Solved

bo: Stack virus related messages in McAfee VirusScan and problems with Internet

Posted on 2006-11-04
Last Modified: 2013-12-04
I am at the end of my tether on this problem and think I have a nasty virus here.

I am running Windows XP Professional.

Whenever I access the internet, I get a message in the McAfee Virus scanner indicating "bo:Stack" error in iexplore.ext: loadLibraryA. The problem is detected as Buffer Overflow.

Note that what I am also finding is that when I try to browse to certain sites, the Browser gets overwritten and ends up going to www.msn.com.

Other issues I appear to have are:

1) Cannot do a System Restore successfully. When it reloads the restore point after reboot - Windows informs me it cannot switch to the Restore point

2) On logging in, I get a message indicating that it cannot find some component of MywebSearch - MSSBAR.dll

3) When running regedit, I get a message indicating regedit is not a valid Win32 application

Below is a copy of the HijackThis log.

I would be grateful if you could give me anything I can do to get rid of the virus- Have tried virus checkers Adaware, Firelite.

*** Hijack This log removed by humeniuk PE ***


Regards,

Eliot Minn
Question by:e2e01
9 Comments
 
LVL 23

Expert Comment

by:phototropic
ID: 17876359
What makes you think the bo:stack error is a virus?  "Buffer Overflow" usually refers to a program exceeding its allocated memory.   It may also indicate a problem with Virtual Memory...

http://en.wikipedia.org/wiki/Virtual_memory
http://www.theeldergeek.com/paging_file.htm

Other issues:

1) System Restore requires at least 250Mb free space in order to run...check your HDD;
2) MyWebSearch is a known piece of spyware...if you have run Adaware, it will probably have removed it. There may still be an item in your startup folder: Start - Run - msconfig - startup.  Remove the tick from the box next to MyWebSearch or MyWayWhatever...reboot;
3) This issue is discussed here:

http://www.experts-exchange.com/Operating_Systems/WinXP/Q_21535940.html

0
 

Author Comment

by:e2e01
ID: 17876654
OK, have run through the Hijack this analysis and deleted most of the unknowns. There is some improvement in that I don't get the can't find MSSBAR.dll.

However, I still have the following symptoms:

1) Whenever I access the internet, I get a message in the McAfee Virus scanner indicating "bo:Stack" error in iexplore.ext: loadLibraryA. The problem is detected as Buffer Overflow.

2) When I try to browse to certain sites, the Browser gets overwritten and ends up going to www.msn.com.

3) When running regedit, I get a message indicating regedit is not a valid Win32 application

Below is a link to the HijackThis analysis

http://www.hijackthis.de/logfiles/4967c971fdaa39879a40d5d74450087b.html

I would be grateful if you could give me anything I can do to get rid of the virus- Have tried virus checkers Adaware, Firelite.

Regards,

Eliot
0
 

Author Comment

by:e2e01
ID: 17876681
In answer to phototropic:

1) Looks like I have removed MyWebSearch stuff anyway so this doesn't seem to be a problem anymore
2) Have already done a Disk Cleanup successfully
2) I have around 34.5 Gb of disk space which should be more than enough for System Restore
3) I still keep getting the bo: Stack error message in the McAfee Virus Checker and this is only when I start Internet Explorer
4) My browser keeps being diverted to www.msn.com

This would appear to me to point to some kind of virus/takeover of the Browser rather than a problem with Virtual Memory which I have never had before.

See my comment above relating to the hijackthis analysis

Regards,

Eliot
0
 
LVL 23

Expert Comment

by:phototropic
ID: 17877305
e2e01,

What is your homepage set to?  If it is about:blank, it's possible that Adaware is detecting this as a hijack and resetting your homepage to the default, which is msn.  Windows defender does something similar.

 
0
 
LVL 23

Expert Comment

by:phototropic
ID: 17877428
e2e01,

Some viruses attack windows system files and change the extension .exe to .com. Try typing "regedit.exe" in the run box. What happens when you type "cmd" in the run box.  If it's also giving this error message, do a search for regedit.com.  If you find it, delete it.  Further details here:

http://www.experts-exchange.com/Operating_Systems/WinXP/Q_21535940.html

As an interim measure, you can create a usable copy of regedit using dougknox's download:

http://www.dougknox.com/xp/utils/xp_emerutils.htm
0
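The check suggested in the comment above, as an added example that is not part of the original thread: Windows tries `.COM` before `.EXE` in the default `PATHEXT` order, so a planted `regedit.com` runs when "regedit" is typed without an extension, and a damaged `regedit.exe` fails the loader's header check. The function names are hypothetical, the sample files are constructed, and the script is assumed to run against a copy or mounted image of the Windows directory.

```python
import os
import struct
import tempfile

def is_valid_pe(path):
    """Basic header check: MZ magic, then PE\\0\\0 at the offset stored at 0x3C."""
    with open(path, "rb") as f:
        head = f.read(64)
        if len(head) < 64 or head[:2] != b"MZ":
            return False
        (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
        f.seek(e_lfanew)
        return f.read(4) == b"PE\0\0"

def audit_directory(directory):
    """List .exe files that fail the header check or have a same-named .com twin."""
    names = {n.lower(): n for n in os.listdir(directory)}
    findings = []
    for lower, name in sorted(names.items()):
        base, ext = os.path.splitext(lower)
        if ext != ".exe":
            continue
        if not is_valid_pe(os.path.join(directory, name)):
            findings.append((name, "invalid PE header"))
        twin = names.get(base + ".com")  # .COM precedes .EXE in default PATHEXT
        if twin:
            findings.append((name, "shadowed by " + twin))
    return findings

def demo():
    """Run the audit over a constructed directory (sample data, not real files)."""
    good = b"MZ" + b"\0" * 58 + struct.pack("<I", 64) + b"PE\0\0"
    samples = {
        "notepad.exe": good,                 # minimal well-formed header
        "regedit.exe": b"not an executable", # constructed damaged file
        "regedit.com": good,                 # constructed planted twin
    }
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        return audit_directory(d)

if __name__ == "__main__":
    for name, reason in demo():
        print(name, "->", reason)
```
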
 
LVL 23

Expert Comment

by:phototropic
ID: 17877503
e2e01.

There are many forums with people reporting this issue. Always with McAfee detecting bo:Stack error in iexplore.ext: loadLibraryA. In most cases, the resolution appears to involve running a different av. If you can, try running an online scan. Bit defender is good:

http://www.bitdefender.com/scan8/ie.html

So is Trendmicro's Housecall:

http://housecall.trendmicro.com/

Both of these scanners will delete/quarantine what they find, without obliging you to pay for a download.
0
 

Author Comment

by:e2e01
ID: 17901849
Dear Phototropic,

Have run both BitDefender and Housecall above and both hang up, BitDefender during its run and Housecall when it tries to download.

Have attached link to my last Hijack analysis and would appreciate any advice on how to delete the offending items from the registry

The analysis is at:

http://www.hijackthis.de/logfiles/1efb7ddbcc4c722df48446ab1fff3d74.html

Also I am now getting  bo:Heap error in iexplore.ext: loadLibraryA as well as bo:Stack

Is there a solution here or is it just a case of reloading Windows??

Regards,

e2e01
0
 
LVL 23

Accepted Solution

by:
phototropic earned 500 total points
ID: 17902854
OK. Your HJT log looks pretty clear. According to McAfee, there is a known false positive problem here:

http://forums.mcafeehelp.com/viewtopic.php?t=46706&postdays=0&postorder=asc&start=0

One of the people posting in the above forum actually experienced the same hangup with Bitdefender on line scan. Bottom line seems to be that no one knows what is causing this. A selection of suggested resolutions:

"...going into command prompt and going to the internet explorer directory in program files and typing "IExplore.exe /rereg" seemed to fix it..."

"...for now just turn off buffer overflow protection..."

"...Install patch 13 This addresses the buffer overflow problem..."

"...I  have finally found the cause of the random VirusScan 8 bo:heap messages from our side. It appears to be an issue with the Lookout search bar when it is indexing in the background as noted on their forum: http://www.lookoutsoft.com/Forums/topic.asp?TOPIC_ID=706 ..."

And so on...

To dig deeper on this, I would suggest contacting McAfee direct:

https://mysupport.mcafee.com/eservice_enu/default.htmstart.swe?SWECmd=Start&SWEHo=mysupport.mcafee.com

BTW, did you get regedit back?
 
0


Question has a verified solution.
