Topic Summary

Posted by: Samker
« on: 20. April 2010., 19:07:45 »

Quote
Thanks.

Does this MS08-067 work for Windows 2000 also? If not, what is it for Windows 2000?

Regards


I think that this one is for Win 2000: http://www.microsoft.com/downloads/details.aspx?familyid=E22EB3AE-1295-4FE2-9775-6F43C5C2AED3&displaylang=en

Service Pack 4 is required.

Posted by: dipak0969
« on: 20. April 2010., 06:14:44 »

Thanks.

Does this MS08-067 work for Windows 2000 also? If not, what is it for Windows 2000?

regards
 
Posted by: jake2pointzero
« on: 10. April 2009., 23:46:17 »

Samker is correct. One important tip: if the infected PC is connected to the network, disconnect it first before removing the worm. Scan it in safe mode.
Posted by: Samker
« on: 19. March 2009., 19:52:12 »

For me, probably the best "way" is to first run the Microsoft Removal Tool: http://scforum.info/index.php/topic,4510.0.html

and after that manually apply MS08-067: http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

Afterwards I'll do all other steps, including SP3, AV full scans...


Posted by: fish380
« on: 19. March 2009., 18:30:26 »

We got hit by this yesterday. I found a link somewhere (perhaps this forum) to a McAfee document titled "Finding W32/Conficker.worm". We received the BO Writeable BO Stack errors. The nice thing about this document is Appendix A, titled "Using Group Policies to stop W32/Conficker.worm from spreading". I made the Group Policy changes last evening, hoping this will prevent the spread. I have yet to confirm it's the Conficker worm, but all symptoms appear to be the same. If this "prevent" process works using Group Policy, then at least we can get a handle on those infected and clear them out without anyone else falling victim.

The only problem I ran into this morning is that it appears the Group Policy restrictions won't allow me to install XP Service Pack 3, which fails halfway through, causing a 20 minute rollback. Our priority was to control the spread first, and then we can take the policy off and update those remaining to Service Pack 3. In the meantime, if we have this under control, we are using re-imaged drives with Service Pack 3 to get 2 of our 4 infections back online. The other 2 seem to be OK after running Malwarebytes, Windows software removal tool and installation of Service Pack 3.
Posted by: Samker
« on: 27. February 2009., 20:55:44 »

Quote
Hi Samker,

I also experience the BO:writable BO:STACK. And we found out the PC is infected with the Conficker worm, which is going around in our network. We tried running the Microsoft Removal Tool and it detected a Conficker worm. What we did is we updated and patched our operating system with MS008-067, 068 and MS009-001 and updated our McAfee virus scanner. After that the error is gone.

Thank you my friend, your information about resolving this problem is very useful.  :thumbsup:

Regards,

Samker

Posted by: jake2pointzero
« on: 27. February 2009., 18:09:15 »

Hi Samker,

I also experience the BO:writable BO:STACK. And we found out the PC is infected with the Conficker worm, which is going around in our network. We tried running the Microsoft Removal Tool and it detected a Conficker worm. What we did is we updated and patched our operating system with MS008-067, 068 and MS009-001 and updated our McAfee virus scanner. After that the error is gone.
Posted by: c2c2
« on: 11. February 2009., 18:27:23 »

Very Good
Posted by: Samker
« on: 27. November 2008., 18:06:08 »

Hi again Futterplop.

I "see" some things in the HJT logs, but in my opinion it will be better to start with these two things:

1. Upgrade your XP to Service Pack 3: http://scforum.info/index.php/topic,1496.0.html

2. Download and Run McAfee Virtual Technician: http://mvt.mcafee.com/mvt/default.asp


After that, test your McAfee and provide me with new information about the problems.
Of course, don't forget a new HJT log.

Regards,

Samker
Posted by: Samker
« on: 27. November 2008., 15:01:23 »

Ok Futterplop, I'll check your log and think about this problem.

Please check this topic later for my reply.

Regards,

S.
Posted by: futterplop
« on: 27. November 2008., 09:27:36 »

Hi Samker,

I tried to turn BOP on one of the PCs and it was all greyed out... also I tried to upgrade to patch 7 and it gives me a Windows Installer error... do you have any ideas about these things? The Panda and HJT logs I am posting are from the PC I have done the most work on... I have run Ad-Aware and Spyware Doctor as well as Trend Micro's HouseCall. Here are the logfiles for HijackThis; the Panda one was pretty useless. Please let me know if you come up with anything useful from this.




Posted by: Samker
« on: 26. November 2008., 19:34:11 »

Quote
Wouldn't turning off buffer overflow protection be a bad idea?

I don't think so; as I said earlier, I also turned BOP off and don't have any kind of security problem.  ;)

If Panda doesn't provide a log, just copy the text of what it found infected. Of course, the HJT log is very important.

Quote
Thank you for your help

No problem, we are here to help SCF Members. :police:

S.
Posted by: futterplop
« on: 26. November 2008., 16:20:45 »

Wouldn't turning off buffer overflow protection be a bad idea? I tried both Kaspersky and BitDefender but they wouldn't run. I did get Panda to run and it looks like it found something. Does Panda still make a log file? I will run HijackThis later. Thank you for your help
Posted by: Samker
« on: 26. November 2008., 16:12:44 »

Hi Futterplop,

For this error, try to turn off Buffer Overflow Protection (I also turned off this protection  ;)):

VirusScan Console/Buffer Overflow Protection/Uncheck B.O.P.

Hope this will help you, I'll also later check your logs.

Regards,

Samker
Posted by: futterplop
« on: 26. November 2008., 15:38:14 »

I am getting this error message on 6 PCs on the network.
BO:writable BO:stack  blocked by buffer overflow

I am using McAfee 8.5 with patch 7 (thanks for that)

I am running Spyware Doctor at the moment; I will get logs for you soon. I just thought you might have an idea what the problem might be... thank you for the help in advance