BleepingComputer.com: Win XP Security Center products listed

Win XP Security Center products listed
Is an AV or Firewall really installed if listed in Security Center?

#1 abidlen

Posted 16 February 2011 - 09:09 AM

I have a computer that for sure was infected with Smart Internet Protection 2011.
I went through the common documented steps to remove the infection.
Nothing that I scan with shows any more traces of the infection. Yet, it's still listed in Security Center as an active Firewall and AntiVirus product.

Can anyone shed some light on how a product gets listed in the Security Center? If it's shown, does that mean that the computer is still infected or is there just some entry somewhere telling the Security Center that it's installed?


#2 Didier Stevens

Posted 16 February 2011 - 09:55 AM

The Security Center gets its data from WMI. I assume you've not installed another AV or firewall?

I've written a VB script to display the Security Center data WMI has for AV and Firewall.
That's the same data the Windows Security Center is accessing to display its information.
You can download it from here:
http://DidierStevens.com/files/software/wmi-sc.zip

Unzip it and execute it (double-click).

You'll have at least 2 message boxes, and 4 at most.
First one displays "Start".
Second one displays the AV info; if there is no info, this message box is not displayed.
Third one displays the FW info; if there is no info, this message box is not displayed.
Fourth one displays "Done".

Please report back which messages were displayed.
Didier Stevens
http://blog.DidierStevens.com
Microsoft MVP 2011-2012 Consumer Security

#3 abidlen

Posted 16 February 2011 - 10:18 AM

I installed MS Security Essentials also, which you'll see below.
If I disable the realtime scanning in MSSE, then I see SIP2011 listed specifically in Security Center, otherwise I see the message about having multiple AV's installed...

1. Start
2. AVP Inc
Smart Internet Protection 2011
True
True
3. Microsoft Corporation
Microsoft Security Essentials
True
True
3.0.8107.0
4. AVP Inc
Smart Internet Protection 2011
True
5. WMI Class SecurityCenter2 not found
6. Done

#4 Didier Stevens

Posted 16 February 2011 - 03:09 PM

OK, the fact that you have two entries for AV products in WMI explains why the Security Center still reports Smart Internet Protection 2011.

I assume that you want us to try to remove this entry?

Didier Stevens
http://blog.DidierStevens.com
Microsoft MVP 2011-2012 Consumer Security

#5 abidlen

Posted 16 February 2011 - 03:23 PM

Yes, I would like to.
It sounds like I'm right in assuming that just because it's listed does not mean that it's still infected - agree?

#6 Didier Stevens

Posted 16 February 2011 - 03:41 PM

abidlen, on 16 February 2011 - 03:23 PM, said:

It sounds like I'm right in assuming that just because it's listed does not mean that it's still infected - agree?


Not necessarily. It could be that the entry is created because there is still a software component active. But we'll establish that.

Do the following from a Windows XP administrator account:

Start the security center.
Start Run... and launch wbemtest.
Click Connect...
Replace default with SecurityCenter in the first input box
Click connect
Click Enum Classes
Click OK
Double-click AntiVirusProduct
Click Instances
You will see 1 or 2 objects (AntiVirusProduct.instanceGUID...)

If there is only one:
select it and Delete it.

If there are two:
Double click the first entry
Scroll down until you see displayName. If it is something like Smart Internet Protection 2011, then you have to delete this entry; otherwise it is the second entry you need to delete.
Click close
Select the correct entry
Click Delete

The moment you delete the entry, Security Center will update its status (that's why I asked you to start the Security Center).

Click Close, Close and Exit.



Now you have deleted the WMI entry for SIP that the Security Center uses to display its status.
Reboot your machine.
If the entry reappears, then there is still a component of SIP installed that recreates the entry.
You'll need to find that component and remove it.

Didier Stevens
http://blog.DidierStevens.com
Microsoft MVP 2011-2012 Consumer Security
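
The wbemtest steps in the post above can also be scripted. This is an added example, not part of the original posts and not the wmi-sc script; it assumes PowerShell 2.0 or later is installed on the XP machine, and the function names are hypothetical. It goes one step beyond the post by also checking FirewallProduct, since Security Center listed the product as a firewall as well.

```powershell
# Added example (not the wmi-sc script). Needs PowerShell 2.0+ and an administrator account.
$Namespace = 'root\SecurityCenter'               # namespace used in the wbemtest steps
$Classes   = 'AntiVirusProduct', 'FirewallProduct'

function Get-SecurityCenterEntry {
    # Hypothetical helper: returns every AV and firewall instance Security Center reads.
    foreach ($class in $Classes) {
        Get-WmiObject -Namespace $Namespace -Class $class -ErrorAction SilentlyContinue |
            Select-Object @{Name = 'Class'; Expression = { $_.__CLASS }},
                          companyName, displayName, versionNumber, instanceGuid
    }
}

function Remove-SecurityCenterEntry {
    # Hypothetical helper: deletes only instances whose displayName matches -Pattern.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([Parameter(Mandatory = $true)][string]$Pattern)

    foreach ($class in $Classes) {
        $stale = @(Get-WmiObject -Namespace $Namespace -Class $class -ErrorAction SilentlyContinue |
                   Where-Object { $_.displayName -like $Pattern })
        foreach ($entry in $stale) {
            $target = '{0} "{1}" ({2})' -f $class, $entry.displayName, $entry.instanceGuid
            if ($PSCmdlet.ShouldProcess($target, 'Delete WMI instance')) {
                $entry.Delete()
            }
        }
    }
}

# 1. Show what is registered now.
Get-SecurityCenterEntry | Format-List

# 2. Dry run: report which entries would be deleted. Drop -WhatIf to delete them.
Remove-SecurityCenterEntry -Pattern 'Smart Internet Protection*' -WhatIf

# 3. After deleting and rebooting, run step 1 again; an entry that has come back
#    means some component is still installed and re-registering it.
```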

#7 abidlen

Posted 16 February 2011 - 04:21 PM

After reboot it only showed MS Security Essentials - which I interpret to be GOOD NEWS!

Thanks so much for your time and sharing your knowledge!

#8 Didier Stevens

Posted 16 February 2011 - 04:24 PM

abidlen, on 16 February 2011 - 04:21 PM, said:

After reboot it only showed MS Security Essentials - which I interpret to be GOOD NEWS!


Yep, that is good news, there is no active SIP component left to create the WMI entries.
Didier Stevens
http://blog.DidierStevens.com
Microsoft MVP 2011-2012 Consumer Security