Solved: I have the Downloader-BEW virus, need help!


lemkorusyn

I have McAfee AV and while doing some computer work it popped up and started notifying me of files infected with the Downloader-BEW virus. It says it's cleaning them, but I would like to proactively remove this from my system. I've seen other users on this forum who have been helped. After reading the warnings concerning NOT using the instructions given to others, I have decided to begin a new thread and await further instructions. Please help!

Michael
 
Hi,

You read the warnings. We like you already. :)

The next step is to go HERE and follow all the steps, and post the three logs it asks for, as attachments in this thread.
 
Hello and welcome to Techspot.

Before following any other instructions, please do the following.

Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

If after reading the above, you wish to clean your system, do the following.

Please download FindAWF to your Desktop.
Double-click FindAWF.exe to start the tool.
Select "option #1 - Scan for bak folders" by typing 1 and press Enter
When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt as an attachment.

Also, please post a HJT log as per these instructions.

Regards Howard :wave: :wave:

This thread is for the use of lemkorusyn only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
awf.txt

Here is my awf.txt file, BUT, when I click on the "HERE" link to download the HJT software, I get the following message ...

"Fatal error: Call to undefined function checknum() in /home/majorgee/public_html/download.php on line 32"
 

Attachments: awf.txt (6.1 KB)
The Major Geeks site must be down. I have now fixed the link and HJT can be downloaded directly from the Trend website.

Please post the HJT log in your next reply.

Right click on this link DelO15Domains.inf and choose Save As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards. NOTE: This script will delete any sites you may have added to the Trusted Sites. So if you want them back, you have to add them back to the Trusted Sites again.


Double-click FindAWF.exe to start the tool. Then, do the following
Select "option #2 - Restore files from bak folders" by typing 2 and press Enter .
A text file will open up. Please copy/paste the following text from the quote box (all except the word QUOTE) into the text file.

"C:\Program Files\iTunes\bak\iTunesHelper.exe"
"C:\Program Files\QuickTime\bak\QTTask.exe"
"C:\WINDOWS\system32\bak\ctfmon.exe"
"C:\WINDOWS\system32\bak\LVCOMSX.EXE"
"C:\WINDOWS\system32\bak\msvcmm32.exe"
"C:\WINDOWS\system32\bak\NeroCheck.exe"
"C:\Program Files\Ahead\InCD\bak\InCD.exe"
"C:\Program Files\Iomega\AutoDisk\bak\ADUserMon.exe"
"C:\Program Files\Iomega\DriveIcons\bak\deskup.exe"
"C:\Program Files\Iomega\DriveIcons\bak\ImgIcon.exe"
"C:\Program Files\Logitech\Video\bak\ISStart.exe"
"C:\Program Files\Logitech\Video\bak\LogiTray.exe"
"C:\Program Files\Logitech\Video\bak\ManifestEngine.exe"
"C:\Program Files\Maxtor\OneTouch Status\bak\maxmenumgr.exe"
"C:\Program Files\Network Associates\Common Framework\bak\UpdaterUI.exe"
"C:\Program Files\Panasonic\NCR2\bak\ncrcore.exe"
"C:\Program Files\TiVo\Desktop\bak\TiVoServer.exe"
"C:\Program Files\Yahoo!\Messenger\bak\YahooMessenger.exe"
"C:\Program Files\Common Files\Network Associates\TalkBack\bak\TBMon.exe"
"C:\Program Files\Common Files\TiVo Shared\Transfer\bak\TiVoTransfer.exe"
"C:\Program Files\Java\jre1.6.0_01\bin\bak\jusched.exe"
"C:\Program Files\Maxtor\OneTouch\Utils\bak\Onetouch.exe"
"C:\Program Files\Ahead\Ahead\data\Xtras\bak\mssysmgr.exe"
"C:\WINDOWS\system32\spool\drivers\w32x86\3\bak\hpztsb04.exe"


Close the .txt file and click Yes to save the changes.
When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt in your next reply as an attachment.

Regards Howard :)

This thread is for the use of lemkorusyn only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Please double-click the FindAWF icon once again
This time we are going to remove some folders.


Use the following option: Press 3 then Enter to remove bak folders


A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:

C:\Program Files\iTunes\bak
C:\Program Files\QuickTime\bak
C:\WINDOWS\system32\bak
C:\Program Files\Ahead\InCD\bak
C:\Program Files\Iomega\AutoDisk\bak
C:\Program Files\Iomega\DriveIcons\bak
C:\Program Files\Logitech\Video\bak
C:\Program Files\Maxtor\OneTouch Status\bak
C:\Program Files\Network Associates\Common Framework\bak
C:\Program Files\Panasonic\NCR2\bak
C:\Program Files\TiVo\Desktop\bak
C:\Program Files\Yahoo!\Messenger\bak
C:\Program Files\Common Files\Network Associates\TalkBack\bak
C:\Program Files\Common Files\TiVo Shared\Transfer\bak
C:\Program Files\Java\jre1.6.0_01\bin\bak
C:\Program Files\Maxtor\OneTouch\Utils\bak
C:\Program Files\Ahead\Ahead\data\Xtras\bak
C:\WINDOWS\system32\spool\drivers\w32x86\3\bak

Next, close and click Yes to save the changes.

When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
Please provide the new FindAWF log

Regards Howard :)

This thread is for the use of lemkorusyn only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
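The three FindAWF steps used in the two posts above (option 1 scan, option 2 restore, option 3 remove) follow a single pattern: the infection moves a legitimate startup executable into a sibling folder named "bak" and leaves a different file under the original name, so every "bak\X.exe" with a same-named but different "X.exe" one level up is a suspect pair. The script below is an added example written for this thread, not FindAWF's own code and not something Howard or the original poster supplied; it re-implements that logic in Python over a constructed directory tree (built in a temporary folder so it runs offline and never touches a real system). The folder layout, file names and byte contents are assumptions modelled on the awf.txt paths posted above.

```python
"""Added example: scan / restore / remove for the AWF 'bak' folder pattern.

Constructed sample only; paths and contents are made up for the demo.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

# (folder under root, file name, bytes of the real program, bytes of what now sits in its place)
# The third entry is a benign backup whose copies are identical, to show it is not flagged.
SAMPLE = [
    ("Program Files/QuickTime", "QTTask.exe", b"MZ real QTTask", b"MZ shim that runs bak\\QTTask.exe"),
    ("WINDOWS/system32", "ctfmon.exe", b"MZ real ctfmon", b"MZ shim that runs bak\\ctfmon.exe"),
    ("Program Files/Java/jre1.6.0_01/bin", "jusched.exe", b"MZ real jusched", b"MZ real jusched"),
]


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large executables do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_bak_folders(root: Path) -> list:
    """Option 1: list every file inside any folder named 'bak' under root.

    For each file, record the same-named file in the parent folder (if any)
    and whether the two differ. A differing pair is the AWF signature: the
    original was moved into bak\\ and a replacement was dropped in its place.
    """
    findings = []
    for bak in sorted(root.rglob("bak")):
        if not bak.is_dir():
            continue
        for kept in sorted(bak.iterdir()):
            if not kept.is_file():
                continue
            live = bak.parent / kept.name
            findings.append({
                "bak_file": kept,
                "live_file": live if live.exists() else None,
                "differs": live.exists() and sha256_of(live) != sha256_of(kept),
            })
    return findings


def restore_from_bak(paths) -> list:
    """Option 2: move each listed bak\\X.exe back over parent\\X.exe.

    Refuses anything that is not a regular file inside a folder named 'bak',
    so a typo in the list cannot be used to move arbitrary files around.
    """
    restored = []
    for p in map(Path, paths):
        if p.parent.name.lower() != "bak" or not p.is_file():
            continue
        target = p.parent.parent / p.name
        if target.exists():
            target.unlink()  # drop the suspect replacement first
        shutil.move(str(p), str(target))
        restored.append(target)
    return restored


def remove_bak_folders(folders) -> list:
    """Option 3: delete the listed 'bak' folders, including anything still inside."""
    removed = []
    for d in map(Path, folders):
        if d.name.lower() == "bak" and d.is_dir():
            shutil.rmtree(d)
            removed.append(d)
    return removed


def build_constructed_tree(root: Path) -> None:
    """Lay out the constructed sample so the three steps have something to act on."""
    for rel, name, real_bytes, live_bytes in SAMPLE:
        folder = root / rel
        (folder / "bak").mkdir(parents=True)
        (folder / "bak" / name).write_bytes(real_bytes)
        (folder / name).write_bytes(live_bytes)


def demo() -> dict:
    """Run scan, restore and remove end to end in a throw-away directory."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_constructed_tree(root)
        before = scan_bak_folders(root)
        suspects = [f for f in before if f["differs"]]
        restored = restore_from_bak(f["bak_file"] for f in suspects)
        removed = remove_bak_folders({f["bak_file"].parent for f in before})
        after = scan_bak_folders(root)
        return {
            "pairs_found": len(before),
            "suspect_pairs": len(suspects),
            "restored": len(restored),
            "restored_ok": all(t.read_bytes().startswith(b"MZ real") for t in restored),
            "bak_folders_removed": len(removed),
            "remaining": len(after),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hash comparison is what separates a real AWF pair from a harmless backup copy: only pairs whose contents differ are passed to the restore step, while the remove step is run over every bak folder found, matching what the two posts above do in sequence.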
 
Folders removed! See attached awf.txt file! I appreciate your fast responses. I'm here for the duration! As long as it takes! :)
 

Attachments: awf.txt (868 bytes)
There's just one more bak file to deal with.

Double-click FindAWF.exe to start the tool. Then, do the following
Select "option #2 - Restore files from bak folders" by typing 2 and press Enter .
A text file will open up. Please copy/paste the following text from the quote box (all except the word QUOTE) into the text file.

"C:\Program Files\Ahead\InCD\bak\InCD.exe"

Close the .txt file and click Yes to save the changes.
When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt in your next reply as an attachment.

Regards Howard :)

This thread is for the use of lemkorusyn only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Please double-click the FindAWF icon once again
This time we are going to remove some folders.


Use the following option: Press 3 then Enter to remove bak folders


A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:

C:\Program Files\Ahead\InCD\bak

Next, close and click Yes to save the changes.

When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
Please provide the new FindAWF log

Regards Howard :)

This thread is for the use of lemkorusyn only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Still there. Please do the following, though you will probably have to reinstall Nero once done.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there):

InCD.exe

Close task manager.

Locate and delete the following bold files and/or directories (if there):

C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Ahead\InCD\bak  <-- Delete the entire folder.

Reboot into normal mode and rehide your protected OS files.

Please download FindAWF to your Desktop.
Double-click FindAWF.exe to start the tool.
Select "option #1 - Scan for bak folders" by typing 1 and press Enter
When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt as an attachment.

Regards Howard :)

This thread is for the use of lemkorusyn only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Well, I knew that was going way too smoothly! :) We have a slight problem. My computer won't let me boot in Safe Mode. I hit F8 and then I select "Safe Mode". It moves on and then comes back with the following screen ...

"We apologize for the inconvenience, but Windows did not start successfully. A recent software or hardware change might have caused this.

If your computer stopped responding, restarted unexpectedly, or was automatically shut down to protect your files and folders, choose Last Known Good Configuration to revert to the most recent settings that worked.

If a previous startup screen attempt was interrupted due to power failure or because the Power or Reset button was pressed, or if you aren't sure what caused the problem, choose Start Normally.

Safe Mode
Safe Mode with Networking
Safe Mode with Command Prompt
Last Known Good Configuration
Start Windows Normally"


I tried to choose "Safe Mode" several times, but continue to end up on this screen. The only way past it is to wait the 30 seconds and let it start normally.

Then, here's what I did. I ran msconfig and turned off the InCD option in the startup, then restarted my PC. So, InCD is no longer running. I'll let you tell me what to do next!
 
You'll need to reinstall Nero, as InCD is part of Nero and we had to delete it.

See if that helps.

Regards Howard :)

This thread is for the use of lemkorusyn only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Hello again, Howard! I'm back! OK, here's what I did. I tried reinstalling Nero, but during the installation, it said there were files missing and that I should reinstall it (which is what I was doing, so that was rather confusing). When I'd try to run Nero after the "installation", it told me files were missing. So ... for now, I just went into Control Panel and uninstalled the entire thing. It's gone, and now I CAN boot up in Safe Mode! I'm just gonna leave it like that for now until we're through ridding this machine of the virus (my MAIN concern!).

So, what's next? :)
 
Please download FindAWF to your Desktop.
Double-click FindAWF.exe to start the tool.
Select "option #1 - Scan for bak folders" by typing 1 and press Enter
When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt as an attachment.

Also post a fresh HJT log.

Regards Howard :)

This thread is for the use of lemkorusyn only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
That's odd. The InCD bak file is there again.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for (if there):

InCD.exe

Close task manager.

Locate and delete the following bold files and/or directories (if there):

C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Ahead\InCD\bak  <-- Delete the entire folder.

Reboot into normal mode and rehide your protected OS files.

Please download FindAWF to your Desktop.
Double-click FindAWF.exe to start the tool.
Select "option #1 - Scan for bak folders" by typing 1 and press Enter
When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt as an attachment.

Regards Howard :)

This thread is for the use of lemkorusyn only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Howard,

I believe the InCD BAK folder still being there may have been my mistake. After I uninstalled Nero and verified that I "could" start in Safe Mode, I never went in and removed the InCD BAK folder. I thought the uninstall would have done that, so I didn't! My mistake.

OK, there was no InCD.exe file, but I found the BAK directory and deleted it. Here's my awf.txt file.
 
That's now clean.

Your HJT log also appears to be clean.

However, in the interests of safety, I'd like you to do the following in order to make sure you have no other nasties lurking on your system.

Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

Also, let me know the results of the Panda Antirootkit scan.

Regards Howard :)

This thread is for the use of lemkorusyn only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Howard,

Wow! That took quite some time, but I followed the instructions to the letter and have finally finished. I have attached the log files for HJT, AVG Antispyware, and Combofix. The results of the Panda Antirootkit scan showed ZERO rootkits found.

Let me know if there is anything else I need to do!

Michael
 
Delete all files in AVG Antispyware quarantine.

Your log files are clean.

Turn off system restore (XP/ME only). See how HERE.

Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.


If you have any further virus/spyware problems, please post in this thread.

Regards Howard :)

This thread is for the use of lemkorusyn only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Howard,

I did as you said and turned off and back on the system restore feature. I also created a restore point that I could name myself so I have something to go back to if needed.

You have been a GREAT help to me! This is the most I've ever had to do to remove a virus from my machine. Quite frankly, I don't know how it got on my machine. My kids all swear they didn't download and install anything (who can be sure? :)) I have McAfee AV and it's worked wonderfully for many years ... until this Downloader-BEW virus. If you have any information on how this virus might have gotten past my firewall + McAfee AV I'd love to know.

Michael
 