
Thread: *sighs* Virtumonde.sdn

  1. #1
    Junior Member
    Join Date
    Sep 2009
    Posts
    3

    *sighs* Virtumonde.sdn

    I have the following programs on the computer: McAfee Virus Scanner, Malwarebytes, Spybot Search and Destroy. I scan regularly with all three. I used to have Ad-Aware but ditched it because I was becoming that dissatisfied with that program. Anyway, I updated my Malwarebytes and Spybot programs tonight. I closed out of both and went to McAfee and let it scan for viruses. Nothing showed up. I went to Malwarebytes after McAfee was finished and scanned with it. Nothing showed up. I went to Spybot Search & Destroy and one thing showed up. I'm honestly hoping it's a false positive because I dread computer problems almost as much as going to a doctor. So... here's what's going on in Spybot. I'll post the HijackThis log after that info.

    Virtumonde.sdn
    (SBI $0B8F80EC) Library
    C:\WINDOWS\system32\ialmcoin.dll




    Logfile of Trend Micro HijackThis v2.0.2
    Edit: Removed HJT log
    Please do not post HJT/CF etc logs in the Spybot forum. Thank you


    I haven't noticed anything wrong with the computer lately. I've been sticking to familiar sites and not branching out. I haven't been going to a certain site and then getting redirected or anything. The only concern I had was my McAfee virus scanner scanning sites I've never been to before and wouldn't go to. I asked on another forum and somebody said that since I have Spybot, those might be prevention sites Spybot downloaded onto the computer once I installed it.

    Anyway, can somebody please help me? I'd really appreciate it. Please tell me what to do if I have a false positive, or what to do if I've really got something nasty on the computer. Thanks.
    Last edited by tashi; 2009-09-08 at 07:58. Reason: Removed HJT log ;-)

  2. #2
    Junior Member
    Join Date
    Sep 2009
    Posts
    3


    Not sure if this is needed as well, but here's my Malwarebytes log.


    Malwarebytes' Anti-Malware 1.40
    Database version: 2754
    Windows 5.1.2600 Service Pack 2

    9/7/2009 11:11:11 PM
    mbam-log-2009-09-07 (23-11-11).txt

    Scan type: Full Scan (C:\|D:\|E:\|)
    Objects scanned: 148653
    Time elapsed: 31 minute(s), 45 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

  3. #3
    Yodama, Senior Member
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110


    Thank you for reporting this issue.
    It appears to be a false positive. The file C:\WINDOWS\system32\ialmcoin.dll appears to be related to Intel and there are no other traces of Virtumonde.

    A correction of the detection rules will be released on Wednesday 2009-09-09.
    born in the shadow to die in the shadow, that is the fate of the shinobi

    Spybot S&D Downloads

    Please help us improve Spybot and download our distributed testing client.

  4. #4
    Junior Member
    Join Date
    Sep 2009
    Posts
    3


    Quote Originally Posted by Yodama View Post
    Thank you for reporting this issue.
    It appears to be a false positive. The file C:\WINDOWS\system32\ialmcoin.dll appears to be related to Intel and there are no other traces of Virtumonde.

    A correction of the detection rules will be released on Wednesday 2009-09-09.
    Thank you for the reply! I can rest easy now. Thank you again for the help. I appreciate it!

  5. #5
    Retired
    Join Date
    Oct 2005
    Posts
    566


    You're welcome

  6. #6
    Junior Member
    Join Date
    Nov 2009
    Posts
    1

    Virtumonde.sdn False Positive?

    I'm running Windows XP Service Pack 2 and received these same results 4 times from the current version of Spybot. I hadn't scanned for several months but had been updating the definitions regularly. Cisco System Agent has been installed on my laptop for over a year. I'm not noticing hijack attempts or most of the other symptoms mentioned by users infected with Virtumonde.

    I installed Ad-Aware and Malwarebytes today. I ran quick scans (the quick scans took almost 3 hours) and both scans were clean. I'm thinking my scenario is similar to the other poster's, with a false positive.

    Spybot scan:

    Virtumonde.sdn: [SBI $CFFF47F6] Library (File, fixed)
    C:\WINDOWS\system32\csauser.dll
    Properties.size=147456
    Properties.md5=1C40A90BEA19A10F8B6EF030E6FC0DFB
    Properties.filedate=1193176510
    Properties.filedatetext=2007-10-23 16:55:10

    Virtumonde.sdn: [SBI $BEF36E24] Settings (Registry value, fixing failed)
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs=...csauser.dll...


    --- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

    2009-01-26 blindman.exe (1.0.0.8)
    2009-01-26 SDFiles.exe (1.6.1.7)
    2009-01-26 SDMain.exe (1.0.0.6)
    2009-01-26 SDShred.exe (1.0.2.5)
    2009-01-26 SDUpdate.exe (1.6.0.12)
    2008-07-30 SDWinSec.exe (1.0.0.12)
    2009-01-26 SpybotSD.exe (1.6.2.46)
    2009-03-05 TeaTimer.exe (1.6.6.32)
    2009-02-11 unins000.exe (51.49.0.0)
    2009-01-26 Update.exe (1.6.0.7)
    2009-09-07 advcheck.dll (1.6.4.18)
    2007-04-02 aports.dll (2.1.0.0)
    2008-06-14 DelZip179.dll (1.79.11.1)
    2009-01-26 SDHelper.dll (1.6.2.14)
    2008-06-19 sqlite3.dll
    2009-01-26 Tools.dll (2.1.6.10)
    2009-01-16 UninsSrv.dll (1.0.0.0)
    2009-10-08 Includes\Adware.sbi (*)
    2009-10-20 Includes\AdwareC.sbi (*)
    2009-01-22 Includes\Cookies.sbi (*)
    2009-11-03 Includes\Dialer.sbi (*)
    2009-10-13 Includes\DialerC.sbi (*)
    2009-01-22 Includes\HeavyDuty.sbi (*)
    2009-05-26 Includes\Hijackers.sbi (*)
    2009-10-27 Includes\HijackersC.sbi (*)
    2009-10-20 Includes\Keyloggers.sbi (*)
    2009-10-20 Includes\KeyloggersC.sbi (*)
    2004-11-29 Includes\LSP.sbi (*)
    2009-11-03 Includes\Malware.sbi (*)
    2009-11-03 Includes\MalwareC.sbi (*)
    2009-03-25 Includes\PUPS.sbi (*)
    2009-10-20 Includes\PUPSC.sbi (*)
    2009-01-22 Includes\Revision.sbi (*)
    2009-01-13 Includes\Security.sbi (*)
    2009-11-04 Includes\SecurityC.sbi (*)
    2008-06-03 Includes\Spybots.sbi (*)
    2008-06-03 Includes\SpybotsC.sbi (*)
    2009-11-03 Includes\Spyware.sbi (*)
    2009-11-03 Includes\SpywareC.sbi (*)
    2009-06-08 Includes\Tracks.uti
    2009-11-03 Includes\Trojans.sbi (*)
    2009-11-03 Includes\TrojansC.sbi (*)
    2008-03-04 Plugins\Chai.dll
    2008-03-05 Plugins\Fennel.dll
    2008-02-26 Plugins\Mate.dll
    2007-12-24 Plugins\TCPIPAddress.dll


    Malwarebytes scan:
    Malwarebytes' Anti-Malware 1.41
    Database version: 3137
    Windows 5.1.2600 Service Pack 2

    11/9/2009 8:09:15 PM
    mbam-log-2009-11-09 (20-09-15).txt

    Scan type: Quick Scan
    Objects scanned: 558931
    Time elapsed: 2 hour(s), 58 minute(s), 3 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

  7. #7
    Yodama, Senior Member
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110


    @jacton
    Thank you for reporting this issue. I can confirm this false positive. It will be fixed with the next detection update scheduled for Wednesday 2009-11-11.
    born in the shadow to die in the shadow, that is the fate of the shinobi

    Spybot S&D Downloads

    Please help us improve Spybot and download our distributed testing client.
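A small triage helper, added here as an example and not part of this thread or of Spybot itself: it parses the two detection entries quoted in post #6, pulls the DLL name out of the flagged AppInit_DLLs value, and checks that a file on disk has the size and MD5 the report recorded, so you know the file you hold is the same one the vendor judged a false positive before relying on that verdict. Reading the "..." in the registry line as text the log elided is an assumption.

```python
import hashlib
import re

# Constructed sample: the two detection entries quoted in post #6 above.
SPYBOT_REPORT = """\
Virtumonde.sdn: [SBI $CFFF47F6] Library (File, fixed)
C:\\WINDOWS\\system32\\csauser.dll
Properties.size=147456
Properties.md5=1C40A90BEA19A10F8B6EF030E6FC0DFB
Properties.filedate=1193176510
Properties.filedatetext=2007-10-23 16:55:10

Virtumonde.sdn: [SBI $BEF36E24] Settings (Registry value, fixing failed)
HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs=...csauser.dll...
"""

# Entry header line: "<threat>: [SBI $<id>] <kind> (<detail>)"
HEADER = re.compile(r"^(?P<threat>[^:]+): \[SBI \$(?P<sbi>[0-9A-F]{8})\] "
                    r"(?P<kind>\w+) \((?P<detail>[^)]*)\)$")


def parse_spybot_report(text):
    """Split a Spybot report into one dict per detection block."""
    entries = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        m = HEADER.match(lines[0])
        if not m or len(lines) < 2:
            continue
        entry = m.groupdict()
        entry["location"] = lines[1]          # file path or registry key=value
        # "Properties.<name>=<value>" lines describe the flagged file
        entry["props"] = dict(l[len("Properties."):].split("=", 1)
                              for l in lines[2:] if l.startswith("Properties."))
        entries.append(entry)
    return entries


def appinit_dll_names(entry):
    """DLL names Spybot flagged in AppInit_DLLs; '...' is assumed to mark elided text."""
    key, _, value = entry["location"].partition("=")
    if entry["kind"] != "Settings" or not key.endswith("\\AppInit_DLLs"):
        return []
    return [n for n in value.split("...") if n]


def file_matches_report(entry, data):
    """True when these bytes are exactly the file the report's size and MD5 describe."""
    md5 = hashlib.md5(data).hexdigest().upper()
    return (md5 == entry["props"].get("md5", "").upper()
            and len(data) == int(entry["props"].get("size", -1)))
```

A mismatch means the scanner's verdict, and the vendor's follow-up, refer to a different file than the one now in system32, so re-check before accepting it as benign.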
