remote stack buffer overflow


Post by JohnB »

I recently went to an internet café to transfer files via memory stick to my PC. When I plugged it in I got a popup from comodo firewall saying:

“Restore.exe. is trying to execute remote stack buffer overflow “ Terminate or skip.

I clicked terminate a few times but got the same message. After I restarted things got worse.

It said after the boot screen:

“autochk program not found – skipping AUTOCHECK”

Then I got a BSOD saying:

“stop: c0000zIA [Fatal system error]. The session manager initiation system process terminated unexpectedly with a status of 0XC0000022 (0X00000000 0X00000000)

the system has been shutdown”

Knowing Conficker was spread this way I feel kind of stupid.
Is there any way I can get my data back? At the moment I feel all I can do is format. Could I use that GETDATABACK program? Wouldn’t reinstalling an OS overwrite the data? Could I access my data using a Linux Live CD?

Also, should I wipe the memory stick in Linux?

Any help is much appreciated as my internet access is sporadic and I haven’t the time to google myself.


Post by ph0bYx »

I think you should definitely try out using a Linux live CD. And check the memory stick for a jwgkvsq.vmx or jwgkvsq.exe usually contained in the RECYCLER folder; that's the Conficker worm. Although I've never heard of the Conficker worm behaving like that before, so I doubt that's the case.
Good luck anyway, keep us posted ;)


Post by lilrofl »

I found this process linked to that exact error... I have never tested it, but it will leave you no worse than you are now. Back up your files before overwriting them and you can always undo it if it proves unsuccessful.

Cheers =)

1. Boot up your computer from the CD drive with a live Linux distro (Knoppix for instance).

2. At this point, with any luck, you’ll see the hard drive in question represented by an icon at the upper left, mounted and available for use.

3. Click on the drive icon that contains your Windows operating system. This will open up a file manager. I suggest changing the display to list the files in ‘detail.’

4. Sort your directory by date in descending order.

5. Expand both the found.000 (or found.001..n, etc.) and your Windows/System32 directories.

6. View which files the Windows chkdsk moved into the found.000 path as listed below:


7. Check for the same file names in the System32 directory – back them up if need be, then copy the files from the found.000 path into the /Windows/System32 directory, overwriting the existing files by the same name.


8. Shutdown Linux correctly (don’t be impatient and just pull the plug:-) – remember to remove the CD from the drive when prompted.

9. Reboot under Windows.
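Steps 5 to 7 above, written out as a small POSIX shell script you can run from the live CD; this is an added example, not code from the post. It assumes the Windows volume is already mounted (the mount point, e.g. /media/sda1, is passed as the first argument) and that matches are reviewed with match_found_files before restore_found_files copies anything.

```shell
#!/bin/sh
# Added helper for the live-CD procedure; constructed for this thread, not code
# from the original post. $1 is the mount point of the Windows volume on the
# live CD (e.g. /media/sda1). NTFS names are case-insensitive while Linux paths
# are not, so every lookup is done with find -iname.

# Print the first entry directly under directory $1 whose name matches $2, ignoring case.
find_child_ci() {
    find "$1" -mindepth 1 -maxdepth 1 -iname "$2" | head -n 1
}

# Emit one "found_file|system32_file" line for each file chkdsk moved into
# found.000, found.001, ... that also exists by name in Windows\System32.
# Files with no System32 counterpart (e.g. a bare FILE0000.CHK) are skipped.
match_found_files() {
    win="$1"
    windir=$(find_child_ci "$win" windows)
    [ -n "$windir" ] || { echo "no Windows directory under $win" >&2; return 1; }
    sys32=$(find_child_ci "$windir" system32)
    [ -n "$sys32" ] || { echo "no System32 under $windir" >&2; return 1; }
    for found in "$win"/found.[0-9][0-9][0-9]; do
        [ -d "$found" ] || continue
        for f in "$found"/*; do
            [ -f "$f" ] || continue
            target=$(find_child_ci "$sys32" "$(basename "$f")")
            if [ -n "$target" ]; then printf '%s|%s\n' "$f" "$target"; fi
        done
    done
    return 0
}

# Copy every match over its System32 counterpart, first saving the original
# under $1/found_backup so the step can be undone. Prints the number restored.
restore_found_files() {
    win="$1"; backup="$win/found_backup"; n=0
    list=$(mktemp)
    match_found_files "$win" > "$list" || { rm -f "$list"; return 1; }
    while IFS='|' read -r src dst; do
        mkdir -p "$backup"
        # keep only the very first original of each name, even if found.001 matches it again
        [ -e "$backup/$(basename "$dst")" ] || cp -p "$dst" "$backup/"
        cp -p "$src" "$dst"
        n=$((n + 1))
    done < "$list"
    rm -f "$list"
    echo "$n"
}

# Typical use on the live CD: review the matches first, then restore.
# match_found_files /media/sda1 && restore_found_files /media/sda1
```

Undoing the step is just copying found_backup/* back into System32.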


Post by JohnB »

Well I finally managed to get a hold of a live CD. And thankfully all my data was still there :D

I managed to locate the "found" folders. I have two of them: found.000 and found.001

Unfortunately, as I browsed system32 and the windows directory I couldn't find the files described inside those "found" folders. Namely: FILE0000.CHK etc

Do you think I should just copy the files inside the "found" folders and transfer them to the system32 directory?

There isn't a RECYCLER folder on the memory stick, but I did find a "tmp.folder" which contains "restore.exe" and "desktop.ini". Though the folder is protected from deletion, which means I'll have to format it.


Post by lilrofl »

JohnB wrote: I couldn't find the files described inside those "found" folders. Namely: FILE0000.CHK etc

Do you think I should just copy the files inside the "found" folders and transfer them to the system32 directory?

It should be fine to just copy the files, yes. Secondly, the .CHK file is created when you scan the hard drive with chkdsk; it may not be present according to the information I read. I tried looking for it again but was unsuccessful. I'll keep looking for you though and update this if my knowledge changes.


Post by JohnB »

Thank you both for your assistance :)

I tried placing the files into the windows and system32 directory with no luck.

If it's any use I can still access safe mode.

EDIT: If anyone's wondering, I just used System Restore in Safe Mode to fix it. This is a nasty rootkit known as "Rimecud.inf".
Last edited by JohnB on 30 May 2010, 13:55, edited 1 time in total.


Post by lilrofl »

If you have access to the data you want to recover in safe mode, then at least you'd have your data... Do you have an install CD for your OS? You could try a repair install, which would preserve the data but occasionally loses registry keys.