
Thread: virtumonde trojan

  1. #1 alicez

    virtumonde trojan

    My elderly neighbor has run SB tonight and she told me it found one Problem. It states: Virtumonde - 1 entry Trojan.
    How would we go about helping her get it off of her old Vaio notebook which is using Win98?

    I posted the above on your regular SB forum and was told:

    "Can you give me the path and filename(I want to eliminate the possibility that it is a false positive (FP) )?
    "To be really on the safe side, I would like you to report a possible FP here."

    I looked at the virtumonde in the Recovery and right clicked on it and see:
    C:\Windows\System\DOSFNT01.dll

    When my neighbor saw the virtumonde, she clicked on the Fix-It and then ran another scan. Nothing was found after this 2nd scan. Does she have to do anything else? Can she remove the virtumonde from her SB Recovery?

    Please do not get too 'technical' as neither one of us is a computer expert.
    Thank you.
    Vista also Win7 (64-Bit) IE 9; MSE; SpywareBlaster; MalwareBytes; SpyBot

  2. #2 (Retired)

    Hello,
    are you able to send the file to detections@spybot.info? Or maybe even the recovery file?

    Best regards,
    Markus
    Team Spybot

  3. #3 alicez

    I would not know how to do that.
    I am now corresponding with you via my own desktop computer.

  4. #4 alicez

    Quote Originally Posted by alicez:
        I would not know how to do that.
        I am now corresponding with you via my own desktop computer.

    How would I do this?

  5. #5 drragostea

    Manually navigate to the path:
    C:\Windows\System\DOSFNT01.dll

    using Windows Explorer. Start with "My Computer".

  6. #6 alicez

    Thank you.
    I do not see "DOSFNT01.dll" in the Windows/System (in her Win98).

    Would that file be there after SB did the 'fix?' I thought it (the file) would be removed from there and placed in the SB Recovery (where it now is).

    Is that the only place it would now be located? If I am supposed to make a copy of that file (in the Recovery), how would that be done? I tried to copy/paste, but nothing happened. How could I send that file in Recovery to you?

    When I was told "are you able to send the file to detections@spybot.info ? Or maybe even the recovery file?" I took that to mean I would copy the file and paste it in an email and email it to: detections@spybot.info.
    Is that correct?
    I would like to clear up this matter for her so she doesn't worry about it too much more.
    Thanks.
    Alice

    (P.S. Funny thing is I cannot access this forum via my IE7. I sign-in and then get sent back to the sign-in screen again. Over and over. When I switch to Mozilla, I can get in with no problem. Any suggestions how I can get into the forum using my IE7.)

  7. #7 drragostea

    Sorry about being unclear. I missed the part about her removing that entry...

    I was thinking about how, since Virtumonde was detected only as one entry, one file, it could be like a "trace". Or a mark. Like its parent files are missing. For example, a car without an engine.

    Do not try this technique yet, I'll need most likely Mr. W's confirmation:
    Recover the file from Quarantine, navigate to that path, make a copy of that file and email it to Spybot's detection area. detections (at) spybot. info.

  8. #8 alicez

    Thanks.
    You said: "Do not try this technique yet, I'll need most likely Mr. W's confirmation:
    Recover the file from Quarantine, navigate to that path, make a copy of that file and email it to Spybot's detection area. detections (at) spybot. info."

    I shouldn't do anything now, is that correct? I should wait until I hear from you?

    When you say Quarantine, do you mean Recovery?

    If it is removed from the Recovery (and then restored) and then I make a copy of it and email to detections@spybot.info, what do I do next? Do I do another scan and then remove it again?

    Sorry for all the questions but this is all quite confusing.
    Alice

  9. #9 drragostea

    The forums are here to give the users a friendly support environment.

    I've PM'ed (Private Messaged) him, and I'm awaiting a response.
    Basically, when you recover an item from the Quarantine/Recovery, it'll literally bring the item back to where it was originally found.

    So, yes, you should recover it, find it in the 'system' folder, send it to the detections email, most preferably with a link to this thread, and then rescan and proceed to remove that flagged entry again.

  10. #10 (Retired)

    Hello,
    Before you restore the file, which would mean a possible risk for your computer, please have a look at the recovery files themselves. They are stored at

    c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery

    There should be one file named something like Virtumonde.zip. Please send this file to us via mail.

    Best regards,
    Markus

    @drragostea: Sorry for my late reply to your pm!
