Hijack.Drives

I did a scan yesterday with Malwarebytes. It found Hijack.Drives and quarantined it. My question is, is this Hijack.Drives as dangerous as it sounds? Does it take user information, etc.? I may be paranoid but I do my banking, etc. online but I don't keep my banking passwords stored on my hard drive. I am also using Avira Premium Antivir and Online Armor Firewall. When I do my banking, I put my firewall in the banking mode before I go to their home page. Just what does this malware do and do you think I have exposed my information to someone out there? If I have, what should I do now? Thanks for your time.

Hi Kathy

I suspect the detection was something similar to:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives (Hijack.Drives) -> Bad: (12) Good: (0)

The NoDrives registry setting allows you to control which drives are visible in My Computer and Explorer.

This setting can be changed by malware, as well as legitimately by a System Administrator.

From the example above you can see the "Bad" data was set to 12, meaning that the icons for drives C & D would not have been visible in My Computer. What MBAM has done is replace that data with the "Good" default data: 0, meaning that all drives appear.

If your computer is running otherwise fine, then I wouldn't be overly concerned with this detection.

Feel free to ask any further questions. :)

Thank you for your reply. I went back and checked the quarantined item and it says it is a registry entry. This is what it says it is: HKEY_CLASSES_ROOT/DRIVE/SHELL/{DEFAULT}{DATA:OPEN} Does this tell you anything about what is going on? I should have posted this information this morning. My computer is working fine. If I hadn't scanned, I wouldn't have noticed it. Thank you for your reply.

Hi Kathy

It is always better if you can post the log when querying any detection so we can give you a more accurate analysis. :)

HKEY_CLASSES_ROOT\Drive\shell\(default) (Hijack.Drives) -> Bad: (open) Good: (none) -> Quarantined and deleted successfully.

That is slightly different to what I suspected it was initially, but again what MBAM has done is reset the data back to the default for that key (which settings control what action is performed when clicking on a drive letter in My Computer).

It's a setting that can be changed by malware, but unless you are seeing symptoms of what you think could be a malware infection - again I wouldn't be overly concerned.

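The two detections discussed in this thread, as an added example that is not part of the original posts and is not Malwarebytes' code: it parses log lines in the format quoted above and expands a NoDrives value into the drive letters it hides. The function names are hypothetical, and it assumes the logged NoDrives data is a decimal number, as in the "12 hides C and D" reading given earlier.

```python
import re
import string

# Shape of the log lines quoted in this thread:
#   <key>\<value> (<detection>) -> Bad: (<data>) Good: (<data>)
LOG_LINE = re.compile(
    r"^(?P<key>.+)\\(?P<value>[^\\]+?) \((?P<name>[^()]+)\) -> "
    r"Bad: \((?P<bad>[^()]*)\) Good: \((?P<good>[^()]*)\)"
)

def hidden_drives(mask):
    """Decode a NoDrives bitmask: bit 0 hides A:, bit 1 hides B:, ... bit 25 hides Z:."""
    return [letter for bit, letter in enumerate(string.ascii_uppercase)
            if (mask >> bit) & 1]

def explain(line):
    """Split one log line into its fields; for NoDrives, also decode both masks."""
    m = LOG_LINE.match(line.strip())
    if m is None:
        raise ValueError("not a registry-data detection line")
    info = m.groupdict()
    if info["value"].lower() == "nodrives":
        # Assumption: the data in the log is decimal (12 = 4 + 8 = C: and D:).
        info["hidden_before"] = hidden_drives(int(info["bad"]))
        info["hidden_after"] = hidden_drives(int(info["good"]))
    return info

# The two log lines as they appear in the replies above.
SAMPLES = [
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies"
    r"\Explorer\NoDrives (Hijack.Drives) -> Bad: (12) Good: (0)",
    r"HKEY_CLASSES_ROOT\Drive\shell\(default) (Hijack.Drives) -> "
    r"Bad: (open) Good: (none) -> Quarantined and deleted successfully.",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        info = explain(sample)
        print(f'{info["key"]} | {info["value"]}: {info["bad"]!r} -> {info["good"]!r}')
        if "hidden_before" in info:
            print("  drives hidden before the fix:", info["hidden_before"])
            print("  drives hidden after the fix: ", info["hidden_after"] or "none")
```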

I'm afraid that is the best I can do. Apparently I have deleted the most recent log. It wasn't listed. But, my computer is doing fine so I'll quit worrying about it and thank you for your kind help.
