08-25-2005, 07:30 AM   #4
Ried
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 27,112
OS: WinXP and Vista


Hello Daddis,

Please print out or copy this page to Notepad, since you will not have any browsers open while you are fixing this. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. Again, you should not have any open browsers when you are following the procedures below.

Please be sure the following is in effect:

Go to My Computer->Tools->Folder Options->View tab:
* Under the Hidden files and folders heading, select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm and then click OK.

Download KillBox http://www.greyknight17.com/spy/KillBox.exe.

From Normal Mode:

NOTE: The entry may have changed names if you have rebooted since posting the log; look for an entry with a similar format, one that will always end in a single letter r.

* Open the folder you just created and click on apt.exe and search in the window for bepqeqm.exe r.
* Open your C:\Windows\system32 folder and search for bepqeqm.exe . Don't delete it yet, just leave the system32 folder open so you can see the bad file.
* In APT again, Select bepqeqm.exe and Click Kill3.
* Then immediately delete c:\windows\system32\bepqeqm.exe r from your system32 folder.

Close APT.

Reboot into Safe Mode (tapping F8 or F5).

Click START…RUN…and type in regedit. Make sure just "My Computer" is showing in the left pane and click FILE…EXPORT…and save a copy somewhere in case you make a mistake. Now navigate to each of the following keys and delete the file/folder/entry I highlighted in RED:

HKEY_CURRENT_USER\Software\aurora

If any of the above registry keys are giving you problems deleting, right click on them and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor.

Copy the file names below to the clipboard by highlighting them and pressing Ctrl-C:

C:\WINDOWS\system32\PartyPoker.ico
C:\WINDOWS\system32\StopSpyware.ico


Start KillBox.
Go to the File menu, and choose Paste from Clipboard.
Verify that you've done this properly by clicking the dropdown-arrow next to the Full Path of File to Delete field. The filenames you pasted will be found in there.
Select/tick the following:
* Delete on Reboot
* End Explorer Shell While Killing File
* Unregister .dll Before Deleting (if it's not grayed out)
Click the RED X button.

Click [Yes] at the 'Delete on Reboot' prompt. Click [No] at the Pending Operations prompt.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

NOTE: The O4 entry may have changed names if you have rebooted since posting the log; look for an entry with a similar format, one that will always end in a single letter r.
O4 - HKLM\..\Run: [reqyajw] c:\windows\system32\bepqeqm.exe r

Now open the folder dsrfix on your desktop.
* Double click on dsrfix.bat
* A window will pop up briefly then close, this is normal.

Locate and delete the following:

c:\windows\system32\bepqeqm.exe r (or whatever the name may have changed to, as noted above).

Reboot into Normal Mode.

Perform an online scan with Panda ActiveScan (requires Internet Explorer):
  1. Click on the Scan your PC button and a pop-up window will appear. * Ensure that your pop-up blocker doesn't block it.
  2. Click on 'Scan Now'.
  3. Enter your e-mail address and click 'Scan Now'. This begins downloading Panda's ActiveX controls (8 MB).
  4. Begin the scan by selecting My Computer.
    * You needn't remain online while it's doing the scan, but you have to re-connect after it has finished to see the report.
  5. If it finds any malware, it will offer you a report. Click on See report.
  6. Then click Save report.
  7. Post the contents of the report in your next reply along with a new HijackThis log.

* Turn off the real time scanner of any existing antivirus program while performing the online scan
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
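As an added example that is not part of Ried's post, the following PowerShell script audits, on a current Windows host, the indicators the post tells Daddis to remove: the two .ico files and bepqeqm.exe in system32, the HKCU\Software\aurora key, and the O4 Run value (named reqyajw, or any renamed system32 executable launched with a lone trailing "r" argument, which is an assumption drawn from the NOTE above). It only reports what it finds; the removal itself still follows the steps in the post.

```powershell
# Added example, not code from the original post. Report-only audit of the
# indicators named in the post; nothing is deleted. Assumes a Windows host with
# PowerShell and, for HKLM, an elevated session.

$sys32 = Join-Path $env:SystemRoot 'system32'

# File indicators listed in the post (paths from the post)
$fileIocs = @(
    (Join-Path $sys32 'bepqeqm.exe'),
    (Join-Path $sys32 'PartyPoker.ico'),
    (Join-Path $sys32 'StopSpyware.ico')
)

# Registry key the post says to delete
$keyIocs = @('HKCU:\Software\aurora')

# Run keys to inspect for the O4 entry. The post's log shows HKLM; HKCU is
# included here as an assumption, since the renamed entry could land in either.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)

# Provider metadata that Get-ItemProperty attaches to every result
$meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

$findings = @()

foreach ($f in $fileIocs) {
    if (Test-Path -LiteralPath $f) {
        $item = Get-Item -LiteralPath $f
        $findings += [pscustomobject]@{
            Type     = 'File'
            Location = $f
            Detail   = "size=$($item.Length) modified=$($item.LastWriteTime)"
        }
    }
}

foreach ($k in $keyIocs) {
    if (Test-Path -LiteralPath $k) {
        $findings += [pscustomobject]@{ Type = 'RegKey'; Location = $k; Detail = 'present' }
    }
}

foreach ($rk in $runKeys) {
    if (-not (Test-Path -LiteralPath $rk)) { continue }
    $props = Get-ItemProperty -LiteralPath $rk
    foreach ($p in $props.PSObject.Properties) {
        if ($meta -contains $p.Name) { continue }
        $value = [string]$p.Value
        # Flag the exact value name from the log, or any system32 exe started
        # with a single trailing "r" argument (the renamed-on-reboot variant).
        # -match is case-insensitive in PowerShell.
        if ($p.Name -eq 'reqyajw' -or $value -match '\\system32\\[a-z]+\.exe\s+r$') {
            $findings += [pscustomobject]@{
                Type     = 'RunValue'
                Location = "$rk\$($p.Name)"
                Detail   = $value
            }
        }
    }
}

if ($findings.Count -eq 0) {
    'No indicators from the post were found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell prompt before and after working through the fixes: the first run confirms which of the post's indicators are actually present (and the current name of the renamed Run entry), and the second run, after the reboot into Normal Mode, should report nothing.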