MarkusR Report post Posted December 21, 2010 SUPERAntiSpyware Scan Log https://www.superantispyware.com Generated 12/20/2010 at 11:40 PM Application Version : 4.47.1000 Core Rules Database Version : 6044 Trace Rules Database Version: 3856 Scan type : Quick Scan Total Scan Time : 00:04:06 Memory items scanned : 532 Memory threats detected : 0 Registry items scanned : 2435 Registry threats detected : 2 File items scanned : 7762 File threats detected : 0 Security.HiJack[imageFileExecutionOptions] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EHSHELL.EXE HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EHSHELL.EXE#Debugger Logfile of Trend Micro HijackThis v2.0.4 Scan saved at 11:27:26 PM, on 12/20/2010 Platform: Windows 7 (WinNT 6.00.3504) MSIE: Internet Explorer v8.00 (8.00.7600.16700) Boot mode: Normal Running processes: C:\Windows\system32\Dwm.exe C:\Windows\system32\taskhost.exe C:\Windows\Explorer.EXE C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe C:\Windows\System32\igfxtray.exe C:\Windows\System32\hkcmd.exe C:\Windows\System32\igfxpers.exe C:\Program Files\LogMeIn\x86\LogMeInSystray.exe C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe C:\Windows\system32\SearchProtocolHost.exe C:\Windows\system32\SearchFilterHost.exe C:\Users\POSAdmin\Desktop\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O4 - HKLM\..\Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe -s O4 - HKLM\..\Run: [igfxTray] C:\Windows\system32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe O4 - HKUS\S-1-5-19\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE') O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: LMIGuardianSvc - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe Share this post Link to post Share on other sites
Seth Report post Posted December 21, 2010 Welcome to the SAS forum Markus. Those files do indeed look like false positives. Update SAS and run the scan again. If those files appear, then please see: https://www.superantispyware.com/supportfaqdisplay.html?faq=28 Share this post Link to post Share on other sites
wendyjo Report post Posted December 30, 2011 i have a fresh install of SAS and just got the same results .. it is more than a year since the original post above.. is this still considered a false positive ? this post was never answered https://forums.superantispyware.com/index.php?/topic/4645-is-this-a-false-positive/ this one mentions it a couple times, https://forums.superantispyware.com/index.php?/topic/4332-cant-remove-securityhijack/ but I can't find any clear CURRENT information on the nature of the reported entries what is the proper way to address them ? Registry threats detected : 2 Security.HiJack[imageFileExecutionOptions] HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EHSHELL.EXE HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EHSHELL.EXE#Debugger thank you in advance. wendy Share this post Link to post Share on other sites
datasafe Report post Posted January 12, 2012 So is there a resolution to this? I have the same issue! Regards John Share this post Link to post Share on other sites
adethomp Report post Posted March 27, 2012 Same issue here! Any resolution as yet please. ta Ade Share this post Link to post Share on other sites
SAS Customer Service Report post Posted March 27, 2012 That detection is not itself malware but a symptom of malware, create a support ticket at www.superantispyware.com/csr and I can send you a diagnostic to determine if it's a false positive or not. Share this post Link to post Share on other sites
