Just a small question.



#1
Menos

Ok, recently, I got a registry change alert from Spybot S&D. It was from "scrnsave.exe" (new data:"C:\WINDOWS\system32\BMA_IL~1.SCR") changed in Desktop settings!" (this was from the logs in Spybot S&D). So, I was wondering, is this a legit reg change, or is it something masquerading?

I checked the "BMA_IL~1.SCR" and it was from Blue Mountain Screensavers, a place we get Screensavers from, obviously. The main thing here is I don't know if Scrnsave.exe exists, or if it's just a virus pretending to be official.

Any help would be appreciated, thanks.


#2
Whiskeyman

It exists as a legitimate file.

http://www.microsoft...9.mspx?mfr=true

#3
pip22

Scrnsave.exe exists in the Registry here: HKEY_CURRENT_USER\Control Panel\Desktop\SCRNSAVE.EXE
It's a genuine Windows entry in this location. It's responsible for starting the set screensaver but does not exist as an actual file. If it does, it's malware.

#4
Menos

Well, is there some way I can check if it's an actual file, or something?

If it's not an actual file, could it do a registry change?

#5
Whiskeyman

Do a search for it. If it is found other than in the registry, it is probably malware.

#6
Menos

Ok, thank you. If I find it, I'll post a log in the malware forum and take it from there.

Good luck on quitting smoking, BTW. :whistling:

EDIT: Ok, this may be getting redundant, but it found three files. I'm assuming the one with the blue name is in the registry.

The other two looked... kinda legit. I just decided I'd post the file path here, and make sure, before I went through the long dog and pony show of the Malware forum.

The first one is "scrnsave" and it's in C:\WINDOWS\system32.

The second one (with the blue name), "scrnsave", is in C:\WINDOWS\system32\dllcache.

Both of these have the file type as "Screen Saver"; this was what made me wonder.

And the least legit looking of them is "scrnsave.sc_", and it is in C:\WINDOWS\I386. Its file type is SC_file, which I have never seen before.

Then again, until a few months ago, I hadn't seen a .ogg either. Just one more set of identifications, please. *cough*

Edited by Menos, 27 March 2007 - 03:59 PM.


#7
Whiskeyman

It's scrnsave.exe you would be searching for, not scrnsave. :whistling:

scrnsave.sc_ is scrnsave.scr

Your Screen Savers (.scr) are located in the System32 folder.

#8
Menos

Oh, ok. Well, it didn't find any screensave.exe then. :p

I actually searched for that first, didn't realize I was actually doing it right. XD

EDIT: Just checking, was I supposed to find something, or do registry entries not show up on the file search?

Edited by Menos, 28 March 2007 - 02:41 AM.


#9
Whiskeyman

No, registry entries do not show up.

#10
Menos

Ok, so I'm good, and can accept the registry change next time it happens. Thank you.
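
The two manual checks discussed in this thread, as an added PowerShell example that is not part of any post above: it reads the SCRNSAVE.EXE value under HKEY_CURRENT_USER\Control Panel\Desktop, inspects the file that value points to, and separately runs the file search for scrnsave.exe. The function names `Get-ScreenSaverTriage` and `Find-ScrnsaveExeFile` are hypothetical, PowerShell 3.0 or later is assumed, and resolving a bare file name against System32 is an assumption.

```powershell
# Added example, not from the thread. Read-only: nothing is changed or deleted.
function Get-ScreenSaverTriage {
    $key   = 'HKCU:\Control Panel\Desktop'
    $name  = 'SCRNSAVE.EXE'   # name of a registry value; its data is the screensaver path
    $sys32 = Join-Path $env:SystemRoot 'System32'

    $data = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if (-not $data) {
        Write-Warning "$name is not set for this user (no screensaver selected)."
        return
    }

    # Assumption: data without a drive or folder is looked up in System32.
    $path   = if ([IO.Path]::IsPathRooted($data)) { $data } else { Join-Path $sys32 $data }
    $report = [ordered]@{
        RegistryData = $data
        Exists       = Test-Path -LiteralPath $path -PathType Leaf
        ResolvedPath = $null
        IsScrFile    = $false
        InSystem32   = $false
        Signature    = $null
        Signer       = $null
    }
    if ($report.Exists) {
        $item = Get-Item -LiteralPath $path -Force
        $sig  = Get-AuthenticodeSignature -FilePath $item.FullName
        $report.ResolvedPath = $item.FullName
        $report.IsScrFile    = $item.Extension -eq '.scr'       # comparison ignores case
        $report.InSystem32   = $item.DirectoryName -eq $sys32
        $report.Signature    = $sig.Status                      # e.g. Valid, NotSigned
        if ($sig.SignerCertificate) { $report.Signer = $sig.SignerCertificate.Subject }
    }
    [pscustomobject]$report
}

# The file search suggested in the replies: files literally named scrnsave.exe.
function Find-ScrnsaveExeFile {
    param([string]$Root = $env:SystemRoot)
    Get-ChildItem -LiteralPath $Root -Filter 'scrnsave.exe' -File -Recurse -Force -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}

Get-ScreenSaverTriage | Format-List
Find-ScrnsaveExeFile  | Format-List
```

A .scr file is an ordinary Windows executable, so the report is a starting point for deciding whether to accept a change alert. Third-party screensavers are often unsigned, so a `NotSigned` status is a reason to check where the file came from rather than a verdict.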