Thread: False Positive for Virtumonde on Spybot-S&D?

  1. #1 Junior Member (joined Feb 2009, 3 posts)

    False Positive for Virtumonde on Spybot-S&D?

    Hello. Let me please start by saying that Vista is my O/S. I hope you can help me.

    This morning, I uninstalled an older version of Spybot-S&D (SSD) and downloaded and ran SSD v. 1.6.2. All worked well, I think: During the scan, no malware was detected.

    However, prior to uninstalling/installing this morning, over the past three days, I was receiving red alerts from SSD about a Virtumonde infection, as well as notices from SSD that there had been deletions to my registry regarding SSD. Whenever I received those notices, I tried to "deny changes" to the registry, but that didn't work; those S&D notice boxes kept jumping into view. I also repeatedly asked SSD to clean up the Virtumonde infection, but that didn't work, either.

    I was, therefore, very nervous and ran, two days ago, Vundofix.exe (which specifically roots out and supposedly destroys Virtumonde) and also installed Malwarebytes-AntiMalware (MWAB). To my surprise, neither Vundofix nor MWAB found any Virtumonde infection (nor did Norton Internet Security (NIS), which I already had installed), but despite repeated reboots, SSD continued to alert me to this infection. (Please note that it has always been my practice to run SSD updates and immunizations prior to each scan.) I began to suspect a false-positive reading from SSD regarding Virtumonde, especially since I have not been subjected to any pop-up windows (although it's true that I have blocked all pop-ups in my Windows security settings), nor have I noticed any other system problems at all.

    This morning (after deleting SSD's older version), as part of the process of installing SSD v. 1.6.2, I allowed SSD to make a back-up of my [registry?]. Now, I am wondering if, by my having made a back-up, whatever changes to my registry that Virtumonde -- if it did or does exist on my laptop -- may have made prior to this morning's back-up, would no longer be detectable by SSD. Should I NOT have made the back-up with today's date???

    In short, should I take SSD's previous red alerts about Virtumonde seriously and believe that my laptop was indeed (and may still be) infected with this Trojan -- or was this a false positive from an older version of SSD?

    I'm sorry that I didn't record the exact name of the Virtumonde infection that SSD was detecting or the registry changes to which it was alerting me. I hope this is sufficient information for you to address my concern. Thanks in advance for your help!

    P.S.: Please note that MWAB found and removed two other infections (Rogue.SpyCleaner and Rogue.WinAntivirus) that neither SSD nor NIS were able to detect.

  2. #2 drragostea, Senior Member (joined Jan 2008, location @Home, 3,674 posts)

    PleaseAdvise, welcome to SaferNetworking Forums.

    There seems to be a misunderstanding here, because the symptoms after a Virtumonde/Vundo cleanup usually follow with prompts from TeaTimer about a registry change and startup entries being removed. This is normal, because it indicates that the infection has been successfully removed. The problem was that you denied the changes that TeaTimer presented to you. After the cleanup, the registry changes were normal because the malicious registry keys were gone. However, by pressing Deny you are not allowing the registry key to be "removed".

    If you suspect that your machine may still have Virtumonde/traces, run a full anti-spyware scan with MBAM and Spybot-SD to clean up the traces.

    The next time Spybot (actually TeaTimer) prompts you about a deleted registry key, I would suggest you allow it. I'm referring to this situation, not to future events.

  3. #3 Junior Member (joined Feb 2009, 3 posts)

    False Positive for Virtumonde on Spybot-S&D?

    Thank you very much for your reply!

    I'm sorry about the confusion. As you surmised, when I received those TeaTimer alerts that important changes had been made to my registry and that start-up entries had been removed, I thought that meant that a Trojan had made all those changes without my knowledge or permission and that TeaTimer was alerting me to that maliciousness. I did not realize that those were changes made by TeaTimer as part of its clean-up process!

    I guess the confusion arises because the alerts are ambiguous and, as currently worded, may give other people, as well, the impression that malware has caused the changes. Perhaps the alerts could be changed to read clearly: "TeaTimer has made the following important changes to your registry as part of its clean-up measures: [whatever the changes are]...." Would this be possible?

    Also, did I make a mistake during the installation of Spybot-SD's latest version in allowing Spybot-SD to back up my registry when I had not approved TeaTimer's previous, suggested changes? Could I thus have left traces (such as malicious registry keys) of the Virtumonde infection on my computer, even though all anti-virus/anti-spyware scans run by Spybot-SD, MBAM and Norton Internet Security are now coming up clean? And could my actions then have caused Spybot-SD and the other programs to miss these remaining traces of the Virtumonde infection? Could I now, in effect, be receiving false negatives for Virtumonde?

    I guess this all means that there have been no recent reports of Spybot-SD raising a Virtumonde false alarm. Is this the case? If so, the infection on my laptop must have been real. It's strange, though, that Vundofix.exe never found any evidence of infection with Virtumonde, nor did MBAM and Norton Internet Security.

    Thanks so much for your time. I appreciate your help very much!

    Sincerely,

    PleaseAdvise

  4. #4 md usa spybot fan, Spybot Advisor Team [Retired] (joined Oct 2005, 5,859 posts)

    PleaseAdvise:

    Quote originally posted by PleaseAdvise:
    > ... Perhaps the alerts could be changed to read clearly: "TeaTimer has made the following important changes to your registry as part of its clean-up measures: [whatever the changes are]...." Would this be possible? ...

    When you receive a TeaTimer dialog message, TeaTimer is not making a change to the registry. It is alerting you to the fact that a change was made. At the point that TeaTimer recognizes that a change was made, it does not know what process changed it or why the change was made. TeaTimer is merely giving you the opportunity to let the registry change stand with an "Allow change" or to back the registry change out with a "Deny change".

    Getting an answer is one thing, learning is another.


    Microsoft Windows XP Home Edition running on a 2.40GHz Intel® Pentium® 4 Processor with 512 MB of RAM and a 533 MHz System Bus.
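    As an added illustration of the allow/deny model md usa spybot fan describes (this is example code written for this page, not Spybot's or TeaTimer's own code): a PowerShell snapshot-and-diff of the Run startup keys that reports each change and offers to keep it or restore the earlier value. The key paths are my assumption, since the thread only says "startup entries"; like TeaTimer, a snapshot diff can tell you that a value changed but not which process changed it.

```powershell
# Added example, not Spybot/TeaTimer code. Snapshot the Run startup keys, diff them
# after a cleanup, and let the operator "allow" (keep) or "deny" (restore) each change.
# A snapshot diff sees only the before/after state, never the process that made the change.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',   # assumed paths
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$Meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'  # provider noise

function Get-RunSnapshot {
    # Returns a hashtable of "KeyPath|ValueName" -> command line string
    $snap = @{}
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($Meta -contains $p.Name) { continue }
            $snap["$key|$($p.Name)"] = [string]$p.Value
        }
    }
    return $snap
}

function Compare-RunSnapshot {
    param([hashtable]$Before, [hashtable]$After)
    $changes = @()
    foreach ($k in (@($Before.Keys) + @($After.Keys) | Sort-Object -Unique)) {
        if ($Before.ContainsKey($k) -and -not $After.ContainsKey($k)) {
            $changes += [pscustomobject]@{ Id = $k; Kind = 'Removed'; Old = $Before[$k]; New = $null }
        } elseif (-not $Before.ContainsKey($k) -and $After.ContainsKey($k)) {
            $changes += [pscustomobject]@{ Id = $k; Kind = 'Added'; Old = $null; New = $After[$k] }
        } elseif ($Before[$k] -ne $After[$k]) {
            $changes += [pscustomobject]@{ Id = $k; Kind = 'Modified'; Old = $Before[$k]; New = $After[$k] }
        }
    }
    return $changes
}

function Deny-RunChange {
    # "Deny change": put the value back the way the snapshot had it (restored as REG_SZ).
    param([pscustomobject]$Change)
    $key, $name = $Change.Id -split '\|', 2
    if ($Change.Kind -eq 'Added') { Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue }
    else { Set-ItemProperty -Path $key -Name $name -Value $Change.Old }
}

$before = Get-RunSnapshot
Read-Host 'Snapshot taken. Run the cleanup (or wait for activity), then press Enter'
$after = Get-RunSnapshot
foreach ($c in (Compare-RunSnapshot -Before $before -After $after)) {
    Write-Host "$($c.Kind): $($c.Id)  old='$($c.Old)'  new='$($c.New)'"
    if ((Read-Host 'Allow change? (y/n)') -ne 'y') { Deny-RunChange -Change $c }
}
```

    Run it in an elevated PowerShell session if the HKLM key is to be restored; a "Removed" entry that a cleanup tool deleted is exactly the kind of change the thread says should be allowed rather than denied.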

  5. #5 Matt, Senior Member (joined Aug 2006, location Bavaria, 1,169 posts)

    Hi PleaseAdvise,

    Quote originally posted by PleaseAdvise:
    > Perhaps the alerts could be changed to read clearly: "TeaTimer has made the following important changes to your registry as part of its clean-up measures: [whatever the changes are]...." Would this be possible?

    Spybot 2.0 will have a new kind of "real-time" protection which won't be called TeaTimer any longer. You can ask PepiMK about this if you like.


    Quote originally posted by PleaseAdvise:
    > Also, did I make a mistake during the installation of Spybot-SD's latest version in allowing Spybot-SD to back up my registry when I had not approved TeaTimer's previous, suggested changes? Could I thus have left traces (such as malicious registry keys) of the Virtumonde infection on my computer, even though all anti-virus/anti-spyware scans run by Spybot-SD, MBAM and Norton Internet Security are now coming up clean? And could my actions then have caused Spybot-SD and the other programs to miss these remaining traces of the Virtumonde infection? Could I now, in effect, be receiving false negatives for Virtumonde?

    You can now (if you're sure that the computer is clean) make a new backup and delete the other one... or?

    If Vundofix, Spybot, Norton and MBAM don't find any Virtumonde... you should be clean...

    If you want to make sure, you can read the thread "BEFORE you POST" from tashi and open a new thread in the Malware Removal Forum. A security expert can help you there.

    Do you have any signs of malware?

    Best regards,
    -Matt-

  6. #6 Junior Member (joined Feb 2009, 3 posts)

    Thanks, everyone! My laptop shows no current signs of malware.

    I guess the problem is that when TeaTimer alerts us to changes, we, as laypeople, don't know whether these changes are good or bad and can't know whether to allow or deny them!

    I would have thought that whenever Spybot-SD makes its own changes to a registry (or whatever! I'm so new to this), then TeaTimer would know that and could reassure us that it was safe to allow Spybot-SD's changes. And if Spybot-SD did not make those changes, then TeaTimer could tell us that, too. This would go a long way to solving our problem!

    I'm going to go on the assumption that my system is now clean of malware. Hope so, anyway. I'm still nervous because I denied Spybot-SD's changes to which TeaTimer alerted me and am afraid that those malicious keys (or traces thereof) may still be on my system but undetectable since I ran a new back-up after denying the changes. (Once I ran the new version of Spybot-SD, those alerts stopped appearing.) But, I guess, if all my scans now run clean, I should relax.

    Thanks again.
