Results 1 to 4 of 4

Thread: Virus has turned spybot.exe into a read only file, massive slow-down/redirects

  1. #1
    Junior Member
    Join Date
    Oct 2009
    Posts
    16

    Default Virus has turned spybot.exe into a read only file, massive slow-down/redirects

    I'm usually pretty good at bug fixing but this one is a real pain.

    Cause - tried downloading a movie online, not sure what the site was

    Effects -

    Spybot has become a read-only file and is impossible to use. When I reinstall under a different name in a different folder it works until it is about to scan then shuts itself off and becomes another read-only file. The hidden .scr file cannot be located.

    Clicking on unprotected links will redirect to random advertising websites like mom.com and other useless garbage. I have massive slowdown and the computer crashes all the time.

    I tried downloading AVG and it located the viruses and trojans, said they were removed and after I rebooted it was the same problem as before. Except now when I use AVG is freezes up when it's about to scan the infected files. I could really use some help on this one. Can't seem to get anything working.

  2. #2
    Junior Member
    Join Date
    Oct 2009
    Posts
    16

    Default More info

    This is what gmer gave me when I ran the scan.

    GMER 1.0.15.15163 - http://www.gmer.net
    Rootkit scan 2009-10-22 17:29:11
    Windows 5.1.2600 Service Pack 3
    Running: gmer.exe; Driver: C:\DOCUME~1\CARLGR~1\LOCALS~1\Temp\fwryrpod.sys


    ---- System - GMER 1.0.15 ----

    SSDT sptd.sys ZwCreateKey [0xF847E0B0]
    SSDT sptd.sys ZwEnumerateKey [0xF848384C]
    SSDT sptd.sys ZwEnumerateValueKey [0xF8483BEC]
    SSDT sptd.sys ZwOpenKey [0xF847E090]
    SSDT sptd.sys ZwQueryKey [0xF8483CC4]
    SSDT sptd.sys ZwQueryValueKey [0xF8483B44]
    SSDT sptd.sys ZwSetValueKey [0xF8483D56]

    ---- Kernel code sections - GMER 1.0.15 ----

    ? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
    .text USBPORT.SYS!DllUnload F79428AC 5 Bytes JMP 829C11B8
    ? win32k.sys:1 The system cannot find the file specified. !
    ? win32k.sys:2 The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\System32\svchost.exe[1352] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll
    .text C:\WINDOWS\System32\svchost.exe[1352] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll
    .text C:\WINDOWS\System32\svchost.exe[1352] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll
    .text C:\WINDOWS\Explorer.EXE[1916] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll
    .text C:\WINDOWS\Explorer.EXE[1916] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll
    .text C:\WINDOWS\Explorer.EXE[1916] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2468] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2468] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll
    .text C:\Program Files\Mozilla Firefox\firefox.exe[2468] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll

    ---- Kernel IAT/EAT - GMER 1.0.15 ----

    IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!IoConnectInterrupt] [F8492580] sptd.sys
    IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F849252C] sptd.sys
    IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F84ACAB8] sptd.sys
    IAT atapi.sys[ntoskrnl.exe!IoConnectInterrupt] [F8492580] sptd.sys
    IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F847EABA] sptd.sys
    IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F847EC00] sptd.sys
    IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F847EB82] sptd.sys
    IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F847F72E] sptd.sys
    IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F847F604] sptd.sys
    IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F8491B9A] sptd.sys

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\WINDOWS\System32\svchost.exe[1352] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll
    IAT C:\WINDOWS\System32\svchost.exe[1352] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll
    IAT C:\WINDOWS\Explorer.EXE[1916] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll
    IAT C:\WINDOWS\Explorer.EXE[1916] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll
    IAT C:\Program Files\Mozilla Firefox\firefox.exe[2468] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll
    IAT C:\Program Files\Mozilla Firefox\firefox.exe[2468] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs 82BD71D8
    Device \Driver\usbuhci \Device\USBPDO-0 829C01D8
    Device \Driver\usbuhci \Device\USBPDO-1 829C01D8
    Device \Driver\usbuhci \Device\USBPDO-2 829C01D8
    Device \Driver\usbehci \Device\USBPDO-3 8299E1D8
    Device \Driver\Ftdisk \Device\HarddiskVolume1 82B681D8
    Device \Driver\Cdrom \Device\CdRom0 829501D8
    Device \Driver\Cdrom \Device\CdRom1 829501D8
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 [F83F8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdePort0 [F83F8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F83F8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdePort1 [F83F8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f [F83F8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
    Device \Driver\NetBT \Device\NetBt_Wins_Export 8286B980
    Device \Driver\NetBT \Device\NetbiosSmb 8286B980
    Device \Driver\NetBT \Device\NetBT_Tcpip_{B51E43F1-0056-46D6-88FD-80BE7E138B70} 8286B980
    Device \Driver\usbuhci \Device\USBFDO-0 829C01D8
    Device \Driver\usbuhci \Device\USBFDO-1 829C01D8
    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 82868980
    Device \Driver\usbuhci \Device\USBFDO-2 829C01D8
    Device \FileSystem\MRxSmb \Device\LanmanRedirector 82868980
    Device \Driver\usbehci \Device\USBFDO-3 8299E1D8
    Device \Driver\Ftdisk \Device\FtControl 82B681D8
    Device \FileSystem\Cdfs \Cdfs FF6683E8
    ---- Processes - GMER 1.0.15 ----

    Library \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1124] 0x35670000
    Library \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1216] 0x35670000
    Library \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1272] 0x35670000
    Library \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll (*** hidden *** ) @ C:\Program Files\ATI Technologies\ATI.ACE\cli.exe [1280] 0x35670000
    Library \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1352] 0x35670000
    Library \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1916] 0x35670000
    Library \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [1976] 0x35670000
    Library \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [2468] 0x35670000
    Library \\?\globalroot\Device\__max++>\4BB9D32A.x86.dll (*** hidden *** ) @ C:\Program Files\ATI Technologies\ATI.ACE\cli.exe [2620] 0x35670000

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 -1967336333
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 -848722675
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xB4 0x31 0x55 0xC5 ...
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
    Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xA0 0x64 0x2E 0xBE ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xB4 0x31 0x55 0xC5 ...
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
    Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xA0 0x64 0x2E 0xBE ...
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xB4 0x31 0x55 0xC5 ...
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
    Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xA0 0x64 0x2E 0xBE ...

  3. #3
    Junior Member
    Join Date
    Oct 2009
    Posts
    16

    Default also

    I can't use the trendmicro program because the virus won't let me. . . .

    could really use some help please.

  4. #4
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,447

    Default

    Hello alwaysatodds,

    Please see this FAQ, "BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) and then start a new topic.

    You can include a link back to this one.

    Posting additional comments or logs before a volunteer responds, can push you back instead of forward, because your thread ends up with a newer date. In addition helpers would think you are already being assisted because of the post count. For that reason we may merge such posts if there is time but please do not count on it.
    If the infection prevents HJT from running, please start a topic, make note of the situation and wait for a response. Please do not add logs from other scans.
    Best regards.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •