What is this that malwarebytes found?



#1 Curiousp

Posted 12 April 2011 - 06:02 AM

I downloaded and installed Malwarebytes, and after it ran its scan, right at the end it found this.

PUM.Disabled.SecurityCenter in the Registry Data.

Our computer has never been infected by malware. There was a site that tried to, but ESET NOD32 terminated the attempt. There have also been no indications of infection. Does this mean that the computer is infected or is it a false positive?

Our Antivirus is Nod32 version 4

Thanks :)



#2 quietman7


Posted 12 April 2011 - 08:09 AM

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0)


The Disabled.SecurityCenter entries do not necessarily mean malware. They are registry keys that can be:
  • Disabled by malware to prevent notification that your protection has been disabled
  • Disabled intentionally by the user.
  • Disabled by other security programs to prevent conflicts, duplicate warnings and allow them to have control.

This key controls the warning you get about your antivirus software (out of date, not installed .....). If the value is set to 1 you won't get any of these warnings and multiple malicious applications do this to prevent you from knowing that they have disabled your antivirus software. MBAM is re-enabling this function in your log.

...these are registry keys that can be disabled by either malware (to prevent notification that protection is disabled) or by the user or their legit software to prevent conflicts or duplicate warnings.

explanation by Malwarebytes Staff

It is not uncommon for security programs (as well as malware) to disable these keys and other security tools like Malwarebytes to detect and let you know they have been disabled. So if a scan is showing these entries and there are no other signs of infection, then it's likely that you or one of your security programs has disabled them. If that's the case, then adding them to Malwarebytes's Ignore list (by right-clicking) will prevent the detections from showing in future scans. If you are experiencing symptoms of malware, do not use other security programs and did not disable them yourself, then further investigation is warranted as there is no way to specifically tell how or by what something became disabled.

Usually when your machine is infected with malware, you will experience other signs and symptoms (pop-up alerts, slow computer, poor performance, browser redirects, etc) that indicate something is wrong.

Microsoft MVP - Consumer Security 2007-2014

Member of UNITE, Unified Network of Instructors and Trusted Eliminators
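
A read-only way to see the current state of the values discussed in this thread, as an added example that is not part of the original posts. The function name is hypothetical; the key path and the first two value names come from the scan log above, UpdatesDisableNotify is the third value that comes up later in the thread, and the reading of 1 and 0 follows the log's Bad/Good columns.

```powershell
# Added example: report the Security Center notification values named in the scan log.
# Read-only; it changes nothing in the registry.
$keyPath    = 'HKLM:\SOFTWARE\Microsoft\Security Center'
$valueNames = 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify'

function Get-SecurityCenterNotifyState {   # hypothetical helper name
    param(
        [string]$Path = $keyPath,
        [string[]]$Names = $valueNames
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Key not found: $Path"
        return
    }

    $props = Get-ItemProperty -LiteralPath $Path
    foreach ($name in $Names) {
        $prop = $props.PSObject.Properties[$name]
        if ($null -eq $prop) {
            # The value may simply not exist on this system.
            $data  = $null
            $state = 'Value not present'
        }
        elseif ($prop.Value -eq 0) {
            $data  = $prop.Value
            $state = 'Notification enabled (log: Good 0)'
        }
        elseif ($prop.Value -eq 1) {
            $data  = $prop.Value
            $state = 'Notification suppressed (log: Bad 1)'
        }
        else {
            $data  = $prop.Value
            $state = 'Unexpected data, review manually'
        }
        [pscustomobject]@{ Value = $name; Data = $data; State = $state }
    }
}

Get-SecurityCenterNotifyState | Format-Table -AutoSize
```

A value of 1 here shows only that the notification is suppressed; as the post above says, it does not show what set it.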

#3 Curiousp


Posted 12 April 2011 - 07:16 PM


Yes, although there have been no signs of malware infection. Computer is fast, no pop-ups, no alerts, Nod32 has been running normally. The only weird infection we have had, which I am not sure if it is a false positive or not, is this autorun.inf infection. I think it has been fixed, but it was strange that it even was detected. Malwarebytes found this:

HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Security Center/UpdatesDisableNotify

No other things were detected, only one instance of this, so I am unsure of what to think about it, as I don't know if ESET configured Security Centre, or some button was pressed to disable updates.

#4 quietman7


Posted 13 April 2011 - 07:36 AM

The explanation for the HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/Security Center/UpdatesDisableNotify key is essentially the same as the above.

There are four automatic update settings options available:
  • Automatic (recommended).
  • Download updates for me, but let me choose when to install them.
  • Notify me but don't automatically download or install them.
  • Turn off Automatic Updates.

How to change your Automatic Updates settings by using Windows Security Center

The fourth option, which I prefer, permits full control when to download and install any updates.


Posting Tip: There is no need to quote the entire post you're replying to. Just use the Posted Image button (found at the top and bottom of the page) instead of the "Quote" button (found under each post).



#5 Curiousp


Posted 16 April 2011 - 04:18 AM

Thanks for the posting tip. Just wondering if I need to be worried about that PUM thing.... Don't know if it is of serious concern or something I should just watch out for in the future. Could there be any other reason for its deactivation if there is no malware present on the computer?

Thanks

#6 quietman7


Posted 16 April 2011 - 08:49 AM

The Disabled.SecurityCenter entries are registry keys that can be:
  • Disabled by malware to prevent notification that your protection has been disabled
  • Disabled intentionally by the user.
  • Disabled by other security programs (i.e. anti-virus) to prevent conflicts, duplicate warnings and allow them to manage control of the Security Center.


#7 Curiousp


Posted 17 April 2011 - 07:35 AM

Is there a way that I can find out if Nod32 disabled the Windows updates for some reason, or any way that I can see if I might have done something? I usually manually install the updates as the time was set to automatically check for updates at 3am. Nothing was updated as no one uses the computer at 3 am. I recently changed it to 5pm so it will work now, but are there any other signs I can look out for to discover whether it was malware or my own doing?

Thank you

#8 quietman7


Posted 17 April 2011 - 04:29 PM

NOD32 manages the Security Center by default and provides an orange alert icon when Windows updates are available. See these ESET Knowledgebase articles:

Edited by quietman7, 17 April 2011 - 04:30 PM.


#9 Curiousp


Posted 17 April 2011 - 07:29 PM

Thank you, I don't think I have anything big to worry about then. Thank you for your time and effort and all the links you provided. It was really helpful.

#10 quietman7


Posted 17 April 2011 - 08:48 PM

You're welcome.