infection found in only one of three identical downloads

[Bubbator]

Hi,
I am wondering why Spybot found virtuamond.dii in one of three 'identical' downloaded files.
I updated a program on three computers on my home network. One Vista with defender, IE8 and Spybot, one XP with defender firefox and Spybot, one XP with firefox and only Spybot--I didn't like Windows Defender. I have Avast on all three with auto update and I apply all Windows and Spybot updates while they're still warm and fresh. Always one right after the other going from room to room.
When I opened my new version file of another app, Spybot stopped and deleted virtuamonde.dii on the third (xp/ff/spybot) machine, but not the other two. Spybot scans were clean on the other two immediately after. This has happened before, on the second machine, I think.
So, where does the malware come from? The publisher, but only sometimes? Hitching a ride from cyberspace?
Just wondering,
Bub

[tashi]

Hello Bubbator,

Hi,
I am wondering why Spybot found virtuamond.dii in one of three 'identical' downloaded files.

Could you provide more information as per this topic, (ignore the title). How to report False Positives

Best regards.

[Bubbator]

Hi,
pc #1= Windows Vista Home Premium, Internet Explorer 8.0.6001.18813, Spybot S&D 1.6.2.0 with latest update as of August 8, 2009*. No positive result.

tablet pc #2= Windows XP tablet, Firefox 3.5.2, Spybot S&D 1.6.2.0 with same update. No positve result.

pc #3= Windows XP Professional, Firefox and Spybot as above. "Teatimer message when a program was executed" Log: "8/9/2009 9:07:42 AM Encountered and terminated Virtumonde.Dll in C:\DOCUME~1\DRFAC8~1.BRU\LOCALS~1\Temp\nst52.tmp\AnyDVDTray.exe!"

*Latest update on all three pc's, log quote:"8/5/2009 9:01:37 AM Downloaded update info file. (http://www.safer-networking.org/updates/spybotsd.ini)
8/5/2009 9:01:52 AM downloaded update Detection rules: Supplemental
8/5/2009 9:01:52 AM - URL: http://spybot.grailit.com/updates/supplemental.zip
8/5/2009 9:01:52 AM - Local file: C:\Program Files\Spybot - Search & Destroy\Updates\supplemental.zip
8/5/2009 9:02:04 AM downloaded update Detection rules: Update
8/5/2009 9:02:04 AM - URL: http://spybot.grailit.com/updates/includes.zip
8/5/2009 9:02:04 AM - Local file: C:\Program Files\Spybot - Search & Destroy\Updates\includes.zip"[mm/dd/yyyy]

I hope this is what you needed.

B

[Yodama]

hello Bubbator,

it looks like we need to take a further look.
The AnyDVDTray.exe normally should not be started from a temporary directory but from Slysofts program files folder.
Use your Explorer to navigate to this temporary files folder:
C:\DOCUME~1\DRFAC8~1.BRU\LOCALS~1\Temp\
then search it and it subfolders for AnyDVDTray.exe, zip the file and attach it to your next email.
Also do a full scan with Spybot S&D, then right click the scan result and choose to save a full report to your desktop, attach this report to your email to detections@spybot.info as well. Make a link to this thread in your email so we can make the connection between the email and this thread.