How do I get rid of the BO:Writable -or- the BO:Heap virus alert
Problem: I have a desktop PC that has contacted the BO:Writable BO:Heap virus alert ... and I can't seem to get rid of it. I have tried many things, but all to no avail.
Scenario: 1. When the user tries to use the internet (IE 6), they get the following virus alert from McAfee:
Name: C:\Program Files\Internet Explorer\iexplorer.exe:KER
Detected As: BO:Writable BO:Heap
State: Blocked by Buffer Overflow Protection
2. All other software works perfectly fine ... .no issues/problems ... only IE6 is the problem.
Current State: 1. Currently we have McAfee's Enterprise Solution 8.5i as our virus protection. The patch
version is 5; scan engine is 5200.2160; dat version is 5303.0000; created on 05/26/08;
buffer overflow and access protection dat version is 354.
2. We are a Microsoft shop, so using another browser is not an option.
What I have done: 1. I have run a McAfee virus scan and nothing was found.
2. I installed Spy Sweeper and it found spyware but did not rid the PC of the 2 alerts.
3. I downloaded BitDefender and ran it ... it too found stuff but did not rid the PC of
the above 2 alerts.
4. I installed Symantec's Endpoint Protection ... and that froze on me while running.
5. I have investigated experts-exchange and so far, "it seems" that things I have tried
experts-exchange has suggested.
Other things: 1. The PC is a corporate controlled PC, so I can't change the buffer overflow protection.
2. I don't want to re-format the hard drive, but if I have to ... I have to. Since the users can
get to their data, I may just copy the data to a memory stick and put it back on when the
hard drive is re-formatted and all software is re-installed ... again, I don't want to, but if I
have to I will.
3. However, I find this a challenge and I want to understand how to remove this message
in case it happens again on another PC.
4. I have been to McAfee's website and they do acknowledge that the above 2 alerts have
been found by McAfee's anti-virus software; however unless I missed it, McAfee did not
give a solution to rid the PC of the 2 alerts.
Thanks for your help.
Scenario: 1. When the user tries to use the internet (IE 6), they get the following virus alert from McAfee:
Name: C:\Program Files\Internet Explorer\iexplorer.exe:KER
Detected As: BO:Writable BO:Heap
State: Blocked by Buffer Overflow Protection
2. All other software works perfectly fine ... .no issues/problems ... only IE6 is the problem.
Current State: 1. Currently we have McAfee's Enterprise Solution 8.5i as our virus protection. The patch
version is 5; scan engine is 5200.2160; dat version is 5303.0000; created on 05/26/08;
buffer overflow and access protection dat version is 354.
2. We are a Microsoft shop, so using another browser is not an option.
What I have done: 1. I have run a McAfee virus scan and nothing was found.
2. I installed Spy Sweeper and it found spyware but did not rid the PC of the 2 alerts.
3. I downloaded BitDefender and ran it ... it too found stuff but did not rid the PC of
the above 2 alerts.
4. I installed Symantec's Endpoint Protection ... and that froze on me while running.
5. I have investigated experts-exchange and so far, "it seems" that things I have tried
experts-exchange has suggested.
Other things: 1. The PC is a corporate controlled PC, so I can't change the buffer overflow protection.
2. I don't want to re-format the hard drive, but if I have to ... I have to. Since the users can
get to their data, I may just copy the data to a memory stick and put it back on when the
hard drive is re-formatted and all software is re-installed ... again, I don't want to, but if I
have to I will.
3. However, I find this a challenge and I want to understand how to remove this message
in case it happens again on another PC.
4. I have been to McAfee's website and they do acknowledge that the above 2 alerts have
been found by McAfee's anti-virus software; however unless I missed it, McAfee did not
give a solution to rid the PC of the 2 alerts.
Thanks for your help.
A B0:Heap virus alert is usually a sign of Lop infection.
A hijackthis log as already suggested is also a good idea to check what's running in the system and what infection is present.
You can also try NoLop.
Please Download NoLop to your desktop from one of the links below...
http://www.spywareedge.net/nolop/NoLop.exe
http://www.spywaretimes.com/Tools/download/21/chk,ed0778d88843ca2625ab6208a197bcc5/
http://www.thespykiller.co.uk/forum/index.php?action=tpmod;dl=item16
First close any other programs you have running as this will require a reboot
Double click NoLop.exe to run it
Now click the button labelled "Search and Destroy"
<<your computer will now be scanned for infected files>>
When scanning is finished you will be prompted to reboot only if infected, Click OK
Now click the "REBOOT" Button.
A Message should popup from NoLop. If not, double click the program again and it will finish Please Post the contents of C:\NoLop.log.
Alternatively, a Lop uninstaller download:
http://www.pchell.com/downloads/lopuninstall.exe
A hijackthis log as already suggested is also a good idea to check what's running in the system and what infection is present.
You can also try NoLop.
Please Download NoLop to your desktop from one of the links below...
http://www.spywareedge.net/nolop/NoLop.exe
http://www.spywaretimes.com/Tools/download/21/chk,ed0778d88843ca2625ab6208a197bcc5/
http://www.thespykiller.co.uk/forum/index.php?action=tpmod;dl=item16
First close any other programs you have running as this will require a reboot
Double click NoLop.exe to run it
Now click the button labelled "Search and Destroy"
<<your computer will now be scanned for infected files>>
When scanning is finished you will be prompted to reboot only if infected, Click OK
Now click the "REBOOT" Button.
A Message should popup from NoLop. If not, double click the program again and it will finish Please Post the contents of C:\NoLop.log.
Alternatively, a Lop uninstaller download:
http://www.pchell.com/downloads/lopuninstall.exe
ASKER
moh10ly:
I did download Hijackthis and I did as you suggested ... attached is the logfle.
rpggamergirl:
In doing my research on this issue, I came to experts-exchange. One of the suggestions was to download the nolop executeable. I did that and nolop.exe did not find anything. However, per your suggestion, I ran it again ... and again it did not find anything.
hijackthis.log
I did download Hijackthis and I did as you suggested ... attached is the logfle.
rpggamergirl:
In doing my research on this issue, I came to experts-exchange. One of the suggestions was to download the nolop executeable. I did that and nolop.exe did not find anything. However, per your suggestion, I ran it again ... and again it did not find anything.
hijackthis.log
There are two items (Marked below as first and second) that I couldn't identify if they belong to the client that your fixing or to a domain or a specific script that you are running ... If you know these are safe and you use them then don't fix them if not then go ahead with the fix.
Run Hijackthis again and clean the listed below...
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-1
O2 - BHO: Browser Helper Object - {AFD4AD01-58C1-47DB-A404-F
O3 - Toolbar: CouponBar - {5BED3930-2E9E-76D8-BACC-8
O4 - HKLM\..\Run: [installerkey] regedit /s c:\windows\installerkey.re
O4 - HKLM\..\Run: [Cleanmgr] "C:\WINDOWS\Cleantemp.exe"
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZUxdm080YYUS
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1
Download CCleaner - Install it and run clean to empty all the Temp folders.
http://fs6.filehippo.com/7532/7cf471367a9e41fb97016f51e4954efa/ccsetup207.exe
Also Download Trend Micro" CWShredder" Run Click I Agree, Check the Box next to Move CWS ... and then click Fix.
http://www.trendmicro.com/ftp/products/online-tools/cwshredder.exe
Also Download SpywareBlaster, After installation Download updates manually and Enable protection for IExplroer and Firefox..
Download Link
http://fs7.filehippo.com/2100/5fbb13e21521468584344a9e3f59fbf1/spywareblastersetup40.exe
After using all those,,,, Report back
Run Hijackthis again and clean the listed below...
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-1
O2 - BHO: Browser Helper Object - {AFD4AD01-58C1-47DB-A404-F
O3 - Toolbar: CouponBar - {5BED3930-2E9E-76D8-BACC-8
O4 - HKLM\..\Run: [installerkey] regedit /s c:\windows\installerkey.re
O4 - HKLM\..\Run: [Cleanmgr] "C:\WINDOWS\Cleantemp.exe"
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZUxdm080YYUS
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1
Download CCleaner - Install it and run clean to empty all the Temp folders.
http://fs6.filehippo.com/7532/7cf471367a9e41fb97016f51e4954efa/ccsetup207.exe
Also Download Trend Micro" CWShredder" Run Click I Agree, Check the Box next to Move CWS ... and then click Fix.
http://www.trendmicro.com/ftp/products/online-tools/cwshredder.exe
Also Download SpywareBlaster, After installation Download updates manually and Enable protection for IExplroer and Firefox..
Download Link
http://fs7.filehippo.com/2100/5fbb13e21521468584344a9e3f59fbf1/spywareblastersetup40.exe
After using all those,,,, Report back
No sign of Lop there I'm surprised as Bo:heap is usually the sign of it.
If problem persists, let's try Combofix and see what it finds.
Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply along with a fresh HJT log
Re-enable all the programs that were disabled during the running of ComboFix..
Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
-------------
Also, your java is also the lower version which is very vulnerable to infections especially vundo. I suggest downloading the latest version.
Updating Java:
Go to Start > Control Panel > Add/Remove programs.
Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
Select and click Remove.
Then Download and install the newest version from here:
http://www.java.com/en/download/manual.jsp
If problem persists, let's try Combofix and see what it finds.
Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply along with a fresh HJT log
Re-enable all the programs that were disabled during the running of ComboFix..
Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
-------------
Also, your java is also the lower version which is very vulnerable to infections especially vundo. I suggest downloading the latest version.
