Heur.Suspicious@159158952 Heur.Suspicious@159281796

I have a problem with Windows XP. All important applications are down. The computer said it has a corrupted user profile, and at startup rundll32.exe fails. And the best part is that all folders are protected, I can't use any .exe files, and USBs and DVD writers can't be used.

I think this is a really nasty virus. Comodo internet security premium found only these:
Heur.Suspicious@159158952 E:\Windows\$NtServicePackUninstall$\netsetup.exe
Heur.Suspicious@159281796 E:\Windows\$NtServicePackUninstall$\rcimlby.exe
Applicunsaf.win32.RemoteAdmin.WinVN.~D@9174513 E:\Program Files\UltraVNC\vnchooks.dll
Applicunsaf.win32.RemoteAdmin.UltraVNC.~B@15440807 E:\Program Files\UltraVNC\winvnc.exe

I already deleted these files and I’m running Comodo for the second time.

I'm running these from the second hard drive. On the second hard disk I installed Win 7 and Comodo. Windows 7 did overrun XP, so the folder protection doesn't matter any more and I can take copies from the older hard drive. I have made safe copies. I have very important information and applications on this hard drive, so I don't want to format it and use DoD-level overwriting…

What should I do next?

We would very much appreciate it if you would edit your first post to create an issue report in line with the bug forum guidelines and format here. You can copy and paste the format from this topic.

To understand the reasons why we ask you to follow these guidelines please see below.

WHY WE ASK YOU TO FOLLOW THESE GUIDELINES
Bugs/issues can be impossible or very time consuming to fix if developers don’t have enough information to reproduce them. Since CIS is free, development time is limited. So if you want your issue fixed, please use the format below to describe it.

To avoid clutter, issues not described in the format below your post will not be moved to the ‘moderator verified’ issues topic. This means that the developers may not look at it.

Best wishes and many thanks in anticipation

Dennis

TOPIC TITLE
This should summarise the issue. May be best to write it after drafting the issue report. A good title makes sure the right mods and the right devs look at the report


The bug/issue

  1. What you did: I sent a large e-mail file and took some coffee.
  2. What actually happened or you actually saw: When I came back, there was a blue screen with some of this information:
    STOP: 0x0000007E (0xC0000005, 0xEE6A58E7, 0xEE5DFC2C, 0xEE5DF928)
    srv.sys at EE674000, datestamp 4c766ea4
  3. What you expected to happen or see:
    Windows XP in a normal mode.
  4. How you tried to fix it & what happened:
    Reboot, and then I saw these:
    The PC said it had a corrupted user profile. After this it started to install some of the most important applications. And when I finally got to my desktop, rundll32.exe failed. All important applications are down, including antivirus software. And the best part is that all folders are protected, I can't use any .exe files, and USBs and DVD writers can't be used. I couldn't copy any files with cut/copy, and even cmd wouldn't copy files.
    I tried to repair XP from the CD, but it only opened a command prompt that only allowed copying files from one hard drive to another.

I also jumpered BIOS so it has now original manufacturer settings.

After this I installed Windows 7 on a separate hard drive and then I installed Comodo Internet Security. The problematic hard drive wasn't plugged in until Comodo was installed.

Comodo internet security premium found only these:
Heur.Suspicious@159158952 E:\Windows\$NtServicePackUninstall$\netsetup.exe
Heur.Suspicious@159281796 E:\Windows\$NtServicePackUninstall$\rcimlby.exe
Applicunsaf.win32.RemoteAdmin.WinVN.~D@9174513 E:\Program Files\UltraVNC\vnchooks.dll
Applicunsaf.win32.RemoteAdmin.UltraVNC.~B@15440807 E:\Program Files\UltraVNC\winvnc.exe

I already deleted these files and I’m running Comodo for the second time.

  1. If it's an application compatibility problem, have you tried the application fixes here?:
  2. Details & exact version of any application (except CIS) involved, with download link:
  3. Whether you can make the problem happen again, and if so exact steps to make it happen:
  4. Any other information (eg your guess regarding the cause, with reasons):

Files appended. (Please zip unless screenshots).

  1. Screenshots illustrating the bug: Prt Scr is good, but cut/copy and most of the programs are not working. So no screenshots available… (I’m writing this on my laptop and Windows 7 was working on Symantec Security Check, found nothing…)
  2. Screenshots of related CIS event logs and the Defense+ Active Processes List:
    Heur.Suspicious@159158952 E:\Windows\$NtServicePackUninstall$\netsetup.exe
    Heur.Suspicious@159281796 E:\Windows\$NtServicePackUninstall$\rcimlby.exe
    Applicunsaf.win32.RemoteAdmin.WinVN.~D@9174513 E:\Program Files\UltraVNC\vnchooks.dll
    Applicunsaf.win32.RemoteAdmin.UltraVNC.~B@15440807 E:\Program Files\UltraVNC\winvnc.exe
  3. A CIS config report or file.
  4. Crash or freeze dump file: No minidump or dmp files found from yesterday; btw I can't see the Start button, so where is the Run option, and is it an exe file?

Your set-up

  1. CIS version, AV database version & configuration used: 5.3.175888.1227, 7431,
  2. a) Have you updated (without uninstall) from CIS 3 or 4: No, clean CIS install 18.1.2011 from the Comodo site.
    b) if so, have you tried a clean reinstall (without losing settings - if not please do)?:
  3. a) Have you imported a config from a previous version of CIS: No
    b) if so, have you tried a standard config (without losing settings - if not please do)?:
  4. Have you made any other major changes to the default config? (eg ticked 'block all unknown requests', other egs here.): Block all on firewall, when possible, On Access on antivirus, Paranoid mode on Defense+ (this is the reason why I use Comodo…)
  5. Defense+, Sandbox, Firewall & AV security levels: D+= , Sandbox= , Firewall = , AV = see above
  6. OS version, service pack, number of bits, UAC setting, & account type: Windows XP, SP3, 32 bit, None in XP, Admin account.
  7. Other security and utility software installed: Avast! Antivirus licenced version
  8. Virtual machine used (Please do NOT use Virtual box):

PS. I think it may be easier to try to make copies and reinstall the whole thing. I may have to buy some of my applications again…

Hi LKO,

We have verified and found that

Heur.Suspicious@159158952 E:\Windows\$NtServicePackUninstall$\netsetup.exe
Heur.Suspicious@159281796 E:\Windows\$NtServicePackUninstall$\rcimlby.exe

are confirmed as false-positives. Detection will be removed soon, with CIS virus database updates.

Regarding
Applicunsaf.win32.RemoteAdmin.WinVN.~D@9174513 E:\Program Files\UltraVNC\vnchooks.dll
Applicunsaf.win32.RemoteAdmin.UltraVNC.~B@15440807 E:\Program Files\UltraVNC\winvnc.exe

  • the files were confirmed to be part of a potentially unsafe application. If you installed it on purpose to use it, you can safely add them to the exclusion list. For more information regarding this type of application, please visit this link.

Thanks and regards,
Ionel
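Before deleting or excluding files that a heuristic flags, a practitioner would want the evidence the lab used: does the file match a known copy of the same Windows binary, and does it carry a signature at all? The script below is an added example, not part of this thread and not Comodo's or Microsoft's tooling. It hashes each flagged file, looks for a twin of the same name in the folders where Windows keeps its own copies (the folder list is an assumption), and reads the PE's certificate-table data directory to see whether an Authenticode blob is present. The demo files it writes are constructed, minimal PE images with the thread's file names, not the real binaries.

```python
"""Triage heuristic AV hits before deleting or excluding the flagged files.
Added example; KNOWN_COPY_DIRS and the demo PE images are assumptions."""
import hashlib
import os
import struct
import tempfile

# Folders (relative to the Windows directory) that normally hold a pristine
# copy of a Windows binary. Assumed list; adjust for the target system.
KNOWN_COPY_DIRS = ["system32",
                   os.path.join("ServicePackFiles", "i386"),
                   os.path.join("system32", "dllcache")]


def sha256_of(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def has_certificate_table(path):
    """True if IMAGE_DIRECTORY_ENTRY_SECURITY (data directory 4) is populated.
    A populated table only shows a signature blob is attached; validating the
    signature and chain is a separate step. An empty table means the file is
    not Authenticode-signed, whatever its name suggests."""
    with open(path, "rb") as f:
        data = f.read()
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    opt_off = e_lfanew + 4 + 20                 # skip PE signature + COFF header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x10B:                           # PE32: 96-byte fixed part
        dd_off = opt_off + 96
    elif magic == 0x20B:                         # PE32+: 112-byte fixed part
        dd_off = opt_off + 112
    else:
        return False
    va, size = struct.unpack_from("<II", data, dd_off + 4 * 8)
    return va != 0 and size != 0 and va + size <= len(data)  # VA is a file offset


def find_known_copy(flagged_path, windows_dir):
    name = os.path.basename(flagged_path)
    for rel in KNOWN_COPY_DIRS:
        candidate = os.path.join(windows_dir, rel, name)
        if os.path.isfile(candidate):
            return candidate
    return None


def triage(detections, windows_dir):
    """One dict per (detection_name, path) with the evidence gathered."""
    out = []
    for det, path in detections:
        r = {"detection": det, "path": path, "exists": os.path.isfile(path),
             "sha256": None, "signed": False, "known_copy": None,
             "matches_known_copy": False}
        if r["exists"]:
            r["sha256"] = sha256_of(path)
            r["signed"] = has_certificate_table(path)
            twin = find_known_copy(path, windows_dir)
            r["known_copy"] = twin
            r["matches_known_copy"] = twin is not None and sha256_of(twin) == r["sha256"]
        out.append(r)
    return out


def build_demo_pe(signed, tag):
    """Constructed minimal PE32 image (no sections) for the demo only."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)            # e_lfanew -> PE header
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    body = tag.ljust(32, b"\0")
    cert = b""
    if signed:
        cert = b"\x10\x00\x00\x00" + b"\0" * 12        # dummy WIN_CERTIFICATE blob
        cert_off = len(dos) + 4 + len(coff) + len(opt) + len(body)
        struct.pack_into("<II", opt, 96 + 4 * 8, cert_off, len(cert))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + body + cert


def demo():
    """Constructed layout: a backup file identical to its system32 twin and
    signed, a backup file with no twin and no signature, and a flagged path
    that is no longer on disk (as after the files in the thread were deleted)."""
    root = tempfile.mkdtemp()
    windows = os.path.join(root, "Windows")
    backup = os.path.join(windows, "$NtServicePackUninstall$")
    os.makedirs(backup)
    os.makedirs(os.path.join(windows, "system32"))
    good = build_demo_pe(True, b"demo-a")
    for d in (backup, os.path.join(windows, "system32")):
        with open(os.path.join(d, "netsetup.exe"), "wb") as f:
            f.write(good)
    with open(os.path.join(backup, "rcimlby.exe"), "wb") as f:
        f.write(build_demo_pe(False, b"demo-b"))
    detections = [
        ("Heur.Suspicious@159158952", os.path.join(backup, "netsetup.exe")),
        ("Heur.Suspicious@159281796", os.path.join(backup, "rcimlby.exe")),
        ("Applicunsaf.win32.RemoteAdmin.UltraVNC.~B@15440807",
         os.path.join(root, "Program Files", "UltraVNC", "winvnc.exe")),
    ]
    return triage(detections, windows)


if __name__ == "__main__":
    for r in demo():
        print(r["detection"], "exists=%s signed=%s twin=%s identical=%s"
              % (r["exists"], r["signed"], r["known_copy"], r["matches_known_copy"]))
```

On the real system the caller passes the flagged paths from the AV log and the mounted Windows directory (E:\Windows in this thread). A flagged backup that is byte-identical to the live copy in system32 and carries a certificate table is strong evidence for a false positive; a file with no twin and no signature is what deserves a closer look, and a remote-admin tool such as winvnc.exe is expected to show up here whether or not it was installed deliberately, which is why the exclusion decision is a policy call rather than a hash lookup.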

Hi LKO,

The false-positive with

have been fixed. You can update virus database to version 7446 and verify.

Regards,
Ionel

The VERY FIRST THING YOU SHOULD DO is to backup your important information onto external media.

Before you do anything else.

Was your Windows installation done with a customised setup - nlite etc.?

Ewen :)