Solved Explorer.exe buffer overflow


Zaarbakur

Dear all,

I've experienced some explorer.exe buffer overflows lately. These happen when I open a folder containing a video file. Now, I'm no big expert in assessing a HijackThis log, so this is why I need your help. It would be greatly appreciated if you could guide me through the solving process for this annoying buffer overflow event.

Thank you in advance!
 

Attachments

  • hijackthis.log (17.4 KB)
'Buffer overflow' really doesn't give us much to work with.

If you would like us to check the system for malware, please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

When you have finished, leave the logs for review in your next reply.

Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.
 
Thank you Bobbye for your reply.

Apologies for the lack of info. For me, the computer is currently a black box I am trying to understand.

I attached some log files already. Step 4 (the GMER rootkit detector) gives some problems when running, with me using the PC running on XP. Is it normal that it takes at least 1 hour to complete? Anyway, I will try it again later and attach the log file hopefully within the next 24 hours.
The Attach.zip contains the Attach.txt file. I zipped it as requested by the DDS program.

Kind regards,

Z
 

Attachments

  • mbam-log-2010-07-23 (13-30-53).txt (6.8 KB)
  • DDS.txt (22 KB)
  • Attach.zip (5.6 KB)
The system was badly infected with Adware.2020search
This is considered as a PUP or a "potentially unwanted application". It is neither a virus nor a Trojan.

This kind of application generally comes bundled with another program, which usually discloses the fact that it is ad-supported. Users agree to have the Adware installed in the license agreement, although they may not realise at first that this file was packaged with the product they installed.

You may have experienced all or some of the following:
  • Adds a search bar as a plugin to IE using 2020search2.dll as a BHO.
  • It changes default search page to "http://search.2020search.com/../redir.php?"
  • It removes start page of IE.
  • It removes the "CustomizeSearch" of IE
  • It changes the "SearchAssistant" of IE to one of its site http://pop.popuptoat.com/../search.html
  • It downloads and installs another Adware bundled with it. Detected as Adware-SRNG
Hopefully Malwarebytes removed it, but I'll have you check further for Registry entries.
You may be seeing this:
2020search_srng.jpg


You have 8 outdated versions of Java still on the system. There are vulnerabilities. Please go to Add/Remove Programs and uninstall all but v6u21.

Please do not use µTorrent or LimeWire while I'm helping you clean the system.

HijackThis 2.0.2 is outdated. You can remove it. I will have you download and run the current version later.

There are some Error Events in the DDS log. Two in particular that you should check out are a possible problem with McAfee and the Nvidia driver Service. They are in Dutch so I can't make out the particulars.
=====================================
Please download ComboFix from Here and save to your Desktop.

  1. Do NOT rename Combofix unless instructed.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Close any open browsers.
  4. Double click combofix.exe & follow the prompts to run.
     NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  5. If Combofix asks you to install Recovery Console, please allow it.
  6. If Combofix asks you to update the program, always allow.
     Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  7. A report will be generated after the scan. Please post the C:\ComboFix.txt in your next reply.

Note: Do not mouse-click Combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs when you're done with Combofix.
Re-enable your Antivirus software.
 
Thank you very much for your reply!

I have deleted all older versions of Java and I have executed ComboFix as requested. I translated the Dutch parts of the file into English for your convenience (log.txt). I also translated the errors in the DDS log (Attached.txt).
I haven't used IE in a while, so I did not notice any 2020 adware but did notice an elimination of my IE start-up page a long long time ago.

Many thanks for your continuing support,

Z
 

Attachments

  • log.txt (22.5 KB)
  • Attached_translatederrors.txt (22.2 KB)
I haven't had any replies on this one so I am bumping for once.
The buffer overflow thing mentioned in the first post still persists. It always occurs when I enter a folder containing a video file, any video file.
So, are the logs good, not good, problems, suggestions?

