Fixed: virtumonde trojan



alicez
2009-08-03, 22:37
My elderly neighbor ran SB tonight and she told me it found one problem. It states: Virtumonde - 1 entry Trojan.
How would we go about helping her get it off her old Vaio notebook, which is running Win98?

I posted the above on your regular SB forum and was told:

"Can you give me the path and filename(I want to eliminate the possibility that it is a false positive (FP) )?
"To be really on the safe side, I would like you to report a possible FP here."

I looked at the virtumonde in the Recovery and right clicked on it and see:
C:\Windows\System\DOSFNT01.dll

When my neighbor saw the virtumonde, she clicked on the Fix-It and then ran another scan. Nothing was found after this 2nd scan. Does she have to do anything else? Can she remove the virtumonde from her SB Recovery?

Please do not get too 'technical' as neither of us is a computer expert.
Thank you

MisterW
2009-08-04, 10:47
Hello,
are you able to send the file to detections@spybot.info? Or maybe even the recovery file?

Best regards,
Markus
Team Spybot

alicez
2009-08-04, 17:04
I would not know how to do that.
I am now corresponding with you via my own desktop computer.

alicez
2009-08-05, 16:59
I would not know how to do that.
I am now corresponding with you via my own desktop computer.

How would I do this?

drragostea
2009-08-05, 23:20
Manually navigate to the path:
C:\Windows\System\DOSFNT01.dll

using Windows Explorer. Start with "My Computer".

alicez
2009-08-06, 00:16
Thank you.
I do not see "DOSFNT01.dll" in the Windows/System (in her Win98).

Would that file be there after SB did the 'fix?' I thought it (the file) would be removed from there and placed in the SB Recovery (where it now is).

Is that the only place it would now be located? If I am supposed to make a copy of that file (in the Recovery), how would that be done? I tried to copy/paste, but nothing happened. How could I send that file in Recovery to you?

When I was told "are you able to send the file to detections@spybot.info ? Or maybe even the recovery file?" I took that to mean I would copy the file and paste it in an email and email it to: detections@spybot.info.
Is that correct?
I would like to clear up this matter for her so she doesn't worry about it too much more.
Thanks.
Alice

(P.S. Funny thing is I cannot access this forum via my IE7. I sign in and then get sent back to the sign-in screen again. Over and over. When I switch to Mozilla, I can get in with no problem. Any suggestions on how I can get into the forum using my IE7?)

drragostea
2009-08-06, 00:25
Sorry about being unclear. I missed the part about her removing that entry...

I was thinking about how, since Virtumonde was detected only as one entry, one file, it could be like a "trace". Or a mark. Like its parent files are missing. For example, a car without an engine.

Do not try this technique yet, I'll most likely need Mr. W's confirmation:
Recover the file from Quarantine, navigate to that path, make a copy of that file and email it to Spybot's detection area: detections (at) spybot. info.

alicez
2009-08-06, 01:18
Thanks.
You said: "Do not try this technique yet, I'll need most likely Mr. W's confirmation:
Recover the file from Quarantine, navigate to that path, make a copy of that file and email it to Spybot's detection area. detections (at) spybot. info."

I shouldn't do anything now, is that correct? I should wait until I hear from you?

When you say Quarantine, do you mean Recovery?

If it is removed from the Recovery (and then restored) and then I make a copy of it and email to detections@spybot.info, what do I do next? Do I do another scan and then remove it again?

Sorry for all the questions but this is all quite confusing.
Alice

drragostea
2009-08-06, 03:42
The forums are here to give the users a friendly support environment.

I've PM'ed (Private Messaged) him, and I'm awaiting a response.
Basically, when you recover an item from the Quarantine/Recovery, it'll literally bring back the item to where it was originally found.

So, yes you should recover it, find it in the 'system' folder, send it to the detections email, most preferably with a link to this thread, and then rescan and proceed to remove that flagged entry again.

MisterW
2009-08-06, 09:20
Hello,
Before you restore the file, which would mean a possible risk for your computer, please have a look at the recovery files themselves. They are stored at

c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery

There should be one file named something like Virtumonde.zip. Please send this file to us via mail.

Best regards,
Markus

@drragostea: Sorry for my late reply to your pm!
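
As an added example (not part of the original thread or Spybot's own code), here is a small script that inspects a recovery archive like the one Markus describes without restoring anything to the live system: it lists each member, records its size and SHA-256 hash, and flags whether it looks like a Windows executable/DLL (starts with "MZ"). Recording the hash is useful when reporting a possible false positive. The archive built here is a constructed stand-in; it assumes the recovery file is a plain ZIP whose members are the quarantined files, which is an assumption about the format, not something the thread confirms.

```python
import hashlib
import io
import zipfile


def build_sample_recovery_zip() -> bytes:
    """Constructed stand-in for a Spybot recovery archive (assumption: plain ZIP
    containing the quarantined file). The DLL body is fake sample data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        fake_dll = b"MZ" + b"\x00" * 62 + b"constructed fake font DLL body"
        zf.writestr("DOSFNT01.dll", fake_dll)
    return buf.getvalue()


def inventory_recovery_zip(data: bytes) -> list[dict]:
    """Read-only inventory of a recovery archive: name, size, SHA-256 and a
    simple PE ("MZ") header check per member. Nothing is written to disk."""
    entries = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            content = zf.read(info)
            entries.append(
                {
                    "name": info.filename,
                    "size": info.file_size,
                    "sha256": hashlib.sha256(content).hexdigest(),
                    "looks_like_pe": content[:2] == b"MZ",
                    # member names containing path separators or ".." would be a
                    # sign the archive is not a simple quarantine of one file
                    "plain_name": "/" not in info.filename
                    and "\\" not in info.filename
                    and ".." not in info.filename,
                }
            )
    return entries


if __name__ == "__main__":
    for e in inventory_recovery_zip(build_sample_recovery_zip()):
        print(f"{e['name']}  {e['size']} bytes  sha256={e['sha256']}  "
              f"pe={e['looks_like_pe']}  plain_name={e['plain_name']}")
```

To use it on a real archive, replace the constructed sample with the bytes of the Virtumonde.zip from the Recovery folder (open it with `open(path, "rb").read()`); the hash lines can then go into the e-mail to detections@spybot.info alongside the file.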

GhanGuy
2009-08-06, 21:09
Similar to this thread started above, I visited my out-of-state sister last weekend, and updated her Spybot (she is not computer savvy). After running a scan, it turned up two instances of virtumonde trojan on her PC. One is cqsccol.dll, and the other dosfnt01.dll. I clicked the fix problem button, and Spybot said both instances were fixed. Then I re-scanned her PC, and it again turned up the two instances of virtumonde trojan. I repeated the fix problem, but the re-scan again showed the virtumonde trojan. I rebooted her PC, and again Spybot was not able to successfully permanently remove the trojan.

She runs Windows ME.

Any suggestions on how to permanently remove the virtumonde trojan? What is the danger of not being able to delete it?

Thanks for the help....

tashi
2009-08-06, 22:08
Hello GhanGuy

The issue "False Positives > virtumonde trojan" has not been marked as resolved yet. :)



She runs Windows ME.

Meanwhile please see: End of support for Windows 98 and Windows ME (http://forums.spybot.info/showpost.php?p=28501&postcount=3)

Best regards.

MisterW
2009-08-06, 22:12
Hello,
it would be very helpful if you could provide us these files. Please send them to detections@spybot.info. If it is a false positive we will solve it with our next update, scheduled for Wednesday.

Best regards,
Markus
Team Spybot

GhanGuy
2009-08-06, 23:21
Tashi - Thank you for the quick reply. Spybot runs well on Windows ME (unlike some other programs that are not backwards compatible). It's too bad that Microsoft does not support the older software at all. My sister will probably unfortunately keep running Windows ME until it gets totally corrupted.

MisterW - I have returned home, so I cannot forward you the affected .dll files. I'll try to talk my sister through the process of sending them to you.

alicez
2009-08-08, 03:33
Hello,
Before you restore the file, which would mean a possible risk for your computer, please have a look at the recovery files themselves. They are stored at

c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery

There should be one file named something like Virtumonde.zip. Please send this file to us via mail.

Best regards,
Markus

@drragostea: Sorry for my late reply to your pm!
=======================

How do I send via email?

MisterW
2009-08-11, 16:01
Hello,
we got your mail and we can confirm that it is a false positive and will be fixed in the next update scheduled for Wednesday

Best regards,
Markus

alicez
2009-08-11, 16:57
Hello,
we got your mail and we can confirm that it is a false positive and will be fixed in the next update scheduled for Wednesday

Best regards,
Markus

Thank you.

What should I do now? Should I remove the Virtumonde from Recovery?
Should I restore the Virtumonde? If so, how would I do that?

Yodama
2009-08-14, 12:58
@alicez

yes please recover these 2 files,

start Spybot S&D
click on recovery
look for the 2 files named above
select them and click on the check boxes until there are green checkmarks
click on recover selected items

tiger2
2009-08-14, 14:01
What do you mean by:
"look for the 2 files named above"

I think there is only one file, namely: Virtumonde

I'll be going to my neighbor's house tomorrow when I can see what actually is in the Recovery.

AliceZ (Sorry for posting under my husband's sign-in name!)

tiger2
2009-08-16, 17:43
Similar to this thread started above, I visited my out-of-state sister last weekend, and updated her Spybot (she is not computer savvy). After running a scan, it turned up two instances of virtumonde trojan on her PC. One is cqsccol.dll, and the other dosfnt01.dll. I clicked the fix problem button, and Spybot said both instances were fixed. Then I re-scanned her PC, and it again turned up the two instances of virtumonde trojan. I repeated the fix problem, but the re-scan again showed the virtumonde trojan. I rebooted her PC, and again Spybot was not able to successfully permanently remove the trojan.

She runs Windows ME.

Any suggestions on how to permanently remove the virtumonde trojan? What is the danger of not being able to delete it?

Thanks for the help....

Just a thought: I think it would be proper for you to have posted your question as a separate thread, as I am getting messages when answers are posted to your question(s). Thank you.

tiger2
2009-08-16, 17:50
I downloaded the newest updates for S&D and then removed the virtumonde from Recovery and then did another scan. Nothing was found! Do you still need me to send you a report from my neighbor's computer? Or isn't that needed any longer?
Can we consider this matter completed and closed?

Re:
Hello, thank you for sending in the requested file.
I can confirm that it is a false positive. This file is a font file for a Lexmark printer. You should use the recovery function within Spybot S&D to recover this file.
To fix this issue within our detection rules we need you do a scan after recovering the file.
Do not fix the found item but right click the scan result and choose to save a full report to your desktop. Please send us the report file with your next email.
You can also right click the scan result and choose to exclude it from further searches, so this false positive will not occur on your computer again.
Best regards, Van Vi Truong

drragostea
2009-08-17, 06:05
It has been confirmed. No need for any reports.