NIS 2009 and Malwarebytes

When I installed NIS 2009 around the end of March it turned up two "threats" named Powersearch (or 2020 search) and automatically quarantined them as malware - I later manually removed them altogether. Following advice on this forum I installed Malwarebytes (free version) today mainly to replace Adaware SE Personal, a manual scanner which is similar but now obsolete and replaced by a new program running in realtime which will clash with NIS. My first scan today with Malwarebytes turned up more 2020search items. I actually know these to be factory installed on my Packard Bell computer (also known as "pbukv.dll" and "Dynamic tool Bar") but it's a search engine I have never used and don't want it - I understand that there are some nasty variants however. I took a little time to find my way round Malwarebytes as the instructions seem to be for people cleverer than me and once you do a scan and show the results page you are trapped there and can't get to "help" when the only options appeared to be "remove" and "ignore" whereas I wanted "quarantine" as shown on a tab above. I had to exit and start again and was pleased to see that "remove" put the items into quarantine anyway and deletion if required is from there. I know all about 2020search but the scan also turned up two further registry keys as malware "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntivirusDisabledNotify Bad (1) Good (0)" and same again except " ....FirewallDisabledNotify Bad(1) Good(0)" at the end. These two are in my ignore list at present awaiting a decision but what are they? I have Windows Firewall disabled but as far as I am aware I have no other Windows security programs. NIS 2009 seems to be working OK. Does anyone know if these two registry keys are something connected with Norton?


Imbart:-,

 

Go to this thread, it may help...

 

http://community.norton.com/norton/board/message?board.id=nis_feedback&message.id=44657&query.id=681096#M44657 

Are both NIS 2009 and MBAM detecting the 2020 search threats? It is possible that MBAM is giving you false positives. Do you have the latest updates and definitions installed for it? Remember, since it is a free application and is simply scanning everything without any knowledge of what it is scanning, it could even mistake something tied to Norton as being malware.

Tamper Protection in Norton makes that a non-issue, Pexley. It is helpful to have another scanner on board which relies on different signatures and procedures to handle the few things that Norton does not, particularly if there is some problem with the Norton installation. Any antimalware, including Norton, can throw false positives. Better that than missing something.

I am not saying that it is not helpful to have a second scanner onboard. Compare the latest definitions for identifying the powersearch threat from MBAM and Norton. If the MBAM set were last released months before the most recent Norton set then MBAM may very well be giving false positives. It seems possible, no matter how unlikely.

 

Also, here are the official Symantec write-ups for powersearch and 2020search: powersearch, 2020search

 

Since both are classified as spyware, try downloading and running SUPERAntiSpyware. Let us know of the results.

Many thanks for all the helpful suggestions and all the links supplied which lead on to other links etc. There are conflicting opinions on this but I am leaning towards the ignore school at the moment which seems to be the Malwarebytes position on their Forum - thank you for those links - although it's confusing and I get the impression nobody really knows. I have therefore posted about this query on the Malwarebytes board and hope for a definitive answer.

It is rare for any of us using these forums to instantly know a fix to every problem that is posted. The main thing is that you actually posted your problem so you could get some input on possible fixes. Plus, now that the issue is known people can begin to look into what is causing this.

Hi imbart -

 

You have been given some good advice here.

 

I would like to mention some simple things:

 

1) Make sure that you always *update* the definitions for MBAM before scanning!

 

2) Look at the MBAM quarantine tab -  if there are items in there, delete them.

 

3) Run a Norton Full System Scan, if you have not done so already. If it comes up clean, you are good to go. Remember, that NIS is what is protecting your system on a real-time basis. The use of MBAM is for additional security. Therefore, check on Live Update at times and ensure that your NIS definitions are being updated correctly.

 

:smileyhappy:

 

 

Thank you for your further interest and assistance. I may have got to the bottom of this and I would be grateful for further opinions. Since installing NIS 2009 I had noticed that “Windows Security Center” had disappeared from the Control Panel and I only had “Windows Firewall” which was “off”. I have now done a file search for “security center” and although no file turned up a short cut icon entitled “security center” did. The target was a file “wscui.cpl” in system32 described as a Control Panel Extension and on clicking the short cut “Windows Security Center” appeared with “Firewall ON”, “Automatic Updates CHECK SETTINGS” (as I have it configured to notify me first before installing) and “Virus Protection ON”. On expanding “Firewall ON” it read “Norton Internet Security is currently ON. A firewall helps protect your computer against viruses and other security threats” and “Virus Protection ON” told me “Norton Internet Security reports that it is up to date and virus scanning is on”. Could this be an explanation of the strange registry entries because Windows Security Center has been altered (by Norton?) to accommodate Norton Firewall and Norton Antivirus instead of Windows?

NIS2009 shuts Windows firewall off by default as systems do not work well with two firewalls.  I believe there is some discussion and a fix or two in the works because some users prefer to have Windows Defender running as well.  Again two real-time scanners frequently conflict.


dbrisendine wrote:
These are not related to Norton or any other reputable software. This is a malware's attempt to disable the Security Center's monitoring of the firewall status and AV status on your machine. Delete the keys.

If memory serves me right, these are settings in the registry as a result of having other security programs present than Windows' stuff.  Because establishing those settings would also be the target of malware, they are often flagged for user awareness - you know if your system has other non-Windows security software and if so you can ignore the flags.

 

And if I am right, you should not remove those keys because they are part of Windows internal self-monitoring.  The choice in the past was to create an "ignore" setting.

Hi imbart,

 

As delphinium mentioned, Norton will turn off the Windows firewall, but it should not remove the Security Center applet from Control Panel. That sounds like the work of the malware you encountered.

 

Malware often changes the registry and adds the wscui.cpl to a "don't load" subkey under Control Panel.

 

The applet can usually be added back to Control Panel by means of a minor registry edit, but I don't know how comfortable you are working within the registry.

 

 

Hi There

 

There has been malware that can change those settings, or you could have done it yourself to not be notified etc. etc. MBAM won't know the difference between malware creating the change or the user intentionally ticking the box etc., so it can't be considered an F.P.

 

I have had MBAM detect those 2 as well (in the past).
 
If you have Security Center set to not notify if those things are not checked then Malwarebytes as well as Spybot S&D will report this, because malware, like Trojans and security Flaws Botnets also do this so they can do the dirty work that they do.
You shouldn't erase those if you know you have settings that you want. These entries tell the Security Center not to warn you when your antivirus is turned off, and that's ok as long as your Norton protection notifies you instead and you know about the setting. However, if you don't know or didn't manually change those settings, you should check for malware because many viruses disable these notifications.
People could have it set not to notify they have no for instance AntiVirus because for some reason the Windows Security Centre does not detect they have one installed even though they do. 
 
If you have manually done security settings etc. yourself, you can place them instead in Malwarebytes ignore list.  

You do have to remember the registry entry setting looks the same whether you do it by disabling the Security Center, via Group Policy, do it via "Regedit" or it's malware that does it.

 

Due to the registry value being the same under all those, Malwarebytes or the likes of Spybot etc. does not have fuzzy logic, it can't figure for itself whether:

"huh, it's a leftover setting(s) from malware, so detect the value change,"

or

"huh, it was the user that intentionally did that value change, so don't detect."


 

If you want to PM me the Malwarebytes log you can 

  
 
Quads 
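Added example (not part of any post in this thread, and not Norton or Malwarebytes code): a read-only check over a decoded `.reg` export that reports the two Security Center values and a hidden `wscui.cpl` applet discussed above. Matching the "don't load" key by suffix and the sample export are assumptions made for illustration; as the posts note, the result shows the current state only, not who set it.

```python
import re

# Value names quoted in the thread (registry names are case-insensitive).
NOTIFY_VALUES = {"antivirusdisablednotify", "firewalldisablednotify"}
SECURITY_CENTER = r"hkey_local_machine\software\microsoft\security center"
# Assumption: any key ending in this suffix is treated as a "don't load" list.
DONT_LOAD_SUFFIX = r"\control panel\don't load"

SECTION = re.compile(r"^\[(.+)\]$")      # [HKEY_...\Some\Key]
VALUE = re.compile(r'^"(.+?)"=(.*)$')    # "Name"=data


def audit(reg_text):
    """Return (value name, finding) pairs for a decoded .reg export."""
    findings, key = [], ""
    for line in reg_text.splitlines():
        line = line.strip()
        section = SECTION.match(line)
        if section:
            key = section.group(1).lower()
            continue
        value = VALUE.match(line)
        if not value:
            continue
        name, data = value.group(1).lower(), value.group(2).strip()
        if key == SECURITY_CENTER and name in NOTIFY_VALUES:
            # 1 = "Bad" in the scanner's wording: the warning is switched off.
            if re.fullmatch(r"dword:[0-9a-fA-F]{8}", data) and int(data[6:], 16) == 1:
                findings.append((name, "notification suppressed (1)"))
        elif key.endswith(DONT_LOAD_SUFFIX) and name == "wscui.cpl":
            findings.append((name, "Security Center applet hidden"))
    return findings


# Constructed sample export, not taken from the poster's machine.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"AntiVirusDisabledNotify"=dword:00000001
"FirewallDisabledNotify"=dword:00000000

[HKEY_CURRENT_USER\Control Panel\don't load]
"wscui.cpl"="No"
'''

if __name__ == "__main__":
    for name, why in audit(SAMPLE):
        print(f"{name}: {why}")
```

Files written by regedit are usually UTF-16, so decode them before passing the text to `audit`.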
 

Thanks again.  Having mulled over all the opinions I have decided to go for the ignore option.  Furthermore having perused my Control Panel again I can see there is no real need for Windows Security Center there as I have Automatic Updates to adjust the Windows Updates preferences and Windows Firewall to switch it on or off.   Any Antivirus is covered by Norton so Windows Security Center is superfluous.  Malwarebytes Forum haven’t answered my post about this yet but from past threads there they may not have a definitive answer.  As a full NIS scan reveals nothing and neither did Adaware SE when I ran it a couple of days ago I am happy to believe that Malwarebytes is being overcautious.

Further to the above I think I’ve solved it (again). Thinking back I now realise I have never had Windows Security Center (the coloured shield icon) in my Control Panel. My computer came with NIS 2004 pre-installed and the Security Center was Norton's (a round yellow icon with a kind of zigzag through it) and inside was checked not to show (or disable?) Windows Security Center which could account for the registry entries. Since uninstalling NIS 2004 with the Norton removal tool and installing NIS 2009 that icon has disappeared. Does this sound like a reasonable explanation for it to be missing?

Hi imbart -

 

It would be hard for me to believe that Security Center was not part of your original configuration.

 

I think that Phil_D's explanation is the most plausible.

 

You could always uninstall NIS 2009 and reboot, to see if it re-appears, but I would just leave it alone if both the MBAM and NIS comprehensive scans are clean. What you should do, IMHO, is make a backup of your system using Acronis True Image Home 2009 at www.acronis.com, since you can always revert to the backup in case of a disaster.

 

Acronis is a great product and I highly recommend it.

 

:smileyhappy:

Thanks again Compumind. I am sure that Windows Security Center was part of the original configuration but my Packard Bell computer came with all kinds of factory prepared extras including NIS 2004 which put its own security center in Control Panel which as I say was checked so as to not show Windows Security Center “(recommended)” - hence I never ever saw it in Control Panel. I can still raise the Windows one with the shortcut I mentioned to wscui.cpl but even that has been taken over by Norton except for the Windows Update section as I mentioned. As you can gather I am no expert and appreciate all the advice given which predominantly seems to favour the Ignore option.

Hi imbart -

 

Your next step up from System and Network Security is Disaster Preparation.

 

The Acronis link above will help you achieve that level of comfort.

 

It is best to buy an external USB Hard Drive to make it all work.

 

Good luck!

 

:smileyhappy:

 

Thanks for the quick response.  I hope disaster is not imminent. If I hadn’t gone for Malwarebytes I would never have known about any of this. Thanks for your help and the good wishes.