
Thread: Strange results from MBAM


  1. #1
    wasted Guest

    Re: Strange results from MBAM



    "wasted" <rubbish@xxnone.notreal.com> wrote in message
    news:QIednfj_1uS35qfUnZ2dnUVZ8jydnZ2d@posted.plusnet...
    > Hi I just updated MBAM and did a full scan and it found 18 hits of
    > folders and files that it calls Rogue.XLG, and one Registry data item
    >
    > The files and folders are all subfolders of one particular folder that I
    > created in my Start Menu Called "Protection". In there I have all the
    > shortcuts to my anti-virus and anti-spyware programmes and the hits
    > include ALL those folders and the actual shortcut links - including MBAM
    > itself. There are no executable files in there, just shortcut links.
    >
    > I find it hard to believe that these are real alerts - do you think I can
    > ignore them?
    >
    >
    > The registry item is
    >
    > HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\NOACTIVEDESKTOPCHANGES
    > Bad (1) Good (0)
    >
    > Can someone please explain what this is and if I should delete it.
    >
    >
    > Many thanks

    Just discovered from a sequence of Googling that a folder named as
    "Protection" is created by some malware or other, which is why it is
    flagged. Renaming my folder has stopped it being flagged.




  2. #2
    Dustin Cook Guest

    Re: Strange results from MBAM

    "wasted" <rubbish@xxnone.notreal.com> wrote in
    news:ZemdneBi37CRnaHUnZ2dnUVZ8omdnZ2d@posted.plusnet:

    > "wasted" <rubbish@xxnone.notreal.com> wrote in message
    > news:QIednfj_1uS35qfUnZ2dnUVZ8jydnZ2d@posted.plusnet...
    >> Hi I just updated MBAM and did a full scan and it found 18 hits of
    >> folders and files that it calls Rogue.XLG, and one Registry data
    >> item
    >>
    >> The files and folders are all subfolders of one particular folder
    >> that I created in my Start Menu Called "Protection". In there I have
    >> all the shortcuts to my anti-virus and anti-spyware programmes and
    >> the hits include ALL those folders and the actual shortcut links -
    >> including MBAM itself. There are no executable files in there, just
    >> shortcut links.
    >>
    >> I find it hard to believe that these are real alerts - do you think I
    >> can ignore them?
    >>
    >>
    >> The registry item is
    >>
    >> HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\
    >> EXPLORER\NOACTIVEDESKTOPCHANGES Bad (1) Good (0)
    >>
    >> Can someone please explain what this is and if I should delete it.
    >>
    >>
    >> Many thanks

    > Just discovered from a sequence of Googling that a folder named as
    > "Protection" is created by some malware or other, which is why it is
    > flagged. Renaming my folder has stopped it being flagged.


    It has to do with heuristics... MBAM has a complicated collection of
    them.


    --
    Regards,
    Dustin Cook
    Malware Researcher
    MalwareBytes - http://www.malwarebytes.org



  3. #3
    wasted Guest

    Re: Strange results from MBAM



    "Dustin Cook" <bughunter.dustin@gmail.com> wrote in message
    news:Xns9B6EC262691HHI2948AJD832@69.16.185.250...
    > "wasted" <rubbish@xxnone.notreal.com> wrote in
    > news:ZemdneBi37CRnaHUnZ2dnUVZ8omdnZ2d@posted.plusnet:
    >
    >> "wasted" <rubbish@xxnone.notreal.com> wrote in message
    >> news:QIednfj_1uS35qfUnZ2dnUVZ8jydnZ2d@posted.plusnet...
    >>> Hi I just updated MBAM and did a full scan and it found 18 hits of
    >>> folders and files that it calls Rogue.XLG, and one Registry data
    >>> item
    >>>
    >>> The files and folders are all subfolders of one particular folder
    >>> that I created in my Start Menu Called "Protection". In there I have
    >>> all the shortcuts to my anti-virus and anti-spyware programmes and
    >>> the hits include ALL those folders and the actual shortcut links -
    >>> including MBAM itself. There are no executable files in there, just
    >>> shortcut links.
    >>>
    >>> I find it hard to believe that these are real alerts - do you think I
    >>> can ignore them?
    >>>
    >>>
    >>> The registry item is
    >>>
    >>> HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\
    >>> EXPLORER\NOACTIVEDESKTOPCHANGES Bad (1) Good (0)
    >>>
    >>> Can someone please explain what this is and if I should delete it.
    >>>
    >>>
    >>> Many thanks

    >> Just discovered from a sequence of Googling that a folder named as
    >> "Protection" is created by some malware or other, which is why it is
    >> flagged. Renaming my folder has stopped it being flagged.

    >
    > It has to do with heuristics... MBAM has a complicated collection of
    > them.
    >
    >
    > --
    > Regards,
    > Dustin Cook
    > Malware Researcher
    > MalwareBytes - http://www.malwarebytes.org
    >

    No problem Dustin - renaming sorted it.



  4. #4
    Andy Walker Guest

    Re: Strange results from MBAM

    wasted wrote:

    >Just discovered from a sequence of Googling that a folder named as
    >"Protection" is created by some malware or other, which is why it is
    >flagged. Renaming my folder has stopped it being flagged.


    Where was the folder located? I've seen more than a few people come
    in to the group asking about this and it would be good information to
    have for the next request...


    It's odd that renaming a folder could change a registry setting...
    unless there is a program in memory that monitors the folder and makes
    the registry change. I suppose MBAM could be reporting a false
    positive based on what it thinks the registry entry would be if the
    folder existed... which seems to me to be a bug if that's the case.

    Thanks,
    Andy

  5. #5
    wasted Guest

    Re: Strange results from MBAM



    "Andy Walker" <awalker@nspank.invalid> wrote in message
    news:493fb161.344733921@news.webtv.com...
    > wasted wrote:
    >
    >>Just discovered from a sequence of Googling that a folder named as
    >>"Protection" is created by some malware or other, which is why it is
    >>flagged. Renaming my folder has stopped it being flagged.

    >
    > Where was the folder located? I've seen more than a few people come
    > in to the group asking about this and it would be good information to
    > have for the next request...
    >
    >
    > It's odd that renaming a folder could change a registry setting...
    > unless there is a program in memory that monitors the folder and makes
    > the registry change. I suppose MBAM could be reporting a false
    > positive based on what it thinks the registry entry would be if the
    > folder existed... which seems to me to be a bug if that's the case.
    >
    > Thanks,
    > Andy

    See my original post - the location is mentioned already. It is, or was, off
    the Start menu folder.


  6. #6
    wasted Guest

    Re: Strange results from MBAM



    "Andy Walker" <awalker@nspank.invalid> wrote in message
    news:493fb161.344733921@news.webtv.com...
    > wasted wrote:
    >
    >>Just discovered from a sequence of Googling that a folder named as
    >>"Protection" is created by some malware or other, which is why it is
    >>flagged. Renaming my folder has stopped it being flagged.

    >
    > Where was the folder located? I've seen more than a few people come
    > in to the group asking about this and it would be good information to
    > have for the next request...
    >
    >
    > It's odd that renaming a folder could change a registry setting...
    > unless there is a program in memory that monitors the folder and makes
    > the registry change. I suppose MBAM could be reporting a false
    > positive based on what it thinks the registry entry would be if the
    > folder existed... which seems to me to be a bug if that's the case.
    >
    > Thanks,
    > Andy

    See my original post Andy - the location is mentioned already. It is, or
    was, off
    the Start menu folder. I hadn't seen any previous references here (if by
    "here" you mean alt.privacy.spyware). I only found one reference to it
    elsewhere through Googling.


  7. #7
    Andy Walker Guest

    Re: Strange results from MBAM

    wasted wrote:

    >
    >
    >"Andy Walker" <awalker@nspank.invalid> wrote in message
    >news:493fb161.344733921@news.webtv.com...
    >> wasted wrote:
    >>
    >>>Just discovered from a sequence of Googling that a folder named as
    >>>"Protection" is created by some malware or other, which is why it is
    >>>flagged. Renaming my folder has stopped it being flagged.

    >>
    >> Where was the folder located? I've seen more than a few people come
    >> in to the group asking about this and it would be good information to
    >> have for the next request...
    >>
    >>
    >> It's odd that renaming a folder could change a registry setting...
    >> unless there is a program in memory that monitors the folder and makes
    >> the registry change. I suppose MBAM could be reporting a false
    >> positive based on what it thinks the registry entry would be if the
    >> folder existed... which seems to me to be a bug if that's the case.
    >>
    >> Thanks,
    >> Andy

    >See my original post Andy - the location is mentioned already. It is, or
    >was, off
    >the Start menu folder.


    Ok, but that could mean a number of different locations depending upon
    what you mean by "start menu". You also have (at least) two different
    locations where the folder could reside "All Users" and "current_user"
    are two of the most used. If you don't know the exact location then
    that's fine, I just thought it would be useful to know the exact
    location.

    > I hadn't seen any previous references here (if by
    >"here" you mean alt.privacy.spyware). I only found one reference to it
    >elsewhere through Googling.


    The reply I originally gave you was a cut-and-paste from one of my
    prior posts on the subject. It's possible that the x-no-archive flag
    was set on the post, though, because I normally honor the x-no-archive
    when responding. That would remove it from Google after a few days.

  8. #8
    wasted Guest

    Re: Strange results from MBAM



    "Andy Walker" <awalker@nspank.invalid> wrote in message
    news:49415fd2.67919046@news.webtv.com...
    > wasted wrote:
    >
    >>
    >>
    >>"Andy Walker" <awalker@nspank.invalid> wrote in message
    >>news:493fb161.344733921@news.webtv.com...
    >>> wasted wrote:
    >>>
    >>>>Just discovered from a sequence of Googling that a folder named as
    >>>>"Protection" is created by some malware or other, which is why it is
    >>>>flagged. Renaming my folder has stopped it being flagged.
    >>>
    >>> Where was the folder located? I've seen more than a few people come
    >>> in to the group asking about this and it would be good information to
    >>> have for the next request...
    >>>
    >>>
    >>> It's odd that renaming a folder could change a registry setting...
    >>> unless there is a program in memory that monitors the folder and makes
    >>> the registry change. I suppose MBAM could be reporting a false
    >>> positive based on what it thinks the registry entry would be if the
    >>> folder existed... which seems to me to be a bug if that's the case.
    >>>
    >>> Thanks,
    >>> Andy

    >>See my original post Andy - the location is mentioned already. It is, or
    >>was, off
    >>the Start menu folder.

    >
    > Ok, but that could mean a number of different locations depending upon
    > what you mean by "start menu". You also have (at least) two different
    > locations where the folder could reside "All Users" and "current_user"
    > are two of the most used. If you don't know the exact location then
    > that's fine, I just thought it would be useful to know the exact
    > location.
    >
    >> I hadn't seen any previous references here (if by
    >>"here" you mean alt.privacy.spyware). I only found one reference to it
    >>elsewhere through Googling.

    >
    > The reply I originally gave you was a cut-and-paste from one of my
    > prior posts on the subject. It's possible that the x-no-archive flag
    > was set on the post, though, because I normally honor the x-no-archive
    > when responding. That would remove it from Google after a few days.


    Ah - didn't think about there being a Start Menu for other users - because
    I'm the only user so never see that

    the full path was C:/Program Data/Microsoft/Windows/Start
    Menu/Programs/Protection
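A triage script for the situation in this thread, added here as an example (it is not from the thread or from MalwareBytes): it checks both Start Menu roots Andy mentions (the all-users one, which on Vista and later lives under C:\ProgramData, and the current user's), lists what is actually inside a folder with the flagged name, resolves each .lnk shortcut to its target so that a non-shortcut or a shortcut pointing at something unexpected stands out, and reads the NoActiveDesktopChanges policy value that MBAM reported. The folder name "Protection" and the registry value come from the posts; the rest are generic checks.

```powershell
# Added example, not part of the original thread: triage a "Rogue" hit on a
# Start Menu folder and the Explorer policy value reported alongside it.
$folderName = 'Protection'   # the flagged folder name from the thread

# The two Start Menu roots: all users (ProgramData on Vista+) and the current user.
$startMenus = @(
    [Environment]::GetFolderPath('CommonPrograms')  # ...\ProgramData\Microsoft\Windows\Start Menu\Programs
    [Environment]::GetFolderPath('Programs')        # %APPDATA%\Microsoft\Windows\Start Menu\Programs
)

$shell = New-Object -ComObject WScript.Shell
foreach ($root in $startMenus) {
    $dir = Join-Path $root $folderName
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    Write-Host "Found $dir"
    # Everything in the folder, recursively. Shortcuts are resolved to their
    # target; anything that is not a .lnk is listed so it can be looked at.
    Get-ChildItem -LiteralPath $dir -Recurse -File | ForEach-Object {
        if ($_.Extension -ieq '.lnk') {
            $target = $shell.CreateShortcut($_.FullName).TargetPath
            $exists = if ($target) { Test-Path -LiteralPath $target } else { $false }
            [PSCustomObject]@{ Item = $_.FullName; Target = $target; TargetExists = $exists }
        } else {
            [PSCustomObject]@{ Item = $_.FullName; Target = '(not a shortcut)'; TargetExists = $null }
        }
    } | Format-Table -AutoSize
}

# The registry value from the MBAM report. It is an Explorer policy value that
# prohibits changes to Active Desktop; on a machine with no such policy deployed
# it is normally absent. Check where it came from before deleting it.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$val = Get-ItemProperty -Path $key -Name NoActiveDesktopChanges -ErrorAction SilentlyContinue
if ($null -eq $val) {
    Write-Host "NoActiveDesktopChanges is not set under $key"
} else {
    Write-Host "NoActiveDesktopChanges = $($val.NoActiveDesktopChanges) under $key"
}
```

Run it from an elevated prompt so the all-users Start Menu folder and HKLM are readable; `gpresult /h report.html` will show whether a Group Policy, rather than software, put the value there.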




  9. #9
    Dustin Cook Guest

    Re: Strange results from MBAM

    Andy Walker <awalker@nspank.invalid> wrote in news:493fb161.344733921
    @news.webtv.com:

    > wasted wrote:
    >
    >>Just discovered from a sequence of Googling that a folder named as
    >>"Protection" is created by some malware or other, which is why it is
    >>flagged. Renaming my folder has stopped it being flagged.

    >
    > Where was the folder located? I've seen more than a few people come
    > in to the group asking about this and it would be good information to
    > have for the next request...
    >
    >
    > It's odd that renaming a folder could change a registry setting...
    > unless there is a program in memory that monitors the folder and makes
    > the registry change. I suppose MBAM could be reporting a false
    > positive based on what it thinks the registry entry would be if the
    > folder existed... which seems to me to be a bug if that's the case.
    >
    > Thanks,
    > Andy
    >


    Well, If I wasn't killfiled by you, I'd explain what's going on. But,
    no it's not a bug.


    --
    Regards,
    Dustin Cook
    Malware Researcher
    MalwareBytes - http://www.malwarebytes.org


