Malwarebytes' Anti-Malware found items in registry data

Please assist in helping me with what to do next. Running Windows XP. Malwarebytes' Anti-Malware found items in registry data, please scroll down below for review. Thank You.

Malwarebytes' Anti-Malware 1.46
Database version: 4786

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\engine.backupengine (Rogue.AntiSpyKit) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

THANK YOU FOR YOUR ASSISTANCE.

Malwarebytes' Anti-Malware Registry Detections

TRV..

In regard to the below detections, which indicate two of your Security Center settings are disabled:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0)

There are three conditions which could have caused your A/V and Firewall to become disabled: you disabled them yourself; third-party software such as Norton, McAfee, or Trend disabled them (they do so, as a matter of course, in order to prevent duplicate warnings or conflicts from the Security Center); or malware did. If you disabled them, or your security software did, you can have MBAM "ignore" the two.

In regard to: HKEY_CLASSES_ROOT\engine.backupengine (Rogue.AntiSpyKit)

The reg key detected is from AntiSpyKit, which is a rogue anti-spyware program. I have to presume it was left over from its prior removal, either by another security software you have installed or by MBAM itself.

Your log indicates "no action taken" on removing the AntiSpyKit reg key. Reboot your computer. Update MBAM, and run another scan. It should be gone. If not, please let us know.

Best of luck..
Carol
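A small parser for the MBAM 1.x log format quoted in this thread, added here as an example (it is not part of the original posts or Malwarebytes' own tooling). The sample log is constructed from the lines above, and the triage rule simply encodes Carol's reading of the two families: Disabled.SecurityCenter items need their cause confirmed before anything is removed, while a Rogue.* key is a leftover to remove.

```python
import re

# Constructed sample in the format of the Malwarebytes' Anti-Malware 1.46 logs
# quoted in this thread: two items still pending, one already quarantined.
SAMPLE_LOG = r"""Registry Keys Infected:
HKEY_CLASSES_ROOT\engine.backupengine (Rogue.AntiSpyKit) -> No action taken.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
"""

# One detection line: <path> (<family>) [-> Bad: (x) Good: (y)] -> <action>.
DETECTION_RE = re.compile(
    r"^(?P<path>.+?) \((?P<family>[^()]+)\)"
    r"(?: -> Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\))?"
    r" -> (?P<action>[^.]+)\.?$"
)

def parse_mbam_log(text: str) -> list[dict]:
    """Extract the per-item detection lines from an MBAM 1.x text log."""
    found: list[dict] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("("):  # blank or "(No malicious items detected)"
            continue
        if line.endswith("Infected:"):  # section header, e.g. "Registry Keys Infected:"
            section = line[:-1]
            continue
        m = DETECTION_RE.match(line)
        if m:  # keys: path, family, bad, good (None outside Registry Data Items), action
            found.append({"section": section, **m.groupdict()})
    return found

def triage(d: dict) -> str:
    """Next step per family, following the thread's reading of each detection."""
    if d["family"] == "Disabled.SecurityCenter":
        # Set by the user, by a third-party suite (to avoid duplicate alerts) or by
        # malware: confirm the cause; if your own suite set it, add to the ignore list.
        return "verify-cause"
    if d["family"].startswith("Rogue."):  # leftover of a rogue anti-spyware product
        return "remove"
    return "review"

def pending(detections: list[dict]) -> list[dict]:
    """Items the log still reports as 'No action taken'."""
    return [d for d in detections if d["action"] == "No action taken"]
```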

re: Malwarebytes' Anti-Malware Registry Detections

Carol,

First, thank you for your help. I do have a 3rd-party security suite, so I assume the security suite disabled the two items:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0)


I downloaded Malwarebytes for the first time yesterday from CNET because I was having a problem downloading it directly from Malwarebytes earlier in the day. I also updated the software directly after the initial download. Then I ran the Quick Scan.

Regarding the second item, HKEY_CLASSES_ROOT\engine.backupengine (Rogue.AntiSpyKit): I have not downloaded this software, unless it was hidden in some other program prior.

The reason you saw the original log indicating "no action taken" on removing the AntiSpyKit reg key is that I did not click the "Next" button for removal until I heard from you.

However, after I read your response, I followed your directions, except I seem to have (my error) quarantined ALL 3 instead of just the AntiSpyKit reg key.

BELOW IS THE CURRENT LOG FROM TODAY. Please Advise. I will not continue, until I hear from your team. Again, Thank You.


Malwarebytes' Anti-Malware 1.46
Database version: 4786


10/10/2010

Scan type: Quick scan

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\engine.backupengine (Rogue.AntiSpyKit) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Some Minor Adjustments..

TRV...

If my memory serves me correctly, when the two reg keys your Security Suite changed by default are "deleted" instead of "ignored", they will show again with another scan. Update MBAM (presently Database Version #4793) and run another scan. IF you DO see the same two results again, after clicking "show results", right-click on the items, and then "Add to Ignore List".

Your log should indicate you're "clean" at this point. If not, let us know and we'll move on from there.

You're welcome, by the way..
Carol

re: Malwarebytes' Anti-Malware Registry Detections

Hi Carol,

Thank you for your response. You're correct. I ran a full scan yesterday (it took a number of hours) using Malwarebytes' Anti-Malware 1.46, Database version 4786, and it found the two reg keys, so I added those two to the "ignore list." I also see that the HKEY_CLASSES_ROOT\engine.backupengine (Rogue.AntiSpyKit) is in the "quarantine" folder. Do I leave that in the folder or delete it?

After seeing your most recent posting, I followed your directions and manually updated Anti-Malware 1.46 to Database version 4793 and ran a "quick scan." There do not seem to be any more infected files. I posted the latest log BELOW. Thanks.

Malwarebytes' Anti-Malware 1.46
Database version: 4795

10/11/2010

Scan type: Quick scan
Objects scanned: 172516


Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Perfecto! Looks Good! :)

Good job! In this instance you can delete the "AntiSpy" detection from quarantine.

Generally, you want to keep file/s in quarantine until such time as you're sure they're safe to delete. Every now and then, most (if not all) security software will detect a file (or files) as malicious when in fact it's not. Commonly called a "false positive". Read the response given by a former staff member at Lavasoft when asked about deleting files from quarantine. It's a good explanation, and also a lot shorter than if I were to explain it. I think it's important to understand.

If at any point in time you have any doubts about a false detection, you can either go to the software's official website or ask here.

Keep up the good work!
Carol

system running slow...

Thank You, Carol. I have also been having some issues with the computer system running a bit sluggish. I am running XP, CCleaner, and of course the recently installed Malwarebytes. I recently switched from Norton Anti-Virus and other Norton products (some of which were installed but not used in a while) to the McAfee Security Suite. But I suspect there could be remnants of previous software programs installed. I also noticed that the system warns that resources are low. I will follow your direction and can provide you additional information.

Thank You.

When You Removed Norton..

When you removed NAV and whichever other Norton product you had installed, did you use the Norton Removal Tool? Norton and McAfee are both notorious for leaving leftover files. If you didn't use the tool, I would suggest you try it.

If you feel you have remnants left from other kinds of software, you can give Revo Uninstaller a try. (It's free) Whether it will make a difference, I don't know. It's relatively easy to use.

Are any other security programs running in "real-time", in addition to McAfee? If so, it could be why your system is running slow. Only a friendly word of caution: please don't be tempted to install a registry cleaner, thinking it will "speed up your system". CCleaner, which you already have, is the better bet. Just mentioning the registry cleaner, in case it crossed your mind.

Here are a couple of threads to read through, which should give you additional food for thought:

Restore Your Computer's Performance with Windows XP

There's also a sticky at the top of our Computer Newbie forum, which is a wealth of information. As an example, it includes instructions on how to shut down unnecessary startup programs, something which can also slow your system down. "A Few 'Tips' For Computer Newbies" is a long thread, so set aside some time to read through it. It's well worth the time.

Have you checked the Task Manager? You might find some helpful information there.

Give some of the above a try. There's a lot to take into consideration, when one's system is "sluggish".

Let us know how you make out..
Carol

re:sluggish system

Thanks again for the response. I am working my way through your directions. But before I get too far into them, I did install the Norton Removal Tool, but it notes that it is only good for products from 2003 on. One of the NAV items was from 2001.

I don't think any other programs are running in 'real time' besides the McAfee, but I could be incorrect. How would I double-check?

Added information that may provide you a better inside look: the system is running 'selective start-up' through 'msconfig.' Are there some items I should double-check in the 'selective start-up'?

What information can I provide to you from the 'task manager'?

On a regular basis I click the delete button in my internet browser to clear cookies and temporary files. Not sure if I should be doing more, or if I may be missing additional steps?

Thank you.

I will now download the Revo Uninstaller and see how that goes.

Thanks.

NAV 2001? How Old Is The Computer?

Have you had the computer for 9 years? If it's anywhere near 9 years old, it could be one reason why it's running slow.

I'm not that familiar with Norton products, but according to Commonly used Symantec tools (#19), the tool is for NAV 2003 or earlier. Did you first go to Add/Remove in the Control Panel and remove it from there? Do a "search" for "Symantec"- or "Norton"-related files. If the search yields a lot of files, run the tool. Otherwise, it may not be necessary.

Did you look at the "Tips" thread I included in my prior post? It explains about start-up items. Here is a description of what some of the items are. If you're in doubt about any of them, try googling the name. Or post at the Windows XP Forum or Computer Newbie's Forum and ask. They would be more than eager to help. (Also read this.)

I included the article about the Task Manager to show you how to determine if any of your applications are taking up a lot of your resources. If any are exceptionally high (besides McAfee), you might want to investigate.

Lastly, if your computer has never had a good cleaning, "Clean up your grungy PC" should show you how.

Best of luck..
Carol

Computer update - Carol

Hi Carol,

Thanks.

I read the Task Manager RAM article. I will be sending you my stats shortly for review.

I read through the 'Newbie' link and will keep it handy. The 'Restore Your Computer's Performance with Windows XP' article has good information, although one of the links within it doesn't seem to work, but I will revisit another time to see if the link is fixed.

re: response to the REVO and NAV uninstaller

The system is not that old. I presume the NAV was installed as a layover until the version was updated. THANK YOU for sending me the Norton Uninstall link. The uninstall tool you pointed me to did pick up a few items from NAV and a couple of the Norton LiveUpdate files. How were you able to find that uninstall tool? In previous attempts I have searched the site for something similar, and the only thing I could find was for uninstalling the recent software. THANKS AGAIN! I also remember this system having Norton Disk Doctor, which was uninstalled a time ago, but I am not sure if all segments were deleted. Do you think there is an uninstall program to double-check that too? Not sure if any of those other programs will search for them.

REVO

I followed your directions and installed Revo, and it did list my programs, but I don't see where it lists file remnants of previously deleted or uninstalled programs that may have left segmented files.

FOR EXAMPLE: Revo did not show the files that the NAV uninstall tool found afterwards.

I see in the 'junk file finder' it found .db files, many .tmp files, .TMP files, .gid, .fts.

EXAMPLE OF tmp
C:\WINDOWS\fffea2cf_{BC45DFA5-4142-4355-B7A1-4BD7F22D73DD}.tmp

I will look to hear from you.

Thank You again.

Re: Computer Update

Hi..

You asked, "How were you able to find that uninstall tool? In previous attempts I have searched the site for something similar, and the only thing I could find was for uninstalling the recent software." I always keep this thought in mind. It works every time! :) It takes patience and determination, but eventually you'll find what you're looking for. I'm glad to hear the tool worked for you.

If you don't have a safe browsing tool installed, such as "WOT" (Web of Trust), it's probably the most valuable piece of advice I can give you. And it's well worth the money you DON'T have to pay. It adds safety ratings to your search engine results. It's free and will keep you away from potentially harmful sites.

I couldn't find a specific uninstall tool for Norton Disk Doctor. What you might want to do is go to the Norton Community Forum, and try to "search" for one there. If one exists, you should be able to find it. I don't know if it's part of Norton Utilities, or some other (older?) product. Given the time I had, I wasn't able to find one.

You don't need an uninstall tool for every product. If you use Add/Remove, do a search for files and also use CCleaner, there shouldn't be many files left to clean. The Revo Uninstaller isn't going to find the same files the Norton Removal Tool found. The tools are different, as is the software.

The leftover files aren't what's slowing your system down. I would concentrate on what you have running at start up, along with the suggestions in the Microsoft article.

You're quite welcome..
Carol
