Constantly getting BSOD: DRIVER_OVERRAN_STACK_BUFFER

By DirtyMetis
Mar 27, 2008
Topic Status:
Not open for further replies.
  1. Working on a friend's bogged down laptop, was going through the usual steps in the "preliminary removal instructions" and I got a BSOD while trying to do the online Trend Micro scan.

    Annoyed, I rebooted and loaded up in safe mode, noticed there was still one stubborn one loading even in safe mode (Virus Heat) so I jumped the gun a bit and ran SmitFraudFix to get rid of the little bugger. Everything seemed to go fine so I rebooted afterwards and started up the process again but sure enough, about 5 minutes into the scan again, BSOD struck. Reload into safe mode, same deal after anywhere from 2-5 minutes.

    Did a bit of researching and a bunch of sites indicate this might be a driver corruption issue, and suggest that I should systematically disable devices until I pinpoint which one is causing the problem and update the associated driver. This being a laptop, however, my options are somewhat limited as most of the devices in question are integral to the machine's operation, correct?

    I've attached a few of the dump files for review, I'm basically looking for any additional suggestions or some sort of indication of what the problem may specifically be. I'm currently scanning the system with F-PROT in DOS from a flash drive as that's the only thing I can get to run for any amount of time.

    Appreciate the time and feedback!

    Attached Files:

  2. Route44

    Route44 TechSpot Ambassador Posts: 12,113 +23

    If you read the error code DRIVER_OVERRAN_STACK in the minidump description it means that you have an infection from a hacker and the system is shut down so that said hacker does not gain complete control.
  3. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    HijackThis Instructions
    • Make sure you have the LATEST version of HJT (currently v2.0.0.2) it can be downloaded from HERE
    • Run the HijackThis Installer and it will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. Please don't change the directory.
    • After installing, the program launches automatically, select Scan now and save a log
    • After the scan is complete please attach your log onto the forums using the paper clip icon above your reply.



    Download and Install SDFix
    • Download SDFix and save it to your Desktop.
    • Double click SDFix.exe and it will extract the files to %systemdrive%
      (Drive that contains the Windows Directory, typically C:\SDFix)

    Run SDFix
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    • Attach Report.txt back here
  4. DirtyMetis

    DirtyMetis Newcomer, in training Topic Starter

    Here's the hijack log.

    Tried running the SDFix from Safe Mode, got about 25% through when I was greeted with the same suspect BSOD.

    Attached Files:

  5. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    Here is who is hacking you:
    UkrTeleGroup Ltd.
    Mechnikova 58/5
    65029 Odessa
    Ukraine
    phone: +380487311011
    fax-no: +380487502499
    person: Andrew Sotov
    address: Mechnikova 58/5 65029 Odessa

    You need to stay offline as much as possible except for while fixing.
    --------------------------------------------------------------------------------------------------
    disable SpySweeper:
    Open the program
    On the left, click: Options, then > Program Options
    Uncheck: Load at windows startup
    Again on the left click: Shields and uncheck all items there.
    Uncheck: Home Page Shield
    Uncheck: Automatically restore default without notification

    -------------------------------------------------------------------------------

    Download and Run FixWareout
    Please download FixWareout from one of these sites:
    http://downloads.subratam.org/Fixwareout.exe
    http://download.bleepingcomputer.com/lonny/Fixwareout.exe

    Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

    At the end of the fix, you may need to restart your computer again.

    Remove bad HijackThis entries
    • Run HijackThis
    • Click on the Scan button
    • Put a check beside all of the items listed below (if present):

      O17 - HKLM\System\CCS\Services\Tcpip\..\{66496A89-7BCE-4F08-923B-D615C3C6F170}: NameServer = 85.255.113.138,85.255.112.171
      O17 - HKLM\System\CCS\Services\Tcpip\..\{81081EDF-233D-4F80-B243-C08E3898552C}: NameServer = 85.255.113.138,85.255.112.171
      O17 - HKLM\System\CCS\Services\Tcpip\..\{F285963E-903A-48CC-A2A7-CF53E9FFE79F}: NameServer = 85.255.113.138,85.255.112.171
      O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.138 85.255.112.171
      O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.138 85.255.112.171
      O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.138 85.255.112.171

    • Close all open windows and browsers/email, etc...
    • Click on the "Fix Checked" button
    • When completed, close the application.
    Now let's check some settings on your system.
    (2000/XP) Only
    In the Windows Control Panel. If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections. Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically
    Press OK twice to get out of the properties screen and reboot if it asks.
    That option might not be available on some systems

    Finally, please post a fresh HijackThis log, along with the contents of the logfile C:\fixwareout\report.txt
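    The check behind the O17 fix in the post above, as an added example (this is not code from the thread or from HijackThis): any NameServer value written into the Tcpip registry keys that is not one of the resolvers the machine is supposed to use is a hijacked resolver and has to be cleared. The allowlist EXPECTED_RESOLVERS and the SAMPLE_LOG list are constructed for this example; SAMPLE_LOG reuses the six O17 lines quoted in the post and adds one non-O17 line and one benign entry with a made-up interface GUID.

```python
"""Flag rogue DNS servers in HijackThis O17 entries (added example).

Not code from the thread or from HijackThis. EXPECTED_RESOLVERS and
SAMPLE_LOG are constructed; the six rogue lines are the ones quoted in
the post, the last O17 line is a constructed benign entry.
"""
import ipaddress
import re

# Constructed allowlist. A DHCP-configured client normally has no static
# NameServer value at all, so an empty set is a sound default for a laptop.
EXPECTED_RESOLVERS = {"192.168.1.1"}

# "O17 - <registry key>: NameServer = <addr>[,| ]<addr>..."
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")

SAMPLE_LOG = [
    r"O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{66496A89-7BCE-4F08-923B-D615C3C6F170}: NameServer = 85.255.113.138,85.255.112.171",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{81081EDF-233D-4F80-B243-C08E3898552C}: NameServer = 85.255.113.138,85.255.112.171",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{F285963E-903A-48CC-A2A7-CF53E9FFE79F}: NameServer = 85.255.113.138,85.255.112.171",
    r"O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.138 85.255.112.171",
    r"O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.138 85.255.112.171",
    r"O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.138 85.255.112.171",
    # Constructed benign entry: the home router handing out DNS (GUID made up).
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{0A0A0A0A-0000-0000-0000-000000000001}: NameServer = 192.168.1.1",
]


def normalize_server(token):
    """Canonical string form of an address. A token that is not an IP
    (hostname, garbage) is kept verbatim so it is reported, not dropped."""
    try:
        return str(ipaddress.ip_address(token))
    except ValueError:
        return token


def parse_o17(line):
    """Return (registry_key, [server, ...]) for an O17 line, else None.
    HijackThis separates multiple servers with a comma on the per-interface
    keys and a space on the Parameters keys, so split on both."""
    m = O17_RE.match(line.strip())
    if not m:
        return None
    tokens = [t for t in re.split(r"[,\s]+", m.group("servers")) if t]
    return m.group("key"), [normalize_server(t) for t in tokens]


def find_rogue_dns(log_lines, allowed=None):
    """(registry_key, server) pairs whose server is not allowed.
    Each pair is one value the 'Fix Checked' step has to clear."""
    if allowed is None:
        allowed = EXPECTED_RESOLVERS
    findings = []
    for line in log_lines:
        parsed = parse_o17(line)
        if parsed is None:
            continue
        key, servers = parsed
        for server in servers:
            if server not in allowed:
                findings.append((key, server))
    return findings


def rogue_servers(log_lines, allowed=None):
    """Distinct rogue resolver addresses, sorted: the list to block egress to."""
    return sorted({server for _, server in find_rogue_dns(log_lines, allowed)})


if __name__ == "__main__":
    for key, server in find_rogue_dns(SAMPLE_LOG):
        print(f"rogue NameServer {server} in {key}")
    print("block outbound DNS to:", ", ".join(rogue_servers(SAMPLE_LOG)))
```

    Note that the same two addresses sit in CurrentControlSet and in ControlSet001/ControlSet002; clearing only the per-interface keys leaves the Parameters keys to reinstate the hijack on the next reboot, which is why every matched line has to be fixed together, and why the firewall block on those addresses belongs in place before the machine goes back online.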
  6. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    Sorry for the double post, but just in case I step out for a bit while you are fixing this.

    I don't see a firewall. After we disconnect the hackers from your machine they will still be trying to reconnect. So you need to get a firewall ASAP and block the above IP addresses when they try to connect.

    You aren't running Firewall Software. Please download and install one of these first!

    Use a Firewall - It is very important that you use a Firewall on your computer. If you use the Windows Firewall you might think that's enough but it only controls inbound traffic. Simply using a Firewall in its default configuration can lower your risk greatly. Here are some firewalls which are free for personal use and most commonly used:
    Comodo
    Kerio
    Online Armor
    Zonealarm
    -----------------------------------------------------------------------------------------------------

    Once your system stops crashing and you have a firewall installed:

    Please have a read here-> Is your system infected? Read this before Cleaning or Formatting

    If you decide to clean your system please follow these Viruses/Spyware/Malware, preliminary removal instructions and post back in this thread with the requested logs. There should be at least 3.

    1)AVG log
    2)Combofix log
    3)Hijackthis log (Step 15)

    This thread is for the use of DirtyMetis only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
  7. DirtyMetis

    DirtyMetis Newcomer, in training Topic Starter

    Thanks for the continued efforts Blind :)

    Ran FixWareout, log attached.
    New Hijack log attached as well, none of the items you listed were indicated on the scan, however.

    Was planning on installing a Firewall first thing, was just trying to wade my way through all the other various Anti-Virus, Anti-Malware, etc. to remove what unnecessary stuff I could.

    As an additional interesting note, there appears to be a 'hidden' installation of mIRC that loads when windows boots and masks itself in the taskbar. When closing, it immediately reloads itself. None of the usual traces of mIRC being installed on the system either, no normal processes of mIRC running, etc. Any ideas?

    Thanks again, appreciate all the help.
  8. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    Part of the wareout infection connects to a remote IRC server where it waits for commands to execute.

    Any more crashes?

    You should be good to start the preliminary removal instructions if not.

    http://www.techspot.com/vb/topic58138.html

    and can you also attempt SDFix again to see if you crash or can make it through

    * Open the extracted SDFix folder and double click RunThis.bat to start the script.
    * Type Y to begin the cleanup process.
    * It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    * Press any Key and it will restart the PC.
    * When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    * Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    * Attach Report.txt back here
  9. DirtyMetis

    DirtyMetis Newcomer, in training Topic Starter

    *UPDATE*

    Tracked down the mIRC installation, it was in C:/Windows/temp/spoolsv and was also masked as the same process, spoolsv.exe

    Although I tried uninstalling it through the traditional methods, it continues to show up when I reboot windows, though it is no longer hiding itself in the taskbar.
  10. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    Indeed that is it. spoolsv.exe is a process registered as a backdoor vulnerability which may be installed for malicious purposes by an attacker allowing access to your computer from remote locations, stealing passwords, Internet banking and personal data. If unaccounted for, this process should be removed immediately.

    spoolsv.exe is ok if it is in the system32 folder, but anywhere else it is a part of an infection

    You can't simply delete the file, as it is embedded in the registry.

    After you follow the preliminary removal instructions we will see what is still on there.
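    The "right name, wrong directory" test from the two posts above, as an added example that is not code from the thread or from HijackThis: a HijackThis log opens with a "Running processes:" list of full image paths, and any process whose file name is a well-known system binary but whose directory is not where that binary lives is worth pulling apart. The EXPECTED_DIR table and the SAMPLE_PROCESSES list are constructed for this example; the rogue spoolsv entry mirrors the path the poster found, and the lsass entry is made up.

```python
"""Spot a system binary's name running from the wrong directory
(added example, not from the thread).

EXPECTED_DIR and SAMPLE_PROCESSES are constructed. Paths are compared in
Windows form but the code runs on any host, so it can be used on a log
pulled off the infected machine.
"""
import ntpath

SYSTEM32 = r"C:\WINDOWS\system32"

# Constructed table of binaries that should only ever run from system32.
EXPECTED_DIR = {
    name: SYSTEM32 for name in ("spoolsv.exe", "svchost.exe", "lsass.exe", "csrss.exe")
}

SAMPLE_PROCESSES = [
    r"C:\WINDOWS\System32\smss.exe",
    r"C:\WINDOWS\system32\spoolsv.exe",        # the real print spooler
    r"C:/Windows/temp/spoolsv/spoolsv.exe",    # the copy the poster found
    r"C:\WINDOWS\System32\svchost.exe",
    r"C:\WINDOWS\lsass.exe",                   # constructed: one directory too high
    r"C:\Program Files\TrendMicro\HijackThis\HijackThis.exe",
]


def normalize(path):
    """Canonical Windows form on any host OS: backslashes only, '..' and
    duplicate separators resolved, lower-case (NTFS is case-insensitive)."""
    return ntpath.normpath(path).lower()


def check_process_path(path):
    """None if the path is fine; otherwise a one-line reason."""
    norm = normalize(path)
    name = ntpath.basename(norm)
    if name not in EXPECTED_DIR:
        return None                     # no expectation for this file name
    expected = normalize(EXPECTED_DIR[name])
    actual = ntpath.dirname(norm)
    if actual == expected:
        return None
    return f"{name} running from {actual}, expected {expected}"


def find_masquerades(process_paths):
    """(path, reason) for every path that fails check_process_path."""
    findings = []
    for path in process_paths:
        reason = check_process_path(path)
        if reason is not None:
            findings.append((path, reason))
    return findings


if __name__ == "__main__":
    for path, reason in find_masquerades(SAMPLE_PROCESSES):
        print(f"{path}: {reason}")
```

    The directory check only catches a copy dropped somewhere else, which is the case in this thread. It says nothing about a file that has replaced the real binary inside system32; for that, a verified Authenticode signature or a known-good hash is the stronger test, and a second copy that reappears after deletion points at a persistence entry (Run key, service, scheduled task) that still needs to be found.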
  11. DirtyMetis

    DirtyMetis Newcomer, in training Topic Starter

    No more crashes thus far! *cheer*

    Made it through a full run of SDFix, log attached

    Starting up with the preliminary removal instructions, will report back when I get through that.
     
  12. Blind Dragon

    Blind Dragon TechSpot Evangelist Posts: 4,048

    Looks like that caught another one.

    Will wait for the rest of the logs