Prevx Home and HHCTRL.OCX

So lately (if memory serves me right, it was soon after I completed my latest manual update of Prevx Home) I've been getting these "Potential Intrusion Attempt Detected" warnings in Prevx. So far, they have only appeared when I open iTunes or WinZip. I have always clicked "Deny" so far because the warning mentions that "If you are not viewing the help information in a program, this is probably malicious behaviour." The summar for both instances of iTunes and WinZip are "The application ________ is trying to execute C:\WINDOWS\SYSTEM32\HHCTRL.OCX from a protected area. HTML Help Control (Execution) The Microsoft HTML Help Service may be abused by malicious programs.

I have recently downloaded and ran Bugoff by Merjin, which is supposed to give better protection against html file abuse. Supposedly anyway, I don't know much about I just went off a recomendation in another forum.

So has anyone else encountered anything like this? Should I be worried?

-Spray-on Dust


Oh. Also, despite clicking on "Deny" everytime, the program still runs. Hmmmmm.... It prompts me twice to allow or deny and after the 2nd time it just goes away. But it leaves me with this "red x" windows message: iTunes.exe - Bad Image The application or DLL C:\WINDOWS\System32\hhctrl.ocx is not a valid Windows image. Please check this against your instillation diskette. Then I just click OK.

Pretty odd, huh?

 

is it possible you have prevx pro? then you should have a white list where you can put exe's and dll's in it.

if you haven't got the pro version: you should be able to check some sort of : 'remember for next occasion too' or something like that. sorry I cannot remember it that good anymore (quite long time ago) but I recall an option like that.

Inf.

 

Nope, don't have Prevx Pro.

I know the option you're talking about but that's not what i'm thinking of. I just want to know if this is a known exploit or something else I should be concerned about. I've just never recieved this message before and it seems really odd that the help file is trying to launch when i'm only firing up iTunes and WinZip.

Thanks, though.

Spray-On Dust

 

HHCTRL.OCX is a part of the Windows Help system. If the program you are running is a trusted one, then you don't need to block it. This is a way of covering the new LoadImage vulnerability.

 

I get that message too (when opening WinZip, etc.). I just tell Prevx to ignore it because I trust the programs that I open up.

I can only assume that some legit programs uses this control for their "Help" and Prevx detects that on load, even though you might not be viewing it at the time.

 

Thanks everyone. I'm just clicking on allow from now on.

-Spray-on Dust