Thanks
 
Thank you for your patience. This is the third thread where I didn't get the email feedback that a reply was made. I am setting up some script to run in Combofix now. I'd like you to run this online scan while I'm doing that:

Run the ESET NOD32 Online AntiVirus scan HERE: http://www.eset.eu/online-scanner
  1. Tick the box next to YES, I accept the Terms of Use.
  2. Click Start
  3. When asked, allow the Active X control to install
  4. Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  5. Click Start
  6. Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  7. Click Scan
  8. Wait for the scan to finish
  9. Re-enable your Antivirus software.
  10. A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
 
Thank you for your response. The log file can be retrieved in the attachment.
 

Attachments

  • log.txt (732 bytes)
The scan is clean. I'm going to leave the script I had set up and hope the problems have been resolved as I am unable to continue at this time:

Regarding Buffer Overflow:
In computer security and programming, a buffer overflow, or buffer overrun, is an anomaly where a program, while writing data to a buffer, overruns the buffer's boundary and overwrites adjacent memory. This may result in erratic program behavior, including memory access errors, incorrect results, program termination (a crash), or a breach of system security.

Custom CFScript


  1. Close any open browsers.
  2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the code below into it:

    Code:
    File::

    Folder::
    C:\VundoFix Backups

    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
    "DisableMonitoring"=-

    RegLock::
    [HKEY_USERS\S-1-5-21-3630995285-1101715364-1294219465-1006\Software\Microsoft\SystemCertificates\AddressBook*]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
    [HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
    [HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]

  4. Save this as CFScript.txt, in the same location as ComboFix.exe
CFScriptB-4.gif


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================
I looked through the errors listed in the log. There were many indicating that operating system programs had not started up.
abp480n5>>>AdvanSys SCSI Controller Driver
agp440>>> This issue may occur if Windows XP tries to use an incompatible motherboard chipset video driver during startup:
See http://support.microsoft.com/kb/324764

Please look in the Device Manager and check the status of the video driver. A yellow triangle with a black exclamation mark indicates an error.

You have a great number of processes loading on boot. They include LimeWire and uTorrent. It is possible that you have exhausted the available RAM after surfing for a while.
 
Message from Bobbye:

Due to family matters that require my time and efforts, I am unable to continue helping with malware cleaning at this time. If and when these matters are resolved, I will return to the board.

Since the only other helper in the Virus and Malware forum is Broni, I will ask him to pickup the open threads I have going, if and when he can.

====================================================================

Please complete the Combofix script listed above and let me know how the computer is doing.
 
Dear Bobbye and Broni,

Please find the log file attached to this message. I took the liberty to translate some sentences for your convenience.

Regards,

Z
 

Attachments

  • ComboFix.txt (34.6 KB)
Good :)

How is the computer doing at the moment?

Uninstall Combofix:
Go Start > Run [Vista users, go Start>"Start search"]
Type in:
Combofix /Uninstall
Note the space between the "Combofix" and the "/Uninstall"
Click OK (Vista users - press Enter).
Restart computer.

======================================================================

Download OTL to your Desktop.

* Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
* Under the Custom Scan box paste this in:

    Code:
    netsvcs
    drivers32 /all
    %SYSTEMDRIVE%\*.*
    %systemroot%\system32\Spool\prtprocs\w32x86\*.dll
    %systemroot%\system32\*.wt
    %systemroot%\system32\*.ruy
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\system32\spool\prtprocs\w32x86\*.tmp
    %systemroot%\*. /mp /s
    /md5start
    /md5stop
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\user32.dll /md5
    %systemroot%\system32\ws2_32.dll /md5
    %systemroot%\system32\ws2help.dll /md5
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

* Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
 
Dear Broni,

Thank you for your help. My computer is actually working a little faster than before starting this thread, but the overrun still persists. The strange thing is that it happens with only one single video file (obtained legally in case you wondered :) ). The positive thing is that now I can remove it if I want, which was not the case before you guys started helping me. Then it gave the error that a program was using it, although all programs were closed. So I already want to thank you for eliminating the hidden program that used the video file.

