Solved

bo: Stack virus related messages in McAfee VirusScan and problems with Internet

Posted on 2006-11-04
Last Modified: 2013-12-04
I am at the end of my tether on this problem and think I have a nasty virus here.

I am running Windows XP Professional.

Whenever I access the internet, I get a message in the McAfee Virus scanner indicating "bo:Stack" error in iexplore.ext: loadLibraryA. The problem is detected as Buffer Overflow.

Note that what I am also finding is that when I try to browse to certain sites, the Browser gets overwritten and ends up going to www.msn.com.

Other issues I appear to have are:

1) Cannot do a System Restore successfully. When it reloads the restore point after reboot - Windows informs me it cannot switch to the Restore point

2) On logging in, I get a message indicating that it cannot find some component of MywebSearch - MSSBAR.dll

3) When running regedit, I get a message indicating regedit is not a valid Win32 application

Below is a copy of the HijackThis log.

I would be grateful if you could give me anything I can do to get rid of the virus- Have tried virus checkers Adaware, Firelite.

*** Hijack This log removed by humeniuk PE ***


Regards,

Eliot Minn
Question by:e2e01
9 Comments
 
LVL 23

Expert Comment

by:phototropic
ID: 17876359
What makes you think the bo:stack error is a virus?  "Buffer Overflow" usually refers to a program exceeding its allocated memory.   It may also indicate a problem with Virtual Memory...

http://en.wikipedia.org/wiki/Virtual_memory
http://www.theeldergeek.com/paging_file.htm

Other issues:

1) System Restore requires at least 250Mb free space in order to run...check your HDD;
2) MyWebSearch is a known piece of spyware...if you have run Adaware, it will probably have removed it. There may still be an item in your startup folder: Start - Run - msconfig - startup.  Remove the tick from the box next to MyWebSearch or MyWayWhatever...reboot;
3) This issue is discussed here:

http://www.experts-exchange.com/Operating_Systems/WinXP/Q_21535940.html

0
 

Author Comment

by:e2e01
ID: 17876654
OK, have run through the Hijack this analysis and deleted most of the unknowns. There is some improvement in that I don't get the "can't find MSSBAR.dll" message.

However, I still have the following symptoms:

1) Whenever I access the internet, I get a message in the McAfee Virus scanner indicating "bo:Stack" error in iexplore.ext: loadLibraryA. The problem is detected as Buffer Overflow.

2) When I try to browse to certain sites, the Browser gets overwritten and ends up going to www.msn.com.

3) When running regedit, I get a message indicating regedit is not a valid Win32 application

Below is a link to the HijackThis analysis

http://www.hijackthis.de/logfiles/4967c971fdaa39879a40d5d74450087b.html

I would be grateful if you could give me anything I can do to get rid of the virus- Have tried virus checkers Adaware, Firelite.

Regards,

Eliot
0
 

Author Comment

by:e2e01
ID: 17876681
In answer to phototropic:

1) Looks like I have removed MyWebSearch stuff anyway so this doesn't seem to be a problem anymore
2) Have already done a Disk Cleanup successfully
2) I have around 34.5 Gb of disk space which should be more than enough for System Restore
3) I still keep getting the bo: Stack error message in the McAfee Virus Checker and this is only when I start Internet Explorer
4) My browser keeps being diverted to www.msn.com

This would appear to me to point to some kind of virus/takeover of the Browser rather than a problem with Virtual Memory which I have never had before.

See my comment above relating to the hijackthis analysis

Regards,

Eliot
0
 
LVL 23

Expert Comment

by:phototropic
ID: 17877305
e2e01,

What is your homepage set to?  If it is about:blank, it's possible that Adaware is detecting this as a hijack and resetting your homepage to the default, which is msn.  Windows defender does something similar.

 
0

 
LVL 23

Expert Comment

by:phototropic
ID: 17877428
e2e01,

Some viruses attack Windows system files and change the extension .exe to .com. Try typing "regedit.exe" in the run box. What happens when you type "cmd" in the run box? If it's also giving this error message, do a search for regedit.com. If you find it, delete it. Further details here:

http://www.experts-exchange.com/Operating_Systems/WinXP/Q_21535940.html

As an interim measure, you can create a usable copy of regedit using dougknox's download:

http://www.dougknox.com/xp/utils/xp_emerutils.htm
0
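The regedit.com search suggested in the comment above can be generalized to every command name; this is an added example, not part of the original thread or any poster's code. It assumes cmd-style resolution (directories in PATH order, extensions in PATHEXT order, where .COM precedes .EXE by default); the function names and the sample files are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

# Leading entries of the default Windows PATHEXT: .COM is tried before .EXE,
# which is why a planted regedit.com runs when only "regedit" is typed.
DEFAULT_PATHEXT = ".COM;.EXE;.BAT;.CMD"


def find_shadowed_exes(search_dirs, pathext=DEFAULT_PATHEXT):
    """Return (winner, shadowed_exe) pairs, resolving names the way a
    command lookup would: directories in order, then PATHEXT order.
    """
    exts = [e.lower() for e in pathext.split(";") if e]
    candidates = {}  # base name -> paths in the order they would be resolved
    for directory in map(Path, search_dirs):
        if not directory.is_dir():
            continue
        files = {p.name.lower(): p for p in directory.iterdir() if p.is_file()}
        stems = sorted({Path(n).stem for n in files if Path(n).suffix in exts})
        for stem in stems:
            for ext in exts:
                if stem + ext in files:
                    candidates.setdefault(stem, []).append(files[stem + ext])
    findings = []
    for stem, paths in sorted(candidates.items()):
        winner = paths[0]
        exes = [p for p in paths[1:] if p.suffix.lower() == ".exe"]
        if winner.suffix.lower() != ".exe" and exes:
            findings.append((winner, exes[0]))  # a non-.exe file runs first
    return findings


def demo():
    """Scan a constructed directory layout (no real system files involved)."""
    with tempfile.TemporaryDirectory() as root:
        win = Path(root, "WINDOWS")
        sys32 = win / "system32"
        sys32.mkdir(parents=True)
        for name in ("regedit.exe", "regedit.com", "notepad.exe"):
            (win / name).write_bytes(b"constructed sample")
        (sys32 / "mode.com").write_bytes(b"constructed sample")  # no .exe twin
        return [(w.name, s.name) for w, s in find_shadowed_exes([win, sys32])]


if __name__ == "__main__":
    dirs = [d for d in os.environ.get("PATH", "").split(os.pathsep) if d]
    for winner, exe in find_shadowed_exes(dirs, os.environ.get("PATHEXT", DEFAULT_PATHEXT)):
        print(f"{winner} runs instead of {exe}")
```

A .com file with no same-named .exe (such as the constructed mode.com) is not reported; only a file that would run in place of an existing .exe is.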
 
LVL 23

Expert Comment

by:phototropic
ID: 17877503
e2e01.

There are many forums with people reporting this issue. Always with McAfee detecting bo:Stack error in iexplore.ext: loadLibraryA. In most cases, the resolution appears to involve running a different av. If you can, try running an online scan. Bit defender is good:

http://www.bitdefender.com/scan8/ie.html

So is Trendmicro's Housecall:

http://housecall.trendmicro.com/

Both of these scanners will delete/quarantine what they find, without obliging you to pay for a download.
0
 

Author Comment

by:e2e01
ID: 17901849
Dear Phototropic,

Have run both BitDefender and Housecall above and both hang up, BitDefender during its run and Housecall when it tries to download.

Have attached link to my last Hijack analysis and would appreciate any advice on how to delete the offending items from the registry

The analysis is at:

http://www.hijackthis.de/logfiles/1efb7ddbcc4c722df48446ab1fff3d74.html

Also I am now getting  bo:Heap error in iexplore.ext: loadLibraryA as well as bo:Stack

Is there a solution here or is it just a case of reloading Windows??

Regards,

e2e01
0
 
LVL 23

Accepted Solution

by:
phototropic earned 500 total points
ID: 17902854
OK. Your HJT log looks pretty clear. According to McAfee, there is a known false positive problem here:

http://forums.mcafeehelp.com/viewtopic.php?t=46706&postdays=0&postorder=asc&start=0

One of the people posting in the above forum actually experienced the same hangup with Bitdefender on line scan. Bottom line seems to be that no one knows what is causing this. A selection of suggested resolutions:

"...going into command prompt and going to the internet explorer directory in program files and typing "IExplore.exe /rereg" seemed to fix it..."

"...for now just turn off buffer overflow protection..."

"...Install patch 13 This addresses the buffer overflow problem..."

"...I  have finally found the cause of the random VirusScan 8 bo:heap messages from our side. It appears to be an issue with the Lookout search bar when it is indexing in the background as noted on their forum: http://www.lookoutsoft.com/Forums/topic.asp?TOPIC_ID=706 ..."

And so on...

To dig deeper on this, I would suggest contacting McAfee direct:

https://mysupport.mcafee.com/eservice_enu/default.htmstart.swe?SWECmd=Start&SWEHo=mysupport.mcafee.com

BTW, did you get regedit back?
 
0
