Buffer Overrun

[woodworks]

I am running IE 7.  Out of the blue it will come up with a box that says buffer overrun.  When I click on either the X or the OK box, it will  make my taskbar dissapear.  Usually the only way I have to make it come back is to reboot.  Also, IE will shut down when I click on either, but this doesn't happen all the time.  It is just hit & miss with that. 

[Broni]

Is only IE affected? Did you try Firefox? What Windows version?

[woodworks]

I don't have firefox and don't really want it.  I am running win XP Prof.
Other then the current problem, I am very happy with IE. 

I don't know if this is a virus or spyware or what.  I keep running spy sweeper and anti virus and am continually getting the same ones.  I keep deleting them, but they keep coming back.  That is why I don't know what is going on with IE.

Thanks for your response.  I hope you (or anyone) can help me figure this out.

[Broni]

First of all, I'm not forcing you to use Firefox. It's always a good idea to have two browsers, simply for cross reference. If things work fine in Firefox, then we know, it's something wrong with IE, and vice versa.

You may also...

Download HijackThis:
http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis/download
Click on Download HijackThis Installer
Post HijackTHis log.

[woodworks]

Sorry it took me so long to answer.  I am having to get on another computer.  I d/l firefox, but am unable to install it.  I did d/l and ran highjack this and it just made things worse.  After I did a scan it had so many things I couldn't even count them.  Plus afterwards it just frozzzze up and wouldn't do anything.  I had to uninstall it.  Now I'm lucky if I can even get it to do anything.

I have been continually running spy sweeper and AVG.  I have some kind of virus or something.  It is called malware and no matter what I do I can't get rid of it.  Spy sweeper doesn't find it.  AVG doesn't seem to find it.  It keeps finding other virus's and then every time I reboot or try to go to safe mode to run it again, it finds more.  I go back and reboot and it finds more. So I have no idea how it is getting on there.  Sometimes it's the same and sometimes it's different.  Spy sweeper says to sweep while in safe mode, but it doesn't do any good. 

One of the things is called  MalWarrior alert
One is  AntispywareMaster
The one that is the buffer overrun is called  Microsoft Visual C++  I went into add/remove programs and removed this one, but it still comes up. 
I had one that made my task manager disappear, but I got that fixed for now.
Another one is call Virtumond and this one keeps coming back.
Anothe one is called Rouge Security Products and it keeps coming back.

Any suggestions from anyone???  Other then dousing it with lighter fluid.  I've already thought of that. 

[Broni]

You're definitely infected...

Print these instructions out.

1. Download SUPERAntiSpyware Free for Home Users:
http://www.superantispyware.com/

    * Double-click SUPERAntiSpyware.exe and use the default settings for installation.
    * An icon will be created on your desktop. Double-click that icon to launch the program.
    * If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: http://www.superantispyware.com/definitions.html.)
    * Close SUPERAntiSpyware.

Restart computer in Safe Mode.
To enter Safe Mode, restart computer, and keep tapping F8 key, until menu appears; select Safe Mode; you'll see "Safe Mode" in all four corners of your screen

    * Open SUPERAntiSpyware.
    * Under "Configuration and Preferences", click the Preferences button.
    * Click the Scanning Control tab.
    * Under Scanner Options make sure the following are checked (leave all others unchecked):
          o Close browsers before scanning.
          o Scan for tracking cookies.
          o Terminate memory threats before quarantining.
    * Click the "Close" button to leave the control center screen.
    * Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
    * On the left, make sure you check C:\Fixed Drive.
    * On the right, under "Complete Scan", choose Perform Complete Scan.
    * Click "Next" to start the scan. Please be patient while it scans your computer.
    * After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
    * Make sure everything has a checkmark next to it and click "Next".
    * A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
    * If asked if you want to reboot, click "Yes".
    * To retrieve the removal information after reboot, launch SUPERAntispyware again.
          o Click Preferences, then click the Statistics/Logs tab.
          o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
          o If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
          o Please copy and paste the Scan Log results in your next reply.
    * Click Close to exit the program.
Post SUPERAntiSpyware log.

RESTART COMPUTER!

