Tags: anti malware, malware, malwarebytes, service pack 1, virus

#1
Malwarebytes false positive?
Just updated to latest definitions and ran a scan and it is showing the below issue. I believe this is a false positive. Correct?

Malwarebytes' Anti-Malware 1.30
Database version: 1414
Windows 6.0.6001 Service Pack 1

11/21/2008 09:47:53
mbam-log-2008-11-21 (09-47-33).txt

Scan type: Quick Scan
Objects scanned: 42055
Time elapsed: 1 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
|
#2
Re: Malwarebytes false positive?
Nope. It's actually a policy setting. If you did it on purpose, select to ignore it. If not, let MBAM fix it.
|
#3
Well, I don't know what the policy change is exactly, so I don't know if it is something I set or not. I use a limited user account on the internet so nothing could have changed a registry setting. I did use TweakUAC to put UAC into quiet mode and I also have a 3rd party file manager (Freecommander) that is set to read hidden files. Does that reg change apply to either of those?

The HKLM\...\NoActiveDesktopChanges registry key above determines whether or not the users of the machine have the ability to change their active desktop configuration. There are a large number of trojans and malware that change that registry entry to "1" in order to prevent users from removing the displayed content within the active desktop. You can also set this to 1 to prevent users from changing their wallpaper, for instance. It is not necessarily an indication that you are compromised, but by default users are allowed to change their active desktop settings. The Malwarebytes program flagged the registry entry because it is more often than not an indication that malware may be present. If you are comfortable with the appearance and functioning of your Windows desktop, and don't plan on allowing other users to change the desktop settings, then leave the registry entry set to 1; otherwise set it to zero or allow Malwarebytes to do it for you.
|
#4
I have run the full scan 9 times and have started my 10th run over the course of a month. Each time I run it, the tool reports:

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage (Hijack.Homepage) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

I have had the tool do the repair each time. However, the problem keeps returning. Why could it be returning? It seems like there is a sleeper somewhere on my disk that Malwarebytes is not finding to clean off? Got any suggestions?

So my no active desktop change policy is set to 1 also, but I'm able to change wallpaper and access display properties. What are my limitations with this policy set? Maybe it's not alive because I have user account control turned off?
|
#5
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper

If you have another program, such as SpyWareBlaster, which allows you to lock your homepage, MBAM will see it as a HiJack and bring it to your attention. If that is the case, just set MBAM to 'ignore' that entry. A similar situation may be with your 'Not Changing Wallpaper'.

1. CCleaner - Free
Cleans temporary internet files, cookies, history, recent URLs, application MRUs, etc. ... The toolbar offered prior to installation is not required! If Windows Defender is utilized, go to Applications, under Utilities uncheck "Windows Defender" (so it won't delete the history of WD). If you wish, click the 'Options' button, then 'Settings', and [check] 'Run CCleaner when the computer starts'.

2. Download and execute HiJack This! (HJT)
http://www.trendsecure.com/portal/en...ols/hijackthis
Please, do not post HJT logs to this newsgroup. Fora where you can get expert advice for HiJack This! (HJT) logs.

Is this computer part of a network? If so, group policies will override our efforts to undo them. Have MBAM ignore them. We have no way of knowing if you set those keys, or if malware did. As such, we offer to remove policies that are found and commonly set by malware.
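A read-only triage script, added here and not posted by anyone in the thread, that reads the policy values MBAM flagged above (NoActiveDesktopChanges, NoChangingWallpaper and the IE Homepage lock) and reports what is actually set in each hive, so you can tell a lingering restriction from a clean key before deciding whether to ignore or fix. The HKCU check for NoActiveDesktopChanges is an assumption added for completeness; the other paths are the ones quoted in the posts above.

```powershell
# Added example: enumerate the policy values this thread discusses and report
# their current state. Nothing is modified; this is a read-only check.
$checks = @(
    # Path quoted in post #1 (machine-wide)
    @{ Hive = 'HKLM'; Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer';      Name = 'NoActiveDesktopChanges' },
    # Per-user counterpart of the same value (assumed here, not quoted in the thread)
    @{ Hive = 'HKCU'; Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer';      Name = 'NoActiveDesktopChanges' },
    # Paths quoted in post #4
    @{ Hive = 'HKCU'; Key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'; Name = 'NoChangingWallpaper' },
    @{ Hive = 'HKCU'; Key = 'SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel';      Name = 'Homepage' }
)

function Get-PolicyState {
    param([hashtable]$Check)

    $path  = "$($Check.Hive):\$($Check.Key)"
    $value = $null
    if (Test-Path -Path $path) {
        # Get-ItemProperty returns every value under the key; pick out the one we want.
        $value = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).$($Check.Name)
    }

    [pscustomobject]@{
        Hive   = $Check.Hive
        Value  = "$($Check.Key)\$($Check.Name)"
        Data   = if ($null -eq $value) { '<absent>' } else { $value }
        # MBAM reports "Bad: (1)" for these: 1 means the restriction is in force,
        # an absent value or 0 means the user is not restricted by it.
        Status = if ($value -eq 1) { 'RESTRICTED' }
                 elseif ($null -eq $value) { 'not set' }
                 else { 'unrestricted' }
    }
}

$checks | ForEach-Object { Get-PolicyState -Check $_ } | Format-Table -AutoSize

# Post #5 points out that on a domain-joined machine Group Policy reapplies these
# values after MBAM removes them. The resulting-set-of-policy report shows whether
# a policy object, rather than a local program, is the source:
#   gpresult /h "$env:TEMP\gpresult.html"
```

Run it in the same user account that produced the MBAM log, since the HKCU entries belong to that user; a value that reads RESTRICTED again after MBAM has quarantined it is the "keeps returning" symptom from post #4 and points to something reapplying it rather than to a missed scan.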
|
#6
Re: Malwarebytes false positive?
Yes, I have the same problem. I do not believe, however, that it is of any concern. After "fixing" it, Spyware Doctor (that's right, a security program) had to restart IntelliGuard. This simply could be one security program not liking the processes of another. I have a free trial version of Malwarebytes, Norton 2010, and Spyware Doctor 2010, and nothing is wrong with my computer (no slow down or etcetera). I'm not sure if this works, but if you are seeming to have a virus problem, you could try clearing all browser history, and use Firefox. I happened to get some non-malicious tracking cookies and adware, and my computer is clean. Not all adware is bad, though.
|
#7
Re: Malwarebytes false positive?
I bought a brand new Acer laptop from Newegg, and opened it today. After initial setup with first boot etc. I logged on to the net and:
1. Went to the Acer website to register the laptop,
2. Went to Windows Updates and downloaded updates for Win7,
3. Downloaded MS Security Essentials and installed it, ran a scan, came up green, and then
4. Downloaded and installed MBytes, ran a scan, and came up with the same scan results.... Hijack.DisplayProperties

Now, I am thinking it is extremely unlikely I picked up a trojan "out there" that quickly while working at 3 very reliable and safe sites. So... My question is... Was this hijack routine:
a) created by Acer when doing an info seek to see if I'm a legitimate Acer laptop (??) yet MS SE missed the registry change while doing the initial scan immediately after (hmmmm, unlikely?)
b) MS did this when checking my Win7 version and checking if I have admin rights while installing the desktop icons for MS Security Essentials??, OR
c) MBytes did it while installing desktop and start menu icons, then unknowingly flags the traces of its own activity?? Wouldn't that be funny.

I'm a mechanical engineer and think in terms of function, but a complete novice to this stuff, so it's a bit frustrating that I don't (at present) know how to begin researching this problem. If I knew a little more about Windows code I'd go digging and find out what is really happening, but it sure would be nice if someone who really knows what he's doing could explain to us exactly what must occur for this string to be deposited in the registry, and what legitimate processes could do it. Because it SURE seems like a false positive to me. Or should I say a "safe" positive. By that I mean a tracking routine deposited during a noninjurious process, but junk that certainly doesn't need to be on our systems and needs cleaning.
|
#8
Re: Malwarebytes false positive?
I had the same issue, and did some reading on the web (Google search for Hijack.DisplayProperties) -- some of the items on the MalwareBytes forum were pretty helpful. From what I gather, on older OSes (XP vintage), this registry setting was normally turned off, and was often turned on by malware (as well as some legitimate software) that messed with your Active Desktop to make it harder for you to undo what they'd done, so seeing it turned on was a suspicious sign (though not conclusive proof that you were infected). On newer OSes (I'm running Vista 64-bit) the setting is turned on by default, so it's simply a false positive. So how much you need to worry about seeing this depends on what OS you're running. On a brand new laptop, I'd guess you have Vista or Win 7, in which case don't worry, just set MalwareBytes to ignore this (and if you removed it, you can restore it from quarantine, though it's not a big deal).

Basically, what the setting does is stop you changing the contents of the Windows Active Desktop (the ability to use a webpage as your desktop - MS added this feature during the legal fight about whether IE was a web browser competitor to Netscape or a part of the operating system, I imagine to strengthen their case that IE was part of the operating system. Very few people use it, since it's clunky, though it's actually kind of a cool idea to be able to have something off the web as your desktop -- I wish MS had made it not clunky rather than disabling it, though it did have potential security issues since you were basically running IE immediately on startup).

So the short answer is that if Hijack.DisplayProperties is detected, you're on XP, and you have a Viagra advert site as your desktop and can't get rid of it, you have a problem. But if you're on Vista or Win 7, it's going to be detected, and if your desktop looks normal, it's almost certainly a false alarm.

I wish MalwareBytes was smart enough to know that on some OSes this is the default setting so it should ignore it, even though on other OSes it's a useful warning sign.

Last edited by rogerd : 25-03-2010 at 03:39 AM.