PDA

View Full Version : Virus has turned spybot.exe into a read only file, massive slow-down/redirects



alwaysatodds
2009-10-22, 23:36
I'm usually pretty good at bug fixing but this one is a real pain.

Cause - tried downloading a movie online, not sure what the site was

Effects -

Spybot has become a read-only file and is impossible to use. When I reinstall under a different name in a different folder it works until it is about to scan then shuts itself off and becomes another read-only file. The hidden .scr file cannot be located.

Clicking on unprotected links will redirect to random advertising websites like mom.com and other useless garbage. I have massive slowdown and the computer crashes all the time.

I tried downloading AVG and it located the viruses and trojans, said they were removed and after I rebooted it was the same problem as before. Except now when I use AVG is freezes up when it's about to scan the infected files. I could really use some help on this one. Can't seem to get anything working.

alwaysatodds
2009-10-23, 00:32
This is what gmer gave me when I ran the scan.

GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-10-22 17:29:11
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\CARLGR~1\LOCALS~1\Temp\fwryrpod.sys


---- System - GMER 1.0.15 ----

SSDT sptd.sys ZwCreateKey [0xF847E0B0]
SSDT sptd.sys ZwEnumerateKey [0xF848384C]
SSDT sptd.sys ZwEnumerateValueKey [0xF8483BEC]
SSDT sptd.sys ZwOpenKey [0xF847E090]
SSDT sptd.sys ZwQueryKey [0xF8483CC4]
SSDT sptd.sys ZwQueryValueKey [0xF8483B44]
SSDT sptd.sys ZwSetValueKey [0xF8483D56]

---- Kernel code sections - GMER 1.0.15 ----

? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload F79428AC 5 Bytes JMP 829C11B8
? win32k.sys:1 The system cannot find the file specified. !
? win32k.sys:2 The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1352] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll
.text C:\WINDOWS\System32\svchost.exe[1352] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll
.text C:\WINDOWS\System32\svchost.exe[1352] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll
.text C:\WINDOWS\Explorer.EXE[1916] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll
.text C:\WINDOWS\Explorer.EXE[1916] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll
.text C:\WINDOWS\Explorer.EXE[1916] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2468] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2468] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2468] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!IoConnectInterrupt] [F8492580] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F849252C] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F84ACAB8] sptd.sys
IAT atapi.sys[ntoskrnl.exe!IoConnectInterrupt] [F8492580] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F847EABA] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F847EC00] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F847EB82] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F847F72E] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F847F604] sptd.sys
IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F8491B9A] sptd.sys

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\System32\svchost.exe[1352] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll
IAT C:\WINDOWS\System32\svchost.exe[1352] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll
IAT C:\WINDOWS\Explorer.EXE[1916] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll
IAT C:\WINDOWS\Explorer.EXE[1916] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll
IAT C:\Program Files\Mozilla Firefox\firefox.exe[2468] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll
IAT C:\Program Files\Mozilla Firefox\firefox.exe[2468] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 82BD71D8
Device \Driver\usbuhci \Device\USBPDO-0 829C01D8
Device \Driver\usbuhci \Device\USBPDO-1 829C01D8
Device \Driver\usbuhci \Device\USBPDO-2 829C01D8
Device \Driver\usbehci \Device\USBPDO-3 8299E1D8
Device \Driver\Ftdisk \Device\HarddiskVolume1 82B681D8
Device \Driver\Cdrom \Device\CdRom0 829501D8
Device \Driver\Cdrom \Device\CdRom1 829501D8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 [F83F8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort0 [F83F8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F83F8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [F83F8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f [F83F8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\NetBT \Device\NetBt_Wins_Export 8286B980
Device \Driver\NetBT \Device\NetbiosSmb 8286B980
Device \Driver\NetBT \Device\NetBT_Tcpip_{B51E43F1-0056-46D6-88FD-80BE7E138B70} 8286B980
Device \Driver\usbuhci \Device\USBFDO-0 829C01D8
Device \Driver\usbuhci \Device\USBFDO-1 829C01D8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 82868980
Device \Driver\usbuhci \Device\USBFDO-2 829C01D8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 82868980
Device \Driver\usbehci \Device\USBFDO-3 8299E1D8
Device \Driver\Ftdisk \Device\FtControl 82B681D8
Device \FileSystem\Cdfs \Cdfs FF6683E8
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1124] 0x35670000
Library \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1216] 0x35670000
Library \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1272] 0x35670000
Library \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll (*** hidden *** ) @ C:\Program Files\ATI Technologies\ATI.ACE\cli.exe [1280] 0x35670000
Library \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1352] 0x35670000
Library \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1916] 0x35670000
Library \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [1976] 0x35670000
Library \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [2468] 0x35670000
Library \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll (*** hidden *** ) @ C:\Program Files\ATI Technologies\ATI.ACE\cli.exe [2620] 0x35670000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 -1967336333
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 -848722675
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xB4 0x31 0x55 0xC5 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xA0 0x64 0x2E 0xBE ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xB4 0x31 0x55 0xC5 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xA0 0x64 0x2E 0xBE ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xB4 0x31 0x55 0xC5 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xA0 0x64 0x2E 0xBE ...

alwaysatodds
2009-10-23, 00:58
I can't use the trendmicro program because the virus won't let me. . . .

could really use some help please.

tashi
2009-10-23, 02:28
Hello alwaysatodds,

Please see this FAQ, "BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288) and then start a new topic. ;)

You can include a link back to this one.


Posting additional comments or logs before a volunteer responds, can push you back instead of forward, because your thread ends up with a newer date. In addition helpers would think you are already being assisted because of the post count. For that reason we may merge such posts if there is time but please do not count on it.
If the infection prevents HJT from running, please start a topic, make note of the situation and wait for a response. Please do not add logs from other scans. :)
Best regards.