Strange results from MBAM
wasted
and files that it calls Rogue.XLG, and one Registry data item
The files and folders are all subfolders of one particular folder that I
created in my Start Menu Called "Protection". In there I have all the
shortcuts to my anti-virus and anti-spyware programmes and the hits include
ALL those folders and the actual shortcut links - including MBAM itself.
There are no executable files in there, just shortcut links.
I find it hard to believe that these are real alerts - do you think I can
ignore them?
The registry item is
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\NOACTIVEDESKTOPCHANGES
Bad (1) Good (0)
Can someone please explain what this is and if I should delete it.
Many thanks
Andy Walker
The HKLM\...\NoActiveDesktopChanges registry key above determines
whether or not the users of the machine have the ability to change
their active desktop configuration. There are a large number of
trojans and malware that change that registry entry to "1" in order to
prevent users from removing the displayed content within the active
desktop. You can also set this to 1 to prevent users from changing
their wallpaper, for instance. It is not necessarily an indication
that you are compromised, but by default users are allowed to change
their active desktop settings. The Malwarebytes program flagged the
registry entry because it is more often than not an indication that
malware may be present. If you are comfortable with the appearance
and functioning of your Windows desktop, and don't plan on allowing
other users to change the desktop settings, then leave the registry
entry set to 1, otherwise set it to zero or allow Malwarebytes to do
it for you.
wasted
"Andy Walker" <awa...@nspank.invalid> wrote in message
news:493ab0e3....@news.webtv.com...
Thanks for the reply - I'm the only user, so unless other scanners suggest
otherwise, on the basis of what you describe I will leave the setting as it
is.
wasted
"wasted" <rub...@xxnone.notreal.com> wrote in message
news:QIednfj_1uS35qfU...@posted.plusnet...
Just discovered from a sequence of Googling that a folder named as
"Protection" is created by some malware or other, which is why it is
flagged. Renaming my folder has stopped it being flagged.
Dustin Cook
news:ZemdneBi37CRnaHU...@posted.plusnet:
It has to do with hueristics... MBAM has a complicated collection of
them.
--
Regards,
Dustin Cook
Malware Researcher
MalwareBytes - http://www.malwarebytes.org
wasted
"Dustin Cook" <bughunte...@gmail.com> wrote in message
news:Xns9B6EC26269...@69.16.185.250...
No problem Dustin - renaming sorted it.
Andy Walker
>Just discovered from a sequence of Googling that a folder named as
>"Protection" is created by some malware or other, which is why it is
>flagged. Renaming my folder has stopped it being flagged.
Where was the folder located? I've seen more than a few people come
in to the group asking about this and it would be good information to
have for the next request...
It's odd that renaming a folder could change a registry setting...
unless there is a program in memory that monitors the folder and makes
the registry change. I suppose MBAM could be reporting a false
positive based on what it thinks the registry entry would be if the
folder existed... which seems to me to be a bug if that's the case.
Thanks,
Andy
wasted
"Andy Walker" <awa...@nspank.invalid> wrote in message
news:493fb161....@news.webtv.com...
See my original post - the location is mentioned already. It is, or was, off
the Start menu folder.
wasted
"Andy Walker" <awa...@nspank.invalid> wrote in message
news:493fb161....@news.webtv.com...
See my original post Andy - the location is mentioned already. It is, or
was, off
the Start menu folder. I hadn't seen any previous references here (if by
"here" you mean alt.privacy.spyware). I only found one reference to it
elsewhere through Googling.
Andy Walker
>
>
>"Andy Walker" <awa...@nspank.invalid> wrote in message
>news:493fb161....@news.webtv.com...
>> wasted wrote:
>>
>>>Just discovered from a sequence of Googling that a folder named as
>>>"Protection" is created by some malware or other, which is why it is
>>>flagged. Renaming my folder has stopped it being flagged.
>>
>> Where was the folder located? I've seen more than a few people come
>> in to the group asking about this and it would be good information to
>> have for the next request...
>>
>>
>> It's odd that renaming a folder could change a registry setting...
>> unless there is a program in memory that monitors the folder and makes
>> the registry change. I suppose MBAM could be reporting a false
>> positive based on what it thinks the registry entry would be if the
>> folder existed... which seems to me to be a bug if that's the case.
>>
>> Thanks,
>> Andy
>See my original post Andy - the location is mentioned already. It is, or
>was, off
>the Start menu folder.
Ok, but that could mean a number of different locations depending upon
what you mean by "start menu". You also have (at least) two different
locations where the folder could reside "All Users" and "current_user"
are two of the most used. If you don't know the exact location then
that's fine, I just thought it would be useful to know the exact
location.
> I hadn't seen any previous references here (if by
>"here" you mean alt.privacy.spyware). I only found one reference to it
>elsewhere through Googling.
The reply I originally gave you was a cut-and-paste from one of my
prior posts on the subject. It's possible that the x-no-archive flag
was set on the post, though, because I normally honor the x-no-archive
when responding. That would remove it from Google after a few days.
wasted
"Andy Walker" <awa...@nspank.invalid> wrote in message
news:49415fd2...@news.webtv.com...
Ah - didn't think about there being a Start Menu for other users - because
I'm the only user so never see that
the full path was C:/Program Data/Microsoft/Windows/Start
Menu/Programs/Protection
Dustin Cook
@news.webtv.com:
Well, If I wasn't killfiled by you, I'd explain what's going on. :) But,
no it's not a bug.