
Thread: Virtumonde.sdn and Lojack False Positive

  1. #1
    Junior Member (Join Date: Jun 2009; Location: Petaluma Ca.; Posts: 7)

    Virtumonde.sdn and Lojack False Positive

    Hi All
    Over at Malware removal we have determined that LoJack for Laptops may cause a false positive for Virtumonde.sdn in the rpcnet.exe and rpcnet.dll files in C:\WINDOWS\System32\
    Malware removal thread is:

    Aw Nutz Virtumonde.sdn Please Help

    I have read the Sticky: How to report False Positives

    So System is a Dell Laptop XPS M1730
    OS Windows XP Pro Service pack 3
    Browser Firefox 3.10
    Spybot Version 1.6.2.46 Last Run Today (06/19/2009)
    TeaTimer is Off (per instructions)
    Scan Result From Checks.txt
    --- Report generated: 2009-06-19 07:45 ---

    Virtumonde.sdn: [SBI $75457FE7] Library (File, nothing done)
    C:\WINDOWS\system32\rpcnet.dll
    Properties.size=51200
    Properties.md5=D04983957CC85EA60E5B2D8A23B54D8B
    Properties.filedate=1245421898
    Properties.filedatetext=2009-06-19 07:31:38

    Please note that C:\WINDOWS\System32\rpcnet.exe is also included in this problem.
    I have opened a ticket with LoJack inquiring about this, and they confirm that both these files are theirs and can safely be set as not dangerous. They did not give me an MD5 hash to confirm; however, they also stated that they have opened tickets with various companies. Have they done so with you? The files cannot be moved or modified (I believe BIOS generated). So how can I "whitelist" this until a fix in Spybot is in place? I live on serious pain meds, so if I type something unclear or goofy, or don't respond for a while, please bear with me...
    Please advise as to what to do next.
    Thanks

    Ken Corvino
    Last edited by kencor; 2009-06-19 at 17:49.
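As an added example (not from this thread, and not Spybot's own code), here is a small Python parser for the Checks.txt layout quoted in the post above, plus a hash-pinned allowlist check: a suspected false positive is excluded only when both the path and the recorded MD5 match a vetted value, so a different file dropped at the same path is not silently ignored. The ALLOWLIST and its contents are an assumption for illustration.

```python
import hashlib
import re

# Constructed sample in the Checks.txt layout quoted in the post above.
SAMPLE_REPORT = r"""--- Report generated: 2009-06-19 07:45 ---

Virtumonde.sdn: [SBI $75457FE7] Library (File, nothing done)
C:\WINDOWS\system32\rpcnet.dll
Properties.size=51200
Properties.md5=D04983957CC85EA60E5B2D8A23B54D8B
Properties.filedate=1245421898
Properties.filedatetext=2009-06-19 07:31:38
"""

# Detection header line: "<name>: [SBI $<id>] <kind>"
DETECTION_RE = re.compile(r"^(?P<name>[^:]+): \[(?P<sbi>SBI \$[0-9A-F]+)\] (?P<kind>.+)$")

def parse_checks(text):
    """Parse a Spybot Checks.txt report into a list of detection dicts."""
    detections, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("--- Report"):
            continue
        m = DETECTION_RE.match(line)
        if m:
            current = {**m.groupdict(), "path": "", "props": {}}
            detections.append(current)
        elif current is None:
            continue  # stray line before any detection header
        elif line.startswith("Properties."):
            key, _, value = line[len("Properties."):].partition("=")
            current["props"][key] = value
        elif not current["path"]:
            current["path"] = line  # first bare line after the header is the path
    return detections

# Hypothetical allowlist of (path, MD5) pairs; the hash is the one quoted in the report.
ALLOWLIST = {("c:\\windows\\system32\\rpcnet.dll", "d04983957cc85ea60e5b2d8a23b54d8b")}

def is_allowlisted(det):
    """Suppress a hit only when BOTH path and recorded MD5 match a vetted entry,
    so a different file dropped at the same path is not silently excluded."""
    return (det["path"].lower(), det["props"].get("md5", "").lower()) in ALLOWLIST

def file_md5(data):
    """MD5 of on-disk bytes, to check the file still matches the report entry."""
    return hashlib.md5(data).hexdigest()
```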

  2. #2
    Senior Member Yodama (Join Date: Oct 2005; Location: Buchenheim; Posts: 1,110)

    Thank you for reporting this false positive.
    I can confirm the false positive with the rpcnet.dll, this will be fixed with the update scheduled for 2009-06-24.

    To confirm and fix the false positive with the rpcnet.exe however we do require the file for analysis. Please zip the file and send it to detections@spybot.info

    Until the fix is applied you can exclude rpcnet.dll and rpcnet.exe from the scan result by right-clicking the items in the Spybot S&D scan result and selecting "exclude this detection from further searches".
    born in the shadow to die in the shadow, that is the fate of the shinobi

    Spybot S&D Downloads

    Please help us improve Spybot and download our distributed testing client.

  3. #3
    Junior Member (Join Date: Jun 2009; Posts: 2)

    virtumonde.sdn

    the same thing has been happening to me. tbh i really don't know what the file does.. i found it in my system32 folder.. it's called rcpnet.dll
    spybot has been detecting it as virtumonde.sdn. i have clicked on "fix selected problems" like 10 times now.. and every time it takes care of it.. and the next time i scan, it's there AGAIN!!!
    could you please let me know if this is a false alarm or if it really is a worm? any help will be much appreciated!

    cheers,
    roshni

    ps. i tried uploading the files but couldn't! sorry!

  4. #4
    Junior Member (Join Date: Jun 2009; Location: Petaluma Ca.; Posts: 7)

    Yet Unverified: Virtumonde.sdn and Lojack False Positive

    Hi Roshni
    I should have posted that I had uploaded the files. My bad, sorry.
    ahem...

    I have uploaded the requested files, and right-clicked on the files per direction.

    Here's a quick summary of what I am doing/have done/ found out.
    Please note
    1) I am NOT affiliated with Spybot in any way, nor am I authorized to help.

    2) This is entirely on my own single system, and I would advise you that what has worked for me may not work for you.

    3) You should open a ticket with the Malware Removal group and ask for their help. They can help you to determine that, Yes, you have a False Positive or No, you have a real Virtumonde.sdn infection, and suggest courses of action. Read the Stickies! They do help.

    Here is a history of what may be/has been going on.
    Spybot did somewhat the same to me, said it found and cleaned a Virtumonde.sdn infection up, when apparently it had not. When I could not find the source of infection, I opened a thread over at Malware Removal. The Thread I opened is

    Aw Nutz Virtumonde.sdn Please Help.

    with my login kencor
    It's in the Archives.

    The Malware remover pskelley (Thanks Phil!) took up my case and then waded through miles and miles of log files to determine what was going on. This was an interactive process where he asked for info, and when he got that, had me update, fix and then regenerate logs and resubmit. After a couple of rounds of email back and forth, we got my system current and as hardened as is reasonable for Windoze. This allowed him and me to determine where the possible source of "infection" was, and that it Might, repeat Might, be a False Positive.
    I have a Dell laptop with LoJack software (from Absolute Software) preinstalled in my BIOS. It appears that on MY laptop, LoJack generates the following files from the BIOS on reboot. These files are:

    rpcnet both an EXE and a DLL.

    And that it was probably not a Trojan or Virus, but that the signature (structure?) of those generated files appears to be Virtumonde.sdn.
    He then directed me to the people over here. They asked me to upload the files to continue the investigation and to confirm if it was a False Positive (hence the subject line reads in part, Yet Unverified). Which is where you came in, kinda in the middle of the process.
    Virtumonde.sdn does lotsa strange things (I Googled it, and as you probably did, looked at all of the entries under Malware Removal).

    I know that this process looks long and involved, but it is not; most of these files are generated from various software they ask you to run. I am on Morphine for chronic pain, and if I can do it, then it cannot be too bad. Phil has been very clear and patient with me and deserves all of the praise he can get.

    Please read where they have confirmed that MY "infection" is a False Positive, and there is a fix for my "infection", and know that I have applied it to my laptop. If you try my fix, know that it may not work for you; it appears to have worked for me. Thanks Spybot.

    Once again all I can say is open a thread, over at Malware Removal, these people are doing this for free (!) and the service I have received has been first rate.

    Hope This Helps

    Good Luck

    Ken

  5. #5
    Junior Member (Join Date: Jun 2009; Location: Petaluma Ca.; Posts: 7)

    Yet Unverified: Virtumonde.sdn and Lojack False Positive

    So...
    This has been confirmed and we can close this thread?
    I am sorry I have taken so long to respond, but I've been really hitting the pain meds (not an excuse, an explanation).
    Spybot has not come up with a Virtumonde.sdn since the update. If I can close this out here, I will close the ticket I have open with Absolute Software (LoJack), and then I will close the thread over at Malware Removal and turn on my Tea Timer.

    Thanks

    Ken

  6. #6
    Senior Member Yodama (Join Date: Oct 2005; Location: Buchenheim; Posts: 1,110)

    The false positive for rpcnet.dll has been confirmed and fixed.
    But the false positive for rpcnet.exe has still not been confirmed; please send in the file rpcnet.exe to detections@spybot.info.
