Malwarebytes

Trojan Hoster?


6 replies to this topic

#1
whatmeworry?

    True Member

  • Honorary Members
  • 297 posts
I've been happily using Anti-Malware Pro. Recently, though, I read that SuperAntiSpyware sometimes finds things that Anti-Malware misses (and vice versa). I decided to download the free version of SAS and try it. I first ran a full scan with Anti-Malware Pro; as usual, it found nothing problematic. I then ran a full scan with SAS. It found a few tracking cookies, which didn't surprise or concern me. But to my surprise it also found something called Trojan Hoster. It cited two files:

Trojan.Hoster
C:\WINDOWS\SYSTEM32\ESCLICWD.DLL
C:\WINDOWS\SYSTEM32\ESCSIRIBBON.DLL

I have no idea what this is, nor was I able to find out much from a Google search. I told SAS to quarantine and remove everything it found. My question is, what is Trojan Hoster, and should Anti-Malware Pro have found it?
Dell XPS 8300 Win7 Prof. 64-bit desktop (Intel Core i5-2400 processor, 8 GB RAM): MS Security Essentials AV, Windows Firewall, MBAM Pro, WinPatrol PLUS
Toshiba NB305-N410BL netbook: Win7 Starter (2 GB RAM), MS Security Essentials AV, Windows Firewall, MBAM Pro, WinPatrol PLUS

#2
AdvancedSetup

    Forum Deity

  • Administrators
  • 22,575 posts
  • Gender:Male
  • Location:US
Can you please zip up those 2 files and attach them to a new post here:

You will have to temporarily restore them from the SAS quarantine folder to do that if you've had SAS remove them already.

  • How To Use Compressed (Zipped) Folders in Windows XP
  • Compress and uncompress files (zip files) in Vista


Then post this link in the new post to reference it.
http://www.malwarebytes.org/forums/index.php?showtopic=13758&view=findpost&p=71009

Ron Lewis
Manager, Online Support


If you've posted to the HJT forum and it has been over 5 days without a response please send a Private Message asking for assistance.

#3
whatmeworry?


AdvancedSetup, on Apr 7 2009, 01:19 AM, said:

> Can you please zip up those 2 files and attach them to a new post here:
>
> You will have to temporarily restore them from the SAS quarantine folder to do that if you've had SAS remove them already.
Thanks very much for your response. I think/hope I've done what you asked. I'm not sure, though, how I would have proceeded if I didn't have PowerShadow to use as a sandbox. I turned on PowerShadow mode, then restored the files from the quarantine and put them in a zipped folder. But if I hadn't had PowerShadow, wouldn't I have been putting my system at risk by restoring the files?

Anyway, I've now posted a message in the section you indicated, along with the zipped folder which I attached. I'll be interested to know what you find.

Again, thanks very much.

#4
AdvancedSetup

In general, no. If you had rebooted and had a Registry entry calling that file, or if you still have a live infection, then possibly, but since SAS removed it in the first place, it should be able to remove it again if something did accidentally go wrong. Just having files on a drive does not activate them; something has to load or call them.
Ron Lewis
Manager, Online Support
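
The reply above says a restored file stays inert unless a Registry entry or something else loads it, and that can be checked before a flagged DLL is trusted. The PowerShell below is an added example, not part of the original thread or of any Malwarebytes or SAS tool; it reports each file's hash, signature and vendor, and counts references in an assumed, non-exhaustive set of autostart registry locations.

```powershell
# Added example: the two paths are the files named in the thread; the key list is a subset.
$files = 'C:\WINDOWS\SYSTEM32\ESCLICWD.DLL', 'C:\WINDOWS\SYSTEM32\ESCSIRIBBON.DLL'
$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'  # AppInit_DLLs
)
function Test-Mentions([object]$Data, [string]$Leaf) {
    # Case-insensitive substring match; multi-string values are joined first.
    $text = @($Data) -join ' '
    return $text.IndexOf($Leaf, [StringComparison]::OrdinalIgnoreCase) -ge 0
}
function Get-AutostartReference([string]$Leaf) {
    foreach ($path in $autostartKeys) {
        $key = Get-Item -Path $path -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            if (Test-Mentions ($key.GetValue($name)) $Leaf) {
                [pscustomobject]@{ Location = $path; Value = $name }
            }
        }
    }
    # Services load code through ImagePath or Parameters\ServiceDll.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
        $params = $_.OpenSubKey('Parameters')
        $dll = if ($params) { $params.GetValue('ServiceDll') }
        if ((Test-Mentions ($_.GetValue('ImagePath')) $Leaf) -or (Test-Mentions $dll $Leaf)) {
            [pscustomobject]@{ Location = $_.Name; Value = 'service' }
        }
    }
}
foreach ($f in $files) {
    if (-not (Test-Path -LiteralPath $f)) { "$f : not present"; continue }
    $sig = Get-AuthenticodeSignature -LiteralPath $f
    $ver = (Get-Item -LiteralPath $f).VersionInfo
    [pscustomobject]@{
        File      = $f
        SHA256    = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        Signature = $sig.Status
        Signer    = $sig.SignerCertificate.Subject
        Company   = $ver.CompanyName
        Autostart = @(Get-AutostartReference (Split-Path $f -Leaf)).Count
    }
}
```

An `Autostart` count of 0 only means none of the listed locations names the file; an application can still load the DLL when it runs.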


#5
whatmeworry?

Thanks for your response to my question. That's good to know. I've also now seen a response on the section of the forum where I posted the suspect files. The files turn out to be part of a program I own, and in fact the program was acting very strangely yesterday--probably because SAS had quarantined those two files! :o Anyway, I'm much relieved and very appreciative for the help Malwarebytes has given me for a problem that wasn't even of your making. I tried to post a note thanking Raid on that other section of the forum, but the topic was apparently locked after the diagnosis was made.

#6
AdvancedSetup

Great, glad it's all clear and you're all set now. You might want to post and let SAS know then that they are not infected files.

Cheers.
Ron Lewis
Manager, Online Support


#7
whatmeworry?

Yes, I was thinking perhaps I should notify SAS. Now I definitely will. Thanks again.




