Suspected false positive Virus detection
Recently I installed Avira Antivirus and ran a few scans on my Compaq Presario, and a virus known as APPL/ACLSet is still found in the following location:
Hewlett-Packard HP TCS\SetACL.exe C:\Program
[DETECTION] Contains the recognition of the application APPL/ACLSet model
Since it is in the HP program files I suspect it is a file that is used by HP for some purpose such as updates or others. So I just ignored it.
On October 3, 2009, I ran a scan again and this time there were more new detections in addition to the former, as below:
Hewlett-Packard HP TCS\SetACL.exe C:\Program
[DETECTION] Contains the recognition of the application APPL/ACLSet model
C:\Program Files\Hewlett-Packard\KBD\KbdStub.exe
[DETECTION] Is the horse of Trojan TR/tr/dropper.Gen
BEGIN scan in "D:\". »
D:\hp\Drv\APP01300\src\KbdStub.exe
[DETECTION] Is the horse of Trojan TR/tr/dropper.Gen
End of the scan: Saturday, October 3, 2009 10:26
Time: 01:00:06 am

While they inspected with Avira website, it is that TR | TR/dropper.Gen is a new virus detected only on October 1, 2009 and it seems to be the superior and most recent threat. Even once since it was associated with the HP program I just ignore it for now.

Can someone give me a confirmation of 100% if these detections were just false positives or are they really malicious virus/malware? If I just ignore them or get rid of them? If I get rid of them and they turn out to be legitimate programs from HP, will this affect my PC in any way?

Thank you much in advance.

Hello hpfannr1,

I checked with the HP Total care email support and they confirmed that they are in fact viruses. The Council was to delete.

McAfee false positive for ThinApped reviews

Hello

In our Organization, we have the customer view (4.01) using ThinApp (4.0.4 - 204871) and deployed to some users of test (on XP) for a pilot program. Some users reported that our company software antivirus (McAfee VirusScan Enterprise 8.7i) wswc.exe as a generic Trojan virus. The wswc.exe and the folder Thinstall tell me that it is the Client of the view.

Here is a part of the McAfee log file:

2010-10-14 01:12:08 engine version = 5400.1158
2010-10-14 01:12:08 DAT AntiVirus version = 6135.0
2010-10-14 01:12:08 number of EXTRA detection signatures. DAT = None
10/14/2010-01:12:08 names of EXTRA detection signatures. DAT = None
2010-10-14 15:54:32 deleted NT AUTHORITY\SYSTEM C:\WINDOWS\system32\CCM\CcmExec.exe C:\Documents and Settings\ (user name removed) \Local Settings\Application Data\Thinstall\Cache\Stubs\5a21d3a6a2ac166efd290dc64a9bea5988496d\wswc.exe generic.DX!12536d125737! ugk (Trojan)

We told our users that ThinApp does not trace on the system package is connected. I guess that now that this is incorrect.
Anyone in the community would be to explain what McAfee is actually detecting here and some suggestions about how we can avoid our users to see what kind of "false positive" virus messages?

I just want to say that I've only worked with ThinApp for a few months so I'm still learning the application and I appreciate any input given to my question.

Thank you
Bob

> > we told our users that ThinApp does not trace the system whether the package is connected. I guess now that This is incorrect. Anyone in the community would be so good regarding explain what McAfee is in fact detection here

Only place that ThinApp change in the system is the location of the Sandbox, which you can simply get rid by deleting the folder. An exception is if the isolation of a certain folder mode is merged (check attribute.ini in any folder to the package).

When you capture an application and build a bin ThinApp project resulting folder contains all the installation files with the file of container as read only data. Now when you copy this into deployment machine and run, ThinApp can need to write files in some cases (for example if the application tries to create a log file). Now ThinApp does not create files in OS system files (windows, program files, etc.) and creates all the sandbox and written. You can locate the default sandbox in %AppData%.

So when you say no trace, it should mean that demand will not registers, write the system folders. Of course, if an application creates files, ThinApp has to create them because otherwise the application does not work, but instead of creating these files anywhere in the system, ThinApp restrict to a location unique sandbox.

