Please help bo heap virus

  1. #1
    Join Date
    Mar 2007
    Posts
    4

    Please help bo heap virus

    Hi

    My computer is infected with the bo heap virus. I get a message every time I restart the computer, and I also can't use Media Player since I get the message: Windows Media Player encountered a problem and needs to shut down....
    What can I do??? And please, if you need me to post a log transcript, do tell me how to do that too...


    I'll appreciate all the help I can get.

  2. #2
    Join Date
    Feb 2004
    Location
    Mandurah, Western Australia
    Posts
    10,157
    Hi and welcome to VDr forums.

    Please download and install AVG antispyware tool
    • Close all other applications, select language and click OK
    • Click I Agree
    • Click next
    • Click Install
    • Click Finish
    • Wait and AVG antispyware will open to the main screen automatically.
    • Wait again a few minutes and AVG antispyware should auto-update itself. If it doesn't, click Update at the top of the screen.
    • This is very important to get updates
    • When updating has finished, close AVG antispyware.
    If you have an "always on" connection to the internet, physically disconnect that connection until you are finished with Safe Mode and have rebooted back into normal mode.
    • Next, please reboot your computer in Safe Mode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    • Instead of Windows loading as normal, a menu should appear; use arrow up to highlight
    • Select the first option, to run Windows in Safe Mode hit enter.
    • For additional help in booting into Safe Mode, see the following site: HERE

      You MUST manage to get into Safe Mode for the fix to work.
    Make sure to close all open windows/programs/folders. Have nothing else open while AVG antispyware performs its scan!
    • Run AVG antispyware.
    • Click on scanner at top of AVG antispyware screen.
    • Click on Settings.
    • Under How to Act click on Recommended Action and choose Quarantine.
    • Under How to scan all boxes should be selected.
    • Under Possibly unwanted software all boxes should be selected.
    • On right side under Reports: click on Automatically generate report after every scan.
    • Under What to scan select scan every file.
    • Click On scan Tab.
    • Click on Complete system scan.
    • Let the program scan the machine. It can take a while; give it time.
    • When scan has finished at bottom of screen click Apply all Actions.
    • Click Save report
    • Click Save Report as (Save as window's screen should pop up.)
    • Click desktop.
    • Click Save.
    • Exit AVG antispyware.
    Reboot back to normal mode.

    Post the log here.

    ========

    Download HijackThis self-extracting zip version from here. Once downloaded, double click on the file & it will install into its own, permanent folder.
    Start HJT & press the "Do a system scan and save a log file" button. When the scan is finished a window will pop up giving you the option of where to save it. Save it to desktop where it is easy to access. Open the log file and copy the entire contents of the file & paste it into the body of your post. DO NOT FIX ANYTHING YET. Most of what is there is necessary for the running of your system.

  3. #3
    Join Date
    Mar 2007
    Posts
    4
    Wow, thank you so much for that elaborate answer. As soon as I get home I'm gonna follow your instructions. I have to say you're the only site that actually has a solution to this problem, or at least offers a solution. I'll keep you posted...

  4. #4
    Join Date
    Feb 2004
    Location
    Mandurah, Western Australia
    Posts
    10,157
    You are welcome. Hurry back.

  5. #5
    Join Date
    Mar 2007
    Posts
    4
    Ok so here is the log (I did everything you said)

    Logfile of HijackThis v1.99.1
    Scan saved at 6:01:11 PM, on 3/3/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
    C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
    C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\GalleryPlayer\Player\GPDownloadManager.exe
    C:\Program Files\GalleryPlayer\Player\GPClientMonitor.exe
    C:\WINDOWS\vVX3000.exe
    C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    c:\progra~1\intern~1\iexplore.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    C:\Program Files\Microsoft LifeCam\MSCamSvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Software\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [GPDownloadManager] C:\Program Files\GalleryPlayer\Player\GPDownloadManager.exe
    O4 - HKLM\..\Run: [GPClientMonitor] C:\Program Files\GalleryPlayer\Player\GPClientMonitor.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
    O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
    O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKLM\..\Run: [Windows Services] "C:\Program Files\svchosts.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [TickWaveSecondCake] C:\Documents and Settings\All Users\Application Data\log great tick wave\site soft.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NVMCTRAY.DLL,NvTaskbarInit
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Poke this] C:\DOCUME~1\D&N\APPLIC~1\TWOBUI~1\more download.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10...I.cab53083.cab
    O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10...y.cab53083.cab
    O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10...t.cab53083.cab
    O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (ZPA_TexasHoldem Object) - http://zone.msn.com/bingame/zpagames...e.cab53083.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramewor...o.cab53083.cab
    O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10...y.cab53852.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: ckpNotify - C:\WINDOWS\
    O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
    O21 - SSODL: altmannsberger - {210b4043-35ca-4aa0-8796-191f9663dfb3} - (no file)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

  6. #6
    Join Date
    Feb 2004
    Location
    Mandurah, Western Australia
    Posts
    10,157
    Quote Originally Posted by crunchie
    Exit AVG antispyware. Reboot back to normal mode.

    Post the log here.
    This one please.

    ======

    Could you click Start>Settings>Control Panel>Add or Remove Programs and uninstall 'Window Search', 'Window Searching', 'Lop.com', 'LOP SEARCH', 'Browser Enhancer', or 'Ultimate Browser Enhancer' if listed. You may be given a code to insert, do so and reboot when done. If not listed there, run the Lop Remover from:
    http://66.220.17.157/help.html

    ======

    Please go to Jotti's or to virustotal and have this file scanned. Post the results back here.

    C:\WINDOWS\vVX3000.exe

    ======

    Scan with HijackThis and then place a check next to all the following, if present:


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    R3 - Default URLSearchHook is missing

    O4 - HKLM\..\Run: [Windows Services] "C:\Program Files\svchosts.exe"

    O20 - Winlogon Notify: ckpNotify - C:\WINDOWS\

    O21 - SSODL: altmannsberger - {210b4043-35ca-4aa0-8796-191f9663dfb3} - (no file)


    Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

    ===============

    Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/ folders:

    files...

    C:\Program Files\svchosts.exe

    -

    Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in Safe Mode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    • Instead of Windows loading as normal, a menu should appear.
    • Select the first option, to run Windows in Safe Mode, and hit Enter.

    -

    Reboot.

    ===============

    After rebooting, rescan with hijackthis and post back a new log. Please let me know how your pc is now.
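
The check crunchie does by eye in post #6 can be sketched as a small log triage script. This is an added example, not part of the original thread and not HijackThis's own logic; the rules, the `SYSTEM_NAMES` list and the 0.9 similarity threshold are assumptions modelled on the entries flagged above, and the output is meant for a human helper to review.

```python
import re
from difflib import SequenceMatcher

# Constructed sample: entries copied from the HijackThis log posted in post #5.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Windows Services] "C:\Program Files\svchosts.exe"
O20 - Winlogon Notify: ckpNotify - C:\WINDOWS\
O21 - SSODL: altmannsberger - {210b4043-35ca-4aa0-8796-191f9663dfb3} - (no file)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Assumption: a short, hand-picked list of Windows process names that malware imitates.
SYSTEM_NAMES = ["svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "smss.exe"]
ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*)$")    # "O4 - ..." -> ("O4", "...")
EXE = re.compile(r'([A-Za-z]:\\[^"]*?\.exe)', re.I)  # first full path to an .exe

def imitates(path):
    """Return the system process name a file name nearly matches, else None."""
    name = path.rsplit("\\", 1)[-1].lower()
    for real in SYSTEM_NAMES:
        if name != real and SequenceMatcher(None, name, real).ratio() >= 0.9:
            return real
    return None

def triage(log_text):
    """Return (section, reason, line) for each entry a helper should look at."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        code, body = m.group(1), m.group(2).rstrip()
        exe = EXE.search(body)
        fake = imitates(exe.group(1)) if exe else None
        if code in ("R0", "R1") and body.endswith("="):
            reason = "registry value is empty"
        elif code == "R3" and body.endswith("is missing"):
            reason = "search hook entry is missing"
        elif code in ("O4", "O23") and fake:
            reason = "file name imitates " + fake
        elif code == "O20" and body.endswith("\\"):
            reason = "notify target is a folder, not a DLL"
        elif body.endswith("(no file)"):
            reason = "registered object has no file"
        else:
            continue
        findings.append((code, reason, line.strip()))
    return findings

for finding in triage(SAMPLE_LOG): print(*finding, sep=" | ")
```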

  7. #7
    Join Date
    Mar 2007
    Posts
    10

    Bo HeaP

    I have the same Bo HeaP virus, downloaded the AVG antispyware, downloaded fine, but was unable to do an update, received an error message, tried several times. I just updated McAfee 8.5 the other day, ran ad ware first. Found a lot of trojans, this one keeps on the desktop as
    Name: system32svchost.exe:KERNEL32.LoadLibraryA
    Detected as: BO: Writable BO:Heap
    State: Blocked by Buffer Overflow Protection

    Not sure how to proceed, thanks for any help you can provide

  8. #8
    Join Date
    Jul 1998
    Location
    Toronto
    Posts
    26,543
    Welcome to virtualdr.

    Have a look through this thread...

    http://discussions.virtualdr.com/sho...d.php?t=167915

    and do all of the things it suggests then copy the Hijackthis log into a new thread with all pertinent details.

    Pls make sure that HijackThis is installed into its own permanent folder, e.g. C:/program files/hijackthis.

    But please start a new thread so we can keep each member's problems separate. Thanks
