BestFriends.scr/AIM Beach Pics removal guide

edited October 2004 in Spyware & Virus Removal
The Problem:


My sis managed to get one of the family comps infected with what would appear to be a new variant of the "bestfriends.scr" AIM adware/virus.

She clicked a link labeled "LOOK HERE" in somebody's away message. Clicking the link launches the default web browser, which offers to download a file named bestfriends.scr or photos.pif. Both extensions are executable on Windows (.scr is a screen saver, .pif a program shortcut), so "opening" the download runs the worm.

Running the downloaded file opens two popups, each containing banners hosted on an Angelfire site, and sets the same AIM away message mentioned above, so the victim's buddies now see the same lure. Also, with some variants, if you try to open Task Manager or regedit on the infected machine, the window stays open for a mere second and then closes: the worm is closing the tools you would use to investigate it.

Another new variant of this virus, known as the "AIM Beach Pics" virus, works exactly the same way, except that the away message invites you to view some vacation photos. This guide applies to that variant as well.
The Solution:


1. First, turn on "Show hidden files and folders". Until you do, Explorer and the Search window will not display the worm's files, and you will not be able to remove them manually.


To do this: visit this page and follow the directions pertaining to your version of Windows.

2. Download HijackThis (HJT, the spyware hunter's best friend). Save it to an empty directory of its own: HJT keeps backups of the entries it fixes in a folder next to its executable, and you want those easy to find if you ever need to undo a fix.



3. Run the downloaded file and press the "Do a system scan and save a logfile" button, as shown in Fig-4. The application window quickly fills with entries, and a dialog appears asking where you would like to save a file (named "hijackthis.log" by default). Save this file to your desktop.

NOTE: If you do not see the "Do a system scan and save a logfile" button shown in the screenshot below, you are using an old version of HijackThis. Re-download HJT using the link in Step 2 to get the latest version.

fig4.jpg
Fig-4


4. Immediately after clicking "Save" in that dialog, a Notepad window opens with the log. Each entry in it represents one place Windows or Internet Explorer consults automatically: a startup program (the O4 Run-key entries), a browser helper object, a service, the hosts file, and so on. Malware stays resident by adding itself to one of these locations, which is why the log is where you look for it. Run a search (select Edit, then "Find" from the drop-down menu) for each of the following entries, searching for one file at a time:
  • MSOFTUPDATES.EXE
  • MSGINAV.EXE
  • YAHOOMSG.EXE
  • MSNGUYEN.EXE
  • NETSTATT.EXE
  • HQSNPFLH.EXE
  • EEPBIUNJ.EXE
  • BSPLAYER.EXE
  • KAZAALITE.EXE
  • WINMX.EXE
  • BSHARELITE.EXE
  • SVCHOSTA.EXE
  • SOFTICE32.EXE
  • WindowsSP2.exe
  • WINLOGONPC.EXE
  • MCAFEEANTIVIRUS.EXE
  • WINRAR32.EXE
  • MUSICMATCH32.EXE
  • WINAMP6.EXE
  • AMD64.EXE
  • AOLCLIENT.EXE
  • DRWEBAV.EXE
  • NORMANANTIVIRUS.EXE
  • SECUREANTIVIRUS.EXE

Be sure to search for each file one at a time!

* PLEASE NOTE: Although some of these names look like legitimate products (YAHOOMSG.EXE, WINRAR32.EXE, MCAFEEANTIVIRUS.EXE and so on), all of them have proven to be the files responsible; the worm borrows familiar brand names so its entries look harmless. For these files, and only these, take the brand name with a grain of salt. The path in the entry is the better check: a genuine product runs from the folder you installed it in, while a lookalike name launched from somewhere else is suspect.

If you find any of the files listed above in your log, write down the exact filename (and the path shown in the entry) somewhere else; you will need it in the steps below.



5. To delete these files, the worm must not be running: while it is active it can keep its files open and close Task Manager and regedit as soon as they start. Boot Windows into "Safe Mode", which does not run the normal startup (Run key) entries, so the worm is not started.

To boot into safe mode:
  • Reboot the machine and repeatedly press the F8 key while it starts, until a menu appears.
  • Use the arrow keys to select "Safe Mode" from the menu, and press Enter.
Once Windows finishes booting (it is normal for it to look a little different compared to a regular boot), you are in Safe Mode; the words "Safe Mode" appear in all four corners of the screen.



6. Select Start, then Search, and select "For files or folders". A search window opens. On its left side you will see the question "What do you want to search for?" with a list of answers below it. Select "All files and folders" (as seen in Fig-5), and the left side changes to boxes asking for the name of the file to search for.

fig5.jpg
Fig-5

8. Also on the left side of the same window is a "More advanced options" link. Click it and a few checkboxes appear. Make sure the boxes shown in Fig-6 are checked (they make the search include system folders, hidden files and folders, and subfolders; without them the worm's files can be skipped). If any is unchecked, click it yourself.

fig6.jpg
Fig-6

9. Back at the top-left of the search window is the box labeled "All or part of the file name:". Type in the filename you found in Step 4 (in this example, Fig-7, I'm using the filename "SOFTICE32.EXE") and press the "Search" button at the bottom-left corner of the window. Windows will begin searching your hard drive for the file; depending on the size of the drive and the speed of the computer, this can take 10 minutes or more.

fig7.jpg
Fig-7

10. Once the file appears in the right pane of the search window, select it with a single left-click (as in Fig-7), then hold down the SHIFT key and, while holding it, press Delete once. Shift+Delete removes the file outright instead of moving it to the Recycle Bin. When asked whether you really want to delete the file, press "Yes". Repeat Steps 9 and 10 for every filename you wrote down in Step 4.

fig8.jpg
Fig-8

11. Once every file has been deleted, reboot the machine back into normal mode.



12. Once Windows has finished booting, run HJT again and press the "Do a system scan only" button (just below the button you pressed in Step 3).



13. Look for the entries containing each file found in Step 4 and select each one by checking the box next to it. Once you are sure you have selected all of them, press the button labeled "Fix checked" at the bottom left. This removes the startup entries that pointed at the files you deleted.



14. To make sure the infection is gone, WAIT 10 SECONDS and repeat Steps 12 and 13.



If the entries containing the files from Step 4 are missing, you have successfully removed the infection. If an entry reappears in the HJT log, something is re-creating it: either a file was missed in Safe Mode or the worm was still running when you fixed the entries. Repeat Steps 3 through 11, being sure you have not made any errors.
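The Python script below is an added example, not part of the original guide and not part of HijackThis. It automates the manual parts of Steps 4 and 6 through 11: it searches a HijackThis log for the filenames listed in Step 4 (all of them at once, as whole tokens, so WINRAR32.EXE does not match a genuine WinRAR.exe), reports the path shown in each matching entry, and then locates files with those names on disk and deletes them, reporting any it could not remove. The sample log lines and every path in them are constructed for the example; the guide does not say where the worm stores its files, so the C:\WINDOWS locations are assumptions. The function names (find_indicators, locate_files, remove_files, demo_disk_cleanup) are mine.

```python
# Added example for steps 4 and 6-11 of the guide above; not part of the guide
# or of HijackThis. Sample log and all paths in it are constructed.
import os
import re
import shutil
import tempfile

# The filenames from step 4, upper-cased: Windows filenames are case-insensitive
# and the worm's copies need not match the listed case.
INDICATOR_NAMES = frozenset(n.upper() for n in [
    "MSOFTUPDATES.EXE", "MSGINAV.EXE", "YAHOOMSG.EXE", "MSNGUYEN.EXE", "NETSTATT.EXE", "HQSNPFLH.EXE",
    "EEPBIUNJ.EXE", "BSPLAYER.EXE", "KAZAALITE.EXE", "WINMX.EXE", "BSHARELITE.EXE", "SVCHOSTA.EXE",
    "SOFTICE32.EXE", "WindowsSP2.exe", "WINLOGONPC.EXE", "MCAFEEANTIVIRUS.EXE", "WINRAR32.EXE",
    "MUSICMATCH32.EXE", "WINAMP6.EXE", "AMD64.EXE", "AOLCLIENT.EXE", "DRWEBAV.EXE",
    "NORMANANTIVIRUS.EXE", "SECUREANTIVIRUS.EXE",
])

# Constructed HijackThis log excerpt: real HJT line formats, invented paths
# (the guide does not say where the worm stores its files).
SAMPLE_LOG = "\n".join([
    "Logfile of HijackThis v1.99.1",
    "Running processes:",
    r"C:\WINDOWS\System32\smss.exe",
    r"C:\WINDOWS\SOFTICE32.EXE",
    r"C:\Program Files\WinRAR\WinRAR.exe",
    "",
    r"O4 - HKLM\..\Run: [SoftICE] C:\WINDOWS\SOFTICE32.EXE",
    r"O4 - HKCU\..\Run: [Yahoo Messenger] C:\WINDOWS\System32\YAHOOMSG.EXE",
    r"O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2\bin\jusched.exe",
    r'O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background',
])

def _pattern(name):
    """Match name as a whole token (so WINRAR32.EXE does not hit the genuine
    WinRAR.exe), optionally preceded by a drive-letter path, ignoring case."""
    return re.compile(r"(?P<path>[A-Za-z]:\\.*?)?(?<![A-Za-z0-9_])"
                      + re.escape(name) + r"(?![A-Za-z0-9_])", re.IGNORECASE)

def find_indicators(log_text):
    """Step 4 for all names at once: (line_no, name, path_or_None) for every
    log line that mentions a listed filename. The path is what step 9 needs."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        for name in sorted(INDICATOR_NAMES):
            m = _pattern(name).search(line)
            if m:
                hits.append((line_no, name, m.group(0) if m.group("path") else None))
    return hits

def locate_files(root):
    """Steps 6-9: return full paths under root whose basename is listed. os.walk
    sees hidden and system files regardless of the Explorer setting in step 1."""
    found = []
    for dirpath, _subdirs, filenames in os.walk(root):
        found += [os.path.join(dirpath, f) for f in filenames if f.upper() in INDICATOR_NAMES]
    return sorted(found)

def remove_files(paths, delete=False):
    """Step 10: delete outright (no Recycle Bin, like Shift+Delete). With
    delete=False only report. Returns (removed, failed); a PermissionError here
    usually means the worm is still running with the file open, which is why
    the guide does this from Safe Mode."""
    removed, failed = [], []
    for path in paths:
        try:
            if delete:
                os.remove(path)
            removed.append(path)
        except OSError as exc:
            failed.append((path, str(exc)))
    return removed, failed

def demo_disk_cleanup():
    """Plant three constructed files in a temp tree (two listed names, one decoy
    with a genuine-looking name), clean it, and return
    (deleted basenames, remaining basenames, failures)."""
    root = tempfile.mkdtemp(prefix="aim_cleanup_")
    try:
        os.makedirs(os.path.join(root, "WINDOWS", "System32"))
        for rel in ("WINDOWS/SOFTICE32.EXE",          # listed
                    "WINDOWS/System32/yahoomsg.exe",  # listed, different case
                    "WINDOWS/WinRAR.exe"):            # decoy, not listed
            with open(os.path.join(root, *rel.split("/")), "wb") as fh:
                fh.write(b"MZ")  # two-byte stand-in, not a real executable
        removed, failed = remove_files(locate_files(root), delete=True)
        remaining = sorted(f for _d, _s, fs in os.walk(root) for f in fs)
        return sorted(os.path.basename(p) for p in removed), remaining, failed
    finally:
        shutil.rmtree(root, ignore_errors=True)

if __name__ == "__main__":
    for line_no, name, path in find_indicators(SAMPLE_LOG):
        print(f"log line {line_no}: {name} -> {path}")
    print(demo_disk_cleanup())
```

On a real machine, call locate_files with the drive root and compare the result against the paths reported from the log before passing delete=True; run it from Safe Mode for the same reason as the manual steps, since a file the worm holds open comes back in the failed list instead of being removed. It also needs a Python interpreter, which a stock Windows install of that era does not have.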

Assuming you have followed these steps correctly, you should now be rid of the problem. If not (or you cannot locate the file(s) causing it), please post your HJT log in a new thread with the subject mentioning "bestfriends.scr" or "AIM Beach virus" (whichever applies to you) so someone can assist you further.

Last update: 2/24/05

Comments

  • primesuspect (Beepin n' Boopin, Detroit, MI, Icrontian)
    edited October 2004
    DO NOT INSTANT MESSAGE OR PRIVATE MESSAGE THESMJ FOR MORE HELP IF YOU REQUIRE IT! HE WILL ONLY HELP YOU IF YOU MAKE A NEW THREAD WITH YOUR HJT LOG! NO EXCEPTIONS!

    If you are having trouble removing BestFriends and you cannot figure out what to do based on this guide, you should:

    1) REGISTER on our forums.

    2) READ this.

    3) POST a new thread in our Spyware/Virus/Trojan discussion forum,

    and finally, most importantly

    4) FOLD. It is a great project, doesn't change anything on your computer, and can help find cures for protein-related diseases like cancer and Alzheimer's. PLUS IT IS FUN, and you get to join our team. How cool is that?