Spyware From Microsoft?


John Gregory

I've been using Windows XP for about two years. In the past few days, I've
begun getting an occasional window after startup labeled "System32". Inside
are numerous folders and files. They've never been touched by me; I simply
close the window and move on.

Today I ran Spybot. It returned two items in registries; both identified as
being something from Microsoft.

The first is:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityCenter\AntiVirusDisableNotify!=dword:0

The second is the same through "SecurityCenter" then:
\FirewallDisableNotify!=dword:0

I didn't mark Spybot to fix the "problem" it sees. Should I? If not, why
would this be showing up just now after all this time? It may not be related
to that "System32" window that popped up but it sure is a coincidence.
 
John said:
I've been using Windows XP for about two years. In the past
few days, I've begun getting an occasional window after
startup labeled "System32". Inside are numerous folders and
files. They've never been touched by me; I simply close the
window and move on.
Today I ran Spybot. It returned two items in registries;
both identified as being something from Microsoft.

The first is:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityCenter\AntiVirusDisableNotify!=dword:0

The second is the same through "SecurityCenter" then:
\FirewallDisableNotify!=dword:0

I didn't mark Spybot to fix the "problem" it sees. Should
I? If not, why would this be showing up just now after all
this time? It may not be related to that "System32" window
that popped up but it sure is a coincidence.

They're probably unrelated issues. That said, it wouldn't hurt
to run a scan with your antivirus program. Make sure it's been
updated.

When was the last time you ran Spybot? Over a month ago the
makers of Spybot S & D decided to include a feature which would
report if alerts that are generated by the Windows Security
Center have been disabled. A number of antivirus programs
(McAfee, Norton, etc.) disable the antivirus alert during
installation. Unfortunately, some spyware does this as well so
an up-to-date version of Spybot will report this behavior.

If you want to test this, do the following: run Spybot and have
it fix those two problems. Now restart your computer. At some
point during the startup process you may receive a message from
your AV program asking if you want it to stop Windows Security
center from monitoring your AV protection. Answer yes. Run
Spybot and you're going to see those errors showing up again.
If you right click on the errors in Spybot you can choose to
exclude them from future scans.

From the Spybot web site:

Why does Spybot-S&D flag changes in the Windows Security
Center?
http://www.safer-networking.org/en/faq/46.html

Here are a few threads from the Spybot forum which
discuss this issue:

Antivirus Is Off Alert, after the latest defs update
http://forums.net-integration.net/index.php?showtopic=32300

Spybot Search And Destroy 1.4, Possible Problem or false
positive
http://forums.net-integration.net/index.php?showtopic=32260

Security Risks, Is this a false positive?
http://forums.net-integration.net/index.php?showtopic=32257

As for the System32 folder opening, take a look at this
article:

System32 Folder Opens When Logging on to Windows XP
http://support.microsoft.com/kb/q170086/

Good luck

Nepatsfan
 
When that comes up after a scan, just left-click on those, then right-click,
and indicate you want those "ignored" on future scans.
 
Spybot apparently is the culprit. I was unaware of how it began treating
Windows Security Center. I remember the scan made a week or two ago.
Trusting Spybot, I accepted the fix. That's when I started getting that
System32 folder popping up at startup.



Am I better served with Windows Security Center activated or turned off and
McAfee handling the tasks? If McAfee should handle, how do I give control
back to that program? The fact that my McAfee window tells me the antivirus
protection is running is a possible indicator that whatever needs to be
turned on is, in fact, turned on. Right?
 
This is just my opinion, but I'd let McAfee's Security Center
take control from the Windows Security Center.

To see if the McAfee Security Center is in charge, check the
following:

Right click on your Taskbar at the bottom of the screen and
select Task Manager from the menu.
1. In Task Manager, look for an entry named Mcdetect.exe.
2. Go to Start -> Run and enter services.msc in the Open box.
Click OK.
In the right hand pane, look for "McAfee WSC Integration".
Make sure Started is displayed in the Status column and
Automatic in the Startup Type column.
If that's not the case you'll need to right click on it and
select Properties from the menu.
Make the appropriate changes on the General tab.
3. Go to Start -> Control Panel and double click on Security
Center.
In the left hand column, click on "Change the way Security
Center alerts me".
If McAfee's security center is in control you'll see an
empty box next to Virus Protection. The box next to
Firewall will be empty as well if you're using a firewall
program supplied by McAfee or another third party.

Nepatsfan
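
The checks described in this thread (the two Security Center values Spybot reported, plus the McAfee service and process named above) can be read in one pass. This is an added example, not code from any poster or vendor; it assumes PowerShell 3.0 or later is available on the machine, and the function name `Get-SecurityCenterAlertState` is hypothetical. It only reads; it changes nothing.

```powershell
# Added example: read-only report of the items discussed in this thread.
$key   = 'HKLM:\SOFTWARE\Microsoft\SecurityCenter'
$names = 'AntiVirusDisableNotify', 'FirewallDisableNotify'

function Get-SecurityCenterAlertState {
    param([string]$Path = $key, [string[]]$ValueNames = $names)

    if (-not (Test-Path $Path)) {
        Write-Warning "$Path not found on this system."
        return
    }
    $props = Get-ItemProperty -Path $Path
    foreach ($name in $ValueNames) {
        $prop = $props.PSObject.Properties[$name]
        if ($null -eq $prop) {
            $value = $null; $state = 'value not present'
        } elseif ($prop.Value -eq 0) {
            $value = $prop.Value; $state = 'alerts enabled'
        } else {
            # Non-zero is the "!=dword:0" condition Spybot flags.
            $value = $prop.Value; $state = 'alerts disabled'
        }
        [pscustomobject]@{ Name = $name; Value = $value; State = $state }
    }
}

Get-SecurityCenterAlertState | Format-Table -AutoSize

# Service and process named in the post above (present only with VirusScan 10.0).
$svc = Get-CimInstance Win32_Service -Filter "DisplayName='McAfee WSC Integration'"
if ($svc) {
    "Service: $($svc.DisplayName)  State=$($svc.State)  StartMode=$($svc.StartMode)"
} else {
    'Service "McAfee WSC Integration" is not installed.'
}

$proc = Get-Process -Name 'Mcdetect' -ErrorAction SilentlyContinue
if ($proc) { 'Mcdetect.exe is running.' } else { 'Mcdetect.exe is not running.' }
```

A non-zero value alongside a running third-party antivirus matches the benign case described above; a non-zero value with no antivirus or firewall product taking over the alerts is the case worth investigating.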
 
"McAfee WSC Integration" isn't listed but when I went to the Control Panel I
found what you described if McAfee were in control. What's more, the McAfee
Security Center window shows "Antivirus" and "Antihacker" readings at 10.0
which I take to mean everything is OK with McAfee. Right?
 
Having the Antivirus reading at 10 means that you have
VirusScan installed and operating properly. The Antihacker
reading at 10 means you have a firewall program installed and
operating. Both of those are readings you should expect to see
at all times.

I don't know why you don't have "McAfee WSC Integration" listed
as an installed service. What about Mcdetect.exe? Launch Task
Manager (Start -> Run -> taskmgr.exe) and click on the
Processes tab. Do you see Mcdetect.exe listed?

Just to be on the safe side you might want to run the McAfee
Virtual Technician:

McAfee Security - Virtual Technician
http://www.amiuptodate.com/mvt/

You'll be asked to install an ActiveX component in order to run
the utility. Download and install the ActiveX component and
then click on "Check System". Look for entries in the "Issues
Detected" column.

If you have any further questions with regard to McAfee
products, you might want to visit their support page:

McAfee Technical Support
http://ts.mcafeehelp.com/?siteID=1&resolution=800x600

They also have support forums where you can post questions
regarding their products:

McAfee Help Forums
http://forums.mcafeehelp.com/index.php

Good luck

Nepatsfan
 
It just hit me why you wouldn't see "McAfee WSC Integration"
listed. That service as well as Mcdetect.exe would only be
present if you were running the latest version of VirusScan,
version 10.0. If you're running the 2005, or earlier, version
those items would not be present.

I'd still suggest visiting the Virtual Technician site. You
can disregard the notice that you'll receive about using an
earlier version of VirusScan. That's their way of prodding you
to purchase the latest version. As long as your AV program is
no more than two years old, 2004 or newer, you're fine.

Sorry for the confusion.

Nepatsfan
 
I ran Virtual Technician before reading your reply. Everything checks fine. I
am running version 9.1 and have 10 sitting unwrapped in a box (my
subscription doesn't expire 'til December I think). Unless I'm wrong, I see
no significant reason to cut my current subscription short just to have
version 10. Do you?
 
Thank you for the references Dave, and Pentium. I've read them all. Little
skittish about playing with the register. It's not a big thing to simply
close the System32 folder when it appears. I'll probably get frustrated in
time and brave the repair. Perhaps then, SpyBot might even have some way to
make it automatically since they caused it (well... I really did by
accepting the "fix" when Windows Security was found to have been altered.
Learned a bit of a lesson here.)
Dave Patrick said:
This article may help.
http://support.microsoft.com/default.aspx?scid=KB;en-us;q170086

These registry settings were determined according to your choice
immediately following the SP2 install.
http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/sp2maint.mspx

--

Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

John Gregory said:
I've been using Windows XP for about two years. In the past few days,
I've begun getting an occasional window after startup labeled "System32".
Inside are numerous folders and files. They've never been touched by me;
I simply close the window and move on.

Today I ran Spybot. It returned two items in registries; both identified
as being something from Microsoft.

The first is:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SecurityCenter\AntiVirusDisableNotify!=dword:0

The second is the same through "SecurityCenter" then:
\FirewallDisableNotify!=dword:0

I didn't mark Spybot to fix the "problem" it sees. Should I? If not, why
would this be showing up just now after all this time? It may not be
related to that "System32" window that popped up but it sure is a
coincidence.
 
The only reason I'd open it up before then would be if I needed
the UPC sticker from the box for a rebate. I'd wait until the
subscription had almost expired to run the installation. You
should receive email alerts from McAfee when there are 30 and 7
days left.

Nepatsfan
 
I have had the same problems when I built my machine in 11 of 2003 but I
also got a physical memory dump afterwards. When this happened over a dozen
times and I lost important data I ran a scan on all disk and drives, as it
turns out I had a virus not yet detected yet by the software companies,
wininit 32 also kept hitting my computer and then I finally found out a
virus ran in 200 and 2002 was caused by a cd that had been downloaded from a
file share web site, I could not stop the bug so had to reformat the drive,
Symantec has come up with the detection of the virus and it is spybot and
mydoom worm or a version of the worm from 2000, they still do not have a fix
for one of the bugs so if you are still getting the same problem TRUST ME
BACK UP RIGHT AWAY you will be hacked in the near future and you WILL LOSE
ALL DATA on a Physical Memory dump. Pay attention to your Virus software, it
may not detect the problem but it can be a warning system before a major
crash occurs. By the way if you have kids running file share programs remove
them and do not allow them to use them and block all old MP3 files and do
not allow them to run on your computer or you will have the same thing pop up
again.
 
This is a tad frightening. No one but me uses this machine, it's running a
firewall and is behind a router. Current McAfee finds no virus and all this
started when Spybot reported "=dword:0" in two Windows registers. What's the
probability here that I have a virus rather than a "simple" registry
adjustment?
 
John,

I think what Truckerbill is referring to is a worm named Spybot
that infected his computer sometime ago. Take a look at this
article for more information:

W32.Spybot.Worm
http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.worm.html

I think he saw a reference in your question to "Spybot" and
thought it may be related to the problem he had. Keep the
following things in mind. He's referring to a worm that happens
to be named Spybot. You ran a program named Spybot S & D. The
infection he's referring to happened in 2003. The "Security
Center" that you're referring to has only been a part of
Windows since Service Pack 2 was released in August of 2004.

If you're really concerned that there may be something present
on your computer that your current antivirus program hasn't
detected then you might want to visit one or more of the free
online virus scanning sites. Here's a list of some of the more
popular ones:

Run both the AntiVirus and the AntiSpyware scan on this site:
http://housecall.trendmicro.com/

Click on the "Scan your PC button" while holding down the CTRL
key (to override any popup stoppers):
http://www.pandasoftware.com/products/activescan/com/activescan_principal.htm

McAfee FreeScan
http://us.mcafee.com/root/mfs/default.asp?WWW_URL=www.mcafee.com/myapps/mfs/default.asp

Symantec Security Check
http://security.symantec.com/sscv6/default.asp?productid=symhome&langid=ie&venid=sym

Good luck

Nepatsfan
 