TechSpot

Solved: I have the Downloader-BEW virus, need help!

By lemkorusyn
Oct 14, 2007
  1. I have McAfee AV and while doing some computer work it popped up and started notifying me of files infected with the Downloader-BEW virus. It says it's cleaning them, but I would like to proactively remove this from my system. I've seen other users on this forum who have been helped. After reading the warnings concerning NOT using the instructions given to others, I have decided to begin a new thread and await further instructions. Please help!

    Michael
     
  2. Po`Girl

    Po`Girl TS Rookie Posts: 595

    Hi,

    You read the warnings. We like you already. :)

    The next step is to go HERE and follow all the steps, and post the three logs it asks for, as attachments in this thread.
     
  3. lemkorusyn

    lemkorusyn TS Rookie Topic Starter

    I'm on it! Be right back with all that you've requested! Thanks so much!
     
  4. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Before following any other instructions, please do the following.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Please download FindAWF to your Desktop.
    Double-click FindAWF.exe to start the tool.
    Select "option #1 - Scan for bak folders" by typing 1 and press Enter
    When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt as an attachment.

    Also, please post a HJT log as per these instructions.

    Regards Howard :wave: :wave:

    This thread is for the use of lemkorusyn only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  5. lemkorusyn

    lemkorusyn TS Rookie Topic Starter

    awf.txt

    Here is my awf.txt file, BUT, when I click on the "HERE" link to download the HJT software, I get the following message ...

    "Fatal error: Call to undefined function checknum() in /home/majorgee/public_html/download.php on line 32"
     

    Attached Files: awf.txt (6.1 KB)
  6. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    The Major Geeks site must be down. I have now fixed the link and HJT can be downloaded directly from the Trend website.

    Please post the HJT log in your next reply.

    Right click on this link DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards. NOTE: This script will delete any sites you may have added to the Trusted Sites. So if you want them back, you have to add them back to the Trusted Sites again.


    Double-click FindAWF.exe to start the tool. Then, do the following
    Select "option #2 - Restore files from bak folders" by typing 2 and press Enter.
    A text file will open up. Please copy/paste the following text from the quote box (all except the word QUOTE) into the text file.


    Close the .txt file and click Yes to save the changes.
    When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt in your next reply as an attachment.

    Regards Howard :)

    This thread is for the use of lemkorusyn only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  7. lemkorusyn

    lemkorusyn TS Rookie Topic Starter

    OK, finished with that! Ready for the next step! See my attached awf.txt and hijackthis.log files.
     
  8. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Please double-click the FindAWF icon once again
    This time we are going to remove some folders.


    Use the following option: Press 3 then Enter to remove bak folders


    A text file opens called: folders.txt
    Click below the line and paste the following list of folders to be removed:

    Next, close and click Yes to save the changes.

    When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
    Please provide the new FindAWF log

    Regards Howard :)

    This thread is for the use of lemkorusyn only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
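The three FindAWF options Howard walks through above (scan for bak folders, restore the originals from them, then remove the bak folders) come down to one pattern: the infection moves a program's genuine executable into a `bak` subfolder and drops a substitute with the same name in its place, so a `bak` folder whose file differs from the same-named file one level up is the tell. The following Python script is an added example of that logic, not FindAWF's own code; the directory names, the file contents and the awf.txt-style report layout are constructed for the example, and it runs entirely inside a temporary directory standing in for C:\Program Files.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_bak_folders(root):
    """Option 1: walk `root` for folders named `bak` and classify every file in them."""
    findings = []
    for dirpath, dirnames, _ in os.walk(root):
        for name in dirnames:
            if name.lower() != "bak":
                continue
            bak = Path(dirpath) / name
            for backed in sorted(p for p in bak.iterdir() if p.is_file()):
                live = bak.parent / backed.name
                if not live.is_file():
                    status = "missing"     # original moved away, nothing left in its place
                elif _sha256(live) != _sha256(backed):
                    status = "replaced"    # same name, different bytes: the substitute
                else:
                    status = "identical"   # plain backup copy, nothing to restore
                findings.append({"bak": bak, "name": backed.name, "live": live, "status": status})
    return findings


def restore_from_bak(findings):
    """Option 2: copy each backed-up original over its substitute; return restored paths."""
    restored = []
    for f in findings:
        if f["status"] in ("replaced", "missing"):
            shutil.copy2(f["bak"] / f["name"], f["live"])
            restored.append(f["live"])
    return restored


def remove_bak_folders(findings):
    """Option 3: delete the bak folders; only do this after the originals are back."""
    removed = []
    for bak in sorted({f["bak"] for f in findings}):
        shutil.rmtree(bak)
        removed.append(bak)
    return removed


def report(findings):
    """Render findings one per line (layout is this example's, not FindAWF's awf.txt)."""
    return "\n".join(f"{f['status']:9}  {f['live']}  (bak copy in {f['bak']})" for f in findings)


# Constructed sample tree (assumed names and contents) standing in for C:\Program Files.
SAMPLE = {
    "Foo/Foo.exe": b"MZ substitute dropped by the infection",
    "Foo/bak/Foo.exe": b"MZ genuine Foo.exe",
    "Bar/bak/Bar.exe": b"MZ genuine Bar.exe",   # nothing left in the parent folder
    "Baz/Baz.exe": b"MZ genuine Baz.exe",
    "Baz/bak/Baz.exe": b"MZ genuine Baz.exe",   # identical: a harmless backup
}


def build_sample_tree(root: Path):
    for rel, data in SAMPLE.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def demo():
    """Run scan -> restore -> remove -> rescan on the sample tree and return what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "Program Files"
        build_sample_tree(root)
        before = scan_bak_folders(root)
        restored = restore_from_bak(before)
        removed = remove_bak_folders(before)
        after = scan_bak_folders(root)
        return {
            "before": {f["name"]: f["status"] for f in before},
            "restored": sorted(p.name for p in restored),
            "removed": len(removed),
            "foo_bytes": (root / "Foo" / "Foo.exe").read_bytes(),
            "bar_exists": (root / "Bar" / "Bar.exe").is_file(),
            "after": len(after),
        }


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "Program Files"
        build_sample_tree(root)
        print(report(scan_bak_folders(root)))
    print(demo())
```

The hash comparison is what makes the "replaced" verdict worth acting on: a `bak` folder by itself only says something was backed up, and the InCD folder later in this thread is a reminder that deleting one can break the program that owns it, so check the substitute (publisher signature, hash against a known-good copy) before removing anything.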
     
  9. lemkorusyn

    lemkorusyn TS Rookie Topic Starter

    Folders removed! See attached awf.txt file! I appreciate your fast responses. I'm here for the duration! As long as it takes! :)
     

    Attached Files: awf.txt (868 bytes)
  10. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    There`s just one more bak file to deal with.

    Double-click FindAWF.exe to start the tool. Then, do the following
    Select "option #2 - Restore files from bak folders" by typing 2 and press Enter.
    A text file will open up. Please copy/paste the following text from the quote box (all except the word QUOTE) into the text file.

    Close the .txt file and click Yes to save the changes.
    When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt in your next reply as an attachment.

    Regards Howard :)

    This thread is for the use of lemkorusyn only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  11. lemkorusyn

    lemkorusyn TS Rookie Topic Starter

    Done! Ready for the next step.
     
  12. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Please double-click the FindAWF icon once again
    This time we are going to remove some folders.


    Use the following option: Press 3 then Enter to remove bak folders


    A text file opens called: folders.txt
    Click below the line and paste the following list of folders to be removed:

    Next, close and click Yes to save the changes.

    When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
    Please provide the new FindAWF log

    Regards Howard :)

    This thread is for the use of lemkorusyn only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  13. lemkorusyn

    lemkorusyn TS Rookie Topic Starter

    And here you go again, Howard!
     
  14. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Still there, please do the following, though you will probably have to reinstall Nero once done.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    InCD.exe

    Close task manager.

    Locate and delete the following bold files and/or directories(if there).

    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\Ahead\InCD\bak <Delete the entire folder.>

    Reboot into normal mode and rehide your protected OS files.

    Please download FindAWF to your Desktop.
    Double-click FindAWF.exe to start the tool.
    Select "option #1 - Scan for bak folders" by typing 1 and press Enter
    When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt as an attachment.

    Regards Howard :)

    This thread is for the use of lemkorusyn only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  15. lemkorusyn

    lemkorusyn TS Rookie Topic Starter

    Well, I knew that was going way too smoothly! :) We have a slight problem. My computer won't let me boot in Safe Mode. I hit F8 and then I select "Safe Mode". It moves on and then comes back with the following screen ...

    "We apologize for the inconvenience, but Windows did not start successfully. A recent software or hardware change might have caused this.

    If your computer stopped responding, restarted unexpectedly, or was automatically shut down to protect your files and folders, choose Last Known Good Configuration to revert to the most recent settings that worked.

    If a previous startup screen attempt was interrupted due to power failure or because the Power or Reset button was pressed, or if you aren't sure what caused the problem, choose Start Normally.

    Safe Mode
    Safe Mode with Networking
    Safe Mode with Command Prompt
    Last Known Good Configuration
    Start Windows Normally"


    I tried to choose "Safe Mode" several times, but continue to end up on this screen. The only way past it is to wait the 30 seconds and let it start normally.

    Then, here's what I did. I ran msconfig and turned off the InCD option in the startup, then restarted my PC. So, InCD is no longer running. I'll let you tell me what to do next!
     
  16. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    You`ll need to reinstall Nero, as InCD is part of Nero and we had to delete it.

    See if that helps.

    Regards Howard :)

    This thread is for the use of lemkorusyn only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  17. lemkorusyn

    lemkorusyn TS Rookie Topic Starter

    Hello again, Howard! I'm back! OK, here's what I did. I tried reinstalling Nero, but during the installation, it said there were files missing and that I should reinstall it (which is what I was doing, so that was rather confusing). When I'd try to run Nero after the "installation", it told me files were missing. So ... for now, I just went into Control Panel and uninstalled the entire thing. It's gone, and now I CAN boot up in Safe Mode! I'm just gonna leave it like that for now until we're through ridding this machine of the virus (my MAIN concern!).

    So, what's next? :)
     
  18. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Please download FindAWF to your Desktop.
    Double-click FindAWF.exe to start the tool.
    Select "option #1 - Scan for bak folders" by typing 1 and press Enter
    When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt as an attachment.

    Also post a fresh HJT log.

    Regards Howard :)

    This thread is for the use of lemkorusyn only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  19. lemkorusyn

    lemkorusyn TS Rookie Topic Starter

    Here are the awf.txt and hijackthis.log files you requested.
     
  20. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    That`s odd. The InCD bak file is there again.

    Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

    In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

    Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

    Click on the processes tab and end process for(if there).

    InCD.exe

    Close task manager.

    Locate and delete the following bold files and/or directories(if there).

    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\Ahead\InCD\bak <Delete the entire folder.>

    Reboot into normal mode and rehide your protected OS files.

    Please download FindAWF to your Desktop.
    Double-click FindAWF.exe to start the tool.
    Select "option #1 - Scan for bak folders" by typing 1 and press Enter
    When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt as an attachment.

    Regards Howard :)

    This thread is for the use of lemkorusyn only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  21. lemkorusyn

    lemkorusyn TS Rookie Topic Starter

    Howard,

    I believe the InCD BAK folder still being there may have been my mistake. After I uninstalled Nero and verified that I "could' start in Safe Mode, I never went in and removed the InCD BAK folder. I thought the uninstall would have done that, so I didn't! My mistake.

    OK, there was no InCD.exe file, but I found the BAK directory and deleted it. Here's my awf.txt file.
     
  22. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    That`s now clean.

    Your HJT log also appears to be clean.

    However, in the interests of safety, I`d like you to do the following in order to make sure you have no other nasties lurking on your system.

    Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

    Also, let me know the results of the Panda Antirootkit scan.

    Regards Howard :)

    This thread is for the use of lemkorusyn only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  23. lemkorusyn

    lemkorusyn TS Rookie Topic Starter

    Howard,

    Wow! That took quite some time, but I followed the instructions to the letter and have finally finished. I have attached the log files for HJT, AVG Antispyware, and Combofix. The results of the Panda Antirootkit scan showed ZERO rootkits found.

    Let me know if there is anything else I need to do!

    Michael
     
  24. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Delete all files in AVG Antispyware quarantine.

    Your log files are clean.

    Turn off system restore (XP/ME only). See how HERE.

    Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.


    If you have any further virus/spyware problems, please post in this thread.

    Regards Howard :)

    This thread is for the use of lemkorusyn only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  25. lemkorusyn

    lemkorusyn TS Rookie Topic Starter

    Howard,

    I did as you said and turned off and back on the system restore feature. I also created a restore point that I could name myself so I have something to go back to if needed.

    You have been a GREAT help to me! This is the most I've ever had to do to remove a virus from my machine. Quite frankly, I don't know how it got on my machine. My kids all swear they didn't download and install anything (who can be sure? :)) I have McAfee AV and it's worked wonderfully for many years ... until this Downloader-BEW virus. If you have any information on how this virus might have gotten past my firewall + McAfee AV I'd love to know.

    Michael
     
Topic Status:
Not open for further replies.
