8 Replies Latest reply on Oct 13, 2010 6:52 PM by ArtieRLT

    Help eapp32hst.dll keeps poping up

      I have a Windows XP machine running VS Enterprise 8.7.0i with Scan Engine 5400.1158 DAT version 6115.000 (9/23/2010).

       

      On-Access Scan Messages keep poping up with the following info:

       

      Name: C:\Docum~1\user\local setting\temp\eapp32hst.dll

      Detected As: FakeAlert-OZ

      State: Deleted

       

      ... when I close the window, it comes back up with the same msg.

      An on demand scan finds a trojan that it deletes but problem still presist.

       

      Has anyone seen this before?

        • 1. Re: Help eapp32hst.dll keeps poping up

          I got infected by this on last eve. It came like windows update and was asking permission to install. I think it used some security vulnerability in IE, and the was asking permission continuously. It was my mistake that I gave permission. After that the same issue was happening for me. I restarted in safe mode and scanned my system completely, unfortunately McAfee did not detect anything.

           

          This evening I googled a lot and finally got it resolved.

           

          Following are the steps I did.
          1. Killed the process dfrgsnapnt.exe from task manager
          2. Removed dfrgsnapnt.exe from startup (using msconfig)

           

          This could fix the issue.

           

          Use following link for further reference:
          http://www.spywareremove.com/removeTrojanDownloaderWin32FraudLoadhas.html

          • 2. Re: Help eapp32hst.dll keeps poping up
            ArtieRLT

            Well,

             

            This is in the right direction anyway.  I have a similar situation but not identical.  I supposedly cleaned this FakeAlert-OZ trojan from my computer and it seemed to be gone for a while.  Then it popped back up but didn't get as far this time as I was familiar with it.  I ran McAfee again and it reported it had quarantined a file corresponding to FakeAlert.  Specifically catches eapp32hst.dll in c:\Users\{username}\AppData\Local\Temp\ which is odd that it has caught it multiple times since it also removes and quarantines it .

             

            I can find just one of the referenced programs under c:\Users\{username}\AppData\Local\Temp\dfrgsnapnt.  I had to do a search including hidden and system files.  But, though it appears in the Task Manager as a running process when I start up I can't figure out why it's starting.  When I run msconfig I looked under the Startup, Services, and Tools tabs but couldn't find it in the list or anything I'd suspect would be it.  I did find a leftover (I think) from the first encounter with this.  Under c:\Users\{username}\AppData\Roaming there is a directory called AnVi which I believe contains some leftovers from the first encounter given their date and time.

             

            I looked at the link provided to spywareremove.com.  I can't find anything in the registry as they advise.  Also I can't find the eapp32hst.dll file anywhere.

             

            So questions:

             

            1.) How could dfrgsnapnt.exe be starting up and appearing when it's not in the startup list in msconfig?  Is it safe to delete the file manually and try to reboot?  Perhaps it's existance is causing eapp32hst.dll  to return? It appears to only be known to one of the users on this PC.

            2.)  I plan to also delete the AnVi directory and it's contents.  Both deletions will need to be from a command line prompt.  I can't see the contents or files or folders otherwise. Bad idea or good idea?

            3.) Maybe I could just delete this user and recreate it or start another under a different name?

             

             

            Message was edited by: ArtieRLT on 10/10/10 2:31:27 PM CDT
            • 3. Re: Help eapp32hst.dll keeps poping up

              1) Do the cleanup in Safe Mode...(Press F8 (continuously) after switching on the computer, you will get a menu where you can select the safe mode), also remove all the suspicious items from startup..

              2) Instead of deleting you can rename it to something else, so that if it has some important files and causing the functionality of your system, you can revert it back.

              3) That is not necessary for this kind of minor issues.

              • 4. Re: Help eapp32hst.dll keeps poping up

                Hi,

                 

                This is quite ok when you're users are knowledgeable and also local administrators, but when you have 10000+ users and for each one of those infected, let's say about 20/30, you get 100's of emails per minute, it gets kinda hard to deal with the situation.

                 

                The problem here is the antivirus isn't able to remove the original infection. I think, perhaps, that a fix for the scan engine or an updated detection is in order.

                 

                Cheers

                • 5. Re: Help eapp32hst.dll keeps poping up

                  Hi,

                  I had the same issue and i resolved it by using HijackThis and removed an entry..look at the attached screen shot taken from HijackThis.

                  • 6. Re: Help eapp32hst.dll keeps poping up

                    Hi,

                    I had the same issue and i resolved it by using HijackThis and removed an entry..look at the attached screen shot taken from HijackThis.

                    • 7. Re: Help eapp32hst.dll keeps poping up

                      Hi,

                       

                      I thought this was "Corporate User Assistance", and not "Other Vendor Ways Of Removing a Virus Because The AV Vendor For Which I Pay Thousands of USD's a Year Can't Remove It".

                       

                      Seriously, when will Viruscan be able to remove this?

                      • 8. Re: Help eapp32hst.dll keeps poping up
                        ArtieRLT

                        Thanks for all the advice.  I finally used the admin account to delete the user.  It blew away all the files in the user directory (including the offending ones) which wasn't much (no email or pictures, or anything substantial, so no big loss).  Then I just gave the user a new account.  Appears to have worked for now.  Other users did not appear to have encountered the trojan.  Will post again if problem reappears.

                         

                        However, it does seem as if this should be a fairly easy fix for McAfee and not so difficult to prevent.  Appears the virus scan can catch part but not all the problem.

                         

                        And, it would seem, if I was McAfee I'd assign someone to troll these user community post looking for just this sort of conversation.  It would give me much of the information I needed to improve my product.  Maybe that happens and I just don't know it.

                         

                         

                        Message was edited by: ArtieRLT on 10/13/10 6:52:14 PM CDT