Hijack.ControlPanelStyle and Hijack.Help
please confirm genre of mbam.exe message
Hi there
On my first scan of a newly rebuilt machine running XP Pro SP3 slipstreamed, I got these:
Hijack.ControlPanelStyle and Hijack.Help
From what I read on the forums, they are not false positives but seem to be settings that are not set to defaults?
Can someone confirm that?
Spybot S&D showed up the IE 8 - files and settings wizard firewall backdoor
Superantispyware showed nothing
Mbam.exe just the above
Below is the log ~ could someone please clarify the output?
Thanks
J
Malwarebytes' Anti-Malware 1.38
Database version: 2400
Windows 5.1.2600 Service Pack 3
09/07/2009 21:56:08
mbam-log-2009-07-09 (21-55-53).txt
Scan type: Quick Scan
Objects scanned: 83854
Time elapsed: 2 minute(s), 46 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> No action taken.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (Hijack.Help) -> Bad: (1) Good: (0) -> No action taken.
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Started by dark_lord, Jul 09 2009 04:32 PM
3 replies to this topic
#1
Posted 09 July 2009 - 04:32 PM
#2
Posted 09 July 2009 - 06:30 PM
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel
Indicates that the ability to change control panel display mode has been locked out.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp
Indicates that help will be prevented from being displayed in the start menu.
Both malware and legit actions can cause this, and since there is no way to tell which is the cause, we choose to help novice users, assuming that expert users will understand what the detection(s) indicate and then use the ignore function to hide their custom modifications.
#3
Posted 09 July 2009 - 07:07 PM
hey there
thank you!
much appreciated
DL
#4
Posted 16 July 2009 - 08:34 AM
A similar post talked about this, but was closed. In that post the user indicated that they cleaned the machine in question and the next day it would have this 'infection' again. These items can be set by Group Policy in a domain policy. So, that setting may get changed back to '0', but the domain admins intentionally have it set to '1'. I know I have a policy in place that sets the home page for all the users in the company. So, like the gentleman said, if you know what you are seeing, this can definitely be ignored if you know that it was set to '1' for a reason. I doubt most home users would have this set.
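An added example (not part of the thread and not Malwarebytes' code): a small Python parser for the log layout posted above. It extracts each detection with its Bad/Good data and marks values under a Policies key for review, since the replies note these can be set deliberately. The sample log is constructed from the posted entries with the bracketed trailing IDs omitted, and the function names are hypothetical.

```python
import re

# Constructed sample in the layout of the log posted in this thread.
SAMPLE_LOG = r"""Registry Values Infected: 1
Registry Data Items Infected: 1

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (Hijack.Help) -> Bad: (1) Good: (0) -> No action taken.

Files Infected:
(No malicious items detected)
"""

SUMMARY = re.compile(r"^(?P<section>.+ Infected): (?P<count>\d+)$")
SECTION = re.compile(r"^(?P<section>.+ Infected):$")
DETECTION = re.compile(
    r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> "
    r"(?:Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> )?"
    r"(?P<action>[^.\[]+)\."
)

def parse_log(text):
    """Return (summary_counts, detections) from an MBAM text log."""
    counts, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SUMMARY.match(line):
            counts[m["section"]] = int(m["count"])
        elif m := SECTION.match(line):
            section = m["section"]
        elif section and (m := DETECTION.match(line)):
            d = m.groupdict()
            d["section"] = section
            # Values under a Policies key may be written by Group Policy or an
            # administrator, so flag them for review instead of removal.
            d["policy_value"] = "\\policies\\" in d["path"].lower()
            detections.append(d)
    return counts, detections

def count_mismatches(counts, detections):
    """Sections whose summary count differs from the parsed entries."""
    found = {}
    for d in detections:
        found[d["section"]] = found.get(d["section"], 0) + 1
    return {s: (n, found.get(s, 0)) for s, n in counts.items() if n != found.get(s, 0)}
```

A non-empty result from `count_mismatches` usually means the log was truncated or reflowed when it was pasted.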