Want more insight into a positive: enc710.dll

I got 3 positives (on 2 files) after just doing a scan, and I’m not sure I understand them. I’d like to know where they might have come from, why they are so old, and in one case, what could possibly be wrong w/it.

koepishomepage:
It’s a shortcut, the content for which is: http://www.koepi.info/
It’s in C:\Program Files\Xvid
and
Created: March 31, 2010, 2:59:05 AM
Modified: May 25, 2008, 3:39:04 PM
Could whatever program planted it there have set those dates? I can’t believe it’s been there for a year.
http://www.virustotal.com says “File already submitted: The file sent has already been analysed by VirusTotal in the past. This is same basic info regarding the sample itself and its last analysis”. The “view last report” link says that it’s tested positive with nothing.
http://virusscan.jotti.org says that nothing, not even avast! reported anything, which is weird.
Not only that, but http://www.koepi.info/ appears to be the same web site from which Xvid (installed several dozen full system scans ago) came. So how is this dangerous all of a sudden.

C:\Windows\ENC710.dll
I’m not sure what to think about this one. I looked through the registry and the only hit I got on “enc710” that wasn’t part of MRUs is Dsepikagupis which has “rundll32.exe “C:\WINDOWS\ENC710.dll”,Startup” and is found in HKEY_USERS\S-1-5-21-682003330-1645522239-839522115-1004\Software\Microsoft\Windows\CurrentVersion\Run
Created: August 23, 2001, 9:00:00 AM
Modified: April 14, 2008, 5:42:10 AM
http://virusscan.jotti.org gives it names like “Win32:Malware-gen”, “Trojan.Win32.Hiloti” and “Win32/Kryptik.NTD”.
http://www.virustotal.com seems to agree but the only other information it gives is cryptic and unhelpful.
It’s also weird that avast! reported this twice for the same file.

So what am I supposed to think of all this? How does a shortcut to the software’s web site constitute a “threat” (severity “high”), and how do I know where the dll came from, and how long this stuff has been there?

could you post the VirusTotal scan link(s) so we can see…

You can do that? You mean this:

This is for the short-cut: http://www.virustotal.com/file-scan/reanalysis.html?id=299a5ecd452d940248fe54cca7db17670261cf2dd7c5e60b73289e933312769d-1305609660

And this is the dll: http://www.virustotal.com/file-scan/reanalysis.html?id=7a5570c853971bc727987e78554fa2da688eeaa7cfdb67b6c02c8c40e8bf1b02-1305609735

when clicking on reanalyse i get nothing, but if i recsan the URL ( htxp://wxw.koepi.info/ ) i get this

URL scan - 1/16
http://www.virustotal.com/url-scan/report.html?id=5d35445be6aa4604a642c1bf3856fc67-1303926626

index.html scan
http://www.virustotal.com/file-scan/report.html?id=299a5ecd452d940248fe54cca7db17670261cf2dd7c5e60b73289e933312769d-1305608933

The dll file reanalyse gives this

ENC710.dll - 23/43
http://www.virustotal.com/file-scan/report.html?id=7a5570c853971bc727987e78554fa2da688eeaa7cfdb67b6c02c8c40e8bf1b02-1305609735

does not look like a False Positive with so many detecting it

i can have that dll file checked if you send it to me ?

see top right corner here “My messages”

Pondus & PengiunLust,

The site has facebook pastebin malcode, a kind of Stacheldraht-like spyware infection, see the code here:
htxp://jsunpack.jeek.org/dec/go?report=06566e1d1eeb1c06e64d15750c74d9ef340a3480
Only visit the jsunpack link when security aware, with ample script protection and sandboxed!

Make the link non-click through like -http://www.koepi.info/

polonus

So the web site has parasitic code on it, that’s why avast! flagged the file?

About that DDL: I’d be interested to know how long it might have been on my system, why it was only discovered the other day, and when it was added to the virus database.

