Constantly getting BSOD: DRIVER_OVERRAN_STACK_BUFFER

Status
Not open for further replies.

DirtyMetis

Posts: 13   +0
Working on a friend's bogged-down laptop, I was going through the usual steps in the "preliminary removal instructions" and got a BSOD while trying to do the online Trend Micro scan.

Annoyed, I rebooted and loaded up in safe mode, noticed there was still one stubborn one loading even in safe mode (Virus Heat) so I jumped the gun a bit and ran SmitFraudFix to get rid of the little bugger. Everything seemed to go fine so I rebooted afterwards and started up the process again but sure enough, about 5 minutes into the scan again, BSOD struck. Reload into safe mode, same deal after anywhere from 2-5 minutes.

Did a bit of research, and a bunch of sites indicate this might be a driver corruption issue; they suggest that I should systematically disable devices until I pinpoint which one is causing the problem and update the associated driver. This being a laptop, however, my options are somewhat limited, as most of the devices in question are integral to the machine's operation, correct?

I've attached a few of the dump files for review; I'm basically looking for any additional suggestions or some sort of indication of what the problem may specifically be. I'm currently scanning the system with F-PROT in DOS from a flash drive, as that's the only thing I can get to run for any amount of time.

Appreciate the time and feedback!
 

Attachments

  • Mini032308-01.dmp
    92 KB · Views: 8
If you read the error code DRIVER_OVERRAN_STACK in the minidump description it means that you have an infection from a hacker and the system is shut down so that said hacker does not gain complete control.
 
HijackThis Instructions
  • Make sure you have the LATEST version of HJT (currently v2.0.0.2); it can be downloaded from HERE
  • Run the HijackThis Installer and it will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. Please don't change the directory.
  • After installing, the program launches automatically, select Scan now and save a log
  • After the scan is complete please attach your log onto the forums using the paper clip icon above your reply.

Download and Install SDFix
  • Download SDFix and save it to your Desktop.
  • Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

Run SDFix
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  • Attach Report.txt back here
 
Here's the hijack log.

Tried running the SDFix from Safe Mode, got about 25% through when I was greeted with the same suspect BSOD.
 

Attachments

  • hijackthis.log
    9.3 KB · Views: 15
Here is who is hacking you:
UkrTeleGroup Ltd.
Mechnikova 58/5
65029 Odessa
Ukraine
phone: +380487311011
fax-no: +380487502499
person: Andrew Sotov
address: Mechnikova 58/5 65029 Odessa

You need to stay offline as much as possible except for while fixing.
--------------------------------------------------------------------------------------------------
disable SpySweeper:
Open the program
On the left, click: Options, then > Program Options
Uncheck: Load at windows startup
Again on the left click: Shields and uncheck all items there.
Uncheck: Home Page Shield
Uncheck: Automatically restore default without notification

-------------------------------------------------------------------------------

Download and Run FixWareout
Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://download.bleepingcomputer.com/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

At the end of the fix, you may need to restart your computer again.

Remove bad HijackThis entries
  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    O17 - HKLM\System\CCS\Services\Tcpip\..\{66496A89-7BCE-4F08-923B-D615C3C6F170}: NameServer = 85.255.113.138,85.255.112.171
    O17 - HKLM\System\CCS\Services\Tcpip\..\{81081EDF-233D-4F80-B243-C08E3898552C}: NameServer = 85.255.113.138,85.255.112.171
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F285963E-903A-48CC-A2A7-CF53E9FFE79F}: NameServer = 85.255.113.138,85.255.112.171
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.138 85.255.112.171
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.138 85.255.112.171
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.138 85.255.112.171

  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.
Now let's check some settings on your system.
(2000/XP) Only
In the Windows Control Panel, if you are using Windows XP's Category View, select the Network and Internet Connections category; otherwise double-click on Network Connections. Then right-click on your default connection (usually Local Area Connection for cable and DSL) and left-click on Properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically.
Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be available on some systems.

Finally, please post a fresh HijackThis log, along with the contents of the logfile C:\fixwareout\report.txt
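The O17 NameServer lines quoted above are what a DNS-changer leaves in a HijackThis log. As an added example (not code from the thread, from HijackThis or from FixWareout), the following Python parses O17 lines and flags resolvers that fall outside an assumed trusted network; the sample log and the 192.168.0.0/16 allowlist are constructed assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample in HijackThis log format (not the poster's real log). The two
# NameServer values are the ones quoted in the thread; the 192.168.1.1 entry and the
# O4 line are made up to show a benign entry and a non-O17 line being skipped.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{66496A89-7BCE-4F08-923B-D615C3C6F170}: NameServer = 85.255.113.138,85.255.112.171
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.138 85.255.112.171
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-1111-2222-3333-444444444444}: NameServer = 192.168.1.1
O4 - HKLM\..\Run: [spoolsv] C:\WINDOWS\temp\spoolsv\spoolsv.exe
"""

O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>.+)$")


def parse_o17(log_text):
    """Return [(registry_key, [server, ...]), ...] for every O17 NameServer line.
    HijackThis separates multiple resolvers with a comma or a space, so split on both."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            servers = [s for s in re.split(r"[,\s]+", m.group("servers")) if s]
            entries.append((m.group("key"), servers))
    return entries


def flag_hijacked(entries, trusted_nets):
    """Return the entries whose resolvers fall outside the trusted networks.
    A value that is not a valid IP address at all is also reported."""
    nets = [ip_network(n) for n in trusted_nets]
    flagged = []
    for key, servers in entries:
        bad = []
        for s in servers:
            try:
                addr = ip_address(s)
            except ValueError:
                bad.append(s)
                continue
            if not any(addr in net for net in nets):
                bad.append(s)
        if bad:
            flagged.append((key, bad))
    return flagged


if __name__ == "__main__":
    # Assumed: the LAN router in 192.168.0.0/16 is the only resolver this laptop should use.
    for key, bad in flag_hijacked(parse_o17(SAMPLE_LOG), ["192.168.0.0/16"]):
        print("suspect resolver(s)", bad, "in", key)
```

Run against a real log, any key reported here is one to fix in HijackThis and then re-check after the reboot, since the thread notes the entries can be re-created.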
 
Sorry for the double post, but just in case I step out for a bit while you are fixing this.

I don't see a firewall. After we disconnect the hackers from your machine they will still be trying to reconnect. So you need to get a firewall ASAP and block the above IP addresses when they try to connect.

You aren't running Firewall Software. Please download and install one of these first!

Use a Firewall - It is very important that you use a Firewall on your computer. If you use the Windows Firewall you might think that's enough but it only controls inbound traffic. Simply using a Firewall in its default configuration can lower your risk greatly. Here are some firewalls which are free for personal use and most commonly used:
Comodo
Kerio
Online Armor
Zonealarm
-----------------------------------------------------------------------------------------------------

Once your system stops crashing and you have a firewall installed:

Please have a read here-> Is your system infected? Read this before Cleaning or Formatting

If you decide to clean your system please follow these Viruses/Spyware/Malware, preliminary removal instructions and post back in this thread with the requested logs. There should be at least 3.

1) AVG log
2) Combofix log
3) HijackThis log (Step 15)

This thread is for the use of DirtyMetis only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Thanks for the continued efforts Blind :)

Ran FixWareout, log attached.
New HijackThis log attached as well; none of the items you listed were indicated on the scan, however.

Was planning on installing a firewall first thing; I was just trying to wade my way through all the other various anti-virus, anti-malware, etc. to remove what unnecessary stuff I could.

As an additional interesting note, there appears to be a 'hidden' installation of mIRC that loads when Windows boots and masks itself in the taskbar. When closing it, it immediately reloads itself. There are none of the usual traces of mIRC being installed on the system either: no normal mIRC processes running, etc. Any ideas?

Thanks again, appreciate all the help.
 
Part of the Wareout infection connects to a remote IRC server, where it waits for commands to execute.

Any more crashes?

You should be good to start the preliminary removal instructions if not.

https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/

And can you also attempt SDFix again to see if you crash or can make it through:

* Open the extracted SDFix folder and double click RunThis.bat to start the script.
* Type Y to begin the cleanup process.
* It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
* Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
* Attach Report.txt back here
 
*UPDATE*

Tracked down the mIRC installation; it was in C:/Windows/temp/spoolsv and was also masked as the same process, spoolsv.exe.

Although I tried uninstalling it through the traditional methods, it continues to show up when I reboot Windows, though it is no longer hiding itself in the taskbar.
 
Indeed that is it. spoolsv.exe is a process registered as a backdoor vulnerability which may be installed for malicious purposes by an attacker allowing access to your computer from remote locations, stealing passwords, Internet banking and personal data. If unaccounted for, this process should be removed immediately.

spoolsv.exe is OK if it is in the system32 folder, but anywhere else it is part of an infection.

You can't simply delete the file, as it is embedded in the registry.

After you follow the preliminary removal instructions we will see what is still on there.
 
No more crashes thus far! *cheer*

Made it through a full run of SDFix, log attached

Starting up with the preliminary removal instructions, will report back when I get through that.
 