Fixed: False Positive - Virtumonde.sdn

jambon

New member
The details:
XP, sp2; Firefox v.3.6.3

The Spybot version 1.6.0.31

The log:

--- Report generated: 2010-05-28 19:26 ---

Hint of the Day: Click the bar at the right of this to see more information! ()


Virtumonde.sdn: [SBI $4FB65AD4] Settings (Registry value, fixed)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs=...wmfhotfix.dll...

Virtumonde.sdn: [SBI $F0A24574] Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs


--- Spybot - Search & Destroy version: 1.6.0 (build: 20080729) ---

2008-01-28 SDDelFile.exe (1.0.2.4)
2008-07-30 blindman.exe (1.0.0.8)
2008-07-30 SDMain.exe (1.0.0.6)
2008-07-30 SDWinSec.exe (1.0.0.12)
2008-07-30 Update.exe (1.6.0.7)
2008-07-30 SDUpdate.exe (1.6.0.9)
2008-07-30 SpybotSD.exe (1.6.0.31)
2008-07-30 SDFiles.exe (1.6.0.4)
2008-07-30 SDShred.exe (1.0.2.3)
2008-08-08 unins000.exe (51.49.0.0)
2009-03-05 TeaTimer.exe (1.6.6.32)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2008-06-19 sqlite3.dll
2008-09-15 SDHelper.dll (1.6.2.14)
2008-10-22 Tools.dll (2.1.6.8)
2009-07-28 advcheck.dll (1.6.3.17)
2010-01-25 Includes\Cookies.sbi (*)
2010-05-25 Includes\DialerC.sbi (*)
2010-01-25 Includes\HeavyDuty.sbi (*)
2010-05-25 Includes\Malware.sbi (*)
2010-05-18 Includes\PUPS.sbi (*)
2010-05-25 Includes\HijackersC.sbi (*)
2010-05-18 Includes\PUPSC.sbi (*)
2009-11-03 Includes\Dialer.sbi (*)
2010-01-20 Includes\Keyloggers.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2010-05-25 Includes\MalwareC.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2010-05-25 Includes\KeyloggersC.sbi (*)
2010-01-25 Includes\Revision.sbi (*)
2010-05-25 Includes\SecurityC.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2010-05-26 Includes\Trojans.sbi (*)
2010-05-25 Includes\SpywareC.sbi (*)
2009-05-26 Includes\Hijackers.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2010-03-02 Includes\Spyware.sbi (*)
2010-02-17 Includes\Adware.sbi (*)
2010-03-08 Includes\Tracks.uti
2010-05-25 Includes\TrojansC-02.sbi (*)
2010-05-25 Includes\TrojansC-03.sbi (*)
2010-05-25 Includes\TrojansC-04.sbi (*)
2010-05-25 Includes\TrojansC-05.sbi (*)
2010-05-25 Includes\TrojansC.sbi (*)
2010-05-25 Includes\AdwareC.sbi (*)
2007-12-24 Plugins\TCPIPAddress.dll
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll

I checked the registry (with regedit) and those keys are empty. wmfhotfix.dll, as you know, is a legitimate file.

I ran full scans with Norton antivirus, Superantispyware, and MalwareBytes, all negative. Only Spybot shows a virtumonde.sdn infection during a scan.

Do you need any other information or logs?
Many thanks
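As an added example by the editor (not code from the thread or from Spybot), this PowerShell script shows the check behind the regedit step above: it reads the AppInit_DLLs value from both the native and the Wow6432Node key, splits the list, and prints the hash and Authenticode status of each referenced DLL so it can be sent along with a false-positive report. It assumes PowerShell 4 or later for Get-FileHash, so it will not run unchanged on the XP machine in the post.

```powershell
# Added example: inspect AppInit_DLLs and hash whatever it points at.
# Assumes PowerShell 4+ (Get-FileHash). On 64-bit Windows the Wow6432Node
# key carries the value used for 32-bit processes.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

foreach ($key in $keys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    $value = [string]$props.AppInit_DLLs
    # LoadAppInit_DLLs (DWORD) exists on Vista and later; 0 disables loading.
    $load  = $props.LoadAppInit_DLLs
    Write-Host "Key: $key"
    Write-Host "  LoadAppInit_DLLs: $(if ($null -eq $load) { '(not set)' } else { $load })"

    if ([string]::IsNullOrWhiteSpace($value)) {
        Write-Host "  AppInit_DLLs is empty"
        continue
    }

    # The value is a list of DLL names separated by spaces or commas.
    $entries = $value -split '[ ,]+' | Where-Object { $_ -ne '' }
    foreach ($entry in $entries) {
        # A bare file name is resolved relative to System32, as the loader does.
        $path = if ([IO.Path]::IsPathRooted($entry)) {
            $entry
        } else {
            Join-Path $env:SystemRoot "System32\$entry"
        }
        if (Test-Path $path) {
            $hash = (Get-FileHash -Algorithm SHA256 -Path $path).Hash
            $sig  = (Get-AuthenticodeSignature -FilePath $path).Status
            Write-Host "  $entry -> $path"
            Write-Host "    SHA256: $hash  Signature: $sig"
        } else {
            Write-Host "  $entry -> $path (file not found)"
        }
    }
}
```

An empty value with no LoadAppInit_DLLs line is what a clean XP machine prints; anything listed here is loaded into every process that links user32.dll, so its hash and signature are the first things to include in a report.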
 
Hello,

Did you install the unofficial wmf fix?
The file wmfhotfix.dll is only legitimate if it is part of the unofficial wmf fix.
However, it is better to use the official fix by Microsoft.

If possible please send the file to detections@spybot.info with a reference to this thread.
 
This will be regarded as a false positive and will be fixed with the next detection update scheduled for Wednesday 2010-06-09.
 
Hello,

By the way... you are using an old Spybot version. ;)
I would recommend upgrading. You can download the latest version 1.6.2 here.

Best regards
Sandra
Team Spybot