Vundo Trojan?



cetuskun
2010-04-30, 16:48
I've been fighting with a fake rogue antivirus program called AntiVirus Soft over the past month or two. I thought I eliminated it with Malwarebytes, but it keeps coming back. I recently installed Spybot and after removing the entries related to it my system seems fine. However, Spybot picked up Virtumonde.sdn in my Windows NT folder under the file name PFW. I've read that Virtumonde is known to spread fake antivirus software online. Is this a false positive or do I really have it? Spybot wasn't able to remove the Virtumonde entry because it said I needed administrator rights. I'm running Windows Vista.

Also should I use this removal tool to get rid of Vundo/Virtumonde if I have it?

http://www.symantec.com/security_response/writeup.jsp?docid=2004-112210-3747-99

Thanks.

tashi
2010-04-30, 17:02
Hello cetuskun,

I recently installed Spybot and after removing the entries related to it my system seems fine. However, Spybot picked up Virtumonde.sdn in my Windows NT folder under the file name PFW. I've read that Virtumonde is known to spread fake antivirus software online. Is this a false positive or do I really have it?
How to report Possible False Positives (http://forums.spybot.info/showthread.php?t=19117)


Spybot wasn't able to remove the Virtumonde entry because it said I needed administrator rights. I'm running Windows Vista.
"On Windows Vista and Windows 7, Spybot-S&D might tell you that you are not authorized to perform some actions, since they require Administrator rights. You can solve this problem as follows:

1. Right-click the Spybot - Search & Destroy entry in your start menu, instead of just left-clicking to start it.
2. Choose Run as administrator from the context menu."

From our FAQ here: http://www.safer-networking.org/en/faq/42.html

There is also a screen shot which should help. :)

I've been fighting with a fake rogue antivirus program called AntiVirus Soft over the past month or two. I thought I eliminated it with Malwarebytes, but it keeps coming back.
If running Spybot-S&D with Administrator rights does not resolve the issue, try running Spybot in safe mode.

Next option would be to follow the instructions in this link to post a preliminary DDS log: "BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

Then start a new topic in the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22) and copy and paste the log into it; an analyst will advise you as soon as one is available.

Best regards. :)

Matt
2010-04-30, 17:37
Hi cetuskun,

Spybot picked up Virtumonde.sdn in my Windows NT folder under the file name PFW.
Sounds like a confirmed Virtumonde false positive:
Confirmed: Virtumonde.sdn (http://forums.spybot.info/showthread.php?t=57102)