Another problem I forgot to mention is that when shutting down, the computer gives an error message just before shutting down. I always forget to wait until the message appears in order to know what the message is telling me. I will give more information on that in a later post. The message started appearing when installing an update of iTunes or another apple inc. application that comes with the update.

To reply to the question about the video drive compatibility raised by Bobbye, I can only state that there is no sign of the mentioned triangle. Under 'display adapters' my NVIDIA card works fine, and under the 'SCSI- and RAID-controllers', the controller also works fine.

I will uninstall all programs I am not using any more in order to reduce the number of processes at start-up.

Here are the documents you asked me to copy paste here. Since the text is otherwise too long, I cannot copy paste them directly. Please find them in attachment:
 

Attachments

  • OTL.Txt (141 KB)
  • Extras.Txt (70 KB)
Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Code:
    :OTL
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found.
    O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {C4069E3A-68F1-403E-B40E-20066696354B} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - No CLSID value found.
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra Button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm File not found
    O9 - Extra 'Tools' menuitem : Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm File not found
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB (Reg Error: Key error.)
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab (Reg Error: Key error.)
    [1 C:\Documents and Settings\All Users\Application Data\*.tmp files -> C:\Documents and Settings\All Users\Application Data\*.tmp -> ]
    @Alternate Data Stream - 115 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:D158BAF9
    
    
    :Services
    
    :Reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]
    "DisableMonitoring" =-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]
    "DisableMonitoring" =-
    
    :Files
    
    :Commands
    [purity]
    [emptytemp]
    [emptyflash]
    [Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
 
Hey,

I attached the log of the fix run as well as the quick scan log.

After rebooting after running the "run fix" in OTL, a number of documents that have transparent icons appeared on my desktop. More precisely, they are *.docx and *.db files. What happened?

Kind regards,

Z
 

Attachments

  • OTL.Txt (117.7 KB)
  • 08112010_145522.log (18.5 KB)
Open Windows Explorer, go Tools>Folder options>View tab and make sure there is a checkmark in "Hide protected operating system files".

Last scans....

1. Download Security Check from HERE, and save it to your Desktop.
  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.


2. Download Temp File Cleaner (TFC)
  • Double click on TFC.exe to run the program.
  • Click on Start button to begin cleaning process.
  • TFC will close all running programs, and it may ask you to restart computer.


3. Go to Kaspersky website and perform an online antivirus scan.

  • Disable your active antivirus program.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
 
Hey,

I tried installing the first link (SecurityCheck). After installing, it doesn't run and it is impossible to remove currently. What should I do?

Regards
 
I meant I'm not able to delete it. It says it is still being used while it actually isn't...
I'll continue with the next steps
 
Sadly the Kaspersky scan says I don't have a recent version of the java framework (1.5 needed or later), but the control at www.java.com says I do have the latest version?
 
No worries :)

Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • IMPORTANT! UN-check Remove found threats
  • Click Start
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push List of found threats
  • Push Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
 
That's fine :)

OTL Clean-Up
Clean up with OTL:

* Double-click OTL.exe to start the program.
* Close all other programs apart from OTL as this step will require a reboot
* On the OTL main screen, press the CLEANUP button
* Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

=======================================================================

Your computer is clean

1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point.

Turn off System Restore:

- Windows XP:
1. Click Start.
2. Right-click the My Computer icon, and then click Properties.
3. Click the System Restore tab.
4. Check "Turn off System Restore".
5. Click Apply.
6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
7. Click OK.
- Windows Vista and 7:
1. Click Start.
2. Right-click the Computer icon, and then click Properties.
3. Click on System Protection under the Tasks column on the left side
4. Click on Continue on the "User Account Control" window that pops up
5. Under the System Protection tab, find Available Disks
6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
8. Click OK

2. Restart computer.

3. Turn System Restore on.

4. Make sure Windows Updates are current.

5. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

6. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

7. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

8. Run Temporary File Cleaner (TFC) weekly.

9. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

10. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

11. Run defrag at your convenience.

12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

13. Please let me know how your computer is doing.
 