2. Download Malwarebytes' Anti-Malware: http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html to your desktop.

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform full scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad.
    * Post the log back here.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

RESTART COMPUTER!

3. Download HijackThis again. Rename hijackthis.exe to woodworks.exe, and double click on it.
Post HijackThis log.
DO NOT FIX ANYTHING.

[woodworks]

I'm trying to do what you said.  Right in the middle of printing, the power went out in the whole neighborhood.  I'm just now getting back on here.  I keep getting highjacked and redirected.  I'm lucky to even get here, IE keeps freezing up.  I have gotten the first d/l completed and am now going for the second one so I can get off  line and do the install. 

How do I post highjackthis log?

[Broni]

Run first application, before you download second one. It may remove some garbage, and your computer may be better.
Logs, you can either copy/paste, or attach.

[woodworks]

Update;

I can't get to this forum from infected computer.  I can get to the web site, but am not able to get into forum.  I have d/l superantispyware and it did it's thing and so far so good.  I found that I didn't uninstall highjack this.  I went into add/remove and tried to remove it when it was giving me a problem and it said that it could not be found and that just the name was in there and it asked me if I wanted to delete the name and I said yes. I did a search and came up with nothing.  I then displayed my icons on desktop and happened to see shortcut.  Clicked on that and up came highjackthis.  I have no idea what is going on with it.  I did a scan and I am going to try and post it as asked.

BTW, I d/l firefox and it will not go into forum either.  I can access all other places in web site, except forum.  I have done nothing with the malware you said to d/l as of yet.  To do a scan with these things, it takes just about 2 1/2 hrs each.  Again, since I am not able to access this forum from the infected computer, it is hard for me to get to another one to post anything.  Any suggestions as to why I can't get here from there??? As I said, I can get to the home page and all other sub pages, except forum.

Thank you for the help you are giving me.  I'm at least making headway.

[recovering space - attachment deleted by admin]

[woodworks]

Update;

I did the malwarebytes one and guess what?  I can get to this forum.  Both on IE & firefox. 

Now what would you like me to do?  Is that the end of it, or what?  I am curious about the highjackthis log.  I would like to know what you think about it.  Do I need to do anything concerning it?

This is the final scan I did with highjackthis.
BTW, how do I get it off my computer?  I can't go to add/remove and do it, it isn't in there.  It's not in my programs list and it doesn't show up on a search.

And once again, thank you for your help.

[recovering space - attachment deleted by admin]

[Broni]

I'm glad, things are little bit better.
I'd like to see, Superantispyware's, and Malwarebyte's logs, however.
Was the latest HJT run after the other two programs?

[woodworks]

Yes it was.
I'll try and find the logs.
Also, whenever I boot up, I have a box pop up that says

Error Loading
C:\WINDOWS\system32\dnqhxle.dll
The specified module could not be found.

What is this?  A better question is how do I get rid of it?


[recovering space - attachment deleted by admin]

[Broni]

Error Loading
C:\WINDOWS\system32\dnqhxle.dll
The specified module could not be found.

Don't worry about it. This is normal error during clen up.
Let me check your logs....

[Broni]

*** Is Windows firewall on?

*** Download HostsXpert (http://www.majorgeeks.com/Hoster_d4626.html) and then follow the below steps.

    * Unzip HostsXpert.zip
    * It will create a folder named HostsXpert in whatever folder you extract it to.
    * Run HostsXpert.exe by double clicking on it.
    * click the Make Writeable? button.
    * click Restore Microsoft's Hosts File and then click OK.
    * Click the X to exit the program

Restart computer. Post new HJT log.

[woodworks]

I don't believe firewall is on.  But I don't know how to tell and/or turn it on or off.

Next:  I d/l hostsexpert and did what you said.  Spy sweeper blocked it.  I allowed it but when it started it said it couldn't create the file.

Now what?

[Broni]

Post fresh HJT log, please.

[woodworks]

Here it is

[recovering space - attachment deleted by admin]

[Broni]

Open HJT, checkmark all O1 entries.
Click "Fix checked".
Restart computer. Post new log.

[woodworks]

Here's the log.

How do I get rid of the pop up that can't load the dll file or whatever it is?

[Broni]

I see no log. Don't worry about pop-ups. We're in the middle of cleaning process.

