Buffer overflow attacks

Recently, while starting a game called Combat Arms, a buffer overflow was detected. In order to troubleshoot and diagnose these errors, I skipped or disabled D+ to get the game to open and play. Once in the game, I re-enabled D+.

During gameplay, nvcpl.dll/exe requests full access rights. Again, I allowed these, as nvcpl should be trusted and needs this access to play the game properly. Again, this was an attempt to log data and troubleshoot further.

I need some assistance finding the data produced by the blocking / allowing of these attacks. I believe Comodo might have this documentation, since it detected these things and offered to block them. It should document the errors and associated data. Or am I wrong?

I would like to try my best to gather all related data before removing the software and re-installing. Doing this might erase registry entries and files that hold the data I’m seeking to submit for further troubleshooting. The devs at Nexon might find this kind of data helpful in preventing future attacks and exploits of their software, and help me protect my system from these attacks in general.

If you’re using ■■■■■, get a clean one from gamecopyworld
If using original game, upload main exe file of the game to virustotal to see if it’s clean.
If it is, grant trusted or installer rights for that file.
But still, VERY UNUSUAL activity for a video game…

Combat Arms is a free game… no need for illegal cracking or tools… >:(

Dude, I ^%$^$ LOVE YOU!!!
No, wait…
I %^$^$&^ LOVE YOU!!!

Downloading this thing now, will try for myself… :-TU
Just make it installer/updater and you’re good to go! :-TU
If not, report back and we will try something else :slight_smile:
USA only… :cry:

There is a high chance that this executable contains a real buffer overflow; please ask the developers of the game to have a look at it.

Yes, Combat Arms is based in the US; only Mexico is banned, as well as a few other South American places, like Brazil. People used IPs from these locations to use exploits. So they generally banned them, until such point as it can be verified, tracked down, and neutralized.

Yes, this issue I am having is for real, and not a false positive. I have installed the software on PCs that can run it but not play it; both use Win7, without issues. So far… the buffer overflow warning does appear, so I would suggest not trying or playing this game right now. XD It is an awesome game and Nexon tries very hard to enforce a no-tolerance policy. But because of this, and their success so far, they have been targeted. This also suggests that at this point, uninstalling and reinstalling is not enough!

But I want to do more this time, as these attacks have damaged the targeted PC. A 1 GB DDR stick was infected or burned up; only one chip had pins that showed signs of an overvoltage, and it cannot be used again! I did not mess with anything outside of this thing’s range; I believe its manufacture date was Feb 09. Both slots work. Using my only good DDR 400 MHz 256 MB RAM stick to continue.

It continues to re-infect it. This makes this a serious risk to people’s PCs and should be stopped here at this point in time, if at all possible. Nexon has been contacted and encouraged to work with Comodo. xD

1 of 5 infections found so far:

totalram.dll

Found in atitool.exe, an overclocking tool I’ve had for about a month, previously known to be clean, from a trusted source.

All of Nexon’s software was infected by some unknown: Vindictus, Combat Arms, and HackShield. I’d also look into Pando Media Booster as well; this has also been known to spread over P2P networks and BitTorrent.

Comodo’s GeekBuddy and CIS became hijacked after a popup suggesting a website’s certificate was expired or not valid. After clicking View Certificate, it was a Comodo-labeled cert; it said it expired in 2013.

This happens during Windows startup. If not ignored, CIS will update; a reinstalled version found totalram and seems to be clean. And not clicking the popup seems to allow Comodo to work.

When I gain access again, I’ll include more info. Right now the monitor, a CRT from Dell, model E773c (the system is a Dim4400; I was using Windows XP SP3’s plug-and-play drivers, I believe), is not functioning. Likely a part of this attack. The PC itself works and boots into Windows. The PC appeared to freeze, and I reset it; then the monitor doesn’t even display its own menus or the “no source” popup. I think it’s part of the attacks, because the RAM exploits may also target other HW and associated memory.

Leaving the monitor unplugged and off for about 16+ hrs seemed to do the trick last time.

I did gain access for a little while yesterday. Comodo wasn’t loading right; its “buy” nag screen froze and didn’t load completely, and this seemed to stop Comodo from fully loading.

I grabbed Spyware Terminator and Spybot Search & Destroy, updated, and disconnected.

Spyware Terminator found over 36 infections, various backdoors and agent proggies.

