PC_Arcade

Can't remove Security.Hijack

I have been infected with malware which prevents me from running programs which launch other programs / processes (e.g. changing the time / date). If I try, a popup appears telling me that my "internet security settings prevented one or more files from being opened".

Also, if I search for a program on the Start menu in Windows 7 (64-bit) (e.g. SUPERAntiSpyware), a link called "Programs", and only that link, appears, and if I try to run it I get the same error as above.

SAS shows me I have 2 registry entries, but despite rebooting to remove them they show up again on the next scan :(

the 2 keys are :

(x86) HKLM\Software\Microsoft\Windows NT\Current Version\Image File Execution Options\EHSHELL.EXE

and

(x86) HKLM\Software\Microsoft\Windows NT\Current Version\Image File Execution Options\EHSHELL.EXE#Debugger

I can't post the log as nothing happens when I click the link.

Can anyone help? It's driving me mad!

Welcome to the SAS forum PC Arcade.

Those files aren't normally associated with malware. However, upload them to Virus Total to confirm: http://www.virustotal.com/

Have you tried a System Restore? Also, please post the version of SAS that you're using (Version/Trace/Core).


That file is clean, I guess whatever has infected my system SAS isn't picking up :(

It's difficult to find out exactly what it is! It's stopping some programs from running and MBAM, SAS etc don't see anything untoward


Shut down SAS by right clicking on its icon in the Notification Area. Now go to your program list, open the SAS folder, right click on "SuperAntiSpyware Professional (or Free)", then click on "Run as Administrator". When SAS opens, right click on its icon and choose "Check For Updates", then run another scan. If those files show up again, then when the scan completes, you can highlight those files and choose "Report False Positive".

If the system still exhibits issues following the above, then attempt a System Restore to a time just before the problems began.

If all that doesn't help, then please be more specific in regards to the problem.


Stupidly I don't have a restore point :(

This was caused by malware masquerading as a MS Security Centre popup which attempted to get CC details by attempting to force a sale of (obviously fake) malware removal software - I think it was called ThinkPoint and I got rid of parts of it, but obviously not all :(

I managed to get back into the system but the following symptoms remain:

Any program which tries to launch another program (for example clicking the change time option on the clock in the toolbar) is stopped from doing so and a popup appears saying that my Internet Security Settings prevent this program from running. This also affects things such as the Blizzard launcher for WoW, as it can neither launch the downloader nor, if I do that step manually, apply the patch.

I can't access services.msc, as if I try to I am prevented from running the ActiveX controls on the page.

If I search for anything in the Start menu I get just one option called "Program" irrespective of what I search for; if I try to run this I get the security settings popup.

I really would appreciate any help I can get, as I'd really rather not reinstall Windows.


Please submit a support ticket so we can get a diagnostic running and try to find out what is infecting your computer.

http://www.superantispyware.com/precreateticket.html


I have run into the same issue with SAS finding the following files:

(x86) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EHSHELL.EXE

(x86) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EHSHELL.EXE#Debugger

When I look up that key in the registry, it looks like it is for LogMeIn, which is a valid program I have installed. I have run SUPERAntiSpyware, Avast! boot-time scans, ComboFix, Malwarebytes, etc. I am starting to think that this is a false positive as well.

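An added example, not part of any post in this thread and not SUPERAntiSpyware's own tooling: a read-only PowerShell check that lists every Image File Execution Options subkey carrying a Debugger value, in both registry views, and reports whether the program it points to exists and is signed. It assumes PowerShell 3.0 or later and that the "(x86)" prefix in the scan output refers to the 32-bit (WOW6432Node) view.

```powershell
# Added example: read-only audit of IFEO "Debugger" values (run elevated).
# Assumption: "(x86)" in the scanner output means the 32-bit WOW6432Node view.
$views = [ordered]@{
    '64-bit' = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    '32-bit' = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
}

$findings = foreach ($view in $views.Keys) {
    $root = $views[$view]
    if (-not (Test-Path -LiteralPath $root)) { continue }

    foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
        # Only subkeys that redirect launches through a Debugger value matter here.
        $debugger = $key.GetValue('Debugger')
        if ([string]::IsNullOrWhiteSpace($debugger)) { continue }

        # Pull the executable out of the command line: quoted path first,
        # otherwise everything up to the first ".exe", otherwise the first token.
        if     ($debugger -match '^\s*"([^"]+)"')  { $exe = $Matches[1] }
        elseif ($debugger -match '^\s*(.+?\.exe)') { $exe = $Matches[1] }
        else                                       { $exe = ($debugger.Trim() -split '\s+')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)

        # A bare file name (no path) is reported as not found and needs a manual look.
        $exists = Test-Path -LiteralPath $exe -PathType Leaf
        $sig    = if ($exists) { Get-AuthenticodeSignature -LiteralPath $exe } else { $null }

        [pscustomobject]@{
            View      = $view
            Image     = $key.PSChildName
            Debugger  = $debugger
            Exists    = $exists
            Signature = if ($sig) { $sig.Status } else { 'n/a' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
}

$findings | Sort-Object View, Image | Format-List
```

A Debugger target that is missing, unsigned, or unrelated to any software you installed is worth investigating further; a validly signed target belonging to a program you installed is consistent with the false-positive reading given in the thread.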


Is this it?

http://www.file.net/process/ehshell.exe.html

Think SAS has too many FPs; today it says IrfanView is a trojan :x