I got 3 positives (on 2 files) after just doing a scan, and I’m not sure I understand them. I’d like to know where they might have come from, why they are so old, and in one case, what could possibly be wrong w/it.
koepishomepage:
It’s a shortcut, the content for which is: http://www.koepi.info/
It’s in C:\Program Files\Xvid
and
Created: March 31, 2010, 2:59:05 AM
Modified: May 25, 2008, 3:39:04 PM
Could whatever program planted it there have set those dates? I can’t believe it’s been there for a year. http://www.virustotal.com says “File already submitted: The file sent has already been analysed by VirusTotal in the past. This is same basic info regarding the sample itself and its last analysis”. The “view last report” link says that it’s tested positive with nothing. http://virusscan.jotti.org says that nothing, not even avast! reported anything, which is weird.
Not only that, but http://www.koepi.info/ appears to be the same web site from which Xvid (installed several dozen full system scans ago) came. So how is this dangerous all of a sudden.
C:\Windows\ENC710.dll
I’m not sure what to think about this one. I looked through the registry and the only hit I got on “enc710” that wasn’t part of MRUs is Dsepikagupis which has “rundll32.exe “C:\WINDOWS\ENC710.dll”,Startup” and is found in HKEY_USERS\S-1-5-21-682003330-1645522239-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Run
Created: August 23, 2001, 9:00:00 AM
Modified: April 14, 2008, 5:42:10 AM http://virusscan.jotti.org gives it names like “Win32:Malware-gen”, “Trojan.Win32.Hiloti” and “Win32/Kryptik.NTD”. http://www.virustotal.com seems to agree but the only other information it gives is cryptic and unhelpful.
It’s also weird that avast! reported this twice for the same file.
So what am I supposed to think of all this? How does a shortcut to the software’s web site constitute a “threat” (severity “high”), and how do I know where the dll came from, and how long this stuff has been there?
The site has facebook pastebin malcode, a kind of Stacheldraht-like spyware infection, see the code here:
htxp://jsunpack.jeek.org/dec/go?report=06566e1d1eeb1c06e64d15750c74d9ef340a3480
Only visit the jsunpack link when security aware, with ample script protection and sandboxed!
So the web site has parasitic code on it, that’s why avast! flagged the file?
About that DDL: I’d be interested to know how long it might have been on my system, why it was only discovered the other day, and when it was added to the virus database.
The dll was detected as a heuristic/generic find as - hiloti-D - malware . As this type of program is not always malicious, it has been known to perform suspicious activity especially in combination with unwanted Browser Helper Objects (did you recently find any), as these BHO’s are usually installed covertly onto an unsuspecting computer system. You can do a freefixer scan, get from here: http://www.freefixer.com/static/freefixersetup.exe and attach a scan report as txt file to your next posting,
Uhm… ok. I’m not sure what you are looking for in the FreeFixer log but here it is. The in-program report doesn’t seem to say very much and this log seems to say even less.
I do see browser things getting in my way from time to time, but I’ve assumed that they were just parts of the web page, not surreptitious software. I guess I still don’t know. How could it be legit, how could it be malicious sort of thing?
You could fix the following with Freefixer:
HKLM..\Run, Bwubor = rundll32.exe “C:\WINDOWS\ahoxuyiru.dll”,Startup
HKCU..\Run, Dsepikagupis = rundll32.exe “C:\WINDOWS\ENC710.dll”,Startup (or you must know where Dsepikagupis stands for)
Rundll Modules (38 whitelisted)
C:\WINDOWS\ahoxuyiru.dll
C:\WINDOWS\ENC710.dll
Academic at this point. I’ve got an XP Home Security 2011 (and probably a whole family of other viruses) and avast! isn’t doing anything about it! So I’ve got no system.
What is “C:\WINDOWS\ahoxuyiru.dll” anyway? I read the removal instructions for XPHS2011 and it said it usually comes in the guise of these files whose names have random characters, so I disabled that one. 'Didn’t work, of course.
Academic at this point. I've got an XP Home Security 2011 (and probably a whole family of other viruses) and avast! isn't doing anything about it! So I've got no system.
First run Rogue kliller and then you should be able to run OTS
Download RogueKiller to your desktop
[*]Quit all running programs
[*]For Vista/Seven, right click → run as administrator, for XP simply run RogueKiller.exe
[*]When prompted, type 2 and validate
[]The RKreport.txt shall be generated next to the executable.
[]If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe
Please post the contents of the RKreport.txt in your next Reply.
THEN
Download OTS to your Desktop and double-click on it to run it
[*]Make sure you close all other programs and don’t use the PC while the scan runs.
[*]Select All Users
[*]Under additional scans select the following Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check
[*]Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Please attach the log in your next post.
Ok then. I ran RogueKiller and attached the log, but I couldn’t get OTS. This is what I got:
ops! Google Chrome could not connect to oldtimer.geekstogo.com
Suggestions:
Go to geekstogo.com
Try reloading: oldtimer.geekstogo.com/OTS.exe
Search on Google: