Virtumonde detected by SpyBot

Please attach the log from Spybot. Typically this is just some benign registry entry that it should be able to remove but does not. In all cases we have seen, it is really a non-issue, but let's see the log to be sure.

Are you running more than the firewall from Comodo? Double check to be sure it is only the firewall running.

 

Okay but my question is about what protection from Comodo is active. Comodo Internet Security also can be an antivirus, antispyware, firewall....etc. What do you actually have active?

When it finishes running, right click in the scan window and create the log to attach.

 

You need to check what Comodo says not what Windows says. Double click the Comodo icon in your tray and see what protection it indicates you have.

C:\WINDOWS\system32\mfc40.dll is a file for Microsoft Visual C++. Locate the file in Windows Explorer. Right click on it and select Properties. Now see if there is a Version[ tab in the window. If so, select the Version tab and on the next window select each of the listed Item names (one at a time) to get more info about the file. The most important Item is the company name. If there is no Version tab, tell me that too.

All of the below files on your PC are just from an older version of the files from Visual C++

Code:

----a-w           924,432 2004-08-04 12:00:00  C:\WINDOWS\system32\mfc40.dll
----a-w           927,504 2008-04-14 00:11:56  C:\WINDOWS\system32\mfc40u.dll
----a-w         1,028,096 2008-04-14 00:11:56  C:\WINDOWS\system32\mfc42.dll
----a-w            53,248 1998-06-17 23:06:34  C:\WINDOWS\system32\MFC42ENU.DLL
----a-w           981,760 2007-04-03 03:14:47  C:\WINDOWS\system32\mfc42u.dll

 

I went around to a few of my PCs and found one where I still had mfc40.dll on the PC. I then ran Spybot and it FALSELY detects mfc40.dll as Virumonde. This is a bug with Spybot. It is not malware.

 

No! It is a valid file. I now remember why I removed Spybot from the READ & RUN ME. It is basically junk. It finds lots of false detections which are absurd ( 31 on my last scan just run ). All were valid files or bookmarks to websites with info on malware. They were not malware. These problems have existed with Spybot for years and have never been fixed. Also their logs are basically useless as they do not even point out the exact location of where they "think" a problem is with bookmarks. You have to try and wade thru all the bookmarks you have just to try and fiigure out what it thinks it is finding. Then you find, it is not a problem. It is just a link to something you saved. Funny thing is that it finds these bookmarks a problem with FireFox but they are not problems in IE when the same one exist. This is a bug!

The only reason to keep Spybot around is for the Immunization and SDhelper features. I don't recommend scanning with it as it is way too slow and is not really that useful against real current malware problems ( the same is true for Ad-Aware which is not useful at all anymore and I tell people to uninstall it ). SUPERAntiSpyware and Malwarebytes are 1000 times more useful then either Spybot or Ad-Aware.

 

You're welcome.

Follow the below.

1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
   • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
   • "%userprofile%\Desktop\combofix" /uninstall
     • Notes: The space between the combofix" and the /uninstall, it must be there.
     • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
3. Go back to step 6 oof the READ ME and renable your Disk Emulation software with Defogger if you had disabled it.
4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
7. Go to add/remove programs and uninstall HijackThis.
8. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders
   related to MGtools and some other items from our cleaning procedures.
10. After doing the above, you should work thru the below link:
    • How to Protect yourself from malware!

 

You're welcome. Surf safely!