141 replies to this topic

[Hardhead]

Hello Bruce and Dustin,

I know this is place for malware to hide and thought I would post for others to see since its a new location.
This is on new notebook Vista Ultimate 64bit.
I will whitelist the entrie. Correct me if I'm wrong please.

Quote

Malwarebytes' Anti-Malware 1.30
Database version: 1414
Windows 6.0.6001 Service Pack 1

11/21/2008 2:39:56 AM
mbam-log-2008-11-21 (02-39-53).txt

Scan type: Quick Scan
Objects scanned: 43184
Time elapsed: 1 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

[exile360]

Interesting, I'm on Vista Ultimate x64 and have never seen this detection with an MBAM scan. I'll have to run a quick scan when I get home (currently at work) and see what I come up with. I'll post back and let you know.

edit: Just got home, updated to database 1414 and did a quick scan. Mine came back with the same result.

Malwarebytes' Anti-Malware 1.30
Database version: 1414
Windows 6.0.6001 Service Pack 1

11/21/2008 11:08:10 AM
mbam-log-2008-11-21 (11-08-04).txt

Scan type: Quick Scan
Objects scanned: 36814
Time elapsed: 1 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

[exile360]

Hey Hardhead, are you using dreamscene? I am and was wondering if maybe that was causing it. I don't see why it would but who knows. I can't scan again now as I'm at work, but I will turn off dreamscene when I get home and give MBAM another go and see what happens.

[Hardhead]

exile360, on Nov 22 2008, 12:27 AM, said:

Hey Hardhead, are you using dreamscene? I am and was wondering if maybe that was causing it. I don't see why it would but who knows. I can't scan again now as I'm at work, but I will turn off dreamscene when I get home and give MBAM another go and see what happens.

Hello exile360,

Yes I do have all components of DreamScene installed.

[nosirrah]

It is a new restriction correction , one that seems to be disabled on Vista by default .

For now whitelist it and I will look into whitelisting it for Vista only in defs .

[Hardhead]

nosirrah, on Nov 22 2008, 11:19 AM, said:

It is a new restriction correction , one that seems to be disabled on Vista by default .

For now whitelist it and I will look into whitelisting it for Vista only in defs .

Thanks Bruce
I whitelisted after I posted.
This is only in Vista 64bit for me.

[Nitrius]

Got this myself, vista x64 here as well. So this can be ignored for sure?

[nosirrah]

Hardhead, on Nov 22 2008, 11:23 AM, said:

Thanks Bruce
I whitelisted after I posted.
This is only in Vista 64bit for me.

yes

[Hardhead]

kiamori, on Dec 23 2008, 01:37 AM, said:

I'm also getting this in XP Pro x64

Hello kiamori,
You can whitelist it.

[Justsuern]

I also have a new laptop with Vista 64 bit. Today I updated Malwarebytes and ran a scan. Now receiving the same message.
Malwarebytes' Anti-Malware 1.31
Database version: 1607
Windows 6.0.6001 Service Pack 1

1/3/2009 9:05:58 PM
mbam-log-2009-01-03 (21-05-25).txt

Scan type: Quick Scan
Objects scanned: 43466
Time elapsed: 2 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I ran Windows Defender and it did not discover anything. My desktop and computer are running fine. Can I add this to ignore list? Is this still a problem since November for Vista 64 bit?
Thanks.

[exile360]

Yup, you can whitelist it. It's a false positive (note I'm running Vista x64 as well).

[Urban-uk]

Hi

I didnt realise this was a false positive, when malwarebytes flagged it has an infection, how do i put the registry key back as it should be?

thanks

[Tigger93]

This isn't a false positive. If it was a program that set that and you would like to restore it, in the quarantine click restore.

[Urban-uk]

Tigger93, on Jan 7 2009, 10:22 PM, said:

This isn't a false positive. If it was a program that set that and you would like to restore it, in the quarantine click restore.

seems from earlier post in the thread that it is?, I thought it was a little odd getting anything come in mwb, as it was a fresh install, and had not been on the internet, cept to get latest windows updates

I have heard you can get infected while getting these updates so i let mwb sort out the problem

The only problem is, if it is a false positive, I went in to the quarantine folder, but it is not in there, so i can not just restore it

so basically im asking if this is definately a false positive, i just need to know what to put back in my registry, "Im not good when it comes to the registry"

I am on vista 64

heres log from day i installed vista, I ran anti virus progs before i made a disk image

Malwarebytes' Anti-Malware 1.31
Database version: 1571
Windows 6.0.6000

29/12/2008 23:05:31
mbam-log-2008-12-29 (23-05-31).txt

Scan type: Quick Scan
Objects scanned: 38554
Time elapsed: 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

[nosirrah]

If malware disabled it then its a legit correction .

If its disabled intentionally then its obviously something to whitelist (people without Vista64 can disable this for legit reasons and we will detect it so its not just a V64 thing) .


It comes down to fixing it for the noob that does not know how to on their own after an malware cleanup or an advanced user being happy that they don't have to white list a single entry .

We choose to help the noob and keep in mind that there is no way to tell how it got disabled , only that it is .


We may add a 64 bit detection switch at some point , but there are already major projects in the works that will help millions .

You should also note that malware , adware , trojan , rootkit , spyware or any other malicious term is not used here . I am sure that Hijack.Displayproperties is named well enough to male it clear that display properties is modified , not a rootkit or other actual malware component .

[corabeth]

I'm the ultimate defintion of a noob. Just set up a new PC with 64 bit today. Ran a scan at the start and zero infections, now the same ones being discussed here are showing up in my last scan of the night.

I am new to MWB too, we got this new computer after the old one got totally infested (before I had heard about MWB).

Do I ignore both of the infections below?

Thanks!

Database version: 1640
Windows 6.0.6001 Service Pack 1

1/11/2009 12:24:32 AM
mbam-log-2009-01-11 (00-24-26).txt

Scan type: Quick Scan
Objects scanned: 47467
Time elapsed: 1 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

[corabeth]

Sorry, it won't let me edit my first post. I also ran a full Norton scan and it showed zero infections.

[dw17dw17]

I had the same thing happen but I deleted it

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Should I put it back in?

thanks

[exile360]

If you are running Vista then this is a false positive and should be added to the Ignore List. Even in XP this detection isn't actually malware, it's a setting that is often modified by malware to prevent changing the desktop settings. If you've removed it, then just restore it from quarantine and the next time you scan, just add it to the ignore list.