[woodworks]

I guess I forgot to send it.  Sorry.



[recovering space - attachment deleted by admin]

[Broni]

Restart in Safe Mode (keep tapping F8 key, when computer restarts, until menu appears), and run HostsXpert from there one more time.
Restart in Normal Mode, and post new HJT log.

[woodworks]

It says it can't create file and when I click ok, it exit's the program.

[Broni]

OK. Let's remove some other stuff, first, and we'll worry about it later. I'll post back in a moment.

[Broni]

Temporarily disable Spysweeper, and wait for my next instructions:

If you have Spy Sweeper version 4:

    * Open it, Click Options over on the left, then Program options
    * Uncheck load at windows startup.
    * Over to the left, Click shields and Uncheck all there.
    * Uncheck home page shield.
    * Uncheck automatically restore default without notification.
    * Reboot your machine for the changes to take effect before running HJT.

+++++++++++++++++++++++++++++

If you have SpySweeper version 5:

To disable SpySweeper Shields

    * Open SpySweeper.
    * Click Shield Settings on the right

(or Shields on the left, depending what screen you're on).

    * Click Internet Explorer and uncheck all items.
    * Click Windows System and uncheck all items.
    * Click Hosts File and uncheck all items.
    * Click Startup Programs and uncheck all items.
    * Close SpySweeper.

Reboot you computer, and ensure Spy Sweeper is disabled.

[woodworks]

I don't have just Interne Explorer.

Under Browser Shields I have
IE Cookies
IE Favorites
IE Security
Browser helped object
IE highjack
I am running 5
But I think I unchecked everything.  Going to reboot now.

[woodworks]

Ok, I believe it is shut down.

[Broni]

When you're done with Spysweeper...

*** Is Windows firewall on?

*** Go Start>Control Panel>Add\Remove, and uninstall Hotbar, and QdrPack

1. Print this post out, since you won't have an access to it, at some point.

2. Close all windows, except for HijackThis.

3. Put a checkmark next to the following HijackThis entries (some entries will be checkmarked to disable unnecessary startups; in those cases (marked with *), no actual program will be removed):

- O2 - BHO: WhgHelper Class - {00000000-0000-11D1-ABED-709549C10000} - C:\Program Files\WHG\Instant Help Application Update 1.2\IEHelper.dll
- *O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
- O4 - HKLM\..\Run: [HotbarOE] "C:\Program Files\Hotbar\bin\10.0.412.0\OEAddOn.exe"
- *O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
- *O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
- *O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
- O4 - HKLM\..\Run: [0e651c44] "rundll32.exe" "C:\WINDOWS\system32\dnqhlxle.dll",b
- O4 - HKLM\..\RunServices: [Microsoft Taskhide Driver] taskhide.exe
- *O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
- *O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] J:\CAMEFR~1\COMCAS~1\COMCAS~1\data\Xtras\mssysmgr.exe
- O4 - HKCU\..\Run: [QdrPack15] "C:\Program Files\QdrPack\QdrPack15.exe"
- *O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
- O4 - HKCU\..\RunServices: [Microsoft Taskhide Driver] taskhide.exe
- O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
- *O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
- O20 - Winlogon Notify: jkkHXNDV - jkkHXNDV.dll (file missing)

4. Click on Fix checked button.

5. Restart your computer in Safe Mode (keep tapping F8 key, when your computer starts, until menu appears)

6. Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files, and folders.

7. Delete following files/folders (if present):

- WHG, Hotbar, QdrPack folders from C:\Program Files
- dnqhlxle.dll file from C:\WINDOWS\system32
- search computer for taskhide.exe, and delete all instances

8. Restart in Normal Mode.

9. Post new HijackThis log.

[woodworks]

There is no Hotbar or QdrPack

[Broni]

if present

[woodworks]

Ok, I'm a bit confused.

I did what you said. When I rebooted this time, I didn't see superantispyware load up.

Second, I had only one folder WHG, but while doing a search for the others I did a search for that and it had several things, but I couldn't delete them while in safe mode.  Do I delete them?  All the others, there was nothing.

Here is the log.

