RESOLUTION
Antivirus software with up-to-date signatures will help prevent the Backdoor:W32/Berbew Trojan horse from infecting your computer.
Important We also recommend that you use an Internet firewall and an antivirus program with up-to-date signatures, and that you keep both Windows and your programs up-to-date.
For more information about how to prevent viruses, and about how to recover from virus infections, click the following article number to view the article in the Microsoft Knowledge Base:
129972 Computer viruses: description, prevention, and recovery
Download and setup information
Prerequisites
The Download.Ject Payload Detection and Removal Tool has the following prerequisites:
- Your computer must be running Microsoft Windows 2000 SP2 or later or a 32-bit version of Microsoft Windows XP.
- You must log on as a computer administrator or as a member of the Administrators group.
For more information about how to determine whether a computer is running a 32-bit version of Windows XP or a 64-bit version of Windows XP, click the following article number to view the article in the Microsoft Knowledge Base:
827218 How to determine whether your computer is running a 32-bit version or 64-bit version of Windows XP
If these prerequisites are not met, the installation will not work, and you will receive an error message. For more information about the error message, view the following log file:
%Windir%\Debug\Berbcln.log
Additionally, we recommend that you install the Windows update to disable the ADODB.stream object in Internet Explorer before you run the removal tool. Although the removal tool will remove the Trojan horse from infected computers, it will not prevent re-infection if your computer is still vulnerable. By installing the critical update, you can help prevent additional downloads of malware from a Download.Ject-infected server.
For more information about the Windows update to disable the ADODB.stream object, click the following article number to view the article in the Microsoft Knowledge Base:
870669 How to disable the ADODB.Stream object from Internet Explorer
Restart requirement
You do not have to restart your computer after you install this tool.
Usage information
Important Before you follow these steps, make sure that you have backed up all your important data.
When you install the Download.Ject Payload Detection and Removal Tool and accept the end-user license agreement (EULA), the installation package extracts the Berbcln.exe file to a temporary folder, and then the removal tool runs. The removal tool verifies that your computer meets the prerequisites that are listed in the "Prerequisites" section. If the prerequisites are met, the removal tool takes the following actions:
1. The tool examines the following registry subkeys for entries that the Trojan horse has added:
   - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
   - HKEY_CLASSES_ROOT\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
2. The tool searches in memory for evidence of the main Backdoor:Win32/Berbew Trojan horse component. If the removal tool finds this, the process is ended.
3. The tool searches for the following data files that the Trojan horse created. These files may contain sensitive personal data. The tool deletes these files.
   - Neh2x32.vxd
   - Neh2x32.dat
   - Glumx32.vxd
   - Glumx32.dat
   - Tt32.vxd
   - Tt32.dat
   - Gart32.vxd
   - Gart32.dat
   - Jcole32.vxd
   - Jcole32.dat
   - Kk32.dll
   - Dnkk.dll
   - Surf.dat
   - Kkq32.dll
   - Kkq32.vxd
   - Dnkkq.dll
   - Kar32.dll
   - Kar32.vxd
   - Dkk32.dll
   - Zurfs.dat
4. The tool deletes all the files that are associated with the Backdoor:W32/Berbew Trojan horse. These files were identified in steps 1 and 2.
5. The tool removes the registry entries that it identified in step 1. If a Berbew registry value no longer points to a file on the hard disk, the removal tool does not remove the orphaned registry value, because the registry value will not cause any damage if the associated file does not exist on the hard disk.
6. As part of its method of operation, the Trojan horse runs two instances of Microsoft Internet Explorer in hidden windows. These windows try to connect to malicious Web sites. One instance tries to upload stolen personal data, and the other instance looks for software updates for the Trojan horse. If the tool detects the Backdoor:W32/Berbew Trojan horse on the computer, the tool ends all currently running instances of Internet Explorer.
7. The tool displays a message that describes the outcome of the detection and removal process. The following table contains the messages that you may receive, and it explains their meanings.

   Message | Meaning
   --- | ---
   No infection detected | The Backdoor:Win32/Berbew Trojan horse was not detected on this computer.
   Successfully removed Backdoor:Win32/Berbew.gen Trojan. To prevent malicious communication, all instances of Internet Explorer were terminated. | The Backdoor:Win32/Berbew Trojan horse was removed. No additional action is required.
   This tool must be run by an administrator. | You must log out and log on again as an administrator.
   Fatal error, please review log file. | See the %Windir%\Debug\Berbcln.log file for more information.
   Backdoor:/W32/Berbew.gen Trojan was detected, but could not be removed. | Try to run the tool again and check the log file for errors.
   This tool requires Windows 2000 or Windows XP. | This tool is not supported on versions of Windows other than Windows 2000 and Windows XP.
   Incorrect Windows version (Win32s) | This tool is not supported on Windows 3.1 with Win32s.

   When you close the message box, the removal tool quits, and the Berbcln.exe file is deleted from the temporary folder. You can now delete the Windows-KB873018-ENU-V1.exe file manually.
8. The removal tool creates a log file named Berbcln.log in the %Windir%\Debug folder. You can view this log file to determine if Backdoor:W32/Berbew.gen infections were detected and were removed.
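The following PowerShell script is an added example, not part of this article and not the Berbcln.exe tool. It performs a read-only audit of the artefacts the steps above say the tool checks: the two registry locations, the list of data file names, and Internet Explorer processes that have no visible window (a heuristic this example adds; the tool's own in-memory check is not described in enough detail to reproduce). The folders searched for the data files (%Windir% and %Windir%\System32) are an assumption, because the article does not say where the files are written. Run it in an elevated session; it deletes nothing.

```powershell
# Added example (not part of KB873018, not the Berbcln.exe tool): read-only
# audit for the Berbew artefacts the article lists. Assumptions are marked.

function Find-BerbewArtifacts {
    [CmdletBinding()]
    param()

    # Registry locations named in the article.
    $ssodl       = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
    $berbewClsid = '{79FEACFF-FFCE-815E-A900-316290B5B738}'
    $inprocKey   = "Registry::HKEY_CLASSES_ROOT\CLSID\$berbewClsid\InProcServer32"

    # Data file names listed in the article.
    $berbewFiles = @(
        'Neh2x32.vxd', 'Neh2x32.dat', 'Glumx32.vxd', 'Glumx32.dat',
        'Tt32.vxd',    'Tt32.dat',    'Gart32.vxd',  'Gart32.dat',
        'Jcole32.vxd', 'Jcole32.dat', 'Kk32.dll',    'Dnkk.dll',
        'Surf.dat',    'Kkq32.dll',   'Kkq32.vxd',   'Dnkkq.dll',
        'Kar32.dll',   'Kar32.vxd',   'Dkk32.dll',   'Zurfs.dat'
    )

    # Assumption: the article does not say where the data files live;
    # %Windir% and %Windir%\System32 are the folders searched here.
    $searchDirs = @($env:windir, (Join-Path $env:windir 'System32'))

    $findings = New-Object System.Collections.Generic.List[object]

    # 1. ShellServiceObjectDelayLoad holds CLSIDs of objects Explorer loads at
    #    logon. Flag any value whose data is the Berbew CLSID.
    if (Test-Path -LiteralPath $ssodl) {
        $values = Get-ItemProperty -LiteralPath $ssodl
        foreach ($prop in $values.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip PowerShell's own note properties
            if ("$($prop.Value)" -ieq $berbewClsid) {
                $findings.Add([pscustomobject]@{
                    Kind = 'Registry'; Location = "$ssodl\$($prop.Name)"; Detail = $prop.Value
                })
            }
        }
    }

    # 2. The CLSID's InProcServer32 default value is the DLL that would be
    #    loaded. Report it and whether the file still exists (the article
    #    notes the tool leaves orphaned values that point to nothing).
    if (Test-Path -LiteralPath $inprocKey) {
        $dll    = (Get-ItemProperty -LiteralPath $inprocKey).'(default)'
        $exists = if ($dll) { Test-Path -LiteralPath $dll } else { $false }
        $findings.Add([pscustomobject]@{
            Kind = 'Registry'; Location = $inprocKey
            Detail = "InProcServer32 = '$dll' (file present: $exists)"
        })
    }

    # 3. Data files by name in the assumed folders.
    foreach ($dir in $searchDirs) {
        foreach ($name in $berbewFiles) {
            $path = Join-Path $dir $name
            if (Test-Path -LiteralPath $path) {
                $size = (Get-Item -LiteralPath $path).Length
                $findings.Add([pscustomobject]@{ Kind = 'File'; Location = $path; Detail = "$size bytes" })
            }
        }
    }

    # 4. Heuristic added by this example (not the tool's memory check): the
    #    Trojan runs Internet Explorer in hidden windows, so list iexplore.exe
    #    processes with no main window. A user's own IE session can appear
    #    here too, so treat this as a lead to investigate, not as proof.
    Get-Process -Name iexplore -ErrorAction SilentlyContinue |
        Where-Object { $_.MainWindowHandle -eq 0 } |
        ForEach-Object {
            $findings.Add([pscustomobject]@{
                Kind = 'Process'; Location = "iexplore.exe PID $($_.Id)"; Detail = 'no visible window'
            })
        }

    return $findings
}

$result = Find-BerbewArtifacts
if ($result.Count -eq 0) {
    Write-Host 'No Berbew artefacts found at the locations checked.'
} else {
    $result | Format-Table -AutoSize
}
```

A hit in step 1 or 2 of the script is the strongest signal, because the ShellServiceObjectDelayLoad value and the CLSID key are exactly what the removal tool examines; a file-name match alone should be confirmed (for example by checking the file's hash against your antivirus vendor's detection) before acting on it.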
Command-line switches
The removal tool installer supports the following command-line switches:
- /Q - Use quiet mode or suppress messages when the files are being extracted.
- /Q:U - Use user-quiet mode. User-quiet mode displays some dialog boxes to the user.
- /Q:A - Use administrator-quiet mode. Administrator-quiet mode does not present any dialog boxes to the user.
- /T:path - Specify the location of the temporary folder that is used by the Download.Ject Payload Detection and Removal Tool Setup program, or specify the target folder for extracting files (when this switch is used together with the /C switch).
- /C - Extract the files without installing them. If /T:path is not specified, you are prompted to specify a target folder.
- /C:cmd - Specify the path and the name of another Setup.inf file or an .exe file to use to install the tool.
- /R:N - Never restart the computer after installation.
- /R:I - Prompt the user to restart the computer if a restart is required, except when this switch is used with the /Q:A switch.
- /R:A - Always restart the computer after installation.
- /R:S - Restart the computer after installation without prompting the user.
For more information about the supported installation switches, click the following article number to view the article in the Microsoft Knowledge Base:
197147 Command-line switches for IExpress software update packages
The removal tool supports the following command-line switch:
- /S - Enables silent mode for the tool. This switch suppresses the infection status dialog box that you receive after the tool has run.
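The following PowerShell script is an added example, not part of this article, showing the installer switches above used for an unattended run and, as an alternative, an extract-only run that leaves Berbcln.exe in a folder of your choosing (where it can then be started with its own /S switch). The installer file name is the one this article gives; its location (C:\Temp) and the extraction folder are assumptions. The article does not document the installer's exit codes or the log's format, so the script reports the exit code and prints the log rather than interpreting either.

```powershell
# Added example (not part of KB873018): unattended run of the removal tool
# installer with the documented switches, then a dump of the log it writes.
# Installer folder and extraction folder are assumptions.

param(
    [string]$Installer   = 'C:\Temp\Windows-KB873018-ENU-V1.exe',
    [switch]$ExtractOnly,                 # use /C /T:path instead of installing
    [string]$ExtractTo   = 'C:\Temp\berbcln'
)

if (-not (Test-Path -LiteralPath $Installer)) {
    throw "Installer not found: $Installer"
}

if ($ExtractOnly) {
    # /C extracts without installing; /T:path names the target folder so no
    # prompt appears; /Q suppresses messages during extraction.
    $installerArgs = @('/Q', '/C', "/T:$ExtractTo")
} else {
    # /Q:A = administrator-quiet mode (no dialog boxes); /R:N = never restart
    # (the article says no restart is needed in any case).
    $installerArgs = @('/Q:A', '/R:N')
}

$proc = Start-Process -FilePath $Installer -ArgumentList $installerArgs -Wait -PassThru
# Exit codes are not documented in the article; shown for the record only.
Write-Host "Installer '$Installer' finished with exit code $($proc.ExitCode)"

if ($ExtractOnly) {
    # With /C the tool has not run yet. The article says the package carries
    # Berbcln.exe, which accepts /S to suppress its infection-status dialog.
    $tool = Join-Path $ExtractTo 'Berbcln.exe'
    Write-Host "Extracted tool: $tool (run it with /S for silent mode)"
    return
}

# The tool records its detection/removal outcome in %Windir%\Debug\Berbcln.log.
$log = Join-Path $env:windir 'Debug\Berbcln.log'
if (Test-Path -LiteralPath $log) {
    Write-Host "--- $log ---"
    Get-Content -LiteralPath $log
} else {
    Write-Warning "$log was not written; check that the prerequisites (Windows 2000 SP2 or later, or 32-bit Windows XP, run as an administrator) are met."
}
```

Because /Q:A suppresses every dialog box, including the outcome message from the table above, the log file is the only record of what the tool found on an unattended run; keep it with the rest of your incident documentation.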
Removal information
The Berbcln.exe file is automatically deleted from its temporary location after the removal tool runs. You can delete the tool's installer package after you install the removal tool.
Note After you install the Download.Ject Payload Detection and Removal Tool, it does not appear in the Installed programs list in the Add/Remove Programs tool in Control Panel.