Fixed: Possible Virtumonde.sdn false positives

md usa spybot fan

Spybot Advisor Team [Retired]
After the 2009-06-17 updates I picked up the following "Virtumonde.sdn" detections:

Code:
--- Report generated: 2009-06-17 11:50 ---

Virtumonde.sdn: [SBI $2CF65D3D]  Library (File, nothing done)
  C:\WINDOWS\system32\_005686_.tmp.dll
  Properties.size=132096
  Properties.md5=3CD291A2C4909088B3D1E98DED73D4B2
  Properties.filedate=1155817707
  Properties.filedatetext=2006-08-17 08:28:27

Virtumonde.sdn: [SBI $2CF65D3D]  Library (File, nothing done)
  C:\WINDOWS\system32\_005687_.tmp.dll
  Properties.size=146432
  Properties.md5=777EB29D0135D81AD9828A2B05443496
  Properties.filedate=1091595418
  Properties.filedatetext=2004-08-04 00:56:58

Virtumonde.sdn: [SBI $2CF65D3D]  Library (File, nothing done)
  C:\WINDOWS\system32\_005688_.tmp.dll
  Properties.size=101888
  Properties.md5=A1C10F87248529173F39F4B4734DF14B
  Properties.filedate=1091595408
  Properties.filedatetext=2004-08-04 00:56:48

Virtumonde.sdn: [SBI $2CF65D3D]  Library (File, nothing done)
  C:\WINDOWS\system32\_005689_.tmp.dll
  Properties.size=1845248
  Properties.md5=E0F718290D19531FD10328EFB09808EC
  Properties.filedate=1205920020
  Properties.filedatetext=2008-03-19 05:47:00

Virtumonde.sdn: [SBI $2CF65D3D]  Library (File, nothing done)
  C:\WINDOWS\system32\_005696_.tmp.dll
  Properties.size=96768
  Properties.md5=0CB3AF149A0BAC0836022CA307C7A0F8
  Properties.filedate=1102447954
  Properties.filedatetext=2004-12-07 15:32:34

Virtumonde.sdn: [SBI $2CF65D3D]  Library (File, nothing done)
  C:\WINDOWS\system32\_005697_.tmp.dll
  Properties.size=22040
  Properties.md5=3967AEEE12073446C4FB4AF0B681F0FA
  Properties.filedate=1090079324
  Properties.filedatetext=2004-07-17 11:48:44

Virtumonde.sdn: [SBI $2CF65D3D]  Library (File, nothing done)
  C:\WINDOWS\system32\_005698_.tmp.dll
  Properties.size=50688
  Properties.md5=BD7FB0957C716F1A60333AEE04DE2178
  Properties.filedate=1091595418
  Properties.filedatetext=2004-08-04 00:56:58

Virtumonde.sdn: [SBI $2CF65D3D]  Library (File, nothing done)
  C:\WINDOWS\system32\_005699_.tmp.dll
  Properties.size=983552
  Properties.md5=7808313CBC634EE08346D5DDFEF1CC5F
  Properties.filedate=1091595406
  Properties.filedatetext=2004-08-04 00:56:46

Virtumonde.sdn: [SBI $2CF65D3D]  Library (File, nothing done)
  C:\WINDOWS\system32\_005701_.tmp.dll
  Properties.size=108032
  Properties.md5=C6CE6EEC82F187615D1002BB3BB50ED4
  Properties.filedate=1091595416
  Properties.filedatetext=2004-08-04 00:56:56

Virtumonde.sdn: [SBI $2CF65D3D]  Library (File, nothing done)
  C:\WINDOWS\system32\_005702_.tmp.dll
  Properties.size=144896
  Properties.md5=532EA80E9F5452928F8426653215BE29
  Properties.filedate=1177510875
  Properties.filedatetext=2007-04-25 10:21:15

Virtumonde.sdn: [SBI $2CF65D3D]  Library (File, nothing done)
  C:\WINDOWS\system32\_005705_.tmp.dll
  Properties.size=415744
  Properties.md5=E15154E7FDA8A580A8F74C7CC16B1FFE
  Properties.filedate=1091595406
  Properties.filedatetext=2004-08-04 00:56:46

Virtumonde.sdn: [SBI $2CF65D3D]  Library (File, nothing done)
  C:\WINDOWS\system32\_005706_.tmp.dll
  Properties.size=64000
  Properties.md5=EBE12F403FDE45E7312E7BF764BFB6C6
  Properties.filedate=1091595406
  Properties.filedatetext=2004-08-04 00:56:46

Virtumonde.sdn: [SBI $2CF65D3D]  Library (File, nothing done)
  C:\WINDOWS\system32\_005708_.tmp.dll
  Properties.size=58880
  Properties.md5=1D536BEBC30DD8D0D3B6FF3B0CD2D32B
  Properties.filedate=1091595406
  Properties.filedatetext=2004-08-04 00:56:46

Virtumonde.sdn: [SBI $2CF65D3D]  Library (File, nothing done)
  C:\WINDOWS\system32\_005709_.tmp.dll
  Properties.size=61440
  Properties.md5=30E244A707E6CE0A4B099CD6384EC6CA
  Properties.filedate=1091595406
  Properties.filedatetext=2004-08-04 00:56:46

Virtumonde.sdn: [SBI $2CF65D3D]  Library (File, nothing done)
  C:\WINDOWS\system32\_005710_.tmp.dll
  Properties.size=657920
  Properties.md5=BA5D5FD3CCA6F64A429E2E0E1A1A0917
  Properties.filedate=1091595406
  Properties.filedatetext=2004-08-04 00:56:46

Virtumonde.sdn: [SBI $2CF65D3D]  Library (File, nothing done)
  C:\WINDOWS\system32\_005712_.tmp.dll
  Properties.size=236544
  Properties.md5=CD1F7ED9842138BEADF9ECBF37818BEF
  Properties.filedate=1091595406
  Properties.filedatetext=2004-08-04 00:56:46

Virtumonde.sdn: [SBI $2CF65D3D]  Library (File, nothing done)
  C:\WINDOWS\system32\_005715_.tmp.dll
  Properties.size=37888
  Properties.md5=980665E58317B29C9A0F7221D576CC51
  Properties.filedate=1122352789
  Properties.filedatetext=2005-07-26 00:39:49

Virtumonde.sdn: [SBI $2CF65D3D]  Library (File, nothing done)
  C:\WINDOWS\system32\_005716_.tmp.dll
  Properties.size=550912
  Properties.md5=0144ABC4C4A624B583D432EE478A711C
  Properties.filedate=1196793493
  Properties.filedatetext=2007-12-04 14:38:13

Virtumonde.sdn: [SBI $2CF65D3D]  Library (File, nothing done)
  C:\WINDOWS\system32\_005718_.tmp.dll
  Properties.size=419840
  Properties.md5=0738F4B53D967E46CC5E51F84BC1EB39
  Properties.filedate=1091595416
  Properties.filedatetext=2004-08-04 00:56:56

Virtumonde.sdn: [SBI $2CF65D3D]  Library (File, nothing done)
  C:\WINDOWS\system32\_005720_.tmp.dll
  Properties.size=8192
  Properties.md5=C5EF2A4F6CB968B3119B43F43C64A1A6
  Properties.filedate=1091595406
  Properties.filedatetext=2004-08-04 00:56:46

Virtumonde.sdn: [SBI $2CF65D3D]  Library (File, nothing done)
  C:\WINDOWS\system32\_005721_.tmp.dll
  Properties.size=708096
  Properties.md5=BB5CBFFC096497506167BCE1D9690EF2
  Properties.filedate=1091595398
  Properties.filedatetext=2004-08-04 00:56:38

Virtumonde.sdn: [SBI $2CF65D3D]  Library (File, nothing done)
  C:\WINDOWS\system32\_005723_.tmp.dll
  Properties.size=129536
  Properties.md5=77C41F9146450C89534704A75836CE56
  Properties.filedate=1091595404
  Properties.filedatetext=2004-08-04 00:56:44

Virtumonde.sdn: [SBI $2CF65D3D]  Library (File, nothing done)
  C:\WINDOWS\system32\_005726_.tmp.dll
  Properties.size=721920
  Properties.md5=F1C69FD5009CD4219C8DCA5DF475D66B
  Properties.filedate=1194427616
  Properties.filedatetext=2007-11-07 05:26:56

Virtumonde.sdn: [SBI $2CF65D3D]  Library (File, nothing done)
  C:\WINDOWS\system32\_005728_.tmp.dll
  Properties.size=341504
  Properties.md5=71D3D970127D939A4BB062B5040B6EBA
  Properties.filedate=1091595404
  Properties.filedatetext=2004-08-04 00:56:44

Virtumonde.sdn: [SBI $2CF65D3D]  Library (File, nothing done)
  C:\WINDOWS\system32\_005729_.tmp.dll
  Properties.size=249270
  Properties.md5=1F3E83A56B5177A22BA9594A37F986BE
  Properties.filedate=1090079324
  Properties.filedatetext=2004-07-17 11:48:44

Virtumonde.sdn: [SBI $2CF65D3D]  Library (File, nothing done)
  C:\WINDOWS\system32\_005730_.tmp.dll
  Properties.size=13824
  Properties.md5=B3EFF6D938C572E90A07B3D87A3C7657
  Properties.filedate=1091595404
  Properties.filedatetext=2004-08-04 00:56:44

Virtumonde.sdn: [SBI $2CF65D3D]  Library (File, nothing done)
  C:\WINDOWS\system32\_005731_.tmp.dll
  Properties.size=984576
  Properties.md5=A01F9CA902A88F7CED06884174D6419D
  Properties.filedate=1176738773
  Properties.filedatetext=2007-04-16 11:52:53

Virtumonde.sdn: [SBI $2CF65D3D]  Library (File, nothing done)
  C:\WINDOWS\system32\_005732_.tmp.dll
  Properties.size=144384
  Properties.md5=5AFCE94E8286B2F57A04DA37F01BF21A
  Properties.filedate=1091595404
  Properties.filedatetext=2004-08-04 00:56:44

Virtumonde.sdn: [SBI $2CF65D3D]  Library (File, nothing done)
  C:\WINDOWS\system32\_005735_.tmp.dll
  Properties.size=111616
  Properties.md5=EF545E1A4B043DA4C84E230DD471C55F
  Properties.filedate=1148043581
  Properties.filedatetext=2006-05-19 08:59:41

Virtumonde.sdn: [SBI $2CF65D3D]  Library (File, nothing done)
  C:\WINDOWS\system32\_005736_.tmp.dll
  Properties.size=135168
  Properties.md5=E931B4DD87DFACE46468FD506FDCD262
  Properties.filedate=1091595418
  Properties.filedatetext=2004-08-04 00:56:58

Virtumonde.sdn: [SBI $2CF65D3D]  Library (File, nothing done)
  C:\WINDOWS\system32\_005737_.tmp.dll
  Properties.size=32768
  Properties.md5=D06EAA8B23BC1F671B11D18CFEA65115
  Properties.filedate=1091595402
  Properties.filedatetext=2004-08-04 00:56:42

Virtumonde.sdn: [SBI $2CF65D3D]  Library (File, nothing done)
  C:\WINDOWS\system32\_005738_.tmp.dll
  Properties.size=276992
  Properties.md5=1EDB1BB89D021955E6F7265911175B8D
  Properties.filedate=1091595402
  Properties.filedatetext=2004-08-04 00:56:42

Virtumonde.sdn: [SBI $2CF65D3D]  Library (File, nothing done)
  C:\WINDOWS\system32\_005739_.tmp.dll
  Properties.size=617472
  Properties.md5=B0124CB21D28B1C9F678B566B6B57D92
  Properties.filedate=1156520758
  Properties.filedatetext=2006-08-25 11:45:58

Virtumonde.sdn: [SBI $2CF65D3D]  Library (File, nothing done)
  C:\WINDOWS\system32\_005744_.tmp.dll
  Properties.size=616960
  Properties.md5=1AFF244CA134956C54474F4E2433E4CE
  Properties.filedate=1091595402
  Properties.filedatetext=2004-08-04 00:56:42

Virtumonde.sdn: [SBI $2CF65D3D]  Library (File, nothing done)
  C:\WINDOWS\system32\_005746_.tmp.dll
  Properties.size=2897920
  Properties.md5=1320AEA7057A26A671D9548CC7BEBDA5
  Properties.filedate=1091595398
  Properties.filedatetext=2004-08-04 00:56:38


--- Spybot - Search & Destroy version: 1.6.2  (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-01-26 TeaTimer 1.6.4.26.exe (1.6.4.26)
2009-02-11 TeaTimer 1.6.5.28.exe (1.6.5.28)
2009-03-05 TeaTimer.exe (1.6.6.32)
2009-02-12 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-01-26 advcheck.dll (1.6.2.15)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2009-05-19 Includes\Adware.sbi (*)
2009-06-02 Includes\AdwareC.sbi (*)
2009-04-28 Includes\Beta.sbi
2007-11-06 Includes\Beta.uti
2009-01-22 Includes\Cookies.sbi (*)
2009-05-19 Includes\Dialer.sbi (*)
2009-06-02 Includes\DialerC.sbi (*)
2009-01-22 Includes\HeavyDuty.sbi (*)
2009-05-26 Includes\Hijackers.sbi (*)
2009-06-09 Includes\HijackersC.sbi (*)
2009-06-16 Includes\Keyloggers.sbi (*)
2009-06-16 Includes\KeyloggersC.sbi (*)
2009-06-10 Includes\Malware.sbi (*)
2009-06-16 Includes\MalwareC.sbi (*)
2009-03-25 Includes\PUPS.sbi (*)
2009-06-17 Includes\PUPSC.sbi (*)
2009-01-22 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2009-06-02 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2009-04-07 Includes\Spyware.sbi (*)
2009-06-02 Includes\SpywareC.sbi (*)
2009-06-08 Includes\Tracks.uti
2009-06-17 Includes\Trojans.sbi (*)
2009-06-17 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll
Although I am continuing to research the source of the "C:\WINDOWS\system32\_nnnnnn_.tmp.dll" files that were detected, it appears that the files were generated over a period of time and were only detected after the 2009-06-17 updates. Therefore, I suspect that these detections may be false positives.

I am sending an email to detections@spybot.info containing:
  1. A reference to this thread.
  2. Attachments:
    • My Checks.090617-1150.txt file.
    • A zipped folder (named "2009-06-17 detections.zip") containing the 35 "C:\WINDOWS\system32\_nnnnnn_.tmp.dll" files identified in the Checks.090617-1150.txt file as "Problems".
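The reasoning above rests on the report's own fields: each entry carries the file's epoch timestamp (Properties.filedate) and its local-time rendering (Properties.filedatetext), and the report header carries the scan time. The script below is an added example, not part of this thread or of Spybot, that parses the Checks report layout, confirms the two timestamp fields agree with each other (they differ by one constant UTC offset across the report), and summarises how old the flagged files are relative to the scan. The embedded SAMPLE_REPORT is a constructed excerpt of three entries copied from the report above; the function and key names are my own.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed excerpt in the layout of the Spybot "Checks" report quoted above
# (three of the 35 entries, copied as-is).
SAMPLE_REPORT = r"""--- Report generated: 2009-06-17 11:50 ---

Virtumonde.sdn: [SBI $2CF65D3D]  Library (File, nothing done)
  C:\WINDOWS\system32\_005686_.tmp.dll
  Properties.size=132096
  Properties.md5=3CD291A2C4909088B3D1E98DED73D4B2
  Properties.filedate=1155817707
  Properties.filedatetext=2006-08-17 08:28:27

Virtumonde.sdn: [SBI $2CF65D3D]  Library (File, nothing done)
  C:\WINDOWS\system32\_005687_.tmp.dll
  Properties.size=146432
  Properties.md5=777EB29D0135D81AD9828A2B05443496
  Properties.filedate=1091595418
  Properties.filedatetext=2004-08-04 00:56:58

Virtumonde.sdn: [SBI $2CF65D3D]  Library (File, nothing done)
  C:\WINDOWS\system32\_005689_.tmp.dll
  Properties.size=1845248
  Properties.md5=E0F718290D19531FD10328EFB09808EC
  Properties.filedate=1205920020
  Properties.filedatetext=2008-03-19 05:47:00

--- Spybot - Search & Destroy version: 1.6.2  (build: 20090126) ---
"""

GENERATED_RE = re.compile(r"^--- Report generated: (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) ---$")
HEADER_RE = re.compile(r"^(?P<name>[^:\s]+): \[SBI \$(?P<sbi>[0-9A-Fa-f]+)\]\s+(?P<kind>.+)$")
PROP_RE = re.compile(r"^\s+Properties\.(?P<key>\w+)=(?P<value>.*)$")


def parse_report(text):
    """Return (report_timestamp, detections); each detection is a dict with
    name, sbi, kind, path and the Properties.* keys (size/filedate as int)."""
    generated_at, detections, current = None, [], None
    for line in text.splitlines():
        m = GENERATED_RE.match(line)
        if m:
            generated_at = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
            continue
        m = HEADER_RE.match(line)
        if m:  # a new detection entry; the indented lines that follow belong to it
            current = {"name": m["name"], "sbi": m["sbi"], "kind": m["kind"].strip(), "path": None}
            detections.append(current)
            continue
        if current is None or not line.startswith(" "):
            continue  # blank lines and the version listing are not part of an entry
        m = PROP_RE.match(line)
        if m:
            key, value = m["key"], m["value"].strip()
            current[key] = int(value) if key in ("size", "filedate") else value
        elif current["path"] is None:
            current["path"] = line.strip()  # first indented non-property line is the file path
    return generated_at, detections


def filedate_offset_hours(det):
    """Hours by which filedatetext (local time) differs from the UTC reading of the
    filedate epoch; one constant value across the report means the two fields agree."""
    utc = datetime.fromtimestamp(det["filedate"], tz=timezone.utc).replace(tzinfo=None)
    local = datetime.strptime(det["filedatetext"], "%Y-%m-%d %H:%M:%S")
    return (local - utc).total_seconds() / 3600


def triage(text):
    """Summarise what the file timestamps say about the flagged set."""
    generated_at, dets = parse_report(text)
    offsets = {filedate_offset_hours(d) for d in dets}
    days = sorted(d["filedatetext"][:10] for d in dets)
    md5_counts = Counter(d["md5"] for d in dets)
    return {
        "count": len(dets),
        "names": sorted({d["name"] for d in dets}),
        "timestamps_consistent": len(offsets) == 1,
        "utc_offset_hours": offsets.pop() if len(offsets) == 1 else None,
        "oldest": days[0],
        "newest": days[-1],
        # True when every flagged file was written before the scan that flagged it
        "all_predate_report": all(
            datetime.strptime(d["filedatetext"], "%Y-%m-%d %H:%M:%S") < generated_at for d in dets
        ),
        "by_day": dict(Counter(days)),
        "repeated_md5": sorted(h for h, n in md5_counts.items() if n > 1),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

Run against the full 35-entry report above, the by_day histogram shows most files stamped 2004-08-04 with the remainder scattered between 2004 and 2008, all years before the 2009-06-17 rule update; that spread is what makes a freshly dropped payload unlikely and a rule change the more plausible explanation for the sudden detections.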
 
I believe you are right - I also had this problem after today's update. I have sent them for determination of whether they are false positive, too.
 
Thank you for reporting this issue.

I analyzed your files and they appear to be temporary files installed by the Service Pack 2 and maybe other Windows updates.

So it should not cause any problems if the files get deleted, however we will treat this as a false positive and adjust our detection rules accordingly with the next update scheduled for 2009-06-24.
 
I had 199 virtumonde.sdn detections on 23 June 2009. All cleaned and deleted; however, my PC functions OK. I had one start-up problem; a repeat start solved that.
 
Removing these files will not compromise the computer since they are temporary copies of Windows update files only. In most cases Windows does not leave these files on the hard disk.
 