[recovering space - attachment deleted by admin]

[Broni]

I didn't see superantispyware load up

It shouldn't. It's not real-time protection program, so, no need for it to start.

while doing a search for the others I did a search for that and it had several things, but I couldn't delete them while in safe mode.

I need to know EXACTLY, what items, which ones couldn't be deleted, and what happened when you tried.

You answer my questions while I'll be checking your HJT log, please.

[Broni]

You also didn't answer my question about Windows firewall...

[Broni]

Your HJT log looks much better, but I can't proceed before you answer my previous questions.

[woodworks]

You will need to tell me how to find out if firewall is on or off.  I don't know how.
The WHG are the ones that actually wouldn't open while in safe mode. I have it in add/remove programs.  I have it in start/all programs.  I clicked on them now and it comes up that it is missing shortcut.  

Always before super would load at start up.  

BTW do you still want spy sweeper shut down?

[woodworks]

I went and deleted the shortcuts that had to do with WHG

[Broni]

Always before super would load at start up.

As I said, we disabled in on purpose. It doesn't scan anything by itself. Leave it alone. You still have it on your computer, if you need to perform scan. It doesn't need to start with Windows.

The WHG are the ones that actually wouldn't open while in safe mode. I have it in add/remove programs.

You mean delete, right?
That's fine. It'll, go in next step.

You will need to tell me how to find out if firewall is on or off.

Go Start>Control Panel. Double click on the Security Center icon. Click on the Windows Firewall icon beneath the status updates. See, if it's listed as ON.

BTW do you still want spy sweeper shut down?

Yes. Do it again, and when you're back in Windows...

Open HJT, and checkmark:
- O2 - BHO: WhgHelper Class - {00000000-0000-11D1-ABED-709549C10000} - C:\Program Files\WHG\Instant Help Application Update 1.2\IEHelper.dll (file missing)
Click "Fix checked".
Restart in Safe Mode, and try to delete WHG folder from C:\Program Files again.

Restart in Normal Mode, let me know about Windows firewall, and post new HJT log.

[woodworks]

Firewall is OFF

[woodworks]

Ok, I was able to delete WHG in program files the first time.  I'm talking about the shortcuts.  I was wrong about not being able to delete them, I was unable to open them.  Sorry

[woodworks]

Log

[recovering space - attachment deleted by admin]

[Broni]

Firewall is OFF

Turn it on immediately!

I'm talking about the shortcuts.

In Add\Remove, and under Start? If so, don't worry about it, now.

I was unable to open them.

I didn't ask you to open anything.

If you restarted computer already, give me new HJT log.

[Broni]

Got it. I didn't see it.

[woodworks]

Firewall is on.

[Broni]

You've been doing very well
Now, disable Spysweeper again, and run HostsXpert again.
Let me know, if it refuses to replace the file again.

[woodworks]

Ok, first it has always been coming up with a box that says my host's file is marked as "a system file" and can NOT be manipulated.  Press ok to remove hidden and system file attributes, CANCLE to quit.
Hostexpert will not reset these attributes.

I click ok and then it comes up with it can't create file C\windows\system32\
DRIVERS\ETC\host

[Broni]

You have to take ownership of that file (hosts). See here: http://www.winxptutor.com/ownership.htm
Very important part:

For Microsoft Windows XP Professional, you need to disable Simple File Sharing, in order to see the Security tab. To disable simple file sharing, follow these steps: Click Start, and then click My Computer. On the Tools menu, click Folder Options, and then click the View tab. In the Advanced Settings section, clear the Use simple file sharing (Recommended) check box. Click OK.

When you're done, run HostsXpert again.

Ask, if you don't understand anything.

[woodworks]

Just checking;
Did you call it a night?  I don't blame you, I'm getting tired myself.

[woodworks]

Ok, did it and came up with same thing.

[Broni]

You took ownership of "hosts" file?

you must start the computer in safe mode
You must be logged on to the computer with an account that has administrative privileges.

Did you?

[Broni]

Don't worry about "night". Your computer is mostly clean except for this last issue.

[woodworks]

My mistake.  I thought it said I didn't have to be in safe mode if I had XP Pro.  I'll go do it now.

[Broni]

Oh, is Spysweeper still disabled?

