Malware and disabled security center

[Guest]

My daughter's computer (HP running WinXP Home SP2) has the same problem as
previously posted by another user. My daughter(who says she knew better)
clicked on a suspicious link in an AIM message she received, AIM went crazy,
and now Windows Security's firewall is disabled and auto update turned off,
with the ability to turn the firewall back on denied because of a group
control issue. The fix suggested by Bruce Chambers to the other poster to go
into group policy editor (start-run-gpedit.msc) would not work for me,
windows said it could not find it. McAfee found no virus, Ad-Aware found no
malware, but Spybot found 6 entries that all relate to windows security
center--it says it fixes them but the firewall problem remains and when I run
Spybot again it finds the same 6 entries. They are all registry changes,
they read as follows:

WindowsSecurityCenter.AntiVirusDisableNotify
settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security
Center\AntiVirusDisableNotify!=dword:0

WindowsSecurityCenter.AntiVirusOverride
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security
Center\AntiVirusOverride!=dword:0

WindowsSecurityCenter.FirewallDisableNotify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security
Center\FirewallDisableNotify!=dword:0

WindowsSecurityCenter.SP2Update
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Wondows\WindowsUpdate\DoNotAllowxps2!=dword:0

WindowsSecurityCenter.UpdateDisableNotiry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security
Center\UpdayesDisableNotify!=dword:0

Any help would be appreciated, as I just spent many hours getting rid of the
downloader-AWX Trojan that McAfee found but could not remove, and now this.

Signed,
A weary not-really-computer-savvy Mom who has better things to do. LOL

 

[Ron Martell]

My daughter's computer (HP running WinXP Home SP2) has the same problem as
previously posted by another user. My daughter(who says she knew better)
clicked on a suspicious link in an AIM message she received, AIM went crazy,
and now Windows Security's firewall is disabled and auto update turned off,
with the ability to turn the firewall back on denied because of a group
control issue. The fix suggested by Bruce Chambers to the other poster to go
into group policy editor (start-run-gpedit.msc) would not work for me,
windows said it could not find it. McAfee found no virus, Ad-Aware found no
malware, but Spybot found 6 entries that all relate to windows security
center--it says it fixes them but the firewall problem remains and when I run
Spybot again it finds the same 6 entries. They are all registry changes,
they read as follows:

Try booting the computer into "Safe Mode with Networking" (so as to
minimize the interference by the Malware if possible) and then go to
one of the following free online scanner sites and see if they can
clean up the machine:
Bit Defender http://www.bitdefender.com/scan8/ie.html
Trend Micro http://housecall.trendmicro.com
Kaspersky Online Scanner http://www.kaspersky.com/virusscanner
Panda ActiveScan http://www.pandasoftware.com/activescan
WindowSecurity.com TrojanScan http://windowssecurity.com/trojanscan
Webroot http://www.webroot.com/

To boot the computer into "Safe Mode with Networking" turn it on and
start tapping the F8 key rapidly just as soon as the first information
of any kind shows on the screen. Keep tapping until the Windows XP
Startup menu appears and choose "Safe Mode with Networking" from the
menu.

Note: If the initial Windows XP startup "splash screen" shows instead
of the startup menu you have missed it and will have to restart and
try again. Either you did not start tapping the key soon enough
and/or you were tapping too slowly.

Good luck

Ron Martell Duncan B.C. Canada
--
Microsoft MVP (1997 - 2006)
On-Line Help Computer Service
http://onlinehelp.bc.ca

"Anyone who thinks that they are too small to make a difference
has never been in bed with a mosquito."

 

[Doug Knox MS-MVP]

As an additional note, the Group Policy Editor (GPEDIT) does not exist in XP Home. And if you're having trouble getting into Safe Mode, boot normally. Then click Start, Run and enter MSCONFIG Go to the BOOT.INI tab and check the /SAFEBOOT option. Reboot. This forces XP to boot into Safe Mode. Undo the change when you're finished.

 

[Guest]

My reply is at the bottom of your message :

My daughter's computer (HP running WinXP Home SP2) has the same problem as
previously posted by another user. My daughter(who says she knew better)
clicked on a suspicious link in an AIM message she received, AIM went crazy,
and now Windows Security's firewall is disabled and auto update turned off,
with the ability to turn the firewall back on denied because of a group
control issue. The fix suggested by Bruce Chambers to the other poster to go
into group policy editor (start-run-gpedit.msc) would not work for me,
windows said it could not find it. McAfee found no virus, Ad-Aware found no
malware, but Spybot found 6 entries that all relate to windows security
center--it says it fixes them but the firewall problem remains and when I run
Spybot again it finds the same 6 entries. They are all registry changes,
they read as follows:

WindowsSecurityCenter.AntiVirusDisableNotify
settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security
Center\AntiVirusDisableNotify!=dword:0

WindowsSecurityCenter.AntiVirusOverride
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security
Center\AntiVirusOverride!=dword:0

WindowsSecurityCenter.FirewallDisableNotify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security
Center\FirewallDisableNotify!=dword:0

WindowsSecurityCenter.SP2Update
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Wondows\WindowsUpdate\DoNotAllowxps2!=dword:0

WindowsSecurityCenter.UpdateDisableNotiry
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security
Center\UpdayesDisableNotify!=dword:0

Any help would be appreciated, as I just spent many hours getting rid of the
downloader-AWX Trojan that McAfee found but could not remove, and now this.

Signed,
A weary not-really-computer-savvy Mom who has better things to do. LOL

Relax first . You can't do anything if you are weird Now , take a day off
work because this should be solved but it needs some time , some hours ...

