Win XP Security Center products listed


7 replies to this topic

#1 abidlen (Members, 4 posts)

Posted 16 February 2011 - 09:09 AM

I have a computer that for sure was infected with Smart Internet Protection 2011.
I went through the common documented steps to remove the infection.
Nothing that I scan with shows any more traces of the infection. Yet, it's still listed in Security Center as an active Firewall and AntiVirus product.

Can anyone shed some light on how a product gets listed in the Security Center? If it's shown, does that mean that the computer is still infected or is there just some entry somewhere telling the Security Center that it's installed?

Edited by abidlen, 16 February 2011 - 09:10 AM.



#2 Didier Stevens (BC Advisor, 2,707 posts)

Posted 16 February 2011 - 09:55 AM

The Security Center gets its data from WMI. I assume you've not installed another AV or firewall?

I've written a VB script to display the Security Center data WMI has for AV and Firewall.
That's the same data the Windows Security Center is accessing to display its information.
You can download it from here:
http://DidierStevens.com/files/software/wmi-sc.zip

Unzip it and execute it (double-click).

You'll have at least 2 message boxes, and 4 at most.
First one displays "Start"
Second one displays the AV info, if there is no info, this message box is not displayed.
Third one displays the FW info, if there is no info, this message box is not displayed.
Fourth one displays "Done"

Please report back which messages were displayed.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#3 abidlen (Topic Starter, Members, 4 posts)

Posted 16 February 2011 - 10:18 AM

I installed MS Security Essentials also, which you'll see below.
If I disable the realtime scanning in MSSE, then I see SIP2011 listed specifically in Security Center; otherwise I see the message about having multiple AVs installed...

1. Start
2. AVP Inc
Smart Internet Protection 2011
True
True
3. Microsoft Corporation
Microsoft Security Essentials
True
True
3.0.8107.0
4. AVP Inc
Smart Internet Protection 2011
True
5. WMI Class SecurityCenter2 not found
6. Done

#4 Didier Stevens (BC Advisor, 2,707 posts)

Posted 16 February 2011 - 03:09 PM

OK, the fact that you've two entries for AV products in WMI explains why the security center still reports Smart Internet Protection 2011.

I assume that you want us to try to remove this entry?

Edited by Didier Stevens, 16 February 2011 - 03:09 PM.


#5 abidlen (Topic Starter, Members, 4 posts)

Posted 16 February 2011 - 03:23 PM

Yes, I would like to.
It sounds like I'm right in assuming that just because it's listed does not mean that it's still infected - agree?

#6 Didier Stevens (BC Advisor, 2,707 posts)

Posted 16 February 2011 - 03:41 PM

It sounds like I'm right in assuming that just because it's listed does not mean that it's still infected - agree?


Not necessarily. It could be that the entry is created because there is still a software component active. But we'll establish that.

Do the following from a Windows XP administrator account:

Start the security center.
Start Run... and launch wbemtest.
Click Connect...
Replace default with SecurityCenter in the first input box
Click connect
Click Enum Classes
Click OK
Double-click AntiVirusProduct
Click Instances
You will see 1 or 2 objects (AntiVirusProduct.instanceGUID...)

If there is only one:
select it and Delete it.

If there are two:
Double click the first entry
Scroll down until you see displayName. If it is something like Smart Internet Protection 2011, then you have to delete this entry; otherwise it is the second entry you need to delete.
Click close
Select the correct entry
Click Delete

The moment you delete the entry, Security Center will update its status (that's why I asked you to start the Security Center).

Click Close, Close and Exit.



Now you have deleted the WMI entry for SIP that the Security Center uses to display its status.
Reboot your machine.
If the entry reappears, then there is still a component of SIP installed that recreates the entry.
You'll need to find that component and remove it.

Edited by Didier Stevens, 16 February 2011 - 03:42 PM.


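The following script is an added example for this thread; it is not the wmi-sc.zip VBScript from post #2 and not anything abidlen or Didier Stevens posted. It does in PowerShell what posts #2 and #6 describe doing by hand: list the product entries Windows Security Center reads from WMI, delete the entry of a named product (the wbemtest Delete step), and, when run again after a reboot, show whether something re-registered it. It assumes an administrator account and PowerShell 2.0 or later (available for XP SP3); the product name "Smart Internet Protection 2011" comes from the thread, while the -RogueName and -Delete parameters and the function names are this script's own. It goes one step beyond post #6 in that it deletes the product's FirewallProduct and AntiSpywareProduct entries as well as its AntiVirusProduct entry, since abidlen's output shows the rogue registered as a firewall too. Whether wscsvc on Vista and later restores deleted SecurityCenter2 entries from its own state is not covered here; the thread's procedure is an XP one.

```powershell
<#
  Added example, not the VBScript from the original post.
  Lists what Windows Security Center reads from WMI, deletes the entries of one
  named product with -Delete, and is meant to be re-run after a reboot to see
  whether a leftover component re-registers the product.
  Assumed: administrator account; PowerShell 2.0+ (available for XP SP3).
  -RogueName and -Delete are this script's own parameters.
#>
param(
    [string]$RogueName = "Smart Internet Protection 2011",   # name taken from the thread
    [switch]$Delete
)

# XP keeps the entries in root\SecurityCenter; Vista and later use root\SecurityCenter2.
# Both are probed, so the other one being "not found" is expected and harmless.
$Namespaces = @("root\SecurityCenter", "root\SecurityCenter2")
$Classes    = @("AntiVirusProduct", "FirewallProduct", "AntiSpywareProduct")

function Get-SecurityCenterEntries {
    foreach ($ns in $Namespaces) {
        foreach ($cls in $Classes) {
            try {
                # -ErrorAction Stop turns a missing namespace/class into a catchable error
                Get-WmiObject -Namespace $ns -Class $cls -ErrorAction Stop
            } catch {
                # Namespace or class does not exist on this Windows version: skip it
            }
        }
    }
}

function Show-SecurityCenterEntries {
    $entries = @(Get-SecurityCenterEntries)
    if ($entries.Count -eq 0) {
        Write-Host "No products registered with Security Center."
        return
    }
    # __NAMESPACE and __CLASS are WMI system properties. companyName,
    # onAccessScanningEnabled, productUptoDate and versionNumber are the XP
    # (root\SecurityCenter) properties visible in the thread's output; enabled
    # belongs to FirewallProduct; productState is the SecurityCenter2 equivalent.
    # Properties a class lacks simply print empty.
    $entries |
        Select-Object __NAMESPACE, __CLASS, displayName, companyName, instanceGuid,
                      onAccessScanningEnabled, enabled, productUptoDate, productState, versionNumber |
        Format-List | Out-Host
}

function Remove-SecurityCenterEntry {
    param([Parameter(Mandatory = $true)][string]$Name)
    # An empty pattern would match, and delete, every entry; refuse it outright
    if ([string]::IsNullOrEmpty($Name.Trim())) { throw "Refusing to delete with an empty product name." }

    $victims = @(Get-SecurityCenterEntries | Where-Object { $_.displayName -like "*$Name*" })
    if ($victims.Count -eq 0) {
        Write-Host "No Security Center entry matches '$Name'."
        return
    }
    foreach ($v in $victims) {
        # Same effect as selecting the instance in wbemtest and clicking Delete,
        # applied to every class the product registered itself in.
        Write-Host ("Deleting {0}\{1}: '{2}' ({3})" -f $v.__NAMESPACE, $v.__CLASS, $v.displayName, $v.instanceGuid)
        Remove-WmiObject -InputObject $v
    }
}

Write-Host "=== Entries Security Center currently reads ==="
Show-SecurityCenterEntries

if ($Delete) {
    Remove-SecurityCenterEntry -Name $RogueName
    Write-Host "=== Entries after deletion (Security Center updates its status immediately) ==="
    Show-SecurityCenterEntries
    Write-Host "Now reboot and run this script again without -Delete."
    Write-Host "If '$RogueName' is listed again, a component of it is still installed and re-registers it; find and remove that component."
    Write-Host "If it stays gone, the listing was only the stale WMI status entry, not a live infection."
}
```

Run it once with no switches to see the same data the Security Center shows, then with -Delete from an administrator PowerShell while the Security Center window is open, so you can watch its status change as post #6 describes. The deciding check is the re-run after the reboot: the WMI entry itself is just a status record, and only an entry that reappears tells you a component of the rogue is still active.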
#7 abidlen (Topic Starter, Members, 4 posts)

Posted 16 February 2011 - 04:21 PM

After reboot it only showed MS Security Essentials - which I interpret to be GOOD NEWS!

Thanks so much for your time and sharing your knowledge!

#8 Didier Stevens (BC Advisor, 2,707 posts)

Posted 16 February 2011 - 04:24 PM

After reboot it only showed MS Security Essentials - which I interpret to be GOOD NEWS!


Yep, that is good news, there is no active SIP component left to create the WMI entries.
