From: wasted on 6 Dec 2008 07:22

Hi I just updated MBAM and did a full scan and it found 18 hits of folders and files that it calls Rogue.XLG, and one Registry data item

The files and folders are all subfolders of one particular folder that I created in my Start Menu Called "Protection". In there I have all the shortcuts to my anti-virus and anti-spyware programmes and the hits include ALL those folders and the actual shortcut links - including MBAM itself. There are no executable files in there, just shortcut links.

I find it hard to believe that these are real alerts - do you think I can ignore them?

The registry item is

HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\NOACTIVEDESKTOPCHANGES
Bad (1) Good (0)

Can someone please explain what this is and if I should delete it.

Many thanks

From: Andy Walker on 6 Dec 2008 12:06

wasted wrote:

>Hi I just updated MBAM and did a full scan and it found 18 hits of folders
>and files that it calls Rogue.XLG, and one Registry data item
>
>The files and folders are all subfolders of one particular folder that I
>created in my Start Menu Called "Protection". In there I have all the
>shortcuts to my anti-virus and anti-spyware programmes and the hits include
>ALL those folders and the actual shortcut links - including MBAM itself.
>There are no executable files in there, just shortcut links.
>
>I find it hard to believe that these are real alerts - do you think I can
>ignore them?
>
>
>The registry item is
>
>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\NOACTIVEDESKTOPCHANGES
>Bad (1) Good (0)
>
>Can someone please explain what this is and if I should delete it.
>
>
>Many thanks

The HKLM\...\NoActiveDesktopChanges registry key above determines whether or not the users of the machine have the ability to change their active desktop configuration. There are a large number of trojans and malware that change that registry entry to "1" in order to prevent users from removing the displayed content within the active desktop. You can also set this to 1 to prevent users from changing their wallpaper, for instance. It is not necessarily an indication that you are compromised, but by default users are allowed to change their active desktop settings. The Malwarebytes program flagged the registry entry because it is more often than not an indication that malware may be present. If you are comfortable with the appearance and functioning of your Windows desktop, and don't plan on allowing other users to change the desktop settings, then leave the registry entry set to 1, otherwise set it to zero or allow Malwarebytes to do it for you.

From: wasted on 6 Dec 2008 16:44

"Andy Walker" <awalker(a)nspank.invalid> wrote in message
news:493ab0e3.148008031(a)news.webtv.com...
> wasted wrote:
>
>>Hi I just updated MBAM and did a full scan and it found 18 hits of
>>folders
>>and files that it calls Rogue.XLG, and one Registry data item
>>
>>The files and folders are all subfolders of one particular folder that I
>>created in my Start Menu Called "Protection". In there I have all the
>>shortcuts to my anti-virus and anti-spyware programmes and the hits
>>include
>>ALL those folders and the actual shortcut links - including MBAM itself.
>>There are no executable files in there, just shortcut links.
>>
>>I find it hard to believe that these are real alerts - do you think I can
>>ignore them?
>>
>>
>>The registry item is
>>
>>HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\NOACTIVEDESKTOPCHANGES
>>Bad (1) Good (0)
>>
>>Can someone please explain what this is and if I should delete it.
>>
>>
>>Many thanks
>
> The HKLM\...\NoActiveDesktopChanges registry key above determines
> whether or not the users of the machine have the ability to change
> their active desktop configuration. There are a large number of
> trojans and malware that change that registry entry to "1" in order to
> prevent users from removing the displayed content within the active
> desktop. You can also set this to 1 to prevent users from changing
> their wallpaper, for instance. It is not necessarily an indication
> that you are compromised, but by default users are allowed to change
> their active desktop settings. The Malwarebytes program flagged the
> registry entry because it is more often than not an indication that
> malware may be present. If you are comfortable with the appearance
> and functioning of your Windows desktop, and don't plan on allowing
> other users to change the desktop settings, then leave the registry
> entry set to 1, otherwise set it to zero or allow Malwarebytes to do
> it for you.

Thanks for the reply - I'm the only user, so unless other scanners suggest otherwise, on the basis of what you describe I will leave the setting as it is.

From: wasted on 7 Dec 2008 11:55

"wasted" <rubbish(a)xxnone.notreal.com> wrote in message
news:QIednfj_1uS35qfUnZ2dnUVZ8jydnZ2d(a)posted.plusnet...
> Hi I just updated MBAM and did a full scan and it found 18 hits of
> folders and files that it calls Rogue.XLG, and one Registry data item
>
> The files and folders are all subfolders of one particular folder that I
> created in my Start Menu Called "Protection". In there I have all the
> shortcuts to my anti-virus and anti-spyware programmes and the hits
> include ALL those folders and the actual shortcut links - including MBAM
> itself. There are no executable files in there, just shortcut links.
>
> I find it hard to believe that these are real alerts - do you think I can
> ignore them?
>
>
> The registry item is
>
> HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\EXPLORER\NOACTIVEDESKTOPCHANGES
> Bad (1) Good (0)
>
> Can someone please explain what this is and if I should delete it.
>
>
> Many thanks

Just discovered from a sequence of Googling that a folder named as "Protection" is created by some malware or other, which is why it is flagged. Renaming my folder has stopped it being flagged.

From: Dustin Cook on 8 Dec 2008 01:10

"wasted" <rubbish(a)xxnone.notreal.com> wrote in
news:ZemdneBi37CRnaHUnZ2dnUVZ8omdnZ2d(a)posted.plusnet:

> "wasted" <rubbish(a)xxnone.notreal.com> wrote in message
> news:QIednfj_1uS35qfUnZ2dnUVZ8jydnZ2d(a)posted.plusnet...
>> Hi I just updated MBAM and did a full scan and it found 18 hits of
>> folders and files that it calls Rogue.XLG, and one Registry data
>> item
>>
>> The files and folders are all subfolders of one particular folder
>> that I created in my Start Menu Called "Protection". In there I have
>> all the shortcuts to my anti-virus and anti-spyware programmes and
>> the hits include ALL those folders and the actual shortcut links -
>> including MBAM itself. There are no executable files in there, just
>> shortcut links.
>>
>> I find it hard to believe that these are real alerts - do you think I
>> can ignore them?
>>
>>
>> The registry item is
>>
>> HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\
>> EXPLORER\NOACTIVEDESKTOPCHANGES Bad (1) Good (0)
>>
>> Can someone please explain what this is and if I should delete it.
>>
>>
>> Many thanks

> Just discovered from a sequence of Googling that a folder named as
> "Protection" is created by some malware or other, which is why it is
> flagged. Renaming my folder has stopped it being flagged.

It has to do with heuristics... MBAM has a complicated collection of them.

--
Regards,
Dustin Cook
Malware Researcher
MalwareBytes - http://www.malwarebytes.org