win 32 enistery question

I did a scan yesterday and Avast detected a ton of positives for the win32 Enistery [susp].

Following the advice in one forum I uninstalled Spyware Doctor, rebooted, did another scan. Same thing.

Updated MBAM, ran a quick scan, again, nothing. Finally, followed the advice from essexboy elsewhere on the forum: downloaded OTS, ran a scan. (Log attached)

Not sure what to do now. Suggestions?

I reviewed your OTS log. I am going to refer you to our Certified Malware expert, named Essexboy. He will also review your log and give you further instructions, however he comes on the forum late UK time. He will respond to you in this thread, so remember to check this thread daily.

Please do not make any further changes to your machine after you have provided the logs.

IMPORTANT: If you are on a home network, disconnect the affected machine from the network. Do not share a USB/flash drive with this affected machine. Do not use this machine unless Essexboy instructs you to for malware removal instructions; use a different machine to check email, sync your phone, etc. if possible.

Please let me know how your machine is behaving that prompted you to scan for malware.

Let me know if you have any questions. Thank you.

Hi, you have been using an infected USB drive - they will all need to be cleaned.

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says “Paste fix here” and then click the Run Fix button.

[Unregister Dlls]
[Registry - Safe List]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> "Media Codec Update Service" -> [C:\Program Files\Essentials Codec Pack\update.exe -silent]
< Standard Profile Authorized Applications List > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
YN -> "C:\Program Files\PPMate\ppamnet.exe" -> [C:\Program Files\PPMate\ppamnet.exe:*:Enabled:PPMate]
YN -> "C:\Program Files\PPMate\ppmate.exe" -> [C:\Program Files\PPMate\ppmate.exe:*:Enabled:PPMate]
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
YN -> \{bc89d935-3eb3-11de-b8e3-001d09c0f111} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bc89d935-3eb3-11de-b8e3-001d09c0f111}\shell\AutoRun\command -> 
YN -> \{bc89d935-3eb3-11de-b8e3-001d09c0f111}\shell\AutoRun\command\\"" -> [iqe68o.bat]
YN -> \{bc89d935-3eb3-11de-b8e3-001d09c0f111} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bc89d935-3eb3-11de-b8e3-001d09c0f111}\shell\explore\Command -> 
YN -> \{bc89d935-3eb3-11de-b8e3-001d09c0f111}\shell\explore\Command\\"" -> [iqe68o.bat]
YN -> \{bc89d935-3eb3-11de-b8e3-001d09c0f111} -> 
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bc89d935-3eb3-11de-b8e3-001d09c0f111}\shell\open\Command -> 
YN -> \{bc89d935-3eb3-11de-b8e3-001d09c0f111}\shell\open\Command\\"" -> [iqe68o.bat]
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.
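The MountPoints2 entries in the fix above are the persistence mechanism of a USB worm: Explorer runs the listed command when the drive is autorun, opened or explored. As an added example (not part of this thread, not OTS code), this Python parses MountPoints2 lines in the OTS listing format shown above and flags every volume GUID with a shell verb command set. The sample listing is constructed; the GUIDs are made up.

```python
import re
from collections import defaultdict

# OTS prints a MountPoints2 shell verb as:
#   YN -> \{guid}\shell\<verb>\command\\"" -> [value]
# A volume GUID whose AutoRun/open/explore verb has a command set is the
# classic USB-worm foothold the OTS fix above removes.
ENTRY_RE = re.compile(
    r'^YN -> \\\{(?P<guid>[0-9a-f-]{36})\}\\shell\\(?P<verb>[a-z]+)'
    r'\\command\\+"*\s*->\s*\[(?P<cmd>[^\]]*)\]',
    re.IGNORECASE,
)

# Constructed sample in the OTS format (GUIDs invented; command name from the thread).
SAMPLE_OTS = r'''
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
YN -> \{11111111-2222-3333-4444-555555555555} -> 
YN -> \{11111111-2222-3333-4444-555555555555}\shell\AutoRun\command\\"" -> [iqe68o.bat]
YN -> \{11111111-2222-3333-4444-555555555555}\shell\explore\Command\\"" -> [iqe68o.bat]
YN -> \{11111111-2222-3333-4444-555555555555}\shell\open\Command\\"" -> [iqe68o.bat]
YN -> \{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee} -> 
'''


def parse_mountpoints2(text):
    """Return {guid: {verb: command}} for every shell verb command in an OTS listing."""
    found = defaultdict(dict)
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            found[m.group("guid").lower()][m.group("verb").lower()] = m.group("cmd").strip()
    return dict(found)


def flag_autorun_persistence(text):
    """Return (guid, verb, command) for each verb that launches something.

    Legitimate volumes rarely carry any shell verb command under MountPoints2,
    so every non-empty command is reported for the analyst to review.
    """
    hits = []
    for guid, verbs in parse_mountpoints2(text).items():
        for verb, cmd in verbs.items():
            if cmd:
                hits.append((guid, verb, cmd))
    return hits


if __name__ == "__main__":
    for guid, verb, cmd in flag_autorun_persistence(SAMPLE_OTS):
        print(f"{guid}: shell\\{verb}\\command -> {cmd}")
```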

Thanks, guys, you’re awesome.

@safesurf
The machine was just moving kind of slow, especially for web browsing, etc. Seems not to be a problem anymore, we’ll see.

@essexboy
Ran the fix in OTS. The log is attached.

So the machine is running better now after running the fix?

Essexboy will also review your log when he comes on the forum. Thank you for posting.

Total Files Cleaned = 10.965,00 mb

Could you now run Malwarebytes to see if there are any orphans around - once done, could you let me know what your current problems are?

Please download Malwarebytes’ Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select “Perform Quick Scan”, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Hello again. Here’s the log from the quick scan I did on MBAM. (It’s in Spanish but the results are pretty clear, didn’t find anything.)

Malwarebytes’ Anti-Malware 1.50.1.1100
www.malwarebytes.org

Versión de la Base de Datos: 6623

Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.19048

20/05/2011 7:58:51
mbam-log-2011-05-20 (07-58-51).txt

Tipos de Análisis: Análisis Rápido
Objetos examinados: 170108
Tiempo transcurrido: 9 minuto(s), 51 segundo(s)

Procesos en Memoria Infectados: 0
Módulos de Memoria Infectados: 0
Claves del Registro Infectadas: 0
Valores del Registro Infectados: 0
Elementos de Datos del Registro Infectados: 0
Carpetas Infectadas: 0
Archivos Infectados: 0

Procesos en Memoria Infectados:
(No se han detectado elementos maliciosos)

We’ll see how she runs today and I’ll let you know.
Also, you mentioned something about infected USB drive. Any recommendations as to how to clean that up?

Again, thanks so much for the help.

MBAM looks clean, which is good. :slight_smile:

How to format or cleanse your USB / flash drive:

  • Right click from Windows Explorer and do a full format to cleanse your USB flash drive.
  • Essexboy may have more to say on this.

I would recommend installing Panda USB Vaccine for USB devices
http://research.pandasecurity.com/panda-usb-and-autorun-vaccine/ and it can be run on any drive on your machine for removable devices.

You are given the option to “vaccinate” your machine, which means to disable autoruns.inf [worm] from infecting your machine, and you can enable it again (although I wouldn’t). Plus you can “vaccinate” any USB/flash or removable device so that it cannot infect your machine. This type of malware is easily transmittable because many people use USB’s.

You can see from my Signature, that I use this software and it does not conflict with Avast.

Please run your machine normally for the next 24 - 48 hours and check back later for Essexboy’s reply.

Less typing for me ;D

Please report back immediately if you have any problems, otherwise, just report back that everything is going well with your machine.

In the meantime, here are a few suggestions to keep you and your machine safer in the future:

  1. Keep your definitions up to date for both Avast and MBAM.
  2. Keep all your shields on with Avast for maximum protection.
  3. Update MBAM prior to scanning, then do Quick scans.
  4. Keep your MS/Windows Updates current.
  5. Add security related Add-on’s to your browsers for safer browsing. See my Signature as an example.
  6. Use common sense when browsing and do not go to risky sites.
  7. When downloading software, read what you are clicking and do not download adware toolbars which are commonly opted in; look before you click or do a Custom install to avoid putting unwanted toolbars on your machine that lead to spyware tracking or adware.
  8. Download CCleaner, a free system optimization, privacy and cleaning tool. There is a Slim version available as well at http://www.piriform.com/ccleaner/builds – scroll down. It removes unused files (cache, temporary Internet files, etc.) from your system, allowing Windows to run faster and freeing up valuable hard disk space. It also cleans traces of your online activities such as your Internet history. Additionally it contains a fully featured registry cleaner; you can make a back up prior to making a fix.
  9. Check to see that your software is up to date with the free Secunia Software Inspector http://secunia.com/vulnerability_scanning/personal/ since software is changing all the time. This site gives you the vendor’s direct download link making it easy to upgrade your software. Many of us here scan our machines weekly.
  10. Do not share your USB sticks with others or use on non-vaccinated machines.

I would run the MS/Windows Update and Secunia PSI scan while you are testing your machine over the next 24 - 48 hours to see if anything needs to be patched. Remember, if you install anything, reboot your machine after each install. The same goes for any uninstall…reboot after each uninstall. Let us know if you have any questions.

I have the same problem with this trojan. Please help me!!!

Start your own thread and follow the instructions:
https://forum.avast.com/index.php?topic=53253.0