Fixed: mfc40.dll



Ravic
2010-11-25, 03:26
Having problems with mfc40.dll. Is this a false positive or is it really infected? There seems to be no problem caused so far but I'm still really worried. It's been 4 weeks and file is still detected on the heuristic portion. Cannot be deleted as the file is recreated even if secure shredder was used to delete it, probably because it is a critical Windows file. Really need help here.

tashi
2010-11-25, 07:08
Hello Ravic,

Please see How to report possible False Positives (http://forums.spybot.info/showthread.php?t=19117) :)

Best regards.

Yodama
2010-11-25, 08:01
It is not a critical system file in any case. If you have Visual C++ installed, the file may belong to that.
It is best to follow the instructions linked by Tashi above and send in the file to detections@spybot.info with a reference to this thread.

CRage
2010-11-25, 19:36
I can report the same issue since yesterday's update. SBI $DB0322C4.

Ironcleaver
2010-11-26, 01:17
Started seeing this with the latest update of S&D. Had me spooked, it's been a few years since I did a fresh install of Windows, so now was as good a time as any; mfc40.dll still shows, has to be a false positive of some type. When I did a fresh install I also did some repartitioning, so I know there is nothing left of the old file system at all.

Operating System: Windows XP Professional, fully updated
Browser and Version: FireFox v3.6.12
Version of Spybot S&D and Date: 1.6.2.46, 11/24/2010
Where did the false positive occur: Scan result


Virtumonde.dll: [SBI $4792FFB9] Library (File, nothing done)
C:\WINDOWS\system32\mfc40.dll
Properties.size=924432
Properties.md5=8F4CE043F4F6401EB05D21E8EC16D566
Properties.filedate=1091620800
Properties.filedatetext=2004-08-04 07:00:00

If you need more info, please let me know.

badcat
2010-11-26, 01:22
After updating yesterday and running scan - reports as a "Virtumonde.dll" in C:\Windows\System 32\mfc40.dll. Heuristic - Trojan c-05.

Spybot - offers to refix - and reboot ....but after doing that, on re-scan it shows up again.

None of my other malware programs show it.

justyne5
2010-11-26, 08:21
I can also report this same issue ($DBO322C4), happened immediately after I had Spybot updated today. Prior scan just before the update did not show this.

DarkGuyver
2010-11-26, 14:50
I've experienced the same problem since updating yesterday as well, also Spybot Search & Destroy has stated that my registry has been corrupted since I turned off the Automatic Update Alert Me option on the Security Center on Windows XP.

Also mfc40.dll is not a trojan, it is a genuine Microsoft application which should not be deleted. Check here for more details: http://www.processlibrary.com/directory/files/mfc40/

MisterW
2010-11-26, 15:53
Hello,
I can confirm that this is a false positive that will be fixed with our next update scheduled for Wednesday

Best regards,
Markus
Team Spybot

hemingray
2010-11-27, 21:47
Could those of us who deleted it get some instructions on restoring it? :thanks:

flakeup
2010-11-29, 04:48
Probably won't need to as it keeps coming back anyway lol

It is on c:\Windows/system32/mfc40.dll and
c:\Windows/system32mfc40.dll_tobe_deleted
(Kind: trojan c-05) every time

fontwell
2010-11-29, 14:53
S&D found this file on my pc, then a strange message about reboot to remove now yes/no still half way through the scan.

So I deleted the file (no quarantine?) and rebooted, then it started on some other type of scan which went on forever.

Then it turns out to be a false positive, if it wasn't for the fact that this could happen with any malware scanner I would uninstall S&D.

I am now doing another scan so don't know if it's still there.

I found the file on another pc if anyone wants to download it (win7)

http://www.mediafire.com/?byaufxrnj2v9bzh

clearmarble
2010-11-29, 19:00
Glad I came here and saw Namrepus's post about the alleged Virtumonde. I have exactly the same (mfc40.dll)
and have been worrying what on earth it is, and why my Norton hasn't picked it up. So what is it please??
Thank you.

Namrepus221
2010-11-29, 19:31
Unfortunately, in my post, mfc40.dll is not mentioned, as well as it not being in any log from Spybot. It's a different file that I keep getting than mfc40.dll

I just think spybot is giving a false positive because other checkers specifically for vundo infections aren't finding the same thing or anything at all.

Yodama
2010-11-30, 07:18
The mfc40.dll is used by older versions of Visual C++ and Visual Studio, it could also be used by other C/C++ based software.
Yesterday on Monday 29.12.2010 we released an update to fix this false positive.

If somehow Spybot S&D managed to remove the mfc40.dll you can restore it with the built-in recovery function from Spybot S&D.

@Namrepus221
if you have a different possible false positive follow the steps here (http://forums.spybot.info/showthread.php?t=19117)
on how to report a false positive. Just posting that it is about Virtumonde.dll is not enough since our database has several hundred thousand entries concerning Virtumonde.

sleep
2011-01-09, 22:47
@Yodama
Apologies this is my first post (yes I'm a newbie) and if I was supposed to start a new thread then let me know and I will. My question is not about mfc40.dll or false positive.

It's about detecting and removing Virtumonde. I have SpybotS&D (version 1.6.2.46) using from a USB of HirensBootCD running its MiniXP. I did a scan on my laptop which I know has issues trojans etc. The SpybotS&D scan has reported many. One in particular is :-
Virtumonde.dll (threat TrojansC-05). Reading the bottom of the description it says:
"Removal requires reboot, the internet Explorer should not be used when infected with Virtumonde. For further help with removal please contact Team Spy S&D via email detections@spybot.info or furums: http://forums.spybot.info/"
That is why I am here.

So if I allow spybotS&D to clean this trojan and reboot is that enough and I can start using IE again?

OR are there some extra steps to do from this forum to remove Virtumonde.dll (threat TrojansC-05)?

Many Thanks.
Kind Regards,
Sleep

Yodama
2011-01-10, 07:40
If you are using Spybot S&D from a bootcd it will be able to remove all entries it finds since the malware is not able to run and protect itself. However with a threat like Virtumonde it is possible that parts of it evade detection by pure diversity. So before you start using the IE again you should make sure that there are no more Virtumonde files on your computer that can be started.

To do that you can send in a Spybot S&D report file (right click the scan results screen and choose to save a full report) or you can check this yourself by looking at the entries for BHO and System Startup and looking up the entries you find. Most Virtumonde infections use random names for dynamic library files (dll) and try to load them via BHO, System Startup and Winlogon.
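
Added example, not part of the thread and not Spybot S&D's own tooling: a read-only PowerShell listing of the three load points named in the last post (BHO, System Startup, Winlogon), so each registered DLL can be looked up by name and path. It assumes it is run from the installed Windows (not from a boot CD, where the live registry belongs to the rescue system) and covers only the 32/64-bit native view; the `Get-Publisher` helper and the column names are made up for this example.

```powershell
# Added example: enumerate DLLs/commands registered under BHO, Run keys and Winlogon Notify.
# Read-only. Random-looking DLL names in System32 with no publisher are the entries to look up.

function Get-Publisher($target) {
    # CompanyName is self-declared metadata: useful for triage, not proof of origin.
    if (-not $target) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($target.Trim('"'))
    if (-not [IO.Path]::IsPathRooted($p)) { $p = Join-Path $env:SystemRoot "System32\$p" }
    if (Test-Path -LiteralPath $p -PathType Leaf) {
        (Get-Item -LiteralPath $p).VersionInfo.CompanyName
    } else { '<file not found>' }
}

$rows = @()
$sw = 'HKLM:\SOFTWARE'

# 1. Browser Helper Objects: each subkey is a CLSID; its DLL is the
#    default value of CLSID\<id>\InprocServer32.
$bho = "$sw\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
foreach ($k in Get-ChildItem $bho -ErrorAction SilentlyContinue) {
    $srv = Get-Item "$sw\Classes\CLSID\$($k.PSChildName)\InprocServer32" -ErrorAction SilentlyContinue
    $dll = if ($srv) { $srv.GetValue('') } else { $null }
    $rows += [pscustomobject]@{ Source = 'BHO'; Name = $k.PSChildName
                                Target = $dll; Publisher = Get-Publisher $dll }
}

# 2. System Startup: Run/RunOnce values are full command lines (often rundll32 + a DLL).
foreach ($hive in 'HKLM:', 'HKCU:') {
    foreach ($run in 'Run', 'RunOnce') {
        $key = Get-Item "$hive\SOFTWARE\Microsoft\Windows\CurrentVersion\$run" -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($n in $key.GetValueNames()) {
            $rows += [pscustomobject]@{ Source = "$hive $run"; Name = $n
                                        Target = $key.GetValue($n); Publisher = $null }
        }
    }
}

# 3. Winlogon Notify packages (Windows XP-era mechanism): DllName under each subkey.
$notify = "$sw\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
foreach ($k in Get-ChildItem $notify -ErrorAction SilentlyContinue) {
    $dll = $k.GetValue('DllName')
    $rows += [pscustomobject]@{ Source = 'Winlogon Notify'; Name = $k.PSChildName
                                Target = $dll; Publisher = Get-Publisher $dll }
}

$rows | Sort-Object Source, Name | Format-Table -AutoSize -Wrap
```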