Avatar of Steve Avery
Steve AveryFlag for United States of America asked on

How do I get rid of the BO:Writable -or- the BO:Heap virus alert

Problem:  I have a desktop PC that has contacted the BO:Writable BO:Heap virus alert ... and I can't seem to get rid of it.  I have tried many things, but all to no avail.

Scenario:  1. When the user tries to use the internet (IE 6), they get the following virus alert from McAfee:
                         Name: C:\Program Files\Internet Explorer\iexplorer.exe:KERNEL32.GetProcAddress
                         Detected As:     BO:Writable     BO:Heap
                         State:                Blocked by Buffer Overflow Protection
                 2. All other software works perfectly fine ... .no issues/problems ... only IE6 is the problem.

Current State:  1. Currently we have McAfee's Enterprise Solution 8.5i as our virus protection.  The patch
                            version is 5; scan engine is 5200.2160; dat version is 5303.0000; created on 05/26/08;
                            buffer overflow and access protection dat version is 354.
                        2. We are a Microsoft shop, so using another browser is not an option.

What I have done:  1. I have run a McAfee virus scan and nothing was found.
                               2. I installed Spy Sweeper and it found spyware but did not rid the PC of the 2 alerts.
                               3. I downloaded BitDefender and ran it ... it too found stuff but did not rid the PC of
                                   the above 2 alerts.
                               4. I installed Symantec's Endpoint Protection ... and that froze on me while running.
                               5. I have investigated experts-exchange and so far, "it seems" that things I have tried
                                   experts-exchange has suggested.

Other things:  1. The PC is a corporate controlled PC, so I can't change the buffer overflow protection.
                       2. I don't want to re-format the hard drive, but if I have to ... I have to.  Since the users can
                          get to their data, I may just copy the data to a memory stick and put it back on when the
                          hard drive is re-formatted and all software is re-installed ... again, I don't want to, but if I
                          have to I will.
                      3. However, I find this a challenge and I want to understand how to remove this message
                          in case it happens again on another PC.
                      4. I have been to McAfee's website and they do acknowledge that the above 2 alerts have
                          been found by McAfee's anti-virus software; however unless I missed it, McAfee did not
                          give a solution to rid the PC of the 2 alerts.

Thanks for your help.  
Anti-Virus Apps

Avatar of undefined
Last Comment
Steve Avery

8/22/2022 - Mon
Mohammed Hamada

Download Hijackthis
http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe

After downloading is, Install -- Run and click  "Do a system scan and save a logfile"..
Don't fix anything just attach the logfile here and we'll look into it.
rpggamergirl

A B0:Heap virus alert is usually a sign of Lop infection.

A hijackthis log as already suggested is also a good idea to check what's running in the system and what infection is present.

You can also try NoLop.
Please Download NoLop to your desktop from one of the links below...
http://www.spywareedge.net/nolop/NoLop.exe
http://www.spywaretimes.com/Tools/download/21/chk,ed0778d88843ca2625ab6208a197bcc5/
http://www.thespykiller.co.uk/forum/index.php?action=tpmod;dl=item16

First close any other programs you have running as this will require a reboot
Double click NoLop.exe to run it
Now click the button labelled "Search and Destroy"
<<your computer will now be scanned for infected files>>
When scanning is finished you will be prompted to reboot only if infected, Click OK
Now click the "REBOOT" Button.
A Message should popup from NoLop. If not, double click the program again and it will finish Please Post the contents of C:\NoLop.log.

Alternatively, a Lop uninstaller download:
http://www.pchell.com/downloads/lopuninstall.exe
ASKER
Steve Avery

moh10ly:
I did download Hijackthis and I did as you suggested ... attached is the logfle.

rpggamergirl:
In doing my research on this issue, I came to experts-exchange.  One of the suggestions was to download the nolop executeable.  I did that and nolop.exe did not find anything.  However, per your suggestion, I ran it again ... and again it did not find anything.
hijackthis.log
Your help has saved me hundreds of hours of internet surfing.
fblack61
Mohammed Hamada

There are two items (Marked below as first and second)  that I couldn't identify if they belong to the client that your fixing or to a domain or a specific script that you are running ... If you know these are safe and you use them then don't fix them if not then go ahead with the fix.

