Thread: virtumonde false positive?

  1. #1
    Junior Member
    Join Date
    Jun 2010
    Posts
    3

    Default virtumonde false positive?

    With no symptoms of any virus at all, I did a scan a couple of hours ago and apparently have Virtumonde. It was in a DLL file and I deleted it when it came up. I ran Malwarebytes, Avast and VundoFix, none of which picked up anything else. I then ran HijackThis, and then ran it again in Safe Mode; apparently that should cause a BSOD that I can't recover from, but it didn't. I'm guessing I had a false positive because nothing else came up and I still have none of the symptoms of the virus that are listed on Wikipedia. Is there any way I can send the file to someone to see if it's a false positive? Thanks!
    Last edited by tashi; 2010-06-24 at 03:13. Reason: Moved from the Malware forum :-)

  2. #2
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,961

    Default

    Hello famouspogs,

    Please see this topic: How to report Possible False Positives

    Best regards.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  3. #3
    Junior Member
    Join Date
    Jun 2010
    Posts
    3

    Default

    I'm not sure if I found a false positive; I'm just thinking it's a small possibility. I searched around the internet and found out that lvcoinst.dll is a common Logitech driver that's installed with the QuickCam software. However, I'm not 100% sure that's what it is, as I reinstalled the cam software to see if it would replace the removed DLL, and it didn't. However, it did place three other DLLs of the same name in different places. Would it be possible for me to send the zip file of the virus that Spybot created to someone so they could check the properties to see if it has the version data and see for certain whether it is a Logitech DLL? I would do it myself, but I don't want to risk putting it back on my computer somehow.


    Here is my data that was requested in the thread you linked me.

    Windows XP Home SP3
    Firefox 3.6.4
    Spybot Version 1.6.2.0
    The result came from a scan I did.

    Here is the information from the log which found it.

    --- Report generated: 2010-06-23 15:35 ---

    Virtumonde.sdn: [SBI $5F58455C] Library (File, nothing done)
    C:\WINDOWS\system32\lvcoinst.dll
    Properties.size=69632
    Properties.md5=25F257C2D43CCB14B90814F6C46D742E
    Properties.filedate=1032556832
    Properties.filedatetext=2002-09-20 15:20:32


    --- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

    2009-01-26 blindman.exe (1.0.0.8)
    2009-01-26 SDFiles.exe (1.6.1.7)
    2009-01-26 SDMain.exe (1.0.0.6)
    2009-01-26 SDUpdate.exe (1.6.0.12)
    2009-01-26 SpybotSD.exe (1.6.2.46)
    2009-03-05 TeaTimer.exe (1.6.6.32)
    2009-09-17 unins000.exe (51.49.0.0)
    2009-01-26 Update.exe (1.6.0.7)
    2009-11-04 advcheck.dll (1.6.5.20)
    2007-04-02 aports.dll (2.1.0.0)
    2008-06-14 DelZip179.dll (1.79.11.1)
    2009-01-26 SDHelper.dll (1.6.2.14)
    2008-06-19 sqlite3.dll
    2009-01-26 Tools.dll (2.1.6.10)
    2009-01-16 UninsSrv.dll (1.0.0.0)
    2010-06-16 Includes\Adware.sbi (*)
    2010-06-22 Includes\AdwareC.sbi (*)
    2010-01-25 Includes\Cookies.sbi (*)
    2009-11-03 Includes\Dialer.sbi (*)
    2010-06-22 Includes\DialerC.sbi (*)
    2010-01-25 Includes\HeavyDuty.sbi (*)
    2009-05-26 Includes\Hijackers.sbi (*)
    2010-06-22 Includes\HijackersC.sbi (*)
    2010-06-22 Includes\iPhone.sbi (*)
    2010-01-20 Includes\Keyloggers.sbi (*)
    2010-06-22 Includes\KeyloggersC.sbi (*)
    2004-11-29 Includes\LSP.sbi (*)
    2010-06-01 Includes\Malware.sbi (*)
    2010-06-22 Includes\MalwareC.sbi (*)
    2010-05-18 Includes\PUPS.sbi (*)
    2010-06-23 Includes\PUPSC.sbi (*)
    2010-01-25 Includes\Revision.sbi (*)
    2009-01-13 Includes\Security.sbi (*)
    2010-06-22 Includes\SecurityC.sbi (*)
    2008-06-03 Includes\Spybots.sbi (*)
    2008-06-03 Includes\SpybotsC.sbi (*)
    2010-06-16 Includes\Spyware.sbi (*)
    2010-06-22 Includes\SpywareC.sbi (*)
    2010-03-08 Includes\Tracks.uti
    2010-06-01 Includes\Trojans.sbi (*)
    2010-06-22 Includes\TrojansC-02.sbi (*)
    2010-06-22 Includes\TrojansC-03.sbi (*)
    2010-06-22 Includes\TrojansC-04.sbi (*)
    2010-06-22 Includes\TrojansC-05.sbi (*)
    2010-06-22 Includes\TrojansC.sbi (*)
    2008-03-04 Plugins\Chai.dll
    2008-03-05 Plugins\Fennel.dll
    2008-02-26 Plugins\Mate.dll
    2007-12-24 Plugins\TCPIPAddress.dll
    Last edited by famouspogs; 2010-06-24 at 03:29.

  4. #4
    Senior Member Yodama's Avatar
    Join Date
    Oct 2005
    Location
    Buchenheim
    Posts
    1,110

    Default

    Confirmed, the FP will be corrected with the detection update scheduled for Wednesday 2010-06-30.
    born in the shadow to die in the shadow, that is the fate of the shinobi

    Spybot S&D Downloads

    Please help us improve Spybot and download our distributed testing client.

  5. #5
    Junior Member
    Join Date
    Jun 2010
    Posts
    3

    Default

    Thank you for your time. It's just confusing that the .dll had found its way into the system32 folder. I don't know how it got there. But I found out it was EXACTLY the same size and had the same date of creation as the other files that were placed on my drive when I installed the Logitech QuickCam drivers. It seems it's 99% likely that's what it was, unless a virus somehow got into the file and magically infected it without changing the file size.

    Could I ask how you confirmed the false positive? I'm just curious to find out. Thanks again!
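    The check that posts #3 and #5 are reaching for (does the flagged lvcoinst.dll actually match the other copies the Logitech installer dropped, beyond just size and date?) can be done with nothing more than a hash comparison. The script below is an added example and is not code from this thread, from Spybot or from Logitech. It parses the report format quoted above (the excerpt is copied from post #3), converts Spybot's Properties.filedate epoch to UTC so it can be compared with Properties.filedatetext, and then hashes the flagged file against candidate copies, so a file that is the same size but has different content is reported separately from a byte-for-byte duplicate. The three files the demo builds are constructed stand-ins with hypothetical names, not real DLLs.

```python
"""Cross-check a Spybot S&D file detection against other copies of the same DLL.

Added example, stdlib only. The report excerpt is the one pasted in post #3;
the demo files are constructed stand-ins, not real DLLs.
"""
import hashlib
import os
import re
import tempfile
from datetime import datetime, timezone

SAMPLE_REPORT = """\
--- Report generated: 2010-06-23 15:35 ---

Virtumonde.sdn: [SBI $5F58455C] Library (File, nothing done)
C:\\WINDOWS\\system32\\lvcoinst.dll
Properties.size=69632
Properties.md5=25F257C2D43CCB14B90814F6C46D742E
Properties.filedate=1032556832
Properties.filedatetext=2002-09-20 15:20:32

--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---
"""

HIT_RE = re.compile(r"^(?P<name>[\w.]+): \[SBI (?P<sbi>\$[0-9A-F]+)\] (?P<kind>.+)$")
PROP_RE = re.compile(r"^Properties\.(?P<key>\w+)=(?P<value>.*)$")


def parse_report(text):
    """Return one dict per detection: name, SBI id, kind, path and Properties.* fields."""
    hits, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("---"):          # report header/footer ends any open detection
            current = None
            continue
        m = HIT_RE.match(line)
        if m:
            current = {"name": m["name"], "sbi": m["sbi"], "kind": m["kind"], "path": None}
            hits.append(current)
            continue
        if current is None:
            continue
        m = PROP_RE.match(line)
        if m:
            current[m["key"]] = m["value"]
        elif current["path"] is None and line:
            current["path"] = line           # first non-property line after the hit is the path
    for h in hits:
        if "size" in h:
            h["size"] = int(h["size"])
        if "md5" in h:
            h["md5"] = h["md5"].lower()
        if "filedate" in h:
            # filedate is a Unix epoch; filedatetext appears to be the same instant in the
            # scanning machine's local time zone, so the two differ by that UTC offset.
            h["filedate_utc"] = datetime.fromtimestamp(int(h["filedate"]), tz=timezone.utc)
    return hits


def fingerprint(path):
    """Size and MD5 of a file on disk, the two fields Spybot reports (MD5 chosen to match them)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"size": os.path.getsize(path), "md5": h.hexdigest()}


def report_matches_disk(hit, path):
    """True if the file at `path` is the exact object the report describes."""
    fp = fingerprint(path)
    return fp["size"] == hit.get("size") and fp["md5"] == hit.get("md5")


def classify(flagged, candidates):
    """Compare the flagged file with other copies of the same DLL.

    'identical' : same MD5                  -> byte-for-byte copy of the installer's file
    'size_only' : same size, different MD5  -> content differs; size alone proves nothing
    'different' : different size
    """
    ref = fingerprint(flagged)
    verdicts = {}
    for c in candidates:
        fp = fingerprint(c)
        if fp["md5"] == ref["md5"]:
            verdicts[c] = "identical"
        elif fp["size"] == ref["size"]:
            verdicts[c] = "size_only"
        else:
            verdicts[c] = "different"
    return ref, verdicts


def demo():
    """Build constructed files: the 'flagged' DLL, an identical sibling, and one of equal
    size that differs by one byte (the 'infected without changing the size' worry above)."""
    d = tempfile.mkdtemp()
    body = b"MZ" + bytes(range(256)) * 4      # constructed stand-in, not a real PE image
    flagged = os.path.join(d, "system32_lvcoinst.dll")
    same = os.path.join(d, "program_files_copy.dll")
    tampered = os.path.join(d, "same_size_copy.dll")
    for p, data in ((flagged, body), (same, body), (tampered, body[:-1] + b"\x00")):
        with open(p, "wb") as f:
            f.write(data)
    _, verdicts = classify(flagged, [same, tampered])
    return {os.path.basename(p): v for p, v in verdicts.items()}


if __name__ == "__main__":
    for hit in parse_report(SAMPLE_REPORT):
        print(hit["name"], hit["path"], hit["size"], hit["md5"], hit["filedate_utc"])
    print(demo())
```

    For a real check, point `classify` at the flagged path and at the copies the camera installer placed elsewhere on the drive, and use `report_matches_disk` to confirm the file you are hashing is the one the log describes. A matching hash against a freshly installed vendor copy is what actually rules out the "same size but modified" case; matching size and date alone do not.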

  6. #6
    Junior Member
    Join Date
    Jun 2010
    Posts
    1

    Default

    Hello. I hope it's OK to tag on here. I seem to have the same as famouspogs. S&D was updated today and, following a routine scan, it has notified Virtumonde.sdn in System32\lvcoinst.dll.

    I haven't taken any action yet.

    Here are my details:

    Windows XP SP3
    Firefox 3.6.4; IE8
    Spybot S&D v1.6.2 updated 27/06/2010

    Routine scan:

    --- Report generated: 2010-06-27 21:35 ---

    Virtumonde.sdn: [SBI $5F58455C] Library (File, nothing done)
    C:\WINDOWS\SYSTEM32\lvcoinst.dll
    Properties.size=106496
    Properties.md5=6D096E3E9D9616C07770D3239973B437
    Properties.filedate=1117181980
    Properties.filedatetext=2005-05-27 09:19:40


    --- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

    2009-01-26 blindman.exe (1.0.0.8)
    2009-01-26 SDFiles.exe (1.6.1.7)
    2009-01-26 SDMain.exe (1.0.0.6)
    2009-01-26 SDShred.exe (1.0.2.5)
    2009-01-26 SDUpdate.exe (1.6.0.12)
    2008-07-07 SDWinSec.exe (1.0.0.12)
    2009-01-26 SpybotSD.exe (1.6.2.46)
    2009-03-05 TeaTimer.exe (1.6.6.32)
    2005-10-31 unins000.exe (51.41.0.0)
    2009-03-05 unins001.exe (51.49.0.0)
    2009-01-26 Update.exe (1.6.0.7)
    2009-11-04 advcheck.dll (1.6.5.20)
    2007-04-02 aports.dll (2.1.0.0)
    2005-05-31 borlndmm.dll (7.0.4.453)
    2005-05-31 delphimm.dll (7.0.4.453)
    2008-06-14 DelZip179.dll (1.79.11.1)
    2009-01-26 SDHelper.dll (1.6.2.14)
    2008-06-19 sqlite3.dll
    2009-01-26 Tools.dll (2.1.6.10)
    2009-01-16 UninsSrv.dll (1.0.0.0)
    2005-05-31 UnzDll.dll (1.73.1.1)
    2005-05-31 ZipDll.dll (1.73.2.0)
    2010-06-16 Includes\Adware.sbi (*)
    2010-06-22 Includes\AdwareC.sbi (*)
    2010-01-25 Includes\Cookies.sbi (*)
    2009-11-03 Includes\Dialer.sbi (*)
    2010-06-22 Includes\DialerC.sbi (*)
    2010-01-25 Includes\HeavyDuty.sbi (*)
    2009-05-26 Includes\Hijackers.sbi (*)
    2010-06-22 Includes\HijackersC.sbi (*)
    2010-06-22 Includes\iPhone.sbi (*)
    2010-01-20 Includes\Keyloggers.sbi (*)
    2010-06-22 Includes\KeyloggersC.sbi (*)
    2004-11-29 Includes\LSP.sbi (*)
    2010-06-01 Includes\Malware.sbi (*)
    2010-06-22 Includes\MalwareC.sbi (*)
    2010-05-18 Includes\PUPS.sbi (*)
    2010-06-23 Includes\PUPSC.sbi (*)
    2010-01-25 Includes\Revision.sbi (*)
    2009-01-13 Includes\Security.sbi (*)
    2010-06-22 Includes\SecurityC.sbi (*)
    2008-06-03 Includes\Spybots.sbi (*)
    2008-06-03 Includes\SpybotsC.sbi (*)
    2010-06-16 Includes\Spyware.sbi (*)
    2010-06-22 Includes\SpywareC.sbi (*)
    2010-03-08 Includes\Tracks.uti
    2010-06-01 Includes\Trojans.sbi (*)
    2010-06-22 Includes\TrojansC-02.sbi (*)
    2010-06-22 Includes\TrojansC-03.sbi (*)
    2010-06-22 Includes\TrojansC-04.sbi (*)
    2010-06-22 Includes\TrojansC-05.sbi (*)
    2010-06-22 Includes\TrojansC.sbi (*)
    2008-03-04 Plugins\Chai.dll
    2008-03-05 Plugins\Fennel.dll
    2008-02-26 Plugins\Mate.dll
    2007-12-24 Plugins\TCPIPAddress.dll

    Thanks

  7. #7
    Junior Member
    Join Date
    Jun 2010
    Posts
    1

    Default Another version of virtumonde.sdn

    This has a different date, length and MD5 hash from the others reported. No symptoms (pop-up windows, etc.) present; Logitech cam installed.

    Here's the info. Thanks!


    O/S: Windows XP SP3, recently upgraded from SP2

    Default Browser: Firefox v3.6.4

    Spybot S&D v1.6.2.46, detection update on 6/23/2010

    False Positive appeared in scan result - see log below.

    Log File Data:

    --- Report generated: 2010-06-27 14:54 ---

    Virtumonde.sdn: [SBI $5F58455C] Library (File, nothing done)
    C:\WINDOWS\system32\lvcoinst.dll
    Properties.size=110592
    Properties.md5=63A5869AC48150323DA7EB2101995C2C
    Properties.filedate=1076755994
    Properties.filedatetext=2004-02-14 03:53:14


    --- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

    2009-01-26 blindman.exe (1.0.0.8)
    2009-01-26 SDFiles.exe (1.6.1.7)
    2009-01-26 SDMain.exe (1.0.0.6)
    2009-01-26 SDShred.exe (1.0.2.5)
    2009-01-26 SDUpdate.exe (1.6.0.12)
    2009-01-26 SpybotSD.exe (1.6.2.46)
    2009-03-05 TeaTimer.exe (1.6.6.32)
    2007-07-15 unins000.exe (51.41.0.0)
    2009-04-04 unins001.exe (51.49.0.0)
    2009-01-26 Update.exe (1.6.0.7)
    2009-11-04 advcheck.dll (1.6.5.20)
    2007-04-02 aports.dll (2.1.0.0)
    2005-05-31 borlndmm.dll (7.0.4.453)
    2005-05-31 delphimm.dll (7.0.4.453)
    2008-06-14 DelZip179.dll (1.79.11.1)
    2009-01-26 SDHelper.dll (1.6.2.14)
    2008-06-19 sqlite3.dll
    2009-01-26 Tools.dll (2.1.6.10)
    2009-01-16 UninsSrv.dll (1.0.0.0)
    2005-05-31 UnzDll.dll (1.73.1.1)
    2005-05-31 ZipDll.dll (1.73.2.0)
    2010-06-16 Includes\Adware.sbi (*)
    2010-06-22 Includes\AdwareC.sbi (*)
    2010-01-25 Includes\Cookies.sbi (*)
    2009-11-03 Includes\Dialer.sbi (*)
    2010-06-22 Includes\DialerC.sbi (*)
    2010-01-25 Includes\HeavyDuty.sbi (*)
    2009-05-26 Includes\Hijackers.sbi (*)
    2010-06-22 Includes\HijackersC.sbi (*)
    2010-06-22 Includes\iPhone.sbi (*)
    2010-01-20 Includes\Keyloggers.sbi (*)
    2010-06-22 Includes\KeyloggersC.sbi (*)
    2004-11-29 Includes\LSP.sbi (*)
    2010-06-01 Includes\Malware.sbi (*)
    2010-06-22 Includes\MalwareC.sbi (*)
    2010-05-18 Includes\PUPS.sbi (*)
    2010-06-23 Includes\PUPSC.sbi (*)
    2010-01-25 Includes\Revision.sbi (*)
    2009-01-13 Includes\Security.sbi (*)
    2010-06-22 Includes\SecurityC.sbi (*)
    2008-06-03 Includes\Spybots.sbi (*)
    2008-06-03 Includes\SpybotsC.sbi (*)
    2010-06-16 Includes\Spyware.sbi (*)
    2010-06-22 Includes\SpywareC.sbi (*)
    2010-03-08 Includes\Tracks.uti
    2010-06-01 Includes\Trojans.sbi (*)
    2010-06-22 Includes\TrojansC-02.sbi (*)
    2010-06-22 Includes\TrojansC-03.sbi (*)
    2010-06-22 Includes\TrojansC-04.sbi (*)
    2010-06-22 Includes\TrojansC-05.sbi (*)
    2010-06-22 Includes\TrojansC.sbi (*)
    2008-03-04 Plugins\Chai.dll
    2008-03-05 Plugins\Fennel.dll
    2008-02-26 Plugins\Mate.dll
    2007-12-24 Plugins\TCPIPAddress.dll
