Solved

bo: Stack virus related messages in McAfee VirusScan and problems with Internet

Posted on 2006-11-04
Last Modified: 2013-12-04
I am at the end of my tether on this problem and think I have a nasty virus here.

I am running Windows XP Professional.

Whenever I access the internet, I get a message in the McAfee Virus scanner indicating "bo:Stack" error in iexplore.ext: loadLibraryA. The problem is detected as Buffer Overflow.

Note that what I am also finding is that when I try to browse to certain sites, the Browser gets overwritten and ends up going to www.msn.com.

Other issues I appear to have are:

1) Cannot do a System Restore successfully. When it reloads the restore point after reboot - Windows informs me it cannot switch to the Restore point

2) On logging in, I get a message indicating that it cannot find some component of MywebSearch - MSSBAR.dll

3) When running regedit, I get a message indicating regedit is not a valid Win32 application

Below is a copy of the HijackThis log.

I would be grateful if you could give me anything I can do to get rid of the virus - have tried virus checkers Adaware, Firelite.

*** Hijack This log removed by humeniuk PE ***


Regards,

Eliot Minn
0
Comment
Question by:e2e01
9 Comments
 
LVL 23

Expert Comment

by:phototropic
ID: 17876359
What makes you think the bo:stack error is a virus?  "Buffer Overflow" usually refers to a program exceeding its allocated memory.   It may also indicate a problem with Virtual Memory...

http://en.wikipedia.org/wiki/Virtual_memory
http://www.theeldergeek.com/paging_file.htm

Other issues:

1) System Restore requires at least 250Mb free space in order to run...check your HDD;
2) MyWebSearch is a known piece of spyware...if you have run Adaware, it will probably have removed it. There may still be an item in your startup folder: Start - Run - msconfig - startup.  Remove the tick from the box next to MyWebSearch or MyWayWhatever...reboot;
3) This issue is discussed here:

http://www.experts-exchange.com/Operating_Systems/WinXP/Q_21535940.html

0
 

Author Comment

by:e2e01
ID: 17876654
OK, have run through the Hijack this analysis and deleted most of the unknowns. There is some improvement in that I don't get the can't find MSSBAR.dll.

However, I still have the following symptoms:

1) Whenever I access the internet, I get a message in the McAfee Virus scanner indicating "bo:Stack" error in iexplore.ext: loadLibraryA. The problem is detected as Buffer Overflow.

2) When I try to browse to certain sites, the Browser gets overwritten and ends up going to www.msn.com.

3) When running regedit, I get a message indicating regedit is not a valid Win32 application

Below is a link to the HijackThis analysis

http://www.hijackthis.de/logfiles/4967c971fdaa39879a40d5d74450087b.html

I would be grateful if you could give me anything I can do to get rid of the virus - have tried virus checkers Adaware, Firelite.

Regards,

Eliot
0
 

Author Comment

by:e2e01
ID: 17876681
In answer to phototropic:

1) Looks like I have removed MyWebSearch stuff anyway so this doesn't seem to be a problem anymore
2) Have already done a Disk Cleanup successfully
2) I have around 34.5 Gb of disk space which should be more than enough for System Restore
3) I still keep getting the bo: Stack error message in the McAfee Virus Checker and this is only when I start Internet Explorer
4) My browser keeps being diverted to www.msn.com

This would appear to me to point to some kind of virus/takeover of the Browser rather than a problem with Virtual Memory which I have never had before.

See my comment above relating to the hijackthis analysis

Regards,

Eliot
0

 
LVL 23

Expert Comment

by:phototropic
ID: 17877305
e2e01,

What is your homepage set to? If it is about:blank, it's possible that Adaware is detecting this as a hijack and resetting your homepage to the default, which is msn. Windows Defender does something similar.

 
0
 
LVL 23

Expert Comment

by:phototropic
ID: 17877428
e2e01,

Some viruses attack Windows system files and change the extension .exe to .com. Try typing "regedit.exe" in the run box. What happens when you type "cmd" in the run box? If it's also giving this error message, do a search for regedit.com. If you find it, delete it. Further details here:

http://www.experts-exchange.com/Operating_Systems/WinXP/Q_21535940.html

As an interim measure, you can create a usable copy of regedit using dougknox's download:

http://www.dougknox.com/xp/utils/xp_emerutils.htm
0
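The check suggested in the comment above (look for a regedit.com sitting beside regedit.exe), generalized to any same-named .com/.exe pair and combined with a header check for the "not a valid Win32 application" symptom. This is an added example, not part of the original thread; the function names are hypothetical and the sample directory and file contents are constructed.

```python
import os
import struct
import tempfile

# Constructed minimal image: DOS header whose e_lfanew (offset 0x3C) points at "PE\0\0".
STUB_PE = b"MZ" + b"\0" * 58 + struct.pack("<I", 64) + b"PE\0\0"

def pe_status(path):
    """Classify a file by its headers: 'pe', 'dos-only' (MZ, no PE signature) or 'invalid'."""
    with open(path, "rb") as f:
        head = f.read(64)
        if len(head) < 64 or head[:2] != b"MZ":
            return "invalid"  # truncated or overwritten image
        (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
        f.seek(e_lfanew)
        return "pe" if f.read(4) == b"PE\0\0" else "dos-only"

def find_shadowing_com(directories):
    """Return (com_path, exe_path, com_header_status) for each X.com beside an X.exe."""
    hits = []
    for d in directories:
        try:
            names = os.listdir(d)
        except OSError:
            continue  # missing or unreadable directory
        lower = {n.lower(): n for n in names}
        for low, name in sorted(lower.items()):
            twin = lower.get(low[:-4] + ".exe") if low.endswith(".com") else None
            if twin:
                com = os.path.join(d, name)
                hits.append((com, os.path.join(d, twin), pe_status(com)))
    return hits

def build_sample_dir():
    """Constructed test data standing in for a Windows directory."""
    d = tempfile.mkdtemp()
    samples = {"regedit.exe": STUB_PE, "regedit.com": STUB_PE,  # suspicious pair
               "more.com": STUB_PE,                             # .com with no .exe twin
               "damaged.exe": b"MZ\0\0"}                        # truncated image
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return d

if __name__ == "__main__":
    for com, exe, status in find_shadowing_com([build_sample_dir()]):
        print(f"{com} sits beside {exe} (header: {status})")
```

On a real machine, pass the Windows and system32 directories (or the entries of `PATH`) instead of the sample directory, and run `pe_status` on regedit.exe itself to see whether the genuine file is damaged.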
 
LVL 23

Expert Comment

by:phototropic
ID: 17877503
e2e01.

There are many forums with people reporting this issue. Always with McAfee detecting bo:Stack error in iexplore.ext: loadLibraryA. In most cases, the resolution appears to involve running a different av. If you can, try running an online scan. Bit defender is good:

http://www.bitdefender.com/scan8/ie.html

So is Trendmicro's Housecall:

http://housecall.trendmicro.com/

Both of these scanners will delete/quarantine what they find, without obliging you to pay for a download.
0
 

Author Comment

by:e2e01
ID: 17901849
Dear Phototropic,

Have run both BitDefender and Housecall above and both hang up, BitDefender during its run and Housecall when it tries to download.

Have attached link to my last Hijack analysis and would appreciate any advice on how to delete the offending items from the registry

The analysis is at:

http://www.hijackthis.de/logfiles/1efb7ddbcc4c722df48446ab1fff3d74.html

Also I am now getting bo:Heap error in iexplore.ext: loadLibraryA as well as bo:Stack

Is there a solution here or is it just a case of reloading Windows??

Regards,

e2e01
0
 
LVL 23

Accepted Solution

by:
phototropic earned 500 total points
ID: 17902854
OK. Your HJT log looks pretty clear. According to McAfee, there is a known false positive problem here:

http://forums.mcafeehelp.com/viewtopic.php?t=46706&postdays=0&postorder=asc&start=0

One of the people posting in the above forum actually experienced the same hangup with Bitdefender online scan. Bottom line seems to be that no one knows what is causing this. A selection of suggested resolutions:

"...going into command prompt and going to the internet explorer directory in program files and typing "IExplore.exe /rereg" seemed to fix it..."

"...for now just turn off buffer overflow protection..."

"...Install patch 13 This addresses the buffer overflow problem..."

"...I  have finally found the cause of the random VirusScan 8 bo:heap messages from our side. It appears to be an issue with the Lookout search bar when it is indexing in the background as noted on their forum: http://www.lookoutsoft.com/Forums/topic.asp?TOPIC_ID=706 ..."

And so on...

To dig deeper on this, I would suggest contacting McAfee direct:

https://mysupport.mcafee.com/eservice_enu/default.htmstart.swe?SWECmd=Start&SWEHo=mysupport.mcafee.com

BTW, did you get regedit back?
 
0
