Registry keys deleted; Can MSAS help to restore them?

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

Another anti-spyware program deleted some registry keys as possible trojans.
I have found out that this was a false positive and that those keys usually
have a value of 0 or are blank for home users. Apparently they had the value
of 1. I also understand from another forum that the change to 1 could have
been made by a program providing protection for my PC. My question is, if
MSAS was the program providing such protection, could MSAS be used to restore
those keys? I was thinking maybe a re-install might accomplish it. Of course,
I don't know if MSAS did this to begin with. I would appreciate any info
anyone can provide. The log giving the deleted registry items follows:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 10:18:40 PM, 1/26/2006
+ Report-Checksum: AC22E743

+ Scan result:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoActiveDesktopChanges -> Trojan.Small : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\DisableTaskMgr -> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-4018711648-284700086-2646643178-1010\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\\NoChangingWallPaper
-> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-4018711648-284700086-2646643178-1010\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\\NoAddingComponents
-> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-4018711648-284700086-2646643178-1010\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\\NoComponents
-> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-4018711648-284700086-2646643178-1010\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\\NoDeletingComponents
-> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-4018711648-284700086-2646643178-1010\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\\NoEditingComponents
-> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-4018711648-284700086-2646643178-1010\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\\NoCloseDragDropBands
-> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-4018711648-284700086-2646643178-1010\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\\NoMovingBands
-> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-4018711648-284700086-2646643178-1010\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\\NoHTMLWallPaper
-> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-4018711648-284700086-2646643178-1010\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoActiveDesktop
-> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-4018711648-284700086-2646643178-1010\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoSaveSettings
-> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-4018711648-284700086-2646643178-1010\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\\NoThemesTab
-> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-4018711648-284700086-2646643178-1010\Software\Microsoft\Windows\CurrentVersion\Policies\System\\DisableTaskMgr
-> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-4018711648-284700086-2646643178-1010\Software\Microsoft\Windows\CurrentVersion\Policies\System\\NoDispAppearancePage
-> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-4018711648-284700086-2646643178-1010\Software\Microsoft\Windows\CurrentVersion\Policies\System\\NoColorChoice
-> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-4018711648-284700086-2646643178-1010\Software\Microsoft\Windows\CurrentVersion\Policies\System\\NoSizeChoice
-> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-4018711648-284700086-2646643178-1010\Software\Microsoft\Windows\CurrentVersion\Policies\System\\NoDispBackgroundPage
-> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-4018711648-284700086-2646643178-1010\Software\Microsoft\Windows\CurrentVersion\Policies\System\\NoDispScrSavPage
-> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-4018711648-284700086-2646643178-1010\Software\Microsoft\Windows\CurrentVersion\Policies\System\\NoDispCPL
-> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-4018711648-284700086-2646643178-1010\Software\Microsoft\Windows\CurrentVersion\Policies\System\\NoVisualStyleChoice
-> Trojan.Small : Cleaned with backup
HKU\S-1-5-21-4018711648-284700086-2646643178-1010\Software\Microsoft\Windows\CurrentVersion\Policies\System\\NoDispSettingsPage
-> Trojan.Small : Cleaned with backup


::Report End
 
I've only a minimal familiarity with Ewido--but when the log states "Cleaned
with backup" doesn't that imply that Ewido has a backup function to make
this action reversable?

I don't think Microsoft Antispyware can reverse this action. A repair
install of the OS would, if these keys are related to the OS and not
installed programs, but a repair install is not possible with some OEM
media, as I understand it.

--
 
Hi Old Rebel

To restore a backup with Ewido, Open the main menu and click Quarantine,
Left click the entry you wish to restore then press the Restore Button, I'm
really not sure if this is a false positive though, They are not active
trojan files but the values could of been added or changed by malware to make
it more difficult to clean up, If Ewido has reset the values to 0 then its
disabled them and if Ewido deletes the key values the system behaves as
though the value is 0 so it wouldnt cause you any problems.

