OrionsBelt 0, Posted August 6, 2021

Greetings. I've discovered a pair of suspicious issues on my office laptop. A regular full system scan with Eset Internet Security doesn't detect any threats. However, the scan's information report does show a series of files it "cannot open". The message below says "may be being used by another program or operating system" (translated from Spanish). Which seems very strange to me. And I don't know which other system or program could be involved. I would like to know if this is something that might require some deeper attention and intervention.

This laptop has been configured with a "liberated" user system, no need for a synchronized email account, 2 users, 1 with direct access (no password needed), and 1 for public use, that has never been used. Very sure no one but me has physically accessed it. Well, after receiving it from my tech shop that did the reformat and Windows reinstallation. It's a very simple HP laptop, with 1 solid-state disk, no partition, Windows 10 Pro. I've run Eset Online Scanner. I've installed Firefox, Spybot Search & Destroy Pro, and Eset Internet Security (purchased licence). And that's it.

But when scanning through the system with Spybot Search & Destroy Pro, I find the scan tends to slow down and delay on a "virtumonde.dll" file. Spybot doesn't seem to warn me about it, nor send it to quarantine. And searching for this file with Windows Explorer comes out blank. But when searching for this file online, I find it's notified on several online assistance forums (including a pair of Microsoft forum threads) as a severe spyware threat, that can develop and cause severe problems. What can you tell me about this file? How worried should I be? And, if necessary, what would you suggest I do with this issue? Just to further contextualize, this is a recently reformatted laptop, after a bad malware infection (with keylogger spyware activity).
Given the very minimal use this laptop has had until now, I suspect this file somehow survived the hard reformat and reinstalled Windows. As such, another hard factory reformat is an option, but it doesn't seem to suffice. So I'm assuming some measures must be taken to ensure it doesn't survive the reformat. Unless some other measure is possible. Please help. In much need of trustworthy information and advice. PS: I'm attaching 3 pics. In Spanish, sorry. But I believe the list of files themselves can be read without issue.
itman 1,754, Posted August 6, 2021

In the Eset scan log, all files that have a [4] log entry reference indicate that the Win OS has a lock on the file. This prevents Eset from scanning them. As your posted log indicates, most of these files are Win OS related. This also is expected Eset default scan behavior. If you run a custom scan as Administrator, this will minimize the number of locked files Eset can't scan.

Edited August 6, 2021 by itman
itman 1,754, Posted August 6, 2021

1 hour ago, OrionsBelt said: "But when scanning through the system with Spybot Search & Destroy Pro, I find the scan tends to slow down and delay on a "virtumonde.dll" file. Spybot doesn't seem to warn me about it, nor send it to quarantine. And searching for this file with Windows Explorer comes out blank. But when searching for this file online, I find it's notified on several online assistance forums (including a pair of microsoft forum threads) as a severe spyware threat, that can develop and cause severe problems."

Most of the postings I found on the web about virtumonde.dll date to 2010 or so. As such, it might no longer be a threat on Win 10. Since Eset didn't exclude the file from scanning, assumed is it was scanned and no threat detected.
Marcos (Administrators) 5,286, Posted August 7, 2021

You can upload the file to https://www.virustotal.com to see if other AVs detect it. However, the scan results must be taken with a grain of salt since AVs may also report false positives. You can post a link with scan results here.
peteyt (Most Valued Members) 396, Posted August 7, 2021

You mentioned you can't find the file. Try enabling the option to show hidden files first: https://support.microsoft.com/en-us/windows/view-hidden-files-and-folders-in-windows-10-97fbc472-c603-9d90-91d0-1166d1d9f4b5
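The three pieces of advice in this thread (Marcos's VirusTotal lookup, peteyt's hidden-files search, and itman's note that a [4] entry means the OS holds a lock on the file) can be combined into one check. The following PowerShell is an added example written for this thread; it is not code from any of the posters or from ESET. It assumes an elevated PowerShell prompt, and the file name and search root are placeholders taken from the thread. It searches the drive with hidden and system files included, tests whether each copy is currently locked by another process (the same condition the scan log reports as "cannot open"), and prints the SHA-256 so the hash can be looked up on VirusTotal without uploading the file.

```powershell
# Added example, not from the thread. Searches the system drive for a file name
# (hidden and system files included), reports whether each copy is locked by
# another process, and prints its SHA-256 for a VirusTotal hash lookup.
# Assumptions: run from an elevated PowerShell prompt; $FileName and $Root are
# placeholders chosen for this thread.
function Find-SuspectFile {
    param(
        [string]$FileName = 'virtumonde.dll',
        [string]$Root     = 'C:\'
    )

    # -Force includes hidden and system items that Explorer's search skips unless
    # "show hidden files" is turned on; -ErrorAction skips folders we cannot read.
    $found = Get-ChildItem -Path $Root -Filter $FileName -Recurse -Force -File `
                           -ErrorAction SilentlyContinue

    if (-not $found) {
        Write-Host "No file named '$FileName' under $Root (hidden and system files included)."
        return
    }

    foreach ($file in $found) {
        # Open the file with no sharing. If another process already holds it,
        # .NET throws IOException: the same condition the scan log reports as
        # "cannot open / may be in use by another program or the operating system".
        $locked = $false
        try {
            $stream = [System.IO.File]::Open($file.FullName, 'Open', 'Read', 'None')
            $stream.Dispose()
        } catch {
            # .NET exceptions arrive wrapped; inspect the innermost one.
            $inner  = $_.Exception.GetBaseException()
            $locked = ($inner -is [System.IO.IOException]) -or
                      ($inner -is [System.UnauthorizedAccessException])
        }

        # Hashing and signature checks need read access; on a fully locked file
        # these return $null, which is reported rather than treated as an error.
        $hash = Get-FileHash -Path $file.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
        $sig  = Get-AuthenticodeSignature -FilePath $file.FullName -ErrorAction SilentlyContinue

        [pscustomobject]@{
            Path       = $file.FullName
            Hidden     = [bool]($file.Attributes -band [System.IO.FileAttributes]::Hidden)
            SizeBytes  = $file.Length
            LastWrite  = $file.LastWriteTime
            Locked     = $locked
            Signature  = if ($sig)  { $sig.Status } else { 'Unknown' }
            SHA256     = if ($hash) { $hash.Hash }  else { 'n/a (file locked)' }
            VirusTotal = if ($hash) { "https://www.virustotal.com/gui/file/$($hash.Hash)" } else { 'n/a' }
        }
    }
}

# Usage: list every match with its lock state, signature status and hash.
Find-SuspectFile | Format-List
```

If the function prints nothing, the file does not exist on the drive even among hidden and system files, which fits itman's reading that Spybot is only displaying the name of a definition it is checking. If a match is reported as Locked, that is the same "cannot open" state as the [4] entries in the ESET log, and running the check (or the ESET custom scan) from an elevated prompt is the first thing to try before drawing conclusions. Looking up the SHA-256 on VirusTotal first avoids uploading a file that may belong to the operating system.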
itman 1,754, Posted August 7, 2021

Virtumonde is malicious adware associated primarily with Win XP devices. If you were infected with it, there should be visible signs such as desktop icons mysteriously appearing, browser redirect activity, and the like. As far as Spybot's "scan" of virtumonde.dll, one possible explanation is this activity on a Win 8.1 device:

Quote: "Virtumode (aka Vundo) has not been an active infection in several years. I wonder if what you are seeing is Spybot listing it's definitions as it scans. It's been a long time since I ran Spybot, but I seem to recall it had a running list of what it was checking for in it's UI as it scanned." https://www.techsupportforum.com/threads/spybot-2-4-stuck-on-virtumonde-dll.891050/

Edited August 7, 2021 by itman
OrionsBelt 0 (Author), Posted August 7, 2021

Aha! Okay. Thanks very much, everyone. For all the clarifications and suggestions. I'll try out scanning as administrator, and searching for hidden files. Yes. I've already been using VirusTotal to scan pages. Didn't think to scan the file itself. Thanks. Would have to find it first, of course, if it's truly in my system. And oh! Spybot may be just showing what it's scanning for... Hm. That could be it, actually. Hm. Sorry. Not sure yet, of course. And no, I haven't seen any suspicious activity on the desktop nor any internet redirection. Though as mentioned, I haven't really risked much internet activity yet anyway. I'll try out your advice, and test the laptop with a secondary and less important email account. I assume the custom administrator scan will give me more clarity, too.