View Full Version : Spybot identifying Microsoft Registry Keys as high risk
I have just downloaded and started using Spybot. With each scan I receive messages identifying several Microsoft programs as "high risk". When I click on the + to get more information, it appears that the high risk items are registry keys. This occurs each time that I boot up my PC. These MS programs all are in the MS Security Center, and are the following programs: "Antivirus Disable notify" (1 registry key); "Internet Explorer" (1 registry key); (Firewall disable notify" (1 registry key); and "disabled" (4 registry keys).
Is this a problem with Spybot? Or, is it actually identifying problems that I need to delete?
NOTE: I use third-party firewall and antivirus programs, so I am not using the firewall and antivirus programs ide4ntified.
I have found where I can tell Spubot to ignore these areas when I run a scan. Should I do that? Should I tell Spybot to ignore ALL MS programs?
Please let me nkow -- if possible, please EMail me at removed Thanks!
md usa spybot fan
2007-11-08, 21:00
Please post a log of the actual detections you are getting. To do that:
Run another scan.
When the scan completes, right click on the results list, select "Copy results to clipboard".
Then paste (Ctrl+V) those results to a new post in this thread.
Also, what firewall and antivirus programs are you running?
lmendol
Your duplicate topic was removed, please respond in this thread and do not post your email address. ;)
Thank you.
Microsoft.Windows.Security.InternetExplorer: [SBI $A3433CBF] Settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-240452933-1526793513-891911580-1006\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe
Microsoft.WindowsSecurityCenter.AntiVirusDisableNotify: [SBI $5509538C] Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify
Microsoft.WindowsSecurityCenter.FirewallDisableNotify: [SBI $8CFC8C85] Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify
Microsoft.WindowsSecurityCenter_disabled: [SBI $2E20C9A9] Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\Start
--- Spybot - Search & Destroy version: 1.5 (build: 20070830) ---
2007-08-31 blindman.exe (1.0.0.6)
2007-08-31 SDMain.exe (1.0.0.4)
2007-08-31 SDUpdate.exe (1.0.6.4)
2007-08-31 SDWinSec.exe (1.0.0.8)
2007-08-31 SpybotSD.exe (1.5.1.15)
2007-08-31 TeaTimer.exe (1.5.0.9)
2007-11-02 unins000.exe (51.46.0.0)
2007-08-31 Update.exe (1.4.0.5)
2007-08-31 advcheck.dll (1.5.3.0)
2007-04-02 aports.dll (2.1.0.0)
2007-04-02 DelZip179.dll (1.79.5.3)
2007-08-31 SDHelper.dll (1.5.0.8)
2007-08-31 Tools.dll (2.1.2.0)
2007-11-07 Includes\Cookies.sbi (*)
2007-10-31 Includes\Dialer.sbi (*)
2007-11-07 Includes\DialerC.sbi (*)
2007-11-07 Includes\Hijackers.sbi (*)
2007-11-07 Includes\HijackersC.sbi (*)
2007-10-04 Includes\Keyloggers.sbi (*)
2007-11-07 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2007-11-07 Includes\Malware.sbi (*)
2007-11-07 Includes\MalwareC.sbi (*)
2007-10-24 Includes\PUPS.sbi (*)
2007-11-07 Includes\PUPSC.sbi (*)
2007-11-07 Includes\Revision.sbi (*)
2007-05-30 Includes\Security.sbi (*)
2007-11-07 Includes\SecurityC.sbi (*)
2007-11-07 Includes\Spybots.sbi (*)
2007-11-07 Includes\SpybotsC.sbi (*)
2007-11-06 Includes\Tracks.uti
2007-11-07 Includes\Trojans.sbi (*)
2007-11-07 Includes\TrojansC.sbi (*)
2008-12-24 Plugins\TCPIPAddress.dll
You asked, and I forgot to add... I'm running Norton Antivirus software and Zone Alarm's Firewall.
spybotsandra
2007-11-10, 02:10
Hello,
You just answered the item yourself. ;)
You are using a third part anti-virus and firewall.
So the Windows anti-virus and firewall are disabled.
That is being detected by Spybot and notified to you.
