Jump to content
2bconfused

Infected Registry Data Item

Recommended Posts

Apologies if I'm not posting this in the correct forum section.

I just ran a quick MBAM scan which turned up : 1 Infected Registry Data Item.

I tried to quarantine it but "Remove" was the only active option and so - that's what I did.

Can someone tell me what this is and whether I should do anything further? Here's the log file:

Malwarebytes' Anti-Malware 1.34

Database version: 1849

Windows 5.1.2600 Service Pack 2

3/14/2009 3:57:28 PM

mbam-log-2009-03-14 (15-57-12).txt

Scan type: Quick Scan

Objects scanned: 68523

Time elapsed: 4 minute(s), 17 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

I'm a few mintues new here but if i have posted in the wrong forum..plz forgive...and i hope i can

contribute by commenting... But i know why ur getting the infection in ur registry...it shows as

an infection but its not....its an option u chose on ur settings for windowsupdate...sounds like

you may not have the automatic option checked....and if u remove it disappears from the

present scan but being that the next scan u still have the same option checked on ur

windows update..it will continue to do the same thing as if it was a first time scan..

To test this theory of mine..enable windowsupdate feature to on..then scan again and

waaaaaaaa laaaaaaa no more infections...its just the setting...i get this myself and i've

tested it and thas what's doing it..

I hope this has helped you...

Share this post


Link to post
Share on other sites

I just want to say to the Malwarebytes staff, you have a great program there...i have it and i think its one

of the best in the market.....as with any software...takes time to make it good but malwarebytes is

there already..

I've recommened Malwarebytes and will continue plugging it..thas how good i think it is.

THANK you staff for a great software.....have a great day

Share this post


Link to post
Share on other sites

I've been getting this same thing in MBAM but I got a virus just a couple days ago.

I ran Combofix and MBAM and they both seemed to fix a lot of my problems but now the only thing that is showing up Disabled.SecurityCenter and it doesn't always show up. If I run combofix and then MBAM after, it doesn't show up but after a while I'll run another scan with MBAM and Disabled.SecurityCenter will be there. Am I still having problems with this virus disabling Symantec End Protection or is this the same case that everyone else is having? I keep getting a message from Symantec that reads: [sID: 23615] HTTPS Tidserv Request 2 detected

I've also been running spybot-S&D and it just keeps picking up tracking cookies.

Should I reimage my computer?

Here's my MBAM log immediately after running combofix. This is a full scan:

Malwarebytes' Anti-Malware 1.45

www.malwarebytes.org

Database version: 3970

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

4/13/2010 12:44:54 PM

mbam-log-2010-04-13 (12-44-54).txt

Scan type: Full scan (C:\|)

Objects scanned: 165518

Time elapsed: 35 minute(s), 33 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

And my log before is bringing this up:

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Just like everyone else.

Thanks for the help!

Share this post


Link to post
Share on other sites
This key controls the warning you get about your antivirus software (out of date , not installed .....) . If the value is set to 1 you wont get any of these warnings and multiple malicious applications do this to prevent you from knowing that they have disabled your antivirus software .

Do you have this disabled for a specific reason ? Also if you have kind of reg guard software it might be preventing the changes we are attempting to make .

The keys themselves tell you exactly what they do :

FirewallDisableNotify -> If set to 1 then do not show windows firewall disabled warnings .

UpdatesDisableNotify -> If set to 1 then do not show the warning indicating that automatic updates are disabled .

AntiVirusDisableNotify -> If set to 1 then do not show anti-virus disabled warnings

If you are seeing these with no other signs of infection then it is far more likely that your 3rd party security software has disabled these warnings to prevent duplicate security warnings and in these cases telling MBAM to ignore them once will forever solve the issue .

* please note *- IF YOUR NOT SURE WHAT CAUSED THESE SETTINGS TO CHANGE ASK SOMEONE THAT DOES BEFORE PUTTING THEM ON YOUR IGNORE LIST

hello everyone

I seen this thread and thought I'd tell you bout a recent repair I did were I discovered the same detections this thread is about

I recently repaired a PC that had McAfee installed on it McAfee had disabled these security notifications

the PC I repaired had an infection that McAfee had missed, I used Malwarebytes and Spybot Search And Destroy to clean the infection while I was working on it I noticed Malwarebytes detected these registry data infections

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) ->

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) ->

I knew what these setting were but wasn't thrilled McAfee (I wasn't sure what disabled them at first but after doing some research I figured out it was McAfee ) had disabled them I re-enabled them in the security center and rescanned with Malwarebytes (searching for any remaining infection) and these detections were gone as was the infection I was removing. after the machine was completely repaired I double checked the security center notifications and they were still on,and I rescanned the machine with everything I had available no further problems were found and McAfee was up to date and working fine it seems that McAfee did not change the settings back they haven't changed since I re-enabled them and I haven't had any other complaints from my client

Share this post


Link to post
Share on other sites

My for being late to this party. I encountered the same problem yesterday with the Windows security Center. As of now, I'm going to choose the Ignore option. I started a thread on this topic in the Wilder Security Forums. If I am making the wrong decision, please let me know. I realize I should be posting a log. I'm just really busy at this time.

Thanks.

Share this post


Link to post
Share on other sites

I couldn't figure out a way to edit my first reply.