Perform carefully and strictly the "Check for and eliminate" instructions in
my site
http://pandaman.my.contact.bg
to kill that malicious software . In addition ,on the bottom of the
instructions there is a link to the "Special clean" instructions which you
need to read


When you are clean , make sure you visit all other sections and protect your
PC and force your child use Limited accout and things like that ...


Panda_man

 

[Guest]

Thanks to all for the replies, I guess I have some work to do. If one of
these steps finds and removes the malware responsible, will the registry
settings go back to the way they should be or will I have to do it myself? I
know less about editing registry than I do about malware. Sigh.

Thanks again.

 

[Guest]

Ugh, same problem with me, I have been chasing this one for a week. This has
been the only place I have found the exact symptoms to my problem, however I
have not seen any posts from users who were able to correct the errors.

I will try the suggestions here and report back.

 

[Steven L Umbach]

As far as problems with the Windows Firewall and Windows Updates logon as an
administrator and then use regedit to open the registry editor. Go to
HKEY_LOCAL_MACHINE\SOFTWARE\Policies and right click and select export.
Choose a name and save the key to a folder. Hopefully you will not need it
again but this is best practice when messing with the registry to save
existing configuration before making a change. Then go down to Microsoft,
select Windows Firewall, right click and select delete. Do that same for
Windows\WindowsUpdate. Then reboot your computer and see if that helps. I
HIGHLY recommend that if at all possible you do not allow other users to be
local administrators on your computer or you do not use your local
administrator account unless needed as that malware or spyware needed
administrator access to do the changes that it did. The risk is particularly
high when using any internet application or opening email. --- Steve

http://www.microsoft.com/athome/security/protect/windowsxpsp2/Default.mspx
-- Protect Your PC tips

 

[1PW]

Well, to tell you the truth! I have had all sorts of "malware" ruining
Windows Server 2003!

Although I had all kinds of security precautions one could ever think
of, at the end the server was "nailed"!

Can you specifically detail how the server was protected from malware?

After trying all kinds of malware utilities (and also purchased some of
them since they showed me possible solutions that could only be solved
by registration) most of the problems weren't solved.

I'm sure you mean antimalware utilities. But, which ones and
specifically, what were the problems?

The BEST SOLUTION that I came across, and I am sure it will LITERALLY
make your problems disappear, was Malwarebytes' Anti Malware.

The great thing about this software is that it will perform fixes
without any kind of purchase! The demo period is fully functional!

Malwarebytes' Anti Malware can be downloaded from:
http://www.malwarebytes.org/

I wish you *all* the best of luck!

Perhaps if MBAM's "full version" is now in-use, some of the server's
problems will be avoided.

Respectfully,

 

[Anteaus]

Most important aspect of server security is to minimize the attack surface.

Disable unneeded services (particularly IIS if it's not a webserver,
terminal services, etc. if not used.) Close remote-access loopholes such as
Administrative Shares and Remote Registry if you have no need of them.
Disable CD and USB auto-run. (Very important!) Ensure that the firewall only
allows access to those ports which are actually needed. (And yes on a DC
that's no simple task but it's bad practice to just turn the firewall off
instead) On a non-domain workgroup server, it's possible that 445 may be the
only port you actually need open to the LAN, plus perhaps the email ports
110/25.

And, most importantly, do not allow a Domain Admin logon to be used on any
workstation, as this opens the way for any malware running on that
workstation to attack the server across-the-wire. Instead, use a local Admin
logon for maintenance work.

Set a group policy to only allow designated server-operators to logon at the
server console (and lock the console if it's normally left logged-on) This
will stop users from treating the server as a 'spare computer' when the
admin's not around.

Attend to these essentials and your server probably won't get hit by
malware. Fail to attend to them and I can pretty-much guarantee it will, no
matter what anti-this or anti-that you install.

 

[1PW]

Most important aspect of server security is to minimize the attack surface.

Disable unneeded services (particularly IIS if it's not a webserver,
terminal services, etc. if not used.) Close remote-access loopholes such as
Administrative Shares and Remote Registry if you have no need of them.
Disable CD and USB auto-run. (Very important!) Ensure that the firewall only
allows access to those ports which are actually needed. (And yes on a DC
that's no simple task but it's bad practice to just turn the firewall off
instead) On a non-domain workgroup server, it's possible that 445 may be the
only port you actually need open to the LAN, plus perhaps the email ports
110/25.

And, most importantly, do not allow a Domain Admin logon to be used on any
workstation, as this opens the way for any malware running on that
workstation to attack the server across-the-wire. Instead, use a local Admin
logon for maintenance work.

Set a group policy to only allow designated server-operators to logon at the
server console (and lock the console if it's normally left logged-on) This
will stop users from treating the server as a 'spare computer' when the
admin's not around.

Attend to these essentials and your server probably won't get hit by
malware. Fail to attend to them and I can pretty-much guarantee it will, no
matter what anti-this or anti-that you install.

In the sense of postmortem analysis, it would have been quite helpful
to know exactly /what/ got through their defenses and /what/ those
defenses were that failed.

Good basic server hardening is certainly one of several important aspects.

 

[Anteaus]

That is true, in my experience it's fortunately not too common for servers to
be compromised. If it does happen, it warrants some thought as to why, and
what can be done to prevent a repeat.

The greatest concern for servers is probably SMB/RPC attack vectors, since
these do not require any user-interaction, and will often work despite users
having limited accounts. (and apparently server 2008 has a serious example of
such already, which does not bode well for future Microsoft security!)