How to check for a false positive virus report?

anti-virus virus avast

Looks like I've been infected by a virus, namely NSIS:Downloader-BX [Drp], in a file named DpiSca.exe, but...

I wasn't visiting any usual suspect sites (warez, pr0n etc) and nobody else was using my computer.

I'm not getting any usual symptoms.

It's been more than 5 years since I've been infected last time, so I'm pretty confident that I know how to take care of myself.

I'm unable to find any information on the Internet about the virus I'm infected with.

According to VirusTotal, only avast! considers it a virus.

Sysinternals Process Explorer, which seems to be well respected program, does not show any suspicious processes.

After running most thorough scan available in free avast! several times, it found no infections. I'll be purging a friend's computer tomorrow and once it is secured, I plan on using it to scan my hard drive just to be safe.

The file seems to be a NSIS installer.  Once extracted, it contained only two .dll files – ExecPri.dll and inetc.dll – and neither of them seems to be infected according to VirusTotal and avast!.  File intec.dll appears to be standard part of NSIS, but I was unable to find information about ExecPri.dll.

After analyzing the installer file, the only suspicious strings are related to RichEdit, which appears to be JavaScript editor, which I'm not using.  The rest seems to be standard NSIS boilerplate.

I'm using OpenDNS and it doesn't report any suspicious connections DNS resolutions.

On the other hand:

The file appeared several times in my \Windows directory even after being deleted and I have no idea what's creating it.  (Any tools which can determine what file is made by what process?)

Only reference I could find about it was on Google cache of a forum dealing with malware infections, and was marked as virus agent.

My question is how do I check if this file is or isn't a part of a virus?


Solution 1:

As it is an exe you can upload it in to Anubis and see what all it might be trying to do. I know you found the two dll's but this might help track down any other things it might do. If you don't see anything fishy from Anubis and with all the other things you have done it is probable inert and you can delete it and ignore it.

Solution 2:

If it is a virus, it's doing a pretty sappy job at it.

I'd suspect it's either a poorly written program or an old one.

One thing you didn't mention is where you found the file or where you downloaded it from. Where did you get it?

Solution 3:

I had the same virus and am still cleaning out my computer. I only found two references to it and they were both at WhatsRunning.com.

I thought that I had removed the program with anti-virus but this morning I found some left over stuff that you might be interested in.

I just happened to be on How-To Geek researching how to open some programs by bypassing the UAC control in Windows 7. I was directed to my Scheduled Tasks.

Well, wouldn't you know it, At1, At2, At3, At4, At5, At6, At7 and At8 (if you look under "properties" they are all DpiSca.exe) were all scheduled to run with the highest privileges seven days a week at 10:00pm using the SYSTEM.

I had to change each one to Vista Configuration to be able to stop and then delete each one, but it worked. Hopefully.

Related

Export google document as csv without quotation marks
How do I set a custom order for folders on Windows 7 and 10?
SSH asks for passphrase three times and authenticates no matter what is entered
Rename OneDrive for Business folder in Explorer
Keyboard shortcut for printing in Windows File Explorer
How to display \r\n as new line in Notepad++
How to configure "-incognito" for default apps on Windows 10?
How to migrate Windows 2012 RAID 1 array to Linux?
Shortcut to MS-DOS Program (.PIF)
How to "re-run with -deprecation for details" in sbt?
Command substitution: backticks or dollar sign / paren enclosed? [duplicate]
When should assertions stay in production code? [closed]