
Thread: Strange results from MBAM

  1. #1
    wasted Guest

    Strange results from MBAM

    Hi I just updated MBAM and did a full scan and it found 18 hits of folders
    and files that it calls Rogue.XLG, and one Registry data item

    The files and folders are all subfolders of one particular folder that I
    created in my Start Menu Called "Protection". In there I have all the
    shortcuts to my anti-virus and anti-spyware programmes and the hits include
    ALL those folders and the actual shortcut links - including MBAM itself.
    There are no executable files in there, just shortcut links.

    I find it hard to believe that these are real alerts - do you think I can
    ignore them?


    The registry item is

    HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\NOACTIVEDESKTOPCHANGES
    Bad (1) Good (0)

    Can someone please explain what this is and if I should delete it.


    Many thanks


  2. #2
    Andy Walker Guest

    Re: Strange results from MBAM

    wasted wrote:

    >Hi I just updated MBAM and did a full scan and it found 18 hits of folders
    >and files that it calls Rogue.XLG, and one Registry data item
    >
    >The files and folders are all subfolders of one particular folder that I
    >created in my Start Menu Called "Protection". In there I have all the
    >shortcuts to my anti-virus and anti-spyware programmes and the hits include
    >ALL those folders and the actual shortcut links - including MBAM itself.
    >There are no executable files in there, just shortcut links.
    >
    >I find it hard to believe that these are real alerts - do you think I can
    >ignore them?
    >
    >
    >The registry item is
    >
    >HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\NOACTIVEDESKTOPCHANGES
    >Bad (1) Good (0)
    >
    >Can someone please explain what this is and if I should delete it.
    >
    >
    >Many thanks


    The HKLM\...\NoActiveDesktopChanges registry key above determines
    whether or not the users of the machine have the ability to change
    their active desktop configuration. There are a large number of
    trojans and malware that change that registry entry to "1" in order to
    prevent users from removing the displayed content within the active
    desktop. You can also set this to 1 to prevent users from changing
    their wallpaper, for instance. It is not necessarily an indication
    that you are compromised, but by default users are allowed to change
    their active desktop settings. The Malwarebytes program flagged the
    registry entry because it is more often than not an indication that
    malware may be present. If you are comfortable with the appearance
    and functioning of your Windows desktop, and don't plan on allowing
    other users to change the desktop settings, then leave the registry
    entry set to 1, otherwise set it to zero or allow Malwarebytes to do
    it for you.
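    The check described above, as an added example that is not part of the
    thread or of Malwarebytes: it reads NoActiveDesktopChanges from the
    machine and per-user Explorer policy keys, reports it with MBAM's
    "Bad (1) / Good (0)" meaning, and optionally resets it to the Windows
    default. Reading HKLM needs an elevated prompt; the -Remediate switch is
    this example's own.

```powershell
# Added example (not from the thread): audit the NoActiveDesktopChanges policy
# value that MBAM flagged, in both the machine-wide and per-user policy keys.
# Assumption: run from an elevated PowerShell so HKLM is readable; -Remediate
# is a parameter invented for this example.
[CmdletBinding()]
param(
    [switch]$Remediate   # reset the value to 0 (the Windows default) if it is 1
)

$valueName   = 'NoActiveDesktopChanges'
$policyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)

foreach ($path in $policyPaths) {
    if (-not (Test-Path -Path $path)) {
        Write-Output "$path : key absent (default: users may change Active Desktop)"
        continue
    }
    $item = Get-ItemProperty -Path $path -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        Write-Output "$path : $valueName not set (default behaviour)"
        continue
    }
    $current = $item.$valueName
    # MBAM's wording: Bad (1) Good (0). A value of 1 locks the Active Desktop,
    # which is what malware uses to pin its own content; 0 or absent is default.
    if ($current -eq 1) {
        $verdict = 'Bad (1): Active Desktop changes locked'
    } else {
        $verdict = "Good ($current)"
    }
    Write-Output "$path : $valueName = $current -> $verdict"

    if ($Remediate -and $current -eq 1) {
        # Log the old value before changing it so the change can be reversed.
        Write-Output "  resetting $valueName to 0 (was $current)"
        Set-ItemProperty -Path $path -Name $valueName -Value 0 -Type DWord
    }
}
```

    Without -Remediate the script only reports, which is the right first step
    when, as in this thread, the setting may have been chosen deliberately.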

  3. #3
    wasted Guest

    Re: Strange results from MBAM



    "Andy Walker" <awalker@nspank.invalid> wrote in message
    news:493ab0e3.148008031@news.webtv.com...
    > wasted wrote:
    >
    >>Hi I just updated MBAM and did a full scan and it found 18 hits of
    >>folders
    >>and files that it calls Rogue.XLG, and one Registry data item
    >>
    >>The files and folders are all subfolders of one particular folder that I
    >>created in my Start Menu Called "Protection". In there I have all the
    >>shortcuts to my anti-virus and anti-spyware programmes and the hits
    >>include
    >>ALL those folders and the actual shortcut links - including MBAM itself.
    >>There are no executable files in there, just shortcut links.
    >>
    >>I find it hard to believe that these are real alerts - do you think I can
    >>ignore them?
    >>
    >>
    >>The registry item is
    >>
    >>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\NOACTIVEDESKTOPCHANGES
    >>Bad (1) Good (0)
    >>
    >>Can someone please explain what this is and if I should delete it.
    >>
    >>
    >>Many thanks

    >
    > The HKLM\...\NoActiveDesktopChanges registry key above determines
    > whether or not the users of the machine have the ability to change
    > their active desktop configuration. There are a large number of
    > trojans and malware that change that registry entry to "1" in order to
    > prevent users from removing the displayed content within the active
    > desktop. You can also set this to 1 to prevent users from changing
    > their wallpaper, for instance. It is not necessarily an indication
    > that you are compromised, but by default users are allowed to change
    > their active desktop settings. The Malwarebytes program flagged the
    > registry entry because it is more often than not an indication that
    > malware may be present. If you are comfortable with the appearance
    > and functioning of your Windows desktop, and don't plan on allowing
    > other users to change the desktop settings, then leave the registry
    > entry set to 1, otherwise set it to zero or allow Malwarebytes to do
    > it for you.

    Thanks for the reply - I'm the only user, so unless other scanners suggest
    otherwise, on the basis of what you describe I will leave the setting as it
    is.




  4. #4
    wasted Guest

    Re: Strange results from MBAM



    "wasted" <rubbish@xxnone.notreal.com> wrote in message
    news:QIednfj_1uS35qfUnZ2dnUVZ8jydnZ2d@posted.plusnet...
    > Hi I just updated MBAM and did a full scan and it found 18 hits of
    > folders and files that it calls Rogue.XLG, and one Registry data item
    >
    > The files and folders are all subfolders of one particular folder that I
    > created in my Start Menu Called "Protection". In there I have all the
    > shortcuts to my anti-virus and anti-spyware programmes and the hits
    > include ALL those folders and the actual shortcut links - including MBAM
    > itself. There are no executable files in there, just shortcut links.
    >
    > I find it hard to believe that these are real alerts - do you think I can
    > ignore them?
    >
    >
    > The registry item is
    >
    > HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\NOACTIVEDESKTOPCHANGES
    > Bad (1) Good (0)
    >
    > Can someone please explain what this is and if I should delete it.
    >
    >
    > Many thanks

    Just discovered from a sequence of Googling that a folder named as
    "Protection" is created by some malware or other, which is why it is
    flagged. Renaming my folder has stopped it being flagged.




  5. #5
    Dustin Cook Guest

    Re: Strange results from MBAM

    "wasted" <rubbish@xxnone.notreal.com> wrote in
    news:ZemdneBi37CRnaHUnZ2dnUVZ8omdnZ2d@posted.plusnet:

    > "wasted" <rubbish@xxnone.notreal.com> wrote in message
    > news:QIednfj_1uS35qfUnZ2dnUVZ8jydnZ2d@posted.plusnet...
    >> Hi I just updated MBAM and did a full scan and it found 18 hits of
    >> folders and files that it calls Rogue.XLG, and one Registry data
    >> item
    >>
    >> The files and folders are all subfolders of one particular folder
    >> that I created in my Start Menu Called "Protection". In there I have
    >> all the shortcuts to my anti-virus and anti-spyware programmes and
    >> the hits include ALL those folders and the actual shortcut links -
    >> including MBAM itself. There are no executable files in there, just
    >> shortcut links.
    >>
    >> I find it hard to believe that these are real alerts - do you think I
    >> can ignore them?
    >>
    >>
    >> The registry item is
    >>
    >> HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\
    >> EXPLORER\NOACTIVEDESKTOPCHANGES Bad (1) Good (0)
    >>
    >> Can someone please explain what this is and if I should delete it.
    >>
    >>
    >> Many thanks

    > Just discovered from a sequence of Googling that a folder named as
    > "Protection" is created by some malware or other, which is why it is
    > flagged. Renaming my folder has stopped it being flagged.


    It has to do with heuristics... MBAM has a complicated collection of
    them.


    --
    Regards,
    Dustin Cook
    Malware Researcher
    MalwareBytes - http://www.malwarebytes.org



  6. #6
    wasted Guest

    Re: Strange results from MBAM



    "Dustin Cook" <bughunter.dustin@gmail.com> wrote in message
    news:Xns9B6EC262691HHI2948AJD832@69.16.185.250...
    > "wasted" <rubbish@xxnone.notreal.com> wrote in
    > news:ZemdneBi37CRnaHUnZ2dnUVZ8omdnZ2d@posted.plusnet:
    >
    >> "wasted" <rubbish@xxnone.notreal.com> wrote in message
    >> news:QIednfj_1uS35qfUnZ2dnUVZ8jydnZ2d@posted.plusnet...
    >>> Hi I just updated MBAM and did a full scan and it found 18 hits of
    >>> folders and files that it calls Rogue.XLG, and one Registry data
    >>> item
    >>>
    >>> The files and folders are all subfolders of one particular folder
    >>> that I created in my Start Menu Called "Protection". In there I have
    >>> all the shortcuts to my anti-virus and anti-spyware programmes and
    >>> the hits include ALL those folders and the actual shortcut links -
    >>> including MBAM itself. There are no executable files in there, just
    >>> shortcut links.
    >>>
    >>> I find it hard to believe that these are real alerts - do you think I
    >>> can ignore them?
    >>>
    >>>
    >>> The registry item is
    >>>
    >>> HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\
    >>> EXPLORER\NOACTIVEDESKTOPCHANGES Bad (1) Good (0)
    >>>
    >>> Can someone please explain what this is and if I should delete it.
    >>>
    >>>
    >>> Many thanks

    >> Just discovered from a sequence of Googling that a folder named as
    >> "Protection" is created by some malware or other, which is why it is
    >> flagged. Renaming my folder has stopped it being flagged.

    >
    > It has to do with heuristics... MBAM has a complicated collection of
    > them.
    >
    >
    > --
    > Regards,
    > Dustin Cook
    > Malware Researcher
    > MalwareBytes - http://www.malwarebytes.org
    >

    No problem Dustin - renaming sorted it.



  7. #7
    Andy Walker Guest

    Re: Strange results from MBAM

    wasted wrote:

    >Just discovered from a sequence of Googling that a folder named as
    >"Protection" is created by some malware or other, which is why it is
    >flagged. Renaming my folder has stopped it being flagged.


    Where was the folder located? I've seen more than a few people come
    in to the group asking about this and it would be good information to
    have for the next request...


    It's odd that renaming a folder could change a registry setting...
    unless there is a program in memory that monitors the folder and makes
    the registry change. I suppose MBAM could be reporting a false
    positive based on what it thinks the registry entry would be if the
    folder existed... which seems to me to be a bug if that's the case.

    Thanks,
    Andy

  8. #8
    wasted Guest

    Re: Strange results from MBAM



    "Andy Walker" <awalker@nspank.invalid> wrote in message
    news:493fb161.344733921@news.webtv.com...
    > wasted wrote:
    >
    >>Just discovered from a sequence of Googling that a folder named as
    >>"Protection" is created by some malware or other, which is why it is
    >>flagged. Renaming my folder has stopped it being flagged.

    >
    > Where was the folder located? I've seen more than a few people come
    > in to the group asking about this and it would be good information to
    > have for the next request...
    >
    >
    > It's odd that renaming a folder could change a registry setting...
    > unless there is a program in memory that monitors the folder and makes
    > the registry change. I suppose MBAM could be reporting a false
    > positive based on what it thinks the registry entry would be if the
    > folder existed... which seems to me to be a bug if that's the case.
    >
    > Thanks,
    > Andy

    See my original post - the location is mentioned already. It is, or was, off
    the Start menu folder.


  9. #9
    wasted Guest

    Re: Strange results from MBAM



    "Andy Walker" <awalker@nspank.invalid> wrote in message
    news:493fb161.344733921@news.webtv.com...
    > wasted wrote:
    >
    >>Just discovered from a sequence of Googling that a folder named as
    >>"Protection" is created by some malware or other, which is why it is
    >>flagged. Renaming my folder has stopped it being flagged.

    >
    > Where was the folder located? I've seen more than a few people come
    > in to the group asking about this and it would be good information to
    > have for the next request...
    >
    >
    > It's odd that renaming a folder could change a registry setting...
    > unless there is a program in memory that monitors the folder and makes
    > the registry change. I suppose MBAM could be reporting a false
    > positive based on what it thinks the registry entry would be if the
    > folder existed... which seems to me to be a bug if that's the case.
    >
    > Thanks,
    > Andy

    See my original post Andy - the location is mentioned already. It is, or
    was, off the Start menu folder. I hadn't seen any previous references here
    (if by "here" you mean alt.privacy.spyware). I only found one reference to
    it elsewhere through Googling.


  10. #10
    Andy Walker Guest

    Re: Strange results from MBAM

    wasted wrote:

    >
    >
    >"Andy Walker" <awalker@nspank.invalid> wrote in message
    >news:493fb161.344733921@news.webtv.com...
    >> wasted wrote:
    >>
    >>>Just discovered from a sequence of Googling that a folder named as
    >>>"Protection" is created by some malware or other, which is why it is
    >>>flagged. Renaming my folder has stopped it being flagged.

    >>
    >> Where was the folder located? I've seen more than a few people come
    >> in to the group asking about this and it would be good information to
    >> have for the next request...
    >>
    >>
    >> It's odd that renaming a folder could change a registry setting...
    >> unless there is a program in memory that monitors the folder and makes
    >> the registry change. I suppose MBAM could be reporting a false
    >> positive based on what it thinks the registry entry would be if the
    >> folder existed... which seems to me to be a bug if that's the case.
    >>
    >> Thanks,
    >> Andy

    >See my original post Andy - the location is mentioned already. It is, or
    >was, off the Start menu folder.


    Ok, but that could mean a number of different locations depending upon
    what you mean by "start menu". You also have (at least) two different
    locations where the folder could reside "All Users" and "current_user"
    are two of the most used. If you don't know the exact location then
    that's fine, I just thought it would be useful to know the exact
    location.

    > I hadn't seen any previous references here (if by
    >"here" you mean alt.privacy.spyware). I only found one reference to it
    >elsewhere through Googling.


    The reply I originally gave you was a cut-and-paste from one of my
    prior posts on the subject. It's possible that the x-no-archive flag
    was set on the post, though, because I normally honor the x-no-archive
    when responding. That would remove it from Google after a few days.
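    Andy's question about which Start Menu the folder lived in, and the
    original poster's point that it held only shortcuts, can both be answered
    with the following added example (not from the thread or from
    Malwarebytes). It searches the per-user and All Users Start Menu roots
    for a folder of the given name and resolves each .lnk inside it. The
    default name 'Protection' is the one from the original post; the
    -FolderName parameter is this example's own.

```powershell
# Added example (not from the thread): locate a Start Menu folder by name in
# both roots Andy mentions (per-user and All Users) and show what the
# shortcuts inside it actually point to.
param(
    [string]$FolderName = 'Protection'   # name from the original post
)

# Resolve the two Start Menu roots through the shell folder API instead of
# hard-coding paths, since they differ between Windows versions.
$roots = @(
    [Environment]::GetFolderPath('StartMenu'),
    [Environment]::GetFolderPath('CommonStartMenu')
)

$shell = New-Object -ComObject WScript.Shell

foreach ($root in $roots) {
    if (-not (Test-Path -Path $root)) { continue }
    $hits = Get-ChildItem -Path $root -Directory -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq $FolderName }
    if (-not $hits) {
        Write-Output "No folder named '$FolderName' under $root"
        continue
    }
    foreach ($dir in $hits) {
        Write-Output "Found: $($dir.FullName)"
        # Separate real executables from .lnk shortcuts, which is the
        # distinction the original poster drew when judging the alert.
        $files = @(Get-ChildItem -Path $dir.FullName -File -Recurse)
        $exes  = @($files | Where-Object { $_.Extension -in '.exe', '.dll', '.com', '.scr' })
        Write-Output "  $($files.Count) file(s), $($exes.Count) executable(s)"
        foreach ($lnk in ($files | Where-Object { $_.Extension -eq '.lnk' })) {
            # Resolve the shortcut so the reader sees where it really points.
            $target = $shell.CreateShortcut($lnk.FullName).TargetPath
            if ($target -and (Test-Path -Path $target)) {
                $state = 'target present'
            } else {
                $state = 'TARGET MISSING'
            }
            Write-Output "  $($lnk.Name) -> $target ($state)"
        }
    }
}
```

    A shortcut whose target is missing, or one that points somewhere other
    than the security product it is named after, is worth a closer look even
    when the folder itself turns out to be a heuristic false positive.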