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4165

Windows 5.1.2600 Service Pack 2

Internet Explorer 7.0.5730.13

6/2/2010 5:51:20 PM

mbam-log-2010-06-02 (17-51-20).txt

Scan type: Quick scan

Objects scanned: 117194

Time elapsed: 2 minute(s), 18 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 3

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Share this post


Link to post
Share on other sites

Maybe I am not making myself clear. Is this a false positive?

My Windows Security Center is not disabled. I have done three different online scans with zero threats found. Nod32 comes up clean. I also ran the Microsoft's Malicious Software Removal Tool (no threats found).

Thanks.

Share this post


Link to post
Share on other sites

It's not a false positive, these are marked because those particular monitoring abilities for the Security Center are disabled. The first two are very commonly disabled by third party antivirus and firewall software such as McAfee and Norton because they monitor themselves and alert you when they are disabled so Security Center's monitoring for AV and firewall are disabled to eliminate duplicate notifications to the user.

The third means that Security Center's capacity to alert you to the status of your Windows Updates and Windows Update settings has been disabled.

Please post back with the name and version of antivirus and firewall or internet security suite that you are using on your system.

Thanks :P

Share this post


Link to post
Share on other sites
It's not a false positive, these are marked because those particular monitoring abilities for the Security Center are disabled. The first two are very commonly disabled by third party antivirus and firewall software such as McAfee and Norton because they monitor themselves and alert you when they are disabled so Security Center's monitoring for AV and firewall are disabled to eliminate duplicate notifications to the user.

The third means that Security Center's capacity to alert you to the status of your Windows Updates and Windows Update settings has been disabled.

Please post back with the name and version of antivirus and firewall or internet security suite that you are using on your system.

Thanks :)

I am using Nod32 Antivirus, and the Windows Built-In Firewall. I am behind a NAT Router. Yesterday SUPERAntiSpyware came up with the same results. It has now been moved to quarantine. Malwarebytes is no longer giving me this warning. If it appears again I will post back.

Thanks for your reply! :-)

Share this post


Link to post
Share on other sites

hi - hope you can clarify my issue in a real easy to understand way!

my pc started having strange behaviour and then outlook didn't want to send/receive & my scanner "could not connect to default e-mail programme". took it to pc tech & the following scan was done.

I run XP , windows updates was set by myself to "notify but don't download or install", windows firewall off as it conflicted with my bitdefender , etc. ( bitdefender full system scan didn't show any problems)

how do I know if this was false/ true positive & how do one rectify my outlook problem - and is it necessary to re-install xp?

;)

Malwarebytes' Anti-Malware 1.46

www.malwarebytes.org

Database version: 4052

Windows 5.1.2600 Service Pack 2 (Safe Mode)

Internet Explorer 7.0.5730.11

2010/05/31 07:33:16 AM

mbam-log-2010-05-31 (07-33-16).txt

Scan type: Full scan (C:\|)

Objects scanned: 256861

Time elapsed: 1 hour(s), 24 minute(s), 21 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 4

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1a2cl9hb-10a0-27nd-cqp3-597182kam43g} (Generic.Bot.H) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (userinit.exe,C:\WINDOWS\system\svchost.exe) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

mbam_log_2010_05_31__07_33_16_.txt

Share this post


Link to post
Share on other sites

Hi,

In your case, this is no false positive, so if you still need additional help to verify if the malware is gone, please do next:

Scan and post logs - read note at bottom in green

If you're having Malware related issues with your computer that you're unable to resolve.

  1. Please read and follow the instructions provided here: I'm infected - What do I do now?
  2. If needed please post your logs in a NEW topic here: Malware Removal - HijackThis Logs
  3. When posting logs please do not use any Quote, Code, or other tags. Please copy/paste directly into your post and do not attach files unless requested.

  • Please do not post any logs in the General forum. We do not work on any logs posted in the General forum.
  • Please do not install any software or use any removal/scanning tool except for those you're requested to run by the Helper that will assist you.
  • Using these other tools often makes the cleanup task more difficult and time consuming.
  • If you have already submitted for assistance at one of the other support sites on the Internet then you should not post a new log here, you should stay working with the Helper from that site until the issue is resolved.
  • Do not assume you're clean because you don't see something in the logs. Please wait until the person assisting you provides feedback.
  • There are often many others that require asistance as well, so please be patient. If no one has responded within 48 hours then please go ahead and post a request for review

  • NOTE: If for some reason you're unable to run some or any of the tools in the first link, then skip that step and move on to the next one. If you can't even run HijackThis, then just proceed and post a NEW topic as shown in the second link describing your issues and someone will assist you as soon as they can.

Share this post


Link to post
Share on other sites

Hi,

In your case, this is no false positive, so if you still need additional help to verify if the malware is gone, please do next:

Scan and post logs - read note at bottom in green

If you're having Malware related issues with your computer that you're unable to resolve.

  1. Please read and follow the instructions provided here: I'm infected - What do I do now?
  2. If needed please post your logs in a NEW topic here: Malware Removal - HijackThis Logs
    thanks -
    so, if I understand you correctly, first try the links to remove problem, if it doesn't work, when would it be necessary to uninstall windows & re-install (considering my mbam log)... this would be a major inconvenience ?

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    No registered users viewing this page.

×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.