Malwarebytes

Infected Registry Data Item
2bconfused
post Mar 14 2009, 11:43 PM
Post #1

Apologies if I'm not posting this in the correct forum section.
I just ran a quick MBAM scan which turned up: 1 Infected Registry Data Item.
I tried to quarantine it, but "Remove" was the only active option, and so that's what I did.
Can someone tell me what this is and whether I should do anything further? Here's the log file:


Malwarebytes' Anti-Malware 1.34
Database version: 1849
Windows 5.1.2600 Service Pack 2

3/14/2009 3:57:28 PM
mbam-log-2009-03-14 (15-57-12).txt

Scan type: Quick Scan
Objects scanned: 68523
Time elapsed: 4 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
2bconfused
post Mar 15 2009, 12:31 AM
Post #2

The log I posted is inaccurate...I had copied it before removing the "Infected" Registry item. That line now reads:

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

By the way...I ran a 2nd scan and this same "Infected" item shows up AGAIN. And there's nothing in my quarantine file.
nosirrah
post Mar 15 2009, 01:35 AM
Post #3

This key controls the warning you get about your antivirus software (out of date, not installed, ...). If the value is set to 1 you won't get any of these warnings, and multiple malicious applications do this to prevent you from knowing that they have disabled your antivirus software. MBAM is re-enabling this function in your log.

Do you have this disabled for a specific reason? Also, if you have any kind of reg guard software it might be preventing the changes we are attempting to make.


--------------------
Bruce Harrison
Vice President of Research



starr3882
post Mar 15 2009, 01:43 AM
Post #4

nosirrah,

Can you explain further? I just got the same thing, as well as \FirewallDisableNotify. When I scanned approximately 7 hours ago, everything was fine...now I get this. Should I quarantine or is this a fp?
Reilly'sPal
post Mar 15 2009, 02:29 AM
Post #5

I am receiving the same two items as starr3882. I also had a clean scan several hours ago. Is there any additional info on these notifications?
Madeline
post Mar 15 2009, 03:20 AM
Post #6

I'm getting the same 2 items as others on this thread:

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Like 2bconfused, these items don't appear in my Quarantine file. They got removed as it says above and there doesn't seem to be any problem so far. Also, like starr3882, I'd run a scan a few hours earlier and nothing showed up then.
I've had a look at the settings on the Security Center and changed the alerts back to notify me only if my Automatic Updates setting is wrong, as my Internet security program will notify me if there is anything problematic with my Firewall or AV settings.
Wasn't there something similar to this with Spybot some time ago?


--------------------
Windows XP Home SP3.
If at first you don't succeed, failure may be your style. - Quentin Crisp
Andy-FML
post Mar 15 2009, 04:26 AM
Post #7

Also received the same thing today.

CODE
Malwarebytes' Anti-Malware 1.34
Database version: 1849
Windows 5.1.2600 Service Pack 3

3/15/2009 1:22:43 AM
mbam-log-2009-03-15 (01-22-43).txt

Scan type: Quick Scan
Objects scanned: 67746
Time elapsed: 1 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
nosirrah
post Mar 15 2009, 07:02 AM
Post #8

Like I said before, these are registry keys that can be disabled by either malware (to prevent notification that protection is disabled) or by the user or their legit software to prevent conflicts or duplicate warnings.

If you are seeing these with no other signs of infection then it is far more likely that your 3rd party security software has disabled these warnings to prevent duplicate security warnings, and in these cases telling MBAM to ignore them once will forever solve the issue.

The keys themselves tell you exactly what they do:

FirewallDisableNotify -> If set to 1 then do not show Windows Firewall disabled warnings.

UpdatesDisableNotify -> If set to 1 then do not show the warning indicating that Automatic Updates are disabled.


--------------------
Bruce Harrison
Vice President of Research



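Added example tying together the explanations in posts #3 and #8. This is not code from the thread, from Malwarebytes or from any poster: it is a small Python triage script that pulls the Hijack.SecurityCenter lines out of an MBAM log, states what each flagged Security Center value suppresses when its data is 1, and, when run on Windows, reads the live values back with winreg so you can see whether something has set the flag again after MBAM reset it. The key path, value names and the Bad (1) / Good (0) meanings are taken from the logs and replies above; the sample log embedded in the script is constructed in the shape of those logs, not a real scan; the file name sc_triage.py is an assumption; and the live check assumes the XP-era key path shown in the logs, so it is not adapted to later Windows versions.

```python
"""Triage helper for MBAM 'Hijack.SecurityCenter' registry data items.

Added example (not Malwarebytes' code). Parses the 'Registry Data Items
Infected' lines of an MBAM log and, on Windows, compares them with the live
registry. Assumes the XP-era key path seen in the thread's logs.
"""
import re
import sys

# Key path exactly as it appears in the logs posted in the thread.
SECURITY_CENTER_KEY = r"SOFTWARE\Microsoft\Security Center"

# Meaning of each notify flag when its data is 1 (posts #3 and #8).
NOTIFY_FLAGS = {
    "AntiVirusDisableNotify": "antivirus missing / out of date / disabled warnings",
    "FirewallDisableNotify": "Windows Firewall disabled warnings",
    "UpdatesDisableNotify": "Automatic Updates disabled warnings",
}

# One data-item line: path, detection name, Bad/Good data, action text.
# The trailing '[...]' developer hash seen in some logs is ignored.
LINE_RE = re.compile(
    r"^(?P<hive>HKEY_[A-Z_]+)\\(?P<key>.+)\\(?P<value>[^\\\s]+)"
    r"\s+\((?P<detection>[^)]+)\)\s*->\s*"
    r"Bad:\s*\((?P<bad>\d+)\)\s*Good:\s*\((?P<good>\d+)\)\s*->\s*"
    r"(?P<action>[^.\[]+)"
)

# Constructed sample in the shape of the logs posted above (not a real scan).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.34
Database version: 1849
Windows 5.1.2600 Service Pack 3

Registry Data Items Infected: 2

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken. [5138494534363830417475666876]
"""


def parse_registry_data_items(log_text):
    """Return one dict per 'Registry Data Items Infected' line in the log."""
    items = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headers, counts, file/folder items, hash continuation lines
        d = m.groupdict()
        d["bad"], d["good"] = int(d["bad"]), int(d["good"])
        d["action"] = d["action"].strip()
        # MBAM's wording for "data reset from Bad to Good"; nothing is deleted.
        d["reset_by_mbam"] = d["action"].startswith("Quarantined")
        items.append(d)
    return items


def read_live_flags():
    """On Windows, read the three notify flags from HKLM; elsewhere return None."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module, imported lazily
    flags = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SECURITY_CENTER_KEY) as key:
        for name in NOTIFY_FLAGS:
            try:
                data, _ = winreg.QueryValueEx(key, name)
                flags[name] = int(data)
            except FileNotFoundError:
                flags[name] = None  # value absent: notifications are enabled
    return flags


def triage(items, live_flags=None):
    """Explain each flagged item; live_flags is read_live_flags() output or None."""
    report = []
    for it in items:
        name = it["value"]
        if it["detection"] != "Hijack.SecurityCenter" or name not in NOTIFY_FLAGS:
            report.append((name, "not a Security Center notify flag; look at it separately"))
            continue
        msg = f"was {it['bad']} (suppresses {NOTIFY_FLAGS[name]}); MBAM: {it['action']}"
        if live_flags is not None:
            if live_flags.get(name) == it["bad"]:
                # The log cannot say who set it (post #10): a legitimate AV/firewall
                # that owns the warning, or malware hiding that it killed protection.
                msg += "; set again in the live registry, something keeps resetting it"
            else:
                msg += f"; live registry now {live_flags.get(name)!r}, notifications enabled"
        report.append((name, msg))
    return report


if __name__ == "__main__":
    # Usage: python sc_triage.py [mbam-log.txt]; without a file the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    for value_name, message in triage(parse_registry_data_items(text), read_live_flags()):
        print(f"{value_name}: {message}")
```

Run it once right after a scan and again after a reboot: if a flag MBAM reported as "Quarantined and deleted successfully" is back to 1 and you have a third-party AV or firewall registered, that product is the likely owner of the warning and the Ignore List is the right answer; if nothing you installed owns it, treat the reset as a lead, not as noise.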
Newbi3
post Mar 15 2009, 10:35 AM
Post #9

Dear MBAM Gurus,

I too received the following errors on my scan today. I got this in my restricted user account on Window$ XP SP3. My understanding of the cause of these entries on my system is:

AntiVirusDisableNotify (Hijack.SecurityCenter) - Avast Pro anti-virus disabled this and is currently installed, updating and running correctly
FirewallDisableNotify (Hijack.SecurityCenter) - ZoneAlarm Pro disabled this and is currently installed and running correctly
UpdatesDisableNotify (Hijack.SecurityCenter) - I disabled this because I prefer to manually update Window$ on the second Tuesday of every month.

Attached below is a developer's log. Would be keen to hear any comments from MBAM on this. In particular:

- Why did these entries suddenly appear?
- Is my interpretation on the entries above reasonable?
- Is it safe to keep these entries in the ignore list permanently? (assuming the above reasons continue to be valid)

If you could please shed some light on this I would be most grateful.

Best regards,

Newbi3

CODE
Malwarebytes' Anti-Malware 1.34
Database version: 1851
Windows 5.1.2600 Service Pack 3

15/03/2009 11:36:00 AM
mbam-log-2009-03-15 (11-35-55).txt

Scan type: Quick Scan
Objects scanned: 76763
Time elapsed: 3 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken. [51384945343638304174756668761552706886837485903670798570831301414438586445483634456446343641424738615248395356345138614674688380848071856152706886837485900136707985708393347985745574838684377484666777704780857471903018130117]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken. [5138494534363830417475666876155270688683748590367079857083130141443858644548363445644634364142473861524839535634513861467468838084807185615270688683748590013670798570839339748370886677773774846667777047808574719030181301 17]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken. [51384945343638304174756668761552706886837485903670798570831301414438586445483634456446343641424738615248395356345138614674688380848071856152706886837485900136707985708393548169668570843774846667777047808574719030181301 17]

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
nosirrah
post Mar 15 2009, 01:53 PM
Post #10

QUOTE
Why did these entries suddenly appear?


We were asked to start fixing these as multiple infections are disabling them. Security Center notification defs were added yesterday.

QUOTE
Is my interpretation on the entries above reasonable?


Yes ;)

QUOTE
Is it safe to keep these entries in the ignore list permanently? (assuming the above reasons continue to be valid)


Yes, it is safe and this is the correct course of action for all user/legit software initiated system modifications that MBAM may detect.

One thing people reading this need to keep in mind is that there is no way to tell how something got disabled, only that it is. The vast majority of people never go beyond the antivirus software preinstalled on their system and the occasional free scanner, so these detections (for the vast majority of people) will only show up if malware has disabled them.


--------------------
Bruce Harrison
Vice President of Research



Andy-FML
post Mar 15 2009, 02:48 PM
Post #11

I disabled mine myself and was concerned that they just started to show up now.

Also there was suspicious login activity in an online account of mine, which was disabled as a result so I felt it was related. Ran full scan of both drives with Avast but nothing was found. (sorry OT)
Newbi3
post Mar 15 2009, 03:43 PM
Post #12

Dear Mr. Harrison and Andy-FML,

Thank you for the response. It is indeed pleasing to see that my understanding was commensurate with the experts' knowledge. Moreover because I consider myself not so skilled with computers. Hence my nickname :-)

Mr. Harrison - MBAM is a fantastic product. Keep up the great work you lads are doing!

Andy-FML - I recommend boot-time scans with Avast. Followed by a full MBAM scan in Window$ safe-mode. A little overkill however a full scan using SuperantiSpyware wouldn't hurt either.

I believe that MBAM and SAS are both excellent scanners. My apologies for mentioning the competition in this forum. However I use MBAM as the resident protection program against malware and spyware. In conjunction with Avast as the anti-virus protection.

Best regards,

Simon
2bconfused
post Mar 15 2009, 06:34 PM
Post #13

QUOTE (nosirrah @ Mar 14 2009, 06:35 PM) *
This key controls the warning you get about your antivirus software (out of date, not installed, ...). If the value is set to 1 you won't get any of these warnings, and multiple malicious applications do this to prevent you from knowing that they have disabled your antivirus software. MBAM is re-enabling this function in your log.
Do you have this disabled for a specific reason? Also, if you have any kind of reg guard software it might be preventing the changes we are attempting to make.


Hi Bruce (ADMIN:Nosirrah)....I'm the person who began this string (posts #1&2)...thanks for your replies which still leave me a bit confused.
I just re-scanned after updating MBAM from v.1849 to v.1851. Unfortunately, I still receive the same log entry as before:
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.


To answer your queries and add a bit more info:
No, I don't have any "reg guard software" (which you suggest as a possible culprit in your reply).
I only have Norton AntiVirus 2005 and the free version of AdAware 2008 (which, of course, doesn't run in real time).
My settings are no different from when I've run prior scans. They are as follows:
I leave Windows (XP SP2 Home Ed.) Firewall enabled. It's always been configured (re: Norton's instructions) with Norton Live Update added to its Exceptions List, so that Norton's and Windows' firewalls don't conflict (I know they're both pretty paltry ;) ...and I can still receive my Automatic Updates).

Prior to running a scan I've always disabled my NAV (out of an abundance of caution) and did so this time as well.
1.Does the above provide any insight into why I've suddenly begun receiving the "Registry Data Infected" log notation (despite not making any system changes)?
2.When you suggest changing registry key...I don't know how to do that (or even what that actually means).
Does your 2nd reply in this string, copied below, describe what's occurring in my case? (If so, if I run another scan, and then hit ignore when I (again) receive that log entry warning, what protection will I have if some malware (in the future) turns off my protection and MBAM is configured to ignore this?



Like I said before, these are registry keys that can be disabled by either malware (to prevent notification that protection is disabled) or by the user or their legit software to prevent conflicts or duplicate warnings.
If you are seeing these with no other signs of infection then it is far more likely that your 3rd party security software has disabled these warnings to prevent duplicate security warnings, and in these cases telling MBAM to ignore them once will forever solve the issue.
The keys themselves tell you exactly what they do:
FirewallDisableNotify -> If set to 1 then do not show Windows Firewall disabled warnings.
UpdatesDisableNotify -> If set to 1 then do not show the warning indicating that Automatic Updates are disabled.
Newbi3
post Mar 15 2009, 07:17 PM
Post #14

Dear 2bconfused,

I apologise if I hijacked your thread.

I think Mr. Harrison already provided the answer to your first question:

QUOTE (nosirrah @ Mar 15 2009, 02:53 PM) *
Security center notification defs were added yesterday.


I would wait for the response to the second question.

Good luck!

Simon

PS: I can only strongly recommend upgrading to SP3. Moreover - are the Norton 2005 subscription and the virus definitions current?
Madeline
post Mar 16 2009, 02:47 AM
Post #15


Since I was the one who changed the settings on my PC, rather than malware doing it, I've done what nosirrah/ Bruce Harrison said in post #8. I ran a scan and when it found the same 2 items, I told MBAM to ignore them, so they're now shown on my Ignore List and I don't expect them to show up on future scans.

These aren't really false positives as such. I think it's right that MBAM flags up these 2 items in case they have been altered by malware. The program doesn't know one way or another how the change happened.


--------------------
Windows XP Home SP3.
If at first you don't succeed, failure may be your style. - Quentin Crisp
exile360
post Mar 16 2009, 04:08 AM
Post #16

That's exactly right Madeline; in fact Spybot Search & Destroy has been flagging this setting in its scans for a very long time now. I think it's worth the inconvenience of having to click Ignore for the sake of having MBAM be able to fix the issue if it really was caused by malware.


--------------------
Samuel E Lindsey
Quality Assurance



2bconfused
post Mar 16 2009, 04:42 PM
Post #17

QUOTE (exile360 @ Mar 15 2009, 09:08 PM) *
That's exactly right ............. I think it's worth the inconvenience of having to click Ignore for the sake of having MBAM be able to fix the issue if it really was caused by malware.


1. ......but for me - when I scanned - every option (including "Ignore") was inactive!!! When I tried to hit Ignore nothing would occur.
"Remove" - at the bottom of the window - was the only option for me (the only "active" choice). As I said in my prior posts, I proactively choose to disable my virus protection before scanning, but I don't seem to be able to select "Ignore" at the top of the window, instead of "Remove" at the bottom, with regard to the "Infected Registry Data Item."
2. I don't understand what Nosirrah is suggesting I do (if anything?) in his post "# 8 when he says:
FirewallDisableNotify -> If set to 1 then do not show windows firewall disabled warnings .
UpdatesDisableNotify -> If set to 1 then do not show the warning indicating that automatic updates are disabled .

Perhaps he's just explaining that MBAM - in an abundance of caution - assumes such a setting was caused by malware (rather than by the user).
3. Nor do I understand what was attempted by MBAM, which Nosirrah refers to in his post #3 (only know it seems to change my settings for the worse):


"MBAM is re-enabling this function in your log. (***** What did MBAM do?****) Do you have this disabled for some reason?.......it might be preventing the changes we are attempting to make".

I'm afraid I don't understand his 1st sentence or what changes you have made...but it seems to have made matters worse.
Sorry to be "thick as a plank".....but bottom line....how can I choose Ignore when I receive that log entry whilst not having MBAM "mess up" or change my Windows Security Centre Virus Protection settings.
I do appreciate your assistance and regret that I am so slow to catch on :) Do bear with me......
exile360
post Mar 16 2009, 11:28 PM
Post #18

As far as what MBAM does with it, it doesn't get deleted, it changes a 0 to a 1 in the registry. If it was changed back (which it was, and that's why MBAM still showed it the second time you scanned) it's probably because of the antivirus you're using monitoring its own status, thus disabling Windows' built-in monitor (Security Center). To ignore an item you have to highlight it by left-clicking on it with your mouse and clicking the Ignore button at the bottom of the program. You can do this for each of those entries if you don't want MBAM to change anything.


--------------------
Samuel E Lindsey
Quality Assurance



2bconfused
post Mar 17 2009, 12:17 AM
Post #19

QUOTE (exile360 @ Mar 16 2009, 04:28 PM) *
As far as what MBAM does with it, it doesn't get deleted, it changes a 0 to a 1 in the registry. If it was changed back (which it was, and that's why MBAM still showed it the second time you scanned) it's probably because of the antivirus you're using monitoring its own status, thus disabling Windows' built-in monitor (Security Center). To ignore an item you have to highlight it by left-clicking on it with your mouse and clicking the Ignore button at the bottom of the program. You can do this for each of those entries if you don't want MBAM to change anything.


Thanks exile360. At last...all is well. And just in case anyone else runs into the same problem I did...I was only able to finally find and select "ignore" by right clicking on the entry and selecting "Add to Ignore List" from the drop down menu.
It's always so embarrassingly obvious once one finally 'gets' it :)
I appreciate everyones helpful input.......
exile360
post Mar 17 2009, 02:16 AM
Post #20

You're welcome. I'm glad you finally got it sorted out.


--------------------
Samuel E Lindsey
Quality Assurance



