Memtest.exe possible virus/infection-- multiple issues


3 replies to this topic

#1 fight_the_fallen

Posted 31 May 2013 - 03:07 AM

So a few days ago I noticed my computer was being kinda douchey.

I believe this started when I was looking for a game to play and I downloaded one and it didn't work (opened command prompt and said the game could not be started), so I speedily deleted the files (one particular file was called "run.bat").

 

NOW every time I start up my computer, there is a Run.bat file on my desktop; even when I delete it and restart, it appears again. The contents of this file are as follows:

===================
@ECHO OFF
java -xmx500m EGIU
Title Demolishscape v7
===================

 

I am pretty sure this is a file being created on boot, because I have seen files being created on startup with other malware and viruses, but I cannot find what is creating this file for the life of me.

 

ANOTHER issue is that my task manager WINDOW will not open. It appears in the system tray on startup, and it will create a bunch of icons for it every second, and when I move the mouse over them, they disappear (although this is probably having to deal with my next issue). As a fix, I downloaded a pretty useful tool called Process Explorer from the Microsoft website. Before anyone says anything on the task manager note, I have searched high and low through my registry and cannot find a disable for task manager, and I do not believe that is the issue, seeing as how the process is opening and the icon is in my taskbar. There are always 2 taskmgr.exe processes switching on and off really fast (about 1/sec) and the task manager scheduling process coming on every once in a while. And when I look at what process keeps starting the task manager in Process Explorer, it says "memtest.exe" (which I will discuss in a little bit).

 

When I start my computer and I log into my user, 2 command prompt windows open for "Demolishscape v7" saying the same thing in both, the same thing it says in the Run.bat. And when I am in ANY window, it will repeatedly go on and off (like I am clicking out of the window to unselect it, and back onto it to select it in rapid succession, like I am clicking back and forth between two windows really fast). In Process Explorer, it says that my explorer.exe is using 45%-60% CPU at all times, even right now as I am typing, and it only seems to affect explorer windows and the start menu and task bar (they go realllllyyyy slow), but everything within my browser is running like normal.

 

This issue is probably the root of all of this: in Process Explorer, there is an EXTREMELY suspicious process named "memtest.exe"; the description is "Cookbook+Calendar Setup" and it is by a company called "Binary House Software". The path of the started program was in my /AppData/Local/Temp/ folder, and when I searched there, I found nothing called memtest.exe. I did a little searching and found that the legit memtest.exe was NOT ONLY not made by the Binary House Software and didn't have anything to do with calendars or cookbooks, but it also wasn't supposed to be in that location to begin with. I will attach a text file with the contents of the Strings scan for the process in its entirety.

 

ANY help would be appreciated. I have done all I can think of to gather this much information on my own, but I feel like this one may be a little out of my reach.

 

Here is the "memtest.exe" Process String File.

Hopefully you can spot something I couldn't; this is my first time dealing with this crap, so I don't know what exactly to look for.

 

 

Memtest.exe String


EDIT: I have found the solution. After making sure my "Show hidden files and folders" option was on (it wasn't), I found the files memtest.exe, windisplay.exe, and in another directory (named sky.exe) a Skype.exe.

 

I wrestled with them for a little bit before deciding to get FileASSASSIN to complete the job. Now my task manager works, my explorer.exe isn't using high CPU, and everything seems back to normal.


Edited by fight_the_fallen, 31 May 2013 - 08:21 PM.
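
A read-only triage pass over the indicators described in the post above (an image running from AppData\Local\Temp, a hidden file on disk, version-info strings that do not match the file name, and the child processes it keeps starting), as an added example that is not part of the original thread. It assumes Windows PowerShell 3.0 or later; the output field names are chosen here for illustration.

```powershell
# Added example (not from the thread): read-only triage of processes running out of
# a per-user Temp folder. Nothing is stopped, deleted or modified.
$all = Get-CimInstance -ClassName Win32_Process

$findings = foreach ($proc in $all) {
    $path = $proc.ExecutablePath
    if (-not $path) { continue }                              # no path exposed for this process
    if ($path -notmatch '\\AppData\\Local\\Temp\\') { continue }

    # -Force is what makes Hidden/System files visible to Get-Item
    $file = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    $sig  = Get-AuthenticodeSignature -LiteralPath $path -ErrorAction SilentlyContinue

    # Processes started by this one (parent PIDs can be reused, so treat as a hint)
    $kids = @($all | Where-Object { $_.ParentProcessId -eq $proc.ProcessId } |
              ForEach-Object { $_.Name } | Sort-Object -Unique)

    [pscustomobject]@{
        Name        = $proc.Name
        ProcessId   = $proc.ProcessId
        Path        = $path
        OnDisk      = [bool]$file
        Hidden      = [bool]($file -and ($file.Attributes -band [IO.FileAttributes]::Hidden))
        Description = if ($file) { $file.VersionInfo.FileDescription }
        Company     = if ($file) { $file.VersionInfo.CompanyName }
        Signature   = if ($sig)  { $sig.Status }
        Children    = $kids -join ', '
    }
}

# Hidden images first; compare Name against Description/Company by eye
$findings | Sort-Object Hidden -Descending | Format-List
```

Installers legitimately run from Temp, so the combination to look for is a Hidden, unsigned image whose Description and Company do not fit its file name.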



#2 bloopie

Posted 01 June 2013 - 07:36 AM

Hello fight_the_fallen,

Glad you got it sorted out, and thanks for sharing your solution! :)

bloopie

#3 quietman7

Posted 01 June 2013 - 05:08 PM

Now you should Create a New Restore Point (alternate method) to prevent possible reinfection from an old one. Some of the malware you picked up could have been backed up, renamed and saved in System Restore. Since this is a protected directory your tools cannot access to delete these files, they sometimes can reinfect your system if you accidentally use an old restore point. Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Click the Start Orb and in the Search box type: Create a restore point.
  • When the System Properties window opens, under the System Protection tab, select the Create... button at the bottom. Give the restore point a name, then click "Create". The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
Then use Disk Cleanup to remove all but the newly created Restore Point.

Windows 8, Vista and Windows XP users can refer to these links:
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators


#4 quietman7

Posted 01 June 2013 - 05:18 PM

I forgot to mention...you may want to read Best Practices for Safe Computing - Prevention of Malware Infection.



