Can't remove Security.Hijack


9 replies to this topic

#1 PC_Arcade

PC_Arcade

    Newbie

  • Members
  • Pip
  • 3 posts

Posted 15 November 2010 - 03:52 PM

I have been infected with malware which prevents me from running programs which launch other programs / processes (e.g. changing the time / date). If I try, a popup appears telling me that my "internet security settings prevented one or more files from being opened".

Also, if I search for a program on the start menu in Windows 7 (64-bit) (e.g. SUPERAntiSpyware), a link called "Programs", and only that link, appears, and if I try to run it I get the same error as above.

SAS shows me I have 2 registry entries, but despite rebooting to remove them they show up again on the next scan :(

the 2 keys are :

(x86) HKLM\Software\Microsoft\Windows NT\Current Version\Image File Execution Options\EHSHELL.EXE
and
(x86) HKLM\Software\Microsoft\Windows NT\Current Version\Image File Execution Options\EHSHELL.EXE#Debugger

I can't post the log as nothing happens when I click the link.

Can anyone help? It's driving me mad!

#2 Seth

Seth

    Advanced Member

  • Members
  • PipPipPip
  • 1,598 posts

Posted 16 November 2010 - 02:10 PM

Welcome to the SAS forum PC Arcade.

Those files aren't normally associated with malware. However, upload them to Virus Total to confirm: http://www.virustotal.com/

Have you tried a System Restore? Also, please post the version of SAS that you're using (Version/Trace/Core).

#3 PC_Arcade

PC_Arcade

    Newbie

  • Members
  • Pip
  • 3 posts

Posted 16 November 2010 - 07:47 PM

That file is clean, I guess whatever has infected my system SAS isn't picking up :(

It's difficult to find out exactly what it is! It's stopping some programs from running and MBAM, SAS etc don't see anything untoward

#4 SAS Customer Service

SAS Customer Service

    Advanced Member

  • Moderators
  • 998 posts

Posted 16 November 2010 - 09:45 PM

What symptoms are you having?
Customer Service
SUPERAntiSpyware
www.superantispyware.com

#5 Seth

Seth

    Advanced Member

  • Members
  • PipPipPip
  • 1,598 posts

Posted 16 November 2010 - 10:29 PM

Shut down SAS by right clicking on its icon in the Notification Area. Now go to your program list, open the SAS folder, right click on "SuperAntiSpyware Professional (or Free)", then click on "Run as Administrator". When SAS opens, right click on its icon and choose "Check For Updates", then run another scan. If those files show up again, then when the scan completes, you can highlight those files and choose "Report False Positive".

If the system still exhibits issues following the above, then attempt a System Restore to a time just before the problems began.

If all that doesn't help, then please be more specific in regards to the problem.

#6 Seth

Seth

    Advanced Member

  • Members
  • PipPipPip
  • 1,598 posts

Posted 16 November 2010 - 10:36 PM

EDIT: Double post

#7 PC_Arcade

PC_Arcade

    Newbie

  • Members
  • Pip
  • 3 posts

Posted 19 November 2010 - 01:27 PM

Stupidly I don't have a restore point :(

This was caused by malware masquerading as an MS Security Centre popup which attempted to get CC details by attempting to force a sale of (obviously fake) malware removal software - I think it was called thinkpoint and I got rid of parts of it, but obviously not all :(

I managed to get back into the system but the following symptoms remain:

Any program which tries to launch another program (for example clicking the change time option on the clock in the toolbar) is stopped from doing so and a popup appears saying that my Internet Security Settings prevent this program from running. This also affects things such as the Blizzard launcher for WoW, as it can neither launch the downloader nor, if I do that step manually, apply the patch.

I can't access services.msc, as if I try to I am prevented from running the ActiveX controls on the page.

If I search for anything in the start menu I get just one option called "Program", irrespective of what I search for; if I try to run this I get the security settings popup.

I really would appreciate any help I can get as I'd really rather not reinstall Windows.

#8 SAS Customer Service

SAS Customer Service

    Advanced Member

  • Moderators
  • 998 posts

Posted 19 November 2010 - 07:01 PM

Stupidly I don't have a restore point :(

This was caused by malware masquerading as an MS Security Centre popup which attempted to get CC details by attempting to force a sale of (obviously fake) malware removal software - I think it was called thinkpoint and I got rid of parts of it, but obviously not all :(

I managed to get back into the system but the following symptoms remain:

Any program which tries to launch another program (for example clicking the change time option on the clock in the toolbar) is stopped from doing so and a popup appears saying that my Internet Security Settings prevent this program from running. This also affects things such as the Blizzard launcher for WoW, as it can neither launch the downloader nor, if I do that step manually, apply the patch.

I can't access services.msc, as if I try to I am prevented from running the ActiveX controls on the page.

If I search for anything in the start menu I get just one option called "Program", irrespective of what I search for; if I try to run this I get the security settings popup.

I really would appreciate any help I can get as I'd really rather not reinstall Windows.



Please submit a support ticket so we can get a diagnostic running and try to find out what is infecting your computer.

http://www.superanti...eateticket.html
Customer Service
SUPERAntiSpyware
www.superantispyware.com

#9 Fireytech Repair Services

Fireytech Repair Services

    Newbie

  • Members
  • Pip
  • 1 posts

Posted 19 October 2011 - 03:36 PM

I have run into the same issue with SAS finding the following files:

(x86) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EHSHELL.EXE
(x86) HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EHSHELL.EXE#Debugger

When I look up that key in the registry, it looks like it is for Log Me In, which is a valid program I have installed. I have run Super Antispyware, Avast! boot time scans, ComboFix, Malware Bytes, etc. I am starting to think that this is a false positive as well.
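
The manual registry lookup described in the post above, as an added example that is not part of the original thread and not SUPERAntiSpyware's own logic: a PowerShell check that lists every Image File Execution Options subkey carrying a Debugger value, with the file it points to and that file's Authenticode status. It assumes PowerShell 3.0 or later and an elevated 64-bit prompt; reading the "(x86)" prefix in the scan output as the 32-bit (WOW6432Node) registry view is also an assumption.

```powershell
# Added example: enumerate IFEO subkeys that have a Debugger value, in both
# the 64-bit and 32-bit registry views, so each entry can be reviewed.

$ifeoRoots = @{
    '64-bit' = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    '32-bit' = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
}

$findings = foreach ($view in $ifeoRoots.Keys) {
    $root = $ifeoRoots[$view]
    if (-not (Test-Path -LiteralPath $root)) { continue }

    foreach ($key in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
        $debugger = [string]$key.GetValue('Debugger')
        if ([string]::IsNullOrWhiteSpace($debugger)) { continue }

        # The value is a command line. Take the executable part: the quoted
        # string if there is one, otherwise the first whitespace-separated token
        # (an unquoted path containing spaces will therefore show FileExists = False).
        if ($debugger -match '^\s*"([^"]+)"') {
            $exe = $Matches[1]
        } else {
            $exe = ($debugger.Trim() -split '\s+')[0]
        }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)

        # Only full paths to an existing file can be signature-checked here.
        $exists = Test-Path -LiteralPath $exe -PathType Leaf
        $status = 'n/a'
        if ($exists) { $status = (Get-AuthenticodeSignature -FilePath $exe).Status }

        [pscustomobject]@{
            View       = $view
            Image      = $key.PSChildName   # e.g. EHSHELL.EXE
            Debugger   = $debugger
            FileExists = $exists
            Signature  = $status
        }
    }
}

$findings | Sort-Object Image, View | Format-Table -AutoSize -Wrap
```

An entry whose Debugger points to a signed binary from software you installed is a candidate false positive; one that points to a missing, unsigned or unfamiliar file deserves a closer look before it is dismissed.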

#10 david banner

david banner

    Advanced Member

  • Members
  • PipPipPip
  • 40 posts

Posted 12 January 2012 - 03:33 PM

I have been infected with malware which prevents me from running programs which launch other programs / processes (e.g. changing the time / date). If I try, a popup appears telling me that my "internet security settings prevented one or more files from being opened".

Also, if I search for a program on the start menu in Windows 7 (64-bit) (e.g. SUPERAntiSpyware), a link called "Programs", and only that link, appears, and if I try to run it I get the same error as above.

SAS shows me I have 2 registry entries, but despite rebooting to remove them they show up again on the next scan :(

the 2 keys are :

(x86) HKLM\Software\Microsoft\Windows NT\Current Version\Image File Execution Options\EHSHELL.EXE
and
(x86) HKLM\Software\Microsoft\Windows NT\Current Version\Image File Execution Options\EHSHELL.EXE#Debugger

I can't post the log as nothing happens when I click the link.

Can anyone help? It's driving me mad!



Is this it?
http://www.file.net/...shell.exe.html. Think SAS too may FP today says irfanview is trojan :x
Thanks

David



