Possible Malware???

Discussion in 'Malware Help (A Specialist Will Reply)' started by pthings, Feb 14, 2009.

  1. pthings

    pthings Private E-2

    I have been finding this entry of Microsoft.WindowsSecurityCenter.FirewallBypass in Spybot for the past week, and no matter how often I fix it, it always reappears upon reboot. I did some research on what the firewall bypass means and how it could have occurred. I found an explanation in the Spybot FAQ that said while it is not definite malware as such, it is a security risk that could have occurred by disabling an alert in the Windows Security Center. I do not recall manually changing anything, so I was concerned.

    Another thing that has been happening is every time I reboot and go to, say, Control Panel, I get a Windows Security pop-up saying that for my protection it is blocking Windows Explorer and asking whether I wish to keep blocking or unblock it. I have always selected keep blocking so far. Is this the right thing to do?

    I then came across this post in your forum from a few years ago:

    http://forums.majorgeeks.com/showthread.php?t=121531

    The fact that the expert in that thread mentioned it could be a trojan then got me to thinking I had the same problem so I followed the advice he gave and followed the 'READ AND RUN ME FIRST' tutorial completely.

    After the complete procedure I am still seeing Microsoft.WindowsSecurityCenter.FirewallBypass in Spybot and still receiving the pop-up message from Windows Security about keeping blocking Windows Explorer.

    I am running XP SP3 and all Windows updates have been completed.

    I have attached the 3 logs requested in the XP Cleaning Procedure and will attach the MGTools.zip next.
     


  2. pthings

    pthings Private E-2

    The MGTools.zip and HJT log file...
     


  3. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    This isn't malware; this is telling you that the option to monitor the status of your firewall is set to not monitor. This can happen by someone clicking do not monitor or a third party firewall automatically disabling it.

    Are you saying your Firewall is alerting you of this?

    That thread is 2 years old, things change daily, you can't go by that.
     
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your logs are clean! If you are not having any malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware & Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN, enter the below into the run box and then click OK. Note the quotes are required.
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between combofix" and /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from ComboFix (if it exists).
    3. If we had you run Avenger, you can delete all files related to Avenger now.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have re-enabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to Add/Remove Programs and uninstall HijackThis.
    8. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip file.
    9. If you are running Windows Vista, Windows XP or Windows ME, you need to follow the below:
      • Refer to the cleaning steps in the READ ME for your Windows version and see the steps to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
  5. pthings

    pthings Private E-2

    Thank you bjgarrick, good to know I am in the clear. I have followed the advised additional steps.

    I am still receiving:

    'Microsoft.WindowsSecurityCenter.FirewallBypass'

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\explorer.exe

    in Spybot whenever I run after a reboot.

    In addition, I am also still receiving Windows Security Alerts asking if I wish to keep blocking Windows Explorer. Sometimes a window will pop up to say Windows Explorer has been closed for my security, and then it goes on to send an error report to Microsoft.

    In spite of being free of malware, I would like to get to the bottom of what is causing this. Do you have any advice?

    I know the forums are busy so thanks again for your help, it's appreciated! :)
     
  6. pthings

    pthings Private E-2

    Sorry, I replied without seeing your first reply!

    When you say:

    "This isn't malware, this is telling you what the option to monitor the status of your firewall is set to not monitor. This can happen by someone clicking do not monitor or a third party firewall automatically disabling it."

    I am a little confused as I do not use a third party firewall and to the best of my knowledge I have never clicked a 'do not monitor' option. In the Windows Firewall exceptions list I see Windows Explorer is present but the box UNCHECKED. Also, the box underneath the exceptions list that says 'Display a notification when Windows Firewall blocks a program' IS checked.

    In answer to your other question, yes, the blue pop-up box that asks me if I'd like to keep blocking Windows Explorer is a message from Windows Security Center. I have just tried to get it to occur again, but it hasn't; it's very strange and there doesn't seem to be anything definite that makes it appear. What I have had in the last 5 minutes is a Data Execution Prevention pop-up that says it has closed Explorer and then sends an error report. I have no clue what is causing any of this and am trying to read up on it as I write this.

    I haven't reformatted and done a clean install of Windows for about 2 years now, could it be that there is just something corrupted?

    I appreciate the help so thanks again!
     
    Last edited: Feb 15, 2009
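The key quoted two posts up is the Windows XP SP2 firewall exception list; each value holds the string "path:scope:Enabled|Disabled:display name", and an "unchecked" box in the Exceptions tab is just the Disabled state. The script below is an added example, not from the thread or from Spybot: it parses a constructed .reg export of that key and flags entries for system binaries such as explorer.exe, which never need an inbound exception, whether the box is checked or not.

```python
"""Audit the XP firewall exception list (AuthorizedApplications) from a .reg export."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample export of the key named in the thread (not a real capture).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\explorer.exe"="C:\\WINDOWS\\explorer.exe:*:Disabled:Windows Explorer"
"C:\\Program Files\\Game\\game.exe"="C:\\Program Files\\Game\\game.exe:LocalSubNet:Enabled:Game: LAN play"
'''

# Shell and core service binaries have no business in an inbound-exception list;
# the explorer.exe entry is exactly what Spybot reported as "FirewallBypass".
SUSPICIOUS_BINARIES = {"explorer.exe", "svchost.exe", "winlogon.exe", "lsass.exe"}

_ENTRY = re.compile(r'^"(?P<name>.+)"="(?P<data>.+)"$')


@dataclass
class FwException:
    path: str
    scope: str      # "*" (any address), "LocalSubNet", or an address list
    enabled: bool   # False == the box in the Exceptions tab is unchecked
    display: str

    def is_suspicious(self) -> bool:
        # Listed at all is noteworthy: a disabled entry is one click from enabled.
        return self.path.rsplit("\\", 1)[-1].lower() in SUSPICIOUS_BINARIES


def parse_reg_export(text: str) -> List[FwException]:
    entries = []
    for line in text.splitlines():
        m = _ENTRY.match(line.strip())
        if not m:
            continue
        # .reg files double every backslash inside quoted strings; undo that.
        path = m.group("name").replace("\\\\", "\\")
        data = m.group("data").replace("\\\\", "\\")
        if not data.lower().startswith(path.lower() + ":"):
            continue  # malformed: value data must start with the same path
        # Strip the path prefix first so "C:" in the path cannot confuse the split.
        scope, state, display = data[len(path) + 1:].split(":", 2)
        entries.append(FwException(path, scope, state.lower() == "enabled", display))
    return entries


def audit(text: str) -> List[str]:
    """Return one finding per exception entry that warrants a second look."""
    findings = []
    for e in parse_reg_export(text):
        if e.is_suspicious():
            state = "enabled" if e.enabled else "disabled (unchecked)"
            findings.append(f"{e.path}: system binary in exception list, {state}, scope={e.scope}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_REG):
        print(finding)
```

On a live XP machine the export would come from `reg export` of the key above; the parser only needs the text.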
  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    No, it sounds like you need to install a third party software firewall as the Windows Firewall is hardly a firewall. See step 10 in my previous post and install a third party firewall and see what happens.
     
  8. pthings

    pthings Private E-2

    I have installed Zone Alarm and disabled the standard Windows Firewall. Thank you for the advice I feel better now knowing that I don't actually have anything on my system.

    Spybot still shows the Windows firewall bypass for explorer.exe but since I am now using Zone Alarm it doesn't matter as this will block it presumably.

    I have been getting a warning every now and again that an IP address 192.168.1.3:5........ is trying to access my computer but I'll do some research on this over at the Zone Alarm forum, I feel bad taking up your time as it is when I'm sure there are plenty of other people out there needing your help with real malware!

    Thanks again! :)
     
  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Could this be another system on your home network? Are you familiar with this IP address?
     
  10. pthings

    pthings Private E-2

    Yes, it turns out it's just my girlfriend's laptop. Zone Alarm looks great, so much better than Windows Firewall.

    Thank you!

    ;)
     
  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You're welcome!
     
