Hardhead Posted November 21, 2008 ID:35871

Hello Bruce and Dustin,

I know this is a place for malware to hide and thought I would post for others to see since it's a new location. This is on a new notebook, Vista Ultimate 64bit. I will whitelist the entry. Correct me if I'm wrong please.

Malwarebytes' Anti-Malware 1.30
Database version: 1414
Windows 6.0.6001 Service Pack 1

11/21/2008 2:39:56 AM
mbam-log-2008-11-21 (02-39-53).txt

Scan type: Quick Scan
Objects scanned: 43184
Time elapsed: 1 minute(s), 22 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

exile360 Posted November 21, 2008 ID:35881

Interesting, I'm on Vista Ultimate x64 and have never seen this detection with an MBAM scan. I'll have to run a quick scan when I get home (currently at work) and see what I come up with. I'll post back and let you know.

edit: Just got home, updated to database 1414 and did a quick scan. Mine came back with the same result.

Malwarebytes' Anti-Malware 1.30
Database version: 1414
Windows 6.0.6001 Service Pack 1

11/21/2008 11:08:10 AM
mbam-log-2008-11-21 (11-08-04).txt

Scan type: Quick Scan
Objects scanned: 36814
Time elapsed: 1 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

exile360 Posted November 22, 2008 ID:36003

Hey Hardhead, are you using dreamscene? I am and was wondering if maybe that was causing it. I don't see why it would but who knows. I can't scan again now as I'm at work, but I will turn off dreamscene when I get home and give MBAM another go and see what happens.

Hardhead Posted November 22, 2008 Author ID:36019

> Hey Hardhead, are you using dreamscene? I am and was wondering if maybe that was causing it. I don't see why it would but who knows. I can't scan again now as I'm at work, but I will turn off dreamscene when I get home and give MBAM another go and see what happens.

Hello exile360,

Yes I do have all components of DreamScene installed.

nosirrah Posted November 22, 2008 ID:36023

It is a new restriction correction, one that seems to be disabled on Vista by default.

For now whitelist it and I will look into whitelisting it for Vista only in defs.

Hardhead Posted November 22, 2008 Author ID:36025

> It is a new restriction correction, one that seems to be disabled on Vista by default.
> For now whitelist it and I will look into whitelisting it for Vista only in defs.

Thanks Bruce, I whitelisted after I posted. This is only in Vista 64bit for me.

Nitrius Posted November 25, 2008 ID:36405

Got this myself, vista x64 here as well. So this can be ignored for sure?

nosirrah Posted November 25, 2008 ID:36408

> Thanks Bruce, I whitelisted after I posted. This is only in Vista 64bit for me.

yes

Guest kiamori Posted December 23, 2008 ID:41676

I'm also getting this in XP Pro x64

Hardhead Posted December 23, 2008 Author ID:41687

> I'm also getting this in XP Pro x64

Hello kiamori,

You can whitelist it.

Justsuern Posted January 4, 2009 ID:44597

I also have a new laptop with Vista 64 bit. Today I updated Malwarebytes and ran a scan. Now receiving the same message.

Malwarebytes' Anti-Malware 1.31
Database version: 1607
Windows 6.0.6001 Service Pack 1

1/3/2009 9:05:58 PM
mbam-log-2009-01-03 (21-05-25).txt

Scan type: Quick Scan
Objects scanned: 43466
Time elapsed: 2 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

I ran Windows Defender and it did not discover anything. My desktop and computer are running fine. Can I add this to ignore list? Is this still a problem since November for Vista 64 bit?

Thanks.

exile360 Posted January 4, 2009 ID:44603

Yup, you can whitelist it. It's a false positive (note I'm running Vista x64 as well).

Urban-uk Posted January 7, 2009 ID:45621

Hi

I didn't realise this was a false positive when Malwarebytes flagged it as an infection. How do I put the registry key back as it should be?

thanks

Tigger93 Posted January 7, 2009 ID:45692

This isn't a false positive. If it was a program that set that and you would like to restore it, in the quarantine click restore.

Urban-uk Posted January 7, 2009 ID:45706

> This isn't a false positive. If it was a program that set that and you would like to restore it, in the quarantine click restore.

Seems from earlier posts in the thread that it is? I thought it was a little odd getting anything come up in mwb, as it was a fresh install and had not been on the internet, 'cept to get the latest Windows updates.

I have heard you can get infected while getting these updates so I let mwb sort out the problem.

The only problem is, if it is a false positive, I went in to the quarantine folder, but it is not in there, so I can not just restore it.

So basically I'm asking if this is definitely a false positive. I just need to know what to put back in my registry. "I'm not good when it comes to the registry"

I am on Vista 64.

Here's the log from the day I installed Vista. I ran anti virus progs before I made a disk image.

Malwarebytes' Anti-Malware 1.31
Database version: 1571
Windows 6.0.6000

29/12/2008 23:05:31
mbam-log-2008-12-29 (23-05-31).txt

Scan type: Quick Scan
Objects scanned: 38554
Time elapsed: 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

nosirrah Posted January 7, 2009 ID:45730

If malware disabled it then it's a legit correction.

If it's disabled intentionally then it's obviously something to whitelist (people without Vista64 can disable this for legit reasons and we will detect it, so it's not just a V64 thing).

It comes down to fixing it for the noob that does not know how to on their own after a malware cleanup, or an advanced user being happy that they don't have to whitelist a single entry.

We choose to help the noob, and keep in mind that there is no way to tell how it got disabled, only that it is.

We may add a 64 bit detection switch at some point, but there are already major projects in the works that will help millions.

You should also note that malware, adware, trojan, rootkit, spyware or any other malicious term is not used here. I am sure that Hijack.Displayproperties is named well enough to make it clear that display properties is modified, not a rootkit or other actual malware component.

corabeth Posted January 11, 2009 ID:46659

I'm the ultimate definition of a noob. Just set up a new PC with 64 bit today. Ran a scan at the start and zero infections, now the same ones being discussed here are showing up in my last scan of the night.

I am new to MWB too, we got this new computer after the old one got totally infested (before I had heard about MWB).

Do I ignore both of the infections below?

Thanks!

Database version: 1640
Windows 6.0.6001 Service Pack 1

1/11/2009 12:24:32 AM
mbam-log-2009-01-11 (00-24-26).txt

Scan type: Quick Scan
Objects scanned: 47467
Time elapsed: 1 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

corabeth Posted January 11, 2009 ID:46736

Sorry, it won't let me edit my first post. I also ran a full Norton scan and it showed zero infections.

dw17dw17 Posted January 15, 2009 ID:47907

I had the same thing happen but I deleted it

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Should I put it back in?

thanks

exile360 Posted January 15, 2009 ID:47926

If you are running Vista then this is a false positive and should be added to the Ignore List. Even in XP this detection isn't actually malware, it's a setting that is often modified by malware to prevent changing the desktop settings. If you've removed it, then just restore it from quarantine and the next time you scan, just add it to the ignore list.

dancingwoman Posted January 15, 2009 ID:48086

> If you are running Vista then this is a false positive and should be added to the Ignore List. Even in XP this detection isn't actually malware, it's a setting that is often modified by malware to prevent changing the desktop settings. If you've removed it, then just restore it from quarantine and the next time you scan, just add it to the ignore list.

I had the same thing happen and deleted it also..now of course I can't restore it..it's not in quarantine..do I just not worry about it..thanks..

exile360 Posted January 16, 2009 ID:48178

> I had the same thing happen and deleted it also..now of course I can't restore it..it's not in quarantine..do I just not worry about it..thanks..

Actually, if you're somewhat comfortable with the registry then you can navigate to here:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges

and change it back to 1 instead of 0 (this is assuming you're running Vista, if XP then Malwarebytes' simply set it to its normal default).

dw17dw17 Posted January 16, 2009 ID:48208

> If you are running Vista then this is a false positive and should be added to the Ignore List. Even in XP this detection isn't actually malware, it's a setting that is often modified by malware to prevent changing the desktop settings. If you've removed it, then just restore it from quarantine and the next time you scan, just add it to the ignore list.

I did the same "Quarantined and deleted successfully."

exile360 Posted January 16, 2009 ID:48275

You can restore it safely (assuming you're running Vista x64). Just go to the Quarantine tab and select that entry then click on Restore.

dancingwoman Posted January 16, 2009 ID:48280

> You can restore it safely (assuming you're running Vista x64). Just go to the Quarantine tab and select that entry then click on Restore.

There is nothing in quarantine to select...because I deleted it ...so I can't restore it that way..Is it ok just to leave it the way it is..thanks...

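
Added example, not part of any post above and not Malwarebytes code: a small parser for the "Registry Data Items Infected" lines quoted in this thread, listing which values a scan changed and what they held before, which is the question several posters ask. It assumes the MBAM 1.3x log layout shown in the posts and, as the thread does, that a fixed item is rewritten from its Bad value to its Good value; the function names are hypothetical.

```python
import re

# Constructed sample: section headers and detection lines as quoted in the thread.
SAMPLE_LOG = r"""
Registry Data Items Infected: 2
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
"""

# <key>\<value> (<detection>) -> Bad: (<bad>) Good: (<good>) -> <action>.
ENTRY = re.compile(
    r"^(?P<key>HKEY_[A-Z_]+\\.+)\\(?P<value>[^\\ ]+) \((?P<name>[^)]+)\)"
    r" -> Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) -> (?P<action>.+?)\.?$"
)

def parse_registry_data_items(log_text):
    """Return one dict per entry in the 'Registry Data Items Infected:' section."""
    items, in_section = [], False
    for line in log_text.splitlines():
        line = line.strip()
        if line.endswith("Infected:"):  # section header; the count lines end in a digit
            in_section = line == "Registry Data Items Infected:"
        elif in_section and (m := ENTRY.match(line)):
            items.append(m.groupdict())
    return items

def changed_values(log_text):
    """(path, value before scan, value after scan) for entries the scan acted on.

    Assumption taken from the thread: a fixed item goes from Bad to Good.
    """
    return [
        (f"{i['key']}\\{i['value']}", i["bad"], i["good"])
        for i in parse_registry_data_items(log_text)
        if not i["action"].startswith("No action")
    ]

if __name__ == "__main__":
    for path, before, after in changed_values(SAMPLE_LOG):
        print(f"{path}: was {before}, now {after}")
```

Entries logged as "No action taken" are skipped because the scan left them untouched.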