[woodworks]

Yes it is

[Broni]

I thought it said I didn't have to be in safe mode if I had XP Pro

You're correct. My mistake. Sorry.

[woodworks]

Ok, so now what do we do if it's still doing the same thing?

[woodworks]

A while back I tried to make this computer so I could share with my other computer.  I have no idea what I did at that time, but maybe that is what is causing the problem now???

[Broni]

Try this.
Click Start Start button , click All Programs, click Accessories, right-click Notepad, and then click Run as administrator.
Go File>Open, and navigate to C:\Windows\System32\drivers\etc, and open hosts file.
Delete everything, except for:

# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost

...means everything below 127.0.0.1       localhost line.

When done, go File>Save.
If problems, let me know.
If not, restart computer, and post new HJT log.

[woodworks]

It keeps asking for a password I don't have a password.

[Broni]

Hmm...I assume, you're the Administrator?
Try to open Notepad in normal mode, then.

[woodworks]

I went in under my name.  I deleted, but when I went to save, it said it couldn't create the file.

[Broni]

Also, make sure, under right click>Properties, hosts file is NOT set to "read only".

[woodworks]

Yes I'm the administrator.

[woodworks]

Ok, when I tried to cancel out, it said text in folder has changed, do I want to save it? 

What do I do?

[Broni]

Save it, open it again, and see how it looks.

[Broni]

Are you in Safe, or Normal Mode?
Did you check Properties?

[woodworks]

I'm in normal mode
I didnot check property, I don't know where you want me to right click.
I checked and nothing is in there execpt the 127.0.0.1

[Broni]

So, it looks like this:

# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

127.0.0.1       localhost

[woodworks]

No

It has this

127.0.0.1      local host

And that's it, nothing else.

[Broni]

Perfect!
We did it:)

Restart computer, and give me final HJT log.

[woodworks]

Ok, here it is.

[recovering space - attachment deleted by admin]

[Broni]

I can't believe this.
The hosts file is back to where it was before.
It must have something to do with Spysweeper, because it's running again.
Uninstall Spysweeper totally.
Restart computer, and try to edit hosts file again.
I'll be up for another 15-20 minutes.

[Broni]

Also, right click hosts file, then Properties, and make sure, there is no checkmark next to "read only".

[woodworks]

I just looked and there is nothing in the host file.  You are talking about notepad, right?

I'm not comfortable with uninstalling spy sweeper.  I didn't have it shut down when I did the last HJT.  Maybe that had something to do with it.  

[Broni]

Wait, then.

[woodworks]

It is marked archive

[Broni]

Open HJT, checkmark all O1 entries, click "Fix checked".
When HJT is done, it'll rescan.
Do you still see O1 entries now?

[woodworks]

Ok
I did not restart between them.  In fact I didn't restart at all.  I hope I wasn't supposed to.

[recovering space - attachment deleted by admin]

[woodworks]

BTW, it didn't rescan, I had to rescan.  Does that make a difference?

[Broni]

WOW! We got it! Oh, man!

Your computer is clean!

Very last cleaning step. You can do it by yourself. I need to go to bed.

1. Download, and install CCleaner: http://www.ccleaner.com/download/builds. Get "Slim" version.
Read CCleaner instruction here: http://www.jahewi.nl/ccleaner/ccleaner.html.
Run CCleaner.

2. Turn off System Restore:

- Windows XP:
   1. Click Start.
   2. Right-click the My Computer icon, and then click Properties.
   3. Click the System Restore tab.
   4. Check "Turn off System Restore".
   5. Click Apply.   
   6.  When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
   7. Click OK.
- Windows Vista:
   1. Click Start.
   2. Right-click the Computer icon, and then click Properties.
   3. Click on System Protection under the Tasks column on the left side
   4. Click on Continue on the "User Account Control" window that pops up
   5. Under the System Protection tab, find Available Disks
   6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
   7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
   8. Click OK

3. Restart computer.

4. Turn System Restore on.

5. Let me know, how your computer is doing.

[woodworks]

Oh yea, the hard part's done so you take off and go to bed. 

Hey thank you very much. I too am going to bed, I'll finish this tomorrow.

[Broni]

Just do that last step as a very first thing, so no other crap sets in.
Good night