Malwarebytes and registry changes

Discussion in 'other anti-malware software' started by lawnfree, Mar 21, 2009.

  1. lawnfree

    lawnfree Registered Member

    Joined:
    Mar 21, 2009
    Posts:
    6
    First-time user of Malwarebytes. During a quick scan I found 1 registry key belonging to Worm.SDbot, which I looked up and deleted because it looked like it's a worm according to reviews. Also in reviews this worm was said to make other changes to the registry, which brings me to my next question.

    Malwarebytes also flagged 3 other registry data items; here they are:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

    My question is: should I remove them? The weird part is I'm running SP1 and I don't even have a Security Center as far as I know. Also I have Automatic Updates turned off; could this be the reason it shows up in the registry as disabled?

    Normally I would delete them, but I've read quite a bit of the horror stories regarding malware and the registry, how they can take down the system with it, or false positives that end up crippling the OS like the recent example with SUPERAntiSpyware.

    I'm taking the cautious route, what's your advice?

    And another thing, I just finished a complete scan with Malwarebytes and that's the only issue I'm getting, in the registry, no other malware anywhere. Does this mean these registry keys/data are leftovers of a previous infection that was cleaned? Or are they the infection itself? Thanks.
     
  2. darthsideous666

    darthsideous666 Registered Member

    Joined:
    Feb 9, 2007
    Posts:
    202
    Location:
    Secret Hideout on Coruscant
    Hello lawnfree,

    If you were to make your way over to the Malwarebytes forum you will see this topic as well! In a nutshell though it is what you suspected and is in reference to the disabling of the security center and not an infection. You can either ignore them or fix them, it is up to you.

    ds
     
  3. lawnfree

    lawnfree Registered Member

    Joined:
    Mar 21, 2009
    Posts:
    6
    Hi, thanks for the reply. The thing is, I have Windows SP1 and they only started with the Security Center from SP2 as far as I know? That's what bugs me. Looks to me like the malware just added the lines to the registry even though I have SP1.

    What would be the effect of deleting these registry keys?

    I tried looking this up at the Malwarebytes forum before posting here but couldn't find it, can you point me to the exact thread?
     
  4. darthsideous666

    darthsideous666 Registered Member

    Joined:
    Feb 9, 2007
    Posts:
    202
    Location:
    Secret Hideout on Coruscant
  5. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,980
    Location:
    U.S.A.
    lawnfree, first, welcome to Wilders! Here's another MBAM Forum thread: 3 problems found. Post #14 informs us why these Registry values were added.

    To check if you have a Security Center, click Start > Control Panel > Security Center.
     
  6. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Hi lawnfree,

    In this case, where the disabled Security Centre settings are flagged, MBAM will re-enable them, i.e. reset the registry key data value back so they are enabled again.

    This type of repair (not deletion) will not run the risk of registry corruption.

    As to why these values are appearing on SP1, I'm not sure what the root cause of this is.

    It is possible that you have 3rd-party software that takes control of those settings by default and maybe they have set the registry keys. Some internet suites/AVs have been seen to do this.

    hth
     
  7. lawnfree

    lawnfree Registered Member

    Joined:
    Mar 21, 2009
    Posts:
    6
    I have a security pack with AV, firewall etc... maybe that put them in there. Or maybe the worm did it, as some of the reviews said it can do it.

    I read the Malwarebytes thread and it looks like these are harmless; Malwarebytes just notifies you about them because malware can change them.

    I think I'll try repair just in case the worm did it, then I can go back myself and disable updates again, and I'm guessing the security pack will disable them again, if that's the cause. That merry-go-round shouldn't be a problem I guess? At least I'll find out who did it. Could that work, or maybe cause conflicts with the security pack?

    How about this part of my question...

    And another thing, I just finished a complete scan with Malwarebytes and that's the only issue I'm getting, in the registry, no other malware anywhere. Does this mean these registry keys/data are leftovers of a previous infection that was cleaned? Or are they the infection itself?

    I need to know if I was infected so I can change passwords etc... Do you guys change your passwords after you find infections like trojans/worms that can steal them, just to make sure?

    Thanks for the welcome, I've learned a lot from this place while lurking but I'm still very new to all this, hence the silly questions.
     
  8. darthsideous666

    darthsideous666 Registered Member

    Joined:
    Feb 9, 2007
    Posts:
    202
    Location:
    Secret Hideout on Coruscant
    lawnfree,

    I am not 100% but I do not think that the infection you mentioned in your original post is related to the registry scan results. I am sure you can verify this though with some further research on the worm or by posing your question over at the malwarebytes forum. Maybe fcukdat would be able to answer that best.

    ds
     
  9. lawnfree

    lawnfree Registered Member

    Joined:
    Mar 21, 2009
    Posts:
    6
    Yeah, it can be either the worm or the security software... That's why I wanted to repair them and then see what happens. Can it cause conflicts with the security software?

    The part you quoted, I was asking something different. Since the infection was only in the registry and nowhere else, was I infected at all, or are these just traces of earlier infections?

    You know how after you remove software it can still stay in the registry etc... Was this one of those cases? Can malware cause harm if it's just in the registry and nowhere else?
     
  10. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,980
    Location:
    U.S.A.
    lawnfree, as an exercise just to see what would happen, I ran a MBAM scan on my Win XP SP2 rig and the results were the same as yours:

    [screenshot attachment: 2009-03-21_163504.gif]

    However, I elected to remove them all. Restarted my PC and ran another scan, this time all clean:

    [screenshot attachment: 2009-03-21_165349.gif]

    So I went into the Registry to check the keys and they were all there, except now the REG_DWORD values were set to 0 (disabled - meaning MBAM would not pick them up):

    [screenshot attachment: 2009-03-21_165922.gif]

    Since I do have a Security Center, I traveled to the Alert Settings via the Change the way Security Center alerts me link:

    [screenshot attachment: 2009-03-21_171232.gif]

    Unchecked the 3 boxes above. Then, checked the Registry and I found the 3 same keys but now the REG_DWORD values had been set to 1 (enabled):

    [screenshot attachment: 2009-03-21_171405.gif]

    Ran another MBAM scan and of course, the same 3 Registry keys appeared once more as Infected. This time I selected Ignore.

    I don't think that these are traces of past infections and as fcukdat explained, most security suites will register these keys, even if you don't have a Security Center. As shown above, if you remove these 3 keys via MBAM, it will only reset the values to 0, yet the keys will remain there so if a future infection tries to mess around with these keys, MBAM will alert you once again. I would not manually remove the keys from the Registry itself, let MBAM reset them.
     
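    Editor's added example (not code from the thread, from Malwarebytes, or from any poster): a PowerShell script that does by hand what JRViejo's experiment above shows MBAM doing, so you can see the data for yourself before letting any tool touch it. It reads the three `DisableNotify` values under the exact key path and value names from lawnfree's log, reports each as Good (0), Bad (1), missing, or of an unexpected type, and, only when run with `-Repair`, exports the key to a backup `.reg` file and resets any value that is 1 back to 0. It never deletes the key or the values, matching the advice in the thread. The 1 = suppressed / 0 = enabled meaning is taken from MBAM's "Bad: (1) Good: (0)" output; the backup path is a hypothetical default.

```powershell
# Added example, not code from the thread or from Malwarebytes.
# Audits the three Security Center "DisableNotify" values MBAM flagged and,
# with -Repair, resets any that are 1 back to 0 (the same repair MBAM performs).
# Assumptions: key path and value names exactly as in lawnfree's MBAM log;
# 1 = alert suppressed (MBAM "Bad"), 0 = alert enabled (MBAM "Good").
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Repair,
    # Hypothetical backup location; any writable path works.
    [string]$BackupPath = "$env:TEMP\SecurityCenter-backup.reg"
)

$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Security Center'
$Names   = 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify'

if (-not (Test-Path -Path $KeyPath)) {
    Write-Warning "$KeyPath is absent: no Security Center key on this machine (e.g. XP before SP2)."
    return
}

$key = Get-Item -Path $KeyPath

# Read each value. A missing value is reported as 'missing' rather than treated as 0,
# and the value type is checked so a REG_SZ "1" is not silently read as a DWORD.
$report = foreach ($n in $Names) {
    $val  = $key.GetValue($n, $null)
    $kind = if ($null -ne $val) { $key.GetValueKind($n) } else { $null }
    $state = if ($null -eq $val)          { 'missing' }
             elseif ($kind -ne 'DWord')  { "unexpected type $kind" }
             elseif ($val -eq 0)         { 'Good: alerts enabled' }
             elseif ($val -eq 1)         { 'Bad: alerts suppressed' }
             else                        { "unexpected value $val" }
    [pscustomobject]@{ Name = $n; Type = $kind; Value = $val; State = $state }
}
$report | Format-Table -AutoSize

if (-not $Repair) { return }

$bad = @($report | Where-Object { $_.Type -eq 'DWord' -and $_.Value -eq 1 })
if ($bad.Count -eq 0) { Write-Host 'Nothing to repair.'; return }

# Export the key first so the change is reversible with: reg import <BackupPath>
# Mirrors the thread's advice: reset the data, never delete the key or the values.
& reg.exe export 'HKLM\SOFTWARE\Microsoft\Security Center' $BackupPath /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg export failed (exit $LASTEXITCODE); nothing changed." }
Write-Host "Backup written to $BackupPath"

foreach ($b in $bad) {
    if ($PSCmdlet.ShouldProcess("$KeyPath\$($b.Name)", 'Set REG_DWORD data to 0')) {
        Set-ItemProperty -Path $KeyPath -Name $b.Name -Value 0 -Type DWord
    }
}
```

    Run it from an elevated PowerShell (HKLM writes need admin): `.\Check-SecurityCenter.ps1` only reports; `.\Check-SecurityCenter.ps1 -Repair -WhatIf` shows which values would be reset without touching them; `.\Check-SecurityCenter.ps1 -Repair` does the reset after writing the backup. Rerunning the report afterwards, or unticking the alert boxes in Security Center and rerunning, reproduces the 0/1 flip JRViejo observed, which is a quick way to confirm whether a security suite (rather than malware) is the one writing these values.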
  11. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    thanks for the good info
     
  12. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,980
    Location:
    U.S.A.
    jmonge, you are welcome! Take care.
     