Computer Security & Viruses/Buffer Overflow Blocked with .avi files

Question
QUESTION: I am using a dual boot of Windows Vista and XP on two separate local drives. In Vista I have installed McAfee VirusScan with Anti-spyware and SiteAdvisor. After downloading an .avi movie file from torrent sites, if I ever try to open it with WMP, McAfee shows the warning "Buffer Overflow Blocked". But it is not the same with every .avi file, only some of them, whereas I can play them fine with other players, including VLC media player, PowerDVD, Winamp etc. On the other hand, in XP (no McAfee) I can play any .avi file with WMP. Is it a serious threat to security?

ANSWER: Hi Supam

From what I can locate on this error, it is a problem with the McAfee program, not a virus issue. Buffer overflow is writing data outside designated memory blocks when the memory block is full. VirusScan uses pattern files to detect the buffer overflows. To configure buffer overflow checking, launch the VirusScan console, right-click Buffer Overflow Protection and select Properties.

A window appears that allows you to enable buffer overflow protection in either Warning or Protection mode. Warning mode will record the activity in the log but not block the process that is detected as causing a buffer overflow. Protection mode will stop a process that is detected as causing a buffer overflow. Exclusions can also be added (to exclude certain processes), and an on-screen pop-up notification of detections can be enabled.

If you are unable to do this, let me know and we will try something else. You may also send me a HijackThis log for analysis of any running threats.

Brian

---------- FOLLOW-UP ----------

QUESTION: Hi Brian,
Thanks a lot for your response. I have tried everything as you advised. But whenever this alert occurs only two options are provided - 1). Trust this activity in the future and 2). Close this alert. It originates from file C:\Windows\system32\dllhost.exe.
I also opened the settings and there are no options for Buffer Overflow Protection and properties. It is together with the virus detection alerts or warnings. So I cannot choose to enable protection mode and disable warning mode. If I disable the warning (alert), it stops even when a virus or trojan is detected in a file. I tried to open those .avi files on my friend's PC, where he has installed Norton Security and Bitdefender. It shows no alert when playing the same .avi files. I think it only matters with McAfee and no others. Although it is not a virus issue (as you said), can Buffer Overflow affect the memory of the system?

Here are the versions of McAfee I have installed:
1. Security Center - Version: 8.0, Build: 8.0.247
2. VirusScan - Version: 12.0, Build: 12.0.177
3. SiteAdvisor - Version: 2.5, Build: 2.5.6172

And here is my Hijackthis log file -
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at PM 07:29:02, on 30-03-2008
Platform: Windows Vista  (WinNT 6.00.1904)
MSIE: Internet Explorer v7.00 (7.00.6000.16609)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Nokia\Nokia PC Suite 6\OneTouchAccess.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\DAP\DAP.exe
C:\Program Files\McAfee\MSC\mcshell.exe
C:\Windows\system32\DllHost.exe
C:\Windows\System32\notepad.exe
C:\00000Software\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.in/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~1\Office12\GRA8E1~1.DLL
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
O4 - HKCU\..\Run: [Gadwin PrintScreen] C:\Program Files\Gadwin Systems\PrintScreen\PrintScreen.exe /nosplash
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\pnrpnsp.dll' missing
O13 - Gopher Prefix:
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{C68AAAE0-CAF1-4ADC-9E48-C0A77DD38951}: NameServer = 202.56.250.5 202.56.250.6
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~1\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: @%SystemRoot%\System32\TuneUpDefragService.exe,-1 (TuneUp.Defrag) - TuneUp Software GmbH - C:\Windows\System32\TuneUpDefragService.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
End of file - 6093 bytes
Please once again help me. Thank you.

Answer
Hi Supam

I cannot say for certain if the overflow will cause damage to the system memory, but I doubt it. There are a few things to try to resolve this. First, make sure that you have all the latest Vista updates installed. Then, as a precaution, run the ESET online scan here:
http://www.eset.com/onlinescan/

If the scan comes out clean, perhaps uninstalling and reinstalling McAfee will fix the problem:

1. Uninstall all McAfee programs through "Add or Remove Programs" in Windows "Control Panel".

2. Use the MCPR tool, see this article: How to remove supported McAfee consumer products using the McAfee Consumer Products Removal tool (MCPR.exe):
http://service.mcafee.com/FAQDocument.aspx?id=107083&lc=1033
This will remove all McAfee remnants from your computer.

3. Launch Windows Explorer and delete all McAfee files in "Program Files" but especially in "C:\Document and Settings\<user>\Application Data" and "C:\Document and Settings\All Users\Application Data". You have to set Windows Explorer to show all hidden files and folders (Tools > Folder Options > View tab). Just delete the McAfee folders even if they are empty in all the "Application Data" folders. Can be more than one!
In Vista: C:\Program Files, C:\ProgramData and C:\Users\yourname\AppData\Roaming

4. Reboot and redownload/reinstall your McAfee products directly from your account at the McAfee web site.
http://community.mcafee.com/showthread.php?t=216782

Let me know how you make out.

Brian  
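
As an added example (not part of the original thread, and not the expert's own method): a small Python triage of a HijackThis log like the one posted above, grouping entries by section code and flagging those the log itself marks as `(no file)`, `Unknown owner` or `missing`. The sample lines are copied from the posted log; the choice of marker strings is an assumption about what deserves a second look first.

```python
import re
from collections import defaultdict

# Sample lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\Windows\system32\DllHost.exe
R3 - URLSearchHook: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O10 - Broken Internet access because of LSP provider 'c:\windows\system32\pnrpnsp.dll' missing
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
End of file - 6093 bytes
"""

# Entry lines have the shape "<code> - <detail>", e.g. "O23 - Service: ...".
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")

# Assumed triage markers: text HijackThis prints when a target file,
# a publisher or an LSP provider could not be resolved.
MARKERS = ("(no file)", "Unknown owner", "missing")

def parse_entries(log_text):
    """Return {section_code: [detail, ...]} for every entry line."""
    sections = defaultdict(list)
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:  # header, process list and footer lines do not match
            sections[m.group(1)].append(m.group(2))
    return dict(sections)

def flag_entries(sections):
    """Return (code, marker, detail) for entries carrying a triage marker."""
    flagged = []
    for code, details in sections.items():
        for detail in details:
            for marker in MARKERS:
                if marker in detail:
                    flagged.append((code, marker, detail))
                    break  # one flag per entry is enough
    return flagged

if __name__ == "__main__":
    for code, marker, detail in flag_entries(parse_entries(SAMPLE_LOG)):
        print(f"[{code}] {marker}: {detail}")
```

A flagged entry is only a pointer for manual review; in the posted log, for instance, the `Unknown owner` service lives in the SiteAdvisor install folder.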

Brian Benosky

©2012 About.com, a part of The New York Times Company. All rights reserved.