Page 3 of 15 FirstFirst 123456713 ... LastLast
Results 21 to 30 of 144

Thread: Spybot 1.6.2 update and Runtime Error 216

  1. #21
    Junior Member
    Join Date
    Aug 2009
    Posts
    18

    Default

    Thank you for your input and assistance, spybotsandra. This is distressing news, but I am glad to have an official word.

    Rootalyzer found nothing when I ran it, and I was not given the option to pack suspicious files, probably because the deep scan was blank at the end of the run. I find that a little peculiar, because I know that there are some SecuROM related files that RootkitRevealer usually finds when I run it (Harmless and needed for some games, but still they com up during those scans).

    Unfortunately I didn't have time to run a gmer scan this morning. I will do so post-haste when I have the time in a few hours.

  2. #22
    Junior Member
    Join Date
    Aug 2009
    Posts
    18

    Default

    I let GMER run and do a complete scan, but I am uncertain if I used the program correctly. I selected 'scan' while on the 'Rootkit/Malware' tab, and the process began to scroll through every file on my harddrive. After roughly an hour of processing through the data, two discrepancies were found. One was PROCEXP111.SYS - A file almost certainly assocaited with Sysinternals Process Explorer app, which I run constantly. The second was amon.sys - which I believe is associated with NOD32's AMON real-time virus protection.

    I selected 'Save' after the process had completed. This is what it saved to a file:


    GMER 1.0.15.15011 [vuxkwcqn.exe] - http://www.gmer.net

    Rootkit scan 2009-08-04 12:51:26

    Windows 5.1.2600 Service Pack 3





    ---- Kernel code sections - GMER 1.0.15 ----



    ? C:\WINDOWS\system32\Drivers\PROCEXP111.SYS The system cannot find the file specified. !



    ---- Devices - GMER 1.0.15 ----



    AttachedDevice \FileSystem\Ntfs \Ntfs amon.sys (Amon monitor/Eset )



    ---- EOF - GMER 1.0.15 ----



    I will email this as directed. Again, I apologize for not having a rootalyzer .cab package to send, but the program didn't seem to find anything during a deep scan, and provided no option to package them. Thank you again for your help and consideration.

  3. #23
    Junior Member
    Join Date
    Aug 2009
    Posts
    4

    Default

    If this IS an infection, then why did it only start happening after we all downloaded the latest spybot update?

  4. #24
    Junior Member
    Join Date
    Aug 2009
    Posts
    18

    Default

    Quote Originally Posted by Werewolf View Post
    If this IS an infection, then why did it only start happening after we all downloaded the latest spybot update?
    It's curious, but not unheard of. I agree that it seems a bit peculiar, but if update caused some behavioral change in the way Spybot works, it might conflict with the trojan in a new way.

    Don't get me wrong - I hope to high holy habanero ham heaven that it's not an infection. Because if it is, this is the most insidious thing I've ever seen.

  5. #25
    Junior Member
    Join Date
    Aug 2009
    Posts
    4

    Thumbs up

    Gotcha.

    I am running the scans now, and will be sending my logs to spybot. If any infections are found (or not) I will be sure to report back here right away. I hope you all do the same, so that we can all get this under wraps.

  6. #26
    Junior Member
    Join Date
    Aug 2009
    Posts
    18

    Default

    On a whim, I ran another GMER scan, and got this result:

    GMER 1.0.15.15011 [vuxkwcqn.exe] - http://www.gmer.net
    Rootkit scan 2009-08-05 00:29:48
    Windows 5.1.2600 Service Pack 3


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs amon.sys (Amon monitor/Eset )
    AttachedDevice \FileSystem\Ntfs \Ntfs oUltraf.sys

    ---- EOF - GMER 1.0.15 ----


    I don't know what oUltraf.sys is, but I can't put it in an archive, because it is being currently used by the system(!!). I can't upload it to VirusTotal, either. Googling about it seems to indicate this is possibly a kernal level system file, or some such, well beyond the reach of A/V software. Just keeping everyone posted about this issue.
    Last edited by VibrationalMode; 2009-08-05 at 09:37.

  7. #27
    Junior Member
    Join Date
    Aug 2009
    Posts
    1

    Default

    So this is leaning towards being an actual infection???

    The runtime error has been worrying me since last week and when I found this thread yesterday it was a big relief. I was really hoping someone would come in by now and say that it was just a bug.

    The server I usually update with is Safer-Networking #1 and I'm using XP SP2.
    I'll post a GMER log sometime today, if I don't have a heart attack first.

  8. #28
    Member
    Join Date
    Jul 2009
    Posts
    33

    Default Unconvinced - Watching

    After todays update (05 Aug) I noted that my error after closing SBot changed to 'instruction at 0x06db40c2' vice 0x06cf40c2 and referenced memory at 0x0705e060 vice 0x0698de68' and the Runtime error 216 changed from 06CF40C2 to 06DB40C2.

    I don't know if this means anything significant.

    Again, this only happens on computer 1 (below), not on #2. Updates came from SecurityWonks.Net2 (USA) within moments of each other for both computers.

    Again, Spybot, Malwarebytes, SuperAntispyware, NIS 2009 and MS Malsoft Removal tool show no problems.

    I'm reluctant to run analytical software that I'm not familiar with, especially if it's only partially developed - so if I'm just cluttering this forum, let me know. I'll stop.

    I am watching with interest.
    --------------------------------------------
    (1) XP Home SP3, IntelCore2Duo@2GHz, 2GB RAM, IE8
    (2) XP Home SP3, IntelCeleron@1.6GHz, 1GB RAM, IE8
    Wired Home Net

  9. #29
    Junior Member
    Join Date
    Aug 2009
    Posts
    18

    Default

    I have sent in the suspicious file oUltraf.sys for analysis. I could archive and manipulate the file during the first part of system startup. Later in the day is when it seems to be inaccessable, for some reason, perhaps because the backdoor was open at that time? Additionally, I submitted it to Virustotal, which gave back 3/41 positives. I am uncertain as to what to make of the results I've seen for google searching.

    I am quickly reaching a point of exhaustion. If this is an infection (which it seems to be) I am flabbergasted that it got through onto my system. I don't run executables from the web, I run NOD constantly, and MBAM and Spybot weekly, and I have autorun disabled. I am planning on taking the 'Nuke it from orbit' path and reformatting, but given the behavior of this, if it is an infection, I don't know the slightest way to prevent it's happening again.

  10. #30
    Member of Team Spybot roberto's Avatar
    Join Date
    Oct 2005
    Posts
    59

    Default

    Thanks. We got your sample for analysis. The file is using kernel functions but at this moment we are not sure, if this really is a rootkit. This could be a part of a legit software. We give this issue a high priority and are further investigating this.

    You will get a special detection file, in case this is malware and the analysis has been accomplished.

    Best,
    Roberto.
    Please help us improving Spybot and download our distributed testing client.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •