Thread: Spybot fixes error which then re-appears !

  1. #1
    Member
    Join Date
    Dec 2008
    Posts
    50

    Spybot fixes error which then re-appears !

    Hi there,

    When I run a Spybot S&D (or Malwarebytes Anti-Malware) scan I get an error:

    Microsoft.WindowsSecurityCenter.AntiVirusOverride - 1 entries security (Spybot S&D)

    and for MalwareBytes:

    Registry Keys Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f919fbd3-a96b-4679-af26-f551439bb5fd} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    I apparently removed it successfully on both, but it keeps cropping up on Spybot S&D all the time when I do repeat scans.

    Indeed when I was infected, I got a red shield popup on startup saying "Your computer may be at risk"
    and I had to go into Control Panel-> Security Centre -> and click on the anti virus "recommendations" button to select
    "I have an anti-virus program that I'll monitor myself".

    I've done this several times, sometimes I still get the red shield warning up and sometimes not.

    The results when I do these scans also seem inconsistent.
    At one point I thought I had removed it after running both scans, but now it's cropped up again in Spybot.

    I've also removed an "Adware.Agent" entry using Malware bytes when I thought I was clean:

    Files Infected:
    C:\System Volume Information\_restore{77CE76F8-E959-472D-9FDE-5F909B65082F}\RP1848\A0582040.exe (Adware.Agent) -> Quarantined and deleted successfully.

    Right now, Malwarebytes runs clean but Spybot S&D still finds the error again, even after fixing it, shutting down and restarting.
    And upon startup I still get the "Your computer may be at risk" red shield message associated with my anti-virus settings.
    (though I went through a period where it didn't appear and thought it was fixed)

    Bearing in mind I've already tried removing it myself what do I need to do ?
    Post a HJT log ?

    Thanks in advance.

  2. #2
    Member
    Join Date
    Dec 2008
    Posts
    50

    Oh just to expand on the Spybot error (if it helps....)

    (SBI $3604910C) Settings
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride (is not) dword:0

    With "Kind" showing "Registry change" on the right hand side.........

  3. #3
    Senior Member drragostea's Avatar
    Join Date
    Jan 2008
    Location
    @Home
    Posts
    3,674

    Hm... It could be possible that your AV was not recognized by Windows Security Center or it did not integrate properly into Security Center when it was installed. What AV do you use?

    This detection by Spybot is giving you a heads-up that the monitoring of your AV has been disabled (by the user [most likely since you said you did that]). That might explain why you constantly get that red shield warning. You fix it in the Spybot and you tell Security Center to ignore it.

  4. #4
    Member
    Join Date
    Dec 2008
    Posts
    50

    Quote: Originally Posted by drragostea
    Hm... It could be possible that your AV was not recognized by Windows Security Center or it did not integrate properly into Security Center when it was installed. What AV do you use?

    This detection by Spybot is giving you a heads-up that the monitoring of your AV has been disabled (by the user [most likely since you said you did that]). That might explain why you constantly get that red shield warning. You fix it in the Spybot and you tell Security Center to ignore it.

    Let me put it another way........

    If I select "I have an antivirus program that I'll monitor myself", then I run a Spybot scan, fix the error and shutdown, should I get the red shield up again with my security center setting (that I chose before I shutdown) reversed when I re-start ?

    If not (as would seem logical) then what advice do you have to fix the problem ?

    By the way, when you said, "most likely since you said you did that", I only did it AFTER it was initially disabled by "someone" else (as in the actual Spybot error description......)

    Hope that basic logic makes sense.
    Last edited by mariner77; 2009-05-09 at 06:07. Reason: added bit

  5. #5
    Senior Member drragostea's Avatar
    Join Date
    Jan 2008
    Location
    @Home
    Posts
    3,674

    Quote:
    If I select "I have an antivirus program that I'll monitor myself", then I run a Spybot scan, fix the error and shutdown, should I get the red shield up again with my security center setting (that I chose before I shutdown) reversed when I re-start ?

    No, because if you fix it, Spybot resets the registry value of the Security Center. When you tell Windows that you'll monitor your AV status yourself, the registry value is changed to 1. When Spybot fixes it, it is reset to 0 (default value). So you're going in a circle. As long as you keep fixing it and telling Windows that you're going to monitor your AV, it's not going to work.

    You never answered my question about what AV program you used.
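
An added example, not part of any poster's reply: the loop described in post #5 turns on one registry value, so its state can be checked directly instead of being inferred from the red shield. This Python sketch audits a `.reg` export of the Security Center key for values that are not `dword:0`; only `AntiVirusOverride` comes from the thread, the sibling value names are other XP-era Security Center values included as an assumption, and the sample export is constructed.

```python
import re

KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center"
# AntiVirusOverride is the value named in the thread; the sibling names are
# other XP-era Security Center values, added here as an assumption.
WATCHED = {"antivirusoverride", "firewalloverride", "antivirusdisablenotify",
           "firewalldisablenotify", "updatesdisablenotify"}

SECTION = re.compile(r"^\[([^\]]+)\]$")
DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')


def audit_reg_export(text):
    """Return {value_name: int} for watched values that are not dword:0."""
    findings = {}
    in_key = False
    for raw in text.splitlines():
        line = raw.strip()
        section = SECTION.match(line)
        if section:
            # Only values under the Security Center key are of interest.
            in_key = section.group(1).lower() == KEY.lower()
            continue
        value = DWORD.match(line) if in_key else None
        if value and value.group(1).lower() in WATCHED:
            number = int(value.group(2), 16)
            if number != 0:
                findings[value.group(1)] = number
    return findings


# Constructed sample export, not taken from the poster's machine.
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000000
"UnrelatedValue"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Example]
"AntiVirusOverride"=dword:00000001
"""

if __name__ == "__main__":
    for name, number in audit_reg_export(SAMPLE).items():
        print(f"{KEY}\\{name} is dword:{number:x}, expected dword:0")
```

A non-zero value shows only that Security Center monitoring is overridden, not whether the user or malware set it.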

  6. #6
    Member
    Join Date
    Dec 2008
    Posts
    50

    Quote: Originally Posted by drragostea
    No, because if you fix it, Spybot resets the registry value of the Security Center. When you tell Windows that you'll monitor your AV status yourself, the registry value is changed to 1. When Spybot fixes it, it is reset to 0 (default value). So you're going in a circle. As long as you keep fixing it and telling Windows that you're going to monitor your AV, it's not going to work.

    Fair enough, but the fact that I never changed the security setting myself before "someone" changed it, meant that it didn't matter whether I changed it or not.
    I still got the error, even after Spybot said it had fixed it, regardless of whether I changed the security setting or not.

    Quote: Originally Posted by drragostea
    You never answered my question about what AV program you used.

    I'll tell you what happened to me.......

    I was using AVG Free Edition and this is what Windows recognized as my AV.

    I was being censored on youtube (believe what you like) and almost instantly I got the red shield pop up with "Your AVG may be out of date".....

    Hence the "anti-virus override" error....... ?

    Panicking a bit, I shut down my computer quick and saw a strange task named like "[[[[[[[[[[[[[[" (or something similar) ending.........

    Then logging back on, I uninstalled AVG (hey if you get an AVG error at the exact same time as being censored and having weird tasks cropping up, you tend not to trust that either....) and tried resetting security centre to "I have my own antivirus program", and then went round in the circle trying to get Spybot to fix it.

    The good news is, after slagging off Spyware Doctor (for other reasons) I ran a full scan and found errors, one of which was a trojan relating I think to the "System Volume Information" restore folder. (my memory isn't great)

    Anyway, since then I don't get the error anymore (touch wood), so I think this is solved.

    One thing's for sure, it certainly wasn't me who changed the security setting, more likely some good soul censoring at youtube..........

    Now my e-mail that I registered with youtube has in its Junk folder an e-mail "Try out IP to location database" sent at the exact same time.

    Oh yeah, I'm so scared big brother........

    Think youtube, think c*ns**s*ip, think power-grabbing scumbags and their IT minions who don't want the truth getting out and will do anything to stop free speech that reflects the real truth.

    No wonder Rupert Murdoch says "the internet will soon be over".......

    www.infowars.com

  7. #7
    Senior Member Matt's Avatar
    Join Date
    Aug 2006
    Location
    Bavaria
    Posts
    1,169

    Hi mariner77,

    Quote: Originally Posted by mariner77
    One thing's for sure, it certainly wasn't me who changed the security setting

    Aggressive Malware can do this as well...

    Please remember... you can always do that, just to make sure that you're really clean.

    Best regards - Beste Grüße,

    Matt

  8. #8
    Senior Member drragostea's Avatar
    Join Date
    Jan 2008
    Location
    @Home
    Posts
    3,674

    Quote:
    I was being censored on youtube (believe what you like)

    I don't know what that means, I don't jump to conclusions.
    The Antivirus override detection made by Spybot was probably because that red shield popped up. Does this happen each time you visit Youtube? Any Youtube video?

    Censored... that could possibly hint that your ISP or your area might be blocking access to some sites.

  9. #9
    Member
    Join Date
    Dec 2008
    Posts
    50

    Quote: Originally Posted by Matt
    Hi mariner77,

    Aggressive Malware can do this as well...

    That's exactly what I think it was too........

    Quote: Originally Posted by Matt
    Please remember... you can always do that, just to make sure that you're really clean.

    Thanks, I nearly did, until I ran a Spyware Doctor scan, found a trojan (relating to financial phishing sites strangely) but it seems to have fixed it. (I got over 800 errors !) although to be fair 99.9% of these were "host file" errors....... Can't remember exactly.

    So I think I'm ok as the error has now stopped appearing and I've also downloaded the 30 day trial for AVG, done complete scans and scanned for rootkits too.....

    Suppose I'd like to be doubly safe and post a HJT but not really fair to post one now when I don't have any errors !
    Or should I ?

    Thanks for your help.
    Last edited by mariner77; 2009-05-10 at 21:03. Reason: added "Or should I ?"

  10. #10
    Senior Member drragostea's Avatar
    Join Date
    Jan 2008
    Location
    @Home
    Posts
    3,674

    Quote:
    Or should I ?

    Your choice.
