
Looks like I've been infected by a virus, namely NSIS:Downloader-BX [Drp], in a file named DpiSca.exe, but...

I wasn't visiting any usual suspect sites (warez, pr0n etc) and nobody else was using my computer.

I'm not getting any usual symptoms.

It's been more than 5 years since I've been infected last time, so I'm pretty confident that I know how to take care of myself.

I'm unable to find any information on the Internet about the virus I'm infected with.

According to VirusTotal, only avast! considers it a virus.

Sysinternals Process Explorer, which seems to be a well-respected program, does not show any suspicious processes.

After running the most thorough scan available in free avast! several times, it found no infections. I'll be purging a friend's computer tomorrow and once it is secured, I plan on using it to scan my hard drive just to be safe.

The file seems to be an NSIS installer. Once extracted, it contained only two .dll files – ExecPri.dll and inetc.dll – and neither of them seems to be infected according to VirusTotal and avast!. The file inetc.dll appears to be a standard part of NSIS, but I was unable to find information about ExecPri.dll.

After analyzing the installer file, the only suspicious strings are related to RichEdit, which appears to be a JavaScript editor, which I'm not using. The rest seems to be standard NSIS boilerplate.

I'm using OpenDNS and it doesn't report any suspicious DNS resolutions.

On the other hand:

The file appeared several times in my \Windows directory even after being deleted and I have no idea what's creating it. (Are there any tools which can determine which file is made by which process?)

The only reference I could find about it was in the Google cache of a forum dealing with malware infections, and there it was marked as a virus agent.

My question is how do I check if this file is or isn't a part of a virus?

4 Answers

As it is an exe you can upload it to Anubis and see what all it might be trying to do. I know you found the two DLLs but this might help track down any other things it might do. If you don't see anything fishy from Anubis and with all the other things you have done it is probably inert and you can delete it and ignore it.

  • Me likey the link.
    – digitxp
    Commented Sep 1, 2010 at 3:57
  • Interesting link! Too bad they seem overloaded. Well, I'll know what it does in 42 days.
    – AndrejaKo
    Commented Sep 1, 2010 at 8:14
  • I've selected this one because Anubis seems great! I've received their report and it's here: anubis.iseclab.org/… It seems that my friend whose computer I was fixing got infected with the exact same virus. Anubis confirmed the information I gained from his computer. DpiSca.exe is indeed a downloader for a virus. In the report, the file name is different because I submitted the file directly from the recycle bin. The virus it downloads seems to be Trojan-Spy.Win32.Zbot
    – AndrejaKo
    Commented Sep 1, 2010 at 22:04

If it is a virus, it's doing a pretty sappy job at it.

I'd suspect it's either a poorly written program or an old one.

One thing you didn't mention is where you found the file or where you downloaded it from. Where did you get it?

  • I have no idea where the file came from, as I said in my question. It just appears in the C:\windows\ directory every few days. To me it looks like it is part of some program's auto-update feature, but on the other hand it could be a virus. I'm not brave enough to actually run it. Maybe once I get a virtual machine running, I'll give it a try. And its inactivity is what is concerning me. There were reports back in the day of viruses which do their job only on a specific day or only once they establish contact with the rest of their botnet. I'm having a ticking-bomb sort of feeling about it.
    – AndrejaKo
    Commented Aug 31, 2010 at 23:05
  • Maybe you can reinstall it if you have the time, or maybe you can complement Avast with a behavioral AV like ThreatFire.
    – digitxp
    Commented Aug 31, 2010 at 23:19

I had the same virus and am still cleaning out my computer. I only found two references to it and they were both at WhatsRunning.com.

I thought that I had removed the program with anti-virus, but this morning I found some leftover stuff that you might be interested in.

I just happened to be on How-To Geek researching how to open some programs by bypassing the UAC control in Windows 7. I was directed to my Scheduled Tasks.

Well, wouldn't you know it, At1, At2, At3, At4, At5, At6, At7 and At8 (if you look under "properties" they are all DpiSca.exe) were all scheduled to run with the highest privileges seven days a week at 10:00pm under the SYSTEM account.

I had to change each one to Vista Configuration to be able to stop and then delete each one, but it worked. Hopefully.
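The persistence described in this answer (a batch of `At*` tasks all pointing at the same executable, running as SYSTEM at a fixed time) is exactly the kind of thing that is easier to find with a script than by clicking through Task Scheduler. The following PowerShell is an added example, not code from the thread or from any of the tools mentioned in it: it lists every scheduled task whose command line matches a pattern, shows who it runs as and when, and computes the SHA-256 of the target file so the hash can be looked up on VirusTotal without uploading anything. It relies only on `schtasks.exe` verbose CSV output (present on Windows 7) and on `Get-FileHash` (PowerShell 4 or later); the default pattern `DpiSca\.exe` is taken from the thread and the output field names are those `schtasks /v` emits.

```powershell
# Added example: hunt for scheduled tasks that launch a given executable.
# Not part of the original thread; assumes schtasks.exe and PowerShell 4+ (Get-FileHash).
param(
    [string]$Pattern = 'DpiSca\.exe'   # regex matched against the task's command line
)

# /v gives one row per task with "Task To Run", "Run As User", "Schedule Type", etc.
# schtasks repeats the CSV header for every task folder, so drop those pseudo-rows.
$tasks = schtasks.exe /query /fo CSV /v |
    ConvertFrom-Csv |
    Where-Object { $_.TaskName -ne 'TaskName' }

$hits = foreach ($t in $tasks) {
    $cmd = $t.'Task To Run'
    if ([string]::IsNullOrWhiteSpace($cmd) -or $cmd -notmatch $Pattern) { continue }

    # Extract the executable path from the command line, quoted or not, and expand %VARS%.
    $exe = if ($cmd -match '^\s*"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe)

    # Hash the file if it exists right now; a dropper that re-creates itself may be absent.
    $hash = if (Test-Path -LiteralPath $exe) {
        (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
    } else {
        '<target not present on disk>'
    }

    [pscustomobject]@{
        TaskName = $t.TaskName
        RunAs    = $t.'Run As User'
        Schedule = "$($t.'Schedule Type') $($t.'Start Time') $($t.Days)".Trim()
        Command  = $cmd
        Target   = $exe
        SHA256   = $hash
    }
}

if (-not $hits) {
    Write-Host "No scheduled task matches '$Pattern'."
} else {
    # Several tasks sharing one target and one SHA-256 is the At1..At8 pattern from the thread.
    $hits | Format-Table -AutoSize -Wrap
}
```

Run it from an elevated prompt so tasks owned by SYSTEM are visible. Once a task is confirmed as unwanted, `schtasks /change /tn <name> /disable` stops it from firing and `schtasks /delete /tn <name> /f` removes it; disabling first is useful if you want to keep the task definition as evidence while the dropped file is examined.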


The easiest way to check this is to upload the file that avast is flagging to VirusTotal. It will run it through over 40 different antivirus programs. If you only have a few show up, then it's probably a false alarm. Avast does have a habit of false alarms a little more often than others.

  • -1 He already mentioned that he did that.
    – digitxp
    Commented Aug 31, 2010 at 22:52
