False/Positives with Search & Destroy?



benic
2007-03-03, 22:23
Each time I run Spybot, S&D detects the following:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify - dword=0
This entry in the registry is "1" not " 0 "

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc±Start dword=W=2
This entry in the registry is "4" not " 2 "

Nurech
HKEY_USERS\S-1-5-21-854245398-484763869-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\*\upnp.exe
This entry does not exist

I have learned that Nurech is a worm.

How should I read those results from the scans?

thanks

benic

md usa spybot fan
2007-03-03, 23:12
benic:

I believe you may be misinterpreting the detections. The registry detections are many times in the format "!=dword:x", which indicates not equal ("!=") to what Spybot is looking for ("dword:x"). The detections don't necessarily indicate what is found; in many cases they indicate what is not found.

Please post the actual detections you are getting and possibly someone will be better able to interpret what you are getting and advise you. To do that:
Run another scan/fix.
When the scan/fix completes, right click on the results list, select "Copy results to clipboard".
Then paste (Ctrl+V) those results to a new post in this thread.

benic
2007-03-04, 08:08
Thank you md usa spybot fan;

here are the actual detections:

Microsoft.WindowsSecurityCenter.UpdateDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify!=dword:0

Microsoft.WindowsSecurityCenter_disabled: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start!=W=2

Nurech: User settings (Registry value, nothing done)
HKEY_USERS\S-1-5-21-854245398-484763869-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\*\upnp.exe


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2007-02-28 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2007-01-15 advcheck.dll (1.2.1.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2007-01-02 Tools.dll (2.0.1.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-02-28 Includes\Cookies.sbi (*)
2006-12-08 Includes\Dialer.sbi (*)
2007-02-28 Includes\DialerC.sbi (*)
2007-02-07 Includes\Hijackers.sbi (*)
2007-02-28 Includes\HijackersC.sbi (*)
2006-10-27 Includes\Keyloggers.sbi (*)
2007-02-28 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2007-02-14 Includes\Malware.sbi (*)
2007-02-28 Includes\MalwareC.sbi (*)
2007-01-19 Includes\PUPS.sbi (*)
2007-02-28 Includes\PUPSC.sbi (*)
2007-02-28 Includes\Revision.sbi (*)
2006-12-08 Includes\Security.sbi (*)
2007-02-28 Includes\SecurityC.sbi (*)
2007-02-02 Includes\Spybots.sbi (*)
2007-02-28 Includes\SpybotsC.sbi (*)
2005-02-17 Includes\Tracks.uti
2007-02-14 Includes\Trojans.sbi (*)
2007-02-28 Includes\TrojansC.sbi (*)

benic

md usa spybot fan
2007-03-04, 15:57
benic:

This detection:


Microsoft.WindowsSecurityCenter.UpdateDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify!=dword:0
Go into Start > Control Panel > Security Center > Resources (on the left hand side of the window – expand if necessary) > click "Change the way Security Center alerts me". This brings up an "Alert Setting" window.

There are three possible alerts:
Firewall
Alert me if my computer might be at risk because of my firewall settings
Automatic Updates
Alert me if my computer might be at risk because of my Automatic Updates settings
Virus Protection
Alert me if my computer might be at risk because of my virus protection software settings

I believe that you will find the alert for "Automatic Updates" is turned off.

This detection:


Microsoft.WindowsSecurityCenter_disabled
Settings HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start!=W=2
That detection (problem) indicates that Spybot-S&D found that the registry entry that controls the starting of Windows Security Center was not set to "Automatic".

To verify that this is not a false positive:
Click Start then Run.
Type "Services.msc" (no quotes) in the Open block.
Click OK.
When Services dialog opens, scroll down in the right pane and locate the "Security Center" entry in the list.
Double click on the entry.
In the Security Center Properties (Local Computer) dialog I believe that you will find the "Startup type" is set to either "Disabled" or "Manual" not "Automatic".

This detection:


Nurech: User settings (Registry value, nothing done)
HKEY_USERS\S-1-5-21-854245398-484763869-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\*\upnp.exe
I am not familiar with that particular detection. However a Google (http://www.google.com/) search for "upnp.exe Nurech" (without the quotes) doesn't turn up anything that looks good to me.
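
Added example, not part of any post in this thread and not Spybot's own code: a small Python parser for the "Copy results to clipboard" text that reads each registry line the way the reply above explains it, with "!=" marking the value Spybot expected rather than the value it found. The names `parse_results` and `explain` are assumptions, and the expected-value text (for example "W=2") is kept verbatim as an opaque string.

```python
import re

# Constructed sample: the three detections quoted in the thread, in the
# clipboard layout (a header line followed by a registry line).
SAMPLE = r"""
Microsoft.WindowsSecurityCenter.UpdateDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify!=dword:0

Microsoft.WindowsSecurityCenter_disabled: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start!=W=2

Nurech: User settings (Registry value, nothing done)
HKEY_USERS\S-1-5-21-854245398-484763869-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\*\upnp.exe
"""

# "Name: Category (Kind, action)" as seen in the pasted results.
HEADER = re.compile(
    r"^(?P<name>[^:]+): (?P<category>.+?) \((?P<kind>[^,]+), (?P<action>[^)]+)\)$"
)

def parse_results(text):
    """Pair each header line with the registry line that follows it."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    found, i = [], 0
    while i < len(lines):
        m = HEADER.match(lines[i])
        if m and i + 1 < len(lines) and lines[i + 1].startswith("HKEY_"):
            # Text after "!=" is what Spybot expected, not what is stored.
            path, sep, expected = lines[i + 1].partition("!=")
            key, _, value = path.rpartition("\\")
            found.append({**m.groupdict(), "key": key, "value": value,
                          "expected": expected if sep else None})
            i += 2
        else:
            i += 1  # skip lines that are not detections (e.g. version listing)
    return found

def explain(d):
    """One-line reading of a parsed detection."""
    if d["expected"] is None:
        return f'{d["name"]}: flagged {d["key"]}\\{d["value"]} (no expected value in the line)'
    return (f'{d["name"]}: {d["value"]} under {d["key"]} '
            f'is NOT equal to the expected "{d["expected"]}"')

if __name__ == "__main__":
    for det in parse_results(SAMPLE):
        print(explain(det))
```
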

benic
2007-03-04, 19:37
thank you md usa spybot fan

You were right all along; I made the corrections as you suggest.

benic