I hope you do feel better now.
Aditya

is this a real threat or false positive?

After scanning my local disk with norton 360, malwarebytes, MRT and Prevx 3.0, ONLY Prevx 3.0 identified "funshioninstall2.0.0.29beta.exe" as a "medium risk Malware." should I worry that it is a true malware? or is this a false positive?
EDIT: OK, so here is my log scan Prevx 3.0 Crawl log Prevx - Version v3.0.5.50
End of the Prevx Scan newspaper - http://www.prevx.com

(I don't know if the addition of the crawl log would make a difference, but here it is anyway...)
...so if anyone can read it, including at - it malware in the newspaper?
(PS. Sorry for the link, I didn't know he was malware..)

MORE EDITING:
OK, so http://www.spywaredetector.net/spyware_encyclopedia/Downloader.agent.yg.htm said that funshion has a virus 'Downloader '... (but I still have to confirm with the support of Prevx and other stuff that I sent the crawl log Prevx support, so it can be checked again)

But let me ask you a few questions please...

(1) can I just delete it manually? or just uninstall it off my computer? or I have to use tools?
(2) If tools are needed, what is recommended? or simply use the one which is available here? [ http://www.spywaredetector.net/spyware_encyclopedia/Downloader.agent.yg.htm ]
(3) in your opinion, the downloader viruses are something to be very concerned of?
(4) I checked with norton's database. [ http://www.symantec.com/security_response/writeup.jsp?docid=2002-101518-4323-99 ] in the report, it is said it affects not the panoramas, but norton 360 had failed to detect the funshion first thing... Still, I'd be concerned?

Hello

Here's another report about it - since the site is in Chinese or something, I'd be very worried.

http://www.spywaredetector.NET/spyware_encyclopedia/Downloader.agent.YG.htm

=====================================================

Try the trial of Hitman Pro that uses methods similar to Prevx and will remove Hitman Pro is a medium one scanner it only runs when you wish and has no resident function.

Hitman Pro - 30 days free trial version

I hope this helps.

I know that means I'd be absolutely convinced that this is not a virus, but what happens if you delete by mistake the false positive, thinking that it is not a false positive? It will have a negative impact on the computer?

(I have my suspicions, that the last time norton said I had a virus 'Protector' who put him and panic that I deleted the point suffered. I went looking for virus "Protector", but he is not in a database. currently I use the computer of my mom [...as my cell phone has been confiscated...]
so I can't really check on it now and know if there are problems that is why I ask) This question) and does anyone know if there is even such a THING as a "protector" virus? and how 1 knows if a virus detected by analysis is a false positive or something that was not only on the basis of data yet?

Hello

Deleting a file can have a negative influence, that is to the advantage of quarantine especially for the system measures

Most system files can be replaced by SFC/scannow assuming the system starts and SFC can be executed.

Google is your friend.

AVG anti virus detect any ADF application as being infected

I remember a similar question 2 or 3 years ago, where this provider software used a false positive. This issue then slipped by Oracle inform the seller of this false positive

Frank

Virus detected but not deleted

My anti virus program (Sophos) has identified a virus, but cannot be removed. It's a Mac using OS X El Capitan. What can I do?

Anti-virus programs are not necessary on a Mac. There is no known virus capable of attacking OS X. AV apps are a cure for a disease that does not exist. They often produce false positives. Uninstalling Sophos.

It is possible that you have some adware. I download and run MalwareBytes to make sure. It was developed by one of our colleagues here to ASC. He received rave reviews and is on the more proven anti-malware for Mac software.

E6420 - Bios A07 - false positive diagnosis - Lcd Cable

Hello world!

I found a weird bug with update bios A07 on the E6420 (i5 - 2520 m). The utility diagnostics report "error Lcd 2000-0415". When I return to A06, the problem disappear.

Anyone can repeat this mistake? I had opened a case to replace my lcd cable and I will contact Dell to cancel the replacement of the cable. But if no one can repeat the problem may be that the cable is really damaged and better A07 bios detects it. I have no problem using the computer.

Thank you.

