Fixed: Virtumonde.ddc FPs?



Lwood
2008-02-01, 17:42
Hello,

I think I'm having a problem with two false positive detections having to do with Virtumonde.ddc, also two bookmark detections having to do with net-integration that I cannot locate, but the main thing is this Virtumonde thing.

XP Home Edition, SeaMonkey 1.1.7, Firefox 2.0.0.11, IE 7 (hardly used except for updating Windows). Spybot 1.5.2, latest definitions.

Here are some screenshots:

http://img87.imageshack.us/img87/1589/virtumonde1ii5.png

http://img222.imageshack.us/img222/999/virtumonde2zt1.png

This is what I find when I jump to location(s):

http://img222.imageshack.us/img222/3483/jump1jk9.png

http://img86.imageshack.us/img86/8030/jump2nl5.png

Thanks for any advice.

Lwood
2008-02-01, 18:03
--- Report generated: 2008-02-01 10:25 ---

Virtumonde.ddc: [SBI $B451B415] Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\

Virtumonde.ddc: [SBI $01D0F2C0] Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\

Net-Integration: [SBI $61F39AC8] Bookmark (Mozilla: profile name) (Bookmark, nothing done)


Net-Integration: [SBI $61F39AC8] Bookmark (Firefox: profile name) (Bookmark, nothing done)


Common Dialogs: [SBI $61F39AC8] History (57 files) (Registry key, nothing done)
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU

Log: [SBI $61F39AC8] Activity: SchedLgU.Txt (Backup file, nothing done)
C:\WINDOWS\SchedLgU.Txt

Log: [SBI $61F39AC8] Activity: imsins.log (Backup file, nothing done)
C:\WINDOWS\imsins.log

Log: [SBI $61F39AC8] Activity: ntbtlog.txt (Backup file, nothing done)
C:\WINDOWS\ntbtlog.txt

Log: [SBI $61F39AC8] Install: comsetup.log (Backup file, nothing done)
C:\WINDOWS\comsetup.log

Log: [SBI $61F39AC8] Install: Directx.log (Backup file, nothing done)
C:\WINDOWS\Directx.log

Log: [SBI $61F39AC8] Install: ocgen.log (Backup file, nothing done)
C:\WINDOWS\ocgen.log

Log: [SBI $61F39AC8] Install: setupapi.log (Backup file, nothing done)
C:\WINDOWS\setupapi.log

Log: [SBI $61F39AC8] Install: wmsetup.log (Backup file, nothing done)
C:\WINDOWS\wmsetup.log

Log: [SBI $61F39AC8] Shutdown: System32\wbem\logs\wbemcore.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemcore.log

Log: [SBI $61F39AC8] Shutdown: System32\wbem\logs\wbemess.lo_ (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemess.lo_

Log: [SBI $61F39AC8] Shutdown: System32\wbem\logs\wbemess.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wbemess.log

Log: [SBI $61F39AC8] Shutdown: System32\wbem\logs\wmiprov.log (Backup file, nothing done)
C:\WINDOWS\System32\wbem\logs\wmiprov.log

Ahead Nero Burning Rom: [SBI $DE353278] Browser directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1766569649-2188278862-2612450137-1005\Software\Ahead\Nero - Burning Rom\Settings\BrowserDir

Ahead Nero Burning Rom: [SBI $F3FD92E9] Working directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1766569649-2188278862-2612450137-1005\Software\Ahead\Nero - Burning Rom\Settings\WorkingDir

Ahead Nero Burning Rom: [SBI $055C754D] Last ISO directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1766569649-2188278862-2612450137-1005\Software\ahead\Nero - Burning Rom\General\OFDLastISODir

Ahead Nero Burning Rom: [SBI $505FB952] Last Audio directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1766569649-2188278862-2612450137-1005\Software\ahead\Nero - Burning Rom\General\OFDLastAudioDir

Internet Explorer: [SBI $1E8157BE] Typed URL list (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1766569649-2188278862-2612450137-1005\Software\Microsoft\Internet Explorer\TypedURLs

Internet Explorer: [SBI $0BC7B918] User agent (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1766569649-2188278862-2612450137-1005\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent

MS Management Console: [SBI $ECD50EAD] Recent command list (3 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1766569649-2188278862-2612450137-1005\Software\Microsoft\Microsoft Management Console\Recent File List

MS Media Player: [SBI $E48560B4] Recent file list (1 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1766569649-2188278862-2612450137-1005\Software\Microsoft\MediaPlayer\Player\RecentFileList

MS Media Player: [SBI $8E65C0EE] Last opened playlist (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1766569649-2188278862-2612450137-1005\Software\Microsoft\MediaPlayer\Preferences\LastPlaylist

MS Media Player: [SBI $1BDA487B] Last selected track index (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1766569649-2188278862-2612450137-1005\Software\Microsoft\MediaPlayer\Preferences\LastPlaylistIndex

MS Direct3D: [SBI $7FB7B83F] Most recent application (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name

MS Direct3D: [SBI $C2A44980] Most recent application (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1766569649-2188278862-2612450137-1005\Software\Microsoft\Direct3D\MostRecentApplication\Name

MS DirectDraw: [SBI $EB49D5AF] Most recent application (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication\Name

MS DirectInput: [SBI $9A063C91] Most recent application (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1766569649-2188278862-2612450137-1005\Software\Microsoft\DirectInput\MostRecentApplication\Name

MS DirectInput: [SBI $7B184199] Most recent application ID (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1766569649-2188278862-2612450137-1005\Software\Microsoft\DirectInput\MostRecentApplication\Id

MS Regedit: [SBI $C3B62FC1] Recent open key (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1766569649-2188278862-2612450137-1005\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit\LastKey

MS Search Assistant: [SBI $AE0C4647] Typed search terms history (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1766569649-2188278862-2612450137-1005\Software\Microsoft\Search Assistant\ACMru

MS Wordpad: [SBI $4C02334D] Recent file list (1 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1766569649-2188278862-2612450137-1005\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List

Windows.OpenWith: [SBI $3A7F8A99] Open with list - .BZ2 extension (2 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1766569649-2188278862-2612450137-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.BZ2\OpenWithList

Windows.OpenWith: [SBI $7E93AD81] Open with list - .CSS extension (3 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1766569649-2188278862-2612450137-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.CSS\OpenWithList

Windows Explorer: [SBI $A2C7B3CD] Recent wallpaper list (43 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1766569649-2188278862-2612450137-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper\MRU

Windows Explorer: [SBI $7308A845] Run history (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1766569649-2188278862-2612450137-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

Windows Explorer: [SBI $AA0766B5] Stream history (10 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1766569649-2188278862-2612450137-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU

Windows Explorer: [SBI $2026AFB6] User Assistant history IE (7 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1766569649-2188278862-2612450137-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count

Windows Explorer: [SBI $6107D172] User Assistant history files (128 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1766569649-2188278862-2612450137-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count

Windows Explorer: [SBI $B7EBA926] Last visited history (7 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1766569649-2188278862-2612450137-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU

Windows Explorer: [SBI $D20DA0AD] Recent file global history (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1766569649-2188278862-2612450137-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Windows Explorer: [SBI $85C2C910] Last Copy/MoveTo folder (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1766569649-2188278862-2612450137-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\CopyMoveTo\LastFolder

Windows Media SDK: [SBI $37AAEDE6] Computer name (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1766569649-2188278862-2612450137-1005\Software\Microsoft\Windows Media\WMSDK\General\ComputerName

Windows Media SDK: [SBI $CAA58B6E] Unique ID (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1766569649-2188278862-2612450137-1005\Software\Microsoft\Windows Media\WMSDK\General\UniqueID

Windows Media SDK: [SBI $BACCD0DA] Volume serial number (Registry value, nothing done)
HKEY_USERS\S-1-5-21-1766569649-2188278862-2612450137-1005\Software\Microsoft\Windows Media\WMSDK\General\VolumeSerialNumber

WinRAR: [SBI $0B56E92B] Recent file list (4 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1766569649-2188278862-2612450137-1005\Software\WinRAR\ArcHistory

WinRAR: [SBI $A59A1C0A] Recent exe file list (1 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1766569649-2188278862-2612450137-1005\Software\WinRAR\DialogEditHistory\ArcName

WinRAR: [SBI $B84F9965] Last used directory (Registry change, nothing done)
HKEY_USERS\S-1-5-21-1766569649-2188278862-2612450137-1005\Software\WinRAR\General\LastFolder

WinRAR: [SBI $B510882E] Extraction directory history (5 files) (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1766569649-2188278862-2612450137-1005\Software\WinRAR\DialogEditHistory\ExtrPath

Cookie: Cookie (10) (Cookie, nothing done)


Cache: Cache (130) (Cache, nothing done)


History: History (2) (History, nothing done)


Cookie: Cookie (122) (Cookie, nothing done)


Cookie: Cookie (87) (Cookie, nothing done)



--- Spybot - Search & Destroy version: 1.5.2 (build: 20080128) ---

2008-01-28 blindman.exe (1.0.0.7)
2008-01-28 SDDelFile.exe (1.0.2.4)
2008-01-28 SDMain.exe (1.0.0.5)
2007-10-07 SDShred.exe (1.0.1.2)
2008-01-28 SDUpdate.exe (1.0.8.8)
2008-01-28 SDWinSec.exe (1.0.0.11)
2008-01-28 SpybotSD.exe (1.5.2.20)
2008-01-28 TeaTimer.exe (1.5.2.16)
2008-01-31 unins000.exe (51.49.0.0)
2008-01-28 Update.exe (1.4.0.6)
2008-01-28 advcheck.dll (1.5.4.5)
2007-04-02 aports.dll (2.1.0.0)
2007-11-17 DelZip179.dll (1.79.7.4)
2008-01-28 SDFiles.dll (1.5.1.19)
2008-01-28 SDHelper.dll (1.5.0.11)
2008-01-28 Tools.dll (2.1.3.3)
2008-01-30 Includes\Cookies.sbi
2007-12-26 Includes\Dialer.sbi (*)
2008-01-30 Includes\DialerC.sbi (*)
2008-01-30 Includes\HeavyDuty.sbi (*)
2007-12-26 Includes\Hijackers.sbi (*)
2008-01-30 Includes\HijackersC.sbi (*)
2007-10-04 Includes\Keyloggers.sbi (*)
2008-01-30 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-01-16 Includes\Malware.sbi (*)
2008-01-30 Includes\MalwareC.sbi (*)
2007-10-24 Includes\PUPS.sbi (*)
2008-01-30 Includes\PUPSC.sbi (*)
2008-01-30 Includes\Revision.sbi (*)
2008-01-09 Includes\Security.sbi (*)
2008-01-30 Includes\SecurityC.sbi (*)
2008-01-23 Includes\Spybots.sbi (*)
2008-01-30 Includes\SpybotsC.sbi (*)
2007-11-06 Includes\Tracks.uti (*)
2008-01-16 Includes\Trojans.sbi (*)
2008-01-30 Includes\TrojansC.sbi (*)
2007-12-24 Plugins\TCPIPAddress.dll

Lwood
2008-02-03, 17:29
No opinions eh? Thanks anyway.

Yodama
2008-02-04, 07:35
hello,

thank you for reporting.
The 2 Virtumonde.ddc entries are false positives; none of the entries shown in your registry are targeted. We will change the detection rules with the upcoming update to avoid this false positive.

Your Net-Integration bookmarks also appear to be false positives. We are going to check on this issue; please post feedback if the bookmarks are still found after the next update. A report with the scan result, like yours above, will do.
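The two Virtumonde.ddc hits in the report above point at the Windows Firewall exception list (`...\FirewallPolicy\StandardProfile\AuthorizedApplications\List`), which is a legitimate key that malware is also known to add itself to. The script below is an added example, not something from this thread or from Spybot, that lists what is actually allowed through the firewall so a reader can judge such a detection for themselves. It assumes PowerShell 2.0 or later, the XP/2003-era key layout under `CurrentControlSet`, and the value format `exe path:scope:Enabled|Disabled:display name`; the "suspect" heuristic (missing executable, or executable under a temp/profile folder) is a constructed triage rule, not a Spybot detection rule.

```powershell
# Added example: enumerate the firewall AuthorizedApplications list for the
# Standard and Domain profiles and flag entries worth a second look.
# Assumes PowerShell 2.0+ and the XP-style FirewallPolicy key layout.

$Profiles = 'StandardProfile', 'DomainProfile'
$BaseKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'

function Get-FirewallAuthorizedApps {
    param([string[]]$ProfileNames = $Profiles)

    foreach ($profile in $ProfileNames) {
        $listKey = Join-Path $BaseKey "$profile\AuthorizedApplications\List"
        if (-not (Test-Path $listKey)) { continue }   # profile has no exceptions

        $item = Get-Item -Path $listKey
        foreach ($valueName in $item.GetValueNames()) {
            $data = [string]$item.GetValue($valueName)

            # Value data looks like "C:\path\app.exe:*:Enabled:App Name".
            # Splitting on ':' separates the drive letter from the rest,
            # so the first two pieces are rejoined to rebuild the path.
            $parts = $data -split ':'
            if ($parts.Count -lt 5) { continue }       # not the expected layout
            $exe   = $parts[0..1] -join ':'
            $name  = $parts[4..($parts.Count - 1)] -join ':'
            $exists = Test-Path -LiteralPath $exe

            # Constructed triage heuristic: a missing binary, or one living in a
            # temp or user-profile folder, deserves a closer look. Everything
            # else is reported too so the full exception list is visible.
            $inUserArea = $exe -match '\\Temp\\|\\Local Settings\\|\\AppData\\|\\Documents and Settings\\'
            $suspect    = (-not $exists) -or $inUserArea

            New-Object PSObject -Property @{
                Profile = $profile
                Exe     = $exe
                Scope   = $parts[2]
                State   = $parts[3]
                Name    = $name
                Exists  = $exists
                Suspect = $suspect
            }
        }
    }
}

# Usage: list everything, suspicious entries first.
Get-FirewallAuthorizedApps |
    Sort-Object Suspect -Descending |
    Format-Table Profile, Suspect, Exists, State, Scope, Exe, Name -AutoSize
```

Run it in an elevated prompt so the key under `HKLM:\SYSTEM` is readable. An entry marked `Suspect` is not proof of infection; it only means the allowed program is gone or sits somewhere an installer would not normally put it, which is the kind of detail worth including when reporting a suspected false positive on that key.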

Lwood
2008-02-05, 18:00
You're welcome, and thank you.

I will report back if the bookmarks etc. are still detected after the next update.

Lwood
2008-02-06, 18:25
I updated SSD and ran another scan, no more problem with the Virtumonde.ddc false positives, and I finally located the two bookmark entries for net-integration and deleted them from my SeaMonkey and Firefox bookmarks, so my problems seem to be resolved now.

Thanks very much.

tashi
2008-02-07, 02:56
Thank you for letting us know. :bigthumb: