VirusScan - SVCHOST.EXE Buffer Overflow

HaierIT (IS/IT--Management) (OP)
2 Mar 09 8:46
Good morning Techs, I am having a very strange issue on a large number of our PCs in our remote location. This remote location is connected to my central office via a Point-to-Point. All servers reside in the central office and so does the Internet Gateway. Reason for the above is this issue is only happening in our remote location.

The issue is that McAfee VirusScan keeps popping up on users' computers with the following message:

c:\windows\system32\svchost.exe::loadlibraryA
bo:stack
Buffer OverFlow
Blocked by Buffer Overflow Protection

I also notice, but do not know if this is related, that on the users' PCs their Windows credentials have changed to "Debug User"; we usually have everyone as Administrator.

If anyone can shed some light or direction it will be greatly appreciated. Virus Def is 5533 and Scan Engine 5300.

vampirej (TechnicalUser)
3 Mar 09 5:14
You might have covered this, but we saw this a while ago, and it was caused by the Conficker.worm.
 
HaierIT (IS/IT--Management) (OP)
3 Mar 09 11:02
Hi VampireJ, can you lead me to where I can find the Conficker.worm forum?

I could not find it on tek-tips.

Thanks. Any idea how we can track down what is spreading this worm?

vampirej (TechnicalUser)
4 Mar 09 6:16
Hey dude,

The quick and easy way is to first of all download the Microsoft Malicious Removal Tool from the MS website (KB890830). Then download the MS patch, KB958644, which prevents Conficker from coming back.

I have a document from McAfee about Conficker, but I can't attach it here, so if you want a copy, PM me and I'll send it across. To be honest though, I didn't read through it, and just did the steps above and the Conficker was removed from our machines.

Good luck,

Jon

McAfeeGeek (TechnicalUser)
16 Mar 09 20:31
Hi All

1) I would suggest that you apply MS08-067 which is the Microsoft fix for Conficker.

2) With most recent DAT files, run a SCHEDULED On Demand Scan > Reboot > SCHEDULED On Demand Scan

The reason for it being scheduled is because Conficker requires elevated privileges to be removed. A scheduled On Demand Scan uses the "System" account whereas running the scan by right click system tray > On Demand Scan uses the locally logged on user account.

Even if the logged on user is Domain Admin, Conficker can lock out Domain Admin accounts.

McAfee recently posted a knowledge base article on Conficker:

https://kc.mcafee.com/corporate/index?page=content&id=KB60909&actp=LIST_RECENT

Hope this helps.

Also I would recommend using VSE 8.5 or 8.7 as they have better rootkit scanning ability than VSE 8.0, considering that Conficker also has a variant that infects memory.

McAfeeGeek