There is a long and a short version of this...
As I understand it, Dell has implemented a change to the hardware level allowing the cable test for the work they have released newer versions of systems and enabled in the BIOS. For systems with the old cables, it always generates a false positive. It is not an error in the BIOS, it's just this test is not supported by the hardware you have.

Hi all

Is this a false positive?

I just did a clean install of Win 7 64-bit Ultimate on my Dimension 8400 on a new hard drive installed MSE, windows update, download and installed msn version 9 the fly butter, downloaded a driver for my wireless card, downloaded the new version of malwarebytes and it ran, it came with it.

Malwarebytes' Anti-Malware 1.45
Database version: 3937
Windows 6.1.7600
31/03/2010 07:15:05
Scan type: quick scan
Memory processes infected: 0
Process memory infected:
Memory infected:
Infected registry keys:
The registry is infected:
Infected registry data items:
Infected files:
Infected files:

So I ran on my XPS 430 and my 1501 with win 7 64 bit and Vista Ultimate 64 bit, it came with the same thing on my computer! SO I think it's a false positive. I didn't {{remove this to any of my computers still}}

What do you think?

Thank you

Discussion: http://forums.malwarebytes.org/index.php?showtopic=7653

Hello

We have ID 4210 box with version 3.1 and using virtual machines to monitor and manage the area ID. We use the perl script for sending email notification whenever the event is triggered. The problem is that we receive a lot of false positives for signatures like 4001, 4003, 5366 etc how can you eliminate false positives detection.

Thanks and greetings
Salim

Hello

You could use response to threats of Cisco - who will get a stream directly from the Cisco IDS 3.X and 4.X sensors and could help is to reduce false positives.
In a word WHAT CTR will occur a series of controls against the targets of the attack as it is the right operating system, and in the case of windows systems, it will check the levels of Patch etc. It uses digital fingerprints NMAP and agents currently I think it's free and requires a box of windows 2000 with fast processor to work.

The issue you'll have with this is that it increases only events using SNMP - so you should have to rely on your business to generate emails. It should significantly reduce your events.

If you use CSPM, you can also set configuration notifications occur on the 1st occurrence of an event, the nth occurrence and a timer reset to reduce the number of recurring events.

In the version IDS 4.X, you can perform a range of tuning including fireone, summary events etc. to further reduce the generated events.

I can't stop the pop-up and adware ads in Safari.

When I opened a new take, it is locked until I click a place twice, then two new tabs with advertising and virus detected by safari emerge

I tried following the instructions on the support page, in Apple, but it did not work.

Force to leave Safari, then with the SHIFT key, restart Safari.

Also use EtreCheck of www.etrecheck.com and see what else is running.

Possible false positive with hamid 3353 problem

Here is a packet captured by the ID that triggered hamid 3353 - SMB request overflow

evAlert: eventId gravity = 1075708170032493259 = high Author: hostId: cisco-ID - v4.1 appName: sensorApp appInstanceId: 1134 time: 2005-07-18 14:53:30 2005/07/18 14:53:30 UTC interfaceGroup: 0 VLAN: 0 signature: hamid = 3353 sigName = SMB request overflow subSigId = 0 = S180 Malformed SMB Request version
participants: Attackers: attacking: proxy = false addr: location = IN 10.24.238.193 Port: 1071 victim: addr: location = IN 10.24.4.42 Port: 139 alertDetails: Traffic Source: int0;

As you can see, looks like a pretty normal SMB packet. This sensor is on an internal network, so Windows file and printer sharing is the norm. I think there is a false positive problem that was introduced with the signature's tuning via the S180 update.

As a result, I have two questions:

(1) am I right, or is the signature works as it should?
(2) does anyone else have this problem?

All your comments will be greatly appreciated,
Alex Arndt

We have identified the problem; an updated version of this signature will be in an update of the upcoming signature.

IPS 5.0 change action causes false positives

Hello

I've updated a 4215 and 4 port running 4.1 to 5.0. The unit is not "inline", always using a single sniff int when I add the (reset) action on a GIS (5126) or that relate to IIS and apply the change to the sensor starts go crazy picking off all kinds of web traffic as a hit and then resets the stream. Problem is that these are false positives...

