[Menos]

Ok, recently, I got a registry change alert from Spybot S&D. It was from"scrnsave.exe" (new data:"C:\WINDOWS\system32\BMA_IL~1.SCR") changed in Desktop settings!" (this was from the logs in Spybot S&D.) so, I was wondering, is this a legit reg change, or is it something masquerading?

I checked the "BMA_IL~1.SCR" and it was from Blue Mountain Screensavers, a place we get Screensavers from, obviously. The main thing here is I don't know if Scrnsave.exe exists, or if it's just a virus prentending to be official.

Any help would be appreciated, thanks.

[Advertisements]

It exists as a legitimate file.

http://www.microsoft...9.mspx?mfr=true

[Whiskeyman]

It exists as a legitimate file.

http://www.microsoft...9.mspx?mfr=true

[pip22]

Scrnsave.exe exists in the Registry here: HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE
It's a genuine Windows entry in this location. It's responsible for starting the set screensaver but does not exist as an actual file. If it does, it's malware.

[Menos]

Well, is there some way I can check if it's an actual file, or something?

If it's not an actual file, could it do a registry change?

[Whiskeyman]

Do a search for it. If it is found other than in the registry it is probably malware.

[Menos]

Ok, thank you. If I find it, I'll post a log in the malware forum and take it from there.

Good luck on quitting smoking, BTW.

EDIT: Ok, this may be getting redundent, but, it found three files, I'm assuming the one with the blue name is in the registry.

The other two looked... kinda legit. I just decided I'd post the file path here, and make sure, before I went through the long dog and pony show of the Malware forum.

The first one is "scrnsave" and it's in C:\WINDOWS\system32.

The second one is (with the blue name) "scrnsave" is in C:\WINDOWS\system32\dllcache

Both of these have the file type as "Screen Saver" this was what made me wonder..

And the least legit looking of them, is... "scrnsave.sc_", and it is in C:\WINDOWS\I386. It's file type is SC_file, which I have never seen before.

Then again, until a few months ago, I hadn't seen a .ogg either. Just one more set of identifications, please. *cough*

Edited by Menos, 27 March 2007 - 03:59 PM.

[Whiskeyman]

It's scrnsave.exe you would be searching for not scrnsave.

scrnsave.sc_ is scrnsave.scr

Your Screen Savers (.scr) are located in the System32 folder.

[Menos]

Oh, ok. Well, it didn't find any screensave.exe then.: p

I actually searched for that first, didn't realize I was actually doing it right. XD

EDIT: Just checking, was I supposed to find something, or do registry entries not show up on the file search?

Edited by Menos, 28 March 2007 - 02:41 AM.

[Whiskeyman]

No, registry entries do not show up.

[Menos]

Ok, so I'm good, and can accept the registry change next time it happens. Thank you.