posted below is the log of last run of S&D. The last 4 times (days) have all been the same. Any idea why? Oh, and I checkd with MS (after looking thru their kb) and rec'd no answers their.

Besides the problem itself, I wonder what changed suddenly?

FPWD1

Helps if I actually add the log::laugh:
FPWD1

Windows Security Center.FirewallDisabled: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windowsfirewall\standardprofile\enablefirewall!=dword:1

Windows Security Center.FirewallDisabled: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windowsfirewall\domainprofile\enablefirewall!=dword:1


--- Spybot - Search && Destroy version: 1.3 ---
2006-07-21 Includes\Cookies.sbi
2006-07-21 Includes\Dialer.sbi
2006-07-21 Includes\Hijackers.sbi
2006-07-21 Includes\Keyloggers.sbi
2004-05-12 Includes\LSP.sbi
2006-07-21 Includes\Malware.sbi
2006-07-21 Includes\PUPS.sbi
2006-07-21 Includes\Revision.sbi
2006-07-21 Includes\Security.sbi
2006-07-21 Includes\Spybots.sbi
2005-02-17 Includes\Tracks.uti
2006-07-21 Includes\Trojans.sbi

FPWD1:

This really has nothing to do with the actual detection you are getting, however:

You are running Spybot 1.3. You should consider upgrading to Spybot 1.4.

There are four (4) download sites for Spybot-S&D 1.4 here:
Mirror Selection – The home of Spybot–S&D!
http://www.safer-networking.org/en/mirrors/index.html

Uninstall Spybot-S&D 1.3: FAQ - Frequently Asked Questions
How to uninstall?
http://www.safer-networking.org/en/faq/27.htmlInstall Spybot-S&D 1.4:
Execute spybotsd14.exe download above.
Do not change the default installation path of:C:\Program Files\Spybot - Search & Destroy
Make sure that you update Sptbot-S&D 1.4 before running a scan.
Note: If you upgrade and use TeaTimer be aware of the following:
There is currently a bug in TeaTimer 1.4. Portions of TeaTimer's popup dialog overlay the "Allow change" and "Deny change" buttons. On my system the very top edges of the "Allow change" button (on the left) and "Deny change" button (on the right) are showing and I am still able to select the options. I also can check "Remember this decision" since it is visible. If no portion of the "Allow change" and "Deny change" buttons are showing, you can answer TeaTimer's popup dialog (English language version) by pressing "A" on your keyboard for "Allow change" or "D" for "Deny change". Note: If you close the dialog without answering "Allow change" or "Deny change" the registry change is denied.

If you can't deal with the problem that way until it is fixed, you can:
Apply one of the workarounds found in the following pinned (Sticky) thread that fixes the pop-up dialog so the buttons are visible:
Solution to fix the pop-ups in TeaTimer
http://forums.spybot.info/showthread.php?t=122

There are Three (3) fixes published in that thread. They are:


The ResHacker fix published by ElPiedra (http://forums.spybot.info/member.php?u=128) here:
http://forums.spybot.info/showpost.php?p=423&postcount=1
The murdo (http://forums.spybot.info/member.php?u=440) patch published here:
http://forums.spybot.info/showpost.php?p=775&postcount=9
The patch originally by SyreneD (http://forums.spybot.info/member.php?u=1735) that I published here:
http://forums.spybot.info/showpost.php?p=2670&postcount=38
Also republished by SyreneD (http://forums.spybot.info/member.php?u=1735) himself here:
http://forums.spybot.info/showpost.php?p=23575&postcount=125


Disable TeaTimer as follows:
Go into Spybot > Mode > Advanced Mode > Tools > Resident.
Uncheck the following:Resident "TeaTimer" (Protection of over-all system settings) Active.

FPWD1:

re: the following detections:


Windows Security Center.FirewallDisabled: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windowsfirewall\standardprofile\enablefirewall!=dword:1

Windows Security Center.FirewallDisabled: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\windowsfirewall\domainprofile\enablefirewall!=dword:1
I have never seen queries concerning those particular detections before, so:
I assume that the detections are relatively new.
I must defer any definitive answers to a "Member of Team Spybot".
However, as a matter of curiosity, I do have a couple of question if you don't mind answering them:
Are you running Windows XP Pro?
If so:
Is this an independent implementation of Windows XP Pro?
--- or ---
Is this a system part of a network of systems, centrally controlled by an administrator?
If not what OS are you running?

we also have started to get this. We also run 1.4 with the most recent updates. This machine is a XP pro on a network where updates are pushed down to us. Nothing in the past about this particular find.

before we started getting this one http://forums.spybot.info/showthread.php?t=356

However, as a matter of curiosity, I do have a couple of question if you don't mind answering them:
[list] Are you running Windows XP Pro?

md usa
Don't mind at all! No, I'm not not running Pro, just plain HE with SP2 and all currrent updates.

I also have been running "Windows One Care Live" but I've been runninng that for over a year now (mostly in beta format- as a lab rat for MS:laugh: ) but that's out now as a finished (uhuh) version and IE7 (in beta2 and recently 3) but this started about a week after 3.
FPWD1

md usa

Thanks, I'll get 1.4 and see if it changes anything although scoutt says he gets the same messages with 1.4

FPWD1

that is correct. I have update information as well. in our network, of ~1000 people, a hand full are getting it. I suspect more tomorrow as the updates don't get to the workstations until after the scan every morning. Thus tomorrow everybody will have fridays update so it will happen to all of them. I got it early cause I worked on sunday. We disable the windows firewall through policy and spybot "fixed"/saw as a security threat? Having spybot see it and fix it made the windows security center popup in the systray saying we have a security issues with the firewall being off. our policy takes that popup away also but spybot brought it back.

I can understand why spybot sees this, but in a network environment is there a way to push out a fix to each workstation to exclude this setting? I know we can't edit/change files and it doesn't appear to be a registery setting.

for a individual user it is safe to do this but in a network environment it should be a admin setting or something. it should be left up to the network admin, not each user.

Ok, upgraded to 1.4 and as was the general consensus, no change. Same message. I also understand why Spybot sees this, but why wasn't it seen all along? Just the last 5-6 times? Wierd, very wierd.
FPWD1

... but why wasn't it seen all along?
FPWD1:

It appears as if the detections were just added. From:
Detection updates 2006-07-21
http://forums.spybot.info/showthread.php?goto=newpost&t=5976

Security
+ Windows Security Center.Firewalldisabled
+ Microsoft.WindowsSecurityCenter_disabled