Hardhead

(Hijack.DisplayProperties)


Thanks - a bit modified since I first used it on CastleCops 5 years ago, but I relate to (hide behind :)) it quite well.


I knew I'd seen that one somewhere. That explains it, I used to go on castlecops (computercops.biz) quite a bit myself, didn't post there much, but learned LOTS from reading.


Exile...you said...

"but further documentation for the user should be implemented so they understand why it's detected so the user can make up their own mind, and if indeed the user was the one making these changes, then they should have no trouble doing so, as long as MBAM provides proper documentation of what exactly the detection means (listing a reg key and saying "hijack" and "bad" or "good" isn't quite adequate in my opinion)."

I agree..if it was explained more thoroughly I might not have had a problem...but ...

Then I wouldn't have learned something new...like I did with this discussion with you and reading your discussion with Digerati..

thanks guys...DW


Rootkits for Dummies huh? I'll bet that's an interesting read.
I had a minor contributing input for that book - but still good resume material! :)


I had deleted it too (well, not deleted it, but I clicked the "fix checked" button), but it's not in my quarantine list. I was afraid to leave it because our previous computer had the desktop hijacked.

What do I do now?

Just to clear this up, I believe the reason it doesn't quarantine these particular issues is because it isn't actually deleting anything, it's simply changing the number 1 to a 0 in that reg key, not removing it, so there's nothing to quarantine. Perhaps the developers could implement something to back up the 1 key so that it could be restored (sort of like quarantine, but not quite). With normal malware where a key or file is deleted off of the system, it is actually quarantined by MBAM.

Apologies, I saw the fix upthread. (I run a message board with similar software but we have an edit button so I can edit out my stupid posts!)

So, for entries like this, which I got at the same time

Vendor Hijack.startmenu

Hkey_current_user\software\Microsoft\Windows\Current Version\Explorer\Advanced\start_showsearch 0 bad, 1 good

That really isn't malware and should be ignored?


No it is not malware - but it "could" be an indication of previous malware infestations if you did not change the setting manually.


It was the first scan on the first day of a brand new computer. So, I take it the answer is ignore since it is not technically malware.


You can ignore it yourself for now, and hope MB fixes it in an upcoming release. Or you can tell MBAM to ignore it. Or you can edit the entry to display Search. Or you can go into Start Menu Properties and change the option to display Search.

I personally do not like using ignore for FPs because that is a work-around for something not right. Ignore, IMO, should be used for legitimate programs that MBAM does not recognize at all, but you know to be safe - not for items it improperly identifies.

I feel I must say again that MBAM is, by far, worth keeping and using regularly. And if you don't have a real-time anti-malware solution, or your current subscription is about to run out, it should be on your short list.

If you are running Vista then this is a false positive and should be added to the Ignore List. Even in XP this detection isn't actually malware, it's a setting that is often modified by malware to prevent changing the desktop settings. If you've removed it, then just restore it from quarantine and the next time you scan, just add it to the ignore list.

I'm using Vista 64bit as well. My MWB automatically quarantined and deleted. Do I need to worry? What, if anything, should I enter back into the registry? Thanks!!

No need to worry. If you'd like to put it back the way it was simply follow my instructions in this post.

Thanks, Exile! As long as there's nothing to worry about, it's cool. Registry stuff freaks me out!


No problem. Did you go ahead and follow the instructions I linked to? If you didn't it shouldn't do any harm, but if you want it set the way it was you should follow them. If you need clarification on how to do it just let me know.


We have been experiencing a lot of this bug on our network lately. We have noticed that if a machine starts to slow down or act erratic, run the Malwarebytes scan and you will probably find this bug. Remove the bug and everything is fine again.

Actually, if you're somewhat comfortable with the registry then you can navigate to here:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges

and change it back to 1 instead of 0 (this is assuming you're running Vista, if XP then Malwarebytes' simply set it to its normal default).

Just installed this program myself, and had the same thing come up. I am using 64-bit Vista, for the record. I have nothing in the quarantine file to restore, either, but have no issues with getting into the registry. Went to the location, and it seems, oddly enough, that this is already (still?) set to a value of 1. The "NoActiveDesktop", type REG_DWORD is set to a value of 0x00000001. Does this mean the MalwareBytes didn't change it after all?


This doesn't appear to be a false positive in my case.

I was having some issues with Norton IS 09 not showing up in the task bar and Identity Safe on Firefox not working on Vista x64. After those issues appeared, I was no longer able to log into Windows.

So I booted into safe mode and scanned with Malwarebytes, and it picked up the "Hijack.DisplayProperties". After removing this issue I was able to successfully log into Windows, and Norton appears to be working fine.


Actually, I really have no idea how exactly this came about, but my computer slowed down massively today after my roommate borrowed it... and while I have your software installed already and a good AV (I use AVG Free), I was worried that something might have slipped past. First things first, I wanted to see what was hogging the CPU and memory if possible, so I tried to start Task Manager, but I could not. The program would seem to run, as I would not get any error messages and I could see the small CPU meter in my system tray notification area, but the actual window would never display. Also, for some reason, on the graph it would fluctuate from 0 to 100% CPU usage rapidly nonstop.

Computer seemed stable and usable, albeit very bogged down. Strange.

The only thing a scan with MBAM pulled up was that same Hijack.DisplayProperties, and I read this whole thread and dismissed it initially until some more googling pulled up a few sporadic accounts of people who had changed this registry entry back and had their performance problems go away...

So I am still not really sure what changed it and how, but for me, setting it back to 0 has eliminated the problem as far as I can see, although I am going to run another full AV and MBAM scan on my computer and leave it running as I go to sleep!

Let me know if you need any more information for your purposes, and also thanks for a great piece of software!

~chris

Hi Chris and welcome to the forum! :)

Scan and post logs - read note at bottom in green

If you're having Malware related issues with your computer that you're unable to resolve:

1. Please read and follow the instructions provided here: I'm infected - What do I do now?

2. If needed please post your logs in a NEW topic here: Malware Removal - HijackThis Logs

3. When posting logs please do not use any Quote, Code, or other tags. Please copy/paste directly into your post and do not attach files unless requested.

* Please do not post any logs in the General forum. We do not work on any logs posted in the General forum.

* Please do not install any software or use any removal/scanning tool except for those you're requested to run by the Helper that will assist you.

* Using these other tools often makes the cleanup task more difficult and time consuming.

* If you have already submitted for assistance at one of the other support sites on the Internet then you should not post a new log here, you should stay working with the Helper from that site until the issue is resolved.

* Do not assume you're clean because you don't see something in the logs. Please wait until the person assisting you provides feedback.

* There are often many others that require assistance as well, so please be patient. If no one has responded within 48 hours then please go ahead and post a request for review.

* NOTE: If for some reason you're unable to run some or any of the tools in the first link, then skip that step and move on to the next one. If you can't even run HijackThis, then just proceed and post a NEW topic as shown in the second link describing your issues and someone will assist you as soon as they can.


The same @ Windows 7 Ultimate (rtm)

Malwarebytes' Anti-Malware 1.40

Datenbank Version: 2746

Windows 6.1.7600

05.09.2009 23:17:42

mbam-log-2009-09-05 (23-17-39).txt

Scan-Methode: Quick-Scan

Durchsuchte Objekte: 78371

Laufzeit: 1 minute(s), 56 second(s)

Infizierte Dateiobjekte der Registrierung:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.

It's a fresh install - no way that it is infected!

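As an added example (not part of the original thread and not Malwarebytes' own code), the following Python parses the registry detection line from the log posted above and tags it according to what the thread says about Vista-family systems. The regular expressions are inferred from the single log shown on this page, and `triage` and its verdict labels are hypothetical names.

```python
import re

# Abridged from the German-language MBAM 1.40 log posted in this thread.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.40
Datenbank Version: 2746
Windows 6.1.7600
Infizierte Dateiobjekte der Registrierung:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
"""

# Assumption: registry detections follow the shape of the one line shown above:
#   <key>\<value> (<detection name>) -> Bad: (<x>) Good: (<y>) -> <action>.
DETECTION = re.compile(
    r"^(?P<key>HKEY_[^\\]+\\.+)\\(?P<value>[^\\ ]+) "
    r"\((?P<name>[^)]+)\) -> Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\) "
    r"-> (?P<action>.+?)\.?$"
)
OS_LINE = re.compile(r"^Windows (\d+)\.(\d+)\.(\d+)")


def triage(log_text):
    """Return one dict per registry detection found in an MBAM log."""
    os_major = None
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = OS_LINE.match(line)
        if m:
            os_major = int(m.group(1))  # 6 = Vista (6.0) and Windows 7 (6.1)
            continue
        m = DETECTION.match(line)
        if not m:
            continue
        finding = m.groupdict()
        # Rule taken from the posts in this thread: on NT 6.x the flagged
        # value is reported as a false positive; anything else needs a
        # manual look, since the thread says malware also changes it.
        reported_fp = (
            finding["name"] == "Hijack.DisplayProperties"
            and finding["value"] == "NoActiveDesktopChanges"
            and os_major == 6
        )
        finding["verdict"] = "thread-reported-fp" if reported_fp else "review"
        finding["os_major"] = os_major
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["name"], f["value"], f["bad"], f["good"], f["verdict"])
```

The OS version line has to appear before the detection line, as it does in the posted log, for the verdict to take it into account.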
