From: wasted on 8 Dec 2008 14:31

"Dustin Cook" <bughunter.dustin(a)gmail.com> wrote in message
news:Xns9B6EC262691HHI2948AJD832(a)69.16.185.250...
> "wasted" <rubbish(a)xxnone.notreal.com> wrote in
> news:ZemdneBi37CRnaHUnZ2dnUVZ8omdnZ2d(a)posted.plusnet:
>
>> "wasted" <rubbish(a)xxnone.notreal.com> wrote in message
>> news:QIednfj_1uS35qfUnZ2dnUVZ8jydnZ2d(a)posted.plusnet...
>>> Hi I just updated MBAM and did a full scan and it found 18 hits of
>>> folders and files that it calls Rogue.XLG, and one Registry data
>>> item
>>>
>>> The files and folders are all subfolders of one particular folder
>>> that I created in my Start Menu Called "Protection". In there I have
>>> all the shortcuts to my anti-virus and anti-spyware programmes and
>>> the hits include ALL those folders and the actual shortcut links -
>>> including MBAM itself. There are no executable files in there, just
>>> shortcut links.
>>>
>>> I find it hard to believe that these are real alerts - do you think I
>>> can ignore them?
>>>
>>>
>>> The registry item is
>>>
>>> HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\
>>> EXPLORER\NOACTIVEDESKTOPCHANGES Bad (1) Good (0)
>>>
>>> Can someone please explain what this is and if I should delete it.
>>>
>>>
>>> Many thanks
>> Just discovered from a sequence of Googling that a folder named as
>> "Protection" is created by some malware or other, which is why it is
>> flagged. Renaming my folder has stopped it being flagged.
>
> It has to do with heuristics... MBAM has a complicated collection of
> them.
>
>
> --
> Regards,
> Dustin Cook
> Malware Researcher
> MalwareBytes - http://www.malwarebytes.org
>

No problem Dustin - renaming sorted it.

From: Andy Walker on 8 Dec 2008 18:48

wasted wrote:

>Just discovered from a sequence of Googling that a folder named as
>"Protection" is created by some malware or other, which is why it is
>flagged. Renaming my folder has stopped it being flagged.

Where was the folder located? I've seen more than a few people come in to the group asking about this and it would be good information to have for the next request...

It's odd that renaming a folder could change a registry setting... unless there is a program in memory that monitors the folder and makes the registry change. I suppose MBAM could be reporting a false positive based on what it thinks the registry entry would be if the folder existed... which seems to me to be a bug if that's the case.

Thanks,
Andy

From: wasted on 9 Dec 2008 12:15

"Andy Walker" <awalker(a)nspank.invalid> wrote in message
news:493fb161.344733921(a)news.webtv.com...
> wasted wrote:
>
>>Just discovered from a sequence of Googling that a folder named as
>>"Protection" is created by some malware or other, which is why it is
>>flagged. Renaming my folder has stopped it being flagged.
>
> Where was the folder located? I've seen more than a few people come
> in to the group asking about this and it would be good information to
> have for the next request...
>
>
> It's odd that renaming a folder could change a registry setting...
> unless there is a program in memory that monitors the folder and makes
> the registry change. I suppose MBAM could be reporting a false
> positive based on what it thinks the registry entry would be if the
> folder existed... which seems to me to be a bug if that's the case.
>
> Thanks,
> Andy

See my original post - the location is mentioned already. It is, or was, off the Start menu folder.

From: wasted on 9 Dec 2008 12:19

"Andy Walker" <awalker(a)nspank.invalid> wrote in message
news:493fb161.344733921(a)news.webtv.com...
> wasted wrote:
>
>>Just discovered from a sequence of Googling that a folder named as
>>"Protection" is created by some malware or other, which is why it is
>>flagged. Renaming my folder has stopped it being flagged.
>
> Where was the folder located? I've seen more than a few people come
> in to the group asking about this and it would be good information to
> have for the next request...
>
>
> It's odd that renaming a folder could change a registry setting...
> unless there is a program in memory that monitors the folder and makes
> the registry change. I suppose MBAM could be reporting a false
> positive based on what it thinks the registry entry would be if the
> folder existed... which seems to me to be a bug if that's the case.
>
> Thanks,
> Andy

See my original post Andy - the location is mentioned already. It is, or was, off the Start menu folder. I hadn't seen any previous references here (if by "here" you mean alt.privacy.spyware). I only found one reference to it elsewhere through Googling.

From: Andy Walker on 10 Dec 2008 19:41

wasted wrote:

>
>
>"Andy Walker" <awalker(a)nspank.invalid> wrote in message
>news:493fb161.344733921(a)news.webtv.com...
>> wasted wrote:
>>
>>>Just discovered from a sequence of Googling that a folder named as
>>>"Protection" is created by some malware or other, which is why it is
>>>flagged. Renaming my folder has stopped it being flagged.
>>
>> Where was the folder located? I've seen more than a few people come
>> in to the group asking about this and it would be good information to
>> have for the next request...
>>
>>
>> It's odd that renaming a folder could change a registry setting...
>> unless there is a program in memory that monitors the folder and makes
>> the registry change. I suppose MBAM could be reporting a false
>> positive based on what it thinks the registry entry would be if the
>> folder existed... which seems to me to be a bug if that's the case.
>>
>> Thanks,
>> Andy
>See my original post Andy - the location is mentioned already. It is, or
>was, off
>the Start menu folder.

Ok, but that could mean a number of different locations depending upon what you mean by "start menu". You also have (at least) two different locations where the folder could reside: "All Users" and "current_user" are two of the most used. If you don't know the exact location then that's fine, I just thought it would be useful to know the exact location.

> I hadn't seen any previous references here (if by
>"here" you mean alt.privacy.spyware). I only found one reference to it
>elsewhere through Googling.

The reply I originally gave you was a cut-and-paste from one of my prior posts on the subject. It's possible that the x-no-archive flag was set on the post, though, because I normally honor the x-no-archive when responding. That would remove it from Google after a few days.
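
An added example, not part of the original thread: a read-only PowerShell check that looks in both Start Menu locations discussed above (per-user and All Users) for a folder named "Protection", lists where its shortcuts point, and reads the NoActiveDesktopChanges policy value from the scan report. Variable names are illustrative, and it assumes PowerShell 3.0 or later on Windows.

```powershell
# Added example (not from the thread): read-only triage of what the scan reported.
# Assumption: the folder name 'Protection' is the one named in the thread.
$folderName = 'Protection'

# The per-user and All Users Start Menu roots are separate directories,
# so a folder "off the Start menu" can live under either one.
$roots = [ordered]@{
    CurrentUser = [Environment]::GetFolderPath('StartMenu')
    AllUsers    = [Environment]::GetFolderPath('CommonStartMenu')
}

$shell = New-Object -ComObject WScript.Shell
foreach ($scope in $roots.Keys) {
    $root = $roots[$scope]
    if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }

    # Match on folder name only (case-insensitive), at any depth under the root.
    $hits = Get-ChildItem -LiteralPath $root -Recurse -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq $folderName }

    foreach ($dir in $hits) {
        # Resolve every shortcut so the real target can be reviewed, not just the .lnk name.
        Get-ChildItem -LiteralPath $dir.FullName -Recurse -File -Filter *.lnk -ErrorAction SilentlyContinue |
            ForEach-Object {
                $target = $shell.CreateShortcut($_.FullName).TargetPath
                [pscustomobject]@{
                    Scope        = $scope
                    Shortcut     = $_.FullName
                    Target       = $target
                    TargetExists = [bool]($target -and (Test-Path -LiteralPath $target))
                }
            }
    }
}

# The registry item from the scan report. The report listed 1 as "Bad" and 0 as "Good".
$key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$entry = Get-ItemProperty -LiteralPath $key -Name NoActiveDesktopChanges -ErrorAction SilentlyContinue
if ($null -eq $entry) {
    'NoActiveDesktopChanges: not set'
} else {
    'NoActiveDesktopChanges: {0}' -f $entry.NoActiveDesktopChanges
}
```

The folder check and the registry check are independent of each other, so the registry result does not change when the folder is renamed.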