Buffer overflow explorer.exe , security


13 replies to this topic

#1 Seda145

Seda145

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:24 PM

Posted 05 July 2014 - 01:59 AM

hello,

 

Using Process Monitor (procmon.exe) I see a really big number of buffer overflow notifications on explorer.exe.

I have made a copy of one notification:

 

"Frame","Module","Location","Address","Path"
"0","fltmgr.sys","FltAcquirePushLockShared + 0x907","0xfffff880010b5067","C:\Windows\system32\drivers\fltmgr.sys"
"1","fltmgr.sys","FltIsCallbackDataDirty + 0xa39","0xfffff880010b6329","C:\Windows\system32\drivers\fltmgr.sys"
"2","fltmgr.sys","fltmgr.sys + 0x16c7","0xfffff880010b46c7","C:\Windows\system32\drivers\fltmgr.sys"
"3","ntoskrnl.exe","NtSetInformationFile + 0x1093","0xfffff800035b2573","C:\Windows\system32\ntoskrnl.exe"
"4","ntoskrnl.exe","NtQuerySecurityObject + 0xe6","0xfffff80003567a36","C:\Windows\system32\ntoskrnl.exe"
"5","ntoskrnl.exe","KeSynchronizeExecution + 0x3a23","0xfffff800032d2e53","C:\Windows\system32\ntoskrnl.exe"
"6","ntdll.dll","ZwQuerySecurityObject + 0xa","0x7782255a","C:\Windows\SYSTEM32\ntdll.dll"
"7","KERNELBASE.dll","GetKernelObjectSecurity + 0x14","0x7fefd8d6a54","C:\Windows\system32\KERNELBASE.dll"
"8","ADVAPI32.dll","GetKernelObjectSecurity + 0x13","0x7fefdd541f3","C:\Windows\system32\ADVAPI32.dll"
"9","ntmarta.dll","AccRewriteSetEntriesInAcl + 0x633","0x7fefae62293","C:\Windows\system32\ntmarta.dll"
"10","ntmarta.dll","AccRewriteSetEntriesInAcl + 0x842","0x7fefae624a2","C:\Windows\system32\ntmarta.dll"
"11","ntmarta.dll","AccRewriteGetNamedRights + 0x12a","0x7fefae6285a","C:\Windows\system32\ntmarta.dll"
"12","ADVAPI32.dll","GetNamedSecurityInfoW + 0xa4","0x7fefdd52224","C:\Windows\system32\ADVAPI32.dll"
"13","ntshrui.dll","DllGetClassObject + 0xd7c","0x7fef7cd2444","C:\Windows\system32\ntshrui.dll"
"14","ntshrui.dll","DllGetClassObject + 0x16e3","0x7fef7cd2dab","C:\Windows\system32\ntshrui.dll"
"15","ntshrui.dll","DllGetClassObject + 0x1634","0x7fef7cd2cfc","C:\Windows\system32\ntshrui.dll"
"16","SHELL32.dll","Ordinal876 + 0x2140","0x7fefe25fd10","C:\Windows\system32\SHELL32.dll"
"17","SHELL32.dll","Ordinal876 + 0x2081","0x7fefe25fc51","C:\Windows\system32\SHELL32.dll"
"18","SHELL32.dll","Ordinal876 + 0x1f72","0x7fefe25fb42","C:\Windows\system32\SHELL32.dll"
"19","SHELL32.dll","ILLoadFromStreamEx + 0x1b3c","0x7fefe185f58","C:\Windows\system32\SHELL32.dll"
"20","SHELL32.dll","Ordinal241 + 0x11bb","0x7fefe18e707","C:\Windows\system32\SHELL32.dll"
"21","PROPSYS.dll","Ordinal424 + 0x69","0x7fefbbf4cc9","C:\Windows\system32\PROPSYS.dll"
"22","PROPSYS.dll","PSCreateMultiplexPropertyStore + 0x3de","0x7fefbbf5c1e","C:\Windows\system32\PROPSYS.dll"
"23","PROPSYS.dll","PSCreateMultiplexPropertyStore + 0x2f2","0x7fefbbf5b32","C:\Windows\system32\PROPSYS.dll"
"24","PROPSYS.dll","PSCreateDelayedMultiplexPropertyStore + 0x144d","0x7fefbc1a7e1","C:\Windows\system32\PROPSYS.dll"
"25","PROPSYS.dll","PSCreateDelayedMultiplexPropertyStore + 0x437","0x7fefbc197cb","C:\Windows\system32\PROPSYS.dll"
"26","PROPSYS.dll","PSFormatForDisplay + 0x552","0x7fefbc057e2","C:\Windows\system32\PROPSYS.dll"
"27","PROPSYS.dll","PSFormatForDisplay + 0x5a6","0x7fefbc05836","C:\Windows\system32\PROPSYS.dll"
"28","PROPSYS.dll","PSCreateMultiplexPropertyStore + 0xcea","0x7fefbbf652a","C:\Windows\system32\PROPSYS.dll"
"29","PROPSYS.dll","PSCreateMultiplexPropertyStore + 0xc2d","0x7fefbbf646d","C:\Windows\system32\PROPSYS.dll"
"30","PROPSYS.dll","Ordinal424 + 0x69","0x7fefbbf4cc9","C:\Windows\system32\PROPSYS.dll"
"31","PROPSYS.dll","PSCreateMultiplexPropertyStore + 0x3de","0x7fefbbf5c1e","C:\Windows\system32\PROPSYS.dll"
"32","PROPSYS.dll","PSCreateMultiplexPropertyStore + 0x2f2","0x7fefbbf5b32","C:\Windows\system32\PROPSYS.dll"
"33","PROPSYS.dll","Ordinal424 + 0x69","0x7fefbbf4cc9","C:\Windows\system32\PROPSYS.dll"
"34","PROPSYS.dll","DllGetClassObject + 0x851","0x7fefbbf4bb9","C:\Windows\system32\PROPSYS.dll"
"35","PROPSYS.dll","DllGetClassObject + 0x789","0x7fefbbf4af1","C:\Windows\system32\PROPSYS.dll"
"36","PROPSYS.dll","DllGetClassObject + 0x6f6","0x7fefbbf4a5e","C:\Windows\system32\PROPSYS.dll"
"37","SHELL32.dll","Ordinal893 + 0x109a5","0x7fefe282fdd","C:\Windows\system32\SHELL32.dll"
"38","SHELL32.dll","Ordinal893 + 0x10cdc","0x7fefe283314","C:\Windows\system32\SHELL32.dll"
"39","SHELL32.dll","Ordinal893 + 0x107ae","0x7fefe282de6","C:\Windows\system32\SHELL32.dll"
"40","SHELL32.dll","Ordinal893 + 0xfd3f","0x7fefe282377","C:\Windows\system32\SHELL32.dll"
"41","SHELL32.dll","Ordinal902 + 0x108c","0x7fefe18c54c","C:\Windows\system32\SHELL32.dll"
"42","SHELL32.dll","Ordinal767 + 0x63b","0x7fefe1befcb","C:\Windows\system32\SHELL32.dll"
"43","SHELL32.dll","SHGetPropertyStoreForWindow + 0x1616","0x7fefe1c2b56","C:\Windows\system32\SHELL32.dll"
"44","SHELL32.dll","SHGetPropertyStoreForWindow + 0x1772","0x7fefe1c2cb2","C:\Windows\system32\SHELL32.dll"
"45","SHLWAPI.dll","IUnknown_GetWindow + 0x68f","0x7fefde43843","C:\Windows\system32\SHLWAPI.dll"
"46","ntdll.dll","TpCallbackMayRunLong + 0x32b","0x777f15db","C:\Windows\SYSTEM32\ntdll.dll"
"47","ntdll.dll","RtlRealSuccessor + 0x136","0x777f0c56","C:\Windows\SYSTEM32\ntdll.dll"
"48","kernel32.dll","BaseThreadInitThunk + 0xd","0x776c59ed","C:\Windows\system32\kernel32.dll"
"49","ntdll.dll","RtlUserThreadStart + 0x21","0x777fc541","C:\Windows\SYSTEM32\ntdll.dll"
 

 

Malwarebytes does not find anything. Am I infected?

 

For some reason, when I try to create a log file with HijackThis it ends up with the message "can't find the file, do you want to create a new one?" It also has no internet connection available...

 

I will be using OTL.

 

-processes = none

-services = none

-modules = none

-drivers = none

-standard registry = use safelist

-extra registry = use safelist

 

purity check X

scan all users X

include 64bit scan X

standard output X

 

files created and modified within 90 days

 

Are these the right settings? I hope I can include the OTL log when someone asks for it; next to the attach button it says uploading is not allowed.

 

 

 

 

Seda


Edited by hamluis, 05 July 2014 - 10:21 AM.
Moved from Win 7 to Am I Infected - Hamluis.




#2 wpgwpg

wpgwpg

  • Members
  • 1,149 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US of A
  • Local time:05:24 PM

Posted 05 July 2014 - 08:59 AM

 For starters IE is known to be buggy.  I recommend Firefox and/or Chrome.  The program Minitoolbox has the ability to list the last 10 entries in the system error log so download it and run it with the following boxes checked:

 
List last 10 Event Viewer Errors
 
List Installed Programs
 
List Users, Partitions, and Memory size
 
List Minidump files
 
Copy the resulting log and paste into a reply here.

Everyone with a computer should back his system up to an external hard drive regularly.  :thumbsup:

#3 Seda145

Seda145
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:24 PM

Posted 05 July 2014 - 02:38 PM

It is Windows Explorer, not Internet Explorer, that produces the buffer overflows.

I am using other browsers than internet explorer.

How can I find out where the buffer overflows come from?

 

 



#4 wpgwpg

wpgwpg

  • Members
  • 1,149 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:US of A
  • Local time:05:24 PM

Posted 05 July 2014 - 02:44 PM

 You need to run Minitoolbox like I recommended above.


Everyone with a computer should back his system up to an external hard drive regularly.  :thumbsup:

#5 Seda145

Seda145
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:24 PM

Posted 05 July 2014 - 03:00 PM

MiniToolBox by Farbar  Version: 25-06-2014
Ran by Game (administrator) on 05-07-2014 at 21:57:46
Running from "C:\Users\Game\Downloads"
Microsoft Windows 7 Ultimate  Service Pack 1 (X64)
Boot Mode: Normal
***************************************************************************

========================= Event log errors: ===============================

Application errors:
==================
Error: (07/05/2014 08:24:45 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.

Error: (07/05/2014 08:00:49 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.

Error: (07/05/2014 08:00:42 AM) (Source: SideBySide) (User: )
Description: Activation context generation failed for "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest1".Error in manifest or policy file "C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest2" on line C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest3.
A component version required by the application conflicts with another component version already active.
Conflicting components are:.
Component 1: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifest.
Component 2: C:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifest.

Error: (07/05/2014 07:36:57 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (07/05/2014 07:19:19 AM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (07/05/2014 07:17:17 AM) (Source: C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe) (User: )
Description: C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exeCan't get user token [1008]

Error: (07/04/2014 05:39:50 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (07/04/2014 00:56:01 PM) (Source: WinMgmt) (User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (07/04/2014 11:20:15 AM) (Source: Windows Search Service) (User: )
Description: The index cannot be initialized.


Details:
    The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

Error: (07/04/2014 11:20:15 AM) (Source: Windows Search Service) (User: )
Description: The application cannot be initialized.

Context: Windows Application


Details:
    The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)


System errors:
=============
Error: (07/05/2014 10:27:01 AM) (Source: DCOM) (User: )
Description: {F87B28F1-DA9A-4F35-8EC0-800EFCF26B83}

Error: (07/05/2014 07:36:37 AM) (Source: Service Control Manager) (User: )
Description: The Spybot-S&D 2 Scanner Service service failed to start due to the following error:
%%1053

Error: (07/05/2014 07:36:37 AM) (Source: Service Control Manager) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Spybot-S&D 2 Scanner Service service to connect.

Error: (07/05/2014 07:19:05 AM) (Source: Service Control Manager) (User: )
Description: The Spybot-S&D 2 Scanner Service service failed to start due to the following error:
%%1053

Error: (07/05/2014 07:19:05 AM) (Source: Service Control Manager) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Spybot-S&D 2 Scanner Service service to connect.

Error: (07/04/2014 05:39:33 PM) (Source: Service Control Manager) (User: )
Description: The Spybot-S&D 2 Scanner Service service failed to start due to the following error:
%%1053

Error: (07/04/2014 05:39:32 PM) (Source: Service Control Manager) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Spybot-S&D 2 Scanner Service service to connect.

Error: (07/04/2014 03:12:16 PM) (Source: Service Control Manager) (User: )
Description: A timeout (30000 milliseconds) was reached while waiting for a transaction response from the Spooler service.

Error: (07/04/2014 00:55:46 PM) (Source: Service Control Manager) (User: )
Description: The Spybot-S&D 2 Scanner Service service failed to start due to the following error:
%%1053

Error: (07/04/2014 00:55:46 PM) (Source: Service Control Manager) (User: )
Description: A timeout was reached (30000 milliseconds) while waiting for the Spybot-S&D 2 Scanner Service service to connect.


Microsoft Office Sessions:
=========================
Error: (07/05/2014 08:24:45 AM) (Source: SideBySide)(User: )
Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifestC:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifestC:\Users\Game\Downloads\esetsmartinstaller_enu.exe

Error: (07/05/2014 08:00:49 AM) (Source: SideBySide)(User: )
Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifestC:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifestC:\Users\Game\Downloads\esetsmartinstaller_enu.exe

Error: (07/05/2014 08:00:42 AM) (Source: SideBySide)(User: )
Description: C:\Windows\WinSxS\manifests\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac.manifestC:\Windows\WinSxS\manifests\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2.manifestC:\Users\Game\Downloads\esetsmartinstaller_enu.exe

Error: (07/05/2014 07:36:57 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (07/05/2014 07:19:19 AM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (07/05/2014 07:17:17 AM) (Source: C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe)(User: )
Description: C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exeCan't get user token [1008]

Error: (07/04/2014 05:39:50 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (07/04/2014 00:56:01 PM) (Source: WinMgmt)(User: )
Description: //./root/CIMV2SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "Win32_Processor" AND TargetInstance.LoadPercentage > 990x80041003

Error: (07/04/2014 11:20:15 AM) (Source: Windows Search Service)(User: )
Description:
Details:
    The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)

Error: (07/04/2014 11:20:15 AM) (Source: Windows Search Service)(User: )
Description: Context: Windows Application


Details:
    The content index catalog is corrupt.  (HRESULT : 0xc0041801) (0xc0041801)



=========================== Installed Programs ============================
µTorrent (HKCU\...\uTorrent) (Version: 3.4.2.32126 - BitTorrent Inc.)
7-Zip 9.20 (x64 edition) (HKLM\...\{23170F69-40C1-2702-0920-000001000000}) (Version: 9.20.00.0 - Igor Pavlov)
ASIO4ALL (HKLM-x32\...\ASIO4ALL) (Version: 2.10 - Michael Tippach)
Audacity 2.0.5 (HKLM-x32\...\Audacity_is1) (Version: 2.0.5 - Audacity Team)
Blender (HKLM\...\Blender) (Version: 2.70a - Blender Foundation)
BOSS (HKLM-x32\...\BOSS) (Version: 2.1.1 - BOSS Development Team)
BOSS Userlist Manager (HKLM-x32\...\{F0AB569C-99EF-4F4D-992D-2206E354C903}) (Version: 6.7.2 - Surazal)
Broadcom NetLink Controller (HKLM\...\{C91DCB72-F5BB-410D-A91A-314F5D1B4284}) (Version: 15.0.7.1 - Broadcom Corporation)
CCleaner (HKLM\...\CCleaner) (Version: 4.14 - Piriform)
COMODO Antivirus (HKLM\...\{2736B6BD-31EC-4FC8-A48C-F0A5C914C0B6}) (Version: 7.0.55655.4142 - COMODO Security Solutions Inc.)
Comodo Dragon (HKLM-x32\...\Comodo Dragon) (Version: 33.1.0.0 - COMODO)
Comodo IceDragon (HKLM-x32\...\Comodo IceDragon) (Version: 26.0.0.2 - COMODO)
Dark Souls Prepare to Die Edition (HKLM-x32\...\GFWL_{4E4D0FA1-F880-4CCB-999A-501000008200}) (Version: 1.0.0000.130 - NAMCO BANDAI Games Europe S.A.S.)
Dark Souls Prepare to Die Edition (x32 Version: 1.0.0000.130 - NAMCO BANDAI Games Europe S.A.S.) Hidden
Dropbox (HKCU\...\Dropbox) (Version: 2.8.4 - Dropbox, Inc.)
Emsisoft Anti-Malware (HKLM-x32\...\{5502032C-88C1-4303-99FE-B5CBD7684CEA}_is1) (Version: 9.0 - Emsisoft GmbH)
ESET Online Scanner v3 (HKLM-x32\...\ESET Online Scanner) (Version:  - )
FL Studio 10 (HKLM-x32\...\FL Studio 10) (Version:  - Image-Line)
GeekBuddy (HKLM\...\{F495C8DC-107A-4B59-9DB3-0FDA27BAEDD3}) (Version: 4.13.109 - Comodo Security Solutions Inc)
HexEdit (HKLM-x32\...\{083EF76E-0760-4D7A-9508-0B88A3AF1889}) (Version: 4.0.0 - Expert Commercial Software Pty Ltd)
HiJackThis (HKLM-x32\...\{45A66726-69BC-466B-A7A4-12FCBA4883D7}) (Version: 1.0.0 - Trend Micro)
hott notes 4 (HKLM-x32\...\hott notes 4) (Version: 4.1 - Joel Riley)
IL Download Manager (HKLM-x32\...\IL Download Manager) (Version:  - Image-Line)
IL Juice Pack (HKLM-x32\...\IL Juice Pack) (Version:  - Image-Line)
IL Ogun (HKLM-x32\...\IL Ogun) (Version:  - Image-Line)
Intel® Control Center (HKLM-x32\...\{F8A9085D-4C7A-41a9-8A77-C8998A96C421}) (Version: 1.2.1.1007 - Intel Corporation)
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 8.0.2.1410 - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.10.3621 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM-x32\...\{3E29EE6C-963A-4aae-86C1-DC237C4A49FC}) (Version: 11.1.0.1006 - Intel Corporation)
Intel® Trusted Connect Service Client (HKLM\...\{09536BA1-E498-4CC3-B834-D884A67D7E34}) (Version: 1.23.605.1 - Intel Corporation)
Java 7 Update 60 (HKLM-x32\...\{26A24AE4-039D-4CA4-87B4-2F03217060FF}) (Version: 7.0.600 - Oracle)
Java Auto Updater (x32 Version: 2.1.60.19 - Oracle, Inc.) Hidden
Launch Manager (HKLM-x32\...\LManager) (Version: 5.1.13 - Acer Inc.)
LEGO Chess (HKLM-x32\...\LEGO Chess_is1) (Version:  - Focus Multimedia Ltd)
LEGO Racers (HKLM-x32\...\LEGO Racers) (Version:  - )
Malwarebytes Anti-Malware version 2.0.2.1012 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.0.2.1012 - Malwarebytes Corporation)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 (Version: 4.5.50938 - Microsoft Corporation) Hidden
Microsoft Games for Windows - LIVE Redistributable (HKLM-x32\...\{F2508213-9989-4E85-A078-72BE483917EF}) (Version: 3.5.88.0 - Microsoft Corporation)
Microsoft Games for Windows Marketplace (HKLM-x32\...\{4CB0307C-565E-4441-86BE-0DF2E4FB828C}) (Version: 3.5.50.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{837b34e3-7c30-493c-8f6a-2b0f04e2912c}) (Version: 8.0.59193 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.30319 (HKLM\...\{DA5E371C-6333-3D8A-93A4-6FD5B20BCC6E}) (Version: 10.0.30319 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (Version: 11.0.61030 - Microsoft Corporation) Hidden
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (Version: 11.0.61030 - Microsoft Corporation) Hidden
MISERY version 2.1.1 (HKLM-x32\...\MISERY_is1) (Version: 2.1.1 - MISERY Development Team)
MotioninJoy Gamepad tool 0.7.0000 (HKLM\...\{330DAC67-5B62-452A-A0E4-6B4A5923940F}_is1) (Version: 0.7.0000 - www.motioninjoy.com)
Nexus Mod Manager (HKLM\...\6af12c54-643b-4752-87d0-8335503010de_is1) (Version: 0.50.3 - Black Tree Gaming)
NVIDIA Control Panel 337.88 (Version: 337.88 - NVIDIA Corporation) Hidden
NVIDIA GeForce Experience 2.0.1 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.GFExperience) (Version: 2.0.1 - NVIDIA Corporation)
NVIDIA Graphics Driver 337.88 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.Driver) (Version: 337.88 - NVIDIA Corporation)
NVIDIA Install Application (Version: 2.1002.157.1165 - NVIDIA Corporation) Hidden
NVIDIA LED Visualizer 1.0 (Version: 1.0 - NVIDIA Corporation) Hidden
NVIDIA Network Service (Version: 1.0 - NVIDIA Corporation) Hidden
NVIDIA Optimus Update 12.4.67 (Version: 12.4.67 - NVIDIA Corporation) Hidden
NVIDIA PhysX (x32 Version: 9.13.1220 - NVIDIA Corporation) Hidden
NVIDIA PhysX System Software 9.13.1220 (HKLM\...\{B2FE1952-0186-46C3-BAEC-A80AA35AC5B8}_Display.PhysX) (Version: 9.13.1220 - NVIDIA Corporation)
NVIDIA ShadowPlay 12.4.67 (Version: 12.4.67 - NVIDIA Corporation) Hidden
NVIDIA Update 12.4.67 (Version: 12.4.67 - NVIDIA Corporation) Hidden
NVIDIA Update Core (Version: 12.4.67 - NVIDIA Corporation) Hidden
NVIDIA Virtual Audio 1.2.23 (Version: 1.2.23 - NVIDIA Corporation) Hidden
OpenOffice 4.1.0 (HKLM-x32\...\{C87EF11D-36E9-479D-9898-7541EA1E8A6A}) (Version: 4.10.9764 - Apache Software Foundation)
PoiZone (HKLM-x32\...\PoiZone) (Version:  - Image-Line)
PowerISO (HKLM-x32\...\PowerISO) (Version: 5.9 - Power Software Ltd)
PunkBuster Services (HKLM-x32\...\PunkBusterSvc) (Version: 0.987 - Even Balance, Inc.)
S.T.A.L.K.E.R. - Call of Pripyat [v1.6.02] (HKLM-x32\...\{406FB8A4-F539-48A9-809C-F94706F9C9F6}_is1) (Version: 1.6.02 - bitComposer Games)
Sakura (HKLM-x32\...\Sakura) (Version:  - Image-Line)
SHIELD Streaming (Version: 2.1.108 - NVIDIA Corporation) Hidden
SimSynth (HKLM-x32\...\SimSynth) (Version:  - Image-Line bvba)
Spybot - Search & Destroy (HKLM-x32\...\{B4092C6D-E886-4CB2-BA68-FE5A99D31DE7}_is1) (Version: 2.3.39 - Safer-Networking Ltd.)
SUPERAntiSpyware (HKLM\...\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}) (Version: 5.7.1026 - SUPERAntiSpyware.com)
Sytrus (HKLM-x32\...\Sytrus) (Version:  - Image-Line)
Toxic Biohazard (HKLM-x32\...\Toxic Biohazard) (Version:  - Image-Line bvba)
VLC media player 2.1.3 (HKLM-x32\...\VLC media player) (Version: 2.1.3 - VideoLAN)
Wolfenstein (x32 Version: 1.0 - Activision) Hidden
Wolfenstein™ 1.11 Patch  (x32 Version: 1.11 - Activision) Hidden
Wolfenstein™ 1.11 Patch (x32 Version:  - ) Hidden
Wolfenstein™ 1.2 Patch  (x32 Version: 1.2 - Activision) Hidden
Wolfenstein™ 1.2 Patch (x32 Version:  - ) Hidden

========================= Memory info: ===================================

Percentage of memory in use: 39%
Total physical RAM: 8010.36 MB
Available physical RAM: 4857.18 MB
Total Pagefile: 16018.89 MB
Available Pagefile: 12255.26 MB
Total Virtual: 4095.88 MB
Available Virtual: 3970.39 MB

========================= Partitions: =====================================

1 Drive c: () (Fixed) (Total:698.54 GB) (Free:487.2 GB) NTFS

========================= Users: ========================================

User accounts for \\GAME-PC

Administrator            Game                     Guest                    

========================= Minidump Files ==================================

No minidump file found


**** End of log ****
 



#6 dc3

dc3

    Bleeping Treehugger


  • Members
  • 30,714 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Sierra Foothills of Northern Ca.
  • Local time:02:24 PM

Posted 05 July 2014 - 03:28 PM

Go to the Search box and type in services; when this appears in the results, right click on it and choose Run as administrator.

 

When Services opens scroll down to System Event Notification Service and right click on it and then click on Properties.

 

Under Startup type select Manual.

 

Under Service status click on Start.

 

 

You need to reinstall your Nvidia drivers.

 

 
Before installing new NVIDIA drivers you must first uninstall the old drivers.  It is very important that the Graphics Driver be the last driver to be uninstalled.  If this is not done you will find yourself repeating the process.
 
Before uninstalling the drivers you should download the new drivers from the NVIDIA website.  As you can see in the image below there are two means of finding the correct drivers.  Option 1 is the manual method; Option 2 is an automated scan which will find the correct drivers.
 
nvidiadownload_zps19003119.png
 
Don't open the drivers until after all of the drivers have been uninstalled and the computer has been restarted.
 
In the Start menu click on Control Panel; when it opens, click on Programs and Features and wait until it is populated.
 
The programs are alphabetized, scroll down to the Ns where you will find the list of NVIDIA drivers similar to the one in the image below.
 
Nvidia_zps01e691da.png
 
Important: Users of older motherboards with an NVIDIA chipset may find a Chipset Driver listed; these are unrelated to the Display Drivers. If you uninstall NVIDIA Chipset drivers, your system could become non-functional and require an installation of the operating system.
 
Remove these drivers one at a time, leaving the Graphics Driver the last to be uninstalled.
 
Place the mouse pointer over the driver you want to uninstall, this will highlight the choice.  Right click on the driver, a window will open with the word Uninstall, click on this to uninstall the driver.  After the driver is removed from the list go on to the next one. 
 
Note:  If while uninstalling the NVIDIA drivers the system asks for a RESTART after uninstalling a driver and it won't let you proceed when choosing "restart later", then it's OK to go ahead and restart and pick up in the Control Panel under Programs and Features where you left off.
  
Now that you are left only with Graphics Driver, uninstall it.   
  
The system will ask for a RESTART, you should now do so.
 
Windows has a native graphics driver which will make it possible to continue with the installation of the new NVIDIA drivers.  You should install the new drivers now.

Family and loved ones will always be a priority in my daily life.  You never know when one will leave you.

 

 

 

 


#7 Seda145

Seda145
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:11:24 PM

Posted 05 July 2014 - 06:51 PM

Thanks!

 

The System Event Notification Service was started and set to Automatic; I changed it to Manual.

Tomorrow I will reinstall the NVIDIA drivers.

I still need information about buffer overflows and how they affect my system.

Why is explorer.exe acting so weird? Because of the drivers?

 

Seda



#8 technonymous

technonymous

  • Members
  • 2,516 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:02:24 PM

Posted 05 July 2014 - 09:10 PM

Hello, Seda145,

 

In your post #1 you can ignore those; they are normal. The Buffer Overflow comment is just stating that there is more info than it can output in the procmon query. In addition, the system errors need to be addressed. A browser crashing, a lot of times, is caused by addons and extensions. Disable them and see if the crashes continue.

 

Furthermore, having many programs installed can conflict and cause more problems than they are worth, especially if they are running in the background at the same time and using up memory resources. As you can see in some of the errors, that is already the case. In my humble opinion I would uninstall all but the Comodo, since it is already an extensive anti-virus suite that should give you plenty of protection. If you feel you absolutely need these, at least disable the ones running in the background constantly alongside the Comodo antivirus. A lot of those programs are known to break things and cause more problems. You have to take extreme caution with programs that change or delete things in the registry without having guidance or knowing exactly what you're doing. Always, before editing anything in the registry or changing system settings, create a backup of the registry and create a restore point. CCleaner does make backups of the registry; however, be aware that the damage could be so severe that the system wouldn't boot. Kind of hard to repair a system that doesn't boot. With no restore point, boot disk, or backup it's Game Over.

 

CCleaner

Comodo antivirus

Emsisoft Anti-Malware

ESET Online Scanner v3

HiJackThis

Malwarebytes Anti-Malware version 2.0.2.1012

Spybot - Search & Destroy

SUPERAntiSpyware.
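What technonymous describes is the NTSTATUS convention behind Process Monitor's "BUFFER OVERFLOW" result: the status code STATUS_BUFFER_OVERFLOW (0x80000005) is a warning, not a memory-corruption event. It tells a caller that its output buffer was smaller than the data available and how much it actually needs, and the normal idiom is to call again with a bigger buffer, which is why a trace of a busy Explorer shows the result many times. The following is an added example written for this thread, not code from the original post or from Microsoft: the status constants and the severity-bit macros are the real Windows definitions, while the query function is a constructed stand-in for a size-negotiating kernel API (it is not the implementation of NtQuerySecurityObject or any other call in the stack above) and the security descriptor string it returns is constructed sample data.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Portable re-creation of the NTSTATUS conventions. The constants match the
 * Windows SDK values; NTSTATUS is a signed 32-bit value whose top two bits
 * carry the severity (0 success, 1 informational, 2 warning, 3 error). */
typedef int32_t NTSTATUS;
typedef uint32_t ULONG;

#define STATUS_SUCCESS          ((NTSTATUS)0x00000000L)
#define STATUS_BUFFER_OVERFLOW  ((NTSTATUS)0x80000005L)  /* warning: output truncated */
#define STATUS_BUFFER_TOO_SMALL ((NTSTATUS)0xC0000023L)  /* error: nothing written   */

#define NT_SUCCESS(s) ((NTSTATUS)(s) >= 0)
#define NT_WARNING(s) ((((ULONG)(s)) >> 30) == 2)
#define NT_ERROR(s)   ((((ULONG)(s)) >> 30) == 3)

/* Constructed sample data: an SDDL-style security descriptor string. */
static const char SAMPLE_DESCRIPTOR[] = "O:BAG:SYD:(A;;FA;;;BA)(A;;FR;;;BU)";

/* Decode the severity bits into the word ProcMon-style tooling would show. */
const char *status_severity(NTSTATUS st)
{
    switch (((ULONG)st) >> 30) {
    case 0:  return "success";
    case 1:  return "informational";
    case 2:  return "warning";
    default: return "error";
    }
}

/* Hypothetical stand-in for a size-negotiating query API (not a Windows
 * function): copies as much as fits, always reports the full size needed,
 * and returns STATUS_BUFFER_OVERFLOW when the output had to be truncated. */
NTSTATUS query_object_info(char *buf, size_t buf_len, size_t *needed)
{
    size_t full = sizeof SAMPLE_DESCRIPTOR;    /* includes the terminating NUL */
    *needed = full;
    if (buf == NULL || buf_len == 0)
        return STATUS_BUFFER_TOO_SMALL;        /* nothing could be written */
    if (buf_len < full) {
        memcpy(buf, SAMPLE_DESCRIPTOR, buf_len - 1);
        buf[buf_len - 1] = '\0';
        return STATUS_BUFFER_OVERFLOW;         /* partial data: caller must retry */
    }
    memcpy(buf, SAMPLE_DESCRIPTOR, full);
    return STATUS_SUCCESS;
}

/* The caller-side idiom: try, read the reported size, reallocate, call again.
 * Returns how many truncated calls preceded success (each one would appear
 * as a BUFFER OVERFLOW line in a ProcMon trace), or -1 on a real failure. */
int fetch_with_retry(char **out)
{
    size_t len = 16;                 /* deliberately small first guess */
    char *buf = NULL;
    int retries = 0;
    for (;;) {
        size_t needed = 0;
        char *nb = realloc(buf, len);
        if (nb == NULL) { free(buf); return -1; }
        buf = nb;
        NTSTATUS st = query_object_info(buf, len, &needed);
        if (NT_SUCCESS(st)) { *out = buf; return retries; }   /* warning is NOT success */
        if (st != STATUS_BUFFER_OVERFLOW && st != STATUS_BUFFER_TOO_SMALL) { free(buf); return -1; }
        if (needed <= len) { free(buf); return -1; }          /* guard against a looping API */
        len = needed;
        retries++;
    }
}

/* Runs the negotiation once; returns 1 when exactly one truncated call was
 * followed by a successful call that produced the complete descriptor. */
int demo_roundtrip(void)
{
    char *p = NULL;
    int retries = fetch_with_retry(&p);
    int ok = (retries == 1) && p != NULL && strcmp(p, SAMPLE_DESCRIPTOR) == 0;
    free(p);
    return ok;
}

int main(void)
{
    char *desc = NULL;
    int retries = fetch_with_retry(&desc);
    printf("STATUS_BUFFER_OVERFLOW  severity: %s, NT_SUCCESS: %d\n",
           status_severity(STATUS_BUFFER_OVERFLOW), NT_SUCCESS(STATUS_BUFFER_OVERFLOW));
    printf("STATUS_BUFFER_TOO_SMALL severity: %s\n", status_severity(STATUS_BUFFER_TOO_SMALL));
    printf("descriptor after %d truncated call(s): %s\n", retries, desc ? desc : "(failed)");
    free(desc);
    return 0;
}
```

The point for a reader triaging a ProcMon trace is the severity bits: 0x80000005 decodes as a warning and the API has still reported the size it needs, so a well-behaved caller simply repeats the call, and nothing in the trace line itself indicates memory being overwritten. A genuine defect would show up as the caller ignoring the status and using the truncated buffer, which ProcMon cannot see, so the status column alone is not evidence of infection.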



#9 dc3

dc3

    Bleeping Treehugger


  • Members
  • 30,714 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Sierra Foothills of Northern Ca.
  • Local time:02:24 PM

Posted 06 July 2014 - 08:50 AM

Please download and install Speccy to provide us with information about your computer. When FileHippo opens, click on Download latest version in the upper right pane.

When Speccy opens you will see a screen similar to the one below.

[Speccy screenshot]

Click on File, which is outlined in red in the screen above, and then click on Publish Snapshot.

The following screen will appear; click on Yes.

[Speccy screenshot]

The following screen will appear; click on Copy to Clipboard.

[Speccy screenshot]

In your next post right click inside the Reply to Topic box, then click on Paste. This will load a link to the Speccy log.

Family and loved ones will always be a priority in my daily life.  You never know when one will leave you.

#10 Seda145

Posted 06 July 2014 - 06:42 PM

Thanks :D. To me buffer overflows are very interesting; I first thought they were exploits.

I think I must be paranoid or something. I tried many anti-malware/spyware/virus scanners and I keep searching for viruses even when Malwarebytes or Comodo does not find anything; it is a real problem.

I have repaired heavily infected systems, and security is one of my interests, but then when for example I look at my firewall and the connected IP addresses, the connections show locations all over the world like the Netherlands, the UK, Russia, America, Google, Microsoft, and then I feel really bad because I don't know why system processes should connect to these IPs when not needed.

That's normal activity when I play games in my browser or download an update in the browser, but when a process like svchost sends 25 MB to a random IP address and it gets whitelisted by my firewall I just feel bad...

That is also the reason why I use so many programs to monitor the system: Malwarebytes blocks websites in my browser, Emsisoft Anti-Malware filters many ad publishers, and Comodo offers very secure software indeed (the only problem is that many security (immunization or anti-exploit) programs would recognize Chrome but not Dragon). I should only use Comodo antivirus (and I think Malwarebytes, but only to run scheduled scans, not the realtime protection); these programs don't run well together, but without them I don't get the "safe" feeling. I am happy you are all helping me. I almost forgot: when I run Comodo firewall, should I turn off the Windows firewall? Can Windows firewall allow a connection I block with Comodo? I will post the Speccy log later; I was just reinstalling the Nvidia driver as you asked, but the process asks me to restart my computer first. I think you wanted to see the driver installed in Speccy ^^

Seda



#11 technonymous

Posted 07 July 2014 - 02:53 AM

Typically an antivirus suite that also includes its own firewall will disable Windows Firewall. Any settings or changes to ports should be done through Comodo. Comodo does have a malware cleaner called BOClean; I never tried it myself. Mainly the connections you speak of are Microsoft sending info back and forth and doing security updates. Same with many other programs installed, like Internet Explorer and the Firefox browser, Adobe Flash, Java, etc.; many of those will be connecting to home base to make sure the software is updated. If you run any servers on your network that could also give rise to unwanted probes.

#12 dc3

Posted 07 July 2014 - 09:45 AM

@technonymous

The Windows firewall has to be intentionally disabled; it is not automatically disabled when another firewall is installed. The only time that Windows does anything of this nature is in Windows 8, which comes with the new version of Windows Defender, which is an active antivirus. In Windows 8 Windows Defender will automatically be disabled when another antivirus is installed.


#13 technonymous

Posted 07 July 2014 - 05:02 PM

@technonymous

The Windows firewall has to be intentionally disabled; it is not automatically disabled when another firewall is installed. The only time that Windows does anything of this nature is in Windows 8, which comes with the new version of Windows Defender, which is an active antivirus. In Windows 8 Windows Defender will automatically be disabled when another antivirus is installed.

Not sure where you got that info from, DC3. I have Windows 7 Ultimate and, going to Control Panel > Firewall, it's disabled and says it is being managed by Norton. It was automagically done while installing Norton. Under Services, Windows Defender also says error. I assume Comodo does something similar.


Edited by technonymous, 07 July 2014 - 05:10 PM.


#14 dc3

Posted 08 July 2014 - 10:08 AM

It appears that in many cases, if a third-party firewall or an antivirus suite with a firewall is installed, the Windows firewall will be disabled, but not always.

I have Windows 8 installed; when I installed Avast Pro 2014 it did not disable the Windows firewall.

Quietman7 posted the following here.

Note: In many cases the 3rd-party firewall or an Internet Security Suite will automatically turn off Windows built-in firewall in order to manage things but that does not always work as intended.

Edited by dc3, 08 July 2014 - 10:11 AM.
