jak Posted January 8, 2009 ID:45786 Share Posted January 8, 2009 I disabled "My Documents" in START when I first set up my computer since I have a "My Doc" key on my Logitech keyboard. A day or so ago I found "My Documents" once again occupying the top right hand slot in START. I disabled it once again and went on about my computing. The next morning I found "My Documents" had again been enabled. I blinked a couple of times and disabled it. Yesterday I installed Trend Micro Internet Security 2009 to replace Comcast's free version of McAfee Internet Security Suite, which had let in AntiVirus 2009 (as well as disabling its own firewall without warning and self-aborting scans). After running the Trend Micro scan, I decided to run a MBAM scan as a double check on the cleanliness of my system. MBAM found Hijack.StartMenu affecting my Start Menu at Start_ShowMyDocs. I Removed it and checked the log to see that it had been "Quarantined and Deleted Successfully". Cool, I thought, end of problem. Unfortunately not. This morning when I booted up my machine, there was "My Documents" once again enabled in START. I scanned with Trend Micro and found nothing except a bunch of cookies. Spybot S&D found cookies only as well. MBAM, however, showed that Hijack.StartMenu was still installed somewhere on my system. I can successfully Remove it, but rebooting brings it back.I don't want "My Documents" on my START menu.When I disable it, I want and expect it to stay disabled.Now I realize that it hurts nothing for "My Documents" to be enabled; but if this malware is disturbing that simple Registry Data Item, what else might it infect next? And will it open the door (of my Trend Micro firewall) to let other nasties in for tea and crumpets?How, then, do I permanently get rid of this infection?* * *Here is the latest MBAM scan log (I updated immediately prior to running the scan):Malwarebytes' Anti-Malware 1.32Database version: 1629Windows 5.1.2600 Service Pack 31/7/2009 4:07:42 PMmbam-log-2009-01-07 (16-07-42).txtScan type: Quick ScanObjects scanned: 53828Time elapsed: 5 minute(s), 17 second(s)Memory Processes Infected: 0Memory Modules Infected: 0Registry Keys Infected: 0Registry Values Infected: 0Registry Data Items Infected: 1Folders Infected: 0Files Infected: 0Memory Processes Infected:(No malicious items detected)Memory Modules Infected:(No malicious items detected)Registry Keys Infected:(No malicious items detected)Registry Values Infected:(No malicious items detected)Registry Data Items Infected:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.Folders Infected:(No malicious items detected)Files Infected:(No malicious items detected)* * *Here is the scan log from ESET:# version=4# OnlineScanner.ocx=1.0.0.635# OnlineScannerDLLA.dll=1, 0, 0, 79# OnlineScannerDLLW.dll=1, 0, 0, 78# OnlineScannerUninstaller.exe=1, 0, 0, 49# vers_standard_module=3749 (20090107)# vers_arch_module=1.064 (20080214)# vers_adv_heur_module=1.064 (20070717)# EOSSerial=6105f8e657b64043ac75b9390a669f86# end=finished# remove_checked=true# unwanted_checked=true# utc_time=2009-01-08 12:41:09# local_time=2009-01-07 05:41:09 (-0700, Mountain Standard Time)# country="United States"# osver=5.1.2600 NT Service Pack 3# scanned=312236# found=0# scan_time=4673* * *Here is the scan log from Hijack This:Logfile of Trend Micro HijackThis v2.0.2Scan saved at 5:47:57 PM, on 1/7/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16762)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\csrss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\brsvc01a.exeC:\WINDOWS\system32\brss01a.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\RTHDCPL.EXEC:\WINDOWS\system32\RUNDLL32.EXEC:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exeC:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exeC:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exeC:\Program Files\Logitech\iTouch\iTouch.exeC:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exeC:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exeC:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exeC:\Program Files\Common Files\Real\Update_OB\realsched.exeC:\Program Files\Java\jre6\bin\jusched.exeC:\Program Files\Logitech\MouseWare\system\em_exec.exeC:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exeC:\WINDOWS\system32\ctfmon.exeC:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exeC:\Program Files\Messenger\msmsgs.exeC:\Program Files\Registry Mechanic\RegMech.exeC:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exeC:\Program Files\MSI\PC Alert 4\PCAlert4.exeC:\Program Files\PrintKey2000\Printkey2000.exeC:\PROGRA~1\Webshots\Webshots.scrC:\Program Files\Trend Micro\BM\TMBMSRV.exeC:\Program Files\Common Files\Acronis\Schedule2\schedul2.exeC:\Program Files\AGI\common\win32\PythonService.exeC:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXEC:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exeC:\WINDOWS\System32\nvsvc32.exeC:\Program Files\Trend Micro\Internet Security\SfCtlCom.exeC:\Program Files\Trend Micro\Internet Security\TmPfw.exeC:\Program Files\Trend Micro\Internet Security\TmProxy.exeC:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exeC:\WINDOWS\System32\ups.exeC:\WINDOWS\System32\alg.exeC:\Program Files\Malwarebytes' Anti-Malware\mbam.exeC:\Program Files\Internet Explorer\IEXPLORE.EXEC:\Program Files\Trend Micro\HijackThis\HijackThis.exeC:\WINDOWS\System32\wbem\wmiprvse.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://*.mcafee.comO16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cabO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1223574872781O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1223574926484O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cabO23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exeO23 - Service: AG Windows Service (AGWinService) - Unknown owner - C:\Program Files\AGI\common\win32\PythonService.exeO23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exeO23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exeO23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exeO23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exeO23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exeO23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exeO23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmPfw.exeO23 - Service: Trend Micro Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exeO23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe--End of file - 11188 bytes* * *Whatever you can do to help, I would really appreciate. I'm getting some other weird stuff (like a warning from Google that some other search engine is trying to become the default! Internet Explorer having to shut down because of encountered problems - several times a day! Error code messages popping up when closing applications.), but let's just work on this "Hijack.StartMenu" problem first.Thank you.JAK Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted January 8, 2009 Root Admin ID:45830 Share Posted January 8, 2009 Hello JackRun a quick scan, when it finds Hijack.StartMenu just select it and tell MBAM to ignore it. Often home users don't use this feature but Malware and Corporate does, but there is no way to tell if the user did it or if Malware did it. Once you tell MBAM to ignore it then you should be able to set it any way you want it again. Link to post Share on other sites More sharing options...
jak Posted January 8, 2009 Author ID:45897 Share Posted January 8, 2009 Thank you. I clicked on "Ignore". It seems to be working. I re-disabled "My Documents" on the Start Menu, and it seems to be holding. I'll keep watching. If the problem comes back, I'll be back on this topic. For now, though, all seems well once again.And Google didn't alert me that it was being replaced as my default Search Engine. And so far IE7 hasn't shut down. And no strange messages when I've exited from applications.Perhaps things are back to normal?Thanks again. Link to post Share on other sites More sharing options...
Root Admin AdvancedSetup Posted January 8, 2009 Root Admin ID:46005 Share Posted January 8, 2009 Well that's sounds good then. I'll close this post and you can open a post in the General forum if this particular issue with the menu comes up again.Thanks. Link to post Share on other sites More sharing options...
Recommended Posts