
Wisesfxdropper, Locked Files, Buffer Overflows And Other Nasty Looking Stuff


#1 Roadscum

Posted 08 March 2008 - 11:33 AM

Greetings Dear Reader,
After a whole list of things which would take ages to explain, I scanned my machine with the Kaspersky online scanner and found WiseSFX, WiseSFXDropper and RiskTool.Win32.PsKill.1101 and a whole list of files marked 'Object is locked', mostly in C:\WINDOWS\SYSTEM32\. I found the same problems on my removable hard drive (I).
I managed to get rid of WiseSFX, WiseSFXDropper and RiskTool.Win32.PsKill.1101 and got a clean result from Kaspersky online, but the locked files remain locked.

I downloaded Process Monitor from Sysinternals and found numerous buffer overflows and some very suspicious-looking gobbledygook paths in Explorer.EXE, marked KEY DELETED.

Now I don't even begin to understand these results. My anti-virus (Avast free edition), Spybot S&D and Ad-Aware are all showing the system as clean and it's not downloading trojans anymore (it was, oh yes indeed it was), but I suspect there is still nastiness lurking within, so I'd like to start afresh and reload XP. My machine is an old Dell Dimension 4600 and I believe there's a hidden partition on the C drive with an image of the system as it was shipped...or something. I can probably work out how to do it, though any offers of help would be welcome.

Problem: I have music (mp3 files) and pictures on the machine which I really, really don't want to lose. I'd also like to save my old e-mails and address book from Thunderbird, which I believe I can do by backing up my profile folder or something (once again, offers of help...?)

Bigger problem: though Kaspersky online shows my I drive is clean, there are still two locked files on it, I:\System Volume Information\MountPointManagerRemoteDatabase and I:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1208\change.log

Now, I have tried formatting the I drive, but as soon as I copy any files on to it the locked files show up again. Is it safe to back up my precious pictures and stuff onto it before I wipe my C drive and reload XP? Come to think of it, is it safe to use the disc image on the hidden partition (assuming I've got one, that is) or should I start looking for the CDs that came with the machine (they're around here somewhere)?

So, anyone fancy helping me with this little mess?

If anyone does, please bear in mind that I'm a lorry driver and I'm often away from home for a day or two, so my replies to your suggestions may take a while. At the moment I'm expecting to be around until Monday evening (GMT).

More importantly, please bear in mind that I haven't a clue what I'm doing here, so be gentle with me.

Right, that just about sums it up, so I'm off,

Ta Ta!


#2 quietman7

Posted 08 March 2008 - 06:34 PM

When you have questions about your scan, it's best to post the log results so we can see exactly what you're talking about.

"Object is locked skipped" or "Access Denied" notations in a scan are normal. Some files are locked by the operating system or running programs during use for protection, so scanners cannot access them. When the scanner finds such a file, it just skips to the next one. These skipped detections are normally not malware related nor are they infected.

The System Volume Information Folder (SVI) is a part of System Restore, the feature that allows you to set points in time to roll back your computer to a clean working state. The SVI folder is protected by permissions that allow only the system to have access and is hidden by default unless you have reconfigured Windows to show it. This prevents programs from using or manipulating the files that are inside.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 Roadscum

Posted 08 March 2008 - 07:16 PM

Thanks for your reply Quietman. I'd have got back to you sooner, but I was expecting an e-mail notification and nothing turned up; I thought I'd set things up to get one.

My main concern is that my system may have been hacked while I wasn't looking and that it may now have security problems. As I don't really have much of an idea of what I'm doing here, it's difficult for me to tell...

Process Monitor shows a number of buffer overflows and some other stuff that looks suspicious to my inexperienced, paranoid eyes. I believe it's possible to save a copy of what I'm seeing on screen; should I post a copy? If so, PML, CSV or XML format?
I can also give you logs of HijackThis and Kaspersky online scans if you want them. If so, should I post them here or in a new thread somewhere else (the HijackThis forum)?

If you'd like any other information please be as specific as you can. I may appear to know what I'm doing sometimes, but frankly I haven't a clue. A little bit of knowledge is sometimes worse than none at all.

Right, it's late and I'm tired. Thanks again for your help, I'm off to bed.

Goodnight all.

#4 quietman7

Posted 09 March 2008 - 08:28 AM

You can post the Kaspersky scan results here but HijackThis logs are not permitted in this forum.

Process Monitor shows a number of buffer overflows and some other stuff that looks suspicious to my inexperienced, paranoid eyes.

Anytime you come across a suspicious file or one that you do not recognize, search the name using Google or the following links:
BC's File Database
BC's Startup Programs Database
File Research Center
ThreatExpert Malware Search
If no search results are found, you are given the option to "Submit a New Sample".

Determining whether a file is malware or a legitimate process sometimes depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a critical system file. However, it then places itself in a different location on your computer. A file's properties may give a clue to identifying it. Right-click on the file, Properties and examine the General and Version tabs.

You can download and use Process Explorer or System Explorer to investigate all running processes and gather additional information to identify and resolve problems. These tools will show the process CPU usage, a description and its path location. If you right-click on the file in question and select properties, you will see more details about the file.

If you cannot find any information, the file has a legitimate name but is not located where it is supposed to be, or you want a second opinion, submit it to jotti's virusscan or virustotal.com. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.
-- Then post back with the results of the file analysis.

#5 Roadscum

Posted 09 March 2008 - 10:18 AM

Quietman, thank you for your patience and help.
I've now got Process Explorer and I haven't managed to spot any obvious bad files yet, though my inexperience and lack of patience in dealing with what may well prove to be a complex and time-consuming task isn't exactly helping (runs around room screaming 'aaaa, get it off me, get it OFF!').

I have saved some of the Process Monitor output as CSV files, but there's screens and screens of the stuff. I'm trying to prepare an abstract of some of the more interesting bits, which I hope to be able to post here later today.

To keep my first post reasonably short I left out a lot of detail which I only imperfectly remember, but there are a couple of things I'll mention now in case they're of use, though I suspect at least some are just my paranoia:

1 - Recently I would hear my CD drive unexpectedly whine for a second or so at odd intervals when nothing should have been going on; also similar with my hard drive, though this seems to have cleared up now.

2 - Tried installing software for a Creative Zen mp3 player, had problems and took several attempts but succeeded. Didn't work very well and kept locking up. Uninstalled and cleaned up registry afterwards with CCleaner tools.

3 - HP print screen utility stopped working, tried reinstalling from CD, was unable to even see it as an option. Tried uninstalling the printer (HP Deskjet 5150) then reinstalling. Installation hung partway through. Tried several times with same result, only succeeded when I went into process manager when the installation hung and stopped 'install.exe' manually. Installation then proceeded successfully but didn't see an option to install any of the other programmes on the CD (print screen etc.) at any point during the process.

I'm using a borrowed laptop at present, but I'm now going to reconnect my own machine (the one with problems) and see what I can find.

Thanks for your help.

More follows later...

#6 Roadscum

Posted 09 March 2008 - 04:04 PM

Right, I've had a little look around and done some searching on the Google thing, and it seems that the suspicious gobbledygook I was worried about may relate to legitimate Windows tracks (or something) encoded with a ROT13 cipher. I don't really understand what it all is, but it looks like it's OK.

Still worried about the buffer overflows though. At the bottom of this post I've copied examples of the different ones I've seen; Process Monitor shows them repeating for screen after screen so I can't guarantee that I haven't missed any, but still, it should give you an idea of what's going on. I noticed that a lot seem to involve HP-related files. Process Explorer shows three of these running:
hpcmpmgr.exe (unable to verify)
HPWuSchd.exe (unable to verify)
hpztsb09.exe (verified)
I haven't tried a Jotti scan on them yet, Jotti is rather busy at the moment, but I'll try again when things quieten down a bit. These files have been scanned many times by Avast (on my machine), BitDefender (online) and Kaspersky (online) and have come up clean. I have noticed that they all involve 'ShimCacheMutex', which appears to be involved in security in some way; I've tried searching and haven't managed to find anything that made much sense to me.

I'm beginning to wonder if this might be some kind of software conflict, possibly involving Spybot S&D. I've seen a few grumbles about it on my travels around the WWW and I had some problems getting the latest version to work properly. I'd be unhappy if it was, it's been a good little tool and the Safer Networking team seem like a nice (though badly overworked) bunch.

Speaking of which, I'd hate to be wasting your time on non-existent problems. I'm quite prepared, keen even (idiot possibly), to re-format my hard drive and re-install XP; I just want to be sure I can safely back up the stuff I mentioned in my first post and to know if it's safe to use the disc image in the (possibly non-existent) hidden hard drive partition. I can probably find out how to do it all by looking around here or elsewhere.

Right, that's enough for now. Here are the Process Monitor excerpts (surely there must be a better way of doing this); do take a look at them and tell me if I'm just chasing shadows here:

"0","23:57:24.8035386","lsass.exe","708","RegQueryValue","HKLM\SECURITY\Policy\SecDesc\(Default)","BUFFER OVERFLOW","Length: 12","C:\WINDOWS\system32\lsass.exe","Microsoft Corporation","C:\WINDOWS\system32\lsass.exe"

"1637","23:57:25.0744303","csrss.exe","620","QueryInformationVolume","C:\WINDOWS\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.2982.Policy","BUFFER OVERFLOW","VolumeCreationTime: 12/08/2003 09:47:07, VolumeSerialNumber: 34B3-C23C, SupportsObjects: True, VolumeLabel: Loc¨","C:\WINDOWS\system32\csrss.exe","Microsoft Corporation","C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16"

"1638","23:57:25.0746019","csrss.exe","620","QueryAllInformationFile","C:\WINDOWS\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.2982.Policy","BUFFER OVERFLOW","CreationTime: 14/10/2006 22:01:46, LastAccessTime: 08/03/2008 23:57:24, LastWriteTime: 14/10/2006 22:01:46, ChangeTime: 09/05/2007 08:43:18, FileAttributes: A, AllocationSize: 4,096, EndOfFile: 621, NumberOfLinks: 1, DeletePending: False, Directory: False, IndexNumber: 0x6400000000eb52, EaSize: 0, Access: Generic Read, Position: 0, Mode: Sequential Access, Synchronous IO Non-Alert, AlignmentRequirement: Word","C:\WINDOWS\system32\csrss.exe","Microsoft Corporation","C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16"

"3546","23:57:25.5688172","TeaTimer.exe","416","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HP Software Update","BUFFER OVERFLOW","Length: 144","C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe","Safer Networking Limited","""C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"" "

"3583","23:57:25.5693052","TeaTimer.exe","416","RegEnumValue","HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser","BUFFER OVERFLOW","Index: 3, Length: 220","C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe","Safer Networking Limited","""C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"" "

"3595","23:57:25.5694673","TeaTimer.exe","416","RegQueryValue","HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{0E5CBF21-D15F-11D0-8301-00AA005B4383}","BUFFER OVERFLOW","Length: 144","C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe","Safer Networking Limited","""C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe""

"3603","23:57:25.5699224","TeaTimer.exe","416","RegQueryValue","HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBarLayout","BUFFER OVERFLOW","Length: 144","C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe","Safer Networking Limited","""C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"" "

"3612","23:57:25.5703403","TeaTimer.exe","416","RegQueryValue","HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Layout","BUFFER OVERFLOW","Length: 144","C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe","Safer Networking Limited","""C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"" "

"3617","23:57:25.5706948","TeaTimer.exe","416","RegQueryValue","HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{F2CF5485-4E02-4F68-819C-B92DE9277049}","BUFFER OVERFLOW","Length: 144","C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe","Safer Networking Limited","""C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"" "

#7 quietman7

Posted 10 March 2008 - 08:24 AM

A buffer is a defined temporary data storage area. Buffers contain a finite amount of information data. A buffer overflow occurs when a process attempts to store (write) more data into the buffer than it was intended to hold. When this happens, that excess information can overflow into adjacent buffers, overwriting the valid data they contain. Attackers can exploit this by overwriting data that controls the program execution path and hijack the control of the program to execute the attacker's code instead of the process code.

Buffer Overflow Exploits: The Why and How
Buffer Overflow

hpcmpmgr.exe is the main process belonging to the HP Component Manager
HPWuSchd.exe is a process that will check on the Internet to see if updates are available for your HP hardware's drivers.
hpztsb09.exe is a process related to the system tray icon which you can use to diagnose problems with your HP printer.

When using utilities like Process Monitor it is not unusual to see Buffer Overflows in the "Results" column. Please read Buffer Overflows in Regmon Traces.
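
Post #4 (check a file's name against the location it runs from) and post #7 (BUFFER OVERFLOW in Process Monitor is a normal result) both describe checks that can be run over a saved Process Monitor CSV export like the excerpts above. The script below is an added example, not from this thread, from Sysinternals or from any of the tools mentioned; it assumes the column order seen in the excerpts (no header row), uses constructed sample rows, and includes one made-up row of a core system binary name running from a Temp folder so the location check has something to flag.

```python
import csv
import io
import ntpath
from collections import Counter

# Column order as it appears in the CSV excerpts posted in this thread
# (assumed: Process Monitor "Export as CSV", default columns, no header).
FIELDS = ["seq", "time", "process", "pid", "operation", "path", "result",
          "detail", "image", "company", "cmdline"]

# Constructed sample rows. Rows 0-2 mirror the kind of lines posted above;
# row 3 is a made-up case of a system binary name running from Temp.
SAMPLE_CSV = r'''"0","23:57:24.803","lsass.exe","708","RegQueryValue","HKLM\SECURITY\Policy\SecDesc\(Default)","BUFFER OVERFLOW","Length: 12","C:\WINDOWS\system32\lsass.exe","Microsoft Corporation","C:\WINDOWS\system32\lsass.exe"
"1","23:57:24.804","lsass.exe","708","RegQueryValue","HKLM\SECURITY\Policy\SecDesc\(Default)","SUCCESS","Length: 144","C:\WINDOWS\system32\lsass.exe","Microsoft Corporation","C:\WINDOWS\system32\lsass.exe"
"2","23:57:25.569","TeaTimer.exe","416","RegQueryValue","HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBarLayout","BUFFER OVERFLOW","Length: 144","C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe","Safer Networking Limited","""C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"" "
"3","23:57:26.100","csrss.exe","1234","RegOpenKey","HKCU\Software\Example","SUCCESS","Desired Access: Read","C:\Documents and Settings\user\Local Settings\Temp\csrss.exe","","C:\Documents and Settings\user\Local Settings\Temp\csrss.exe"
'''

# Core XP binaries that always live in the system directory (assumed list).
SYSTEM_DIR = r"c:\windows\system32"
SYSTEM_BINARIES = {"lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}


def parse_rows(text):
    """Parse the CSV text into dicts keyed by FIELDS, skipping short rows."""
    reader = csv.reader(io.StringIO(text))
    return [dict(zip(FIELDS, row)) for row in reader if len(row) == len(FIELDS)]


def buffer_overflows_per_process(rows):
    """Count BUFFER OVERFLOW results per process. In Process Monitor this is
    the status returned when the caller's buffer was smaller than the value
    being read; it is not a memory-corruption event."""
    return dict(Counter(r["process"] for r in rows
                        if r["result"] == "BUFFER OVERFLOW"))


def retried_successfully(rows):
    """(process, path) pairs whose BUFFER OVERFLOW is paired with a SUCCESS
    for the same operation and path: the usual two-call pattern of asking
    for the required size and then reading with a large enough buffer."""
    ok = {(r["process"], r["operation"], r["path"])
          for r in rows if r["result"] == "SUCCESS"}
    return sorted({(r["process"], r["path"]) for r in rows
                   if r["result"] == "BUFFER OVERFLOW"
                   and (r["process"], r["operation"], r["path"]) in ok})


def misplaced_system_binaries(rows):
    """Processes named like a core Windows binary whose image path is outside
    the system directory (the name-reuse trick post #4 warns about).
    Returns {process name: image path}."""
    flagged = {}
    for r in rows:
        if r["process"].lower() in SYSTEM_BINARIES:
            if ntpath.dirname(r["image"]).lower() != SYSTEM_DIR:
                flagged[r["process"]] = r["image"]
    return flagged


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_CSV)
    print("BUFFER OVERFLOW per process:", buffer_overflows_per_process(rows))
    print("Retried and succeeded:", retried_successfully(rows))
    print("System binary name, wrong location:", misplaced_system_binaries(rows))
```

Point the same functions at a real export (skip the header row if you exported one) and anything left in the BUFFER OVERFLOW count without a matching SUCCESS is simply a caller that did not retry, not evidence of an exploit; the location check is the one worth acting on.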

#8 Roadscum

Posted 10 March 2008 - 09:56 AM

Once again, thank you for your patience and help Quietman,

It looks like I've been making a fuss about nothing here. All anti-virus and spyware scans I've done recently have come up clean, and the links you supplied have gone some way to explaining the things I was worried about, though all I can really say about that is (adopts best 'Gumby' pose) my brain hurts!

I'm still keen on re-installing XP and starting afresh, and I think my system could do with a little more memory than the 512MB it's currently running on, so I'm off to find out what I need to do there. No doubt there will be more questions, but I'll deal with them as and when.

Finally, thanks again for your help, it's nice to know that in today's mercenary times there are still people prepared to do some good just for the sake of it. Keep up the good work!

Ta Ta

#9 quietman7

Posted 10 March 2008 - 10:07 AM

You're welcome.

"Knowledge and the ability to use it is the best defensive tool anyone could have. An uninformed user can be his or her own worst enemy when acting in ignorance."