The only reason those policy entries would exist is if you have XP
pro,w2K/2003 and have the restrictive policies enabled and disabling the
policy would also delete the values Ewido has removed, if some tweaking tool
or your Administrator has added restrictions that would explain it and in
that sense it could get frustrating if Ewido is removing the keys but they
were not protective, If they were set to enabled then you will lose alot of
functions and control and if they are disabled it would be the same as
deleting the values.

Here's a support page showing how to lock a pc using the policy values:

http://support.microsoft.com/?kbid=198771

Here the full contents of my policy keys, This is a Windows XP Home Edition
with SP2.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"=dword:00000001
"{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}"=dword:40000021
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"=dword:00000020

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ratings]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

Hope That Helps

Andy
 
Thannk you for the information. Unfortunately, I cannot restore the items
from Ewido because I deleted them too hastily. I am only a home user and use
Windows XP SP2 Home Edition. I do not know how/why these registry keys were
set to restrictions anyway. I have not deliberately done so, and I am the
only administrator. Possibly one of my security tools did, but I would not
know which one. I use MSAS,Webroot Spysweeper, McAfee VS,Ewido,Spybot S&D, Ad
AwareSE Personal, AOL AntiSpyware, X Cleaner free edition, and
Spywareblaster. OF COURSE I do NOT use all of them for real time protection.
Perhaps the immunizations from Webroot, Spybot, or Spywareblaster came into
play here,but I do not know. There is a possibility that changes were made by
Malware. I had to remove fragments of something related to Smitfraud or
Spyware Strike, and used Ewido, Ad Aware, and Smitrem to do so. I never had
the complete infection, but small changes could have been made before I
cleaned up. I guess I'll never know for sure. Thanks again. At least I can
continue unimpeded with the registry as it is.
--
Old Rebel: Too Old to Rebel; Too Young to just take it!


AndyManchesta said:
Hi Old Rebel

To restore a backup with Ewido, Open the main menu and click Quarantine,
Left click the entry you wish to restore then press the Restore Button, I'm
really not sure if this is a false positive though, They are not active
trojan files but the values could of been added or changed by malware to make
it more difficult to clean up, If Ewido has reset the values to 0 then its
disabled them and if Ewido deletes the key values the system behaves as
though the value is 0 so it wouldnt cause you any problems.

The only reason those policy entries would exist is if you have XP
pro,w2K/2003 and have the restrictive policies enabled and disabling the
policy would also delete the values Ewido has removed, if some tweaking tool
or your Administrator has added restrictions that would explain it and in
that sense it could get frustrating if Ewido is removing the keys but they
were not protective, If they were set to enabled then you will lose alot of
functions and control and if they are disabled it would be the same as
deleting the values.

Here's a support page showing how to lock a pc using the policy values:

http://support.microsoft.com/?kbid=198771

Here the full contents of my policy keys, This is a Windows XP Home Edition
with SP2.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"=dword:00000001
"{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}"=dword:40000021
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"=dword:00000020

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ratings]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

Hope That Helps

Andy
Click to expand...
 
Hey Old Rebel,

Thanks for the extra information , Everything Ewido removed is fine for your
system as they should not exist but Ewido removing them could be a problem
for Administrators if they have been put in place for a valid reason, it does
look like Ewido has removed most of them from the scanner as I cannot
re-create the results by adding restrictions and disabling Task Manager
etc.., I think its possible Ewido was detecting them with a value of 0
(disabled) on your system and removing them because of the connection to
Smitfraud variants, Here's a couple of variants that add policy restrictions

http://www.sophos.com/virusinfo/analyses/trojspyjackb.html
http://www.sophos.com/virusinfo/analyses/trojspywade.html
http://www.sophos.com/virusinfo/analyses/trojfakealec.html

All the entries Ewido found are added by smitRem with a value of 0 so if it
was removing them it would be a false positive as they were already disabled
and not causing any restrictions,

Here's my policy keys after running smitRem:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktopChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"=dword:00000001
"{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}"=dword:40000021
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"=dword:00000020

