Desktop.Explorer: HideIcons.



Rosenfeld
2005-11-04, 21:15
I do not understand why this is flagged by the latest (4 November) beta.sbi, I think it is a False positive.

Desktop.Explorer: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-3090935711-3204504469-1825801191-1007\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell!=W=1

The value of ClassicShell has data 0 in the registry. Spybot seems to think that it should be 1.

http://www.winguides.com/registry/display.php/1282/

describes the settings for this key in XP. I see nothing wrong in my having it 0, which is the default. Although I do use the classic desktop, I see no reason to disable my ability to switch to active desktop should I want to do so. Setting this to 1 would prevent that. What is the security risk??


Spybot does not flag the same value at HKCU (same user account).


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-06-01 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2005-11-04 Includes\Beta.sbi (*)
2005-02-16 Includes\Beta.uti (*)
2005-11-04 Includes\Cookies.sbi (*)
2005-11-04 Includes\Dialer.sbi (*)
2005-11-04 Includes\Hijackers.sbi (*)
2005-11-04 Includes\Keyloggers.sbi (*)
2005-11-04 Includes\Malware.sbi (*)
2005-11-04 Includes\PUPS.sbi (*)
2005-11-04 Includes\Revision.sbi (*)
2005-11-04 Includes\Security.sbi (*)
2005-11-04 Includes\Spybots.sbi (*)
2005-02-17 Includes\Tracks.uti (*)
2005-11-04 Includes\Trojans.sbi (*)

Rosenfeld
2005-11-04, 21:37
Sorry, I posted in Spybot board by mistake,
please see

Merged :)

Zenobia
2005-11-05, 00:02
Same here:

--- Search result list ---
Desktop.Explorer: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-2052111302-343818398-1417001333-1006\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ClassicShell!=W=1

tashi
2005-11-05, 00:36
Thank you for reporting; this has been brought to the Team's attention.

Yodama
2005-11-07, 10:20
thanks for reporting,

this entry has been falsely added and will be removed

RisingDiamond
2005-11-13, 10:17
Yodama,

According to the following information, desktop.explorer IS spyware, and is a SECURITY RISK:

"The Desktop Explorer allowed us to browse through files and folders on the remote PC, including network shares, and we could view the contents of many documents (Sproqit supports about 200 file types). This would let a user remotely search for a specific document on their system and email it to a client or colleague, for example."

http://72.14.203.104/search?q=cache:q6CMkSi7P9wJ:www.networkitweek.co.uk/itweek/software/2085878/sproqit-personal-edition+%22desktop+explorer%22+browse+%22files+and+folders%22&hl=en

RisingDiamond
2005-11-13, 11:14
It seems that it can be used for both ethical and unethical purposes, depending on the company who uses it.

Rosenfeld
2005-11-14, 03:09
It may or may not be malicious, I don't know. My original post had to do with the flagging of a particular registry key, which has nothing to do with desktop.explorer. The latest updates have removed that FP, thanks.

WDGCR
2005-11-14, 04:30
Since the 2005/11/11 update the following entry appears after running Spybot:

Desktop.Explorer: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-3342786949-2224112030-3715366460-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons!=W=0


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-07-18 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2005-11-11 Includes\Cookies.sbi (*)
2005-11-11 Includes\Dialer.sbi (*)
2005-11-11 Includes\Hijackers.sbi (*)
2005-11-11 Includes\Keyloggers.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2005-11-11 Includes\Malware.sbi (*)
2005-11-11 Includes\PUPS.sbi (*)
2005-11-11 Includes\Revision.sbi (*)
2005-11-11 Includes\Security.sbi (*)
2005-11-11 Includes\Spybots.sbi (*)
2005-02-17 Includes\Tracks.uti (*)
2005-11-11 Includes\Trojans.sbi (*)


This registry entry refers to Desktop icons and deleting the entry means icons are shown on the desktop when the system is next booted.

As I have chosen not to have icons shown on the desktop, this is not what I want.

Apparently, since the 2005/11/11 update, Spybot considers only the default "Show Desktop Icons" to be safe.

I hope this error will soon be corrected.

scoutt
2005-11-15, 21:43
We have also been getting these as of late,

Desktop.ActiveDesktop: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1032224200-1036351794-464265517-1005\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoComponents!=0

Desktop.Explorer: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1032224200-1036351794-464265517-1005\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowCpl!=W=0

scoutt
2005-11-15, 22:35
forgot one

Desktop.Explorer: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-2092520369-249521480-832726913-1001\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoMovingBands!=W=0

md usa spybot fan
2005-11-15, 23:37
scoutt:

Several of the detections that you are getting seem to point to Windows 2000 policy registry entries. What software are you running and is this a stand-alone system or a workstation?

sbourdon
2005-11-16, 14:44
Since the 2005/11/11 update the following entry appears after running Spybot:

Desktop.Explorer: User settings (Registry change, nothing done)
HKEY_USERS\S-1-5-21-3342786949-2224112030-3715366460-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons!=W=0



This registry entry refers to Desktop icons and deleting the entry means icons are shown on the desktop when the system is next booted.

As I have chosen not to have icons shown on the desktop, this is not what I want.

Apparently, since the 2005/11/11 update, Spybot considers only the default "Show Desktop Icons" to be safe.

I hope this error will soon be corrected.

Same thing here; using WinXP Pro... This happens since 2005-11-13 in the Fixes Logs.

How can I fix this? I DO want to hide my desktop icons but Spybot keeps reactivating them...


Thanks for your help!

md usa spybot fan
2005-11-16, 16:33
WDGCR:
sbourdon:

If you do not want Spybot to scan for these potential security risks on future scans, exclude them from further searches. I suggest that you use the "Exclude this detection from further searches" option as follows:
To "Exclude this detection from further searches":
After a scan and before fixing the problems, expand the detection (+ to the left of the detection).
Select the item (entry) that you want to exclude by left clicking on it to highlight it.
Then right click on highlighted detection to bring up the context menu.
In the context menu select "Exclude this detection from further searches".

In other words left click to select then right click to display options. If you don't select (highlight) the item first the options menu is for the entire detection list.
To reverse the exclusion of single detections from scans:
Go into Spybot > Mode > Advanced mode > Settings > Ignore single entries > right click on the item and select "Remove this exclude from the list".

scoutt
2005-11-16, 18:21
scoutt:

Several of the detections that you are getting seem to point to Windows 2000 policy registry entries. What software are you running and is this a stand-alone system or a workstation?
We get them on both XP and 2000, but on XP we only get 2, whereas on 2000 we get all three. We run Novell Desktop that will let us push down policies to the end user. No other special software running.

sbourdon
2005-11-17, 00:34
WDGCR:
sbourdon:

If you do not want Spybot to scan for these potential security risks on future scans, exclude them from further searches. I suggest that you use the "Exclude this detection from further searches" option as follows:
To "Exclude this detection from further searches":
After a scan and before fixing the problems, expand the detection (+ to the left of the detection).
Select the item (entry) that you want to exclude by left clicking on it to highlight it.
Then right click on highlighted detection to bring up the context menu.
In the context menu select "Exclude this detection from further searches".

In other words left click to select then right click to display options. If you don't select (highlight) the item first the options menu is for the entire detection list.
To reverse the exclusion of single detections from scans:
Go into Spybot > Mode > Advanced mode > Settings > Ignore single entries > right click on the item and select "Remove this exclude from the list".

Perfect; thanks! ;)

WDGCR
2005-11-18, 09:42
WDGCR:
sbourdon:

If you do not want Spybot to scan for these potential security risks on future scans, exclude them from further searches. I suggest that you use the "Exclude this detection from further searches" option as follows:
To "Exclude this detection from further searches":
After a scan and before fixing the problems, expand the detection (+ to the left of the detection).
Select the item (entry) that you want to exclude by left clicking on it to highlight it.
Then right click on highlighted detection to bring up the context menu.
In the context menu select "Exclude this detection from further searches".

In other words left click to select then right click to display options. If you don't select (highlight) the item first the options menu is for the entire detection list.
To reverse the exclusion of single detections from scans:
Go into Spybot > Mode > Advanced mode > Settings > Ignore single entries > right click on the item and select "Remove this exclude from the list".


Thank you for your reply, although I was aware of how to exclude the entry, and had, indeed, done so.

My reason for posting was a desire to have this false positive detection corrected in a future update.

I hope this will be the case.

WDGCR
2005-11-19, 09:51
I'm pleased to report the Desktop.Explorer: User settings entry,

HKEY_USERS\S-1-5-21-3342786949-2224112030-3715366460-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideIcons!=W=0

isn't detected after the 2005/11/18 update.

Such prompt attention is to be commended.

Yodama
2005-11-21, 11:30
sorry for not replying earlier, I have been sick (actually still at it :( )

well ok, now to these Policy settings:
as you have already found out by now, some are to be considered false positives, actually my fault for forgetting that there are people out there using the XP Style or similar, sorry for that. :p

I added a little description to the entries, so that it will be cleared up a little.

It goes like this: "If this Item is being found, it does not necessarily mean an infection.
Some Malware like CWS and Smitfraud variants change these settings.
It is also possible that these settings have been changed by an administrator (if you have one) or by a legitimate software.

These settings can normally not be reversed via the normal Windows User Interface.
Some settings pose security risks and some are just annoyances.
Also, some settings are redundant, meaning that they can be changed at various positions in the registry thus changing one value may not be enough."

This is going to be added with the next update, expected for the end of the week.

Maybe I should add that by using the wrong entries for the policies, one can render a Windows operating system crippled and totally useless.
At least without external tools to undo the changes.

Forgot to mention, that I also changed the Naming, it is now as follows:
Windows.Explorer
Windows.System
Windows.ActiveDesktop
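
Added example (not part of the thread and not Spybot's own code): a read-only PowerShell check for the point in the post above that the same setting can be changed at several positions in the registry. It reports where each value named in this thread is set, for every user hive loaded under HKEY_USERS; also checking HKEY_LOCAL_MACHINE is an assumption, since the thread only shows HKEY_USERS paths.

```powershell
# Key paths and value names are the ones quoted in this thread.
$targets = @(
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';      Name = 'ClassicShell'  },
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';      Name = 'DisallowCpl'   },
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';      Name = 'NoMovingBands' },
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'; Name = 'NoComponents'  },
    @{ Key = 'Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced';      Name = 'HideIcons'     }
)

# Roots to inspect: the machine hive (assumption, see lead-in) plus every
# user hive currently loaded under HKEY_USERS. The *_Classes hives hold
# per-user class registrations, not these settings, so they are skipped.
$roots = @('Registry::HKEY_LOCAL_MACHINE')
$roots += Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -notlike '*_Classes' } |
    ForEach-Object { "Registry::HKEY_USERS\$($_.PSChildName)" }

$report = foreach ($root in $roots) {
    foreach ($t in $targets) {
        # Open the key read-only; a missing key or access denial is skipped.
        $key = Get-Item -LiteralPath "$root\$($t.Key)" -ErrorAction SilentlyContinue
        if ($null -eq $key) { continue }

        # Report only values that actually exist, so an absent value is
        # not confused with one that is present and set to 0.
        if ($key.GetValueNames() -notcontains $t.Name) { continue }

        [pscustomobject]@{
            Root  = $root -replace '^Registry::', ''
            Key   = $t.Key
            Value = $t.Name
            Kind  = $key.GetValueKind($t.Name)
            Data  = $key.GetValue($t.Name)
        }
    }
}

# One row per location where a value is set. Several rows for the same
# Value mean the setting is defined in more than one place.
$report | Sort-Object Value, Root | Format-Table -AutoSize
```

Run it from an account that can read the other users' hives; only hives that are loaded at the time appear under HKEY_USERS.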

scoutt
2005-11-21, 18:04
so am I to understand that they will still be reported but indicated not to be a threat?

if this is to be true, how can we push those settings down to the user?

the latest update did not show my policy entries either.

thank you very much, job well done.