scoot63
 asked on

w32.areses.q!vbs virus

Hi.
On site in a customer's office and the PC is infected with the above virus. Norton Corp finds it every time I reboot, in the temp folder. Deleted everything out of the temp folder; it must be rebuilding it every time I reboot. I have found a file that I believe is the problem but can't find it though. I can see it in my HijackThis log: c:\documents and settings\all users\documents\settings\arm32.dll. Have tried Avenger on it but I get an "invalid script" error. Also tried to remove it from the Recovery Console but I get "access denied" when I try to go to the subdirectory. It's a bad deal. Please help.
Anti-Virus Apps

Last Comment: rpggamergirl, 8/22/2022 - Mon
SOLUTION
r-k

Log in or sign up to see answer
scoot63

ASKER
OK, finally got rid of arm32.dll; not a problem anymore. Norton is still finding w32.areses.q!vbs every time I reboot. It deletes the file but it is being regenerated every time I boot. Ewido doesn't find it in safe mode and Norton doesn't find it either.
scoot63

ASKER
Also getting a funny error on boot: error 00000000; when you hit Close it goes to error 0012caa0. The only way to close it is through Task Manager; it just says "error". Nothing running in msconfig, not any processes I don't recognize.
r-k

Does Norton say which file is infected? And which folder is it in?

According to the Norton web site this trojan creates a file with a random name in your c:\ root folder. Check there for any recently created files. Also, update Norton so the def files are newer than Sep 7 and run a full scan in safe mode.
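As an added example, not part of r-k's post and not Symantec or Norton tooling: a PowerShell snippet that lists files created or modified recently in the locations this thread keeps returning to (the C:\ root and the temp folders), with hidden and system files included and an MD5 for each hit so a sample can be submitted to the vendor rather than just deleted. It assumes PowerShell 5.1 or later run from an elevated prompt, which an XP SP2 machine of this era would not have had; the 24-hour window and the path list are assumptions to adjust.

```powershell
# Added example: triage recently created files in the folders this thread mentions.
# Assumes PowerShell 5.1+ from an elevated prompt; the 24-hour window is an assumption.
function Get-RecentSuspectFiles {
    param(
        [int]$Hours = 24,
        [string[]]$Paths = @(
            'C:\',                     # root: Norton says the dropper uses a random name here
            $env:TEMP,                 # per-user temp (where message.hta was reported)
            "$env:SystemRoot\Temp"     # C:\Windows\Temp (where arm8557.tmp and smss.exe were)
        )
    )
    $since = (Get-Date).AddHours(-$Hours)
    foreach ($p in $Paths) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        # -Force includes hidden and system files; no -Recurse, a flat listing of each folder is intended
        Get-ChildItem -LiteralPath $p -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.CreationTime -ge $since -or $_.LastWriteTime -ge $since } |
            ForEach-Object {
                $hash = 'locked'   # a file held open by a running process cannot be hashed
                try { $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5 -ErrorAction Stop).Hash } catch { }
                [pscustomobject]@{
                    Path       = $_.FullName
                    Created    = $_.CreationTime
                    Modified   = $_.LastWriteTime
                    Bytes      = $_.Length
                    Attributes = $_.Attributes
                    MD5        = $hash
                }
            }
    }
}

Get-RecentSuspectFiles | Sort-Object Created -Descending | Format-Table -AutoSize
```

Two caveats when reading the output. Creation and modification times are set by whatever wrote the file and can be forged, so an empty listing does not prove the folder is clean; it only narrows the search. And the name alone can be the tell: the legitimate smss.exe lives in C:\Windows\System32, so a copy in C:\Windows\Temp, as McAfee reported later in this thread, is suspicious regardless of its timestamp. A file that is "locked" is in use by a live process, which is exactly the process to identify before deleting anything, since a running dropper will simply recreate the file at the next boot.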
r-k

Does that error appear after the desktop starts to load? Possibly some startup entry has a file missing, probably one of the infected files you disabled or deleted.

Msconfig is very incomplete. Here is a better idea:

(1) Download Autoruns from: http://www.sysinternals.com/Utilities/Autoruns.html

(2) Run the program. It lists a bunch of things that start when Windows starts.

(3) From the menu bar, select Options, and uncheck "Include Empty Locations" and check "Hide Microsoft Entries".
    Important -> Then click the Refresh button in the toolbar.

(4) This will give you a shorter, more meaningful list.

(5) Examine that list and disable anything suspicious by un-checking it. Then reboot and see if it helped.

(6) If not, or if not sure, you can use the File -> Save as.. option in Autoruns to save the list to a text file and then cut and paste it here.
scoot63

ASKER
Virus defs are updated. The file that's infected is message.hta in c:\documents and settings\user\local settings\temp. One instance where it found apq2.tmp in the Symantec shared folder.
rpggamergirl

Can we look at a HijackThis log please?
Don't fix any entries, just let us look at it.

Please download HijackThis 1.99.1
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
Open HijackThis, click "Do a system scan and save a logfile"; don't fix anything yet.

Then go to the below link and login using your Experts-Exchange username and password.
http://www.ee-stuff.com
Click on "Expert Area" tab
type or paste the link to your Question
"Browse" your pc to the location of your Hijackthis log and click "Upload"
Copy the resulting "url" and post it back here.

OR: paste the log to either of these sites:
1. http://www.rafb.net/paste/
then at the bottom left corner click "paste"
Copy the address/url and post it here.

2. or at --> http://www.hijackthis.de/ 
and click "Analyse", click "Save".  Then post the link to the saved list here.
scoot63

ASKER
rpggamergirl

I'm sorry, the virus is not showing in your HijackThis log.

Did Norton give you the name and location of the virus?



Try DrWebCureIt, it might find and delete it.
1.  Download and install DrWebCureIt:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
to your desktop.
Double-click "drweb-cureit.exe" and click "OK" in the prompt window that will open, asking "start the express scan now".
It will first make a quick scan of your system; let it clean what it finds, and when it says "done"
click on the green screwdriver.
Actions tab: Adware, Dialers, Riskware, Hacktools; use the dropdown menu and select Delete.
Click on the drive(s) you want to scan. A red dot will mark the selected drive(s). Then hit the green arrow in the lower right corner. It will now scan your drive(s); say yes to all.

After the scan, in the Dr.Web CureIt menu on top, click File and choose "save report list".
Save the report to your desktop. The report will be called DrWeb.csv.
Close Dr.Web CureIt.
Reboot your computer!! It is possible that files in use will be moved/deleted during reboot.
After the reboot, post the contents of the log from Dr.Web you saved previously in your next reply.


Or
2.  Silent Runners might show the file:
Please download Silent Runners.
http://www.silentrunners.org/Silent%20Runners.vbs
* Save it to the desktop.
* Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
* You will see a text file appear on the desktop; it's not done yet, just let it run (it won't appear to be doing anything!).
* Once you receive the prompt "All Done!", double-click on the new text file on the desktop, copy that entire log and upload the logfile created: go here and paste your log, http://www.rafb.net/paste/
then at the bottom left corner click "paste".
Copy the address/url and post it here:

*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.


Simon Earl

Wow, I've come into this one late....

Firstly, the virus is a virus, not adware, so Ewido and others aren't going to remove it; they're not designed for that.

http://us.mcafee.com/root/mfs/default.asp

If you use the link above, that will take you to the McAfee Free scan.

Run the free scan and let me know what it finds. I've got a removal tool that will get rid of it, but after having seen some of the changes made above I want to be sure I'm advising the right method of removal.

Basically, we don't use Symantec. Period.

Thanks
Si
Simon Earl

Just another thought: is System Restore turned off?

If not, turn it off, run another scan and then reboot.

Once you've rebooted, turn it back on (if you so wish). I tend to keep it turned off.

Cheers
Si
scoot63

ASKER
C:\WINDOWS\Temp\arm8557.tmp W32/Areses.h
C:\WINDOWS\Temp\smss.exe W32/Areses.h
Here is what McAfee found,
and System Restore is turned off.
Set the machine to see all system files.
Simon Earl

I would go to Control Panel, Internet Options and empty the Temporary Internet Files.

Should get rid of the bugger!

Si
scoot63

ASKER
The infected files are in c:\windows\temp. Deleting temp internet files doesn't touch it. Went to it manually and deleted smss.exe, and attempted to delete arm8557.tmp and it prompted me for the XP SP2 CD; says it needs some DLL cache files. Rebooted and Norton found the same virus w32.areses.q!vbs in c:\documents and settings\local settings\temp.
scoot63

ASKER
And the infected file was message.htm. The file was deleted successfully by Norton; it doesn't exist until you reboot, then it finds it again.
Simon Earl

Scoot63,

Quickest way is to send me an email

I'll email you a 90-day trial for McAfee Total Protection Solutions.

Should get rid of the bugger.

Take it easy
Si
scoot63

ASKER
I'll try it.
This thing is wicked. If you go into safe mode the arm8557.tmp file is in the c:\windows\temp folder. You can delete it and it goes to the Recycle Bin, then comes right back to the c:\windows\temp folder. It also adds that line back to the registry: Image File Execution Options\explorer, Debugger.
scoot63

ASKER
Gotta go, closing time for these folks. Will check further posts when I get back to the office.
Thanks.
ASKER CERTIFIED SOLUTION
rpggamergirl

Log in or sign up to see answer
rpggamergirl

Silent Runners didn't find the other file you mentioned --> c:\documents and settings\local settings\temp

When you look in your registry, also check if "iexplore.exe" is listed under the "Image File Execution Options" key.

BTW, have you tried running DrWebCureIt?

Also, you should turn your System Restore back on; it's a bad idea to turn it off while your system is at risk of messing up (while cleaning viruses etc.).
If something happens, it is better to have a bad restore than none, unless you are happy to reformat.
It is better to turn off/flush System Restore points when your system is stable. Any viruses in your System Restore points, if there are any, are harmless till you use those points.
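Two posts in this thread describe the persistence mechanism that keeps bringing the file back: scoot63 reports a Debugger value under Image File Execution Options\explorer that is re-added after deletion, and rpggamergirl asks to check whether iexplore.exe has one too. The following is an added example, not code from any of the posters or from Autoruns, that enumerates every IFEO Debugger value and the common Run/RunOnce autostart keys (the registry side of what r-k's Autoruns walkthrough shows in a GUI), flags anything pointing into a Temp folder, and shows a dry-run removal of the explorer.exe entry. It assumes PowerShell 5.1 or later from an elevated prompt; the Temp-path heuristic and the function names are my own.

```powershell
# Added example: enumerate IFEO "Debugger" hijacks and common Run-key autostarts, then
# show the cleanup step for a confirmed entry. Assumes PowerShell 5.1+ from an elevated
# prompt. The only image names taken from the thread are explorer.exe and iexplore.exe.

$IfeoKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

function Get-IfeoDebugger {
    # Each subkey is named after an image file. If it carries a Debugger value, Windows
    # launches that "debugger" instead and passes the original command line to it, which
    # is why a malware loader registered for explorer.exe runs at every logon.
    Get-ChildItem -Path $IfeoKey -ErrorAction SilentlyContinue | ForEach-Object {
        $dbg = Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue
        if ($dbg) {
            [pscustomobject]@{ Image = $_.PSChildName; Debugger = $dbg.Debugger }
        }
    }
}

function Get-RunKeyEntry {
    # The autostart keys msconfig shows; Autoruns covers many more (services, Winlogon, BHOs).
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($k in $keys) {
        if (-not (Test-Path $k)) { continue }
        (Get-ItemProperty -Path $k).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
            ForEach-Object { [pscustomobject]@{ Key = $k; Name = $_.Name; Command = $_.Value } }
    }
}

function Remove-IfeoDebugger {
    # Supports -WhatIf so the cleanup can be rehearsed before touching the registry.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)][string]$Image)
    $path = Join-Path $IfeoKey $Image
    if ($PSCmdlet.ShouldProcess($path, 'Remove Debugger value')) {
        Remove-ItemProperty -Path $path -Name Debugger -ErrorAction Stop
    }
}

# Report. Anything whose debugger or launch command lives under a Temp folder is flagged;
# the heuristic is an assumption based on where this thread's files were found.
$suspect = '(?i)\\temp\\'
Get-IfeoDebugger | ForEach-Object {
    $flag = if ($_.Debugger -match $suspect) { 'SUSPECT' } else { '' }
    '{0,-8} IFEO {1,-20} -> {2}' -f $flag, $_.Image, $_.Debugger
}
Get-RunKeyEntry | ForEach-Object {
    $flag = if ($_.Command -match $suspect) { 'SUSPECT' } else { '' }
    '{0,-8} {1}\{2} -> {3}' -f $flag, $_.Key, $_.Name, $_.Command
}

# Dry run of the cleanup for the entry scoot63 reported; drop -WhatIf once it is confirmed.
Remove-IfeoDebugger -Image 'explorer.exe' -WhatIf
```

Read the IFEO list rather than clearing it wholesale: a Debugger value is also how legitimate just-in-time debuggers such as Visual Studio's register themselves, so the path it points to is what decides. And as scoot63 saw, the value comes straight back while the loader is running, so the order that works is to identify and stop the process that re-drops the file in Temp (or boot from clean media), remove the Debugger value, delete the file, then reboot and run the report again to confirm neither has returned.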