
False Positive?: EHSHELL.EXE



#1 MarkusR

    Newbie

  • Members
  • 1 posts

Posted 21 December 2010 - 07:55 AM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/20/2010 at 11:40 PM

Application Version : 4.47.1000

Core Rules Database Version : 6044
Trace Rules Database Version: 3856

Scan type : Quick Scan
Total Scan Time : 00:04:06

Memory items scanned : 532
Memory threats detected : 0
Registry items scanned : 2435
Registry threats detected : 2
File items scanned : 7762
File threats detected : 0

Security.HiJack[ImageFileExecutionOptions]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EHSHELL.EXE
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EHSHELL.EXE#Debugger


Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 11:27:26 PM, on 12/20/2010
Platform: Windows 7 (WinNT 6.00.3504)
MSIE: Internet Explorer v8.00 (8.00.7600.16700)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskhost.exe
C:\Windows\Explorer.EXE
C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe
C:\Windows\System32\igfxtray.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Users\POSAdmin\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LMIGuardianSvc - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

#2 Seth

    Advanced Member

  • Members
  • 1,598 posts

Posted 21 December 2010 - 05:52 PM

Welcome to the SAS forum Markus.

Those files do indeed look like false positives.

Update SAS and run the scan again. If those files appear, then please see:

http://www.superanti...lay.html?faq=28

#3 wendyjo

    Newbie

  • Members
  • 1 posts

Posted 30 December 2011 - 12:23 PM

I have a fresh install of SAS and just got the same results.
It is more than a year since the original post above.
Is this still considered a false positive?

This post was never answered:
http://forums.supera...false-positive/

This one mentions it a couple of times:
http://forums.supera...securityhijack/

But I can't find any clear CURRENT information on the nature of the reported entries.

What is the proper way to address them?


Registry threats detected : 2

Security.HiJack[ImageFileExecutionOptions]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EHSHELL.EXE
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EHSHELL.EXE#Debugger
thank you in advance.
wendy

#4 datasafe

    Member

  • Members
  • 17 posts

Posted 12 January 2012 - 10:57 AM

So is there a resolution to this? I have the same issue!

Regards

John

#5 adethomp

    Newbie

  • Members
  • 1 posts

Posted 27 March 2012 - 08:33 AM

Same issue here! Any resolution as yet, please?

ta

Ade

#6 SAS Customer Service

    Advanced Member

  • Moderators
  • 1,004 posts

Posted 27 March 2012 - 04:41 PM

That detection is not itself malware but a symptom of malware. Create a support ticket at www.superantispyware.com/csr and I can send you a diagnostic to determine if it's a false positive or not.
Customer Service
SUPERAntiSpyware
www.superantispyware.com
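To triage an entry like the EHSHELL.EXE hit in the scan logs above, a defender can enumerate every Image File Execution Options subkey that carries a Debugger value and check what that value points at. This is an added example, not SAS's diagnostic or anything posted in the thread; the key path comes from the scan log, and the helper name Get-IfeoDebugger is assumed.

```powershell
# Added example, not SAS's diagnostic: list every Image File Execution Options
# subkey that carries a Debugger value and show where the debugger points.
# Run from an elevated PowerShell. On 64-bit Windows the WOW6432Node view is a
# separate key, so both roots are checked.
$IfeoRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

function Get-IfeoDebugger {
    # Hypothetical helper name; returns one object per subkey that has a Debugger value.
    param([string[]]$Roots = $IfeoRoots)
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            if ($null -eq $props -or $null -eq $props.Debugger) { return }   # skip subkeys without Debugger

            # The value is a command line; take the executable token, quoted or not.
            $raw = [string]$props.Debugger
            $exe = if ($raw.StartsWith('"')) { $raw.Split('"')[1] } else { ($raw -split '\s+')[0] }
            $exists = Test-Path -LiteralPath $exe -PathType Leaf
            $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $exe).Status } else { 'file missing' }

            [pscustomobject]@{
                Target         = $_.PSChildName     # e.g. EHSHELL.EXE
                Debugger       = $raw
                DebuggerExists = $exists
                Signature      = $sig               # Valid, NotSigned, HashMismatch, ...
                Key            = $_.Name
            }
        }
    }
}

# A Debugger that is missing, unsigned, or outside any known tool's directory is
# what makes an IFEO entry worth a closer look; a signed debugger registered by a
# developer or diagnostic tool is the common benign explanation.
Get-IfeoDebugger | Sort-Object Target | Format-Table -AutoSize
```

The Debugger column is the fact the scan log does not show: the SAS entry only names the key, so reading the value is the first step in deciding whether the entry is a leftover from a legitimate tool or something to hand to support.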
