WallysBlues

  1. Hi! This laptop I'm using now used to be infected with Vista AntiMalware but I have removed it already using the instructions from this link. So I'm surfing the web now using this laptop BUT still showing some weird behaviour like the (1) AVG Tray Icon is missing in the system tray in Limited account (it's there in the Admin account). (2) Also I cannot install a third party firewall (I've tried installing Online Armor Free & ZoneAlarm Free) without making the laptop go into a crawl...very very slow...so I'm stuck with Windows Firewall. (3) Also if I try to open an executable in the Limited account (like Firefox or AVG for example) it would give me a dialog box "What would you like to open with"...followed by enumeration of various legitimate programs...when in fact it should simply open in itself when double-clicked just like how it is in the Admin account. Here below is the HijackThis log. I hope you help me identify if there are any more nasties lurking in this laptop. When I removed the Vista AntiMalware after running rkill (as per the instruction in the link above) I got this MBAM log (first running, quick scan): And on MBAM second running (Full Scan) I got this: Currently, when I run MBAM again there'll be no more detections. Running Eset Online Scan also shows no threats found.
  2. You misunderstand me...I don't have anything to unzip. I think I need help here because I've never zipped a file before (in my life)...what I have done lots of times before, however, is unzipping a zipped file using my IZArc. Is it not possible for the MBAM team to just download the AVG Remover from the link I have given (coz that's where I got my AVG Remover anyway) and then do their analysis of the file to settle once and for all if it indeed is a false positive or not?
  3. I don't understand your instruction. Are you referring to the file "AVG Remover" which is currently in my Recycle Bin? That file can be downloaded using the link I have given...here's the link again and the AVG Remover there is the clickable named "32 bit & 64 bit archive." Do you want me to restore the AVG Remover that I have put in my Recycle Bin? How do I zip it (I've never done it, only unzipping) for sending to this forum? I have IZArc.
  4. Hi! My MBAM is detecting the AVG Remover that I have used to properly uninstall my previous AVG. I upgraded my AVG Free to AVG Free 2011 and I followed the instruction from here. After successfully installing AVG Free 2011 I then proceeded to put the AVG Remover to the Recycle Bin. Now MBAM is detecting it as Trojan Dropper. Here's the screenshot. When I search my computer for the file detected I was pointed to the AVG Remover that I have put into the Recycle Bin. What do I do with this detection? Here's the log: I found this thread in another forum (being referred to in one of the posts about this topic in this forum) and the last post seems to indicate that the Trojan Dropper being detected is not a false positive...it seems to be different from AVG Remover...well that's how I interpret the last post.
  5. Hi! I did an update and then a scan today with my MBAM 1.30 and it picked up Rogue.WinAntivirus. I have had quite a number of detections by MBAM in the past but luckily they all turned out to be false alarms easily rectified by quick updates by MBAM...BUT this time I have a feeling this could be a real nasty because of the familiar name of the detection (I hope I'm wrong). There's no untoward behaviour that I am noticing from my pc...everything's working fine prior to the detection...BUT just the same I quarantined it and would like to know from this forum if there's a possibility that it could be a false positive. Here's my complete log: By the way, the detection was in my pc's Limited account. The 3 detections about Hijack.StartMenu were no problem because I purposely hid Run, Search, and Help in our pc's Limited account (see my previous post about it).
  6. Thanks RubbeR DuckY you're still there! Well, in that case, I guess I'll just exit from the MBAM scan of the Limited account and do nothing about the detection regarding missing item(s) in the Start Menu of our pc's Limited account knowing fully well that it is me who purposely hid (reason given above) those items. As of now, my MBAM scan is showing 4 detections...all about 4 missing items in the Limited user account's Start Menu. This is because aside from hiding the Control Panel I decided to hide also Run, Search, and Help & Support in the Limited user account's Start Menu (I'll just resort to keyboard shortcuts to bring in those items).
  7. I was already under the impression that RubbeR DuckY is gonna come to my rescue but it's been 4 days of waiting on my side. I hope someone can address my problem of not being able to add to Ignore List the detection (see above for the images of the detection by MBAM on my pc) that was done by MBAM when I scan the Limited account of my PC. Thanks!
