False Positive?


JeremyWW

Like other users I ran a full scan today and had a bitsadmin.exe file in c:\Windows\winsxs flagged as Trojan.FakeMS. Is this a false positive? The fact that the file in question is dated 2009 on my computer leads me to think that it might be (as does the fact that a quick scan earlier today and a full scan last night didn't detect any problems).

Results of scan in developer mode attached.

(Apologies if I should have posted this to the post below, but the instructions said don't reply to other users' posts so I wasn't sure)

mbam_log_2011_01_04__18_42_35_.zip


Uh, I had MB delete the offending file. What have I done? What should I do now?

This is what was shown in the report:

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.


  • Staff
Uh, I had MB delete the offending file. What have I done? What should I do now?

This is what was shown in the report:

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

What you have posted is not related to the subject of this thread. In your log you can see that your desktop has been locked out from making changes. If you have done this intentionally just set it to ignore and you will not see that displayed again.


What you have posted is not related to the subject of this thread. In your log you can see that your desktop has been locked out from making changes. If you have done this intentionally just set it to ignore and you will not see that displayed again.

Sorry, I'm not sure what you mean. How would I have locked my desktop? I haven't encountered any difference in operation. I received this "infected registry key" when I ran a scan and got a positive for trojan.fakems (adminbits) and so I thought the two were related.


  • Staff

The file was in a backup location and not currently active.

The one and only time this file would ever be needed is if you wanted to uninstall all of the Windows updates that took place on and after the update that placed this file in backup.

In any event you should be able to restore the file from quarantine.


The file was in a backup location and not currently active.

The one and only time this file would ever be needed is if you wanted to uninstall all of the Windows updates that took place on and after the update that placed this file in backup.

In any event you should be able to restore the file from quarantine.

Thank you for the information. That is a relief. Unfortunately, I cleared the file from quarantine, so it's gone for good I think. Next time I'll check for false positives before stupidly deleting from quarantine.

