Fixed: virtumonde trojan

alicez

New member
My elderly neighbor has run SB tonight and she told me it found one Problem. It states: Virtumonde - 1 entry Trojan.
How would we go about helping her get it off of her old Vaio notebook which is using Win98?

I posted the above on your regular SB forum and was told:

"Can you give me the path and filename(I want to eliminate the possibility that it is a false positive (FP) )?
"To be really on the safe side, I would like you to report a possible FP here."

I looked at the virtumonde in the Recovery and right clicked on it and see:
C:\Windows\System\DOSFNT01.dll

When my neighbor saw the virtumonde, she clicked on the Fix-It and then ran another scan. Nothing was found after this 2nd scan. Does she have to do anything else? Can she remove the virtumonde from her SB Recovery?

Please do not get too 'technical' as neither one of us is a computer expert.
Thank you
 
Manually navigate to the path:
C:\Windows\System\DOSFNT01.dll

using Windows Explorer. Start with "My Computer".
 
Thank you.
I do not see "DOSFNT01.dll" in the Windows/System (in her Win98).

Would that file be there after SB did the 'fix'? I thought it (the file) would be removed from there and placed in the SB Recovery (where it now is).

Is that the only place it would now be located? If I am supposed to make a copy of that file (in the Recovery), how would that be done? I tried to copy/paste, but nothing happened. How could I send that file in Recovery to you?

When I was told "are you able to send the file to detections@spybot.info ? Or maybe even the recovery file?" I took that to mean I would copy the file and paste it in an email and email it to: detections@spybot.info.
Is that correct?
I would like to clear up this matter for her so she doesn't worry about it too much more.
Thanks.
Alice

(P.S. Funny thing is I cannot access this forum via my IE7. I sign-in and then get sent back to the sign-in screen again. Over and over. When I switch to Mozilla, I can get in with no problem. Any suggestions how I can get into the forum using my IE7.)
 
Sorry about being unclear. I missed the part about her removing that entry...

I was thinking about how, since Virtumonde was detected only as one entry, one file, it could be like a "trace". Or a mark. Like its parent files are missing. For example, a car without an engine.

Do not try this technique yet, I'll need most likely Mr. W's confirmation:
Recover the file from Quarantine, navigate to that path, make a copy of that file and email it to Spybot's detection area. detections (at) spybot. info.
 
Thanks.
You said: "Do not try this technique yet, I'll need most likely Mr. W's confirmation:
Recover the file from Quarantine, navigate to that path, make a copy of that file and email it to Spybot's detection area. detections (at) spybot. info."

I shouldn't do anything now, is that correct? I should wait until I hear from you?

When you say Quarantine, do you mean Recovery?

If it is removed from the Recovery (and then restored) and then I make a copy of it and email to detections@spybot.info, what do I do next? Do I do another scan and then remove it again?

Sorry for all the questions but this is all quite confusing.
Alice
 
The forums are here to give the users a friendly support environment. :rockon:

I've PM'ed (Private Messaged) him, and I'm awaiting a response.
Basically, when you recover an item from the Quarantine/Recovery, it'll literally bring back the item to where it was originally found.

So, yes you should recover it, find it in the 'system' folder, send it to the detections email, most preferably with a link to this thread, and then rescan and proceed to remove that flagged entry again.
 
Hello,
Before you restore the file, which could pose a risk for your computer, please have a look at the recovery files themselves. They are stored at

c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery

There should be one file named something like Virtumonde.zip. Please send this file to us via mail.

Best regards,
Markus

@drragostea: Sorry for my late reply to your pm!
 
Similar to this thread started above, I visited my out-of-state sister last weekend, and updated her Spybot (she is not computer savvy). After running a scan, it turned up two instances of virtumonde trojan on her PC. One is cqsccol.dll, and the other dosfnt01.dll. I clicked the fix problem button, and Spybot said both instances were fixed. Then I re-scanned her PC, and it again turned up the two instances of virtumonde trojan. I repeated the fix problem, but the re-scan again showed the virtumonde trojan. I rebooted her PC, and again Spybot was not able to successfully permanently remove the trojan.

She runs Windows ME.

Any suggestions on how to permanently remove the virtumonde trojan? What is the danger of not being able to delete it?

Thanks for the help....
 
Hello,
it would be very helpful if you could provide us with these files. Please send them to detections@spybot.info. If it is a false positive, we will solve it with our next update, scheduled for Wednesday.

Best regards,
Markus
Team Spybot
 
Tashi - Thank you for the quick reply. Spybot runs well on Windows ME (unlike some other programs that are not backwards compatible). It's too bad that Microsoft does not support the older software at all. My sister will probably, unfortunately, keep running Windows ME until it gets totally corrupted. :sad:

MisterW - I have returned home, so I cannot forward you the affected .dll files. I'll try to talk my sister through the process of sending them to you.:scratch:
 
Hello,
Before you restore the file, which could pose a risk for your computer, please have a look at the recovery files themselves. They are stored at

c:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery

There should be one file named something like Virtumonde.zip. Please send this file to us via mail.

Best regards,
Markus

@drragostea: Sorry for my late reply to your pm!
=======================

How do I send via email?
 
Hello,
we got your mail and we can confirm that it is a false positive. It will be fixed in the next update, scheduled for Wednesday.

Best regards,
Markus
 
Hello,
we got your mail and we can confirm that it is a false positive. It will be fixed in the next update, scheduled for Wednesday.

Best regards,
Markus

Thank you.

What should I do now? Should I remove the Virtumonde from Recovery?
Should I restore the Virtumonde? If so, how would I do that?
 
@alicez

Yes, please recover these 2 files:
  • start Spybot S&D
  • click on recovery
  • look for the 2 files named above
  • select them and click on the check boxes until there are green checkmarks
  • click on recover selected items
 
What do you mean by:
"look for the 2 files named above"

I think there is only one file, namely: Virtumonde

I'll be going to my neighbor's house tomorrow when I can see what actually is in the Recovery.

AliceZ (Sorry for posting under my husband's sign-in name!)
 
Similar to this thread started above, I visited my out-of-state sister last weekend, and updated her Spybot (she is not computer savvy). After running a scan, it turned up two instances of virtumonde trojan on her PC. One is cqsccol.dll, and the other dosfnt01.dll. I clicked the fix problem button, and Spybot said both instances were fixed. Then I re-scanned her PC, and it again turned up the two instances of virtumonde trojan. I repeated the fix problem, but the re-scan again showed the virtumonde trojan. I rebooted her PC, and again Spybot was not able to successfully permanently remove the trojan.

She runs Windows ME.

Any suggestions on how to permanently remove the virtumonde trojan? What is the danger of not being able to delete it?

Thanks for the help....

Just a thought: I think it would be proper for you to have posted your question as a separate thread, as I am getting messages when answers are posted to your question(s). Thank you.
 