
MBAM says infected with Disabled.SecurityCenter


12 replies to this topic

#1 sameolsameo

sameolsameo

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:04:09 AM

Posted 10 April 2009 - 04:05 AM

Hi all. I'm new at posting here but have benefited in the past from reading other threads. This time I need more direct help, so thanks in advance.

As in the subject line, Malwarebytes says my wife's computer is infected with Disabled.SecurityCenter .

As for symptoms, the computer sometimes hangs unexpectedly but the main concern is that when online (usually ADSL), it is pumping out as much or a little more than receiving. All recent scans, onboard as well as online, come back negative for infections, except the MBAM scan.

Let me give these for starters; all are up-to-date to the best of my knowledge:

Win XP Pro, SP3
Mozilla Corporation - Firefox Version 3.0.8 (preferred browser)
IE 7 (for a few sites that don't take FF)
Symantec AntiVirus Corporate Edition Version 9.5.0.1000
Scan Engine Version 81.3.0.
Zone Labs Client Version 5.1.001.000

a-squared Free Version 4.0.0.0
Malwarebytes' Anti-Malware Version 1.36
SUPERAntiSpyware Version 4, 20, 0, 1046

IObit - Advanced SystemCare 3 Version 3.0.0.0
Piriform Ltd - CCleaner Version 2, 13, 0, 720
REGSCRUBXP Application Version 3.25

SuperAdBlocker.com - BootSafe Application Version 2, 0, 0, 1000
SUPERAntiSpyware Version 4, 20, 0, 1046
SpyBot-S&D Version 1, 6, 2, 0
SpywareBlaster Version 4.01


** Further FYI: There is also a Remote access program, or remnants of one, which we believe is disabled. It was installed by a respected comp-pro friend who was helping us out from time to time, but for health reasons is unable to help us now.

And by the way, for anyone who doesn't know about it, Belarc Advisor is a free program that makes it very easy to pull up all the above info, and much more!

Thanks again!


 


#2 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:04:09 AM

Posted 10 April 2009 - 06:14 AM

Symantec Antivirus 9.x will reach its End of Support Life as of March 31, 2009. Virus definition updates for version 9.x will be discontinued on April 1, 2009.



These tools can do more harm than good in the wrong hands

IObit - Advanced SystemCare 3 Version 3.0.0.0
Piriform Ltd - CCleaner Version 2, 13, 0, 720
REGSCRUBXP Application Version 3.25


Norton's installs its own security center, disabling the Windows default one, you can ignore that detection from MBAM
Chewy

No. Try not. Do... or do not. There is no try.

#3 sameolsameo

Posted 10 April 2009 - 08:42 AM

Thanks, Chewy, for pointing that out about Norton-- I'd not caught that at all, but did notice that today's attempt to update did not succeed. Now I've got a good idea as to why.

As for the other tools, I know they can cause problems if messed with. They are at or near default settings.

Any suggestions as to what is allowing so much to leave the computer?

#4 DaChew

Posted 10 April 2009 - 08:46 AM

Well in today's normal computing we have 40-50 processes loading at bootup and many want to call home all the time so it's to be expected that outgoing would be very active

I run a lot leaner than that

Please download and run Process Explorer

http://technet.microsoft.com/en-us/sysinte...s/bb896653.aspx

Under file and save as, create a log and post here
Chewy


#5 sameolsameo

Posted 25 April 2009 - 05:03 PM

Ok, I'm back after being away for too long (or maybe it wasn't long enough...). The log is as follows:


Process | PID | CPU | Description | Company Name
System Idle Process | 0 | 98.02 | |
Interrupts | n/a | 0.99 | Hardware Interrupts |
DPCs | n/a | | Deferred Procedure Calls |
System | 4 | | |
smss.exe | 616 | | Windows NT Session Manager | Microsoft Corporation
csrss.exe | 776 | | Client Server Runtime Process | Microsoft Corporation
winlogon.exe | 804 | | Windows NT Logon Application | Microsoft Corporation
services.exe | 848 | 0.99 | Services and Controller app | Microsoft Corporation
svchost.exe | 1036 | | Generic Host Process for Win32 Services | Microsoft Corporation
svchost.exe | 1116 | | Generic Host Process for Win32 Services | Microsoft Corporation
svchost.exe | 1196 | | Generic Host Process for Win32 Services | Microsoft Corporation
svchost.exe | 1276 | | Generic Host Process for Win32 Services | Microsoft Corporation
svchost.exe | 1416 | | Generic Host Process for Win32 Services | Microsoft Corporation
spoolsv.exe | 1536 | | Spooler SubSystem App | Microsoft Corporation
svchost.exe | 1608 | | Generic Host Process for Win32 Services | Microsoft Corporation
a2service.exe | 1652 | | a-squared Service | Emsi Software GmbH
jqs.exe | 1748 | | Java™ Quick Starter Service | Sun Microsystems, Inc.
MDM.EXE | 1808 | | Machine Debug Manager | Microsoft Corporation
svchost.exe | 1876 | | Generic Host Process for Win32 Services | Microsoft Corporation
Rtvscan.exe | 1924 | | Symantec AntiVirus | Symantec Corporation
tvt_reg_monitor_svc.exe | 1952 | | ThinkVantage Registry Monitor Service | Lenovo Group Limited
tvtsched.exe | 1980 | | ThinkVantage Scheduler | Lenovo Group Limited
Fast.exe | 364 | | Super Fast User Switcher | Microsoft Corporation
alg.exe | 748 | | Application Layer Gateway Service | Microsoft Corporation
vsmon.exe | 2492 | | TrueVector Service | Zone Labs Inc.
isafe.exe | 2792 | | ISafe Service | Computer Associates International, Inc.
svchost.exe | 3416 | | Generic Host Process for Win32 Services | Microsoft Corporation
AppleMobileDeviceService.exe | 3288 | | Apple Mobile Device Service | Apple Inc.
lsass.exe | 860 | | LSA Shell (Export Version) | Microsoft Corporation
explorer.exe | 3308 | | Windows Explorer | Microsoft Corporation
scheduler_proxy.exe | 3708 | | scheduler_proxy Application | Lenovo Group Limited
jusched.exe | 3724 | | Java™ Platform SE binary | Sun Microsystems, Inc.
ctfmon.exe | 3732 | | CTF Loader | Microsoft Corporation
AWC.exe | 3776 | | Advanced SystemCare 3 | IObit
zlclient.exe | 2464 | | Zone Labs Client | Zone Labs Inc.
Skype.exe | 3136 | | Skype | Skype Technologies S.A.
explorer.exe | 4048 | | Windows Explorer | Microsoft Corporation
procexp.exe | 408 | | Sysinternals Process Explorer | Sysinternals - www.sysinternals.com


I hope you are able to review this soon and that I will not be so terribly long in getting back! Thanks.

#6 DaChew

Posted 25 April 2009 - 05:46 PM

Skype.exe 3136 Skype Skype Technologies S.A.


Turn this off and see what happens
Chewy


#7 sameolsameo

Posted 26 April 2009 - 05:23 AM

I'm not quite sure what you mean by "see what happens." Did you mean to see how the machine functions connected to the web?

I have previously turned off (via Task Manager) Skype, Machine Debug, Java Quick Start, Apple Mobile Service, and Advanced System Care. Performance is about the same, in that sending is still ahead of receiving even with these services off.

Added: I have noticed that on rare occasions there is not so much outbound, but I have not been able to establish a pattern to this.

Edited by sameolsameo, 26 April 2009 - 05:28 AM.


#8 DaChew

Posted 26 April 2009 - 07:14 AM

I have found fast user switching to be more trouble than it's worth and a huge performance hit when used on older machines
Chewy


#9 sameolsameo

Posted 27 April 2009 - 03:43 PM

I have found fast user switching to be more trouble than it's worth and a huge performance hit when used on older machines



With all due respect, it seems we are straying from the original concern:


As in the subject line, Malwarebytes says my wife's computer is infected with Disabled.SecurityCenter .

As for symptoms, the computer sometimes hangs unexpectedly but the main concern is that when online (usually ADSL), it is pumping out as much or a little more than receiving. All recent scans, onboard as well as online, come back negative for infections, except the MBAM scan.



#10 DaChew

Posted 27 April 2009 - 04:50 PM

As long as no one else is logged in and you are trying to isolate what's sending packets?
Chewy


#11 sameolsameo

Posted 29 April 2009 - 04:03 PM

As long as no one else is logged in and you are trying to isolate what's sending packets?


Precisely what we are wondering-- what's sending packets? I would not think Fast Switch could do that, but have ended that process. Still the packets sent out are about 1:1 or more sent than received.

#12 DaChew

Posted 29 April 2009 - 04:18 PM

I have been active online for an hour, have very few running processes and 5200 sent 5400 received
Chewy


#13 sameolsameo

Posted 08 May 2009 - 06:13 PM

OK, not sure why only this one unit behaves this way but I guess I'm ready to close this, as it seems things are otherwise fine.

Thanks!
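
The question this thread leaves open, which process is sending the packets, can be narrowed down by joining `netstat -ano` output with the PID column of a Process Explorer log. The sketch below is an added example and not part of any post: the process names and PIDs are those listed in post #5, while the netstat rows (addresses, ports and PID 2222) are constructed sample data. A connection whose PID is missing from the process snapshot is reported as unknown, since that is the case worth a closer look.

```python
import re

# Process names and PIDs as listed in the Process Explorer log in post #5.
PROCEXP_LOG = """\
System Idle Process 0 98.02
System 4
svchost.exe 1116 Generic Host Process for Win32 Services Microsoft Corporation
Skype.exe 3136 Skype Skype Technologies S.A.
"""

# Constructed `netstat -ano` output: addresses, ports and PID 2222 are invented.
NETSTAT_OUT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1116
  TCP    192.168.1.10:1045      203.0.113.5:443        ESTABLISHED     3136
  TCP    192.168.1.10:1046      203.0.113.9:80         ESTABLISHED     3136
  TCP    192.168.1.10:1052      198.51.100.7:25        ESTABLISHED     2222
  UDP    0.0.0.0:445            *:*                                    4
"""

def parse_procexp(text):
    """Map PID -> process name from 'name PID ...' rows (names may contain spaces)."""
    pids = {}
    for line in text.splitlines():
        m = re.match(r"(.+?)\s+(\d+)(?:\s|$)", line)
        if m:
            pids[int(m.group(2))] = m.group(1)
    return pids

def parse_netstat(text):
    """Yield (proto, local, remote, state, pid); UDP rows carry no state."""
    for line in text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP":
            yield f[0], f[1], f[2], f[3], int(f[4])
        elif len(f) == 4 and f[0] == "UDP":
            yield f[0], f[1], f[2], "", int(f[3])

def outbound_by_process(procexp_text, netstat_text):
    """Group remote endpoints of ESTABLISHED TCP connections by owning process."""
    names = parse_procexp(procexp_text)
    talkers = {}
    for _proto, _local, remote, state, pid in parse_netstat(netstat_text):
        if state == "ESTABLISHED":
            owner = names.get(pid, "UNKNOWN (not in process log)")
            talkers.setdefault((pid, owner), []).append(remote)
    return talkers

print(outbound_by_process(PROCEXP_LOG, NETSTAT_OUT))
```

Both inputs should be captured at the same moment, because PIDs are reused after a process exits.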