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ratings]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableTaskMgr"=dword:00000000

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallPaper"=dword:00000000
"NoAddingComponents"=dword:00000000
"NoComponents"=dword:00000000
"NoDeletingComponents"=dword:00000000
"NoEditingComponents"=dword:00000000
"NoCloseDragDropBands"=dword:00000000
"NoMovingBands"=dword:00000000
"NoHTMLWallPaper"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"NoSaveSettings"=dword:00000000
"ClassicShell"=dword:00000000
"NoThemesTab"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000
"NoDispAppearancePage"=dword:00000000
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000

If I scan my registry with Ewido it shows clear, After using Smitrem, Ewido
then shows one Trojan Small entry for 'NoActiveDesktopChanges' , If I set the
value to 0 or 1 it still detects it as Trojan Small which makes me think
Ewido has removed the other detections from their malware definitions
especially if they also detected a Trojan even if it was set to 0,

Here the Ewido scan after running smitRem:

--------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 6:16:26 PM, 1/29/2006
+ Report-Checksum: 21F1A0C4

+ Scan result:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoActiveDesktopChanges -> Trojan.Small : Cleaned with backup

::Report End

Ewido removing them isnt really a big problem for XP Home users as the Group
Policy isnt supported but I'm sure they have been getting some feedback from
all the other Windows users who have them entries in place for genuine
reasons :)

All The Best

Andy
 
Thank you, Andy. The Mystery has been solved!
--
Old Rebel: Too Old to Rebel; Too Young to just take it!


AndyManchesta said:
Hey Old Rebel,

Thanks for the extra information , Everything Ewido removed is fine for your
system as they should not exist but Ewido removing them could be a problem
for Administrators if they have been put in place for a valid reason, it does
look like Ewido has removed most of them from the scanner as I cannot
re-create the results by adding restrictions and disabling Task Manager
etc.., I think its possible Ewido was detecting them with a value of 0
(disabled) on your system and removing them because of the connection to
Smitfraud variants, Here's a couple of variants that add policy restrictions

http://www.sophos.com/virusinfo/analyses/trojspyjackb.html
http://www.sophos.com/virusinfo/analyses/trojspywade.html
http://www.sophos.com/virusinfo/analyses/trojfakealec.html

All the entries Ewido found are added by smitRem with a value of 0 so if it
was removing them it would be a false positive as they were already disabled
and not causing any restrictions,

Here's my policy keys after running smitRem:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktopChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"=dword:00000001
"{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}"=dword:40000021
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"=dword:00000020

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ratings]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableTaskMgr"=dword:00000000

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallPaper"=dword:00000000
"NoAddingComponents"=dword:00000000
"NoComponents"=dword:00000000
"NoDeletingComponents"=dword:00000000
"NoEditingComponents"=dword:00000000
"NoCloseDragDropBands"=dword:00000000
"NoMovingBands"=dword:00000000
"NoHTMLWallPaper"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"NoSaveSettings"=dword:00000000
"ClassicShell"=dword:00000000
"NoThemesTab"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000
"NoDispAppearancePage"=dword:00000000
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000

If I scan my registry with Ewido it shows clear, After using Smitrem, Ewido
then shows one Trojan Small entry for 'NoActiveDesktopChanges' , If I set the
value to 0 or 1 it still detects it as Trojan Small which makes me think
Ewido has removed the other detections from their malware definitions
especially if they also detected a Trojan even if it was set to 0,

Here the Ewido scan after running smitRem:

--------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 6:16:26 PM, 1/29/2006
+ Report-Checksum: 21F1A0C4

+ Scan result:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoActiveDesktopChanges -> Trojan.Small : Cleaned with backup

::Report End

Ewido removing them isnt really a big problem for XP Home users as the Group
Policy isnt supported but I'm sure they have been getting some feedback from
all the other Windows users who have them entries in place for genuine
reasons :)

All The Best

Andy
Click to expand...
 
Back
Top