27 Replies. Latest reply on Dec 14, 2009 12:26 AM by orth04

    Virus Scan Alert! BO

      Our users are getting a buffer overflow pop-up. We got this from the buffer overflow log file on the infected machines, but there are no more clues about it. How can we find details regarding the buffer overflow incident and where the infection came from?

      12/3/2008 12:53:09 PM Blocked by Buffer Overflow Protection NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe:KERNEL32.LoadLibraryA BO:Writable BO:Stack
      12/3/2008 12:59:57 PM Blocked by Buffer Overflow Protection NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe:KERNEL32.LoadLibraryA BO:Writable BO:Stack
      12/3/2008 1:06:07 PM Blocked by Buffer Overflow Protection NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe:KERNEL32.LoadLibraryA BO:Writable BO:Stack
      12/3/2008 1:10:31 PM Blocked by Buffer Overflow Protection NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe:KERNEL32.LoadLibraryA BO:Writable BO:Stack
      12/3/2008 1:21:30 PM Blocked by Buffer Overflow Protection NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe:KERNEL32.LoadLibraryA BO:Writable BO:Stack
      12/3/2008 1:27:20 PM Blocked by Buffer Overflow Protection NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe:KERNEL32.LoadLibraryA BO:Writable BO:Stack
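
One way to triage the log excerpt above, as an added example that is not part of the original post or of any McAfee tool: parse each "Blocked by Buffer Overflow Protection" line into timestamp, account, process, API and BO flags, then group the repeats and measure the gaps between them. The line layout is inferred from the six lines quoted above, and month/day/year date order is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# The six log lines quoted in the post above.
SAMPLE_LOG = r"""
12/3/2008 12:53:09 PM Blocked by Buffer Overflow Protection NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe:KERNEL32.LoadLibraryA BO:Writable BO:Stack
12/3/2008 12:59:57 PM Blocked by Buffer Overflow Protection NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe:KERNEL32.LoadLibraryA BO:Writable BO:Stack
12/3/2008 1:06:07 PM Blocked by Buffer Overflow Protection NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe:KERNEL32.LoadLibraryA BO:Writable BO:Stack
12/3/2008 1:10:31 PM Blocked by Buffer Overflow Protection NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe:KERNEL32.LoadLibraryA BO:Writable BO:Stack
12/3/2008 1:21:30 PM Blocked by Buffer Overflow Protection NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe:KERNEL32.LoadLibraryA BO:Writable BO:Stack
12/3/2008 1:27:20 PM Blocked by Buffer Overflow Protection NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe:KERNEL32.LoadLibraryA BO:Writable BO:Stack
"""

# Layout inferred from those lines: time, account, process:API, BO flags.
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"Blocked by Buffer Overflow Protection\s+"
    r"(?P<user>.+?)\s+(?P<process>[A-Za-z]:\\.+?\.exe):(?P<api>\S+)\s+"
    r"(?P<flags>BO:\S+(?:\s+BO:\S+)*)\s*$", re.IGNORECASE)

def parse_bo_line(line):
    """Return one event as a dict, or None if the line is not a BO block entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        # Assumption: dates are month/day/year.
        "time": datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p"),
        "user": m["user"],
        "process": m["process"].lower(),  # Windows paths are case-insensitive
        "api": m["api"],
        "flags": tuple(m["flags"].split()),
    }

def summarize(log_text):
    """Group events by (user, process, api, flags); report count and timing."""
    groups = defaultdict(list)
    for ev in filter(None, map(parse_bo_line, log_text.splitlines())):
        groups[(ev["user"], ev["process"], ev["api"], ev["flags"])].append(ev["time"])
    report = []
    for (user, process, api, flags), times in groups.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report.append({"user": user, "process": process, "api": api, "flags": flags,
                       "count": len(times), "first": times[0], "last": times[-1],
                       "median_gap_s": median(gaps) if gaps else None})
    return sorted(report, key=lambda r: -r["count"])
```

`summarize(SAMPLE_LOG)` returns a single group: six blocks of the same svchost.exe / LoadLibraryA call under the SYSTEM account within about 34 minutes, with a median gap of 370 seconds. Run over logs collected from several machines, the same grouping shows whether they all report the same process and API.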
        • 1. RE: Virus Scan Alert! BO


          Which version of VirusScan Enterprise and which patch-level?

          reg, Henno.
          • 2. RE: Virus Scan Alert! BO
            It looks like an infection.. Just a thought.. In addition to giving us the information requested by Henno, please try visiting one of the problem machines and using the free Malwarebytes and SuperAntispyware tools and the instructions below. If there is an infection, you'll be able to identify and remove the problem. Clearly, McAfee isn't removing the bug..:

            Please download Malwarebytes' Anti-Malware from the link below:

            http://www.majorgeeks.com/Malwarebyt...are_d5756.html

            Double Click mbam-setup.exe to install the application. (If the file won't run correctly, try renaming it to something else, like "gogetup.exe", then double click it to install it. Some variants of malware will prevent the "mbam-setup.exe" file from running.)

            * Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
            * If an update is found, it will download and install the latest version.
            * Once the program has loaded, select "Perform Full System Scan", then click Scan.
            * The scan may take some time to finish, so please be patient.
            * When the scan is complete, click OK, then Show Results to view the results.
            * Make sure that everything is checked, and click Remove Selected.
            * When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
            * The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

            Extra Note:
            If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
            _____________________

            If you can't download or install the program from the infected machine, then please use a separate "clean" computer and download the Malwarebytes tool and its manual update from the link below.. Once downloaded, rename the program installer "mbam-setup.exe" file to something else like "Gogetum.exe", then copy the installer file and the update file to a CD or flash drive.. Transfer the file to the problem machine, then install the "Gogetum.exe" file, then run the update to get the program current.. After that, run a full system scan and delete anything it finds.

            Malwarebytes Download Link (Clicking on the links below will immediately start the download dialogue window.)
            http://www.besttechie.net/tools/mbam-setup.exe

            Malwarebytes Manual Updater link
            http://www.malwarebytes.org/mbam/dat...mbam-rules.exe

            If the program installs correctly but then won't run, please access the "C:\Program Files\Malwarebytes Antimalware" folder and rename the "mbam.exe" file to something else.. Make sure it has a .exe file extension and then double click on the newly named file. Malwarebytes should run correctly now..
            ___________________

            After running the scan with Malwarebytes, then download, install, update, then run a full system scan with a second tool below:

            As before, attempt to download and install on your current computer but if it's unable to do so, you'll need to download the program on a different "clean" computer, then transfer it to your machine.. After it's installed on the problem machine, update it, then restart the computer into "Safe Mode" and run a full system scan and delete all it finds. While you're in Safe Mode, then run a second scan with Malwarebytes. (As before, it may be necessary to rename the installer and program files to get the program installed and running.)

            SUPERAntispyware Removal Tool

            After doing so, restart into "normal" windows and run another scan with both tools.. It frequently takes multiple scans till the scan comes up clean.

            Hope this helps.

            Grif
            • 3. Buffer Overflow Problem
              My computer has just recently had the analytic checks google virus. I seem to have gotten rid of it, but now every time I log on I get a message from McAfee that a buffer overflow was detected and blocked on my computer. The process was C:\WINDOWS\System32\svchost.exe. I have the SUPERAntiSpyware system, Spybot - S&D, Malwarebytes' Anti-Malware, and of course McAfee. They have all found a trojan, all having tdss in the name. When I log on I get the buffer overflow message and all I see is the desktop background (no toolbar or icons). The only way I get it to work is to open Task Manager and run a new task such as Firefox or Windows Explorer. The overflows are annoying and I do not know how to get rid of them or if my computer is still infected with something. Any help?
              • 4. Any Joy?
                We have just started experiencing this exact problem on a number of PCs at one of our sites. Scans do not pick up anything and I cannot find any useful information regarding this. I have logged a service request with McAfee but they have not gotten back yet!! 4 days!!

                I was just wondering if you have found out what is causing this buffer overflow problem?

                Cheers,

                Iain
                • 5. RE: Any Joy?
                  Pear4You,

                  In your case, because you keep finding the trojan, your machine is still infected and the Buffer Overflow message is exactly correct. It sounds like you've got "Brastk.exe". You might want to check manually by following the steps in the link below:

                  http://community.mcafee.com/showpost.php?p=538659&postcount=12

                  So, please update SuperAntispyware and Malwarebytes to the most current versions, then restart the computer into Safe Mode and run full system scans with both tools.. Run repeated scans till nothing is detected.. If there is a final "tdss" file which can't be removed by any of the tools, then restart the computer into the XP Recovery Console and use a command prompt to manually remove the file.

                  http://support.microsoft.com/kb/314058

                  Hope this helps.

                  Grif
                  • 6. RE: Any Joy?
                    Bakeston,

                    And have you run scans with the tools I mentioned above? McAfee won't find many of the new spyware programs that are out there.. Unfortunate, but true. It sees the Buffer Overflow issue but not the actual infection..

                    Hope this helps.

                    Grif
                    • 7. Still Nothing
                      Ran both the tools but just picked up a few cookies. Checked for the Brastk.exe virus but no signs of it on the PCs. Contacted McAfee and they gave me the Stinger program to run but it picked up nothing. More and more PCs are now getting this BO:Stack alert!!!!

                      Any more ideas??

                      Iain
                      • 8. RE: Still Nothing
                        Please collect the log files from the tools below. It might help you to isolate the malicious applications.

                        Process Explorer -
                        http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx

                        File monitor --
                        http://technet.microsoft.com/en-us/sysinternals/86a95979-23f8-45f5-9480-f4ed9dab3aab.aspx

                        HijackThis! --
                        http://www.download.com/Trend-Micro-HijackThis/3000-8022_4-10227353.html

                        I am corresponding with McAfee and will update you all accordingly.
                        • 9. RE: Still Nothing
                          I followed your steps and could not find brastk.exe or karna.exe.
                          Also, I already had a good file of beep.sys.

                          I ran Super Anti-Spyware, Malwarebytes' and Spybot Search and Destroy, as well as the almost useless scan from McAfee. All the scans came up clean except an Adware.Tracking Cookie from Super Anti-spyware called

                          C:\DocumentsandSettings\Family\Cookies\family@warnerbros.112.2o7[1].txt

                          I did not get the usual file with tdss involved.

                          For the last couple days on startup McAfee was saying the computer was not secure (computer files and email & IM) and that it needed to be fixed which was not a problem.

                          The usual is still occurring as well. Buffer overflows at login and a blank desktop with just a background (no icons or taskbar). I have to open up the Task Manager and start a new task for the icons and taskbar to appear.

                          Any Ideas?