Updating Java:
Go to Start > Control Panel > Add/Remove programs.
Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
Select and click Remove.
Then Download and install the newest version from here:
http://www.java.com/en/download/manual.jsp
ASKER
moh10ly:
I did everything you asked me to do and still the BO:Writable BO:Heap still appears when accessing the internet. Attached is a copy of the latest hijackthis log; also, a copy of the combofix log that rpggamergirl requested.
Moreover, the installerkey.reg and the cleantemp.exe you pointed out to me is something that corporate has installed on all of the machines. Also, your link to ccleaner was not up-to-date. I googled it and was able to get the latest version. Also, I am not in the office on Friday, so I will not be able to report back to you until Monday.
Thanks for your help.
rpggamergirl:
I did run the combofix program as you requested and sorry to report, I still have the BO:Writable BO:Heap virus alerts showing up when accessing the internet explorer. Attached is a copy of the combofix log you requested and a copy of the latest hijackthis log moh10ly requested.
I have not yet installed the latest version of java. Also, I am not in the office on Friday, so I will not be able to report back to you until Monday.
Thanks for your help.
hijackthis1.log
log.txt
I did everything you asked me to do and still the BO:Writable BO:Heap still appears when accessing the internet. Attached is a copy of the latest hijackthis log; also, a copy of the combofix log that rpggamergirl requested.
Moreover, the installerkey.reg and the cleantemp.exe you pointed out to me is something that corporate has installed on all of the machines. Also, your link to ccleaner was not up-to-date. I googled it and was able to get the latest version. Also, I am not in the office on Friday, so I will not be able to report back to you until Monday.
Thanks for your help.
rpggamergirl:
I did run the combofix program as you requested and sorry to report, I still have the BO:Writable BO:Heap virus alerts showing up when accessing the internet explorer. Attached is a copy of the combofix log you requested and a copy of the latest hijackthis log moh10ly requested.
I have not yet installed the latest version of java. Also, I am not in the office on Friday, so I will not be able to report back to you until Monday.
Thanks for your help.
hijackthis1.log
log.txt
Still the same items were not fixed ...
Try to run hijackthis again and fix them after closing all other applications to avoid access problems.
O2 - BHO: Browser Helper Object - {AFD4AD01-58C1-47DB-A404-F
O3 - Toolbar: CouponBar - {5BED3930-2E9E-76D8-BACC-8
Try to run hijackthis again and fix them after closing all other applications to avoid access problems.
O2 - BHO: Browser Helper Object - {AFD4AD01-58C1-47DB-A404-F
O3 - Toolbar: CouponBar - {5BED3930-2E9E-76D8-BACC-8
O2 - BHO: Browser Helper Object - {AFD4AD01-58C1-47DB-A404-F
The above entry won't go? try and turning off realtime monitors/shield that you might have before fixing entries.
C:\WINDOWS\cpnprt2.cid <-- delete this this one.
In add/remove programs, also uninstall these if listed there, they are unnecessary.
My Web Search Bar
MyWebSearch Email Plugin
Looks like a file infector was busy there at some stage.
Some legit files there were being replaced and it seems those replaced files have been deleted by your antivirus scanner as they're showing empty in the CF log. We can try and replaced those files, then scan with BitDefender or Kaspersky afterwards.
Download FindAWF
http://noahdfear.net/downloads/FindAWF.exe
Save the file to the Desktop
Double-click the FindAWF icon.
If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 1 then Enter to scan for bak folders
The scan may take a while, please be patient.
When done, a text file, Find AWF report is produced, please attach that here using "Code Snippet"
The above entry won't go? try and turning off realtime monitors/shield that you might have before fixing entries.
C:\WINDOWS\cpnprt2.cid <-- delete this this one.
In add/remove programs, also uninstall these if listed there, they are unnecessary.
My Web Search Bar
MyWebSearch Email Plugin
Looks like a file infector was busy there at some stage.
Some legit files there were being replaced and it seems those replaced files have been deleted by your antivirus scanner as they're showing empty in the CF log. We can try and replaced those files, then scan with BitDefender or Kaspersky afterwards.
Download FindAWF
http://noahdfear.net/downloads/FindAWF.exe
Save the file to the Desktop
Double-click the FindAWF icon.
If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 1 then Enter to scan for bak folders
The scan may take a while, please be patient.
When done, a text file, Find AWF report is produced, please attach that here using "Code Snippet"
ASKER
moh10ly / rpggamergirl,
I did what both of you told me to do ... I should have stop there; however, while I was cleaning up what you both wanted me to clean up, I decided to completely remove the Symantec Endpoint entries from the register. Once I got done, I rebooted the PC and it came back with a corrupted registry. The SYSTEM file is corrupted. I will probably have to use the ultimate boot cd to recover the corrupted registry. Please give me a few days. Thanks.
