Spybot 1.6.2 update and Runtime Error 216

Thank you for your input and assistance, spybotsandra. This is distressing news, but I am glad to have an official word.

Rootalyzer found nothing when I ran it, and I was not given the option to pack suspicious files, probably because the deep scan was blank at the end of the run. I find that a little peculiar, because I know that there are some SecuROM related files that RootkitRevealer usually finds when I run it (harmless and needed for some games, but they still come up during those scans).

Unfortunately I didn't have time to run a gmer scan this morning. I will do so post-haste when I have the time in a few hours.
 
I let GMER run and do a complete scan, but I am uncertain if I used the program correctly. I selected 'Scan' while on the 'Rootkit/Malware' tab, and the process began to scroll through every file on my hard drive. After roughly an hour of processing through the data, two discrepancies were found. One was PROCEXP111.SYS, a file almost certainly associated with the Sysinternals Process Explorer app, which I run constantly. The second was amon.sys, which I believe is associated with NOD32's AMON real-time virus protection.

I selected 'Save' after the process had completed. This is what it saved to a file:

GMER 1.0.15.15011 [vuxkwcqn.exe] - http://www.gmer.net
Rootkit scan 2009-08-04 12:51:26
Windows 5.1.2600 Service Pack 3

---- Kernel code sections - GMER 1.0.15 ----

? C:\WINDOWS\system32\Drivers\PROCEXP111.SYS The system cannot find the file specified. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs amon.sys (Amon monitor/Eset )

---- EOF - GMER 1.0.15 ----

I will email this as directed. Again, I apologize for not having a rootalyzer .cab package to send, but the program didn't seem to find anything during a deep scan, and provided no option to package them. Thank you again for your help and consideration.
 
If this IS an infection, then why did it only start happening after we all downloaded the latest spybot update?

It's curious, but not unheard of. I agree that it seems a bit peculiar, but if the update caused some behavioral change in the way Spybot works, it might conflict with the trojan in a new way.

Don't get me wrong - I hope to high holy habanero ham heaven that it's not an infection. Because if it is, this is the most insidious thing I've ever seen.
 
Gotcha.

I am running the scans now, and will be sending my logs to spybot. If any infections are found (or not) I will be sure to report back here right away. I hope you all do the same, so that we can all get this under wraps.
 
On a whim, I ran another GMER scan, and got this result:

GMER 1.0.15.15011 [vuxkwcqn.exe] - http://www.gmer.net
Rootkit scan 2009-08-05 00:29:48
Windows 5.1.2600 Service Pack 3


---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs amon.sys (Amon monitor/Eset )
AttachedDevice \FileSystem\Ntfs \Ntfs oUltraf.sys

---- EOF - GMER 1.0.15 ----


I don't know what oUltraf.sys is, but I can't put it in an archive, because it is currently being used by the system (!!). I can't upload it to VirusTotal, either. Googling about it seems to indicate this is possibly a kernel level system file, or some such, well beyond the reach of A/V software. Just keeping everyone posted about this issue.
 
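Comparing the two GMER reports by eye is how the new entry above was spotted; as an added example (not the forum's or GMER's own code), the following Python parses the Devices section of a GMER text report and lists the filter drivers that appear in a later scan but not in an earlier baseline, listing drivers GMER could not attach a vendor label to first. The two reports are reconstructed inline as constructed sample input from the logs quoted in this thread.

```python
import re

# Constructed sample inputs: headers and Devices sections of the two reports quoted above.
SCAN_AUG04 = """GMER 1.0.15.15011 [vuxkwcqn.exe] - http://www.gmer.net
Rootkit scan 2009-08-04 12:51:26
---- Devices - GMER 1.0.15 ----
AttachedDevice \\FileSystem\\Ntfs \\Ntfs amon.sys (Amon monitor/Eset )
---- EOF - GMER 1.0.15 ----
"""
SCAN_AUG05 = """GMER 1.0.15.15011 [vuxkwcqn.exe] - http://www.gmer.net
Rootkit scan 2009-08-05 00:29:48
---- Devices - GMER 1.0.15 ----
AttachedDevice \\FileSystem\\Ntfs \\Ntfs amon.sys (Amon monitor/Eset )
AttachedDevice \\FileSystem\\Ntfs \\Ntfs oUltraf.sys
---- EOF - GMER 1.0.15 ----
"""

# "---- <section name> - GMER <version> ----" delimits each section of a GMER report.
SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
# "AttachedDevice <stack> <device> <driver file> (<vendor label>)"; the label is optional.
ATTACHED_RE = re.compile(r"^AttachedDevice\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+\((.*)\))?$")

def parse_sections(report):
    """Split a GMER text report into {section name: [non-empty lines]}."""
    sections, current = {}, None
    for line in report.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current and line:
            sections[current].append(line)
    return sections

def attached_drivers(report):
    """Return {driver file (lowercased): (device stack, vendor label or "")} from Devices."""
    out = {}
    for line in parse_sections(report).get("Devices", []):
        m = ATTACHED_RE.match(line)
        if m:
            stack, _device, driver, label = m.groups()
            out[driver.lower()] = (stack, label.strip() if label else "")
    return out

def new_attached_drivers(baseline, later):
    """Drivers attached in `later` but absent from `baseline`; unlabelled ones sort first."""
    base, cur = attached_drivers(baseline), attached_drivers(later)
    new = {d: v for d, v in cur.items() if d not in base}
    return sorted(new, key=lambda d: (new[d][1] != "", d))

if __name__ == "__main__":
    for driver in new_attached_drivers(SCAN_AUG04, SCAN_AUG05):
        print("new filter driver:", driver, "on", attached_drivers(SCAN_AUG05)[driver][0])
```

An unlabelled driver attached to the NTFS stack is worth checking against its on-disk path and a hash lookup before assuming it is benign, as was done later in this thread.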
So this is leaning towards being an actual infection???

The runtime error has been worrying me since last week and when I found this thread yesterday it was a big relief. I was really hoping someone would come in by now and say that it was just a bug.

The server I usually update with is Safer-Networking #1 and I'm using XP SP2.
I'll post a GMER log sometime today, if I don't have a heart attack first.
 
Unconvinced - Watching

After today's update (05 Aug) I noted that my error after closing SBot changed to 'instruction at 0x06db40c2' vice 0x06cf40c2 and 'referenced memory at 0x0705e060' vice 0x0698de68, and the Runtime error 216 changed from 06CF40C2 to 06DB40C2.

I don't know if this means anything significant.

Again, this only happens on computer 1 (below), not on #2. Updates came from SecurityWonks.Net2 (USA) within moments of each other for both computers.

Again, Spybot, Malwarebytes, SuperAntispyware, NIS 2009 and MS Malsoft Removal tool show no problems.

I'm reluctant to run analytical software that I'm not familiar with, especially if it's only partially developed - so if I'm just cluttering this forum, let me know. I'll stop.

I am watching with interest.
 
I have sent in the suspicious file oUltraf.sys for analysis. I could archive and manipulate the file during the first part of system startup. Later in the day is when it seems to be inaccessible, for some reason, perhaps because the backdoor was open at that time? Additionally, I submitted it to VirusTotal, which gave back 3/41 positives. I am uncertain as to what to make of the results I've seen from Google searching.

I am quickly reaching a point of exhaustion. If this is an infection (which it seems to be) I am flabbergasted that it got through onto my system. I don't run executables from the web, I run NOD constantly, and MBAM and Spybot weekly, and I have autorun disabled. I am planning on taking the 'Nuke it from orbit' path and reformatting, but given the behavior of this, if it is an infection, I don't know the slightest way to prevent its happening again.
 
Thanks. We got your sample for analysis. The file is using kernel functions, but at this moment we are not sure if this really is a rootkit. This could be a part of legit software. We give this issue a high priority and are further investigating this.

You will get a special detection file, in case this is malware and the analysis has been accomplished.

Best,
Roberto.
 

Roberto, you are a professional and a gentleperson. Thank you and your team for giving this the attention and effort you have. Even if it turns out to be an infection, I'm still happy to have hard working people like you guys in our corner.

As a note I forgot to include in the email, or here: that oUltraf.sys file was located in C:\Documents and Settings\{My username}\Local Settings\Temp\ , which seems somewhat suspicious in its own right.
 
I too have been having this error for some time now. I run McAfee 8.7i nightly as well as Spybot. Nothing has ever popped up. The scan actually completes, and once the program closes, then the error pops up. I would have thought that if it were an infection, it would prevent Spybot from running in the first place. I haven't run a rootkit program yet. Seems to me that it's an incompatibility issue and not an infection. Also, I didn't find the oUltraf.sys file in that directory or anywhere else.
 
After today's update (05 Aug) I noted that my error after closing SBot changed to 'instruction at 0x06db40c2'...

I'm reluctant to run analytical software that I'm not familiar with, especially if it's only partially developed - so if I'm just cluttering this forum, let me know. I'll stop.

After today's two includes updates, I no longer get errors on program close! I hope that's good.

Are you reluctant to run Sandra's suggested GMER and/or RootAlyzer?
Today, GMER didn't find two hidden processes in red text, as it did on the 4th.

I don't want to cause clutter either, but this is helping me keep in touch, thus I'm hoping this is ok. This thread seems fine for general chatter on this topic.

Question: can .JPGs contain rootkit or other malware, or can I disregard JPG and other graphic files, i.e. BMP, etc.?
 
FWIW, I ran Spybot S&D from a system account (i.e., in a WinXP Command Prompt from C:\WINDOWS\system32\>...) and I was unable to reproduce any of the earlier errors.

I'll leave it to you more-experienced people to decide if this is really as important as I think it is.
 
Same error pop-ups here. I guess the newest definitions are checked last in the scan, and in my case more than 566000 items are checked during the scan. When I abort the scan at, say, 545000 checked items the error will not occur. My guess would be faulty latest definitions files.

Logically this makes a lot more sense to me than all of us being infected (i hope ...)
 
I guess some part of the definitions of late causes something in the program / process to lock(?) when closing down, resulting in a crash. I guess all updates are exactly the same from the different servers?
 
According to kino's post, after deactivating the trojans.sbi the runtime error did not occur any longer on his system. To make sure that this is not just a coincidence, please give it a try and report in. :thanks:
 
To make sure that this is not just a coincidence, please give it a try and report in. :thanks:

No luck, Buster. I deactivated the Trojans.sbi, ran a scan twice and got the same error messages.
 
@ NotGeordie Thanks for reporting so quickly. Let's try something else. Please turn off all file sets but the usage tracks.
 
Another possible reason may be the new advcheck.dll, which was released last week. Hence we would like you to install the old advcheck.dll, which can be found here. Please download the zip file, unzip it and start the included .exe file. Thanks!
 