PUM.Hijack.StartMenu, false positive?

[Double]

Hi, i recently reinstalled my system to refresh some things, i do this occasionally. Before I reinstalled I did a scan with MBAM, everything came up clean. After reinstalling all my programs on the new installation, i received a notification from MBAM that it had found 'PUM.Hijack.StartMenu' during a routine scan.

 

The programs I installed were from their official sites, others using Ninite (https://ninite.com/). I then decided to download a paid app called Xplorer2 (http://www.zabkat.com/) which I have abandoned in the past, because i thought it was the cause for a "Hijack.Drives" i caught long ago. For those unaware, Xplorer2 is basically a Windows Explorer replacement.

 

I am beginning to think Xplorer2 is the same reason for the 'PUM.Hijack.StartMenu' i just caught. There is a setting inside Xplorer2 which allows you to make Xplorer2 the 'default' explorer, which does have to make necessary changes to the registry in order for the app to trigger in place of Windows Explorer. I'll attach an image of this feature and the MBAM log in the coming hours. 

 

What do you guys think? Is this a legitimate find, or should i un-quarantine it from MBAM if it's needed for Xplorer2? 'Hijack.Drives' is likely to similar to 'PUM.Hijack.Startmenu', just sounds slightly different because of the new MBAM 2.0 interface.. but i could be wrong.

 

I found this little bit from Malwaretips.com:

PUM.Hijack.StartMenu is a specific detection used by Malwarebytes Anti-Malware and other antivirus products to indicate and detect a Potentially Unwanted Modification.

 

The PUM.Hijack.StartMenu detections are not actually false\positives or actual infections but rather settings which may have been changed by various programs.
A PUM (Potentially Unwanted Modification) is an unwanted change made to your computer’s settings. PUMs can be performed by both legitimate applications and malware, though changes made by malware are more likely to cause serious problems.
PUMs often modify settings at the system level. On Windows systems, this usually involves modifying the Windows registry.
PUM.Hijack.StartMenu is a modification in the Windows Registry, which will hijack your Windows Start Menu while there are a few legitimate programs that may trigger this behavior, in most cases this modification is due to a computer infection.

 

[Firefox]

Interesting find... you can post any False Positives HERE which is the correct section for posting such things...

 

Thanks

[shadowwar]

Being this is an intentional change by you from default windows that most users would not make, It would be safe to unquaranitine the detection add this to the ignore list.

 

Your right in the change you made by installing xplorer2 is what is causes the detection. We have no way of telling if its intentional by you or malware doing it,  that is why we detect it as potentially unwanted modification.

[Double]

Being this is an intentional change by you from default windows that most users would not make, It would be safe to unquaranitine the detection add this to the ignore list.

 

Your right in the change you made by installing xplorer2 is what is causes the detection. We have no way of telling if its intentional by you or malware doing it,  that is why we detect it as potentially unwanted modification.

I am beginning to think the same thing, but how do i know that it's okay to release back into the wild? I've been using the product and it seems to run fine as it is, but I'm wondering if the PUM has since been reapplied. I may do another scan to check.

 

I attached the MBAM log and a screenshot indicating that the 'Windows Explorer replacement' feature is currently enabled. No idea if this PUM would have appeared if i had not asked it to replace Windows Explorer during the install.

 

 

log.txt

[shadowwar]

This is not malicous in this case. Explorer2 made the change to the start menu of showing my computer or not. You can set this to ignore if this is how you want it to be.

[Double]

I asked the question and posted my log over at the Xplorer2 forums, and discovered by a user named Kilmatead that the PUMs were actually related to hiding 'Computer' from the start menu.   

 

The question I have now is, what should i do with the quarantined item? I've already hid 'Computer' twice now.. wouldn't MBAM find this PUM again?

 

 

[shadowwar]

You have to hide it. Run a scan then select on the detection screen instead of quarantine under the action column dropdown you want to select add exclusion. Its the dropdown on the detection line.  Then after thats done hit apply actions.

Then it will no longer be detected on future scans.

[Double]

I unhid 'Computer' from the start menu, then unquantined what MBAM found, then restarted. On bootup, 'Computer' was hidden again (the way it had been before MBAM quarantined it), this confirms that the user hiding 'Computer' from the start menu is certainly a false positive. I can also see how malware might want to fool around with it.

[Double]

I can also see how malware might want to fool around with it.

 

Still, couldn't MBAM do a better job of differentiating a change made by the user, and one made by malware? I'm glad that it is at least labeled as a 'PUM', but this only appears on MBAM 2.0, and isn't as helpful to the less savvy.

 

For the longest time, I had been lead to believe that I was infected with a malware that was extremely conniving and hard to kill, 'jumping' from new installation to new installation, when the real cause was actually customizing the interface every time i setup one these 'new installations'.

 

If i could have been given that answer a lot sooner, i would not have reinstalled my system as many times as i have.

[LadynRed]

This new PUM warning came up this morning (first scan after the upgrade) and had me a little freaked out since it's a company machine. In examining the location shown in the 'warning' for "PUM.Hijack.xxxxx", it shows it's under the "Policies\Explorer". As it is a company-issued laptop, our IT department does put certain policies in place (per group and user permissions)  and I believe that's what MBAM is seeing and screaming "potential threat" about - when it's no threat at all. I also checked the features that MBAM is showing and none of these things are disabled for me, but the fact that these settings exist in the registry at all seems to be getting flagged by MBAM. 

 

Nothing has been recently installed on this machine that doesn't also get scanned by the company anti-virus on the machine. I installed MBAM as an extra layer of protection, since even the best AV program may not catch malware. 

 

So, MBAM threw a scare into my day that was utterly unnecessary. I'm going to have to add exclusions for these and I hope is doesn't mess anything up - I do need to do my work today!

[Firefox]

Hello and

LadynRed being that this is a company computer, you need to check with your companies IT department for a solution. 

As your statement seems to indicate that this is a business you can either try posting in the Malwarebytes Business Support section of the forum => HERE <= or please contact corporate support and they will assist you with this.

You can also fill out this form located => RIGHT HERE <= and someone from corporate support will get in contact with you.

Also make sure you have malwarebytes.org and salesforce.com in your Safe Sender list in email.

In order to assist you better please provide the following information when contacting them.

Cleverbridge Order Reference Number:

Organization name:

Approved Contact name:

If you no longer have access to the order number you can contact Cleverbridge to obtain information about your order.

Cleverbridge customer service

Thank you

PS: If you are using a consumer version of Malwarebytes (as you stated that you installed Malwarebytes and not your IT staff)you are not allowed to use the consumer version of Malwarebytes on a business computer. You need to use a business license of Malwarebytes.

[LadynRed]

My point was that those registry entries are there for a legitimate reason, they are not modifications made by malware. The default settings are to treat any modification as a threat, which I understand, but throws up a lot of unnecessary red flags. Not everyone using a PC is incapable of making their own, legitimate modifications.

[shadowwar]

Its vendorname is PUM which stands for potentially unwanted modification. MBAM has no way of telling if you made the change or malware did. If you did then it must be added to the ignore list to prevent further detections.