
Repeated Buffer Overload on Startup targeting IE, Have Exploit.Java.Gimsh.b


  • This topic is locked
2 replies to this topic

#1 mikethompson

  • Members
  • 2 posts

Posted 01 January 2009 - 09:46 PM

Background


On startup: repeated buffer overflows stopped by McAfee, as many as 11 straight ones.

This is the source of each buffer overflow:
Process: C:\Program Files\Internet Explorer\iexplore.exe
API: Kernel32.GetProcAddress

Have AVG and McAfee both running (AVG caught stuff McAfee didn't), have cleaned out with safe mode and System Restore off. Have also run Malwarebytes' Anti-Malware with safe mode and restore off, as well as running Trojan Remover's Fast Scan at startup.

Antimalware caught some stuff.

A lot of stuff was quarantined and deleted, yet the BO attacks persist.


Kaspersky's Online Scan has caught this malware/worm twice (even though I deleted and cleared temporary Java files and installed the latest version, as was recommended for getting rid of this exploit): Exploit.Java.Gimsh.b, and it exists in the following three files on my computer as of today.

C:\Documents and Settings\Mike Thompson\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-1181d259-576714d7.zip
C:\Documents and Settings\Mike Thompson\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5efd1945-27e069af.zip
C:\Documents and Settings\Mike ThompsonApplication Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d3811e3-1f4481c4.zip


Please note, I have changed any reference to my name in these logs to a fake name (Mike Thompson). I don't want my name coming up in a Google search with this.



DDS (Version 1.1.0) - NTFSx86
Run by mike thompson at 21:19:01.96 on Thu 01/01/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1406.434 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated)
AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\acs.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\Brmfrmps.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\lxdjcoms.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\system32\PSIService.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
c:\TOSHIBA\IVP\swupdate\swupdtmr.exe
C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
C:\WINDOWS\system32\TODDSrv.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Lexmark 1400 Series\lxdjamon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Veoh Networks\Veoh\VeohClient.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\sound.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\palmOne\HOTSYNC.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office10\EXCEL.EXE
C:\Program Files\Java\jre6\bin\java.exe
c:\PROGRA~1\mcafee\msc\mcshell.exe
C:\PROGRA~1\McAfee\MSC\McLgView.exe
C:\Documents and Settings\mike thompson\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearch Bar = hxxp://www.google.com/ie
uSearch Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://search.yahoo.com/search?fr=mcafee&p=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: Megaupload Toolbar: {4e7bd74f-2b8d-469e-ccb0-b130eedbe97c} - c:\progra~1\megaup~2\MEGAUP~1.DLL
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar3.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\2.0.301.7164\swg.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: IeMonitorBho Class: {bf00e119-21a3-4fd1-b178-3b8537e75c92} - c:\program files\megaupload\mega manager\MegaIEMn.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar3.dll
TB: Megaupload Toolbar: {4e7bd74f-2b8d-469e-ccb0-b130eedbe97c} - c:\progra~1\megaup~2\MEGAUP~1.DLL
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
EB: {FE54FA40-D68C-11D2-98FA-00C0F0318AFE} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [Veoh] "c:\program files\veoh networks\veoh\VeohClient.exe" /VeohHide
uRun: [<NO NAME>]
uRun: [Sound] c:\windows\system32\sound.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [lxdjmon.exe] "c:\program files\lexmark 1400 series\lxdjmon.exe"
mRun: [lxdjamon] "c:\program files\lexmark 1400 series\lxdjamon.exe"
mRun: [TrojanScanner] c:\program files\trojan remover\Trjscan.exe /boot
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
StartupFolder: c:\docume~1\mikefr~1\startm~1\programs\startup\hotsyn~1.lnk - c:\program files\palmone\HOTSYNC.EXE
StartupFolder: c:\docume~1\mikefr~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office11\ONENOTEM.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: Save Flash - c:\program files\unh solutions\flash saving plugin\FlashSButton.dll/210
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll
AppInit_DLLs: c:\progra~1\google\google~1\GOEC62~1.DLL,avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\mikefr~1\applic~1\mozilla\firefox\profiles\9my8kixn.default\
FF - prefs.js: browser.search.selectedEngine - Godaddy.com
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=utf-8&fr=megaup&p=
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\documents and settings\mike thompson\application data\mozilla\firefox\profiles\9my8kixn.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp07061050.dll
FF - plugin: c:\documents and settings\mike thompson\application data\vusion\npWARPVideoPlugin.153209.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npJoostPlugin.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPLiveSearch.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPStreamPlug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPTURNMED.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npunagi2.dll
FF - plugin: c:\program files\veoh networks\veoh\plugins\noreg\NPVeohVersion.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

ATTENTION: FIREFOX POLICES IS IN FORCE
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("general.useragent.vendorComment", "ax");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("security.xpconnect.activex.global.hosting_flags", 9);
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("security.classID.allowByDefault", false);
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID22D6F312-B0F6-11D0-94AB-0080C74C7E95", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CID6BF52A52-394A-11D3-B153-00C04F79FAA6", "AllAccess");
c:\program files\mozilla firefox\defaults\pref\activex.js - pref("capability.policy.default.ClassID.CIDA9FC132B-096D-460B-B7D5-1DB0FAE0C062", "AllAccess");

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-12-28 97928]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2008-12-28 26824]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-10-7 207656]
R2 tdudf;TOSHIBA UDF File System Driver;c:\windows\system32\drivers\tdudf.sys [2006-6-28 98816]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-10-7 79240]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-10-7 35240]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-10-7 40488]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-10-7 34152]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-1-25 42000]
S3 SVRPEDRV;SVRPEDRV;\??\c:\sysprep\PEDrv.sys []

=============== Created Last 30 ================

2008-12-31 08:09 664 a------- c:\windows\system32\d3d9caps.dat
2008-12-30 21:08 459,264 -c------ c:\windows\system32\dllcache\msfeeds.dll
2008-12-30 21:08 267,776 -c------ c:\windows\system32\dllcache\iertutil.dll
2008-12-30 21:08 52,224 -c------ c:\windows\system32\dllcache\msfeedsbs.dll
2008-12-30 21:08 63,488 -c------ c:\windows\system32\dllcache\icardie.dll
2008-12-30 21:08 383,488 -c------ c:\windows\system32\dllcache\ieapfltr.dll
2008-12-30 21:08 13,824 -c------ c:\windows\system32\dllcache\ieudinit.exe
2008-12-30 21:08 6,066,176 -c------ c:\windows\system32\dllcache\ieframe.dll
2008-12-30 18:48 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Kaspersky Lab Setup Files
2008-12-29 21:21 410,984 a------- c:\windows\system32\deploytk.dll
2008-12-29 08:06 <DIR> --d----- c:\program files\Trend Micro
2008-12-29 00:26 <DIR> --d-h--- C:\$AVG8.VAULT$
2008-12-28 23:51 10,520 a------- c:\windows\system32\avgrsstx.dll
2008-12-28 23:51 97,928 a------- c:\windows\system32\drivers\avgldx86.sys
2008-12-28 23:51 <DIR> --d----- c:\windows\system32\drivers\Avg
2008-12-28 23:51 <DIR> --d----- c:\program files\AVG
2008-12-28 23:51 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2008-12-28 12:05 <DIR> --d----- c:\docume~1\mikefr~1\applic~1\Malwarebytes
2008-12-28 12:05 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-12-28 12:05 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-12-28 12:05 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-12-28 12:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2008-12-28 11:56 162,304 a------- c:\windows\system32\ztvunrar36.dll
2008-12-28 11:56 153,088 a------- c:\windows\system32\UNRAR3.dll
2008-12-28 11:56 77,312 a------- c:\windows\system32\ztvunace26.dll
2008-12-28 11:56 75,264 a------- c:\windows\system32\unacev2.dll
2008-12-28 11:56 69,632 a------- c:\windows\system32\ztvcabinet.dll
2008-12-28 11:56 <DIR> --d----- c:\program files\Trojan Remover
2008-12-28 11:56 <DIR> --d----- c:\docume~1\mikefr~1\applic~1\Simply Super Software
2008-12-28 11:56 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Simply Super Software
2008-12-05 15:24 70 a------- c:\windows\dd.dat
2008-12-05 09:11 69,969 a------- c:\windows\system32\f02ga7.tmp
2008-12-05 09:11 26,606 a------- c:\windows\system32\bo8387.tmp

==================== Find3M ====================

2008-10-23 07:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 15:38 826,368 a------- c:\windows\system32\wininet.dll
2008-10-15 06:27 77,607 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2008-01-07 22:51 35,904 a------- c:\docume~1\mikefr~1\applic~1\GDIPFONTCACHEV1.DAT
2008-01-01 10:43 304 a------- c:\docume~1\mikefr~1\applic~1\wklnhst.dat
2007-04-28 19:38 20,845,323 a------- c:\program files\8244C6C4_051209_2020_potion_free.flv
2007-04-10 10:19 7,718,504 a------- c:\program files\winzip110.exe
2007-04-10 10:13 120,929 a------- c:\program files\sltok13.exe
2007-02-28 22:42 3,541,062 a------- c:\documents and settings\mike thompson\neoteris_read_6993203.reg
2008-09-29 14:57 88 ---shr-- c:\windows\system32\80FBCA84BE.sys
2007-03-09 03:12 27,648 a--sh--- c:\windows\system32\AVSredirect.dll
2006-05-03 04:06 163,328 ---shr-- c:\windows\system32\flvDX.dll
2008-09-29 14:58 2,828 a--sh--- c:\windows\system32\KGyGaAvL.sys
2007-02-21 05:47 31,232 ---shr-- c:\windows\system32\msfDX.dll

============= FINISH: 21:22:07.89 ===============







Thank you for providing your time to anyone who helps out.

#2 mikethompson

  • Topic Starter
  • Members
  • 2 posts

Posted 02 January 2009 - 10:16 PM

I think I fixed this.

- Buffer overload was an issue with the sound.exe. It was running on startup.

http://www.esecurityplanet.com/alerts/arti...dows-Folder.htm

I downloaded PrevxCSI and did a free scan where it identified sound.exe as an issue (corroborating the McAfee logs). I spent the 16 bucks to purchase the full version to fix it.

As for the Exploit.Java.Gimsh.b worm, I put the URL folder path in my IE

C:\Documents and Settings\Mike Thompson\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\

and then just deleted the folder. I believe worms are OK to just delete.
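As an added illustration (not part of the original thread, and not code from the DDS tool or from the poster), the following Python script pulls the autorun and file-list lines out of a DDS-style log like the one in the first post and flags the entries an analyst would check first: an autorun with no name or no command, a program launched at logon from system32 that is not a known Windows component (the sound.exe entry the second post identifies), and system+hidden files sitting in system32. The DDS line formats, the one-entry allow-list of known Windows autoruns, and the sample log (a trimmed copy of lines from the log above) are assumptions of this example.

```python
import re

# Windows components that legitimately run from system32 at logon (assumed
# allow-list for this example; extend it from a known-good baseline machine).
KNOWN_SYSTEM32_AUTORUNS = {"ctfmon.exe"}

# DDS "Pseudo HJT Report" autorun line:  uRun: [name] command   (assumed format)
AUTORUN_RE = re.compile(r"^(?P<hive>[um])Run:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# DDS "Created Last 30" / "Find3M" line:  date time size attrs path   (assumed format)
FILE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})\s+\d{2}:\d{2}\s+"
    r"(?P<size>[\d,]+|<DIR>)\s+(?P<attrs>[-a-z]{8})\s+(?P<path>.+)$"
)

SYSTEM32 = "c:\\windows\\system32\\"

# Constructed sample: a trimmed copy of lines from the DDS log in the first post.
SAMPLE_LOG = r"""
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [<NO NAME>]
uRun: [Sound] c:\windows\system32\sound.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
2008-12-31 08:09 664 a------- c:\windows\system32\d3d9caps.dat
2008-09-29 14:57 88 ---shr-- c:\windows\system32\80FBCA84BE.sys
2007-03-09 03:12 27,648 a--sh--- c:\windows\system32\AVSredirect.dll
"""


def executable_of(command):
    """Return the program path from an autorun command, dropping its arguments."""
    command = command.strip()
    if not command:
        return ""
    if command.startswith('"'):          # quoted path, possibly containing spaces
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0]


def triage(log_text):
    """Return (log_line, reason) pairs for entries worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = AUTORUN_RE.match(line)
        if m:
            exe = executable_of(m.group("cmd")).lower()
            base = exe.rsplit("\\", 1)[-1]
            if m.group("name") == "<NO NAME>" or not exe:
                findings.append((line, "autorun entry with no name or no command"))
            elif exe.startswith(SYSTEM32) and base not in KNOWN_SYSTEM32_AUTORUNS:
                findings.append((line, "non-Windows program autorun from system32: " + base))
            continue
        m = FILE_RE.match(line)
        if m and "s" in m.group("attrs") and "h" in m.group("attrs") \
                and m.group("path").lower().startswith(SYSTEM32):
            findings.append((line, "system+hidden file in system32"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {entry}")
```

The flagged lines are triage candidates, not verdicts: ctfmon.exe passes because it is on the allow-list, while the rule fires on sound.exe because third-party software rarely registers a per-user autorun that points into system32, which is the same pattern the second post's scanner reported. Hidden system-attribute files in system32 are listed so they can be checked against a known-good machine rather than assumed bad.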

#3 KoanYorel

    Bleepin' Conundrum

  • Staff Emeritus
  • 19,461 posts
  • Gender:Male
  • Location:65 miles due East of the "Logic Free Zone", in Md, USA

Posted 14 January 2009 - 02:49 AM

If you are sure, thanks for informing us.

Otherwise, please start a new topic, as this thread is now closed.
The only easy day was yesterday.

...some do, some don't; some will, some won't (WR)