  8. Thanks RubbeR DuckY for coming to my rescue! The detection occurred when I scan the Limited account. When I scan the Admin account there was no detection. So my problem now is how can I successfully add to Ignore List the detection that happened when I scan the Limited account. Also, because of the fact that there was detection when I scan the Limited account but no detection during scanning of the Admin account, is it correct to assume that scanning the Admin account is never enough...and that scanning should also be done on the Limited account if one wants a complete & comprehensive scanning by MBAM? I ask this because I have the impression before that scanning the Admin account is comprehensive enough...but I was surprised when I got a different result when I scan the Admin account versus the Limited account in my pc. I hope you can clarify this. Thanks!
  9. It has been explained to me in the other thread that malware often hides the Control Panel...and that is why MBAM was made in such a way that it will alert the user with a detection such as mine because the Control Panel in our pc's Limited account was hidden in the Start Menu. But in my case, it was me who purposely hid the Control Panel (to prevent other users in the house who are not that computer literate from tampering settings in our pc sometimes out of curiosity)...so I was advised to just add it (the detection) to Ignore List (because I intend to keep the Control Panel in the Limited account hidden, again, to prevent other users in the house who are not that computer literate from tampering settings in our pc sometimes out of curiosity). And this is where I am having a problem...I cannot add the item/detection to Ignore List. If I right click on the item/detection then click "Add to Ignore List"...the Ignore List remains empty...and a re-scan will again detect the item which I intend to add to Ignore List. What am I doing wrong? How can I successfully add the item/detection to Ignore List? Thanks!
  10. Hi! I was advised in this MBAM forum thread to add the MBAM detection to Ignore List since it was me, on purpose, who disabled the showing of Control Panel in the Start Menu of our pc's Limited account. But when I try to add the item to Ignore List using right click (see here) and then check again with a re-scan the same detection still is showing and my Ignore List remains empty. It seems I CANNOT add an item to Ignore List. Any help will be greatly appreciated. Thanks!
  11. There is only one Admin account in my pc and one Limited account. When I scan the Admin account there was NO detection BUT when I scan the limited account there was detection (image provided on my first post on this thread)...thus it seems to me that a separate scanning of the limited account is necessary...which means that a scan of the Admin account is not comprehensive enough. This presumption of mine I would like to ask opinion from the MBAM expert. Thanks for the tip about pressing windows key + r to access the Run item...didn't know about it. Now, I am planning to delete the Run item in the Limited account's Start Menu again...will my MBAM complain again about Hijack.StartMenu? BTW, I'll just add to Ignore List the MBAM detection on my pc today as advised in this forum. Thanks!
  12. Yeah, I remember disabling the showing of Control Panel in the limited account's Start Menu in the past. I also remember disabling Run in the Start Menu in the limited account in the past but I decided to have it back again in the Start Menu the next day because it's my habit to run msconfig to look at my startup items...is that enough to have my MBAM detect/complain about it? Also, do you advise to scan with MBAM separately the Limited account? Or is scanning the Admin account enough?
  13. Hi! I did a scan on my pc's limited account today with MBAM (1.26) Free (without updating, using Database version 1113) and I get this result showing I'm infected. I immediately went to the Admin account and did a scan with MBAM (this time updating it first and I got Database version 1122) and to my relief>>>no infection. I went back to the limited account and did a re-scan using the updated version of MBAM and still I get the same result showing I am infected. Now, I haven't done anything yet...I just exited from the MBAM and went to google Hijack.StartMenu. I browsed this thread and this thread BUT still I don't know how to proceed regarding MBAM detection on my pc's limited account. The 2 MBAM forum threads I cited above mentioned that it will show up as MBAM detection if one has disabled the "Run" item in the Start Menu...the other thread also mentioned that it will show up as MBAM detection if one has also disabled the "recent items" button (I suppose it's the "Recent Documents List") in the Start Menu. Now, the Start Menu in my pc's limited account looks like this...obviously there is the "Run" item there (though the Recent Documents list is not there)...and so I don't know if my MBAM detection is a FP one or a real threat. My SuperAntispyware detects nothing...my AVG8 Free also detects nothing...and my pc's behaviour seems OK. Also, it is only now that I came to know that MBAM scan done on the Admin account does not include scanning of the limited account...this is just my presumption because scan in my limited account showed infection whereas scan done on the Admin account revealed nothing. Am I right in my presumption? What do I do regarding the Hijack.StartMenu detection? Thanks! Windows XP MCE(SP3),IE7 & FireFox3(default),HostsMan 3.1.57,AVG Free 8,CCleaner,SUPERAntispyware,F-Secure BlackLight AntiRootKit,ZoneAlarm Free 7.0.483