MBAM says infected with Disabled.SecurityCenter

Hi all. I’m new at posting here but have benefited in the past from reading other threads. This time I need more direct help, so thanks in advance.

As in the subject line, Malwarebytes says my wife’s computer is infected with Disabled.SecurityCenter .

As for symptoms, the computer sometimes hangs unexpectedly but the main concern is that when online (usually ADSL), it is pumping out as much or a little more than receiving. All recent scans, onboard as well as online, come back negative for infections, except the MBAM scan.

Let me give these for starters; all are up-to-date to the best of my knowledge:

Win XP Pro, SP3
Mozilla Corporation - Firefox Version 3.0.8 (preferred browser)
IE 7 (for a few sites that don’t take FF)
Symantec AntiVirus Corporate Edition Version 9.5.0.1000
Scan Engine Version 81.3.0.
Zone Labs Client Version 5.1.001.000

a-squared Free Version 4.0.0.0
Malwarebytes' Anti-Malware Version 1.36
SUPERAntiSpyware Version 4, 20, 0, 1046

IObit - Advanced SystemCare 3 Version 3.0.0.0
Piriform Ltd - CCleaner Version 2, 13, 0, 720
REGSCRUBXP Application Version 3.25

SuperAdBlocker.com - BootSafe Application Version 2, 0, 0, 1000
SUPERAntiSpyware Version 4, 20, 0, 1046
SpyBot-S&D Version 1, 6, 2, 0
SpywareBlaster Version 4.01

[/indent]

** Further FYI: There is also a Remote access program, or remnants of one, which we believe is disabled. It was installed by a respected comp-pro friend who was helping us out from time to time, but for health reasons is unable to help us now.

And by the way, for anyone who doesn’t know about it, Belarc Advisor is a free program that makes it very easy to pull up all the above info, and much more!

Thanks again!

Symantec Antivirus 9.x will reach its End of Support Life as of March 31, 2009. Virus definition updates for version 9.x will be discontinued on April 1, 2009.

These tools can do more harm than good in the wrong hands

IObit - Advanced SystemCare 3 Version 3.0.0.0
Piriform Ltd - CCleaner Version 2, 13, 0, 720
REGSCRUBXP Application Version 3.25

Norton's installs it's own security center, disabling the windows default one, you can ignore that detection from MBAM

Thanks, Chewy, for pointing that out about Norton-- I'd not caught that at all, but did notice that today's attempt to update did not succeed. Now I've got a good idea as to why.

As for the other tools, I know they can cause problems if messed with. They are at or near default settings.

Any suggestions as to what is allowing so much to leave the computer?

Well in today's normal computing we have 40-50 processes loading at bootup and many want to call home all the time so it's to be expected that outgoing would be very active

I run a lot leaner than that

Please download and run Processexplorer

http://technet.microsoft.com/en-us/sysinte...s/bb896653.aspx

Under file and save as, create a log and post here

Ok, I'm back after being away for too long (or maybe it wasn't long enough...). The log is as follows:

Process PID CPU Description Company Name
System Idle Process 0 98.02
Interrupts n/a 0.99 Hardware Interrupts
DPCs n/a Deferred Procedure Calls
System 4
smss.exe 616 Windows NT Session Manager Microsoft Corporation
csrss.exe 776 Client Server Runtime Process Microsoft Corporation
winlogon.exe 804 Windows NT Logon Application Microsoft Corporation
services.exe 848 0.99 Services and Controller app Microsoft Corporation
svchost.exe 1036 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1116 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1196 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1276 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1416 Generic Host Process for Win32 Services Microsoft Corporation
spoolsv.exe 1536 Spooler SubSystem App Microsoft Corporation
svchost.exe 1608 Generic Host Process for Win32 Services Microsoft Corporation
a2service.exe 1652 a-squared Service Emsi Software GmbH
jqs.exe 1748 Java™ Quick Starter Service Sun Microsystems, Inc.
MDM.EXE 1808 Machine Debug Manager Microsoft Corporation
svchost.exe 1876 Generic Host Process for Win32 Services Microsoft Corporation
Rtvscan.exe 1924 Symantec AntiVirus Symantec Corporation
tvt_reg_monitor_svc.exe 1952 ThinkVantage Registry Monitor Service Lenovo Group Limited
tvtsched.exe 1980 ThinkVantage Scheduler Lenovo Group Limited
Fast.exe 364 Super Fast User Switcher Microsoft Corporation
alg.exe 748 Application Layer Gateway Service Microsoft Corporation
vsmon.exe 2492 TrueVector Service Zone Labs Inc.
isafe.exe 2792 ISafe Service Computer Associates International, Inc.
svchost.exe 3416 Generic Host Process for Win32 Services Microsoft Corporation
AppleMobileDeviceService.exe 3288 Apple Mobile Device Service Apple Inc.
lsass.exe 860 LSA Shell (Export Version) Microsoft Corporation
explorer.exe 3308 Windows Explorer Microsoft Corporation
scheduler_proxy.exe 3708 scheduler_proxy Application Lenovo Group Limited
jusched.exe 3724 Java™ Platform SE binary Sun Microsystems, Inc.
ctfmon.exe 3732 CTF Loader Microsoft Corporation
AWC.exe 3776 Advanced SystemCare 3 IObit
zlclient.exe 2464 Zone Labs Client Zone Labs Inc.
Skype.exe 3136 Skype Skype Technologies S.A.
explorer.exe 4048 Windows Explorer Microsoft Corporation
procexp.exe 408 Sysinternals Process Explorer Sysinternals - www.sysinternals.com

I hope you are able to review this soon and that I will not be so terribly long in getting back! Thanks.

Skype.exe 3136 Skype Skype Technologies S.A.

Turn this off and see what happens

I'm not quite sure what you mean by "see what happens." Did you mean to see how the machine functions connected to the web?

I have previously turned off (via Task Manager) skype, Machine Debug, Java Quick Start, Apple Mobile Service, and Advanced System Care. Performance is about the same, in that sending is still ahead of receiving even with these services off.

Added: I have noticed that on rare occasions there is not so much outbound, but I have not been able to establish a pattern to this.

Edited by sameolsameo, 26 April 2009 - 05:28 AM.

I have found fast user switching to be more trouble than it's worth and a huge performance hit when used on older machines

I have found fast user switching to be more trouble than it's worth and a huge performance hit when used on older machines

With all due respect, it seems we are straying from the original concern:

As in the subject line, Malwarebytes says my wife’s computer is infected with Disabled.SecurityCenter .

As for symptoms, the computer sometimes hangs unexpectedly but the main concern is that when online (usually ADSL), it is pumping out as much or a little more than receiving. All recent scans, onboard as well as online, come back negative for infections, except the MBAM scan.

As long as no one else is logged in and you are trying to isolate what's sending packets?

As long as no one else is logged in and you are trying to isolate what's sending packets?

Precisely what we are wondering-- what's sending packets? I would not think Fast Switch could do that, but have ended that process. Still the packets sent out are about 1:1 or more sent than received.

I have been active online for an hour, have very few running processes and 5200 sent 5400 received

ok, Not sure why only this one unit behaves this way but I guess I'm ready to close this, as it seems things are otherwise fine.

Thanks!