"sign of Vienna-4 found"

A scan of my pc found that C:\windows\memory.dmp has signs of Vienna-4 in it. It's now safely tucked away in the Virus Chest, but now what? I’ve read many posts here and have learned it’s fine just to let it stay there… I’ve been trying to find out if I can repair or restore this file so I can put it back in the system. Is this possible? Is it necessary?

Also being the novice that I am, a year ago I deleted \imscan.dll as it was suspicious. After researching the Vienna-4 thing, I found out about Panda files and that my ‘infected’ imscan.dll was probably a false positive. (Win32:Kuang2). Do I need to download/upload this file to my pc again?

Thanks for any advice

The memory.dmp is created at the time of a crash and has the contents of memory, which may have had a virus.

This file is of very limited use, and only to someone who knows how to analyse it. If it is old, even a few days, it is of little use to anyone, so you can safely send it to the chest, and I would go a step further and say it is safe to delete.

If you have another system crash a new copy of the memory.dmp file would be created, it isn’t a critical file.

However, there is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest (you won’t have), scan them again (inside the chest) and if they are still detected as viruses (they probably will be), delete them.

Vienna-4 is a backdoor trojan, a member of the Vienna family.

I’d try Malwarebytes Anti-Malware:
check mark all hits
click Remove
post log

also
SuperAntiSpyware

also F-Secure online remover
http://support.f-secure.com/enu/home/ols.shtml

post the logs back and see what else we find
this is not likely to be the only infection

what OS?

Hi TysonV,

Make sure that all traces of this malware have left your computer.
Kill the following processes
646.exe, bob.exe, sound4.exe, vienna.exe, vienna~2.exe
Remove the following files
646.exe, bob.com, bob.exe, entwives.com, ghost.c-m, grither.com, iraqui.com, lisbon.com, sound4.exe, v#-b.com, v#-f.com, v#-opt.com, v-637.com, v-645b.com, v-822.com, v-b645a.com, v-b645b.com, v-drop1.com, v-ghostb.com, vien822.com, vienna.679.a.com, vienna.exe, vienna~2.exe, violate.com.

How to elegantly kill a process from the command line (go to Start - Run):
If you know the name of a process to kill, for example 646.exe, use the following command from a command prompt to end it:

taskkill /IM 646.exe

This will cause the program to terminate gracefully, asking for confirmation if there are unsaved changes. To forcefully kill the same process, add the /F option to the command line. Be careful with the /F option as it will terminate all matching processes without confirmation.

To kill a single instance of a process, specify its process id (PID). For example, if the desired process has a PID of 827, use the following command to kill it:

taskkill /PID 827

or press Ctrl+Alt+Del to bring up the Windows Task Manager and kill the process there.

To delete the files, go to Start - Search - 646.exe. When found, delete!

polonus

Guys, let's not lose sight of the fact that this was found in a memory.dmp file (date of origin unknown) and there were no detections by avast outside of this memory.dmp file.

Additional scan with the usual tools as a precaution should suffice to check there are no elements outside of the memory.dmp file.

@ TysonV
If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode, and report the findings (it should produce a log file).

  1. SUPERantispyware On-Demand only in free version.
  2. MalwareBytes Anti-Malware freeware version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right click on the link and select Save As or Save File (As depending on your browser), save it to a location where you can find it easily later. Also Try this tool, RogueRemover, available here http://www.malwarebytes.org/rogueremover.php

Hi DavidR,

Polonus wants the facts first. Hear a malware name dropped, look for all of the manual cleansing info and make SURE it is not (or has not been) on that particular machine. Better safe than sorry is my credo. If the malware was only contacted and nipped in the bud by avast, etc., so much the better, but a bit of searching and proof that no infection traces exist never did a user any wrong. Later they feel confident when nothing is there, and then again they learned something during the process. That is my opinion: give a person a fish and he has a meal for today, teach him to fish and he can fend for himself.

polonus

Thanks for the fast responses!

The only infected file was the memory.dmp file. A second scan showed no more infected files.

I’m interested in learning how to defend my pc so I’ll try what’s been suggested. There was a time about a year ago when I had 2 anti-virus programs running and banging heads, so I should try to do a thorough job with this little nasty now.

I’m not on my own pc until tomorrow but I’ll post the results…

I think we have some info to work with, as in the location of the infection, a memory.dmp file, which means it was in memory at the time of a system crash. It isn’t outside the bounds of possibility that it could have been an FP in the strings inside the dump file.

“Also being the novice that I am,”

Given the above statement it would probably be better and easier for TysonV to run the two general anti-malware tools.

Hi Guys

I’ve installed and run SuperAntiSpyware, Malwarebytes, and RogueRemover. All that popped up was some adware and cookies.
It looks like it was really only as the message read, “signs of…”.

Thanks for your help.

Tyson

You’re welcome. The SAS and Malwarebytes Anti-Malware programs are worth keeping as anti-spyware/malware on-demand scanners. The RogueRemover is more of a specific tool that is run if there is a suspicion of a fake alert issue on your system.

A belated welcome to the forums.