I think I am infected with a virus


6 replies to this topic

#1 caliwildman

caliwildman

  • Members
  • 3 posts
  • OFFLINE
  •  
  • Local time:01:14 AM

Posted 12 March 2009 - 01:38 AM

Hi,

WinPatrol reports that a new program has been added to my startup programs
DFI-0SACYM.exe -u dfmirage

It says that it's dfmirage-install from DemoForge LLC. The exe (file size 103,424) is in my C:\windows\temp folder, which seems awfully suspicious to me, and I don't recall installing any software from DemoForge recently. I scanned the file with AVG, MalwareBytes, SuperAntiSpyware, Comodo AntiVirus, Ad-aware, Kaspersky and they all came up clean. I even submitted the file to VirusTotal and it came up virus free also, but somehow I have the sneaky suspicion that this is a virus.

Can someone help me resolve this? Thanks in advance for your help.
Johnny



#2 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:04:14 AM

Posted 12 March 2009 - 06:20 AM

Has anyone viewed any animated tutorials lately?
Chewy

No. Try not. Do... or do not. There is no try.

#3 caliwildman


Posted 12 March 2009 - 10:50 AM

> Has anyone viewed any animated tutorials lately?


Why yes, I have viewed a couple of animated tutorials recently. I assume they are all Flash nowadays, but perhaps they are not. Also, I sent an email to DemoForge and they said that it is their DFMirage driver uninstall, so I guess this isn't a virus.

#4 DaChew


Posted 12 March 2009 - 03:43 PM

There's a lesson here: even if I trust a website, I would research what driver they said I needed before letting it install.
Chewy


#5 caliwildman


Posted 12 March 2009 - 07:53 PM

> There's a lesson here: even if I trust a website, I would research what driver they said I needed before letting it install.


True that, but unfortunately this has become an epidemic of sorts. Just yesterday, I upgraded Java and it automatically installed the Java FX quick starter plugin for Firefox with the uninstall button grayed out! I had to Google for solutions; it's ridiculous, but it seems like everyone is doing it nowadays.

#6 DaChew


Posted 12 March 2009 - 08:04 PM

I had been using McAfee's SiteAdvisor with Firefox and the NoScript plugin for investigating iffy websites. SiteAdvisor decided to do an update and install on IE also, with a toolbar no less; got that one killed off and then keep seeing the durn service always running. BYE BYE SA
Chewy


#7 TerrorBite

TerrorBite

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:06:14 PM

Posted 24 April 2009 - 02:05 AM

> Hi,
>
> WinPatrol reports that a new program has been added to my startup programs
> DFI-0SACYM.exe -u dfmirage
>
> It says that it's dfmirage-install from DemoForge LLC. The exe (file size 103,424) is in my C:\windows\temp folder, which seems awfully suspicious to me, and I don't recall installing any software from DemoForge recently. I scanned the file with AVG, MalwareBytes, SuperAntiSpyware, Comodo AntiVirus, Ad-aware, Kaspersky and they all came up clean. I even submitted the file to VirusTotal and it came up virus free also, but somehow I have the sneaky suspicion that this is a virus.
>
> Can someone help me resolve this? Thanks in advance for your help.
> Johnny


Greetings caliwildman.

No, this is not a virus. What you are seeing is the DemoForge Mirage mirror driver. It installs a virtual video device that software such as VNC or video tutorial recording software can use to see what's happening on your screen. It's a more sophisticated method than just grabbing screenshots over and over again.

The information page is here: http://www.demoforge.com/dfmirage.htm
If the driver is installed, it should show up in device manager like this:
Posted Image

The added startup item has been placed there by the mirror driver installer, in order to start up the virtual video device when you log in. If you don't want this driver installed, you should be able to find and remove it in Control Panel -> Add/Remove Programs.

Now, having said all that, even though it's not a virus itself, it's remotely possible that a virus installed it in order to see what's on your screen and send it to a hacker, in the hopes of capturing a credit card number as you type it into a webpage, for example. This is a hypothetical scenario, however. It's far more likely that the driver was installed by a legitimate program as part of its normal functioning. If you've recently installed any software that needs to see what's on your screen, then that's probably the culprit.

-- TerrorBite
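
The check this thread works through by hand (a startup entry whose executable sits in a temp folder and claims a particular vendor), as an added PowerShell example that is not part of any post above. It assumes Windows PowerShell 5.1 or later on the affected machine; `Get-ExePath` is a helper name introduced here.

```powershell
# Added example: list startup entries, flag those that run from a temp
# folder, and show each file's self-declared vendor next to its signature.
# Version-info fields are written by whoever built the file; only a Valid
# Authenticode signature ties the file to the named signer.

function Get-ExePath([string]$Command) {
    # Extract the executable from a startup command line such as
    #   "C:\dir with spaces\app.exe" -u dfmirage   or   C:\dir\app.exe -u dfmirage
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    if ($expanded -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($expanded -match '^\s*(.+?\.(exe|com|bat|cmd|scr))(\s|$)') { return $Matches[1] }
    return ($expanded.Trim() -split '\s+')[0]
}

# Temp locations to flag: per-user temp plus %windir%\Temp (as in the thread).
$tempRoots = @($env:TEMP, $env:TMP, (Join-Path $env:windir 'Temp')) |
    Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') } | Sort-Object -Unique

Get-CimInstance Win32_StartupCommand | ForEach-Object {
    $path = Get-ExePath $_.Command
    $inTemp = $false
    foreach ($root in $tempRoots) {
        if ($path.StartsWith("$root\", [StringComparison]::OrdinalIgnoreCase)) { $inTemp = $true }
    }
    $sig = $null; $ver = $null
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $sig = Get-AuthenticodeSignature -LiteralPath $path
        $ver = (Get-Item -LiteralPath $path).VersionInfo
    }
    [pscustomobject]@{
        Name         = $_.Name
        Location     = $_.Location      # registry Run key or Startup folder
        Command      = $_.Command
        RunsFromTemp = $inTemp
        Company      = $ver.CompanyName # self-declared, not verified
        Description  = $ver.FileDescription
        Signature    = $sig.Status      # Valid, NotSigned, HashMismatch, ...
        Signer       = $sig.SignerCertificate.Subject
    }
} | Sort-Object RunsFromTemp -Descending | Format-List
```

Entries with `RunsFromTemp` set to True and a `Signature` other than `Valid` are the ones worth confirming with the vendor, as the original poster did.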



