#1
Posted 15 March 2009 - 04:56 PM
I have two entries after a scan for Hijack.Security Center as below. What do these entries mean? Will it change the registry if I remove?
I am running a Kaspersky AV 2009 and Online Armor Firewall. I found the Windows Firewall on, which should be off with OA FW.
Malwarebytes' Anti-Malware 1.34
Database version: 1849
Windows 5.1.2600 Service Pack 2
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
#2
Posted 15 March 2009 - 05:28 PM
edge, on Mar 15 2009, 12:56 PM, said:
I have two entries after a scan for Hijack.Security Center as below. What do these entries mean? Will it change the registry if I remove?
I am running a Kaspersky AV 2009 and Online Armor Firewall. I found the Windows Firewall on, which should be off with OA FW.
Malwarebytes' Anti-Malware 1.34
Database version: 1849
Windows 5.1.2600 Service Pack 2
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
I can't be 100% positive, but that looks like a false positive if you've disabled your XP Security Center notifications. I have all my XP security notifications disabled, and don't remember getting those items during a scan, but I do have those exact registry values (set to 0) in my registry.
What I have had is a start menu hijack entry, which is the result of my enabling "Show Logoff" on the Windows start menu. I've simply added this to the MBAM ignore list.
#3
Posted 15 March 2009 - 05:38 PM
coppertrail, on Mar 15 2009, 01:28 PM, said:
I can't be 100% positive, but that looks like a false positive if you've disabled your XP Security Center notifications. I have all my XP security notifications disabled, and don't remember getting those items during a scan, but I do have those exact registry values (set to 0) in my registry.
What I have had is a start menu hijack entry, which is the result of my enabling "Show Logoff" on the Windows start menu. I've simply added this to the MBAM ignore list.
What would be the best way to confirm a false positive? Run a HJT log? The latest MBAM database 1851 gives the same results and I did not change the security notifications prior to the scan. When I checked the security center after the MBAM scan I found Windows firewall enabled, which I then disabled.
#4
Posted 15 March 2009 - 06:05 PM
Hi,
These detections are as a result of MBAM adding them to the database recently and hence why they showed up after an updated scan.
We have seen many malware infections recently directly switching off (disabling) the security centre options. Because of this it was decided to alert the end user if those settings are disabled and also if needed during course of cleaning up an infected pc then to re-enable the security centre.
Unfortunately the software has no way of telling whether it was malware or end user that has disabled these settings.
So if you have knowingly disabled these options in security centre then please add to ignore list within MBAM scan so you will not receive repeat alerts.
hth
#5
Posted 17 March 2009 - 06:24 AM
edge, on Mar 15 2009, 06:56 AM, said:
I have two entries after a scan for Hijack.Security Center as below. What do these entries mean? Will it change the registry if I remove?
I am running a Kaspersky AV 2009 and Online Armor Firewall. I found the Windows Firewall on, which should be off with OA FW.
Malwarebytes' Anti-Malware 1.34
Database version: 1849
Windows 5.1.2600 Service Pack 2
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
I got the same entries as Edge when I did a scan today. The entries were checked for removal and since the explanation indicated it was a malware, I trusted malwarebytes and pressed the button to continue with the removal.
Below is my log after automatic restart and removal:
"Malwarebytes' Anti-Malware 1.34
Database version: 1856
Windows 5.1.2600 Service Pack 3
3/16/2009 4:31:58 PM
mbam-log-2009-03-16 (16-31-58).txt
Scan type: Quick Scan
Objects scanned: 78756
Time elapsed: 13 minute(s), 50 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)"
The log indicates that these entries were removed and they were quarantined and deleted successfully. But when I checked the quarantine section, these entries were not listed. And Fatdcuk's post indicated this is just an alert. So I assume I did not have to let malwarebytes remove it.
My question: Was I wrong in letting malwarebytes remove the entries and need I be concerned that my registry got messed up? Or was no harm done?
I wish I had read this thread before I ran the scan today and did what I did.
Thank you.
Blue452
An inexperienced user
#6
Posted 17 March 2009 - 08:45 AM
The way Malwarebytes' says it "deletes" these entries is actually inaccurate. All it really does is change the value from a 1 to a 0 in those registry keys (which is the default). More often than not, these settings are changed by the user of the computer who doesn't want the alerts from Security Center or because the antivirus that they have installed monitors itself with its own security center type application so it disables the built in one so you don't get duplicate warnings, however sometimes it is changed by malware so that you don't get any alert that your protection is turned off (the malware that does this also disables your antivirus and firewall).
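Added example, not part of any post in this thread and not Malwarebytes code: a small Python parser for the "Registry Data Items Infected" lines in the logs posted above. It splits each finding into key, value name, flagged and expected data, and action, then applies the triage described in posts #4 and #6. The sample log is constructed from lines posted in the thread, and the names parse_data_items and triage are hypothetical.

```python
import re
from dataclasses import dataclass

# Constructed sample, assembled from log lines posted in this thread.
SAMPLE_LOG = r"""Registry Values Infected: 0
Registry Data Items Infected: 2
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
Folders Infected:
(No malicious items detected)
"""

# A detail section header ends with the colon; the summary lines carry a count after it.
SECTION = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):\s*$")
# <key>\<value> (<detection>) -> Bad: (<data>) Good: (<data>) -> <action>.
DATA_ITEM = re.compile(
    r"^(?P<path>HKEY_.+?) \((?P<detection>[^()]+)\) -> "
    r"Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> (?P<action>.+?)\.?\s*$"
)


@dataclass
class DataItem:
    key: str        # registry key holding the value
    value: str      # value name, e.g. AntiVirusDisableNotify
    detection: str  # MBAM detection name
    bad: str        # data MBAM found
    good: str       # data MBAM expects
    action: str     # what the log says was done


def parse_data_items(log_text):
    """Return the findings listed under 'Registry Data Items Infected:'."""
    items, section = [], None
    for raw in log_text.splitlines():
        line = raw.strip().strip('"')  # posted logs are sometimes wrapped in quotes
        header = SECTION.match(line)
        if header:
            section = header.group("name")
            continue
        if section != "Registry Data Items Infected":
            continue
        m = DATA_ITEM.match(line)
        if m:
            key, _, value = m.group("path").rpartition("\\")
            items.append(DataItem(key, value, m.group("detection"),
                                  m.group("bad"), m.group("good"),
                                  m.group("action")))
    return items


def triage(item):
    """One-line reading of a finding, following posts #4 and #6 of the thread."""
    if item.action.startswith("No action taken"):
        # Post #4: the scanner cannot tell a user change from a malware change.
        return (f"{item.value} is still {item.bad}: confirm who changed it, "
                f"then add it to the ignore list or let MBAM reset it")
    # Post #6: 'deleted' here means the data was set back to the Good value.
    return f"{item.value} reset to {item.good}; the registry value itself is kept"


if __name__ == "__main__":
    for finding in parse_data_items(SAMPLE_LOG):
        print(triage(finding))
```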
#7
Posted 17 March 2009 - 10:46 AM
Worst case, go into security center, click "Change the way security center alerts me", and uncheck all three boxes, which is the equivalent of changing those registry values back to a 1.
MBAM does the same thing with the StartMenu. I noticed that my "Logoff" option was disappearing from the start menu. MBAM was detecting a StartMenu Hijack because my start menu had changed, which can be the result of malware. I simply had to re-check "Show Logoff" on the start menu, and ignore the start menu hijack finding in MBAM.
#8
Posted 17 March 2009 - 01:44 PM
I found same 'problem' and posted a thread. My Security Center has always had the MS "Automatic Updates" turned OFF so that I could do the updates Manually. And MB never found error. Now MB is finding 3 'errors' relating to the Security Center.
I wish MB would revert back and not allow the MB program to show these Security Center "errors." Just my opinion.
Please read my thread.
Alice
#9
Posted 17 March 2009 - 05:28 PM
alicez, on Mar 17 2009, 08:44 AM, said:
I found same 'problem' and posted a thread. My Security Center has always had the MS "Automatic Updates" turned OFF so that I could do the updates Manually. And MB never found error. Now MB is finding 3 'errors' relating to the Security Center.
I wish MB would revert back and not allow the MB program to show these Security Center "errors." Just my opinion.
Please read my thread.
Alice
Why not? As stated above, newer malware disables the Security Center notifications... It just takes a little thought and a bit of inconvenience if you let MBAM fix this warning if it wasn't caused by malware. I like it, I just wish we were better informed. But there are plenty of threads covering this issue now.
swagger (Keith)
Desktop ----- AMD Athlon 3700+ (2.64Ghz), 2GB DDR 400, ASUS A8N-SLI Premium, 500GB HD, Windows XP Pro SP3, Avira Antivir Personal, MBAM Pro
Laptop ----- Intel C2D P8400 (2.4 Ghz), 4GB DDR3 1066, Mainboard, 160GB HD, Dualboot: Windows 7/openSUSE 11.1, Avira Antivir Personal
#10
Posted 17 March 2009 - 06:49 PM
swagger, on Mar 17 2009, 01:28 PM, said:
Why not? As stated above, newer malware disables the Security Center notifications... It just takes a little thought and a bit of inconvenience if you let MBAM fix this warning if it wasn't caused by malware. I like it, I just wish we were better informed. But there are plenty of threads covering this issue now.
swagger (Keith)
I agree with you Keith and it is the people that disable Automatic updates or at least have "Check for updates but let me choose whether to download and install them" are amongst the 10 million or more victims of the Conficker infection that this update was made for MBAM I believe.
E5200 2.5GHZ, 4GB RAM, 320GB HD, Win7 Home Premium 64-bit, avast! V6.0 Free, IE9
P4 2.8GHZ, 1.5GB RAM, 40GB HD, XP Pro SP3, 32-bit, avast! V6.0 Pro, Macrium Reflect
with IE8 and Chrome, hpHosts, MVPS HOSTS files, MBAM Full, OpenDNS, SpeedFan, WinPatrol PLUS
#11
Posted 17 March 2009 - 06:55 PM
YoKenny1, on Mar 17 2009, 02:49 PM, said:
I agree with you Keith and it is the people that disable Automatic updates or at least have "Check for updates but let me choose whether to download and install them" are amongst the 10 million or more victims of the Conficker infection that this update was made for MBAM I believe.
If you're one who's diligent about keeping your system patched (I subscribe to the MS TechNet Security newsletter that's emailed as soon as the monthly updates are available), then I see no need for Automatic Updates.
But, if you're prone to forget or blow it off, you should have this enabled.
#12
Posted 17 March 2009 - 06:57 PM
YoKenny1, on Mar 17 2009, 01:49 PM, said:
I agree with you Keith and it is the people that disable Automatic updates or at least have "Check for updates but let me choose whether to download and install them" are amongst the 10 million or more victims of the Conficker infection that this update was made for MBAM I believe.
Now I don't necessarily agree with letting updates install automatically. I've run into too many instances (mostly at work) where Microsoft updates cause some other problem on the computer. More recently it has been Internet Explorer not being able to connect to webpages because of the KB951748 and KB956803 updates. I install updates, but I generally give a small grace period and read what I am installing and what the vulnerability is.
swagger
#13
Posted 17 March 2009 - 07:08 PM
swagger said:
Now I don't necessarily agree with letting updates install automatically. I've run into too many instances (mostly at work) where Microsoft updates cause some other problem on the computer. More recently it has been Internet Explorer not being able to connect to webpages because of the KB951748 and KB956803 updates. I install updates, but I generally give a small grace period and read what I am installing and what the vulnerability is.
You ever try using an alternate web browser? From a security stand-point it's the smart thing to do, at the very least.
Quote
For we wrestle not against flesh and blood, but against principalities, against powers, and against the worldly governors, the princes of the darkness of this world...
#14
Posted 17 March 2009 - 07:16 PM
GT500, on Mar 17 2009, 02:08 PM, said:
You ever try using an alternate web browser? From a security stand-point it's the smart thing to do, at the very least.
Personally, Opera is my browser of choice at home. Firefox's memory leak issue (at least on my desktop) has become too much for me to handle. But at work (I am in the IT field), IE rules over all. We also have firewall software called Endpoint Security. It's this program that the updates negatively interact with to cause the connection problems.
swagger
#15
Posted 17 March 2009 - 07:33 PM
No matter what, as long as you made the settings change, it's simple enough to tell MBAM to add them to the Ignore List, and they won't be detected again. Spybot Search & Destroy has detected these entries for at least a couple of years now, and I don't think it's bad for MBAM to let you know. I have auto updates off as well, but I check at least once every couple of days for new updates and also receive the emails from MS about new patches.
#16
Posted 17 March 2009 - 08:06 PM
All points are well taken. However, for those of us who are new at this (computers, AV and AS programs), it is a bit disconcerting when these 'exception' notices pop up. In this case it was because of a 'new' addition to the recent download of MB updates, which I (we) didn't know anything about.
I don't know how, but it would have been easier to understand if something was mentioned about what was included (or changed) in the MB updates that might make these Security Center exceptions show up all of a sudden. As I said, I don't know how this might be done, but it might help a lot of people understand that these 'exceptions' are showing because of a new addition to the downloaded updates. Hope I am explaining this properly.
I have been using MB for quite a while and have been well pleased with it and when something pops up all of a sudden (the recent Security Center warnings), we, the novices, begin thinking that our computer has been 'infected,' etc. And when we are asked "did you change a program or settings?" we really don't know what is being asked of us.
Once again, just my opinion.
Alice
#17
Posted 17 March 2009 - 08:15 PM
I think you raise a very good point. The detection of such a setting just suddenly popping up where there was none before could lead a user to think they have recently been infected where there was no problem before. Perhaps the developers might use the Latest news section of the program or some sort of pop-up info providing a web link to a page that explains the changes (much like other software does when new versions are released and they give release notes). I'm not suggesting this be done for every update, but all updates that have a change this significant where MBAM isn't actually detecting any sort of malware, just a non-default Windows setting that is sometimes used by malware.
#18
Posted 17 March 2009 - 08:40 PM
exile360, on Mar 17 2009, 03:15 PM, said:
I think you raise a very good point. The detection of such a setting just suddenly popping up where there was none before could lead a user to think they have recently been infected where there was no problem before. Perhaps the developers might use the Latest news section of the program or some sort of pop-up info providing a web link to a page that explains the changes (much like other software does when new versions are released and they give release notes). I'm not suggesting this be done for every update, but all updates that have a change this significant where MBAM isn't actually detecting any sort of malware, just a non-default Windows setting that is sometimes used by malware.
I agree with you Alice and that is a good recommendation exile360. I think this definition update caught us all by surprise. I just happened to scan my work computer today and came across the 3 detections and immediately started researching because I am 99.9% sure my computer is clean so in my mind it had to be a F/P. I hope that MB keeps us in the loop a lot better the next time! I could only imagine a novice user right now seeing that and wondering what the heck is going on.
swagger
#19
Posted 17 March 2009 - 10:09 PM
Just wanted to question whether anyone is running MB on a Vista system?
My son ran recent MB quick scan on his notebook which has Vista Premium and MB found no exceptions, even though he has Automatic Updates turned off as they are on my WinXP sp3 desktop. And yet I, and others, have found those 3 Security Control exceptions.
Anyone do an MB scan on their Vista and nothing found?
Just wondering.
Alice
#20
Posted 17 March 2009 - 10:20 PM
alicez, on Mar 17 2009, 06:09 PM, said:
Just wanted to question whether anyone is running MB on a Vista system?
My son ran recent MB quick scan on his notebook which has Vista Premium and MB found no exceptions, even though he has Automatic Updates turned off as they are on my WinXP sp3 desktop. And yet I, and others, have found those 3 Security Control exceptions.
Anyone do an MB scan on their Vista and nothing found?
Just wondering.
Alice
It's been said already in another thread. Vista does not have the same registry entries as XP therefore it won't show up in MBAM.
swagger