#1
Posted 17 March 2009 - 01:54 AM
Last week I reported some problems MB scan found which were F/P.
Today I ran a scan and 3 more problems were found:
All three read:
Vendor: Hijack Security Center
Category: Registry Data
Items:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify
Other: Bad (1) Good (0)
Action Taken: No action taken
#2
Posted 17 March 2009 - 02:20 AM
Not FPs. If you or a program you know set them, add them to ignore and they won't show up again.
#3
Posted 17 March 2009 - 02:50 AM
Tigger93, on Mar 17 2009, 03:20 AM, said:
Not FPs. If you or a program you know set them, add them to ignore and they won't show up again.
Do you know what these three exceptions pertain to? I ran a scan a few days ago and nothing found. Today I did a download of latest MB updates and then ran a scan and got these 3 exceptions.
What could be causing it? I always do manual updates of Windows Critical Updates, but never got these MB exceptions before. Could it be something new added to this latest download of MB updates that would pick that up?
Alice
(I ran a scan with NIS and SpyBot and nothing found.)
#4
Posted 17 March 2009 - 03:22 AM
Quote
Could it be something new added to this latest download of MB updates that would pick that up?
Yes, it was added to the definitions in the last 2 days
Quote
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
I have Security Center disabled myself
Regards
Chewy the wild wookie
#5
Posted 17 March 2009 - 03:27 AM
#6
Posted 17 March 2009 - 03:39 AM
If you go into the XP Security center, click on "Change the way security center alerts me", and uncheck all 3 boxes, you will get those three warnings in your scan. As was mentioned, simply add them to your ignore list if you or a program disabled the notifications.
Regarding Security Center missing from Control Panel, I doubt it's related to MBAM.
#7
Posted 17 March 2009 - 04:38 AM
coppertrail, on Mar 17 2009, 03:39 AM, said:
If you go into the XP Security center, click on "Change the way security center alerts me", and uncheck all 3 boxes, you will get those three warnings in your scan. As was mentioned, simply add them to your ignore list if you or a program disabled the notifications.
Regarding Security Center missing from Control Panel, I doubt it's related to MBAM.
If you unchecked all three boxes, then Automatic Updates would be enabled (ON). Why would MB show you that there were 3 exceptions if Automatic Updates was ON?
Also, why is MB notifying us of MS security settings? I know many people who do not want automatic updates and want to update manually. I presume that all of them will also be receiving these MB exceptions (Hijack Security Center).
Why is MB getting involved in MS security center? Very, very confusing to me and probably many others.
(Does anyone know why the Security Center is missing in the Control Panel?)
#8
Posted 17 March 2009 - 04:48 AM
alicez, on Mar 17 2009, 12:38 AM, said:
If you unchecked all three boxes, then Automatic Updates would be enabled (ON). Why would MB show you that there were 3 exceptions if Automatic Updates was ON?
Also, why is MB notifying us of MS security settings? I know many people who do not want automatic updates and want to update manually. I presume that all of them will also be receiving these MB exceptions (Hijack Security Center).
Why is MB getting involved in MS security center? Very, very confusing to me and probably many others.
(Does anyone know why the Security Center is missing in the Control Panel?)
It's simply alerting the SC notifications are disabled. If a user says "Wait, I didn't disable those notifications", it could be an indicator that malware did so without their knowledge.
You may have become infected with malware that removed the .cpl file for Security Center, thus why it's not appearing in Control Panel. You can try the steps below to restore it:
First off, the following procedure will launch Windows Security Center.
Start -> Run -> wscui.cpl
One workaround to your current problem would be to go to
C:\Windows\System32, right click on wscui.cpl, and select Send to -> Desktop
(create shortcut). This would at least give you a way of launching Security
Center should you not be able to restore the Control Panel icon.
As for the missing icon in Control Panel, run the Registry Editor (Start ->
Run -> regedit.exe) and navigate to the following registry key.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\don't load
Take a look in the right hand pane for an entry containing mscui.cpl. If
found, right click on it and delete it.
#9
Posted 17 March 2009 - 02:08 PM
coppertrail, on Mar 17 2009, 04:48 AM, said:
Having these boxes unchecked does not mean that Automatic Updates is on or off, but rather that it won't notify you if it's off. Why does MBAM notify you of this? Because some malware uncheck this box without the user's knowledge. I have automatic updates disabled, and I don't want security center hounding me on this.
It's simply alerting the SC notifications are disabled. If a user says "Wait, I didn't disable those notifications", it could be an indicator that malware did so without their knowledge.
You may have become infected with malware that removed the .cpl file for Security Center, thus why it's not appearing in Control Panel. You can try the steps below to restore it:
First off, the following procedure will launch Windows Security Center.
Start -> Run -> wscui.cpl
One workaround to your current problem would be to go to
C:\Windows\System32, right click on wscui.cpl, and select Send to -> Desktop
(create shortcut). This would at least give you a way of launching Security
Center should you not be able to restore the Control Panel icon.
As for the missing icon in Control Panel, run the Registry Editor (Start ->
Run -> regedit.exe) and navigate to the following registry key.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\don't load
Take a look in the right hand pane for an entry containing mscui.cpl. If
found, right click on it and delete it.
You said "Take a look in the right hand pane for an entry containing mscui.cpl. If found, right click on it and delete it."
Did that and 'lo and behold' - Security Center is back in Control Panel. Thanks much for your help.
Alice
#1- When the 3 Security Center 'errors' show up after the MB scan, I should click on Ignore, correct?
#2- I notice when I click on the Ignore and try to close the MB, I get a pop-up that reads:
"A scan is in progress. Are you sure you want to close MB?"
What is that all about? I thought the scan was finished and when I clicked on Ignore for all 3 'exceptions,' I would be allowed to close MB. The pop-up box has YES and NO under the wording. Should I just click on YES?
#10
Posted 17 March 2009 - 02:50 PM
alicez, on Mar 17 2009, 10:08 AM, said:
You said "Take a look in the right hand pane for an entry containing mscui.cpl. If found, right click on it and delete it."
Did that and 'lo and behold' - Security Center is back in Control Panel. Thanks much for your help.
Alice
#1- When the 3 Security Center 'errors' show up after the MB scan, I should click on Ignore, correct?
#2- I notice when I click on the Ignore and try to close the MB, I get a pop-up that reads:
"A scan is in progress. Are you sure you want to close MB?"
What is that all about? I thought the scan was finished and when I clicked on Ignore for all 3 'exceptions,' I would be allowed to close MB. The pop-up box has YES and NO under the wording. Should I just click on YES?
1. That is correct.
2. Come to think of it, I had the exact same thing happen a couple days ago. I ended up having to kill the MBAM app. Maybe one of the MBAM mods could comment on this? I really didn't think much of it. I'll try another scan today and see what happens. (I'm sure it will display the 3 "HijackSecurityCenter" warnings . . .
#11
Posted 17 March 2009 - 02:58 PM
coppertrail, on Mar 17 2009, 02:50 PM, said:
Good, I'm glad that took care of it. Something must have moved it to the "don'tload" key.
1. That is correct.
2. Come to think of it, I had the exact same thing happen a couple days ago. I ended up having to kill the MBAM app. Maybe one of the MBAM mods could comment on this? I really didn't think much of it. I'll try another scan today and see what happens. (I'm sure it will display the 3 "HijackSecurityCenter" warnings . . .
You said "I'll try another scan today and see what happens. (I'm sure it will display the 3 "HijackSecurityCenter" warnings . . . "
If you clicked on Ignore, wouldn't the 3 SC warnings NOT display again?
#12
Posted 17 March 2009 - 03:00 PM
Update: Just did a quick scan, chose to ignore all 3 SecCenter warnings. But I did still get the "A scan is in progress, do you wish to close MBAM?", to which I answered yes and the program closed normally. Opened it back up and the ignore items are in the ignore tab, so those were saved.
Not sure, this is a new behavior that I started seeing this week. FWIW, I'm not running active protection.
#13
Posted 17 March 2009 - 03:44 PM
coppertrail, on Mar 17 2009, 05:48 AM, said:
Having these boxes unchecked does not mean that Automatic Updates is on or off, but rather that it won't notify you if it's off. Why does MBAM notify you of this? Because some malware uncheck this box without the user's knowledge. I have automatic updates disabled, and I don't want security center hounding me on this.
I am still trying to understand the above. I've looked in the Security Center and I have the Automatic Updates checked for "Turn Off Automatic Updates."
If I check on "Automatic," the check next to "Turn Off Automatic Updates" goes away.
You said, "if those boxes are unchecked, does not mean that Automatic Updates is ON or OFF."
But, as I see it, if those boxes are UNchecked, the Automatic is ON. If you check one of those boxes, the Automatic check - ON - goes away.
Am I reading something wrong here? Your help would be appreciated in helping me understand. As a novice, this is all so confusing.
Thanks,
Alice
#14
Posted 17 March 2009 - 03:51 PM
Hi all,
The reason why we are flagging these Registry values is because we are seeing a massive increase in the number of malware infections that are disabling the security center functions during the course of compromising the victim machine.
The detections act as a repair to restore (enable) security center settings in that scenario.
If you have knowingly disabled these settings, or one of your installed software programs has disabled them, then you will need to add them to the MBAM ignore list or we will keep flagging and trying to re-enable them.
Unfortunately MBAM has no way of knowing whether the security centre functions were disabled by malware or whether the end user has consented (wants them) to be switched off.
hth
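The triage described in the post above, as an added example that is not part of the thread and is not Malwarebytes' code: it parses findings in the log format quoted in post #4 and separates values the owner knowingly disabled from ones that need a closer look. The `consented` set is a hypothetical stand-in for the scanner's ignore list, and the sample log is constructed.

```python
import re

# Constructed sample, written in the log format quoted earlier in this thread.
SAMPLE_LOG = r"""Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
"""

# key path \ value name (detection label) -> Bad: (x) Good: (y) -> action.
FINDING_RE = re.compile(
    r"^(?P<key>HKEY_[^()]+)\\(?P<value>[^\\()]+?)\s+\((?P<vendor>[^)]+)\)"
    r"\s+->\s+Bad:\s+\((?P<bad>[^)]*)\)\s+Good:\s+\((?P<good>[^)]*)\)"
    r"\s+->\s+(?P<action>.+?)\.?$"
)


def parse_findings(log_text):
    """Return one dict per registry-data finding; other lines are skipped."""
    findings = []
    for line in log_text.splitlines():
        match = FINDING_RE.match(line.strip())
        if match:
            findings.append(match.groupdict())
    return findings


def triage(findings, consented):
    """Split findings into knowingly-set values and ones to investigate.

    `consented` holds the value names the machine's owner confirms they
    (or software they installed) switched off on purpose. Registry value
    names are case-insensitive, so the comparison is too.
    """
    known = {name.lower() for name in consented}
    result = {"ignore": [], "investigate": []}
    for finding in findings:
        bucket = "ignore" if finding["value"].lower() in known else "investigate"
        result[bucket].append(finding["value"])
    return result


if __name__ == "__main__":
    found = parse_findings(SAMPLE_LOG)
    # Assumed scenario: the owner turned off update and firewall alerts only.
    report = triage(found, {"UpdatesDisableNotify", "FirewallDisableNotify"})
    for name in report["investigate"]:
        print(f"{name}: alert disabled with no known cause, check the machine")
```
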
#15
Posted 17 March 2009 - 03:54 PM
Alice -
You're missing a step from my post. Once in Security Center, click on "Change how Security Center Notifies Me" on the middle left hand side of the window (I believe it's in blue lettering, no button). Those are the boxes I'm referring to.
#16
Posted 17 March 2009 - 05:44 PM
alicez, on Mar 17 2009, 09:08 AM, said:
#2- I notice when I click on the Ignore and try to close the MB, I get a pop-up that reads:
"A scan is in progress. Are you sure you want to close MB?"
What is that all about? I thought the scan was finished and when I clicked on Ignore for all 3 'exceptions,' I would be allowed to close MB. The pop-up box has YES and NO under the wording. Should I just click on YES?
This has happened to me whenever MBAM found something and I didn't remove the "infections". Sometimes, in a case like that, I would add the "infections" to the Ignore List but MBAM does not realize that they are not infections and thinks that there should be some action taken (remove). I think if you click "Main Menu" (if my memory serves me correctly), it will allow you to get back into the scan options.
swagger (Keith)
Desktop ----- AMD Athlon 3700+ (2.64Ghz), 2GB DDR 400, ASUS A8N-SLI Premium, 500GB HD, Windows XP Pro SP3, Avira Antivir Personal, MBAM Pro
Laptop ----- Intel C2D P8400 (2.4 Ghz), 4GB DDR3 1066, Mainboard, 160GB HD, Dualboot: Windows 7/openSUSE 11.1, Avira Antivir Personal
#17
Posted 17 March 2009 - 06:18 PM
coppertrail, on Mar 17 2009, 04:54 PM, said:
Alice -
You're missing a step from my post. Once in Security Center, click on "Change how Security Center Notifies Me" on the middle left hand side of the window (I believe it's in blue lettering, no button). Those are the boxes I'm referring to.
Many thanks. Now I understand. Sorry for the bother.
#18
Posted 17 March 2009 - 06:25 PM
I just ran an MB scan (after downloading latest updates) on my grandson's Acer Aspire One 10.1" and only see one exception, which is:
Vendor: Disabled.Security Center
Category: Registry Data
Items:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdateDisableNotify
Other: Bad (1) Good (0)
Action Taken: No action taken
As you can see, the description is different than the (3) exceptions I found on my desktop. Is this 1 item that was found on the Acer the same as the 3 that were found on my desktop?
And can I just add this one (1) to the ignore list on the MB on the Acer?
Thank you.
#19
Posted 17 March 2009 - 06:31 PM
It looks like the Acer only has notifications for Windows Update disabled, and not Firewall and AV.
#20
Posted 17 March 2009 - 06:34 PM
coppertrail, on Mar 17 2009, 07:31 PM, said:
It looks like the Acer only has notifications for Windows Update disabled, and not Firewall and AV.
Right again! Two items were still checked.
I wish I could keep you as a 'friend' when I have a problem with MB. Your explanations are so informative and "to the point."
Just wanted to mention. I did uncheck those boxes and ran another MB scan and the Acer did then come up with 3 exceptions.
But the explanations are a bit different.
The 3 found on my desktop (with WinXPsp3) were all described as:
Vendor: Hijack Security Center
The 3 now found on the Acer (WinXPsp3 also) are:
Vendor: Disabled.Security Center
The Acer has: Disabled.Security Center and the desktop has: Hijack Security Center.
Are they both the 'same' and can I now add the 3 found on the Acer to the Ignore list?