Virus infection bo heap, internet explorer crashes all the time

PDvD3 asked
5,735 Views
Last Modified: 2013-12-09
Hello experts,
I experience a problem with McAfee VirusScan Enterprise. When I start Internet Explorer the program hangs and the virus scanner comes with the message that there is an infection, bo heap. Doing some research I found some articles with several solutions.
I tried a lot of antispyware, antivirus and rootkit programs with no result. Also reinstalled McAfee VirusScan with no result. Internet Explorer still hangs and McAfee still says infection with bo heap.
I have also used HijackThis and my log file is attached. Hope that someone can help me with interpreting this file.
The operating system we use is XP Pro SP2, Internet Explorer 7 and McAfee VirusScan Enterprise 8.0.

Hope you can help me, thanks
Dirk-Jan
hijackthis150708

CERTIFIED EXPERT
Top Expert 2007

Commented:
BO heap is usually a sign of lop infection but it's not showing in your logfile.

Try running combofix, even if it doesn't remove anything we can look at the list of files in the last 30 days.

Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply along with a fresh HJT log
Re-enable all the programs that were disabled during the running of ComboFix.


Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


OR:
Do an online Kaspersky scan and save the log and show us.
Using Internet Explorer, run Kaspersky Online Scanner
http://www.kaspersky.com/virusscanner
   
* Click 'Accept' in the window that pops up.
* You will be prompted to install an ActiveX component from Kaspersky, Click on the information bar and select Install ActiveX Control if so. This may happen more than once. That is OK. You also may get a warning from your Windows Firewall. You can tell it to unblock.
* The program will launch and then start to download the latest definition files.
* Once the scanner is installed and the definitions downloaded, click 'Next'.
* Now click on 'Scan Settings'
* In the scan settings make sure that the following are selected:
          o Scan using the following Anti-Virus database: 'Extended' (If available, otherwise 'Standard')
          o Scan Options: 'Scan Archives' and 'Scan Mail Bases'
* Click 'OK'
* Now under 'Select a target to scan' select 'My Computer'
* The scan will take a while, so be patient and let it run. Once the scan is complete, it will display whether your system has been infected.
* Now click on the 'Save Report As...' button:
* Make sure it says Save as a text file - change it if not
* Save the file to your desktop.

Author

Commented:
Thank you rpqqamergirl for your quick reply. It took some time scanning with ComboFix but here is the log file. A fresh log file of HijackThis follows. Thank you.
ComboFixlog.txt

Author

Commented:
Here is the new HijackThis log file.

hijackthis.log
CERTIFIED EXPERT
Top Expert 2007

Commented:
Thanks for the logs.

Run combofix again using this script.

1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
Folder::
C:\WINDOWS\TEMP\TMP0000000D1143BA0A7A7D7185
C:\WINDOWS\TEMP

------------------------------------------------------------------------

3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

Author

Commented:
Like you suggested, I made the script and started a new scan as you explained. This is the result: see attachment.

NewComboFixlog.txt
CERTIFIED EXPERT
Top Expert 2007

Commented:
C:\WINDOWS\TEMP <-- can you try and empty this folder? in safe mode maybe.

Or use third party programs like below:
Download and run ATF Cleaner by Atribune.
http://www.atribune.org/ccount/click.php?id=1
 
Reboot your computer into Safe Mode.
 
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

(If you use Firefox or the Opera browser, to keep saved passwords, click No at the prompt.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time.

OR:
CCleaner:
http://www.ccleaner.com/download/
CERTIFIED EXPERT
Top Expert 2007

Commented:
Do you have lots of valuable data in that pc?

Just so you know these trojans are also called banking trojans, they steal info.
They could also infect your MBR (Master Boot Record).


If they don't go manually, maybe SDfix will delete those files:
Download SDFix and save it to your desktop.(either one below)
http://downloads.andymanchesta.com/RemovalTools/SDFix.zip
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

If needed: How to use SDFix.
http://www.bleepingcomputer.com/forums/topic131299.html

Double click SDFix and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* Open the extracted folder and double click "RunThis.bat" to start the script.
* Type "Y" to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display "Finished", then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and attach the "Report.txt" back

Author

Commented:
Thanks again, I've got the feeling that this leads to a solution.
I first cleaned all temp files in safe mode. Then I restarted in safe mode and gave SDFix a go. After scanning the PC restarted and SDFix tried scanning again. Unfortunately it then comes with an error:

read file error: c:\WINDOWS\Temp\bca4e2da.$$$ , Het system kan het opgegeven bestand niet vinden
read file error: c:\WINDOWS\Temp\fa56d7ec.$$$ , Het system kan het opgegeven bestand niet vinden
(System cannot find the location of the file) (translated)
This error is logged in the catchme.log

I then tried to run catchme manually; that works, after scanning it reports 460 hidden files. What to do?
At the moment I'm not at the office, I hope to tackle the problem tomorrow. I'm a bit worried because this is a computer in a domain in a little office, so I hope the problems stay with this machine.

still need your help.

Author

Commented:
Hi there, again

I'm still searching for a solution and have done some research. When reading about SDFix it occurred to me that the reboot after the scan of SDFix in safe mode does not work well. In the item How to use SDFix it says that after the reboot the computer will start with a screen stating that SDFix has finished and "At this point you should press any key on your computer's keyboard in order to continue to your desktop".
This does not happen on my machine. I have to push the power on button so it boots again and I assume there lies a problem. I log on and then SDFix tries to go on.
I'm open for suggestions, need help.

thanks,
Dirk-Jan
CERTIFIED EXPERT
Top Expert 2007

Commented:
catchme found 460 hidden files? they're not necessarily infected files, do you have the report?

These files below are what concern me, they need to go, the whole folder needs to be emptied just in case other bad files are hiding there too.
c:\WINDOWS\Temp\bca4e2da.$$$
c:\WINDOWS\Temp\fa56d7ec.$$$

Was SDFix able to produce a log at all?
Are these files above still present in the system?
c:\WINDOWS\Temp\bca4e2da.$$
c:\WINDOWS\Temp\fa56d7ec.$$

Author

Commented:
Hi there,

Here is the report made by SDFix, hope you can tell me more about it. At the moment I'm scanning with Gmer and while it runs I can see some entries that are not well. I will post that log also.
Report.txt

Author

Commented:
Scanning with Gmer is ready, here is the log file. Those entries with WS2.32.dll are bad I think.
Waiting for reply, thanks
GmerLog.log
CERTIFIED EXPERT
Top Expert 2007

Commented:
>>>Those entries with WS2.32.dll are bad I think.<<<
I don't know if those lines are bad, I'm not really sure how Gmer works but the file in itself " WS2.32.dll" is legit.

Gmer has detected an MBR rootkit, so I would suggest fixing your MBR.
You can use the latest version of the mbr.exe tool or the Recovery Console.
http://www2.gmer.net/mbr/mbr.exe 


In this link it shows you how to do it.
http://askbobrankin.com/fix_mbr.html 
To fix a modified MBR you can use the Windows Recovery Console and use the 'fixmbr' command.
You boot the recovery console by using your Windows CD / DVD.

1. Restart your computer with the Windows XP Setup disk in the CDROM drive.
2. If you are prompted to press a key to start the computer from CDROM, do so quickly. Otherwise it may try to boot from the hard drive.
3. After a few minutes, you'll see a prompt to press the R key to start the Recovery Console.
4. When Recovery Console starts, it will prompt you to enter a number corresponding to the Windows XP installation that you need to repair. In most cases, you'll enter "1" (which will be the only choice). If you press ENTER without typing a number, Recovery Console will quit and restart your computer.
5. Enter your Administrator password. If you don't enter the correct password, you cannot continue.
6. At the Recovery Console command prompt, type fixmbr and then verify that you want to proceed.


Also check below link "How To use Recovery Console" might help:
http://web.mit.edu/ist/products/winxp/advanced/registry-corruption.html

Author

Commented:
hi,

I installed the recovery console and ran fixmbr. There is some effect but when I run Gmer again it still keeps some entries about \device\Harddisk0\DR0 sector 61: malicious code @ sector ...
A lot of other entries are gone. so something good is happening.
I attached the new Gmer log

NewGmerLog.log
CERTIFIED EXPERT
Top Expert 2007

Commented:
As long as you've already run "fixmbr" I'm good because doing that is supposed to remove the MBR rootkit.

The Gmer log now doesn't have the line;
MBR rootkit code detected                      <-- ROOTKIT

So maybe that malicious code stated there might be a false positive or just a non-standard sector, I don't know.
We could try and contact Gmer and ask for his help/an explanation about what the below line means which is after fixing mbr.
Disk \Device\Harddisk0\DR0 sector 61: malicious code @ sector 0x950e4c1 size 0x1fd
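As an added illustration (not part of this thread and not Gmer's own code), a small Python parser over constructed Gmer-style lines modelled on the two quoted above: it checks whether the "MBR rootkit code detected" verdict is gone after fixmbr and lists any residual per-sector findings that still need review. The exact line format and the "---- EOF" marker are assumptions.

```python
import re
from dataclasses import dataclass

# Per-sector finding as Gmer printed it in this thread (assumption: other
# Gmer versions may word this line differently).
SECTOR_RE = re.compile(
    r"^Disk (?P<dev>\\Device\\Harddisk\d+\\DR\d+) sector (?P<sector>\d+): "
    r"malicious code @ sector (?P<addr>0x[0-9a-f]+) size (?P<size>0x[0-9a-f]+)",
    re.IGNORECASE,
)
MBR_FLAG = "MBR rootkit code detected"   # the "<-- ROOTKIT" verdict line

@dataclass
class MbrFinding:
    device: str
    sector: int        # sector number Gmer reported the hook in
    code_sector: int   # where the flagged code actually lives
    size: int

@dataclass
class GmerSummary:
    mbr_rootkit_flag: bool
    findings: list     # of MbrFinding

def parse_gmer_log(text: str) -> GmerSummary:
    """Pull the MBR verdict line and per-sector findings out of a Gmer log."""
    flag, findings = False, []
    for line in text.splitlines():
        if MBR_FLAG in line:
            flag = True
        m = SECTOR_RE.match(line.strip())
        if m:
            findings.append(MbrFinding(m["dev"], int(m["sector"]),
                                       int(m["addr"], 16), int(m["size"], 16)))
    return GmerSummary(flag, findings)

def triage(before: GmerSummary, after: GmerSummary) -> str:
    """Classify a post-fixmbr rescan against the pre-fix log."""
    if after.mbr_rootkit_flag:
        return "mbr-rootkit-still-present"
    if before.mbr_rootkit_flag and after.findings:
        return "rootkit-flag-cleared-residual-sectors"  # ask vendor / review
    return "sector-findings-only" if after.findings else "clean"

# Constructed sample logs modelled on the two lines quoted in this thread.
LOG_BEFORE = r"""MBR rootkit code detected                      <-- ROOTKIT
Disk \Device\Harddisk0\DR0 sector 61: malicious code @ sector 0x950e4c1 size 0x1fd
---- EOF - GMER ----"""
LOG_AFTER = r"""Disk \Device\Harddisk0\DR0 sector 61: malicious code @ sector 0x950e4c1 size 0x1fd
---- EOF - GMER ----"""
```

Running `triage(parse_gmer_log(LOG_BEFORE), parse_gmer_log(LOG_AFTER))` reproduces the situation in this thread: the rootkit verdict is cleared but one sector finding remains for review.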

Author

Commented:
I have to say thank you for being willing to help me. At the moment the machine works better. I can even start Internet Explorer without hanging. It just reacts well, so the problem seems to be gone. I'm not totally convinced that this is it.
Your proposal to get in contact with Gmer is a good one. I've already sent them the log file. I hope they are willing to help.
One thing I found weird: how did we get this kind of infection?

Maybe at this stage I have to accept.
Are there any steps you advise me to go on from this point?

Dirk-Jan

Author

Commented:
Thank you rpqqamergirl, I'm happy about the way you helped me out here!!
I'll keep you posted with the Gmer issue. Where shall I put my findings about the Gmer issue? Can I just put them here in this thread/question?

Lots of thanks again

Dirk-Jan

Author

Commented:
I'm very thankful for the way you helped me. Where shall I put my result about the Gmer line if they answer me?
Thanks again,

Dirk-Jan
CERTIFIED EXPERT
Top Expert 2007

Commented:
You're welcome, it's a pleasure working with you.

Yes, you can just post your findings here so everyone that will be reading this thread can benefit on the info, or you can just email it to me.

I would also like to suggest that you change all passwords that have been used on this PC, and if you do your banking on this PC you also need to notify your bank just to make sure that everything is in order.


You can now uninstall ComboFix please.
Go to Start > Run and copy and paste the next command in the field:

ComboFix /u


Thanks!
