TechSpot

Problem with a virus, buffer overrun

By pedro_traveller
Feb 28, 2008
  1. The virus is in "my documents", it came from Limewire. The carpet has 71,2 mb of information that I cannot read or delete. Trying to do that opens a popup saying "buffer overrun" and it comes from two directions:

    C:\Windows\explorer.exe
    C:\Windows\System32\RunDLL32.exe

    That is the only notable symptom of the virus, antivirus programs do not find it.

    I hope someone would be so kind and help me with this, I would appreciate that very much.

    I did all that is said in this post by Julio: "Viruses/Spyware/Malware, preliminary removal instructions" and here are the results:

    AVG Antirootkit

    C:\Windows\System32\Drivers\az1z7r8z.SYS Hidden driver file
     


  2. pedro_traveller

    pedro_traveller TS Rookie Topic Starter Posts: 27

    I also tried Virustotal and it does not give me any results.
     
  3. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Just having a look in the HiJackThis log

    Disable system restore before you delete the following entries.

    C:\Windows\System32\fppsys.exe
    O4 - HKLM\..\Run: [Warning: do not remove it! (system)] fppsys.exe
    C:\Programs\PartyGaming\PartyPoker\RunApp.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Programs\PartyGaming\PartyPoker\RunApp.exe
    ---------

    Not sure why these two exist:
    C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
    C:\Program Files\Windows NT\Accessories\wordpad.exe
    One is in capitals, and one isn't ?

    ----------

    Also, it may be a good move to run Startup Control Panel, and remove lots of not-required system startups

    I also believe you should run the following in full, to be certain:
    Viruses/Spyware/Malware, preliminary removal instructions

    Re-enable System Restore on completion
     
  4. pedro_traveller

    pedro_traveller TS Rookie Topic Starter Posts: 27

    OK, I removed those entries you told me, of the wordpad I don't know what to do, but it wasn't there at the last HJT log.

    Strange thing is that startup control panel doesn't work for me in startup (common) and HKLM/Run modes, it doesn't let me delete anything from there nor disable, trying to delete it adds another entry there.

    I will run all 15 stages again now and post the logs here when I am done.
     
  5. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Good

    Yes if the Startups automatically re-appear, it's usually a sign of Virus / Trojan issue.

    It will take some time, but obviously worth it.
    Don't skip tests or not allow full scan - as all in all we're talking hours not days.
     
  6. pedro_traveller

    pedro_traveller TS Rookie Topic Starter Posts: 27

    Ok, here are the results:

    AVG Antirootkit results:

    C:\Windows\System32\Drivers\as5nz038.SYS

    None of the programs found the virus, although it seems rare that C:\Windows\Explorer.EXE appears with EXE not exe, and C:\Program Files\PowerISO\PWRISOVM.EXE also in capitals; I do not know if that is normal?
     
  7. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    You should check "Turn windows Features On or Off" section in the Control Panel

    Dwm.exe (Desktop Window Manager) Desktop graphical effects
    Instead switch your Vista into "Classic Mode"

    MSASCui.exe (Windows Defender) I actually turn mine off, it takes up too much resource

    igfxsrvc.exe Integrated Graphics Service (required)

    hkcmd.exe Intel 810 and 815 chipset graphic drivers (non critical)

    igfxpers.exe NVidia graphics cards (leave alone)

    SynTPEnh.exe Mouse touchpad (leave alone)

    jusched.exe checks for Java updates (turn off in Java Control Panel)

    VCUServe.exe VAIO Camera Utility from Sony Corporation (non critical)

    LaunchApplication.exe mobile phone to your PC (non critical)

    avgnt.exe Avira Internet Security Suite (leave alone)

    PWRISOVM.EXE PowerISO, a CD/DVD imaging program (non critical)

    Reader_SL.exe Adobe Reader load time decreaser (non critical)

    winampa.exe WinAmp (non critical)

    avgas.exe AVG Anti-Spyware (non critical)

    TosBtMng/TosA2dp/TosBtHid/TosBtHsp/TosAVRC/tosOBEX Bluetooth (leave alone)

    mobsync.exe synchronize IE offline pages (non critical)

    taskeng.exe Task Scheduler Engine (leave alone)

    Switcher.exe your Sony Wireless LAN Switch (leave alone)

    unsecapp.exe Microsoft Windows server (leave alone)

    SearchFilterHost.exe Windows Desktop Search (non critical)

    Haven't checked the registry services part yet

    Edit:
    Actually it's best I don't, for two reasons
    1. Way too long - many startups
    2. Actually I'm no malware expert!

    I would suggest that you run Startup Control Panel and remove as many startups as you can
    Also check "Turn windows Features On or Off" section in the Control Panel, and remove any more (not needed) in there too
    Then possibly do another HJT after restart (it'll make it a lot easier to check!)
     
  8. LookinAround

    LookinAround Ex Tech Spotter Posts: 6,491   +183

    Just a couple comments

    If you do shut off jusched.exe, remember! to periodically check for Java updates yourself, manually. Or you won't get new releases/patches

    Looks like you have Avira Internet Suite running.. i don't know the product but things called "Internet Suites" typically include anti-spyware. Does Avira handle anti-spyware? And do you have AVG anti-spyware loaded and running as well?

    You certainly don't want two different anti-spyware products running at the same time. But double check on your Avira cause you definitely want one running. (Was the AVG freeware version downloaded sometime in the past? If you want to keep it to run it manually to double check Avira is fine. Otherwise, can uninstall it as well)
     
  9. pedro_traveller

    pedro_traveller TS Rookie Topic Starter Posts: 27

    Startup control panel still does not work, startups re-appear if deleted. I removed some startups from control panel but it seems I cannot do much more right now.

    Avira should handle antispyware also, AVG anti-spyware is loaded and installed but not running more than when doing checking for this board, it was downloaded a few days ago when I first wrote here.

    Does anyone have any idea what virus/trojan this might be, I just wonder why any of antivirus programs cannot find it at all?

    Attached new HJT log.
     
  10. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Your HJT log is still very, unavoidably, large. (ie many things are loading)

    I'm wondering if you could try to run MSCONFIG and untick (well everything!) and then restart.

    Once back in Normal mode (diagnostic mode - just close msconfig when it pops up)

    Go to Add/Remove programs and remove what-ever you don't want (including Spyware programs)
    Click on Start -> All Programs -> Startup And right click on anything in there and delete-ok
    Go to start-Run- RegEdit and expand:
    HKEY_LOCAL_MACHINE
    SOFTWARE
    Microsoft
    Windows
    CurrentVersion
    Run
    When clicking on Run on the right hand side, delete any entry (default not set. doesn't matter)

    Click on Start-> Run-> %temp%
    Remove as many files as allowed (usually all)

    Click on Start -> Run -> MSCONFIG
    Put it back to normal mode

    Restart

    Check Startup program again

    And reply back

    Now that will give some results !!
     
  11. LookinAround

    LookinAround Ex Tech Spotter Posts: 6,491   +183

    Please indicate Yes or No. When you installed Hijackthis.exe did you rename the executable Hijackthis.exe filename to something else, like pedroScan? or are you still running the original executable filename Hijackthis.exe?
     
  12. kritius

    kritius TS Guru Posts: 2,084

    C:\Program Files\Trend Micro\HijackThis\Crusty.exe

    Its running as crusty.
     
  13. LookinAround

    LookinAround Ex Tech Spotter Posts: 6,491   +183

    A couple things
    First, i'm very suspicious of two entries which appeared in your log
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O9 - Extra button: (no name) - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - (no file)

    Did you know the O9 item is linked to Party Poker? I assume you never loaded Party Poker. And even if you did, it's known to add a lot more than you asked for.

    i have to run out for a couple hours. So, can't do more now but can look further when i return if need be.

    I didn't catch for certain your hardware/operating system.

    For next steps, recommend (lookup command name, syntax, and arguments for your computer. Don't rely on my syntax)

    1. Run System File Checker is something like sfc /scannow
    2. Install / run Adaware 2007 Free
    3. Run spybot search and destroy
     
  14. LookinAround

    LookinAround Ex Tech Spotter Posts: 6,491   +183

    So...

    the good news is i now see kimsland had you remove other parts of PartyPoker earlier in this thread so what i glanced at, i think, is just a remnant left behind. I think the other entry (from what i've seen so far) is also not a problem

    Bad news is you are still having your problem, right? i suggest
    1. Turn off hidden files and Folders
      Click Control Panel -> Folder Options -> View. Then Set or Clear each of the following settings as indicated
      • Set Show hidden files and folders
      • Clear Hide extensions for known file types (i think it just helps to see file extensions when you're trying to spot problems)
      • Clear Hide protected operating system files
    2. Run HijackThis again (now that everything is exposed) and post the output log
    3. Install Autoruns
      • Start it and wait for status in lower left of window to say Ready
      • From the top menu, select Options->Verify Code Signatures
      • From top menu, select File->Refresh and wait for Ready status again
      • From top menu, File->Save and post the txt output file you created
     
  15. pedro_traveller

    pedro_traveller TS Rookie Topic Starter Posts: 27

    Kimsland:

    MSCONFIG unticked, I left Antivirus on though. Removed various programs.

    RegEdit will not permit to delete one entry : (preterminado) REG_SZ, that comes with the same sound and popup as virus.

    In temp carpet it does not let me delete JETAD3F.tmp file.

    Hijackthis.exe is renamed as crusty.exe.

    HJT log attached. It still seems big to me.
     
  16. pedro_traveller

    pedro_traveller TS Rookie Topic Starter Posts: 27

    LookinAround:

    A friend downloaded PartyPoker, it should be uninstalled now.

    I will run now the programs you told me.
     
  17. LookinAround

    LookinAround Ex Tech Spotter Posts: 6,491   +183

    The entries you can't delete are using a trick having to do with embedded blanks (i'll spare the detail). This tool will help find and delete. Gotta run. If you need help using the tool i'm sure kimsland or someone else on here can explain.
    RegDelNull v1.1
     
  18. pedro_traveller

    pedro_traveller TS Rookie Topic Starter Posts: 27

    System file checker just pops up and disappears, impossible to do anything with that. Adaware found parts of Smitfraudfix, deleted them, and Spybot did not find anything.

    HJT and Autorun logs attached. Autorun is in two parts, as it was really too big to send here.

    Thank you friends very much for the effort with this, I really appreciate this :)
     
  19. pedro_traveller

    pedro_traveller TS Rookie Topic Starter Posts: 27

    Incredibly, RegDelNull does the same thing as System file checker, it pops up for a tenth of a second and then disappears forever, cannot do anything with that either.
     
  20. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    spybot S&D
    Go to Mode and select advanced. Then expand tools in the left pane, then double click system startup and uncheck items that don't need to be started every time you turn on your computer. If you don't know what something is you can post here or google for it. Don't uncheck anything in green.

    Run HiJackThis and click on Open the Misc Tools section.
    * Click the Open ADS Spy... button.
    * Uncheck "Quick scan (Windows base folder only)"
    * Click the Scan button to the left of the Save log... button.
    * When the scan has completed, click the Save log... button.
    * When the "Save ADS Spy log..." window opens, click the Save button.
    * The log will be displayed in a Notepad window and when you close it, it will be saved by default to your Desktop.
    * Attach the file adsspy.txt into your next reply.
     
  21. LookinAround

    LookinAround Ex Tech Spotter Posts: 6,491   +183

    Good morning everybody. And Welcome, Blind Dragon.

    i was in a hurry yesterday morning when i first saw the thread and posted before running out. Again, in the evening. Blind Dragon, glad you're here. And it's good for Pedro to use the tools and follow your instructions as indicated and reply with the logs.

    when i went to bed last night i thought it worthwhile to stop and reassess what's been done, where we are and what types of problems are still seen before moving forward.

    With that as a goal, i suggest to pedro_traveller
    1. Do not try running RegDelNull until indicated to again.
    2. Complete Blind Dragon's instructions
    3. Tell us just what keys you were trying to delete that gave you the problem and the associated values you tried deleting. Within Regedit you should be able to click Edit->Copy Key Name to easily get the current key name.
    4. Also, you are running vista and you reported problems with sfc and RegDelNull which are both command line commands
    5. Are you aware that in order to run these types of commands you must first be running an elevated cmd prompt which has admin privileges? Do you know how to do that? Were you doing it at the time of the problem?
    6. I'm also now wondering if any of your problems with the command line commands and being unable to delete registry values might also be related to real time control monitors like S&D Teatimer
    7. haven't combed thru all your autoruns log yet. Tho the HijackThis log created after i had you show hidden files, etc. didn't show anything new... just the remnant of PartyPoker and another remnant seeming to just be related to Microsoft Live.
    So if you could just state if you were running elevated command prompts with admin rights when you tried running sfc? And what registry key(s) were you trying to delete that wouldn't delete?
     
  22. LookinAround

    LookinAround Ex Tech Spotter Posts: 6,491   +183

    pedro_traveller

    I have some answers and insights I wanted to share so we can assess what’s been done so far, where things stand and what happens next.
    1. You definitely had a problem and I was a little confused
      Your Post #1 indicated signs of a virus and explained how it affected file space and the “Limewire carpet”. I Googled all over the place but couldn’t find the meaning of “carpet” in the context of Limewire until your Post #15.
      • Your English is quite good. 100% times better than my Spanish. In Post #15 you used “carpet” again. This time I think I found the answer. You are translating the native Spanish word “carpeta” into “carpet” which in English means a rug or heavy fabric floor covering.
      • I believe you meant “folder” or “directory” for the translation. You said "You couldn’t read 71MB of your folder or directory" and later referred to your "temp folder".
    2. Couldn’t delete a registry key
      • When I read you could delete some registry keys but it stopped you from deleting one key/value, my FIRST thought was your infection was using embedded nulls in the registry to make it harder to find and clean.
      • But then it hit me! I mean, I see it all the time (in English) so I guess it took a little longer before it registered for me in Spanish: I’ll bet you were trying to delete the first value for a key. I came to find (preterminado) is Spanish for (Default). I’m not sure if you can (or should) delete (DEFAULT) REG_SZ.
      • It does leave me wondering just what else you deleted directly out of your registry. Maybe would be easiest if you could export what the subkey(s) look like where any of its values were deleted. In regedit, select the subkey whose values changed. If multiple subkeys, you can simply pick a subkey at a higher node in the registry’s tree structure which includes all the changes subkeys. Then in regedit window, click File -> Export. You’ll get an Export window. At bottom of window, you'll see choices for “Export Range”, select “Selected Branch”. Now save and post the registry export file. Be sure to tell us which subkeys you modified.
    3. HijackThis log
      I only saw a couple empty “remnants” of past problems in HijackThis log. They aren't harmful. We’ll delete them later. First, let’s see if anyone else sees anything in the log i might have missed.
    4. AutoRuns log
      • Autoruns was able to verify quite a few of the entries. I went through the list of Unverified entries but, unless I missed it, I didn’t see any problems with them
      • However, you are still running with msconfig so many of the important entries keys aren’t being shown by Autoruns. However, continue running with msconfig! for now I would first like to see what your registry currently looks like after those deletes. After that, we’ll turn off msconfig and look at the other remaining important registry keys.
    5. Questions as to why process filenames appear with different capitalization
      Good question! I must admit I’ve seen and wondered the same at times. But as I didn’t have an infection at the time I just never got around to looking deeper.. until now. And during my search process I found several others with similar questions but not much by way of answers (and none of which completely explained the phenomena). But then it hit me. Cause I’ve only been staring at it for I don’t know how long.
      • This part I read/knew: Variations in just capitalization might indicate a virus. But if the variations are in the actual spelling it's almost certainly due to a virus. If you suspect one, search for the filename throughout all your storage BUT you must be sure to set your search options to a) Search through all hidden files and folders and b) Search through protected System files. Filenames are case insensitive so you can’t have two identical filenames within a single folder. But they can have identical names if they occur in different folders. You can use a site like ProcessLibrary to tell you the correct folder for an executable.
      • Variation in upper/lower case spellings can imply… nothing! The filename/capitalization you see has nothing to do with the capitalization of the executable's filename. Rather, you are seeing the capitalization used in the command line which started the executable in the first place!
      • So if command C:\Windows\StArTmE.Exe is used you might see a process filename of startme.exe but HijackThis (and some other tools) will spell/capitalize it as StArTmE.Exe
     
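    The capitalization question from post 6, the registry values that would not delete (posts 15 and 17) and the explanation in post 22 can be turned into a small triage script. The block below is an added example written for this page; it is not code from the thread, from HijackThis or from RegDelNull. It parses HijackThis-style O4 (autostart) lines, compares paths case-insensitively, flags the same executable name living in two different folders, flags a value name that carries an embedded NUL or leading/trailing whitespace (the trick that RegDelNull exists to handle), flags an image whose folder differs from a reference folder, and reports spellings that differ only in capitalization as benign. The sample lines are constructed for this example (two are modelled on entries quoted in the thread), and the EXPECTED_DIR table is a constructed stand-in for a reference such as ProcessLibrary.

```python
import re
from collections import defaultdict

# Constructed sample O4 lines. The first two are modelled on entries quoted in
# this thread; the rest are made up to exercise each check below.
SAMPLE_O4_LINES = [
    r"O4 - HKLM\..\Run: [Warning: do not remove it! (system)] fppsys.exe",
    r"O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE",
    r"O4 - HKCU\..\Run: [PowerISO] C:\Program Files\PowerISO\pwrisovm.exe",
    r"O4 - HKCU\..\Run: [Explorer] C:\Windows\explorer.exe",
    r"O4 - HKLM\..\Run: [Explorer] C:\Windows\System32\explorer.exe",
    # Value name starting with an embedded NUL: regedit shows it but cannot delete it.
    "O4 - HKLM\\..\\Run: [\x00Updater] C:\\Windows\\System32\\Drivers\\az1z7r8z.SYS",
]

# Constructed reference of where a well-known image is expected to live
# (lower-case folder). A real check would consult a site like ProcessLibrary.
EXPECTED_DIR = {"explorer.exe": r"c:\windows"}

# "O4 - HKLM\..\Run: [value name] command line"
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.*?)\] (.+)$")
# Image path = quoted string, or everything up to the first .exe/.sys/.dll/.com
IMAGE_RE = re.compile(r'^(?:"([^"]+)"|(.+?\.(?:exe|sys|dll|com)))(?:\s|$)', re.I)


def parse_o4(line):
    """Split one O4 line into hive, key, value name, command and image path."""
    m = O4_RE.match(line)
    if not m:
        return None
    hive, key, value_name, command = m.groups()
    im = IMAGE_RE.match(command)
    image = (im.group(1) or im.group(2)) if im else command
    return {"hive": hive, "key": key, "value_name": value_name,
            "command": command, "image": image}


def analyze(lines, expected_dir=EXPECTED_DIR):
    """Return a list of (finding, details...) tuples for a set of O4 lines."""
    findings = []
    folders_by_base = defaultdict(set)   # lower-case basename -> folders seen
    spellings_by_path = defaultdict(set)  # casefolded path -> spellings seen
    for entry in filter(None, map(parse_o4, lines)):
        name = entry["value_name"]
        if "\x00" in name or name != name.strip():
            findings.append(("value-name-null-or-whitespace", repr(name)))
        image = entry["image"]
        if "\\" not in image:
            # Bare filename: resolved through PATH, so where it runs from is unknown.
            findings.append(("unqualified-image", image))
            continue
        folder, base = image.rsplit("\\", 1)
        folder, base = folder.casefold(), base.casefold()
        folders_by_base[base].add(folder)
        spellings_by_path[image.casefold()].add(image)
        if base in expected_dir and folder != expected_dir[base]:
            findings.append(("unexpected-folder", image, expected_dir[base]))
    # Same name in two folders: Windows allows it, and it is a classic disguise.
    for base, folders in folders_by_base.items():
        if len(folders) > 1:
            findings.append(("same-name-different-folders", base,
                             tuple(sorted(folders))))
    # Capitalization-only differences come from the launching command line.
    for spellings in spellings_by_path.values():
        if len(spellings) > 1:
            findings.append(("case-only-variants-benign", tuple(sorted(spellings))))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_O4_LINES):
        print(*finding)
```

    Run against the constructed sample it reports the bare fppsys.exe, the explorer.exe copy outside C:\Windows, the NUL-prefixed value name, explorer.exe present in two folders, and the PowerISO pair as a harmless case-only variant. The value name check is only as good as the log that feeds it: HijackThis may print a NUL as nothing at all, which is exactly why a dedicated tool is needed to see such names in the live registry.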
  23. pedro_traveller

    pedro_traveller TS Rookie Topic Starter Posts: 27

    Thank you very much friends for all this help.
     
  24. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    You cannot format drive C whilst being in it (thankfully)

    You will need to use your Windows CD and boot from that.
    Then select to remove the partition fully, from within the setup of Windows
     
  25. pedro_traveller

    pedro_traveller TS Rookie Topic Starter Posts: 27

    First I would like to say I am sorry for a little delay here, I was traveling for 3 days and had no access to internet. Also I would like to thank you friends very much for all this help, I really do appreciate the time and the effort put into this.

    But it seems to me this got too complicated and now this virus has started to open a lot of files and folders and stuff, all that have no access or cannot delete them. Or if I can, they just reappear.

    So I would like to format the computer...but it will not let me do even that. Writing format command in command prompt it does the same thing, pops up for tenth of a second and then disappears, in command writing format C: it says I have no rights to do that.

    Any ideas how to format drive C and just reinstall everything later? I have no valuable information here so I can use internet, but I will not open my email or any information that needs passwords (only this forum) to not to have problems later. I am telling this because I need to open my email and do some work in internet and cannot wait much longer this situation to be fixed, so to me it seems better just to format everything and install Ubuntu later. ( No more Vista, it even does not have uninstall as an option, though I guess that wouldn't help right now either.)


    To Lookinaround: Yes, with the problem that occurred with registry keys I was running an elevated cmd prompt which has admin privileges. It goes on with the same problems even that I deleted each & every program like S&D Teatimer, so they do not have anything to do with the problem.

    Oh yes, too much time here in South America, I am losing my English... That about carpet really meant folder :D (Carpeta en español) The thing of preterminado comes because this Vista is in Spanish, so obviously everything from the folders to commands come in Spanish. I'll have to translate to Spanish... and well, neither English nor Spanish is my mother tongue, so I have to take some extra time to find all things here...

    So, please, some ideas how to get rid of the virus and to gain access to command prompt to be able to format the computer. Thank you in advance.
     
Topic Status:
Not open for further replies.
