Hi All
I scanned with Malwarebytes and received the following results
Malwarebytes' Anti-Malware 1.41
Database version: 3092
Windows 5.1.2600 Service Pack 2
11/3/2009 1:46:19 PM
mbam-log-2009-11-03 (13-46-19).txt
Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 167705
Time elapsed: 42 minute(s), 53 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Delete on reboot.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
It says delete on reboot, but when I rescan after restart it is still there. It doesn't come off and I'm not sure why. Can anybody help me with this?
Also, is it serious/something I should worry about?
Thanks in advance
-MBU
#1
Posted 06 November 2009 - 11:48 PM
#2
Posted 10 November 2009 - 08:40 AM
Hi malewarebytesuser,
I'm sorry you had to wait so long to hear back on this. No, this is not an infection per se. Basically it is a policy entry that has been modified from the default. There is no way to tell if it was set on purpose or by Malware so we flag it to alert you. Now why it remains each time could be due to other protection software you're running that won't allow the registry change or if this system is on a network the Administrator may be resetting it every time you logon.
You can take a look here for more details on what this is for: http://www.pctools.c...ry/detail/1084/
Please run the following tool and I'll see if I can tell why it's not saving the change.
Download DDS and save it to your desktop
http://download.bleepingcomputer.com/sUBs/dds.scr
Disable any script blocker if your Anti-Virus/Anti-Malware has it.
Once downloaded you can disconnect from the Internet and disable your Anti-Virus temporarily if needed.
Then double click dds.scr to run the tool.
When done, the DDS.txt will open.
Click Yes at the next prompt for Optional Scan.
- When done, DDS will open two (2) logs:
- DDS.txt
- Attach.txt
- Save both reports to your desktop
- Please include the following logs in your next reply: DDS.txt and Attach.txt
#3
Posted 11 November 2009 - 07:15 AM
Hello Advanced Setup,
Please don't apologize for the wait. I'm perfectly okay with it.
I'm glad to hear it is not an infection! I'd like to mention I run Windows XP on a machine originally installed with VISTA. Could this possibly be triggering this response? However, I've been running XP for the last few years on this computer and earlier scans have proven clean....
If you could look at the two I've attached as you asked that would be great! All of this technical jargon is way over my head
Any help you can offer me would be appreciated
-MBU
#4
Posted 11 November 2009 - 07:56 AM
All looks okay except you need to uninstall ALL the old java software from Control Panel, Add/Remove as those old ones have compromised code that can make it easier to infect your box.
Then open REGEDIT and browse to this key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel
And see if you can remove that key ForceClassicControlPanel
Then see if McAfee or Spybot tries to stop you or some other issue. Then reboot and make sure it's still gone.
The latest version of Java can be found here:
Download and Update Java Runtime
The most current version of Sun Java is: Java Runtime Environment (JRE) 6 Update 17.
- Go to http://java.sun.com/...loads/index.jsp
- Go to Java SE Runtime Environment (JRE) - JRE 6 Update 17 about half way down the page and click on the Download button.
- In Platform box choose Windows.
- Check the box to Accept License Agreement and click Continue.
- Click on Windows Offline Installation, click on the link under it which says jre-6u17-windows-i586.exe and save the downloaded file to your desktop.
- Install the new version by running the newly-downloaded file with the java icon which will be on your desktop, and follow the on-screen instructions.
- Uncheck the Toolbar button (unless you want the toolbar)
- Reboot your computer
Then also start MBAM and check for UPDATES and run another scan and make sure it comes back clean.
Post back that log too.
#6
Posted 11 November 2009 - 09:11 PM
Took care of Java and updated MBAM as well. Thanks
However, when I tried to remove the file out of regedit, it came up with a box that said "Unable to delete all specified files." I then clicked okay, but it stays there....So I'm unable to remove it....Any idea as to why?
-MBU
#7
Posted 13 November 2009 - 06:48 AM
Please download the following program to your desktop. Close all other open applications and then run the program.
It will restore file permissions to the system and automatically restart the computer when done.
restoredefaultperms.exe
Please download and run the following fix from Microsoft: How do I restore security settings to the default settings?
When completed please reboot your computer.
Then run MBAM and check for Updates and do a Quick Scan and post back the log please.
#9
Posted 15 November 2009 - 03:54 PM
Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.
Other members who need assistance please start your own topic in a new thread. Thanks!
The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.
#10
Posted 21 November 2009 - 09:13 PM
Post reopened at user request.
This is just a policy and not a big issue, but is a bit odd why you would not be able to remove it unless this is a work computer and they're resetting it or some other security software you're running that is putting it back.
Please click on START - RUN and copy/paste the following into the run line and click OK.
cmd /c reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "%userprofile%\desktop\ControlPanel.txt"
This will put a new text file on your desktop named ControlPanel.txt. Please open that file and copy/paste back what it says here.
#11
Posted 22 November 2009 - 01:21 AM
No this is a school computer. The only security I have on here is...
- My firewall
- Malwarebytes
- McAfee Anti-virus
- Spybot
Here is what the file created from your instructions says
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"ForceClassicControlPanel"=dword:00000001
"NoAutoUpdate"=dword:00000000
"NoWindowsUpdate"=dword:00000001
"Intellimenus"=dword:00000001
"NoSMConfigurePrograms"=dword:00000001
"RecycleBinSize"=dword:00000003
"NoSharedDocuments"=dword:00000001
"NoWelcomeScreen"=dword:00000001
Would it make a difference that this computer was originally a VISTA but had someone put an XP operating system in? This was done several years ago though and I've only started having this problem recently....
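The export posted above can be read offline to see exactly which Explorer policy values are set for the user, including the one MBAM keeps reporting. The following is an added example, not part of the original thread; the function names and the choice of values in REVIEW are assumptions of this example.

```python
import re

# Export text copied from the post above; a real export file is UTF-16 on disk.
EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"ForceClassicControlPanel"=dword:00000001
"NoAutoUpdate"=dword:00000000
"NoWindowsUpdate"=dword:00000001
"Intellimenus"=dword:00000001
"NoSMConfigurePrograms"=dword:00000001
"RecycleBinSize"=dword:00000003
"NoSharedDocuments"=dword:00000001
"NoWelcomeScreen"=dword:00000001
"""

# NoDriveTypeAutoRun is a bitmask; a set bit disables AutoRun for that drive type.
DRIVE_BITS = {0x01: "unknown", 0x04: "removable", 0x08: "fixed", 0x10: "network",
              0x20: "cd-rom", 0x40: "ram-disk", 0x80: "unknown (reserved)"}

# Values a reviewer may want to look at first (this selection is an assumption).
REVIEW = {"ForceClassicControlPanel": "flagged by MBAM as Hijack.ControlPanelStyle",
          "NoWindowsUpdate": "removes access to Windows Update when set to 1"}

def parse_reg_export(text):
    """Return {key_path: {value_name: int}} for the dword values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        section = re.fullmatch(r"\[(.+)\]", line)
        value = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
        if section:
            current = keys.setdefault(section.group(1), {})
        elif value and current is not None:
            current[value.group(1)] = int(value.group(2), 16)
    return keys

def autorun_disabled_types(mask):
    """Decode a NoDriveTypeAutoRun mask into the drive types with AutoRun off."""
    return [name for bit, name in sorted(DRIVE_BITS.items()) if mask & bit]

def triage(text):
    """List (key, name, value, note) for non-zero values named in REVIEW."""
    return [(key, name, val, REVIEW[name])
            for key, values in parse_reg_export(text).items()
            for name, val in values.items() if val and name in REVIEW]

if __name__ == "__main__":
    print(triage(EXPORT))
```

For a file saved by reg export, pass the result of open(path, encoding="utf-16").read() to triage().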