I tried to remove them, but 3-4 could not be removed from the ATI drivers and various Windows components that were in use, so before I shut down I enabled all the ClamAV and realtime scanners in Spyware Terminator I could. SpyTerm actually acknowledged that Comodo was installed as my anti-v xD

I also noticed Corel Photoshop and Adobe photo editors were on my PC. I never downloaded these things. I didn’t notice this before I submitted crash reports to Microsoft =c. And there was no install/uninstall listed. Bluetooth software and C++ software was also installed, not by me. Bluetooth hardware exists on-board, but cannot be accessed by the user… silly Dell and their support features. Probably got exploited again.

I figured I’d go back later and remove it. I really needed to get this PC clean, and figure out where the stuff came from.

On next boot, Comodo ran and loaded… but I let things load. engine.exe, gm.exe, NM*.* tried to make firewall exceptions and run without user interaction, as well as several “Windows” files and registry entries; abnormal! All detected by Spyware Terminator with no duplicate warnings from Comodo. Either Comodo was modified prior, or it simply did not know to block these requests and remove its associated files or infections… I went with Spyware Terminator’s scanner, as it found things Comodo did not. guard32 was also found inside Comodo’s directory, the Windows directory, and the user’s temp folder. All of the users’ folders and temp folders.

That scan got to 14% and I had to work, so I stupidly left the PC running… AFK. When I got back it was frozen. I shut down.

This time it boots up and says there is unbootable media present on that partition. I removed all other devices and tried again. Same error. Safe mode doesn’t work. Ubuntu loads, but doesn’t display icons and the GUI blinks…

Hinting at an attempt to completely wipe the drive. Nuts, now I have to reformat… Comodo had just started removing viruses and trojans, agents and exploits… I hope by the time I get an OS on here I’ll be able to remove these viruses completely and keep my old data, or investigate more… While I could get Comodo to run, it found 15 infections and unknowns; I believe I submitted all of these, though I’m unsure, as many modifications were made to Comodo that I am unaware of.

Anyone want to donate an Ubuntu or Windows XP Pro CD?? I can’t find mine =c And I don’t think I have another PC to burn a DVD or USB… I’m attempting to use Win7 Starter on my notebook, but no dice yet. I don’t think Starter is able to make boot disks… :cry:

Things I changed before last boot: I removed the Dell Rage Pro GLX?? 16 MB 1-4x, since I could not remove what was being reinstalled on boot-up, and reconfigured the PCI cards, so now I can see what is going on in BIOS… Think this would cause an unbootable partition error? Like somehow there was a partition on that device Windows is looking for?

Tried for a few hours to make a bootable USB from Win7… made a DOS bootable with “James’ format tool”, which seemed to work once, but never actually loaded. I dunno, I’ll try it again tomorrow. I’ll need something to help recover any PC, in case this happens to any other PC I am asked to fix…

The downed PC has legacy USB support… fat chance getting that to work…

I dunno when I’m gonna get any cash for CDs/DVDs or a new Windows XP Pro =c

Microsoft doesn’t seem to want anyone making anything bootable?

Please offer any tips or advice?

Yo, bro, will this be useful to ya?
http://www.makeuseof.com/tag/the-ultimate-pc-repair-toolkit-in-your-pocket-ultimate-boot-cd-on-a-usb-stick/
:-TU

It would if makeboot or mkboot existed… it was removed from XP SP3 and Win 7 maybe a year and a half ago? Not sure why? Or Comodo allowed it to be removed by an undetected malware…

Ok, for partitioning tools, use the one on Linux, found here:

For troubleshooting Windows 7 startup
http://mscerts.programming4.us/windows/windows%207%20%20troubleshooting%20startup%20-%20recovering%20using%20the%20system%20recovery%20options.aspx

Every time I install a Linux distro, my PC gets hijacked by, I think, Microsoft… and they modify bootmgr/boot.ini and disable my PC. So I’ve stayed away from it for the time being, as I see no way to protect my systems from these attacks.

Recovery would just reinstall everything I have been removing… mkboot was never installed in Win7, and was removed and blocked from my now unbootable XP… but I may go ahead and restore, and then re-remove everything I know to be exploited… As stated before (I think), the XP machine was the first to go, and is completely unbootable; no safe mode, nothing. “Unbootable partition has been found.” Ubuntu boots but it’s all messed up… I don’t see an option to boot to a terminal or recovery console for Ubuntu either; normally I can. All CDs/DVDs have been lost or damaged… I’ll try to burn a DVD when I can, but none of us have any money right now… seriously and honestly, me, my family and friends are broke =c I might just give up and turn everything off and go to the library… try and search around for fixes and new protections…

Am I the only one who doesn’t have makeboot or mkboot?? Is there a trusted source other than Microsoft to obtain this? Or another utility? Even new installs haven’t had it…

Try these :wink: