Thread: Malwarebytes false positive?

  1. #1
    Book 'em Dan'O' Guest

    Malwarebytes false positive?

    Just updated to latest definitions and ran a scan and it is showing the
    below issue. I believe this is a false positive. Correct?


    Malwarebytes' Anti-Malware 1.30
    Database version: 1414
    Windows 6.0.6001 Service Pack 1

    11/21/2008 09:47:53
    mbam-log-2008-11-21 (09-47-33).txt

    Scan type: Quick Scan
    Objects scanned: 42055
    Time elapsed: 1 minute(s), 10 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 1
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges
    (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)



  2. #2
    Dustin Cook Guest

    Re: Malwarebytes false positive?

    "Book 'em Dan'O'" <five@O.here> wrote in
    news:TMCVk.1681$oy1.1016@fe04.news.easynews.com:

    > Just updated to latest definitions and ran a scan and it is showing
    > the below issue. I believe this is a false positive. Correct?
    > Registry Data Items Infected:
    > HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges
    > (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.


    Nope. It's actually a policy setting. If you did it on purpose, select to
    ignore it. If not, let MBAM fix it.


    --
    Regards,
    Dustin Cook
    Malware Researcher
    MalwareBytes - http://www.malwarebytes.org



  3. #3
    Mr. Toast Guest

    Re: Malwarebytes false positive?

    Dustin Cook <bughunter.dustin@gmail.com> wrote in
    news:Xns9B5DF18FCB341HHI2948AJD832@69.16.185.247:

    >> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges
    >> (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

    >
    > Nope. It's actually a policy setting. If you did it on purpose, select
    > to ignore it. If not, let MBAM fix it.
    >
    >


    Well, I don't know what the policy change is exactly so don't know if it is
    something I set or not. I use a limited user account on the internet so
    nothing could have changed a registry setting. I did use TweakUAC to put
    UAC into quiet mode and I also have a 3rd party file manager
    (Freecommander) that is set to read hidden files. Does that reg change
    apply to either of those?

  4. #4
    Andy Walker Guest

    Re: Malwarebytes false positive?

    Mr. Toast wrote:

    >Dustin Cook <bughunter.dustin@gmail.com> wrote in
    >news:Xns9B5DF18FCB341HHI2948AJD832@69.16.185.247:
    >
    >>> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges
    >>> (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

    >>
    >> Nope. It's actually a policy setting. If you did it on purpose, select
    >> to ignore it. If not, let MBAM fix it.
    >>
    >>

    >
    >Well, I don't know what the policy change is exactly so don't know if it is
    >something I set or not. I use a limited user account on the internet so
    >nothing could have changed a registry setting. I did use TweakUAC to put
    >UAC into quiet mode and I also have a 3rd party file manager
    >(Freecommander) that is set to read hidden files. Does that reg change
    >apply to either of those?


    The HKLM\...\NoActiveDesktopChanges registry key above determines
    whether or not the users of the machine have the ability to change
    their active desktop configuration. There are a large number of
    trojans and malware that change that registry entry to "1" in order to
    prevent users from removing the displayed content within the active
    desktop. You can also set this to 1 to prevent users from changing
    their wallpaper, for instance. It is not necessarily an indication
    that you are compromised, but by default users are allowed to change
    their active desktop settings. The Malwarebytes program flagged the
    registry entry because it is more often than not an indication that
    malware may be present. If you are comfortable with the appearance
    and functioning of your Windows desktop, and don't plan on allowing
    other users to change the desktop settings, then leave the registry
    entry set to 1; otherwise set it to zero or allow Malwarebytes to do
    it for you.

    Cheers,
    Andy

  5. #5
    Mr. Toast Guest

    Re: Malwarebytes false positive?

    Andy Walker <awalker@nspank.invalid> wrote in
    news:492845d2.883789265@news.webtv.com:

    > The HKLM\...\NoActiveDesktopChanges registry key above determines
    > whether or not the users of the machine have the ability to change
    > their active desktop configuration. There are a large number of
    > trojans and malware that change that registry entry to "1" in order to
    > prevent users from removing the displayed content within the active
    > desktop. You can also set this to 1 to prevent users from changing
    > their wallpaper, for instance. It is not necessarily an indication
    > that you are compromised, but by default users are allowed to change
    > their active desktop settings. The Malwarebytes program flagged the
    > registry entry because it is more often than not an indication that
    > malware may be present. If you are comfortable with the appearance
    > and functioning of your Windows desktop, and don't plan on allowing
    > other users to change the desktop settings, then leave the registry
    > entry set to 1; otherwise set it to zero or allow Malwarebytes to do
    > it for you.
    >
    > Cheers,
    > Andy
    >


    OK, thanks. Understand now.

  6. #6
    Dustin Cook Guest

    Re: Malwarebytes false positive?

    "Mr. Toast" <burnt@toast.invalid> wrote in
    news:tRWVk.5011$Kc2.661@fe09.news.easynews.com:

    > Dustin Cook <bughunter.dustin@gmail.com> wrote in
    > news:Xns9B5DF18FCB341HHI2948AJD832@69.16.185.247:
    >
    >>> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges
    >>> (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

    >>
    >> Nope. It's actually a policy setting. If you did it on purpose,
    >> select to ignore it. If not, let MBAM fix it.
    >>
    >>

    >
    > Well, I don't know what the policy change is exactly so don't know if
    > it is something I set or not. I use a limited user account on the
    > internet so nothing could have changed a registry setting. I did use
    > TweakUAC to put UAC into quiet mode and I also have a 3rd party file
    > manager (Freecommander) that is set to read hidden files. Does that
    > reg change apply to either of those?
    >


    I do not know. It just controls the display properties page. IE: whether
    it's available to you or not.


    --
    Regards,
    Dustin Cook
    Malware Researcher
    MalwareBytes - http://www.malwarebytes.org



  7. #7
    cgriffy Guest

    Re: Malwarebytes false positive?


    I have run the full scan 9 times and have started my 10th run over the
    course of a month. Each time I run it, the tool reports:
    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage
    (Hijack.Homepage) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper
    (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    I have had the tool do the repair each time. However, the problem keeps
    returning. Why could it be returning? It seems like there is a sleeper
    somewhere on my disk that Malwarebytes is not finding to clean off?

    Got any suggestions?

    Curtis


    --
    cgriffy
    ------------------------------------------------------------------------
    cgriffy's Profile: http://forums.techarena.in/members/cgriffy.htm
    View this thread: http://forums.techarena.in/anonymity...am/1075636.htm

    http://forums.techarena.in


  8. #8
    Buffalo Guest

    Re: Malwarebytes false positive?



    cgriffy wrote:
    > I have run the full scan 9 times and have started my 10th run over the
    > course of a month. Each time I run it, the tool reports:
    > Registry Data Items Infected:
    > HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage
    > (Hijack.Homepage) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    > HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper
    > (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    >
    > I have had the tool do the repair each time. However, the problem
    > keeps returning. Why could it be returning? It seems like there is a
    > sleeper somewhere on my disk that Malwarebytes is not finding to
    > clean off?
    >
    > Got any suggestions?
    >
    > Curtis


    If you have another program, such as SpyWareBlaster which allows you to lock
    your homepage, MBAM will see it as a HiJack and bring it to your attention.
    If that is the case, just set MBAM to 'ignore' that entry.
    A similar situation may be with your 'Not Changing Wallpaper'.



  9. #9
    Kayman Guest

    Re: Malwarebytes false positive?

    On Wed, 31 Dec 2008 21:52:54 +0530, cgriffy wrote:

    > I have run the full scan 9 times and have started my 10th run over the
    > course of a month. Each time I run it, the tool reports:
    > Registry Data Items Infected:
    > HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage
    > (Hijack.Homepage) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    > HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper
    > (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    > I have had the tool do the repair each time. However, the problem keeps
    > returning. Why could it be returning? It seems like there is a sleeper
    > somewhere on my disk that Malwarebytes is not finding to clean off?
    > Got any suggestions?


    1.CCleaner - Free
    Cleans temporary internet files, cookies, history, recent urls, application
    MRUs, etc. ...
    http://www.filehippo.com/download_ccleaner/
    The toolbar offered prior installation is not required!
    If Windows Defender is utilized go to Applications, under Utilities
    uncheck "Windows Defender" (so it won't delete the history of WD).
    If you wish, click the 'Options' button, then under 'Settings' check 'Run
    CCleaner when the computer starts'.

    2.Download and execute HiJack This! (HJT)
    http://www.trendsecure.com/portal/en...ols/hijackthis

    Please, do not post HJT logs to this newsgroup.

    Fora where you can get expert advice for HiJack This! (HJT) logs.

    http://www.thespykiller.co.uk/index.php?board=3.0
    http://www.spywarewarrior.com/viewforum.php?f=5
    http://forums.tomcoyote.org/index.php?showforum=27
    http://www.bleepingcomputer.com/forums/forum22.html
    http://www.malwarebytes.org/forums/i...hp?showforum=7
    http://www.5starsupport.com/ipboard/...p?showforum=18
    http://www.theeldergeek.com/forum/in...6&showforum=29

    NOTE:
    Registration is required in any of the above mentioned fora before posting
    a HJT log and read the 'stickies' (instructions/guidelines) for the
    respective HJT forum.

    Good luck

  10. #10
    Dustin Cook Guest

    Re: Malwarebytes false positive?

    cgriffy <cgriffy.3lamja@DoNotSpam.com> wrote in
    news:cgriffy.3lamja@DoNotSpam.com:

    > I have run the full scan 9 times and have started my 10th run over the
    > course of a month. Each time I run it, the tool reports:
    > Registry Data Items Infected:
    > HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage
    > (Hijack.Homepage) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    > HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper
    > (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    >
    > I have had the tool do the repair each time. However, the problem
    > keeps returning. Why could it be returning? It seems like there is a
    > sleeper somewhere on my disk that Malwarebytes is not finding to clean
    > off?


    Is this computer part of a network? If so, group policies will override
    our efforts to undo them.

    > Got any suggestions?


    Have MBAM ignore them. We have no way of knowing if you set those keys,
    or if malware did. As such, we offer to remove policies that are found
    and commonly set by malware.


    --
    Regards,
    Dustin Cook
    Malware Researcher
    MalwareBytes - http://www.malwarebytes.org
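    Added example (editor's note, not code from the thread or from Malwarebytes): a PowerShell script that audits the policy values named in this thread (NoActiveDesktopChanges, NoChangingWallpaper and the IE Homepage lock), reports each one in the same Bad/Good form MBAM used in post #4's explanation, resets them to 0 on request, and then checks for the situation Dustin describes in post #10, where a local or domain Group Policy silently re-applies the value after every cleanup. The HKCU copy of NoActiveDesktopChanges, the -Remediate switch and the Registry.pol substring scan are this script's own assumptions; MBAM does not expose such a switch, and the scan is a plain text search rather than a full parser of the policy file format. Run it from an elevated PowerShell 3.0 or later session.

```powershell
# Added example, not from the original thread. Audits the Explorer/IE policy
# values that MBAM flagged, optionally resets them, and warns when Group
# Policy would set them again. Requires an elevated PowerShell 3.0+ session.
[CmdletBinding(SupportsShouldProcess)]
param([switch]$Remediate)   # assumed switch; MBAM has no equivalent

# Values from the thread, with the hive each was reported under. The HKCU
# Explorer entry is an assumption (the thread only shows the HKLM one).
# "Good" is 0 or absent, which is what MBAM reported as Good: (0).
$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer';      Name = 'NoActiveDesktopChanges'; Sig = 'Hijack.DisplayProperties' },
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer';      Name = 'NoActiveDesktopChanges'; Sig = 'Hijack.DisplayProperties' },
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'; Name = 'NoChangingWallpaper';    Sig = 'Hijack.DisplayProperties' },
    @{ Path = 'HKCU:\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel';      Name = 'Homepage';               Sig = 'Hijack.Homepage' }
)

# Returns the DWORD stored at Path\Name, or $null if the key or value is absent.
function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

foreach ($c in $checks) {
    $v = Get-PolicyValue -Path $c.Path -Name $c.Name
    $state = if ($null -eq $v -or $v -eq 0) { 'Good' } else { 'Bad' }
    $shown = if ($null -eq $v) { 'absent' } else { $v }
    '{0}\{1} ({2}) -> {3}: ({4})' -f $c.Path, $c.Name, $c.Sig, $state, $shown

    # Same fix MBAM offers: set the policy value back to 0. Honours -WhatIf.
    if ($state -eq 'Bad' -and $Remediate -and
        $PSCmdlet.ShouldProcess("$($c.Path)\$($c.Name)", 'Reset to 0')) {
        Set-ItemProperty -Path $c.Path -Name $c.Name -Value 0 -Type DWord
    }
}

# Post #10's point: if Group Policy sets these values, every gpupdate (and
# every logon) puts them back, so the "infection" returns scan after scan.
# Local policy lives in Registry.pol files; these are UTF-16LE, so decoding
# the bytes as Unicode and searching for the value name is enough to tell
# whether local policy mentions it. A domain GPO is visible in
#   gpresult /scope user /v
# under the Registry settings section and must be fixed on the domain side.
$polFiles = @(
    "$env:SystemRoot\System32\GroupPolicy\User\Registry.pol",
    "$env:SystemRoot\System32\GroupPolicy\Machine\Registry.pol"
)
foreach ($p in $polFiles) {
    if (-not (Test-Path -Path $p)) { continue }
    $txt = [System.Text.Encoding]::Unicode.GetString([System.IO.File]::ReadAllBytes($p))
    foreach ($name in ($checks.Name | Select-Object -Unique)) {
        if ($txt -match [regex]::Escape($name)) {
            Write-Warning "$name is set by local policy in $p; change it in gpedit.msc or it will return after gpupdate."
        }
    }
}
```

    Usage: `.\Check-HijackPolicies.ps1` reports only; `.\Check-HijackPolicies.ps1 -Remediate -WhatIf` shows which values would be reset, and `-Remediate` alone resets them. A value that reads Bad again after `gpupdate /force` was set by policy, not by something MBAM missed, which is the case in posts #7 through #10; if no policy mentions it and it still comes back, something on the machine is rewriting it and the follow-up is the kind of startup and process review the HJT forums in post #9 handle.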


