question
2010-10-18, 01:58
When I run Spybot Search and Destroy, I get a Microsoft.WindowsSecurityCenter_disabled detection. More specifically: (SBI $2E20C9A9) Settings HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start (is not) W=2 Registry Change.
When I tell Spybot to fix the problem, it tells me that it is fixed, and I can run another Search and Destroy and it will not register, but the next time I start my computer and run Search and Destroy, it detects the same change.
I have tried right-clicking, selecting More Details, and jump to location, where I follow the file path, click on the file, and change the Value data from 4 to 2; however, when I restart my computer, it changes back to 4 and re-registers a registry change when I run Search and Destroy.
When I start my computer in Safe Mode, I can run Search and Destroy, select Fix selected problems when Microsoft.WindowsSecurityCenter_disabled pops up, and restart my computer in Safe Mode, run Search and Destroy again, and it will come back clean. However, when I start my computer in normal mode again, I will again get the Microsoft.WindowsSecurityCenter_disabled message.
This is not caused by other anti-virus software and I am not currently connected to the internet on the problem computer.
Previously, I had CoolWWWSearch.Leftovers HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\Win32 Classes
and
CoolWWWSearch.OleHelp
Autorun settings (svchost)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost
Autorun settings (svchost)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost
Program file
C:\Documents and Settings\(Me)\ApplicationData\Microsoft\svchost.exe
Program file
C:\Documents and Settings\(Me)\Application Data\Microsoft\svchost.exe
and I believe a keylogger that is not currently showing up under my Recovery page.
After I removed these threats, I did a system restore to the earliest point I could and started troubleshooting as I have explained above.