As these changes are made by yourself cause you are using these other programs you can safely ignore this entries in future scans.
Best regards
Sandra
Team Spybot
Rosenfeld
2007-11-10, 02:39
Also if you highlight one of those registry key entries and open the information side panel (click on the large grey button with two arrow heads to the right of Spybot's scan results pane), you will see the explanation.
Useful, that information side bar. Pity so few users of Spybot seem to know it is there. :-)
La Senora
2009-10-30, 01:11
Some of us, perhaps most of us, actually do see that side area for explanations. The problem is that the explanations are not always useful to an non IT Tech. In the case of this specific problem, all that clicking there does is take us to the Registry. It has several subfolders that show up. We aren't told which subfolder is the problem. When I click on one of the subfolders i see a lot of files that I have no knowledge of. So for an IT person, the click was helpful; for us laymen this particular 'explanation' was just confusion.
La Senora
2009-10-30, 01:19
I'm running Microsoft Security Center and have removed other virus and antispyware software. Just reinstalled Spybot as machine was running very, very slowly. From comments above I'm making the guess that my microsoft stuff is ok as is. Here's the log....
Microsoft.Windows.Security.InternetExplorer: [SBI $A3433CBF] Settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-2800993877-623776200-53095332-1009\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe
Microsoft.WindowsSecurityCenter.FirewallBypass: [SBI $D80580B5] Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\explorer.exe
Microsoft.WindowsSecurityCenter.FirewallBypass: [SBI $B067B5B7] Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\explorer.exe
Win32.TDSS.rtk: [SBI $CBE34A63] Data (File, fixed)
C:\WINDOWS\izanug._dl
Properties.size=0
Properties.md5=D41D8CD98F00B204E9800998ECF8427E
Right Media: Tracking cookie (Internet Explorer: Compaq_Owner) (Cookie, fixed)
DoubleClick: Tracking cookie (Internet Explorer: Compaq_Owner) (Cookie, fixed)
MediaPlex: Tracking cookie (Internet Explorer: Compaq_Owner) (Cookie, fixed)
spybotsandra
2009-10-30, 12:27
Hello,
I would recommend for the next time that you start a new thread, than using one that is two years old.
Microsoft.Windows.Security.InternetExplorer:
I suggest you "Fix selected problems" on those detections unless you experienced an issue such as the one described in the following article and intentionally changed those registry entries from their default setting:
* AutoShapes that were added to an HTML or an MHTML file in a Microsoft Office program do not appear when you open the file in Internet Explorer after you install Windows XP SP2, see Microsoft Support (http://support.microsoft.com/?scid=kb%3Ben-us%3B883969&x=12&y=12).
The key "HKEY_CURRENT_USER,"\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN" (standard value is 1 with SP2) determines the ability to perform certain actions for local websites, i.e. websites saved on harddisk.
The value is set to 0 (zero) by some malicious applications in order to deminish the security settings for the zone "local computer". See Microsoft Info (http://msdn.microsoft.com/security/productinfo/XPSP2/securebrowsing/locallockdown.aspx) for details.
There are several threads on the subject: Windows.Security.Internet Explorer (http://forums.spybot.info/showthread.php?t=6560) and Scan Result (http://forums.spybot.info/showthread.php?t=6749).
If you want you can also tell Spybot-S&D to exclude those detections from further scans.
You can exclude a product from the search as follows:
First of all procede a scan with Spybot - Search & Destroy. Now, mark the item, you want to exclude from the search, with a left-click.
It is marked blue now. Then right-click this entry and select "exclude this product from further searches".
It is also possible to exclude it before the search. Please run Spybot - Search & Destroy in "Advanced Mode" and go to "Settings" -> "Ignore products". There you can tick the checkbox in front of the product you want to exclude from the search.
Microsoft.WindowsSecurityCenter.FirewallBypass:
This is no infection - this is only a notification.
Please have a look at this link (http://forums.spybot.info/showthread.php?t=14824) in our forum it should help to explain.
If you do not want to get this entry anymore you can safely exclude it from future scans like described above.
Best regards
Sandra
Team Spybot