
don't know what to do with results of malwarebytes



#1 tryingtolearn


Posted 25 January 2010 - 05:13 PM

I just got my laptop back a couple of months ago with a new hard drive, programs, etc. I used to have Avast! and ran that fairly frequently, but uninstalled it a couple days ago and now am using Avira. I ran it, and there were several trojans/worms that went into quarantine. I just ran Malwarebytes and there are 3 things in the registry and I am afraid to do anything!

Disabled.SecurityCenter - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify

Disabled.SecurityCenter - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify

Hijack.Help - HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp

All 3 are Registry Data

Quarantined in the Avira AntiVir Personal Free Version:
TR/PWS.73216.3
File Name: C:\WINDOWS\LastXP\Games\Bridges.exe

TR/Crypt.CFI.Gen - Trojan
File Name: C:\System Volume Information\_restore{E6779B2B-1143-477A-B6E1-22B875AAF768}\RP78\A0012467.exe

Contains recognition pattern of the WORM/Agent.389120 worm
File Name: C:\System Volume Information\_restore{E6779B2B-1143-477A-B6E1-22B875AAF768}\RP78\A0012468.exe


Please let me know what to do. Hubby and I are sharing my laptop since he lost his job last month. My desktop died 2 weeks before that and we can't afford for this pc to crash. We need it to look for work and pay the bills!

Please forgive my ignorance, and my anxiety.

I am just...

Trying to learn

Edited by Orange Blossom, 25 January 2010 - 05:47 PM.
Move to AII from HJT. ~ OB



#2 quietman7


Posted 26 January 2010 - 01:48 PM

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp

Indicates that help will be prevented from being displayed in the start menu.

Both malware and legit actions can cause this, and since there is no way to tell which is the cause, we choose to help novice users, assuming that expert users will understand what the detection(s) indicate and then use the ignore function to hide their custom modifications.

explanation by Malwarebytes Staff

There are various tweaking programs which can keep Help from appearing in the Start Menu. You can even perform that action in Windows by right-clicking Start > select Properties > Customize... under the Start Menu tab > Advanced tab, uncheck Help and Support and click Ok twice. To add it back to the Start Menu, you repeat those steps but this time check Help and Support.

The Disabled.SecurityCenter entries do not necessarily mean malware. They are registry keys that can be:
  • Disabled by malware to prevent notification that your protection has been disabled
  • Disabled intentionally by the user.
  • Disabled by other security programs to prevent conflicts, duplicate warnings and allow them to have control.

This key controls the warning you get about your antivirus software (out of date, not installed .....). If the value is set to 1 you won't get any of these warnings, and multiple malicious applications do this to prevent you from knowing that they have disabled your antivirus software. MBAM is re-enabling this function in your log.

explanation by Malwarebytes Staff

For example, if you have McAfee Security Center or Norton Internet Security installed, they will disable the Windows Security Center in order to take care of (manage) things themselves. Other security programs like Spybot S&D will provide similar detections for these type of registry changes and ask you to allow or deny them. Please refer to this discussion thread and click the link in Post #2 for a more detailed explanation.

If a scan is showing these entries and there no other signs of infection, then it's likely another security program has disabled them. If that's the case, then having MBAM add them to the Ignore list will prevent the detections from showing in future scans. If you are experiencing symptoms of malware, do not use other security programs and did not disable them yourself, then further investigation is warranted as there is no way to specifically tell how or by what something became disabled. MBAM only shows that it is disabled.

As for the Avira AntiVir Personal Free detections:

When an anti-virus or security program quarantines a file by moving it into a virus vault (chest) or a dedicated quarantine folder where it is renamed, that file is essentially disabled and prevented from causing any harm to your system. The quarantined file is safely held there and no longer a threat until you take action to delete it. One reason for doing this is to prevent deletion of a crucial file that may have been flagged as a "false positive", especially if the scanner uses heuristic analysis technology. Heuristics is the ability of a scanning program to detect possible new variants of malware before the vendor can get samples and update the program's definitions for detection. Heuristics uses non-specific detection methods to find new or unknown malware, which allows the anti-virus to detect and stop it before it does any harm to your system. The disadvantage to using heuristics is that it is not as reliable as signature-based detection (blacklisting) and can potentially increase the chances that a non-malicious program is flagged as suspicious or infected. If that is the case, then you can restore the file and add it to the exclusion or ignore list. Doing this also allows you to view and investigate the files while keeping them from harming your computer. Quarantine is just an added safety measure. When the quarantined file is known to be malicious, you can delete it at any time.

Keep in mind, however, that if these files are left in quarantine, other scanning programs and security tools may flag them as a threat while in the quarantined area so don't be alarmed if you see such an alert. Just delete the quarantined items after confirming they are malware and subsequent scans should no longer detect them.

The detected _restore{GUID}\RP***\A00*****.xxx file(s) identified by your scan are in the System Volume Information Folder (SVI), which is a part of System Restore. The *** after RP represents a sequential number automatically assigned by the operating system. The ***** after A00 represents a sequential number where the original file was backed up and renamed except for its extension. To learn more about this, refer to:

System Restore is the feature that protects your computer by monitoring a core set of system and application files and by creating backups (snapshots saved as restore points) of vital system configurations and files before changes are made. These restore points can be used to "roll back" your computer to a clean working state in the event of a problem. This makes it possible to undo harmful changes to your system configurations, including registry modifications made by software or malware, by reverting the operating system's configuration to an earlier date. See What's Restored when using System Restore and What's Not.

System Restore is enabled by default and will back up the good as well as malicious files, so when malware is present on the system it gets included in restore points as an A00***** file. If you only get a detection on a file in the SVI folder, that means the original file was on your system in another location at some point and probably has been removed. However, when you scan your system with anti-virus or anti-malware tools, you may receive an alert that a malicious file was detected in the SVI folder (in System Restore points) and moved into quarantine. When a security program quarantines a file, that file is essentially disabled and prevented from causing any harm to your system. The quarantined file is safely held there and no longer a threat. Thereafter, you can delete it at any time.

If your anti-virus or anti-malware tool cannot move the files to quarantine, they sometimes can reinfect your system if you accidentally use an old restore point. In order to avoid reinfection and remove these file(s) if your security tools cannot remove them, the easiest thing to do after disinfection is Create a New Restore Point to enable your computer to "roll-back" to a clean working state and use Disk Cleanup to remove all but the most recent restore point. Vista and Windows 7 users can refer to these links: Create a New Restore Point in Vista or Windows 7 and Disk Cleanup in Vista.

If your anti-virus or anti-malware tool was able to move the file(s), I still recommend creating a new restore point and using disk cleanup as the last step after removing malware from an infected computer.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
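A read-only audit of the three registry values discussed in this post, written as an added example (not code from the thread, from Malwarebytes or from Avira). It assumes a Windows host with PowerShell; it reports the state of each value and which security suites are registered with Security Center, since the post stresses that a third-party suite is the most common benign cause of the *DisableNotify settings.

```powershell
# Added example: audit the registry values MBAM flagged in the post above.
# Read-only; it changes nothing. Run as an administrator so HKLM is readable.

$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'
       Name = 'AntiVirusDisableNotify'
       Meaning = 'Security Center antivirus warnings suppressed' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'
       Name = 'FirewallDisableNotify'
       Meaning = 'Security Center firewall warnings suppressed' },
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoSMHelp'
       Meaning = 'Help and Support removed from the Start Menu' }
)

foreach ($c in $checks) {
    # Get-ItemProperty errors if the key or the value name is missing;
    # a missing value means the Windows default (notifications on, Help shown).
    $value = $null
    try {
        $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction Stop
        $value = $item.($c.Name)
    } catch {
        $value = $null
    }

    if ($null -eq $value) {
        $state = 'not present (default behaviour)'
    } elseif ($value -eq 1) {
        # 1 is the state MBAM reports; the post explains it can be set by malware,
        # by the user, or by another security program.
        $state = 'SET TO 1: ' + $c.Meaning
    } else {
        $state = "present with value $value (not the disabled state)"
    }

    '{0}\{1}: {2}' -f $c.Path, $c.Name, $state
}

# Security suites registered with Windows Security Center. If one is listed, it is
# the likely owner of the *DisableNotify values. The WMI namespace differs by
# version: root\SecurityCenter (XP) and root\SecurityCenter2 (Vista and later).
foreach ($ns in 'root\SecurityCenter', 'root\SecurityCenter2') {
    Get-WmiObject -Namespace $ns -Class AntiVirusProduct -ErrorAction SilentlyContinue |
        ForEach-Object { 'Registered AV ({0}): {1}' -f $ns, $_.displayName }
}
```

A value of 1 with a third-party suite registered matches the benign case the post describes; a value of 1 with no suite registered and no user change is the case where the post says further investigation is warranted.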

#3 tryingtolearn


Posted 26 January 2010 - 02:47 PM

Thank you for your response. I must ask you to please forgive my ignorance, but I have a little problem with my brain that is preventing me from processing it and coming to a conclusion on what I am to do next. However, I am usually able to follow step-by-step instructions without too much trouble if I print them out. (Hubby always had a company computer and they always took care of any problem there may have been. So he doesn't know any more about computers than I do.)

Are you saying I should just delete the problems that show up in Avira and Malwarebytes and don't worry about it and then make a new system restore point? I am running Windows XP, not Vista or Windows 7.

Thank you in advance for all your help.

#4 quietman7


Posted 26 January 2010 - 02:59 PM

The entries in MBAM can be left alone and set to ignore, so future scans will ignore them, if you or another security program made the changes. You can let Avira remove what it found.

Then if there are no further signs of infection, you create a new Restore Point.

#5 tryingtolearn


Posted 28 January 2010 - 10:25 AM

thank you very much for your kindness.

#6 quietman7


Posted 28 January 2010 - 10:29 AM

You're welcome.