Start_ShowRun (Hijack.StartMenu)

Hi, I get this result on my laptop which runs Vista premium but not on my desktop which runs the same OS. I am not sure if it is a FP but I can avoid getting this "infection" detected if I allow run in the start menu. I am worried however as to why it happens on one pc but not another.

Malwarebytes' Anti-Malware 1.14
Database version: 819

11:23:17 PM 6/3/2008
mbam-log-6-3-2008 (23-23-14).txt

Scan type: Quick Scan
Objects scanned: 31555
Time elapsed: 1 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

There is a common infection that is hijacking this component and this will correct that problem.

We can't tell if run has been hidden intentionally.

Right click the entry and tell MBAM to ignore it, you won't see it again in scan results.

Correct me if I'm wrong but I believe the default in Vista is for run to not be on the start menu.

The problem is that in XP it's not and access is removed by this infection.

We have removed several of the less important ones from defs and this may be another that I consider.

At some point we are adding a tool to correct multiple Windows issues both related and unrelated to malware damage and some of these will be moved to that tool.

I am going to ask our coder if I can have the ability to add a , XP flag to this def form to allow filtering by OS, that would also fix this issue.

Thanks for your speedy replies. I am notoriously careful about what I install on my machine so I was very worried for a while. I am still wondering as to why this "infection" does not appear on my desktop computer which runs the same OS and has the default Vista start menu like my laptop does.

I will take a look at this further tonight when I have access to both computers.

Thanks again.

Okay, I think I figured out the problem. On my laptop I had the "recent items" button removed on the start menu. My desktop had it and after I disabled it I got the same "infection" with MBAM. Strange but I'm sure it's a FP now.

Apparently it only detects it if you have removed the recent items list as well (which I do).

I had the same experience of MBAM showing "Hijack.StartMenu" as an infection, which I then had it remove. Subsequently I came across this forum and thread. Can someone explain the effect of removing this? Does it impact any functions of the XP Pro Start menu? If so, in what way(s)? I thought from the above comments that this might be a False Positive and was likely to be removed from the MBAM definitions (was it removed from the definitions? I'm using current definition).

If there are missing start menu items this will put them back as there is no way to tell the difference between malware and user modifications.

If you have disabled them yourself please use the ignore function.

Thanks for getting back to me so quickly! I've not adjusted the Start menu in ages (as in a couple of years ago or so). Am I correct that having MBAM remove the registry entry, which is what I did, simply resets the Start Menu's general capabilities?

Sorry to bump this thread again, but after reading the responses here and the various FAQs on the rest of the site I still have some questions (below). I was hit with an unpleasant mess of malware yesterday, and after cleaning most of it up with a system restore I'm in the process of rooting out any junk that may still be lurking on my various hard drives. Malwarebytes was recommended to me as an excellent on-demand scanner, which is how I found myself here.

I've run a full system scan and got results identical to what conte describes here (I can post a log, but it's not in dev mode). If someone could please answer me these questions three, I would be most grateful:

1) The scan says something's up with my registry data, but also that it's "good." Was there ever a problem here?

2) If so, was it fixed? "No action taken" doesn't exactly fill me with confidence. And finally...

3) If Malwarebytes, Spybot, and AVG all give me clean scans, is my computer officially de-borked? I gather this one's a little harder to answer, but I'd be happy with responses to just 1 & 2.

Thanks in advance!

1. Bad shows what is there that should not be, good shows what will be there if you allow the fix. Keep in mind that these settings can be changed intentionally and there is no way to tell if the user set these or if malware did. We list the modification and let the user make the call.

2. "No action taken" is exactly what it says, you did not allow the fix and nothing was changed. This will be displayed if someone does a scan and saves the log but does not have MBAM fix anything. Keep in mind that you can save a log and THEN select fix. If you do this "no action taken" will be displayed in the saved log you saved yourself but in the log saved by MBAM automatically will be the actions taken when you select remove.

3. There is not now nor will there ever be a way to answer this without expert inspection although each additional scanner that comes up clean does increase the likelihood that things are fixed. If this is the case AND there are no unusual things taking place with the system then you could at least say that it is likely that things are fixed.
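
Added example (not part of the original thread and not Malwarebytes code): a small Python parser for the "Registry Data Items Infected" line format shown in the log earlier in this thread, applying the Bad/Good reading given in the reply above. The function names and the `fix_applied` field are assumptions, as is treating any action text other than "No action taken" as a change.

```python
import re

# Lines copied from the log posted in this thread (other sections trimmed).
SAMPLE_LOG = r"""Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.

Folders Infected:
(No malicious items detected)
"""

# <key>\<value name> (<detection>) -> Bad: (<current>) Good: (<proposed>) -> <action>
DATA_ITEM = re.compile(
    r"^(?P<key>HK[^\s\\]+\\.+)\\(?P<value>[^\\]+?) \((?P<detection>[^()]+)\)"
    r" -> Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> (?P<action>.+)$"
)


def parse_data_items(log_text):
    """Return one dict per registry data item reported in the log text."""
    items, section = [], None
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.endswith("Infected:"):  # section heading (summary lines end in a count)
            section = line[:-1]
            continue
        m = DATA_ITEM.match(line)
        if m and section == "Registry Data Items Infected":
            item = m.groupdict()
            # Per the thread: Bad = data present at scan time, Good = data the fix writes.
            # Assumption: any action other than "No action taken" means data was changed.
            item["fix_applied"] = item["action"].rstrip(".") != "No action taken"
            items.append(item)
    return items


def describe(item):
    """One-line reading of a parsed item, for triage notes."""
    state = "was changed to" if item["fix_applied"] else "would be changed to"
    return (f'{item["value"]} held {item["bad"]!r} at scan time; '
            f'it {state} {item["good"]!r} ({item["detection"]})')


if __name__ == "__main__":
    for entry in parse_data_items(SAMPLE_LOG):
        print(describe(entry))
```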


Thanks for the reply; let me just make sure I'm absolutely clear here:

1) The scan is telling me that something/someone changed the default registry values for something in my start menu. I rarely mess with my start menu options and NEVER touch the registry, so this means that malware was involved.

2) "No action taken" means that Malwarebytes hasn't done anything yet, and selecting "remove" will return this registry data back to its default (thereby fixing the problem).

Did I get all that right?

Sorry for being thick here, but I'm not sure what you mean, Nosirrah. I have the same thing, with the result showing one infected "malicious software" file, by the "vendor" Hijack.Startmenu in my Registry. Malwarebytes tells me it's "good" and that it has taken no action. Should I leave that then? Nosirrah seems to suggest it's up to me whether to quarantine/delete that software. It is confusing, however: if my computer is deemed infected and this software is malicious, how can it be good? Also, what do you mean by "allow the fix"? Bottom line, what should I do, delete it or leave it? Many thanks.

In those detections BAD shows you what is there currently, GOOD shows you what we will put there if allowed. If you do not select fix nothing will be changed.

Aha. Gotcha. Many thanks, Bruce Nosirrah

Windows 7 32bit, ran Malwarebytes earlier today and found this "infection" as well. However, I was stupid enough to trust this company's products and chose to "fix" it. After a reboot my OS failed to load. After another reboot my OS failed to load again. Panic gripped me because this is a work computer and my last backup was a week ago so I would have lost A LOT of work.

Fortunately I had just updated AVG which created a restore point so I used the system restore from the boot CD and now my OS is back to normal.

Am now uninstalling Malwarebytes and will be asking sales for my money back.

DO NOT "fix" this falsely reported hijack, and frankly stop using this product until this company can sort out what is an essential part of the OS and a hijack.

Hiding or showing the start menu button is not related to booting in any way. There was more going on here and we could look into it if you post a scan log.
