>malware, but Spybot found 6 entries that all relate to windows security
>center--it says it fixes them but the firewall problem remains and when I run
>Spybot again it finds the same 6 entries. They are all registry changes,
>they read as follows:
>

Try booting the computer into "Safe Mode with Networking" (so as to
minimize the interference by the Malware if possible) and then go to
one of the following free online scanner sites and see if they can
clean up the machine:
Bit Defender http://www.bitdefender.com/scan8/ie.html
Trend Micro http://housecall.trendmicro.com
Kaspersky Online Scanner http://www.kaspersky.com/virusscanner
Panda ActiveScan http://www.pandasoftware.com/activescan
WindowSecurity.com TrojanScan http://windowssecurity.com/trojanscan
Webroot http://www.webroot.com/

To boot the computer into "Safe Mode with Networking" turn it on and
start tapping the F8 key rapidly just as soon as the first information
of any kind shows on the screen. Keep tapping until the Windows XP
Startup menu appears and choose "Safe Mode with Networking" from the
menu.

Note: If the initial Windows XP startup "splash screen" shows instead
of the startup menu you have missed it and will have to restart and
try again. Either you did not start tapping the key soon enough
and/or you were tapping too slowly.

Good luck

Ron Martell Duncan B.C. Canada
--
Microsoft MVP (1997 - 2006)
On-Line Help Computer Service
http://onlinehelp.bc.ca

"Anyone who thinks that they are too small to make a difference
has never been in bed with a mosquito."
Panda_man
Posted: Mon Jun 19, 2006 10:26 pm    Post subject: RE: Malware and disabled security center

My reply is at the bottom of your message :

"AZK" wrote:

> My daughter's computer (HP running WinXP Home SP2) has the same problem as
> previously posted by another user. My daughter(who says she knew better)
> clicked on a suspicious link in an AIM message she received, AIM went crazy,
> and now Windows Security's firewall is disabled and auto update turned off,
> with the ability to turn the firewall back on denied because of a group
> control issue. The fix suggested by Bruce Chambers to the other poster to go
> into group policy editor (start-run-gpedit.msc) would not work for me,
> windows said it could not find it. McAfee found no virus, Ad-Aware found no
> malware, but Spybot found 6 entries that all relate to windows security
> center--it says it fixes them but the firewall problem remains and when I run
> Spybot again it finds the same 6 entries. They are all registry changes,
> they read as follows:
>
> WindowsSecurityCenter.AntiVirusDisableNotify
> settings
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0
>
> WindowsSecurityCenter.AntiVirusOverride
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride!=dword:0
>
> WindowsSecurityCenter.FirewallDisableNotify
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify!=dword:0
>
> WindowsSecurityCenter.SP2Update
> HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotAllowXPSP2!=dword:0
>
> WindowsSecurityCenter.UpdateDisableNotify
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify!=dword:0
>
> Any help would be appreciated, as I just spent many hours getting rid of the
> downloader-AWX Trojan that McAfee found but could not remove, and now this.
>
> Signed,
> A weary not-really-computer-savvy Mom who has better things to do. LOL

Relax first. You can't do anything if you are weird. Now, take a day off
work because this should be solved but it needs some time, some hours...

Perform carefully and strictly the "Check for and eliminate" instructions on
my site
http://pandaman.my.contact.bg
to kill that malicious software. In addition, at the bottom of the
instructions there is a link to the "Special clean" instructions which you
need to read.

When you are clean, make sure you visit all other sections and protect your
PC, and force your child to use a Limited account and things like that...


Panda_man
--
Bronze level Contributor
http://pandaman.my.contact.bg
Please, rate posts

Doug Knox MS-MVP
Posted: Mon Jun 19, 2006 11:43 pm    Post subject: Re: Malware and disabled security center

As an additional note, the Group Policy Editor (GPEDIT) does not exist in XP Home. And if you're having trouble getting into Safe Mode, boot normally. Then click Start, Run and enter MSCONFIG. Go to the BOOT.INI tab and check the /SAFEBOOT option. Reboot. This forces XP to boot into Safe Mode. Undo the change when you're finished.

--
Doug Knox, MS-MVP Windows Media Center\Windows Powered Smart Display\Security
Win 95/98/Me/XP Tweaks and Fixes
http://www.dougknox.com
--------------------------------
Per user Group Policy Restrictions for XP Home and XP Pro
http://www.dougknox.com/xp/utils/xp_securityconsole.htm
--------------------------------
Please reply only to the newsgroup so all may benefit.
Unsolicited e-mail is not answered.

azk
Posted: Tue Jun 20, 2006 2:50 pm    Post subject: RE: Malware and disabled security center

Thanks to all for the replies, I guess I have some work to do. If one of
these steps finds and removes the malware responsible, will the registry
settings go back to the way they should be or will I have to do it myself? I
know less about editing registry than I do about malware. Sigh.

Thanks again.
Dan_E
Posted: Thu Jun 22, 2006 2:00 pm    Post subject: RE: Malware and disabled security center

Ugh, same problem with me, I have been chasing this one for a week. This has
been the only place I have found the exact symptoms to my problem, however I
have not seen any posts from users who were able to correct the errors.

I will try the suggestions here and report back.

Steven L Umbach5
Posted: Thu Jun 22, 2006 4:39 pm    Post subject: Re: Malware and disabled security center

As for problems with the Windows Firewall and Windows Updates: log on as an
administrator and then use regedit to open the registry editor. Go to
HKEY_LOCAL_MACHINE\SOFTWARE\Policies, right click and select export.
Choose a name and save the key to a folder. Hopefully you will not need it
again, but it is best practice when messing with the registry to save the
existing configuration before making a change. Then go down to Microsoft,
select Windows Firewall, right click and select delete. Do the same for
Windows\WindowsUpdate. Then reboot your computer and see if that helps. I
HIGHLY recommend that, if at all possible, you do not allow other users to be
local administrators on your computer, and that you do not use your local
administrator account unless needed, as that malware or spyware needed
administrator access to make the changes that it did. The risk is particularly
high when using any internet application or opening email. --- Steve

http://www.microsoft.com/athome/security/protect/windowsxpsp2/Default.mspx
-- Protect Your PC tips

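The registry values Spybot flagged in the original post and the export-then-delete procedure in Steve's reply, combined into one audit script. This is an added example, not code from anyone in the thread; the -Remediate switch, the list of Security Center value names and the backup location are my own choices, and it must be run from an elevated PowerShell prompt.

```powershell
# Added example, not from the thread: find and (optionally) undo the Security
# Center and policy-key changes the thread describes. -Remediate is this
# script's own switch; without it the script only reports.
param([switch]$Remediate)

$scKey  = 'HKLM:\SOFTWARE\Microsoft\Security Center'
$scVals = 'AntiVirusDisableNotify', 'AntiVirusOverride',
          'FirewallDisableNotify', 'FirewallOverride', 'UpdatesDisableNotify'
# The two policy keys Steve's reply says to export and then delete. In the
# registry the firewall key is spelled WindowsFirewall, without a space.
$policyKeys = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall',
              'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

$findings = @()

# 1. Security Center: each *DisableNotify / *Override value should be 0 or absent.
#    A non-zero value silences the "firewall/antivirus/updates are off" warning,
#    which is what Spybot kept flagging in the original post.
if (Test-Path $scKey) {
    $props = Get-ItemProperty -Path $scKey
    foreach ($v in $scVals) {
        $val = $props.$v
        if ($null -ne $val -and $val -ne 0) {
            $findings += New-Object PSObject -Property @{
                Location = "$scKey\$v"; Value = $val; Expected = '0' }
        }
    }
}

# 2. Policy keys: a stand-alone home PC normally has nothing under these keys.
#    Any value here (EnableFirewall=0, DoNotAllowXPSP2=1, ...) is the "group
#    policy" lock-out the original poster hit. On a domain-joined machine they
#    may be legitimate and the domain will re-apply them after deletion.
foreach ($k in $policyKeys) {
    if (-not (Test-Path $k)) { continue }
    $keys = @(Get-Item -Path $k) + @(Get-ChildItem -Path $k -Recurse -ErrorAction SilentlyContinue)
    foreach ($sub in $keys) {
        foreach ($name in $sub.GetValueNames()) {
            $findings += New-Object PSObject -Property @{
                Location = "$($sub.Name)\$name"; Value = $sub.GetValue($name); Expected = '(absent)' }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'No Security Center or firewall/update policy tampering found.'
    return
}
$findings | Format-Table Location, Value, Expected -AutoSize
if (-not $Remediate) {
    Write-Host 'Re-run with -Remediate to back up the Policies key and undo the above.'
    return
}

# 3. Back up first, as Steve advises: export the whole Policies key with reg.exe.
#    No /y switch, so this also works on XP; the timestamp avoids overwriting.
$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup = Join-Path $env:TEMP "Policies-backup-$stamp.reg"
& reg.exe export 'HKLM\SOFTWARE\Policies' $backup | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Backup to $backup failed; registry left untouched." }
Write-Host "Backup written to $backup"

# 4. Reset the notification values that exist to 0 and delete the two policy keys.
foreach ($v in $scVals) {
    if ($null -ne (Get-ItemProperty -Path $scKey).$v) {
        Set-ItemProperty -Path $scKey -Name $v -Value 0 -Type DWord
    }
}
foreach ($k in $policyKeys) {
    if (Test-Path $k) { Remove-Item -Path $k -Recurse -Force }
}
Write-Host 'Done. Reboot, then run this script again without -Remediate to confirm.'
```

Run it once without -Remediate after the malware itself has been removed; if the findings come back after a reboot, something still running is re-applying them and the cleanup is not finished.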
glove
Posted: Mon Jun 25, 2007 9:33 pm    Post subject: Re: Malware and disabled security center

This is not necessarily bad. You get this message when Windows Automatic
Updates is turned off. Many people like me don't turn on the annoying
automatic updates for Windows.


--
glove

RobertOnline
Posted: Thu Sep 24, 2009 8:10 am    Post subject: Re: Malware and disabled security center

Well, to tell you the truth! I have had all sorts of "malware" ruining
Windows Server 2003!

Although I had all kinds of security precautions one could ever think
of, at the end the server was "nailed"!

After trying all kinds of malware utilities (and also purchased some of
them since they showed me possible solutions that could only be solved
by registration) most of the problems weren't solved.

The BEST SOLUTION that I came across, and I am sure it will LITERALLY
make your problems disappear, was Malwarebytes' Anti Malware.

The great thing about this software is that it will perform fixes
without any kind of purchase! The demo period is fully functional!

Malwarebytes' Anti Malware can be downloaded from:
http://www.malwarebytes.org/

I wish you *all* the best of luck!


--
RobertOnline

1PW
Posted: Thu Sep 24, 2009 8:10 am    Post subject: Re: Malware and disabled security center

RobertOnline wrote:
> Well, to tell you the truth! I have had all sorts of "malware" ruining
> Windows Server 2003!
>
> Although I had all kinds of security precautions one could ever think
> of, at the end the server was "nailed"!

Can you specifically detail how the server was protected from malware?

> After trying all kinds of malware utilities (and also purchased some of
> them since they showed me possible solutions that could only be solved
> by registration) most of the problems weren't solved.

I'm sure you mean antimalware utilities. But, which ones and
specifically, what were the problems?

> The BEST SOLUTION that I came across, and I am sure it will LITERALLY
> make your problems disappear, was Malwarebytes' Anti Malware.
>
> The great thing about this software is that it will perform fixes
> without any kind of purchase! The demo period is fully functional!
>
> Malwarebytes' Anti Malware can be downloaded from:
> http://www.malwarebytes.org/
>
> I wish you *all* the best of luck!

Perhaps if MBAM's "full version" is now in-use, some of the server's
problems will be avoided.

Respectfully,

--
1PW
Anteaus
Posted: Fri Sep 25, 2009 11:11 am    Post subject: Re: Malware and disabled security center

The most important aspect of server security is to minimize the attack surface.

Disable unneeded services (particularly IIS if it's not a webserver,
terminal services, etc. if not used). Close remote-access loopholes such as
Administrative Shares and Remote Registry if you have no need of them.
Disable CD and USB auto-run. (Very important!) Ensure that the firewall only
allows access to those ports which are actually needed. (And yes, on a DC
that's no simple task, but it's bad practice to just turn the firewall off
instead.) On a non-domain workgroup server, it's possible that 445 may be the
only port you actually need open to the LAN, plus perhaps the email ports
110/25.

And, most importantly, do not allow a Domain Admin logon to be used on any
workstation, as this opens the way for any malware running on that
workstation to attack the server across the wire. Instead, use a local Admin
logon for maintenance work.

Set a group policy to only allow designated server operators to log on at the
server console (and lock the console if it's normally left logged on). This
will stop users from treating the server as a 'spare computer' when the
admin's not around.

Attend to these essentials and your server probably won't get hit by
malware. Fail to attend to them and I can pretty much guarantee it will, no
matter what anti-this or anti-that you install.

> RobertOnline wrote:
> >
> > Although I had all kinds of security precautions one could ever think
> > of, at the end the server was "nailed"!
>
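A read-only audit of the checklist in the post above (unneeded services, administrative shares, AutoRun, listening ports, console logon rights), as an added PowerShell example that is not Anteaus's own code. The service names checked, the port allow-list (445 plus the 25/110 mail ports for a workgroup server) and the Users-group test are my assumptions; run it from an elevated prompt on the server.

```powershell
# Added example, not from the thread: report-only hardening audit for a
# Windows Server 2003/2008-era machine. It changes nothing.
param([int[]]$AllowedPorts = @(445, 25, 110))   # assumed allow-list

$report = @()
function Add-Check([string]$Area, [string]$Finding, [bool]$Ok) {
    $script:report += New-Object PSObject -Property @{ Area = $Area; Finding = $Finding; OK = $Ok }
}

# 1. Unneeded services: IIS web service, Terminal Services, Remote Registry.
#    Win32_Service (rather than Get-Service) also exposes StartMode on PS 2.0.
foreach ($name in 'W3SVC', 'TermService', 'RemoteRegistry') {
    $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
    if ($null -eq $svc) { Add-Check 'Services' "$name not installed" $true; continue }
    Add-Check 'Services' "$name State=$($svc.State) StartMode=$($svc.StartMode)" ($svc.StartMode -eq 'Disabled')
}

# 2. Administrative shares (C$, ADMIN$): AutoShareServer=0 stops them being
#    recreated at boot; also list any that exist right now.
$lm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -ErrorAction SilentlyContinue
$autoShare = if ($null -ne $lm.AutoShareServer) { $lm.AutoShareServer } else { 1 }   # absent = enabled
Add-Check 'Admin shares' "AutoShareServer=$autoShare" ($autoShare -eq 0)
$adminShares = @(Get-WmiObject Win32_Share | Where-Object { $_.Name -match '^([A-Z]|ADMIN)\$$' })
Add-Check 'Admin shares' "Present now: $(($adminShares | ForEach-Object { $_.Name }) -join ', ')" ($adminShares.Count -eq 0)

# 3. AutoRun: NoDriveTypeAutoRun=0xFF disables AutoRun for every drive type.
$explorer = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' -ErrorAction SilentlyContinue
$autoRun = if ($null -ne $explorer.NoDriveTypeAutoRun) { $explorer.NoDriveTypeAutoRun } else { 0 }
Add-Check 'AutoRun' ('NoDriveTypeAutoRun=0x{0:X2}' -f $autoRun) (($autoRun -band 0xFF) -eq 0xFF)

# 4. Listening TCP ports versus the allow-list, parsed from netstat so it
#    works on systems without the newer Get-NetTCPConnection cmdlet.
$listening = @(netstat -an | ForEach-Object {
    if ($_ -match '^\s*TCP\s+(?!127\.)\S+:(\d+)\s+\S+\s+LISTENING') { [int]$Matches[1] }
} | Sort-Object -Unique)
$unexpected = @($listening | Where-Object { $AllowedPorts -notcontains $_ })
Add-Check 'Ports' "Listening: $($listening -join ', '); not on allow-list: $($unexpected -join ', ')" ($unexpected.Count -eq 0)

# 5. Console logon: the "Allow log on locally" right should not include the
#    Users group (SID S-1-5-32-545). secedit exports the live policy as .inf.
$inf = Join-Path $env:TEMP 'hardening-audit.inf'
& secedit.exe /export /cfg $inf /quiet | Out-Null
$right = (Get-Content $inf | Where-Object { $_ -match '^SeInteractiveLogonRight\s*=' }) -replace '^[^=]*=\s*', ''
Remove-Item $inf -ErrorAction SilentlyContinue
Add-Check 'Console logon' "SeInteractiveLogonRight = $right" ($right -notmatch 'S-1-5-32-545')

$report | Format-Table Area, Finding, OK -AutoSize
```

The Domain Admin point in the post cannot be checked from the server itself; it is a workstation-side and procedural control.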
1PW
Posted: Fri Sep 25, 2009 5:39 pm    Post subject: Re: Malware and disabled security center

Anteaus wrote:
> Most important aspect of server security is to minimize the attack surface.
>
> Disable unneeded services (particularly IIS if it's not a webserver,
> terminal services, etc. if not used.) Close remote-access loopholes such as
> Administrative Shares and Remote Registry if you have no need of them.
> Disable CD and USB auto-run. (Very important!) Ensure that the firewall only
> allows access to those ports which are actually needed. (And yes on a DC
> that's no simple task but it's bad practice to just turn the firewall off
> instead) On a non-domain workgroup server, it's possible that 445 may be the
> only port you actually need open to the LAN, plus perhaps the email ports
> 110/25.
>
> And, most importantly, do not allow a Domain Admin logon to be used on any
> workstation, as this opens the way for any malware running on that
> workstation to attack the server across-the-wire. Instead, use a local Admin
> logon for maintenance work.
>
> Set a group policy to only allow designated server-operators to logon at the
> server console (and lock the console if it's normally left logged-on) This
> will stop users from treating the server as a 'spare computer' when the
> admin's not around.
>
> Attend to these essentials and your server probably won't get hit by
> malware. Fail to attend to them and I can pretty-much guarantee it will, no
> matter what anti-this or anti-that you install.
>
>> RobertOnline wrote:
>>> Although I had all kinds of security precautions one could ever think
>>> of, at the end the server was "nailed"!
>

In the sense of postmortem analysis, it would have been quite helpful
to know exactly /what/ got through their defenses and /what/ those
defenses were that failed.

Good basic server hardening is certainly one of several important aspects.

--
1PW
Anteaus
Posted: Wed Sep 30, 2009 11:56 pm    Post subject: Re: Malware and disabled security center

That is true, in my experience it's fortunately not too common for servers to
be compromised. If it does happen, it warrants some thought as to why, and
what can be done to prevent a repeat.

The greatest concern for servers is probably SMB/RPC attack vectors, since
these do not require any user-interaction, and will often work despite users
having limited accounts. (and apparently server 2008 has a serious example of
such already, which does not bode well for future Microsoft security!)

"1PW" wrote:

> In the sense of postmortem analysis, it would have been quite helpful
> to know exactly /what/ got through their defenses and /what/ those
> defenses were that failed.