Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

VirusScan - SVCHOST.EXE Buffer Overflow

Status
Not open for further replies.

HaierIT

IS-IT--Management
Nov 4, 2005
70
US
Good morning Tech's, I am having a very strange issue on a large amount of our PC's in our remote location. This remote location is connected to my centeral office via a Point-to-Point. All servers reside in the central office and so does the Internet Gateway. Reason for the above is this issue is only happening in our remote location.

The issue is that McAfee VirusScan keeps popping up on users computers with the following message:

c:\windows\system32\svchost.exe::loadlibraryA
bo:stack
Buffer OverFlow
Blocked by Buffer Overflow Protection

I also notice but do not know if this is related that on the users PC their Windows Credintials has changed to "Debug User", we usually have everyone as Administrator.

If anyone can shed some light or direction it will he greatly appricated. Virus Def is 5533 and Scan Engine 5300.
 
You might have covered this, but we saw this a while ago, and it was caused by the Conficker.worm.
 
Hi VampireJ, can you lead where can i find the Conflicker.worm forum.

I could not find it on tek-tips.

Thanks. Any idea how we can track down what is spreading this worm.
 
Hey dude,

The quick and easy way is to first of all download the Microsoft Malicious Removal Tool from MS website (KB890830). Then download the MS patch, KB958644, which prevent confiker from coming back.

I have a document from McAfee about Conficker, but I can't attach it here, so if you want a copy, PM me and I'll send it across. To be honest though, I didn't read through it, and just did the steps above and the conficker was removed from our machines.

Good luck,

Jon
 
Hi All

1) I would suggest that you apply MS08-067 which is the Microsoft fix for Conficker.

2) With most recent DAT files, run a SCHEDULED On Demand Scan > Reboot > SCHEDULED On Demand Scan

The reason for it being scheduled is because Conficker requires elevated priveledges to be removed. A scheduled On Demand Scan uses the "System" account whereas running the scan by right click system tray > On Demand Scan uses the locally logged on user account.

Even if the logged on user is Domain Admin, Conficker can lock out Domain Admin accounts.

McAfee recently posted a knowledge base article on conficker:


Hope this helps.

Also I would recommend using VSE 8.5 or 8.7 as they have better rootkit scanning ability than VSE 8.0, considering that Conficker also has a variant that infects memory.

McAfeeGeek
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top