Solved: I have the Downloader-BEW virus, need help!
#1
I have McAfee AV and while doing some computer work it popped up and started notifying me of files infected with the Downloader-BEW virus. It says it's cleaning them, but I would like to proactively remove this from my system. I've seen other users on this forum who have been helped. After reading the warnings concerning NOT using the instructions given to others, I have decided to begin a new thread and await further instructions. Please help!
Michael
#3
I'm on it! Be right back with all that you've requested! Thanks so much!
#4
Hello and welcome to Techspot.
Before following any other instructions, please do the following.
Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.
If after reading the above, you wish to clean your system, do the following.
Please download FindAWF to your Desktop.
Double-click FindAWF.exe to start the tool.
Select "option #1 - Scan for bak folders" by typing 1 and press Enter.
When the tool has completed, a report will open up in notepad.
Please post the results of the awf.txt as an attachment.
Also, please post a HJT log as per these instructions.
Regards
Howard
This thread is for the use of lemkorusyn only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
#5
awf.txt
Here is my awf.txt file, BUT, when I click on the "HERE" link to download the HJT software, I get the following message ...
"Fatal error: Call to undefined function checknum() in /home/majorgee/public_html/download.php on line 32"
#6
The Major Geeks site must be down. I have now fixed the link and HJT can be downloaded directly from the Trend website.
Please post the HJT log in your next reply.
Right click on this link DelO15Domains.inf and choose Save As. Save it to your desktop.
Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards.
NOTE: This script will delete any sites you may have added to the Trusted Sites. So if you want them back, you have to add them back to the Trusted Sites again.
Double-click FindAWF.exe to start the tool. Then, do the following
Select "option #2 - Restore files from bak folders" by typing 2 and press Enter.
A text file will open up. Please copy/paste the following text from the quote box (all except the word QUOTE) into the text file.
Quote:
Close the .txt file and click Yes to save the changes.
When the tool has completed, a report will open up in notepad.
Please post the results of the awf.txt in your next reply as an attachment.
Regards
Howard
#7
OK, finished with that! Ready for the next step! See my attached awf.txt and hijackthis.log files.
#8
Please double-click the FindAWF icon once again
This time we are going to remove some folders. Use the following option:
Press 3 then Enter to remove bak folders
A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:
Quote:
When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
Please provide the new FindAWF log
Regards
Howard
#9
Folders removed! See attached awf.txt file! I appreciate your fast responses. I'm here for the duration! As long as it takes!
#10
There's just one more bak file to deal with.
Double-click FindAWF.exe to start the tool. Then, do the following
Select "option #2 - Restore files from bak folders" by typing 2 and press Enter.
A text file will open up. Please copy/paste the following text from the quote box (all except the word QUOTE) into the text file.
Quote:
When the tool has completed, a report will open up in notepad.
Please post the results of the awf.txt in your next reply as an attachment.
Regards
Howard
#11
Done! Ready for the next step.
#12
Please double-click the FindAWF icon once again
This time we are going to remove some folders. Use the following option:
Press 3 then Enter to remove bak folders
A text file opens called: folders.txt
Click below the line and paste the following list of folders to be removed:
Quote:
When done with the above, FindAWF automatically runs a new scan and opens a new log that you need to post.
Please provide the new FindAWF log
Regards
Howard
#13
And here you go again, Howard!
#14
Still there, please do the following, though you will probably have to reinstall Nero once done.
Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.
In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.
Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.
Click on the processes tab and end process for (if there).
InCD.exe
Close task manager.
Locate and delete the following bold files and/or directories (if there).
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Ahead\InCD\bak <Delete the entire folder.
Reboot into normal mode and rehide your protected OS files.
Please download FindAWF to your Desktop.
Double-click FindAWF.exe to start the tool.
Select "option #1 - Scan for bak folders" by typing 1 and press Enter.
When the tool has completed, a report will open up in notepad.
Please post the results of the awf.txt as an attachment.
Regards
Howard
#15
Well, I knew that was going way too smoothly!
We have a slight problem. My computer won't let me boot in Safe Mode. I hit F8 and then I select "Safe Mode". It moves on and then comes back with the following screen ...
"We apologize for the inconvenience, but Windows did not start successfully. A recent software or hardware change might have caused this.
If your computer stopped responding, restarted unexpectedly, or was automatically shut down to protect your files and folders, choose Last Known Good Configuration to revert to the most recent settings that worked.
If a previous startup screen attempt was interrupted due to power failure or because the Power or Reset button was pressed, or if you aren't sure what caused the problem, choose Start Normally.
Safe Mode
Safe Mode with Networking
Safe Mode with Command Prompt
Last Known Good Configuration
Start Windows Normally"
I tried to choose "Safe Mode" several times, but continue to end up on this screen. The only way past it is to wait the 30 seconds and let it start normally.
Then, here's what I did. I ran msconfig and turned off the InCD option in the startup, then restarted my PC. So, InCD is no longer running. I'll let you tell me what to do next!
#16
You'll need to reinstall Nero, as incd is part of Nero and we had to delete it.
See if that helps.
Regards
Howard
#17
Hello again, Howard! I'm back! OK, here's what I did. I tried reinstalling Nero, but during the installation, it said there were files missing and that I should reinstall it (which is what I was doing, so that was rather confusing). When I'd try to run Nero after the "installation", it told me files were missing. So ... for now, I just went into Control Panel and uninstalled the entire thing. It's gone, and now I CAN boot up in Safe Mode! I'm just gonna leave it like that for now until we're through ridding this machine of the virus (my MAIN concern!).
So, what's next?
#18
Please download FindAWF to your Desktop.
Double-click FindAWF.exe to start the tool.
Select "option #1 - Scan for bak folders" by typing 1 and press Enter.
When the tool has completed, a report will open up in notepad.
Please post the results of the awf.txt as an attachment.
Also post a fresh HJT log.
Regards
Howard
#19
Here are the awf.txt and hijackthis.log files you requested.
#20
That's odd. The InCD bak file is there again.
Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how HERE.
In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.
Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.
Click on the processes tab and end process for (if there).
InCD.exe
Close task manager.
Locate and delete the following bold files and/or directories (if there).
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Ahead\InCD\bak <Delete the entire folder.
Reboot into normal mode and rehide your protected OS files.
Please download FindAWF to your Desktop.
Double-click FindAWF.exe to start the tool.
Select "option #1 - Scan for bak folders" by typing 1 and press Enter.
When the tool has completed, a report will open up in notepad.
Please post the results of the awf.txt as an attachment.
Regards
Howard