TechSpot

Downloader BEW infected

By Bravo466
Oct 28, 2007
  1. Hi,

    The other day I was using my computer when my McAfee Virus program popped up saying that the Downloader-BEW virus had infected 4 files on my computer including , gmail Notifier and**Apoint.exe.**It indicated it deleted those four files.** A couple of days later, McAfee popped up again and it found the Downloader-BEW virus had infected about 40 more .exe files including ituneshelper, some AOL software and others and deleted those files.**

    I followed the steps in the "Viruses/Spyware/Malware, preliminary removal instructions"**Attached are my log files.

    The Panda software indicated that it did not find anyhting.

    Do you think my system is clean now?

    I think it is unrelated by I will mention it just in case.**About a month ago I got a message saying " Files that are required for Windows to run properly have been replaced by unrecognized versions.**To maintain system stability Windows must restore the original versions of these files.**Insert your CD ROM now"

    My laptop, a Sony, did not come with the Windows installation**CDs.**I hit cancel and the message**only popped up one other time a couple of days later. I haven't received the message again in about a month.

    Thanks for you help!
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    I need to see the actual Combofix log and not the Combofix quarantine log.

    All items in your AVG Antispyware log say "Ignored". That`s because you haven`t told AVG Antispyware to quarantine it`s results as per the instructions. See this pictorial guide.

    I`d like to check your system for a very specific infection.

    Please download FindAWF to your Desktop.
    Double-click FindAWF.exe to start the tool.
    Select "option #1 - Scan for bak folders" by typing 1 and press Enter
    When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt as an attachment.

    Also please post a Combofix log as well as a fresh AVG Antispyware log.

    Regards Howard :wave: :wave:

    This thread is for the use of Bravo466 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  3. Bravo466

    Bravo466 TS Rookie Topic Starter

    Thank you for your help Howard.

    In regards to the AVG Antispyware log. I did notice that those files were set to ignore.**I reran the program again afterwards and fixed those.**When I went to upload the new log file I could not find it.** I meant to mention that in my first post, sorry.**Just in case I reran the program yesterday and it did not find anything.

    Attached please find my Combo log and the FindAWF log.

    If you need me to follow up with anything else please let me know.**

    Thank you again for your help
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Just as I suspected.

    Your system is infected with a trojan called Downloader.Agent.awf. It replaces legitimate files that are common on most computers with an infected file. Then, it moves the legitimate files to a bak or backup folder.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Go and read this thread HERE and follow the instructions exactly.

    Post the requested log files when done.

    Regards Howard :)

    This thread is for the use of Bravo466 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  5. Bravo466

    Bravo466 TS Rookie Topic Starter

    Thank you for your help again.

    I followed the steps at the link you posted.

    About 4 bak files were not restored/removed.
    I ran the steps again and all but one was removed then.
    I ran it again and that same bak folder was still there.

    Attached are my requested logs.

    Thanks
     
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You`ve done a really good job there.

    We need to remove those manually. Please note: You will probably need to reinstall Exifer and your AOl software once we`re done.

    You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    IMG_0338.exi
    AOLDial.exe

    Close task manager.

    Locate and delete the following bold files and/or folders(if there).


    C:\Program Files\Exifer\exifbak
    C:\Documents and Settings\Harris Sokoloff\Desktop\alska pics\3 hours\IMG_0338.exi
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    C:\Program Files\Common Files\AOL\ACS\bak

    Reboot into normal mode and rehide your protected OS files.

    Run the FindAWF tool again and press option1.

    Post the awf.txt.

    Regards Howard :)

    This thread is for the use of Bravo466 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  7. Bravo466

    Bravo466 TS Rookie Topic Starter

    It seems the files are removed for good now. Attached is the new log file.


    Am I correct in saying that the trojan has been removed?**If so where in the process was the Trojan itself removed?**I am just curious so I can get a better understating of how these trojans/ removal applications work

    Thanks
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Yes, that`s clean.

    Now, delete all files in AVG Antispyware quarantine.

    Then, post fresh Combofix and HJT logs.

    Regards Howard :)

    This thread is for the use of Bravo466 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  9. Bravo466

    Bravo466 TS Rookie Topic Starter

    I deleted the quarantined files from AVG the virus software.

    Attached are the two log files requested.

    When the combofix was running, the AOL spy ware software on my computer popped up indicated that it found "bifrost", a backdoor malware software on my computer. I choose the option to block it. I don't remember this software being noticed on any of the other scans that I ran before.


    Thanks for your help!
     
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    bitfrost is part of Combofix and is not malicious.

    Go to add remove programmes in your control panel and uninstall anything to do with(if there).

    viewpoint
    viewpoint toolbar
    viewpoint manager

    Close control panel.

    Click start/run and type services.msc into the run box and press the enter key.

    When the window appears, maximise it. Double click on the following services(if there) and select stop if they are running. Set the startup type to disabled. Click apply/ok for each service you disable.

    Viewpoint Manager Service

    Close the services window.

    Open notepad and copy/paste the text in the code box below into it:
    NOTE* make sure to only highlight and copy what is inside the quote box nothing out side of it.
    Also ..

    Pay particular attention to this :-

    Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
    Code:



    Save this as CFScript.txt

    Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

    [​IMG]

    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a fresh HJT log.

    Regards Howard :)

    This thread is for the use of Bravo466 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  11. Bravo466

    Bravo466 TS Rookie Topic Starter

    Attached are the new logs

    Thanks
     
  12. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    All clean.

    Delete the following folder.

    C:\qoobox

    Turn off system restore.(XP/ME only) See how HERE.

    Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

    Go HERE, download and install the latest version of Java.

    Once it`s installed, go to add remove programmes in your control panel and uninstall all previous versions of Java, except version 6 update 3. Close Control panel.

    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

    This thread is for the use of Bravo466 only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  13. Bravo466

    Bravo466 TS Rookie Topic Starter

    I made those deletions/changes.

    Thank you so much for you time and help. I really do appreciate it.

    This thread is now closed: If you need this thread unlocking, please pm a moderator with a link to the thread.

    Only the original thread starter can do this. Anyone else, will be ignored.
     
Topic Status:
Not open for further replies.

Similar Topics

Add New Comment

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...