False Positive for Virtumonde on Spybot-S&D?
Hello. Let me please start by saying that Vista is my O/S. I hope you can help me. :)
This morning, I uninstalled an older version of Spybot-S&D (SSD) and downloaded and ran SSD v. 1.6.2. All worked well, I think: During the scan, no malware was detected.
However, prior to uninstalling/installing this morning, over the past three days, I was receiving red alerts from SSD about a Virtumonde infection, as well as notices from SSD that there had been deletions to my registry regarding SSD. Whenever I received those notices, I tried to "deny changes" to the registry, but that didn't work; those S&D notice boxes kept jumping into view. I also repeatedly asked SSD to clean up the Virtumonde infection, but that didn't work, either.
I was, therefore, very nervous and ran, two days ago, Vundofix.exe (which specifically roots out and supposedly destroys Virtumonde) and also installed Malwarebytes-AntiMalware (MWAB). To my surprise, neither Vundofix nor MWAB found any Virtumonde infection (nor did Norton Internet Security (NIS), which I already had installed), but despite repeated reboots, SSD continued to alert me to this infection. (Please note that it has always been my practice to run SSD updates and immunizations prior to each scan.) I began to suspect a false-positive reading from SSD regarding Virtumonde, especially since I have not been subjected to any pop-up windows (although it's true that I have blocked all pop-ups in my Windows security settings), nor have I noticed any other system problems at all.
This morning (after deleting SSD's older version), as part of the process of installing SSD v. 1.6.2, I allowed SSD to make a back-up of my [registry?]. Now, I am wondering if, by my having made a back-up, whatever changes to my registry that Virtumonde -- if it did or does exist on my laptop -- may have made prior to this morning's back-up, would no longer be detectable by SSD. Should I NOT have made the back-up with today's date?
In short, should I take SSD's previous red alerts about Virtumonde seriously and believe that my laptop was indeed (and may still be) infected with this Trojan -- or was this a false positive from an older version of SSD?
I'm sorry that I didn't record the exact name of the Virtumonde infection that SSD was detecting or the registry changes to which it was alerting me. I hope this is sufficient information for you to address my concern. Thanks in advance for your help!
P.S.: Please note that MWAB found and removed two other infections (Rogue.SpyCleaner and Rogue.WinAntivirus) that neither SSD nor NIS were able to detect.
Thank you very much for your reply!
I'm sorry about the confusion. As you surmised, when I received those TeaTimer alerts that important changes had been made to my registry and that start-up entries had been removed, I thought that meant that a Trojan had made all those changes without my knowledge or permission and that TeaTimer was alerting me to that maliciousness. I did not realize that those were changes made by TeaTimer as part of its clean-up process!
I guess the confusion arises because the alerts are ambiguous and, as currently worded, may give other people, as well, the impression that malware has caused the changes. Perhaps the alerts could be changed to read clearly: "TeaTimer has made the following important changes to your registry as part of its clean-up measures: [whatever the changes are]...." Would this be possible?
Also, did I make a mistake during the installation of Spybot-SD's latest version in allowing Spybot-SD to back up my registry when I had not approved TeaTimer's previous, suggested changes? Could I thus have left traces (such as malicious registry keys) of the Virtumonde infection on my computer, even though all anti-virus/anti-spyware scans run by Spybot-SD, MBAM and Norton Internet Security are now coming up clean? And could my actions then have caused Spybot-SD and the other programs to miss these remaining traces of the Virtumonde infection? Could I now, in effect, be receiving false negatives for Virtumonde?
I guess this all means that there have been no recent reports of Spybot-SD raising a Virtumonde false alarm. Is this the case? If so, the infection on my laptop must have been real. It's strange, though, that Vundofix.exe never found any evidence of infection with Virtumonde, nor did MBAM and Norton Internet Security.
Thanks so much for your time. I appreciate your help very much!
Sincerely,
PleaseAdvise