The dll was detected as a heuristic/generic find as - hiloti-D - malware . As this type of program is not always malicious, it has been known to perform suspicious activity especially in combination with unwanted Browser Helper Objects (did you recently find any), as these BHO’s are usually installed covertly onto an unsuspecting computer system. You can do a freefixer scan, get from here: http://www.freefixer.com/static/freefixersetup.exe and attach a scan report as txt file to your next posting,

polonus

detection for ENC710.dll is good
3 more have added detection for it Ikarus/K7antivirus/TheHacker and McAfee have changed detection name from artemis to Hiloti
http://www.virustotal.com/file-scan/report.html?id=7a5570c853971bc727987e78554fa2da688eeaa7cfdb67b6c02c8c40e8bf1b02-1305753714

malwarebytes also detect it as Trojan.Hiloti

Hi Pondus,

The flag could also have been through the use of a Safestick USB stick,

polonus

Uhm… ok. I’m not sure what you are looking for in the FreeFixer log but here it is. The in-program report doesn’t seem to say very much and this log seems to say even less.

I do see browser things getting in my way from time to time, but I’ve assumed that they were just parts of the web page, not surreptitious software. I guess I still don’t know. How could it be legit, how could it be malicious sort of thing?

You could fix the following with Freefixer:
HKLM..\Run, Bwubor = rundll32.exe “C:\WINDOWS\ahoxuyiru.dll”,Startup
HKCU..\Run, Dsepikagupis = rundll32.exe “C:\WINDOWS\ENC710.dll”,Startup (or you must know where Dsepikagupis stands for)
Rundll Modules (38 whitelisted)
C:\WINDOWS\ahoxuyiru.dll
C:\WINDOWS\ENC710.dll

polonus

Academic at this point. I’ve got an XP Home Security 2011 (and probably a whole family of other viruses) and avast! isn’t doing anything about it! So I’ve got no system.

What is “C:\WINDOWS\ahoxuyiru.dll” anyway? I read the removal instructions for XPHS2011 and it said it usually comes in the guise of these files whose names have random characters, so I disabled that one. 'Didn’t work, of course.

Academic at this point. I've got an XP Home Security 2011 (and probably a whole family of other viruses) and avast! isn't doing anything about it! So I've got no system.

XP Home Security 2011 uninstall guide

read it all before you start
http://www.bleepingcomputer.com/virus-removal/remove-win-7-internet-security-2011

If no success, Essexboy will help you

First run Rogue kliller and then you should be able to run OTS
Download RogueKiller to your desktop

[*]Quit all running programs
[*]For Vista/Seven, right click → run as administrator, for XP simply run RogueKiller.exe
[*]When prompted, type 2 and validate
[]The RKreport.txt shall be generated next to the executable.
[
]If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe

Please post the contents of the RKreport.txt in your next Reply.

THEN

Download OTS to your Desktop and double-click on it to run it

[*]Make sure you close all other programs and don’t use the PC while the scan runs.
[*]Select All Users
[*]Under additional scans select the following
Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

[*]Under the Custom Scan box paste this in

netsvcs
%SYSTEMDRIVE%*.exe
/md5start
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

[*]Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Please attach the log in your next post.

Well now I’ve got deeper problems.

you should follow Essexboys advice as he is the removal Expert in here

the OTS log may show what the problem is…

Ok then. I ran RogueKiller and attached the log, but I couldn’t get OTS. This is what I got:
ops! Google Chrome could not connect to oldtimer.geekstogo.com
Suggestions:
Go to geekstogo.­com
Try reloading: oldtimer.­geekstogo.­com/­OTS.­exe
Search on Google:

yes http://oldtimer.geekstogo.com seems to be down, probably some maintenance work
so try again later

Alternate download site http://www.itxassociates.com/OT-Tools/OTS.scr

EDIT: G2G is moving servers at the moment and they had a little hiccup last night