Win32.BettInet.AR (Aurora)

Discussion in 'Malware Help (A Specialist Will Reply)' started by jj_bloodhound, Aug 7, 2005.

  1. jj_bloodhound

    jj_bloodhound Private E-2

    Greetings!

    I am attempting to rid my friend's laptop of Aurora and would be grateful for any help you could offer. I have read and followed all four of the Scanning and Cleaning steps on Major Attitude's How to: Spyware, Trojan And Virus Removal.

    Here is some additional information that may prove useful to you:

    Windows XP Home SP2 - fully updated after infection
    EZ Antivirus and Firewall - added after infection
    Webroot Spy Sweeper - added after infection

    Hijack This was downloaded but I have not run it as of yet. I read somewhere on here that I am not to post it until asked.

    Thank you in advance for your help...
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do the below too!

    - download Nail/Bolder/Aurora Remover 0.3.1 Beta and save it to its own folder like c:\ABIremover

    - Now extract the abiremover.exe file from the ZIP file into the folder you created but do not run the EXE yet. We will run it later.

    - Now boot into safe mode, run the abiremover.exe but make sure you are physically disconnected from the internet (unplug your cable to be sure). Just click install, wait (explorer window will disappear)

    - When abiremover finishes just reboot into normal and continue with the below steps.


    Also download HOSTER and then follow the below steps.
    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program
    Let us know if this helps or not.
     
  3. jj_bloodhound

    jj_bloodhound Private E-2

    chaslang,

    First off, thanks for responding!

    I downloaded and ran the first program in safe mode and was not connected to the internet. Hoster was run in normal mode as requested but still no luck.

    Looking for more guidance. Thanks for taking the time to help.

    -jj
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Follow the below steps exactly as written:

    - Boot in normal mode

    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
  5. jj_bloodhound

    jj_bloodhound Private E-2

    Hey chaslang,

    I have run Hijack This and attached the log file as requested.

    Awaiting further instruction from you. As always, thanks for your help.

    -jj
     

    Attached Files:

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Note: You may run into problems doing the below unless you disable or uninstall SpySweeper because it will see these attempted changes and may try to block them. In most cases though, you can just tell it to accept the change.

    Is there a reason why you did not run the BitDefender online scan?

    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.

    c:\windows\system32\hpexgfg.exe
    C:\WINDOWS\System32\?ttrib.exe

    After killing all the above processes, click "Back".
    Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
    O2 - BHO: SDWin32 Class - {134AEAB8-CE10-4D3C-8D93-97C0107DDEE5} - C:\WINDOWS\System32\dqltt.dll
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {BACBA8F6-4465-4FB1-4361-69534E815D90} - C:\WINDOWS\System32\kcmpp.dll (file missing)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: (no name) - {014DA6C9-189F-421a-88CD-07CFE51CFF10} - (no file)
    O4 - HKLM\..\Run: [q77Q36h] cresccp.exe
    O4 - HKLM\..\Run: [Ioxx] C:\WINDOWS\Bxdp.exe
    O4 - HKLM\..\Run: [lchnkw] c:\windows\system32\hpexgfg.exe r
    O4 - HKCU\..\Run: [Ikcsxqx] C:\WINDOWS\System32\?ttrib.exe

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\WINDOWS\Bxdp.exe
    C:\WINDOWS\System32\dqltt.dll
    c:\windows\system32\cresccp.exe
    c:\windows\system32\hpexgfg.exe

    If you get an error when deleting a file, right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Also look for and delete: C:\WINDOWS\System32\?ttrib.exe
    This is not to be confused with attrib.exe which is legitimate. Look for a file (the ? may or may not show) that has some characters at the beginning and ends with ttrib.exe. It is probably several 100k bytes in size which is much larger than the valid attrib.exe.

    Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP go to c:\windows\Prefetch and delete all files in this folder.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, go to step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
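    As an added illustration of the triage chaslang is doing by hand in this post (this is not a tool from the thread or from MajorGeeks), here is a small Python parser that reads HijackThis log lines like the ones he listed and flags the patterns he called out: search pages redirected to about:blank, BHO or toolbar entries whose DLL is gone, Run entries whose executable is a look-alike of attrib.exe, Run values with no directory, and the bare " r" argument that later in the thread reappears under a new random name. The log lines embedded below are copied from this thread except the ctfmon.exe line, which is a constructed benign control.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "line reason")

# HijackThis lines quoted in this thread, plus one constructed benign entry (ctfmon.exe).
HJT_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: SDWin32 Class - {134AEAB8-CE10-4D3C-8D93-97C0107DDEE5} - C:\WINDOWS\System32\dqltt.dll
O2 - BHO: (no name) - {BACBA8F6-4465-4FB1-4361-69534E815D90} - C:\WINDOWS\System32\kcmpp.dll (file missing)
O4 - HKLM\..\Run: [q77Q36h] cresccp.exe
O4 - HKLM\..\Run: [lchnkw] c:\windows\system32\hpexgfg.exe r
O4 - HKCU\..\Run: [Ikcsxqx] C:\WINDOWS\System32\?ttrib.exe
O4 - HKLM\..\Run: [ffpnybp] c:\windows\system32\wioefat.exe r
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# "O4 - HKLM\..\Run: [value name] command line"
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
ORPHAN_MARKERS = ("(no file)", "(file missing)")


def split_command(cmd):
    """Split an unquoted Run value into (lower-case basename, arguments, has_directory)."""
    path, _, args = cmd.partition(" ")
    base = path.rsplit("\\", 1)[-1].lower()
    return base, args.strip(), "\\" in path


def triage(log_text):
    """Return a Finding for every log line matching a pattern chaslang called out above."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        if not line:
            continue
        if line.startswith(("R0 -", "R1 -")) and line.endswith("= about:blank"):
            findings.append(Finding(line, "search/start page hijacked to about:blank"))
        elif line.startswith(("O2 -", "O3 -")) and line.endswith(ORPHAN_MARKERS):
            findings.append(Finding(line, "BHO/toolbar CLSID whose DLL is gone (orphan entry)"))
        m = O4_RE.match(line)
        if not m:
            continue
        base, args, has_dir = split_command(m.group("cmd"))
        if base.endswith("ttrib.exe") and base != "attrib.exe":
            findings.append(Finding(line, "look-alike of the legitimate attrib.exe"))
        if args == "r":
            findings.append(Finding(line, "executable started with the bare 'r' argument seen in this thread"))
        if not has_dir:
            findings.append(Finding(line, "Run value gives no directory; resolved by PATH search"))
    return findings


if __name__ == "__main__":
    for f in triage(HJT_LOG):
        print(f"{f.reason}\n    {f.line}")
```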
     
  7. jj_bloodhound

    jj_bloodhound Private E-2

    Hey chaslang,

    Strangely enough I ran the BitDefender online scan in safe mode as per the tutorial. I don't know why it didn't register.

    I followed your instructions and haven't seen any more problems. EZ Firewall has not noticed any more outbound connections for Aurora or 0ttrib.exe which of course is a good thing. ;) However, not all the items you asked me to delete were available or found.

    For example, the C:\WINDOWS\System32\?ttrib.exe was nowhere to be found. A file named Ikcsxqx.exe with the Aurora icon was located in my search and I deleted it. It was cross-referenced with the list of items to delete in Hijack This.

    For dqltt.dll, the file was not present but some XML data files were. They were listed as dqltta.xml (41 kb) and dqltte.xml (1 kb). They are still present on the system. Should I delete these files?

    I have attached the hijackthis log for your review.

    Two asides:

    How did you gain so much knowledge on this subject?

    and

    Is there any way that I can donate some cash for helping me out via PayPal?

    Cheers,

    -jj
     

    Attached Files:

    Last edited: Aug 8, 2005
  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's because of two reasons:
    1) HJT deleted some of the files already when it fixed the entries.
    2) Sometimes the files mutate (rename themselves). This happened to you because one of the baddies is now:


    c:\windows\system32\wioefat.exe
    O4 - HKLM\..\Run: [ffpnybp] c:\windows\system32\wioefat.exe r

    You need to kill that process and fix the line with HJT then delete the file in safe mode.

    Yes!


    Years of using and building PCs! I use many PCs for my work too. Lots of reading.


    Not that way but you could buy an MG's T-shirt or other items. Also send your friends here.
     
  9. jj_bloodhound

    jj_bloodhound Private E-2

    Hey chaslang,

    I think, with a tremendous amount of your help, we have Aurora beat. What a nasty little beast Aurora is. Judging by the posts it infects a large number of people.

    I figured that you've pored over many a book and manual in your day.

    I'll be sure to buy some swag and send them here. ;)

    Would you like me to post one final hjt log to make sure it's gone?

    Thanks again for the much needed help and advice.

    Cheers,

    -jj
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! And yes, post another log. Entries like:

    O4 - HKLM\..\Run: [ffpnybp] c:\windows\system32\wioefat.exe r

    have a nasty habit of coming back over and over again and renaming themselves each time. Sometimes there are other hidden files that need to be found and deleted to finalize the fix. This particular item is not part of Aurora.
     
  11. jj_bloodhound

    jj_bloodhound Private E-2

    Hey Chaslang,

    Here's what I hope to be my final hjt log file. Thanks for taking a look. :)

    Cheers,

    -jj
     

    Attached Files:

  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

  13. jj_bloodhound

    jj_bloodhound Private E-2

    You Rock, chaslang!

    You have my and my friend's gratitude for your altruism. :)

    A number of my friends and acquaintances know that I do freelance web design. For whatever reason they assume that I can do everything with a computer. And while I can get a system fairly clean, Aurora was clearly more than a match for me. I'm sure that sometime down the road another friend will ask for help and, in turn, I'll be on here asking for your help. Thanks in advance.

    If you ever need help with a cascading style sheet, xhtml, 508 compliance or something else web related I'll do my best to help. Gratis, of course. ;)

    Time for me to quit monopolizing your time and finish by reading your article and purchasing a Major Geeks T-shirt at the online shop.

    Until the next time...

    Cheers,

    -jj
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely.
     