Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Firewall and NAV "off" after reboot for a short time/ Moved

  • Please log in to reply
2 replies to this topic

#1 STR3T


  • Members
  • 1 posts
  • Local time:10:36 AM

Posted 16 April 2009 - 07:52 PM

NAV recently found Bloodhound.exploit.213, but says it has been quarantined sucessfully.

After a reboot, both NAV and/or Windows Firewall get shown as "off" by the Security Center's popup. The system basically locks up for 5-20 seconds when this occurs. Then the warning popup goes away and AV and firwewall are active/on and I have full internet access, etc. Everything seems fine.

Malwarebytes finds the following notice:

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Not selected for removal.

Both NAV and Windows Defender are now finding no issues.

Process Exporere .txt:

Process PID CPU Description Company Name
System Idle Process 0 97.66
Interrupts n/a Hardware Interrupts
DPCs n/a 0.78 Deferred Procedure Calls
System 4 0.78
smss.exe 736 Windows NT Session Manager Microsoft Corporation
csrss.exe 792 Client Server Runtime Process Microsoft Corporation
winlogon.exe 816 Windows NT Logon Application Microsoft Corporation
services.exe 868 Services and Controller app Microsoft Corporation
svchost.exe 1048 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1116 Generic Host Process for Win32 Services Microsoft Corporation
MsMpEng.exe 1216 Service Executable Microsoft Corporation
svchost.exe 1256 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1376 Generic Host Process for Win32 Services Microsoft Corporation
svchost.exe 1452 Generic Host Process for Win32 Services Microsoft Corporation
ccSetMgr.exe 1592 Common Client Settings Manager Service Symantec Corporation
ccEvtMgr.exe 1640 Common Client Event Manager Service Symantec Corporation
spoolsv.exe 1776 Spooler SubSystem App Microsoft Corporation
svchost.exe 540 Generic Host Process for Win32 Services Microsoft Corporation
schedul2.exe 584 Acronis Scheduler 2 Acronis
AppleMobileDeviceService.exe 600 Apple Mobile Device Service Apple Inc.
mDNSResponder.exe 624 Bonjour Service Apple Inc.
DefWatch.exe 644 Virus Definition Daemon Symantec Corporation
FreeAgentService.exe 672 Sync Windows Services Seagate Technology LLC
nvsvc32.exe 1208 NVIDIA Driver Helper Service, Version 181.22 NVIDIA Corporation
HPZipm12.exe 1312 PML Driver HP
Rtvscan.exe 2168 Symantec AntiVirus Symantec Corporation
searchindexer.exe 2332 Microsoft Windows Search Indexer Microsoft Corporation
alg.exe 2036 Application Layer Gateway Service Microsoft Corporation
svchost.exe 2760 Generic Host Process for Win32 Services Microsoft Corporation
lsass.exe 880 LSA Shell (Export Version) Microsoft Corporation
explorer.exe 772 Windows Explorer Microsoft Corporation
ccApp.exe 1832 Common Client User Session Symantec Corporation
VPTray.exe 1888 Symantec AntiVirus Symantec Corporation
VPC32.exe 3240 Symantec AntiVirus Symantec Corporation
nvraidservice.exe 1892 NVIDIA RAID Service English language NVIDIA Corporation
CtHelper.exe 1944 CtHelper Application Creative Technology Ltd
TrueImageMonitor.exe 1952 Acronis True Image Monitor Acronis
schedhlp.exe 1980 Acronis Scheduler Helper Acronis
TimounterMonitor.exe 924 Monitor for Acronis True Image Backup Archive Explorer Acronis
MSASCui.exe 2004 Windows Defender User Interface Microsoft Corporation
iexplore.exe 1480 Internet Explorer Microsoft Corporation
WinRAR.exe 3128 WinRAR archiver Alexander Roshal
procexp.exe 704 0.78 Sysinternals Process Explorer Sysinternals - www.sysinternals.com
mbam.exe 1600 Malwarebytes' Anti-Malware Malwarebytes Corporation
notepad.exe 3536 Notepad Microsoft Corporation

Tnx in advance, I don't want my pc to be a 'zombie' :thumbsup:

Hmm, noticed another similar thread here and a recommendation for Winsocket XP Fix. When I run this and try to backup the registry, I get an "Security!" errors on saving file.

Edited by STR3T, 16 April 2009 - 08:33 PM.

BC AdBot (Login to Remove)


#2 Orange Blossom

Orange Blossom

    OBleepin Investigator

  • Moderator
  • 37,011 posts
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:11:36 AM

Posted 18 April 2009 - 12:57 AM

I am moving this topic from the XP forum to the Am I Infected forum. ~ OB
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#3 boopme


    To Insanity and Beyond

  • Global Moderator
  • 73,490 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:11:36 AM

Posted 18 April 2009 - 09:18 PM

Hello thais just a notification from MBam that secority had been turn off by malware or and it has been fixed

Why did these entries suddenly appear?

From MBAM secutrity.

We were asked to start fixing these as multiple infections are disabling them . Security center notification defs were added yesterday .

Is my interpretation on the entries above reasonable?


Is it safe to keep these entries in the ignore list permanently? (assuming the above reasons continue to be valid)

Yes it is safe and this is the correct course of action for all user/legit software initiated system modifications that MBAM may detect .

One thing people reading this need to keep in mind is that there is no way to tell how something got disabled , only that it is . The vast majority of people never go beyond the antivirus software preinstalled on their system and the occasional free scanner so these detections (for the vast majority of people) will only show up if malware has disabled them.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users