
Thread: False Positive - Virtumonde.sdn

  1. #1
    Junior Member
    Join Date
    May 2010
    Posts
    3

    False Positive - Virtumonde.sdn

    The details:
    XP, sp2; Firefox v.3.6.3

    The Spybot version 1.6.0.31

    the log:


    --- Report generated: 2010-05-28 19:26 ---

    Hint of the Day: Click the bar at the right of this to see more information! ()


    Virtumonde.sdn: [SBI $4FB65AD4] Settings (Registry value, fixed)
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs=...wmfhotfix.dll...

    Virtumonde.sdn: [SBI $F0A24574] Settings (Registry change, fixed)
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs


    --- Spybot - Search & Destroy version: 1.6.0 (build: 20080729) ---

    2008-01-28 SDDelFile.exe (1.0.2.4)
    2008-07-30 blindman.exe (1.0.0.8)
    2008-07-30 SDMain.exe (1.0.0.6)
    2008-07-30 SDWinSec.exe (1.0.0.12)
    2008-07-30 Update.exe (1.6.0.7)
    2008-07-30 SDUpdate.exe (1.6.0.9)
    2008-07-30 SpybotSD.exe (1.6.0.31)
    2008-07-30 SDFiles.exe (1.6.0.4)
    2008-07-30 SDShred.exe (1.0.2.3)
    2008-08-08 unins000.exe (51.49.0.0)
    2009-03-05 TeaTimer.exe (1.6.6.32)
    2007-04-02 aports.dll (2.1.0.0)
    2008-06-14 DelZip179.dll (1.79.11.1)
    2008-06-19 sqlite3.dll
    2008-09-15 SDHelper.dll (1.6.2.14)
    2008-10-22 Tools.dll (2.1.6.8)
    2009-07-28 advcheck.dll (1.6.3.17)
    2010-01-25 Includes\Cookies.sbi (*)
    2010-05-25 Includes\DialerC.sbi (*)
    2010-01-25 Includes\HeavyDuty.sbi (*)
    2010-05-25 Includes\Malware.sbi (*)
    2010-05-18 Includes\PUPS.sbi (*)
    2010-05-25 Includes\HijackersC.sbi (*)
    2010-05-18 Includes\PUPSC.sbi (*)
    2009-11-03 Includes\Dialer.sbi (*)
    2010-01-20 Includes\Keyloggers.sbi (*)
    2004-11-29 Includes\LSP.sbi (*)
    2010-05-25 Includes\MalwareC.sbi (*)
    2009-01-13 Includes\Security.sbi (*)
    2010-05-25 Includes\KeyloggersC.sbi (*)
    2010-01-25 Includes\Revision.sbi (*)
    2010-05-25 Includes\SecurityC.sbi (*)
    2008-06-03 Includes\SpybotsC.sbi (*)
    2010-05-26 Includes\Trojans.sbi (*)
    2010-05-25 Includes\SpywareC.sbi (*)
    2009-05-26 Includes\Hijackers.sbi (*)
    2008-06-03 Includes\Spybots.sbi (*)
    2010-03-02 Includes\Spyware.sbi (*)
    2010-02-17 Includes\Adware.sbi (*)
    2010-03-08 Includes\Tracks.uti
    2010-05-25 Includes\TrojansC-02.sbi (*)
    2010-05-25 Includes\TrojansC-03.sbi (*)
    2010-05-25 Includes\TrojansC-04.sbi (*)
    2010-05-25 Includes\TrojansC-05.sbi (*)
    2010-05-25 Includes\TrojansC.sbi (*)
    2010-05-25 Includes\AdwareC.sbi (*)
    2007-12-24 Plugins\TCPIPAddress.dll
    2008-03-04 Plugins\Chai.dll
    2008-03-05 Plugins\Fennel.dll
    2008-02-26 Plugins\Mate.dll

    I checked the registry (with regedit) and those keys are empty. wmfhotfix.dll, as you know, is a legitimate file.

    I ran full scans with Norton antivirus, Superantispyware, and MalwareBytes, all negative. Only Spybot shows a virtumonde.sdn infection during a scan.

    Do you need any other information or logs?
    Many thanks

  2. #2
    Senior Member Yodama
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110


    Hello,

    Did you install the unofficial WMF fix?
    The file wmfhotfix.dll is only legitimate if it is part of the unofficial WMF fix.
    However, it is better to use the official fix by Microsoft.

    If possible please send the file to detections@spybot.info with a reference to this thread.
    born in the shadow to die in the shadow, that is the fate of the shinobi

    Spybot S&D Downloads

    Please help us improve Spybot and download our distributed testing client.

  3. #3
    Junior Member
    Join Date
    May 2010
    Posts
    3

    False positive

    No, it's the official Microsoft patch.

  4. #4
    Junior Member
    Join Date
    May 2010
    Posts
    3

    False Positive

    I stand corrected. I don't see the MS information in the properties tab...
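    The question raised by the log in post #1 and the Properties-tab check in post #4 is whether the DLL named in AppInit_DLLs is really a Microsoft component. The following script is an added example, not code from the thread or from Spybot: it reads the flagged registry value, resolves each listed DLL and checks its Authenticode signature. It assumes PowerShell 2.0 or later is installed; the registry path and value names are the documented Windows ones, and the only sample name taken from the thread is wmfhotfix.dll.

```powershell
# Added example (not part of the thread): triage an AppInit_DLLs detection
# by checking each listed DLL's Authenticode signature instead of relying
# on the Properties tab. Assumes PowerShell 2.0+.
$key   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$props = Get-ItemProperty -Path $key

# LoadAppInit_DLLs (Vista and later) gates whether the list is honoured;
# on XP the value is absent and the list is always active.
$loadFlag = $props.LoadAppInit_DLLs
Write-Host "AppInit_DLLs     : '$($props.AppInit_DLLs)'"
Write-Host "LoadAppInit_DLLs : $(if ($null -eq $loadFlag) { '(not present: XP, always on)' } else { $loadFlag })"

if ([string]::IsNullOrEmpty($props.AppInit_DLLs)) {
    Write-Host 'AppInit_DLLs is empty: nothing is loaded into GUI processes via this key.'
    return
}

# Entries are separated by spaces or commas. A bare file name is resolved
# through the normal DLL search order, so try System32 when no directory is given.
$entries = $props.AppInit_DLLs -split '[ ,]+' | Where-Object { $_ }
foreach ($entry in $entries) {
    $path = $entry
    if (-not (Split-Path $entry -Parent)) {
        $path = Join-Path $env:SystemRoot "System32\$entry"
    }
    if (-not (Test-Path $path)) {
        Write-Host "$entry -> not found on disk (dangling entry; investigate before removing)"
        continue
    }

    $sig    = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    $ver    = (Get-Item $path).VersionInfo
    Write-Host "$entry -> $path"
    Write-Host "   signature : $($sig.Status)   signer: $signer"
    Write-Host "   company   : $($ver.CompanyName)   product: $($ver.ProductName)"

    # A Valid signature whose subject is Microsoft Corporation is what a genuine
    # hotfix component (e.g. wmfhotfix.dll from the official fix) should show.
    if ($sig.Status -eq 'Valid' -and $signer -match 'O=Microsoft Corporation') {
        Write-Host '   verdict   : signed by Microsoft'
    } else {
        Write-Host '   verdict   : NOT verified as Microsoft; keep the file and submit it for analysis'
    }
}
```

    Run it from an elevated prompt; the version-info fields are informational only, since they can be edited freely, while the signature status is the part that cannot be forged without a valid certificate.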

  5. #5
    Senior Member Yodama
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110


    This will be regarded as a false positive and will be fixed with the next detection update scheduled for Wednesday 2010-06-09.

  6. #6
    Senior Member
    Join Date
    Oct 2005
    Location
    Germany
    Posts
    5,263


    Hello,

    By the way... you are using an old Spybot version.
    I would recommend upgrading. You can download the latest version 1.6.2 here.

    Best regards
    Sandra
    Team Spybot