I did what both of you told me to do ... I should have stop there; however, while I was cleaning up what you both wanted me to clean up, I decided to completely remove the Symantec Endpoint entries from the register. Once I got done, I rebooted the PC and it came back with a corrupted registry. The SYSTEM file is corrupted. I will probably have to use the ultimate boot cd to recover the corrupted registry. Please give me a few days. Thanks.
Did you run FindAWF? It wasn't a scanner that cleans bad files.
If you have ran it, we need to see the log. Combofix log showed legit files that has been moved from its default location.
The FindAWF scan - it will find all the original folders and files that needs to be restored.
Step 2 - we input all the files in a script that need to be restored.
Step 3 - we input a script to delete those moved original folders.
If you have ran it, we need to see the log. Combofix log showed legit files that has been moved from its default location.
The FindAWF scan - it will find all the original folders and files that needs to be restored.
Step 2 - we input all the files in a script that need to be restored.
Step 3 - we input a script to delete those moved original folders.
In Combofix log, it showed that these files below have been moved from its default location, FindAWF is the tool that finds all of the moved files(in case combofix didn't list them all.)
smax4pnp.exe
userupdaterini.EXE
userupdaterini.EXE
jusched.exe
msmsgs.exe
Advertise.lnk
qttask.exe
Advertise.lnk
Cleantemp.exe
hkcmd.exe
igfxpers.exe
igfxtray.exe
smax4pnp.exe
userupdaterini.EXE
userupdaterini.EXE
jusched.exe
msmsgs.exe
Advertise.lnk
qttask.exe
Advertise.lnk
Cleantemp.exe
hkcmd.exe
igfxpers.exe
igfxtray.exe
Try scanning your PC using Trend micro Online Scanner.
I suppose you have some rootkits.
Link:
http://prerelease.trendmicro-europe.com/hc66/launch/
click on launch housecall free scan and then follow the instructions that will be provided later.
Download Anti rootkits
Use the 5 star - free ones.
http://www.antirootkit.com/software/index.htm
When you scan using any of them, they will a log file... post here when done.
I suppose you have some rootkits.
Link:
http://prerelease.trendmicro-europe.com/hc66/launch/
click on launch housecall free scan and then follow the instructions that will be provided later.
Download Anti rootkits
Use the 5 star - free ones.
http://www.antirootkit.com/software/index.htm
When you scan using any of them, they will a log file... post here when done.
ASKER
moh10ly/rpggamergirl,
Good news ... the BO:Writable BO:Heap virus is gone. Don't know how, but its gone ... here is what I did:
- on Monday, I corrupted the registry (the system file), as I mentioned in the last correspondence
- today Thursday, I used the ultimate boot cd to boot the machine and was able to manually fix
the registry ... I used the register files from last Thursday's restore point
- after fixing the registry and rebooting the machine, I used last Thursday's restore point to do
a system restore
- after a successful restore, I ran hijackthis again and followed your suggestions up to last
Thursday as to what to fix (sorta/kinda getting myself back where I was last Thursday)
- after hijackthis fixed the points that both of you suggested, I rebooted and was able to get to the
internet with absolutely no trace of BO:Writable BO:Heap virus
- again, I don't know exactly what happened in the above sequence to rid the machine of the
virus, but it is gone
THANK YOU both for your help and support. It probably would have been easier to save data to a memory stick and re-format the hard drive. But in the long run, this issue now gives me knowledge in
how to handle a virus of this nature. Again, THANK YOU both for your help ... keep up the excellent work.
sla0610
Good news ... the BO:Writable BO:Heap virus is gone. Don't know how, but its gone ... here is what I did:
- on Monday, I corrupted the registry (the system file), as I mentioned in the last correspondence
- today Thursday, I used the ultimate boot cd to boot the machine and was able to manually fix
the registry ... I used the register files from last Thursday's restore point
- after fixing the registry and rebooting the machine, I used last Thursday's restore point to do
a system restore
- after a successful restore, I ran hijackthis again and followed your suggestions up to last
Thursday as to what to fix (sorta/kinda getting myself back where I was last Thursday)
- after hijackthis fixed the points that both of you suggested, I rebooted and was able to get to the
internet with absolutely no trace of BO:Writable BO:Heap virus
- again, I don't know exactly what happened in the above sequence to rid the machine of the
virus, but it is gone
THANK YOU both for your help and support. It probably would have been easier to save data to a memory stick and re-format the hard drive. But in the long run, this issue now gives me knowledge in
how to handle a virus of this nature. Again, THANK YOU both for your help ... keep up the excellent work.
sla0610
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks again.
http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe
After downloading is, Install -- Run and click "Do a system scan and save a logfile"..
Don't fix anything just attach the logfile here and we'll look into it.