If I can go back to IDM and turn off the action of "reset" and use only the default value (alarm), the alarms keep coming. If I restart the sensor alarms stop.

What I don't understand is this signature has been activated before and its default action is 'alarm'... I never received any alarm. As soon as I change the action for the alarm and reset becomes crazy? A sensor reboot solves the problem.

Someone at - it given the similar problems?

Thanks in advance
MK

MK

I think that you encounter a known, fixed bug in update 5.0 (2) has just been released. It looks like:

CSCeh36719 False positives after upgrading to 5.0 IPS

It affects signatures in HTTP after engine they were listening.
Try to install the service pack 5.0 (2) located here:

http://www.Cisco.com/cgi-bin/tablebuild.pl/ips5

SC

How to report a false positive in the Web reputation Score

I raised this issue already in the sub-heading 'Firewall', but apparently I was off-topic there... so I would try here again:

An Ironport using the websites Web reputation Score is currently the list with a score from under -7,0 www.juliabase.org . It is a false positive because of the heavy traffic that the site currently generates because, well, it's just popular right now (the first public announcement was yesterday). It is certainly no malware on it.

How can we get rid of this list of bad reputation?

SenderBase.org it is at zero, this is where you can request modifications.

Right now my WSA returns -4.9... So it's probably just a matter of time before it happens. Ephemeral sites are generally bad, so it doesn't surprise me that they want you to stick around for a bit until they call you own.

When I try to download from Microsoft I get a virus detected error erased file

Original title: carnt download anything

When I try to download from Microsoft I get a virus detected error erased file

Probably because your computer is infected with a rootkit. See if these steps in removing viruses, marked as the answer, apply to you:

False positive hit... or not? -Solved

Hello

I work with Sourcefire customers and ran into this file being blocked by the system.

AAFlash_setup.exe

https://www.VirusTotal.com/en/file/8e13f9c500757b2822c8c36a5ee32b820ff27...

I can't seem to find any reason anywhere to explain why the file which is blocked others the Sourcefire don't like this.

So it does not contain malware, or is this a false positive? And where can I find this information because my almighty google did not help me.

Photo with the hit is attached

Brian

Then it must be a false positive.
Generated journal: 2010-05-02 09:59, Type: 0.1
Windows Vista Home Premium Service Pack 2 (Build 6002) 32 bit | 1033
HostName: Laura-laptop
Some non malicious files are not included in this journal.
The heuristic settings: age: 1, Pop: 1, er: 2 (Dir: 1)
Last Scan: Game 2010-02-04 18:28:24 standard time from the Malay Peninsula. Number of reviews: 18. Last Scan duration: 11 seconds.
[B] c:\users\hp\documents\funshioninstall2.0.0.29beta.exe [PX5: D95BFA4F8032110946EE3EBC37159F00C796261D] Malware Group: medium risk Malware
Malware - free 30 day trial. You can uninstall it when the trial is up.
http://www.SurfRight.nl/en/hitmanpro
Rob - bicycle - Mark Twain said it is good.
files. For the file system, it even being removed from the quarantine area may have a dramatic effect on the system
What is the function of the file.
Until someone asks even the demo hosted by Oracle to http://jdevadf.oracle.com/adf-richclient-demo/faces/index.jspx component causes AVG trigger, it is not only our application do.
Any ideas on what can be done to get AVG to fix this fast (I think Oracle could carry more weight with them so we would do).
www.Malwarebytes.org
Internet Explorer 8.0.7600.16385
MBAM-log-2010-03-31 (15/07/05) .txt
Objects scanned: 100023
Time elapsed: 2 minute (s), 27 second (s)
Memory Modules infected: 0
Registry keys infected: 0
Registry values infected: 0
The infected registry data: 1
Folders infected: 0
Infected files: 0
(No malicious items detected)
(No malicious items detected)
(No malicious items detected)
(No malicious items detected)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties)-> Bad: (1) Good: (0) not-> no action taken.
(No malicious items detected)
(No malicious items detected)