Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

VirusScan - SVCHOST.EXE Buffer Overflow

Status
Not open for further replies.
HaierIT

HaierIT

IS-IT--Management
Nov 4, 2005
70
US
Good morning Tech's, I am having a very strange issue on a large amount of our PC's in our remote location. This remote location is connected to my centeral office via a Point-to-Point. All servers reside in the central office and so does the Internet Gateway. Reason for the above is this issue is only happening in our remote location.

The issue is that McAfee VirusScan keeps popping up on users computers with the following message:

c:\windows\system32\svchost.exe::loadlibraryA
bo:stack
Buffer OverFlow
Blocked by Buffer Overflow Protection

I also notice but do not know if this is related that on the users PC their Windows Credintials has changed to "Debug User", we usually have everyone as Administrator.

If anyone can shed some light or direction it will he greatly appricated. Virus Def is 5533 and Scan Engine 5300.
 
Sort by date Sort by votes
You might have covered this, but we saw this a while ago, and it was caused by the Conficker.worm.
 
Upvote 0 Downvote
Hi VampireJ, can you lead where can i find the Conflicker.worm forum.

I could not find it on tek-tips.

Thanks. Any idea how we can track down what is spreading this worm.
 
Upvote 0 Downvote
Hey dude,

The quick and easy way is to first of all download the Microsoft Malicious Removal Tool from MS website (KB890830). Then download the MS patch, KB958644, which prevent confiker from coming back.

I have a document from McAfee about Conficker, but I can't attach it here, so if you want a copy, PM me and I'll send it across. To be honest though, I didn't read through it, and just did the steps above and the conficker was removed from our machines.

Good luck,

Jon
 
Upvote 0 Downvote
Hi All

1) I would suggest that you apply MS08-067 which is the Microsoft fix for Conficker.

2) With most recent DAT files, run a SCHEDULED On Demand Scan > Reboot > SCHEDULED On Demand Scan

The reason for it being scheduled is because Conficker requires elevated priveledges to be removed. A scheduled On Demand Scan uses the "System" account whereas running the scan by right click system tray > On Demand Scan uses the locally logged on user account.

Even if the logged on user is Domain Admin, Conficker can lock out Domain Admin accounts.

McAfee recently posted a knowledge base article on conficker:


Hope this helps.

Also I would recommend using VSE 8.5 or 8.7 as they have better rootkit scanning ability than VSE 8.0, considering that Conficker also has a variant that infects memory.

McAfeeGeek
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

moorsey1982
  • Locked
  • Question
Cisco ASDM 6.2 Log Buffer
Replies
0
Views
54
moorsey1982
moorsey1982
James99999
  • Locked
  • Question
Virusscan 8.7 upgrade cannot edit processes to exclude
Replies
0
Views
29
James99999
James99999
bigg22
  • Locked
  • Question
VirusScan
Replies
0
Views
41
bigg22
bigg22
Molenski
  • Locked
  • Question
Pushing VirusScan 8.5 out via Group Policy 1
Replies
3
Views
73
Molenski
Molenski
fdservices
  • Locked
  • Question
VirusScan Enterprise 8.5i and SBS 2003
Replies
2
Views
56
fdservices
fdservices

Part and Inventory Search

Sponsor

Back
Top