
Malwarebytes false positive?


Book 'em Dan'O'
Nov 21, 2008, 1:06:43 PM
Just updated to latest definitions and ran a scan and it is showing the
below issue. I believe this is a false positive. Correct?


Malwarebytes' Anti-Malware 1.30
Database version: 1414
Windows 6.0.6001 Service Pack 1

11/21/2008 09:47:53
mbam-log-2008-11-21 (09-47-33).txt

Scan type: Quick Scan
Objects scanned: 42055
Time elapsed: 1 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges
(Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Dustin Cook
Nov 21, 2008, 11:44:13 PM
"Book 'em Dan'O'" <fi...@O.here> wrote in
news:TMCVk.1681$oy1....@fe04.news.easynews.com:

> Just updated to latest definitions and ran a scan and it is showing
> the below issue. I believe this is a false positive. Correct?

> Registry Data Items Infected:
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges
> (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

Nope. It's actually a policy setting. If you did it on purpose, select to
ignore it. If not, let MBAM fix it.


--
Regards,
Dustin Cook
Malware Researcher
MalwareBytes - http://www.malwarebytes.org

Mr. Toast
Nov 22, 2008, 11:56:57 AM
Dustin Cook <bughunte...@gmail.com> wrote in
news:Xns9B5DF18FCB3...@69.16.185.247:

>> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges
>> (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
>
> Nope. It's actually a policy setting. If you did it on purpose, select
> to ignore it. If not, let MBAM fix it.
>
>

Well, I don't know what the policy change is exactly so don't know if it is
something I set or not. I use a limited user account on the internet so
nothing could have changed a registry setting. I did use TweakUAC to put
UAC into quiet mode and I also have a 3rd party file manager
(Freecommander) that is set to read hidden files. Does that reg change
apply to either of those?

Andy Walker
Nov 22, 2008, 1:00:10 PM
Mr. Toast wrote:

The HKLM\...\NoActiveDesktopChanges registry key above determines
whether or not the users of the machine have the ability to change
their active desktop configuration. There are a large number of
trojans and malware that change that registry entry to "1" in order to
prevent users from removing the displayed content within the active
desktop. You can also set this to 1 to prevent users from changing
their wallpaper, for instance. It is not necessarily an indication
that you are compromised, but by default users are allowed to change
their active desktop settings. The Malwarebytes program flagged the
registry entry because it is more often than not an indication that
malware may be present. If you are comfortable with the appearance
and functioning of your Windows desktop, and don't plan on allowing
other users to change the desktop settings, then leave the registry
entry set to 1, otherwise set it to zero or allow Malwarebytes to do
it for you.

Cheers,
Andy

Mr. Toast
Nov 22, 2008, 3:30:12 PM
Andy Walker <awa...@nspank.invalid> wrote in
news:492845d2....@news.webtv.com:

> The HKLM\...\NoActiveDesktopChanges registry key above determines
> whether or not the users of the machine have the ability to change
> their active desktop configuration. There are a large number of
> trojans and malware that change that registry entry to "1" in order to
> prevent users from removing the displayed content within the active
> desktop. You can also set this to 1 to prevent users from changing
> their wallpaper, for instance. It is not necessarily an indication
> that you are compromised, but by default users are allowed to change
> their active desktop settings. The Malwarebytes program flagged the
> registry entry because it is more often than not an indication that
> malware may be present. If you are comfortable with the appearance
> and functioning of your Windows desktop, and don't plan on allowing
> other users to change the desktop settings, then leave the registry
> entry set to 1, otherwise set it to zero or allow Malwarebytes to do
> it for you.
>
> Cheers,
> Andy
>

OK, thanks. Understand now.

Dustin Cook
Nov 22, 2008, 7:10:54 PM
"Mr. Toast" <bu...@toast.invalid> wrote in
news:tRWVk.5011$Kc2...@fe09.news.easynews.com:

I do not know. It just controls the display properties page, i.e., whether
it's available to you or not.

cgriffy
Dec 31, 2008, 11:22:54 AM

I have run the full scan 9 times and have started my 10th run over the
course of a month. Each time I run it, the tool reports:
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage
(Hijack.Homepage) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper
(Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

I have had the tool do the repair each time. However, the problem keeps
returning. Why could it be returning? It seems like there is a sleeper
somewhere on my disk that Malwarebytes is not finding to clean off?

Got any suggestions?

Curtis


--
cgriffy
------------------------------------------------------------------------
cgriffy's Profile: http://forums.techarena.in/members/cgriffy.htm
View this thread: http://forums.techarena.in/anonymity-privacy-spam/1075636.htm

http://forums.techarena.in
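As an added example (not code from this thread or from Malwarebytes), a small Python parser for the "Registry Data Items Infected" section of the MBAM logs pasted in the first post and in cgriffy's post above: it rejoins entries that the newsreader wrapped, pulls out hive, key, value name, detection name and action, and applies the triage the replies recommend for the policy values discussed here. The sample section and the KNOWN_POLICIES notes are assembled from this thread, not from any Malwarebytes definition.

```python
import re

# "Registry Data Items Infected" sections copied from the two logs posted in this
# thread; the newsreader wrapped long lines, so an entry may continue on the next line.
SAMPLE_SECTION = r"""Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges
(Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control
Panel\Homepage (Hijack.Homepage) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper
(Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)
"""

# One MBAM detection line: <hive>\<key>\<value> (<detection>) -> Bad: (n) Good: (n) -> <action>.
ENTRY_RE = re.compile(
    r"^(?P<hive>HKEY_[A-Z_]+)\\(?P<key>.+)\\(?P<value>[^\\]+?) "
    r"\((?P<detection>[^)]+)\) -> Bad: \((?P<bad>\d+)\) Good: \((?P<good>\d+)\) "
    r"-> (?P<action>.+?)\.?$")

# Policy values discussed in the thread and the benign explanations the replies give for them.
KNOWN_POLICIES = {
    "NoActiveDesktopChanges": "Explorer policy locking the Active Desktop; also set deliberately or by Group Policy",
    "NoChangingWallpaper": "ActiveDesktop policy blocking wallpaper changes",
    "Homepage": "IE policy locking the home page; tools such as SpywareBlaster set it",
}

def parse_registry_data_items(log_text):
    """Return one dict per entry in the 'Registry Data Items Infected' section.
    A line not starting with HKEY_ continues the previous entry (undoes line wrapping)."""
    in_section, entries = False, []
    for line in log_text.splitlines():
        if line.strip() == "Registry Data Items Infected:":  # section header, not the summary count
            in_section = True
            continue
        if not in_section:
            continue
        if not line.strip():  # a blank line ends the section
            break
        if line.startswith("HKEY_"):
            entries.append(line.rstrip())
        elif entries and not line.startswith("(No malicious"):
            entries[-1] += " " + line.strip()
    matches = (ENTRY_RE.match(e) for e in entries)
    return [m.groupdict() for m in matches if m]

def triage(entry):
    """Apply the thread's advice: a known policy value in its 'bad' state needs a
    'did I, a hardening tool, or Group Policy set this?' check before remediation."""
    if entry["value"] in KNOWN_POLICIES and entry["bad"] == "1":
        return "verify-intent: " + KNOWN_POLICIES[entry["value"]]
    return "unknown policy value: treat as suspicious"
```

A detection that keeps coming back after MBAM "fixes" it, as in cgriffy's case, is a hint that something (Group Policy on a domain, or a hardening tool) re-applies the value, which is exactly what the verify-intent classification is meant to prompt.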

Buffalo
Dec 31, 2008, 1:14:22 PM

cgriffy wrote:
> I have run the full scan 9 times and have started my 10th run over the
> course of a month. Each time I run it, the tool reports:
> Registry Data Items Infected:
> HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage
> (Hijack.Homepage) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper
> (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and
> deleted successfully.
>
> I have had the tool do the repair each time. However, the problem
> keeps returning. Why could it be returning? It seems like there is a
> sleeper somewhere on my disk that Malwarebytes is not finding to
> clean off?
>
> Got any suggestions?
>
> Curtis

If you have another program, such as SpyWareBlaster which allows you to lock
your homepage, MBAM will see it as a HiJack and bring it to your attention.
If that is the case, just set MBAM to 'ignore' that entry.
A similar situation may be with your 'Not Changing Wallpaper'.


Kayman
Jan 1, 2009, 5:08:31 AM
On Wed, 31 Dec 2008 21:52:54 +0530, cgriffy wrote:

> I have run the full scan 9 times and have started my 10th run over the
> course of a month. Each time I run it, the tool reports:
> Registry Data Items Infected:
> HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control
> Panel\Homepage (Hijack.Homepage) -> Bad: (1) Good: (0) -> Quarantined
> and deleted successfully.
> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper
> (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and
> deleted successfully.
> I have had the tool do the repair each time. However, the problem keeps
> returning. Why could it be returning? It seems like there is a sleeper
> somewhere on my disk that Malwarebytes is not finding to clean off?
> Got any suggestions?

1. CCleaner - Free
Cleans temporary internet files, cookies, history, recent URLs, application
MRUs, etc. ...
http://www.filehippo.com/download_ccleaner/
The toolbar offered prior to installation is not required!
If Windows Defender is utilized go to Applications, under Utilities
uncheck "Windows Defender" (so it won't delete the history of WD).
If you wish, click the 'Options' button, then 'Settings', [check] 'Run CCleaner
when the computer starts'.

2. Download and execute HiJack This! (HJT)
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis

Please, do not post HJT logs to this newsgroup.

Fora where you can get expert advice for HiJack This! (HJT) logs.

http://www.thespykiller.co.uk/index.php?board=3.0
http://www.spywarewarrior.com/viewforum.php?f=5
http://forums.tomcoyote.org/index.php?showforum=27
http://www.bleepingcomputer.com/forums/forum22.html
http://www.malwarebytes.org/forums/index.php?showforum=7
http://www.5starsupport.com/ipboard/index.php?showforum=18
http://www.theeldergeek.com/forum/index.php?s=2e9ea4e19d3289dd877ab75a8220bff6&showforum=29

NOTE:
Registration is required in any of the above-mentioned fora before posting
a HJT log, and read the 'stickies' (instructions/guidelines) for the
respective HJT forum.

Good luck :)

Dustin Cook
Jan 4, 2009, 6:21:47 PM
cgriffy <cgriffy...@DoNotSpam.com> wrote in
news:cgriffy...@DoNotSpam.com:

> I have run the full scan 9 times and have started my 10th run over the
> course of a month. Each time I run it, the tool reports:
> Registry Data Items Infected:
> HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet
> Explorer\Control Panel\Homepage (Hijack.Homepage) -> Bad: (1) Good:
> (0) -> Quarantined and deleted successfully.
> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ac
> tiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1)
> Good: (0) -> Quarantined and deleted successfully.
>
> I have had the tool do the repair each time. However, the problem
> keeps returning. Why could it be returning? It seems like there is a
> sleeper somewhere on my disk that Malwarebytes is not finding to clean
> off?

Is this computer part of a network? If so, group policies will override
our efforts to undo them.

> Got any suggestions?

Have MBAM ignore them. We have no way of knowing if you set those keys,
or if malware did. As such, we offer to remove policies that are found
and commonly set by malware.

alexcomp
May 27, 2009, 10:38:14 AM

So my no active desktop change policy is set to 1 also but I'm able to
change wallpaper and access display properties. What are my limitations
with this policy set? Maybe it's not alive because I have user account
control turned off?


--
alexcomp

Security helper
Jan 28, 2010, 10:51:50 PM

Yes, I have the same problem. I do not believe, however that it is of
any concern. After "fixing" it, Spyware doctor (that's right, a security
program) had to restart IntelliGuard. This simply could be one security
program not liking the processes of another.
I have a free trial version of Malwarebytes, Norton 2010, and Spyware
Doctor 2010, and nothing is wrong with my computer (no slow down or
etcetera.)
I'm not sure if this works, but if you are seeming to have a virus
problem, you could try clearing all browser history, and use Firefox. I
happened to get some non-malicious tracking cookies and adware, and my
computer is clean. Not all adware is bad, though.


--
Security helper

David H. Lipman
Feb 5, 2010, 6:08:59 AM
From: "Security helper" <Security.he...@DoNotSpam.com>


| Yes, I have the same problem.

No, you have MORE of a problem, it's called techarena.in

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


Beauregard T. Shagnasty
Feb 5, 2010, 6:59:17 AM
David H. Lipman wrote:

> From: "Security helper" <Security.he...@DoNotSpam.com>
>| Yes, I have the same problem.
>
> No, you have MORE of a problem, it's called techarena.in

<g> Yes, another Usenet-scraper. And what's with them holding 'forum'
posts for five days before releasing to Usenet? There's a new post from
them in a.c.a-v .. where three of their "members" have replied to a
thread from last March.

--
-bts
-Four wheels carry the body; two wheels move the soul

IRnuts2
Feb 26, 2010, 9:22:13 PM

I bought a brand new Acer laptop from newegg, and opened it today. After
initial setup with first boot etc I logged on to the net and
1. Went to Acer website to register the laptop,
2. Went to windows updates and downloaded updates for win7
3. downloaded ms security essentials and installed, and ran scan, came
up green, and then
4. downloaded and installed MBytes, ran scan, and came up with the same
scan results....
Hijack.DisplayProperties

Now, I am thinking it is extremely unlikely I picked up a trojan "out
there" that quickly while working at 3 very reliable and safe sites.
So...
My question is...Was this hijack routine;
a) created by Acer when doing an info seek to see if I'm a legitimate
Acer laptop (??) yet MS SE missed the registry change while doing the
initial scan immediately after (hmmmm, unlikely?)
b) MS did this when checking my win7 version and checking if I have
admin rights while installing the desktop icons for MS Sec. Essentials??,
OR
c) MBytes did it while installing desktop and start menu icons, then
unknowingly flags the traces of its own activity?? wouldn't that be
funny.

I'm a mechanical engineer and think in terms of function, but a
complete novice to this stuff, so it's a bit frustrating that I don't (at
present) know how to begin researching this problem. If I knew a little
more about win code I'd go digging and find out what is really
happening, but it sure would be nice if someone who really knows what
he's doing could explain to us exactly what must occur for this string
to be deposited in the registry, and what legitimate processes could do
it. Because it SURE seems like a false positive to me.
Or should I say a "safe" positive. By that I mean a tracking routine
deposited during a noninjurious process, but junk that certainly doesn't
need to be on our systems and needs cleaning.


Andy Walker wrote:
> The HKLM\...\NoActiveDesktopChanges registry key above determines
> whether or not the users of the machine have the ability to change
> their active desktop configuration. There are a large number of
> trojans and malware that change that registry entry to "1" in order to
> prevent users from removing the displayed content within the active
> desktop. You can also set this to 1 to prevent users from changing
> their wallpaper, for instance. It is not necessarily an indication
> that you are compromised, but by default users are allowed to change
> their active desktop settings. The Malwarebytes program flagged the
> registry entry because it is more often than not an indication that
> malware may be present. If you are comfortable with the appearance
> and functioning of your Windows desktop, and don't plan on allowing
> other users to change the desktop settings, then leave the registry
> entry set to 1, otherwise set it to zero or allow Malwarebytes to do
> it for you.


--
IRnuts2

rogerd
Mar 24, 2010, 4:57:20 PM

I had the same issue, and did some reading on the web (Google search for
Hijack.DisplayProperties) -- some of the items on the MalwareBytes forum
were pretty helpful.

From what I gather, on older OSes (XP vintage), this registry setting
was normally turned off, and was often turned on by malware (as well as
some legitimate software) that messed with your Active Desktop to make
it harder for you to undo what they'd done, so seeing it turned on was a
suspicious sign (though not conclusive proof that you were infected).
On newer OSes (I'm running Vista 64-bit) the setting is turned on by
default, so it's simply a false positive. So how much you need to worry
about seeing this depends on what OS you're running. On a brand new
laptop, I'd guess you have Vista or Win 7, in which case don't worry,
just set MalwareBytes to ignore this (and if you removed it, you can
restore it from quarantine, though it's not a big deal).

Basically, what the setting does is stop you changing the contents of
the Windows Active Desktop (the ability to use a webpage as your desktop
- MS added this feature during the legal fight about whether IE was a
web browser competitor to Netscape or a part of the operating system, I
imagine to strengthen their case that IE was part of the operating
system. Very few people use it, since it's clunky, though it's actually
kind of a cool idea to be able to have something off the web as
your desktop -- I wish MS had made it not clunky rather than disabling
it, though it did have potential security issues since you were
basically running IE immediately on startup).

So the short answer is that if Hijack.DisplayProperties is detected,
you're on XP, and you have a Viagra advert site as your desktop and
can't get rid of it, you have a problem. But if you're on Vista or Win
7, it's going to be detected, and if your desktop looks normal, it's
almost certainly a false alarm.

I wish MalwareBytes was smart enough to know that on some OSes this is
the default setting so it should ignore it, even though on other OSes
it's a useful warning sign.


--
rogerd
