Need User Feedback: Virtumonde



vecktor
2009-05-15, 18:26
Updated Spybot this morning and it suddenly detected a bunch of Trojans

http://img32.imageshack.us/img32/5082/sbsdfp.gif

http://img34.imageshack.us/img34/5576/sbsdfp2.gif

I have run other scanners and they returned clean results, so I'm pretty sure these are false positives and have not yet removed them.

Yodama
2009-05-18, 07:54
This is possibly a false positive; however, these files appear to have properties they are not supposed to have. In your case, if you have not manually set these 48 files to be "hidden", other software did that. If you do not know which software could have done that, it is possible that it was done by malicious software. Other manipulations of these files are also possible.

We also need more information on this issue.
Please do the following:

do a scan with Spybot S&D again
right click the scan result and select to save a full report to your desktop
attach this full report to an email to detections@spybot.info
zip these 48 files and also attach them to the email


You can quickly gather the files into a cab archive by using the spf (http://forums.spybot.info/downloads.php?id=15)
and copying and pasting the following text into it:

c:\windows\system32\actmovie.exe
c:\windows\system32\auditusr.exe
c:\windows\system32\autoconv.exe
c:\windows\system32\blastcln.exe
c:\windows\system32\bootvrfy.exe
c:\windows\system32\cidaemon.exe
c:\windows\system32\cleanmgr.exe
c:\windows\system32\cliconfg.exe
c:\windows\system32\dcomcnfg.exe
c:\windows\system32\ddeshare.exe
c:\windows\system32\dfrgntfs.exe
c:\windows\system32\diskpart.exe
c:\windows\system32\diskperf.exe
c:\windows\system32\dmremote.exe
c:\windows\system32\dplaysvr.exe
c:\windows\system32\dpvsetup.exe
c:\windows\system32\drwatson.exe
c:\windows\system32\dvdupgrd.exe
c:\windows\system32\esentutl.exe
c:\windows\system32\eudcedit.exe
c:\windows\system32\eventvwr.exe
c:\windows\system32\fastopen.exe
c:\windows\system32\fontview.exe
c:\windows\system32\forcedos.exe
c:\windows\system32\freecell.exe
c:\windows\system32\gpresult.exe
c:\windows\system32\gpupdate.exe
c:\windows\system32\hostname.exe
c:\windows\system32\iexpress.exe
c:\windows\system32\ipconfig.exe
c:\windows\system32\ipxroute.exe
c:\windows\system32\logagent.exe
c:\windows\system32\mountvol.exe
c:\windows\system32\mpnotify.exe
c:\windows\system32\mscdexnt.exe
c:\windows\system32\mshearts.exe
c:\windows\system32\narrator.exe
c:\windows\system32\nddeapir.exe
c:\windows\system32\netsetup.exe
c:\windows\system32\nslookup.exe
c:\windows\system32\ntbackup.exe
c:\windows\system32\ntkrnlpa.exe
c:\windows\system32\ntoskrnl.exe
c:\windows\system32\nwscript.exe
c:\windows\system32\odbcconf.exe
c:\windows\system32\osuninst.exe
c:\windows\system32\packager.exe
c:\windows\system32\pathping.exe
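The post above asks the user to zip the 48 flagged files and send them in without first checking what is actually wrong with them. The script below is an added example (editor's code, not part of the original thread and not the spf tool) of the triage an analyst would want before quarantining anything: for each path in the list it records whether the Hidden and System attribute bits are set, the Authenticode signature status, size, last write time and SHA-256, writes a CSV report, and bundles the files into a zip for submission. It assumes the list is saved as one full path per line in a text file (the `files.txt` name and the `triage` output folder are assumptions), and that it runs with administrator rights on the affected machine.

```powershell
# Added example: triage a list of files flagged by a scanner before removing them.
# Assumed inputs: $ListPath holds one full path per line (the list posted above);
# $OutDir receives report.csv and samples.zip. Hypothetical names, not from the thread.
param(
    [string]$ListPath = "$env:USERPROFILE\Desktop\files.txt",
    [string]$OutDir   = "$env:USERPROFILE\Desktop\triage"
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$sha = [System.Security.Cryptography.SHA256]::Create()

function Get-FileTriage {
    param([string]$Path)
    # Uniform record so Export-Csv gets the same columns for every row.
    $row = New-Object PSObject -Property @{
        Path = $Path; Exists = $false; Hidden = $false; System = $false
        Size = $null; LastWriteUtc = $null; Signature = $null; Signer = $null; SHA256 = $null
    }
    # -Force is required: without it Get-Item silently skips hidden/system files,
    # which is exactly the case being investigated here.
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue
    if (-not $item) { return $row }

    $row.Exists       = $true
    $row.Hidden       = (($item.Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
    $row.System       = (($item.Attributes -band [IO.FileAttributes]::System) -ne 0)
    $row.Size         = $item.Length
    $row.LastWriteUtc = $item.LastWriteTimeUtc

    # Most OS binaries are catalog-signed rather than embedded-signed. Recent
    # PowerShell (Windows 8+/5.1) reports those as Valid with a Catalog signature
    # type; PowerShell 1.x/2.0 on XP reports them as NotSigned, so on such systems
    # confirm with sigverif.exe rather than reading NotSigned as "tampered".
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $row.Signature = $sig.Status
    if ($sig.SignerCertificate) { $row.Signer = $sig.SignerCertificate.Subject }

    # SHA-256 of the file content, for comparison against a known-good copy
    # (e.g. the same file from the install media or another patched machine).
    $stream = [IO.File]::OpenRead($Path)
    try   { $row.SHA256 = ([BitConverter]::ToString($sha.ComputeHash($stream))) -replace '-', '' }
    finally { $stream.Close() }
    return $row
}

$rows = @()
foreach ($line in Get-Content -LiteralPath $ListPath) {
    $p = $line.Trim()
    if ($p) { $rows += Get-FileTriage -Path $p }
}

$rows | Export-Csv -NoTypeInformation -LiteralPath (Join-Path $OutDir 'report.csv')

# Quick on-screen view of the suspicious subset: files that exist and carry Hidden.
$rows | Where-Object { $_.Exists -and $_.Hidden } |
    Select-Object Path, System, Signature, LastWriteUtc, SHA256 |
    Format-Table -AutoSize

# Bundle the samples for the analyst. Needs .NET 4.5+ (Windows 7 with .NET 4.5,
# Windows 8 and later); on an XP-era machine use the spf tool from the post instead.
Add-Type -AssemblyName System.IO.Compression.FileSystem
$zipPath = Join-Path $OutDir 'samples.zip'
if (Test-Path -LiteralPath $zipPath) { Remove-Item -LiteralPath $zipPath -Force }
$zip = [System.IO.Compression.ZipFile]::Open($zipPath, 'Create')
try {
    foreach ($r in ($rows | Where-Object { $_.Exists })) {
        $entryName = [IO.Path]::GetFileName($r.Path)
        [System.IO.Compression.ZipFileExtensions]::CreateEntryFromFile($zip, $r.Path, $entryName) | Out-Null
    }
} finally {
    $zip.Dispose()
}
Write-Host "Report: $(Join-Path $OutDir 'report.csv')"
Write-Host "Samples: $zipPath"
```

Read the report before acting on it: a Hidden bit on an otherwise unchanged, validly signed system32 binary points at an attribute change rather than a replaced file, while a NotSigned or HashMismatch status on modern PowerShell, or a last-write time that does not match the other files from the same update, is what would justify comparing the hash against a known-good copy. Do not delete or quarantine files such as ntoskrnl.exe and ntkrnlpa.exe on the strength of the scanner result alone; the machine will not boot without them.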

vecktor
2009-05-18, 09:57
E-mail + attachments sent, should I be expecting a reply here or through e-mail? Also I know some of these processes are important but is it okay if I remove/quarantine them for now? Thanks for your help

Yodama
2009-05-18, 10:17
For the time being do not remove the files.
After analysis you will receive an answer here and via email.

Yodama
2009-05-18, 16:00
We have analyzed the files you sent in.
The good news is that the files have not been compromised. We will change our detection rules to make sure they do not get detected.
This correction will be released with our next detection update, scheduled for 2009-05-20.

However, the reason why the file attributes were set to "hidden" could not be determined. I have sent you further instructions by email so we can make sure that there is nothing malicious hiding on your computer.

vecktor
2009-05-18, 19:28
E-mail + attachments sent, I appreciate the help!