(Hijack.DisplayProperties)


Hardhead


Actually, if you're somewhat comfortable with the registry then you can navigate to here:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges

and change it back to 1 instead of 0 (this is assuming you're running Vista; if XP, then Malwarebytes simply set it to its normal default).

I'm not really comfortable going into the registry..I know how to get into it by going to start and then typing in Regedit but that's about it...thanks anyway...the computer seems to be working ok the way it is..can I just leave it this way..thanks...


OK, I can understand not being comfortable. I'll give you a reg file to automate it for you (I already tested it on my own system to make sure it works properly). Just open Notepad, copy the following text into it, choose "All Files" as the file type and save the file as fix.reg :

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktopChanges"=dword:00000001

Once it's saved to your desktop, just double click it and click Continue at the UAC prompt and click Yes when it asks if you want it added to the registry.


Did as you instructed..scanned again and put it on the ignore list..Thanks for your time and help..Dancing


As a side note...why didn't anything ever show up in Quarantine..the second time I ran the scan I checked to see if I could quarantine the problem instead of deleting it like I did the first time..no place to do that..I thought maybe the first time I just missed it..but there was nowhere to quarantine...is it because I have the free version of malwarebytes..thanks...


Hmm, that's odd, I use the free version myself and it quarantined on my machine. Could've just been a "hiccup" in the program. Oh well, at least you've got it all fixed up. Good luck and safe surfing to you.

I found a post from back in August and September with the same problem (no way to quarantine)..I'll see if I can post it for you to read..I didn't see if there was a fix to the problem..thanks...here's the link http://www.malwarebytes.org/forums/index.php?showtopic=6025


Ahh, that explains it, I never rebooted after doing my scan, but it did ask me to. And considering the way Vista has every user running in non-administrator mode (that's where UAC comes in), that would explain why Malwarebytes would be set to "delete on reboot" for registry keys in Vista instead of just the normal quarantine. It was unnecessary though, as it was able to change the reg key without rebooting (I checked my registry after running it).


I think these false positives need to be readdressed, and justifying them simply because malware has been known to make these type changes is not good enough - barely (if that) circumstantial. When I, as the user of this XPPSP3 machine, can very easily right click on the Start Menu > Properties > Customize > Advanced and select "Don't Display this item" for a whole set of display options, MBAM should not report them as infected objects. These are not infections, nor are they vulnerabilities. It does not present a security risk if I decide I don't need to see my Control Panel in my Start menu.

I received the following 4 false positives today.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.

Interestingly, I also do not have Favorites, My Music, My Network Places, My Pictures, Network Connections, or Printers and Faxes displayed and they were not reported. I did, however, set System Administrative Tools to "Display on the All Programs menu", but that was not reported as infected either.

False positives are inevitable, but should be used to tweak the code and not allowed to live on. For me, since I never auto-delete anything, and have a few years under my belt, FPs are a minor inconvenience, unless frequent or repeating, then they become annoying, and can eventually become show-stoppers as faith in the product wanes, rendering the product untrustworthy. That would not be good here.

For less experienced users, FPs can be frightening and as we have seen already, often result in users removing totally valid registry keys, BREAKING, in effect, options. How can that be good? Or faith building?


Hi..the reason I deleted the FP that showed up for me was because I wasn't given the option to quarantine like other programs give you , (till you can find out more about the infection)...I could delete it or delete all...or restore it..no other choices..In the link to the post I cited others had this same problem..you have to read the whole post in the link..at the end of it Rubber Ducky says.."Something is going wrong with registry quarantining on your systems. I will take a look at the code. " but then I never saw a resolution to the problem....I haven't used mbam since..I was thinking of uninstalling it...because of fps how do I know what is or isn't a real threat?...DW


> Hi..the reason I deleted the FP that showed up for me was because I wasn't given the option to quarantine like other programs give you , (till you can find out more about the infection)...I could delete it or delete all...or restore it..no other choices..

You could not "ignore"? If nothing else, you could just cancel out of MBAM without taking any action.

> I was thinking of uninstalling it...because of fps

I would not do that - it is still a trustworthy program.

> how do I know what is or isn't a real threat?...DW

Google.

Hi..sorry yes I could ignore..and with the help of Exile that's what I ended up doing...after I put the entry back into the registry...ran the scan again and put it on ignore...I guess because it was the first time I used mbam it was a little confusing to me and for lack of better judgement I deleted it...all the other programs I use have a place to put things in quarantine..thanks..dw


Just to clear this up, I believe the reason it doesn't quarantine these particular issues is because it isn't actually deleting anything, it's simply changing the number 1 to a 0 in that reg key, not removing it, so there's nothing to quarantine. Perhaps the developers could implement something to back up the 1 key so that it could be restored (sort of like quarantine, but not quite). With normal malware where a key or file is deleted off of the system, it is actually quarantined by MBAM.


Thanks for the explanation Exile...you've been very helpful...I won't delete anything from now on till I check it out..DW


> Perhaps the developers could implement something to back up the 1 key so that it could be restored (sort of like quarantine, but not quite).

Ummm, while a good idea, it is not necessary to reinvent the wheel. This simply requires backing up the Registry before making changes. I use ERUNT.

But the real point is these items (the FPs I received and reported above) should never be reported in the first place, never quarantined, and never deleted. They are not threats, do not represent vulnerabilities, nor are they evidence of malicious activity. These Registry entries reflect simple user settings, easily accessible from Start Menu Properties. Changes from the defaults may provide "clues" to previous malicious activity, but the lines in the Registry themselves are not malicious, were put there by Microsoft - not badguys, and need not be removed.

What makes this bad is how the findings are reported, then handled. The badguys have forced non-IT users like dancingwoman to (correctly) err on the side of safety. The 4 FPs I had were defined as "malware", "Bad", "Infected", and "Hijack.StartMenu" - 4 scary words that, for these 4 FPs, are simply not true!

To make matters worse, the suggested "fix" incorrectly removes (does not change back to default, but removes!) these legitimate options, without the user's knowledge. That's not right.

So this is a problem that needs to be addressed right away. Users should not have to implement a work-around, or manually fix the fix for something that was not broken in the first place.

BTW, while grumbling, these are minor issues, but they do detract from an otherwise most excellent product. The dynamics of malware, and the methods to thwart it make FPs inevitable. Nevertheless, zero FPs should be a goal sought as aggressively as identifying 100% of the malware if the "perceived integrity" of the program is to remain beyond reproach. If a security program regularly (and over several updates) mis-identifies multiple legitimate objects as "malware", "Bad", "Infected", and "Hijack.StartMenu" it is not much of a stretch to at least wonder if it is also mis-identifying malicious objects as "safe".

The expectation for zero-defects may not be fair, but that's the price you pay for being one of the good guys - you are always held to a higher standard. A few small specks of mud on a white hat quickly makes it look dirty.


You're welcome dancingwoman, and remember, as I said normal malware (not entries where it says 0 bad 1 good or vice versa) MBAM will actually quarantine it so it can later be restored.

One more question if you don't mind..

When I ran the scan and deleted what I thought was a problem...I had just installed MBAM..Could I have uninstalled MBAM ...then gone back to the day before's restore point and restored things to the way they were the day before the installation?..Would that have brought back the registry to the way it was before MBAM found the fp and I deleted it?...DW


@Digerati: I think the reason these "FP's" as you call them are detected and modified is meant to be as a service to a user whose settings have (at least potentially) been modified by malware, although I do agree that the implementation at least could be better. Perhaps instead of a detection in a normal scan, these could be part of a special section of "fixes" within MBAM that say things like "restore Help item to Start Menu" or something similar, or at least identify the detections in the scans a bit more descriptively so they aren't perceived by users as actual threats, simply as modified settings that are often changed by malware, and perhaps with a message along the lines of "if you made these changes yourself please ignore this detection." And maybe even going as far as not having these items marked for removal by default, instead maybe show that they were detected, but force the user to check a box next to them to remove them so hopefully they'll read what they are.

Just a few ideas.

edit: just saw your post DW, yes, a system restore would have rolled back the changes, but it doesn't matter, as the fix I posted restored it to exactly as it was before MBAM changed it so no worries.


> these "FP's" as you call them

I call them that because that is what they are - right or wrong, whether we like it or not - a legitimate item falsely tagged as malware (or bad, infected, or a hijack) is a False Positive.

> Perhaps instead of a detection in a normal scan, these could be part of a special section of "fixes"

:) I agree with the separate but "fixes" automatically "implies" "broken" and in "need of fixing". I did not break Windows, or make it less secure, or vulnerable to compromise when I selected the option via the Start Menu Properties menu to not display Control Panel in the Start Menu. Agree?

> perhaps with a message along the lines of "if you made these changes yourself please ignore this detection.

:) "Items of Interest" or the like may be a good fit instead of "Fixes" - as long as the program explains why, and does not mislabel them prematurely with "trigger words".

But still, it should do so only when necessary. A single "clue" about a harmless user setting in the Registry should not be reported at all, IMO. However, IF there are other substantiating clues, such as the Control Panel also missing from My Computer, or entering control in the Run box fails to open Control Panel, then I would want to be alerted to this still unverified, potential "Item of Interest". There are certainly hundreds (1000s) of possible user settings that may be changed by user choice, legitimate installed programs, and/or by malicious code. Does (should?) MBAM report on each?

> And maybe even going as far as not having these items marked for removal by default

I agree with that completely.

> 0 bad 1 good

And in this case, when "0" = Do not Display, "1" = Display, and "2" = Display as Menu, none are "Good" or "Bad". :)
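The thread keeps coming back to the same complaint: a detection line that says only "Bad: (0) Good: (1)" tells a non-technical user nothing about what the setting is or what will be changed, and the user is asked to decide before anything is quarantined. The script below is an added example (not Malwarebytes' code and not posted by anyone in this thread) of what a more descriptive report could look like. It parses detection lines in the layout quoted above, renders the Start_Show* values using the 0 = Do not display, 1 = Display, 2 = Display as menu meanings given in the post above, and sorts detections into "ignore" and "review" before any change is made. The sample log, the friendly item names, the function names and the triage rule are this example's own assumptions; anything the table does not know is reported as a raw change to be checked rather than guessed at.

```python
"""Turn MBAM registry detection lines into plain-language setting reports.

Added example for this thread, not Malwarebytes' code. The sample log below
is constructed in the format quoted in the thread; the 0/1/2 meanings for the
Start_Show* values come from the discussion above. The item names, function
names and the triage rule are this example's own assumptions.
"""
import re
from dataclasses import dataclass

# Constructed sample in the layout of an MBAM scan log (not a real scan).
SAMPLE_LOG = r"""
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Delete on reboot.
"""

# One detection line: <key path>\<value name> (<detection>) -> Bad: (n) Good: (m) -> <action>.
DETECTION_RE = re.compile(
    r"^(?P<path>HKEY_[A-Z_]+\\.+)\\(?P<value>[^\\ ]+) "
    r"\((?P<name>[^)]+)\) -> Bad: \((?P<bad>\d+)\) Good: \((?P<good>\d+)\) "
    r"-> (?P<action>.+?)\.?$"
)

# Start Menu display states as given in the thread: 0/1/2.
START_MENU_STATES = {0: "Do not display", 1: "Display", 2: "Display as menu"}

# Assumed friendly names for the Start_Show* values reported in the thread.
START_MENU_ITEMS = {
    "Start_ShowControlPanel": "Control Panel",
    "Start_ShowHelp": "Help and Support",
    "Start_ShowMyDocs": "My Documents",
    "Start_ShowMyComputer": "My Computer",
}


@dataclass
class Detection:
    key_path: str
    value_name: str
    detection: str
    current: int    # what MBAM labels "Bad": the value on the machine now
    proposed: int   # what MBAM labels "Good": the value it would write
    action: str


def parse_log(text: str) -> list[Detection]:
    """Return one Detection per line that matches the MBAM format; headers and
    blank lines are skipped rather than treated as errors."""
    found = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            found.append(Detection(
                key_path=m["path"], value_name=m["value"], detection=m["name"],
                current=int(m["bad"]), proposed=int(m["good"]), action=m["action"]))
    return found


def describe(det: Detection) -> str:
    """Say what the setting is, what it is set to and what would be written,
    instead of bare Bad/Good numbers."""
    item = START_MENU_ITEMS.get(det.value_name)
    if item is not None and det.key_path.endswith(r"Explorer\Advanced"):
        now = START_MENU_STATES.get(det.current, f"value {det.current}")
        then = START_MENU_STATES.get(det.proposed, f"value {det.proposed}")
        return (f'Start Menu item "{item}" is set to "{now}" (a user option under '
                f'Start Menu Properties > Customize > Advanced); {det.detection} '
                f'would set it to "{then}". If you chose this yourself, ignore it.')
    # Not a setting this example knows: report the raw change and ask for a look.
    return (f"{det.value_name} under {det.key_path} is {det.current}; "
            f"{det.detection} would set it to {det.proposed} ({det.action}). "
            "Meaning not in this example's table: check it before acting.")


def triage(dets: list[Detection], user_changed: set[str]) -> dict[str, str]:
    """Decide before anything is deleted: values the user says they set
    themselves go on the ignore list, everything else gets reviewed."""
    return {d.value_name: ("ignore" if d.value_name in user_changed else "review")
            for d in dets}


if __name__ == "__main__":
    detections = parse_log(SAMPLE_LOG)
    for d in detections:
        print(describe(d))
    print(triage(detections, {"Start_ShowControlPanel", "Start_ShowHelp"}))
```

Run it as-is to see the three constructed lines rendered; to use it on a real scan log, pass the log text to parse_log and the names of the values you changed yourself to triage. The NoActiveDesktopChanges line is deliberately left out of the lookup table so the output shows the fall-through behaviour: an unknown value is reported as "is 1, would be set to 0" and flagged for a look, which is the choice Digerati and dancingwoman both arrive at above (never delete a detection until you know what it is).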

Yeah, I can certainly see where you're coming from but I still think it's good to have such "detections" in a malware removal tool, but further documentation for the user should be implemented so they understand why it's detected so the user can make up their own mind, and if indeed the user was the one making these changes, then they should have no trouble doing so, as long as MBAM provides proper documentation of what exactly the detection means (listing a reg key and saying "hijack" and "bad" or "good" isn't quite adequate in my opinion). I know I wigged out the first time I saw it hit on my old XP system (I always disable "Help and Support" on the start menu). After analyzing the detection string, I quickly recognized what it was, but initially I was worried.


> I wigged out the first time I saw it hit on my old XP system (I always disable "Help and Support" on the start menu). After analyzing the detection string, I quickly recognized what it was, but initially I was worried.

Exactly! I did the same thing. But to many, their computer is simply a tool or communications "appliance" they use at home, work or school. They should not need to know how to analyze a detection string - it should be spelled out in front of them.

Oh well - good discussion!