Run Hijackthis again and clean the listed below...

R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (file missing)
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL (file missing)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (file missing)
O2 - BHO: Browser Helper Object - {AFD4AD01-58C1-47DB-A404-FBE00A6C5486} - C:\Program Files\Common\helper.dll
O3 - Toolbar: CouponBar - {5BED3930-2E9E-76D8-BACC-80DF2188D455} - (no file)
O4 - HKLM\..\Run: [installerkey] regedit /s c:\windows\installerkey.reg  (XXXXXX) <--- FIRST ONE
O4 - HKLM\..\Run: [Cleanmgr] "C:\WINDOWS\Cleantemp.exe" /s        (XXXXXX) <--- SECOND ONE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZUxdm080YYUS
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-3/MyFunCardsFWBInitia lSetup1.0.1.0.cab

Download CCleaner - Install it and run clean to empty all the Temp folders.

http://fs6.filehippo.com/7532/7cf471367a9e41fb97016f51e4954efa/ccsetup207.exe

Also Download Trend Micro" CWShredder" Run Click I Agree, Check the Box next to Move CWS ... and then click Fix.

http://www.trendmicro.com/ftp/products/online-tools/cwshredder.exe

Also Download SpywareBlaster, After installation Download updates manually and Enable protection for IExplroer and Firefox..

Download Link
http://fs7.filehippo.com/2100/5fbb13e21521468584344a9e3f59fbf1/spywareblastersetup40.exe

After using all those,,,, Report back
rpggamergirl

No sign of Lop there I'm surprised as Bo:heap is usually the sign of it.

If problem persists, let's try Combofix and see what it finds.

Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply along with a fresh HJT log
Re-enable all the programs that were disabled during the running of ComboFix..


Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

-------------
Also, your java is also the lower version which is very vulnerable to infections especially vundo. I suggest downloading the latest version.
Updating Java:
Go to Start > Control Panel > Add/Remove programs.
Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
Select and click Remove.

Then Download and install the newest version from here:
http://www.java.com/en/download/manual.jsp
ASKER
Steve Avery

moh10ly:
I did everything you asked me to do and still the BO:Writable BO:Heap still appears when accessing the internet.  Attached is a copy of the latest hijackthis log; also, a copy of the combofix log that rpggamergirl requested.

Moreover, the installerkey.reg and the cleantemp.exe you pointed out to me is something that corporate has installed on all of the machines.  Also, your link to ccleaner was not up-to-date.  I googled it and was able to get the latest version.  Also, I am not in the office on Friday, so I will not be able to report back to you until Monday.

Thanks for your help.

rpggamergirl:
I did run the combofix program as you requested and sorry to report, I still have the BO:Writable BO:Heap virus alerts showing up when accessing the internet explorer.  Attached is a copy of the combofix log you requested and a copy of the latest hijackthis log moh10ly requested.

I have not yet installed the latest version of java.  Also, I am not in the office on Friday, so I will not be able to report back to you until Monday.

Thanks for your help.

hijackthis1.log
log.txt
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
Mohammed Hamada

Still the same items were not fixed ...
Try to run hijackthis again and fix them after closing all other applications to avoid access problems.

O2 - BHO: Browser Helper Object - {AFD4AD01-58C1-47DB-A404-FBE00A6C5486} - C:\Program Files\Common\helper.dll
O3 - Toolbar: CouponBar - {5BED3930-2E9E-76D8-BACC-80DF2188D455} - (no file)

rpggamergirl

O2 - BHO: Browser Helper Object - {AFD4AD01-58C1-47DB-A404-FBE00A6C5486} - C:\Program Files\Common\helper.dll
The above entry won't go? try and turning off realtime monitors/shield that you might have before fixing entries.

C:\WINDOWS\cpnprt2.cid <-- delete this this one.
 
