Downloader.Easto.B


LadyGrey
08-10-2004, 08:00 AM
Hi All,
I'm sittin here saying a whole bunch of not nice words this morning!:mad: I did a restart of my computer and AVG immediately came up with the warning that "Trojan Downloader.Easto.B" had been found on my system. I've already taken the necessary steps to neutralize it: found 2 infected files in my WINNT folder, the names of the files were 7F1357.EXE and WINHLP32.EXE. Can't heal them, but they are in the vault. I'm curious as to how it got there in the first place. I've done a Google search and a search here for that name but have come up with nothing. Most very likely it goes by another name. Anyone know what the devil this thing is?? I can't figure out how it got past everything I run: AVG, Sygate firewall, SpywareBlaster. I scan almost every day with Spybot S&D, Adaware. What else can I do to keep this stuff out??
Thanks much,
LG;)

classicsoftware
08-10-2004, 12:00 PM
Are you sure about the virus name?
I couldn't find anything on Google or on the Grisoft site.

ErnieK
08-10-2004, 12:41 PM
LadyG
Here is a link to what looks like removers from KASPERSKY LABS. The main page is in one of those foreign lingos, and as it takes me all my time to speak/read English I am stumped as to what it actually says. The download is centre column, 7th from bottom.

Get someone else to check out that it is safe to download


http://www.idepro.fr/kaspersky/infovirus/kav_virlistjjmmaa.asp?JJ_vir=3&MM_vir=7&AA_vir=2004

classicsoftware
08-10-2004, 06:37 PM
Since I took Spanish in high school almost 30 years ago and I know a little Yiddish and German, my high school freshman daughter says:

Detecté et/ou nettoyé/mis en quarantaine par KAV Scanner

Means:

Detects and or cleans items placed in quarantine by the KAV scanner.

The link provides no download only information.

I would perform an on-line scan at Symantec or Trend Micro and let us know what they find.

LadyGrey
08-11-2004, 07:32 AM
Thanks for the help!! I've done the scan online at TrendMicro and it came up clean!:confused: Ran it again to be sure then ran it on the Grisoft file itself, all clean. I'm putting the log from AVG here in hopes that it will help to figure this out. I want to know what this is and how it got on my computer. This is making me crazy. I hate it when something has invaded my computer and I can't figure out why or where it came from. Thanks much, LG;)


Results of Complete Test, date and time 8/9/2004 22:05:29 :

Testing C:\ volume MAINDRIVE serial F4C9-730D
C:\WINNT\SYSTEM32\7F1357.EXE Downloader.Easto.B
C:\WINNT\SECURITY\EDB.LOG Cannot open; not checked!
C:\WINNT\SECURITY\TMP.EDB Cannot open; not checked!
C:\WINNT\Downloaded Program Files\WINHLP32.EXE Downloader.Easto.B
C:\Documents and Settings\Administrator\NTUSER.DAT Cannot open; not checked!
C:\Documents and Settings\Administrator\ntuser.dat.LOG Cannot open; not checked!
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\WINDOWS\USRCLASS.DAT Cannot open; not checked!
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\WINDOWS\UsrClass.dat.LOG Cannot open; not checked!

Test finished, duration 00:04:03.4 s
41517 objects tested, 2 found infected
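
The report above has three kinds of lines: a path followed by a detection name, a path followed by "Cannot open; not checked!", and a summary count. The following is an added example (not code from the thread, AVG or Grisoft) that parses that format, separates the infected files from the files AVG could not open, treats the registry hive names as expected-to-be-locked (the hive list is my assumption, based on the later reply that those files are the registry in use), and checks that the summary count agrees with the detection lines found. The sample text is the report as quoted in the thread, reproduced here as a constructed fixture.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed fixture: the AVG "Complete Test" report quoted in the thread.
SAMPLE_LOG = r"""
Results of Complete Test, date and time 8/9/2004 22:05:29 :

Testing C:\ volume MAINDRIVE serial F4C9-730D
C:\WINNT\SYSTEM32\7F1357.EXE Downloader.Easto.B
C:\WINNT\SECURITY\EDB.LOG Cannot open; not checked!
C:\WINNT\SECURITY\TMP.EDB Cannot open; not checked!
C:\WINNT\Downloaded Program Files\WINHLP32.EXE Downloader.Easto.B
C:\Documents and Settings\Administrator\NTUSER.DAT Cannot open; not checked!
C:\Documents and Settings\Administrator\ntuser.dat.LOG Cannot open; not checked!
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\WINDOWS\USRCLASS.DAT Cannot open; not checked!
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\WINDOWS\UsrClass.dat.LOG Cannot open; not checked!

Test finished, duration 00:04:03.4 s
41517 objects tested, 2 found infected
"""

# Assumption: registry hives are held open by Windows while it runs, so a
# "Cannot open" verdict on them is expected rather than something to chase.
EXPECTED_LOCKED = {"ntuser.dat", "ntuser.dat.log", "usrclass.dat", "usrclass.dat.log"}

NOT_CHECKED = " Cannot open; not checked!"
# Paths may contain spaces ("Downloaded Program Files"); the detection name never does,
# so the greedy group takes everything up to the last space.
DETECTION_RE = re.compile(r"^([A-Za-z]:\\.+) (\S+)$")
SUMMARY_RE = re.compile(r"^(\d+) objects tested, (\d+) found infected$")


@dataclass
class Report:
    infected: List[Tuple[str, str]] = field(default_factory=list)  # (path, detection name)
    unscanned: List[str] = field(default_factory=list)             # paths AVG could not open
    objects_tested: Optional[int] = None
    claimed_infected: Optional[int] = None


def parse_avg_report(text: str) -> Report:
    """Turn the AVG text report into structured lists."""
    report = Report()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Results of", "Testing ", "Test finished")):
            continue
        if line.endswith(NOT_CHECKED):
            report.unscanned.append(line[: -len(NOT_CHECKED)])
            continue
        m = SUMMARY_RE.match(line)
        if m:
            report.objects_tested = int(m.group(1))
            report.claimed_infected = int(m.group(2))
            continue
        m = DETECTION_RE.match(line)
        if m:
            report.infected.append((m.group(1), m.group(2)))
    return report


def triage(report: Report) -> dict:
    """Separate what needs follow-up from what is expected noise."""
    expected, review = [], []
    for path in report.unscanned:
        name = path.rsplit("\\", 1)[-1].lower()
        (expected if name in EXPECTED_LOCKED else review).append(path)
    return {
        "infected": report.infected,
        "locked_as_expected": expected,
        "unscanned_to_review": review,
        # False here means the report is truncated or a line was not recognised.
        "count_consistent": report.claimed_infected == len(report.infected),
    }


if __name__ == "__main__":
    result = triage(parse_avg_report(SAMPLE_LOG))
    for key, value in result.items():
        print(f"{key}: {value}")
```

Running it lists the two detections, the four registry hives as expected-locked, and EDB.LOG and TMP.EDB as unscanned files worth a second look, with the summary count confirmed against the two detection lines.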

classicsoftware
08-11-2004, 10:39 AM
Do you use MS Exchange? Please Read This (http://techrepublic.com.com/5100-6268-1031703.html) about the EDB.LOG file. If you do not use MS Exchange, I would rename this file and boot Windows to make sure all is OK, then dump it. Also, read this (http://support.microsoft.com/default.aspx?scid=kb;EN-US;197971) about TMP.EDB.

Don't worry about the other files; they are your registry and open and in use, and that's why they can't be scanned.

I would search for WINHLP32.EXE and see if it is located elsewhere. I would delete the one in the Downloaded Program Files folder, especially if you find a copy of the file in the Windows folder.


Also, post back the properties of the WINHLP32.EXE file in the Downloaded Program Files folder.

Still cannot find any more information on the virus.

LadyGrey
08-11-2004, 10:06 PM
Ok, finally got around to doing a search for WINHLP32.EXE
I searched for that exact name and got 4 hits.
C:\WINNT
C:\WINNT\system32
C:\WINNT\$NtServicepacUninstall
C:\WINNT\Servicepacfiles\i386
All of them with the big yellow ? and winhlp32 at the beginning. There are two dates for the 4 files. 12-7-1999 and 6-19-2003.
I show nothing in downloaded programs folder. Maybe AVG took it out and put it in the vault??? Sorry classic but if I can't find the darn file I can't give ya the properties.:( I searched for the other file too but came up empty.
I've had limited time to look around for info on this thing but the places I've looked at show nothing. The only place that even mentions it is the link that Ernie gave us. No information on it at all but at least it's mentioned! From what I can tell there is an A version too. I've even looked at a few of the WildLists but they show nothing either. It's got to be real, AVG saw it as an infection, but it's not listed in their own virus lists. I've looked there and tried every variation of the name to find it and still come up with nothing. As I use the free version I don't have access to any help. Maybe someone who has the pro version could ask for us?? I've looked for virus forums too but the few I found didn't look very active at all! This is nuts, how can an antivirus program tag files as a virus and yet there is no information on it anywhere?? There has got to be something I'm missing here.
Well, now I'll go look at the links classic gave me. I don't even know what MS Exchange is much less use it!:D I'm the building type of geek not the user type remember??:p
Thanks very much for all the help.
LG;)
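
When the same system file name turns up in several places, as WINHLP32.EXE did in the search above (four copies, two dates), the useful check is whether the copies that are actually in use are byte-identical to the pristine copy the service pack installer left behind. The following is an added example, not from the thread or any of the tools mentioned in it: it hashes every copy, groups them by digest, and reports which ones differ from the reference copy. The folder names follow the search results in the post; the file contents are placeholders created in a temporary directory so the example runs anywhere, and the choice of ServicePackFiles\i386 as the reference copy is my assumption.

```python
import hashlib
import os
import tempfile
from collections import defaultdict
from typing import Dict, List


def sha256_of(path: str) -> str:
    """SHA-256 of a file, read in chunks so large binaries are not loaded at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_copies(paths: List[str], reference: str) -> Dict:
    """Group copies of one file by digest and report which differ from the reference copy.

    A copy whose digest matches nothing else on the system is the one to look at first;
    a copy that differs only because it is an older build (e.g. a service pack backup)
    is expected and shows up here too, so the caller still decides what is normal.
    """
    by_digest = defaultdict(list)
    for p in paths:
        by_digest[sha256_of(p)].append(p)
    ref_digest = sha256_of(reference)
    return {
        "reference_digest": ref_digest,
        "matching": sorted(by_digest.get(ref_digest, [])),
        "differing": sorted(p for d, ps in by_digest.items() if d != ref_digest for p in ps),
        "distinct_versions": len(by_digest),
    }


def demo() -> Dict:
    # Constructed fixture: the four locations from the thread, recreated under a temp
    # directory. Contents are placeholders standing in for a pre-service-pack build
    # (the $NtServicePackUninstall backup) and a post-service-pack build (the rest).
    layout = {
        os.path.join("WINNT", "WINHLP32.EXE"): b"placeholder: post-service-pack build",
        os.path.join("WINNT", "system32", "WINHLP32.EXE"): b"placeholder: post-service-pack build",
        os.path.join("WINNT", "$NtServicePackUninstall", "WINHLP32.EXE"): b"placeholder: pre-service-pack build",
        os.path.join("WINNT", "ServicePackFiles", "i386", "WINHLP32.EXE"): b"placeholder: post-service-pack build",
    }
    with tempfile.TemporaryDirectory() as root:
        paths = []
        for rel, content in layout.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(content)
            paths.append(full)
        reference = os.path.join(root, "WINNT", "ServicePackFiles", "i386", "WINHLP32.EXE")
        result = compare_copies(paths, reference)
    # Strip the temp root so the report reads like the original search results.
    result["matching"] = [os.path.relpath(p, root) for p in result["matching"]]
    result["differing"] = [os.path.relpath(p, root) for p in result["differing"]]
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the fixture above, the copies in WINNT, system32 and ServicePackFiles\i386 share one digest and only the $NtServicePackUninstall backup differs, which is the expected picture for a system that has had a service pack applied; a fifth copy matching neither digest would be the one to look at.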

classicsoftware
08-14-2004, 08:11 PM
Dear LG:

I would dump the files in question that are in the vault or quarantine or whatever your AV program calls it.

I would double check with an on-line scan at Trend Micro or Symantec. If you're really paranoid you can download a 30 day free trial of Trojan Hunter, but I think you are probably ok.

LadyGrey
08-15-2004, 01:03 AM
Thanks so much classic! I've done the online scans and come up clean. The computer seems to be booting up fine and running right along. Better than ever actually.
I'm gonna keep looking for whatever this thing is. As long as it's off my computer I'm not too worried, but it would be nice to know what it is and how the devil it got on there in the first place. Might help someone else sometime, ya never know.
I've been thinking about dumping those files but just wasn't sure what would happen. I think I'll give it a shot.
Thanks and Thanks!
LG;)

PrntRhd
08-15-2004, 01:17 AM
LG,
Check this out, seems a buffer overrun can occur, also this from Trend Micro: WINHLP32.exe (http://www.securitytracker.com/alerts/2004/Jun/1010446.html)
Also this:
symantec (http://securityresponse.symantec.com/avcenter/venc/data/pf/w32.lovit.html)
a different name but said to be the same thing.
Another site said it is related to Lovegate worm.

gamel
01-19-2009, 12:35 PM
While performing a scan with Ad-Aware, a background antivirus monitor may issue an alert, stating that a virus has been found in the temporary directory (%temp%) for the current user. This does not necessarily mean your computer has been infected with an active virus. Most antivirus resident scanners will not scan compressed files and only monitor your memory for the sign of an active viral process. During a scan, Ad-Aware will temporarily decompress files to scan their contents without activating the content, but in doing so, the file is noticed by the antivirus' resident scanner. Also, some antivirus applications include an option to quarantine infected files, and when Ad-Aware decompresses these quarantined files, the antivirus background scanner detects the virus moving outside the quarantine area.

mjc
01-19-2009, 12:55 PM
This thread is over 4 and a half years old...the problem has been long solved. And the original post had nothing to do with Ad-Aware...except state that she ran it all the time.

Plus a 'cut and paste' from the Ad-Aware help file isn't all that helpful...

BTW...remove that blatant advertising signature, or it will be removed. Consider this your only warning.