Fixed: Virtumonde all the time



dlbhina
2009-08-15, 00:45
I'm not sure....I'm using Vista. Every time I scan, it detects Virtumonde, in c:Win/sys32/zipfldr.DLL. So I run the program as Administrator, and clean it. Then when I reboot, and Spybot starts its auto search, there it is again! So I'm wondering is it not really cleaning it or what? Anyone have an idea? Thanks!

Matt
2009-08-15, 16:39
Hi dlbhina,

:welcome: to Safer Networking Forums.

Which version of Spybot do you use? :)

kenmur
2009-08-15, 19:36
I too have the same problem. I use Windows XP Media Centre Edition.
Is this a real threat? Event viewer sees c:Win/sys32/zipfldr.DLL as a protected Windows file and Windows keeps restoring the file after Spybot cleans it up.

Matt
2009-08-15, 19:43
Hi kenmur,

:welcome: to Safer Networking Forums.

It sounds like a false positive from Spybot 1.5.x. But this version is out of date. If you use this version, I would like you to uninstall Spybot 1.5.2, reboot your computer, delete all leavings manually and install Spybot 1.6.2 from here (http://www.safer-networking.org/en/ownmirrors3/index.html).

For the two of you:
Which version of Spybot do you use?

kenmur
2009-08-17, 15:28
Thank you Matt.
I tried as you said and it seemed to work. :thanks:
btw I was using 1.5.2.20 and now 1.6.2.46
Cheers,
Ken.

Matt
2009-08-22, 16:03
You're welcome. :bigthumb:

dlbhina
2009-08-24, 17:05
Thanks Matt. Was on vacation and didn't get to your reply until now.

Matt
2009-08-24, 19:20
I hope you enjoyed your time. :bigthumb:

Happy Safe Surfing!

Gerry_D
2009-08-26, 03:38
While I have not seen any classic symptoms of "Virtumonde", I always seem to find it in a scan.

I've been getting a similar false positive on a dll file or dll files that come under different names. Always in the C:\WINNT\system32 area.

Copying one of them and renaming to a txt file displays a company name in the file as: w w w . h e l i x c o m m u n i t y . o r g

This relates to RealPlayer (which I've tried to remove many times).

My version of S&D is 1.5.2.20

What worries me is the advice; "delete all leavings manually".

So if one does miss something, then what?

TIA,
Gerry

PS: While I donated many years ago, as soon as this old retired fart gets some expendable cash, I will do so again.

spybotsandra
2009-08-26, 11:26
Hello,

This is a false positive in older versions.
You seem to be using a dated version of Spybot-S&D.

Please uninstall Spybot - Search & Destroy according to the following link:
http://www.safer-networking.org/en/howto/uninstall.html
Then download our current version Spybot - Search & Destroy 1.6.2. That should fix it.
You will find links to several download locations for this new version on our web site:
http://www.safer-networking.org/en/mirrors/index.html

Best regards
Sandra
Team Spybot