In add/remove programs, also uninstall these if listed there, they are unnecessary.
My Web Search Bar
MyWebSearch Email Plugin


Looks like a file infector was busy there at some stage.
Some legit files there were being replaced and it seems those replaced files have been deleted by your antivirus scanner as they're showing empty in the CF log. We can try and replaced those files, then scan with BitDefender or Kaspersky afterwards.


Download FindAWF
http://noahdfear.net/downloads/FindAWF.exe

Save the file to the Desktop
Double-click the FindAWF icon.

If a Security Alert shows, allow the program to run.
As instructed, press any key to continue.
Use the following option: Press 1 then Enter to scan for bak folders
The scan may take a while, please be patient.

When done, a text file, Find AWF report is produced, please attach that here using "Code Snippet"
ASKER
Steve Avery

moh10ly / rpggamergirl,

I did what both of you told me to do ... I should have stop there; however, while I was cleaning up what you both wanted me to clean up, I decided to completely remove the Symantec Endpoint entries from the register.  Once I got done, I rebooted the PC and it came back with a corrupted registry.  The SYSTEM file is corrupted.  I will probably have to use the ultimate boot cd to recover the corrupted registry.  Please give me a few days.  Thanks.
All of life is about relationships, and EE has made a viirtual community a real community. It lifts everyone's boat
William Peck
rpggamergirl

Did you run FindAWF? It wasn't a scanner that cleans bad files.
If you have ran it, we need to see the log. Combofix log showed legit files that has been moved from its default location.
The FindAWF scan - it will find all the original folders and files that needs to be restored.

Step 2 -  we input all the files in a script that need to be restored.

Step 3 - we input a script to delete those moved original folders.
rpggamergirl

In Combofix log, it showed that these files below have been moved from its default location, FindAWF is the tool that finds all of the moved files(in case combofix didn't list them all.)
smax4pnp.exe
userupdaterini.EXE
userupdaterini.EXE
jusched.exe
msmsgs.exe
Advertise.lnk
qttask.exe
Advertise.lnk
Cleantemp.exe
hkcmd.exe
igfxpers.exe
igfxtray.exe
Mohammed Hamada

Try scanning your PC using Trend micro Online Scanner.
I suppose you have some rootkits.

Link:
http://prerelease.trendmicro-europe.com/hc66/launch/
click on launch housecall free scan and then follow the instructions that will be provided later.

Download Anti rootkits
Use the 5 star - free ones.
http://www.antirootkit.com/software/index.htm

When you scan using any of them, they will a log file... post here when done.
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
ASKER
Steve Avery

moh10ly/rpggamergirl,

Good news ... the BO:Writable BO:Heap virus is gone.  Don't know how, but its gone ... here is what I did:
     - on Monday, I corrupted the registry (the system file), as I mentioned in the last correspondence
     - today Thursday, I used the ultimate boot cd to boot the machine and was able to manually fix
       the registry ... I used the register files from last Thursday's restore point
     - after fixing the registry and rebooting the machine, I used last Thursday's restore point to do
       a system restore
     - after a successful restore, I ran hijackthis again and followed your suggestions up to last
       Thursday as to what to fix (sorta/kinda getting myself back where I was last Thursday)
     - after hijackthis fixed the points that both of you suggested, I rebooted and was able to get to the
        internet with absolutely no trace of BO:Writable BO:Heap virus
     - again, I don't know exactly what happened in the above sequence to rid the machine of the
        virus, but it is gone

THANK YOU both for your help and support.  It probably would have been easier to save data to a memory stick and re-format the hard drive.  But in the long run, this issue now gives me knowledge in
how to handle a virus of this nature.  Again, THANK YOU both for your help ... keep up the excellent work.

sla0610

ASKER CERTIFIED SOLUTION
Mohammed Hamada

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
See how we're fighting big data
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
SOLUTION
Log in to continue reading
Log In
Sign up - Free for 7 days
Get an unlimited membership to EE for less than $4 a week.
Unlimited question asking, solutions, articles and more.
ASKER
Steve Avery

Thanks again.