Link to home
Start Free TrialLog in
Avatar of scoot63

asked on

w32.areses.q!vbs virus

on site in customers office and pc is infected with above virus. norton corp finds it every time i reboot in temp folder. deleted everything out of temp folder must be rebuilding it every time i reboot.i have found a file that i beleive is the problem cant find it though. i can see it in my hijack.log c:\documents and settings\all users\documents\settings\arm32.dll. have tried to avenge it but i get a invalid script error.also tried to remove it from recovery console but is get access denied when i try to go to the sub directory. its a bad deal. PLS help
Avatar of r-k

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of scoot63


ok finally got rid of arm32.dll not a problem still finding w32.areses.q!vbs everytime i reboot. it deletes the file but it is being regenerated every time i boot.ewido doesnt find it in safe mode and norton doesnt find it either
Avatar of scoot63


also getting funny error on boot error 00000000 when u hit close it goes to error 0012caa0 the only way to close it is thru task manager it just says error. nothing running in msconfig not any processes i dont recognize.
Does norton say which file is infected? and which folder is it in?

According to the Norton web site this trojan creates a file with a random name in your c:\ root folder. Check there for any recently created files. Also, update Norton so the def files are newer than Sep 7 and run a full scan in safe mode.
Does that error appear after the desktop starts to load? Possibly some startup has a file missing - probably one of the infected files you disabled or deleted.

Msconfig is very incomplete. Here is a better idea:

(1) Download Autoruns from:

(2) Run the program. It lists a bunch of things that start when Windows starts.

(3) From the menu bar, select Options, and uncheck "Include Empty Locations" and "check" "Hide Microsoft Entries"
    Important -> Then click the Refresh button in the toolbar.

(4) This will give you a shorter, more meaningful list.

(5) Examine that list and disable anything suspicious by un-checking it. Then reboot and see if it helped.

(6) If not, or if not sure, you can use the File -> Save as.. option in Autoruns to save the list to a text file and then cut and paste it here.
Avatar of scoot63


virus defs are updated the file thats infected is message.hta c:\documents and settings\user\local settings\temp. one instance where it found apq2.tmp in the symantec shared folder
Avatar of rpggamergirl
Can we look on a hijackthis log please?
Don't fix any entries, just let us look at it.

Please download HijackThis 1.99.1
Open Hijackthis, click "Do a system scan and save a logfile" don't fix anything yet.

Then go to the below link and login using your Experts-Exchange username and password.
Click on "Expert Area" tab
type or paste the link to your Question
"Browse" your pc to the location of your Hijackthis log and click "Upload"
Copy the resulting "url" and post it back here.

OR: paste the log to either of these sites:
then at the bottom left corner click "paste"
Copy the address/url and post it here.

2. or at --> 
and click "Analyse", click "Save".  Then post the link to the saved list here.
I'm sorry, the virus is not showing in your hijackthis log.

Did Norton give you the name and location of the virus?

Try DrWebCureIt, it might find and delete it.
1.  Download and install DrWebCureit:
to your desktop.
Doubleclick the "drweb-cureit.exe" and click "ok" in the prompt window that will open , asking "start the express scan now".
It will first make a quick scan of your system, let it clean what it find, and when it says "done"
Click on the green screwdriver-
Actions Tab- Adware-Dialers-Riskware-Hacktools, use dropdown menu and select -Delete
Click on the drive(s) you want to scan . A red dot will mark the selected drive(s) . Then hit the green  arrow in lower right corner It will now scan your  drive(s), say yes to all

After the scan, in the Dr.Web CureIt menu on top, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

2.  Silent runners might show the file:
Please download Silent Runners.
* Save it to the desktop.
* Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
* You will see a text file appear on the desktop - it's not done yet, just let it run (it won't appear to be doing anything!)
* Once you receive the prompt "All Done!", double-click on the new text file on the desktop and copy that entire log and upload the logfile created, go here and paste your log,
then at the bottom left corner click "paste"
Copy the address/url and post it here:

*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

Wow, I've come into this one late....

Firstly, the virus is a virus, not adware, so eido and other's aren't going to remove it, they're not designed for that.

If you use the link above, that will take you to the McAfee Free scan.

Run the free scan and let me know what it finds......I've got a removal tool that will get rid of it, but after having seen some of the changes made above I want to be sure I'm advising the right method of removal.

Basically, we don't use Symantec....period......

Just another System Restore turned off ?

If not, turn it off, run another scan and then reboot

Once you've rebooted, then turn it back on (if you so wish) I tend to keep it turned off

Avatar of scoot63


C:\WINDOWS\Temp\arm8557.tmp W32/Areses.h
C:\WINDOWS\Temp\smss.exe W32/Areses.h
here is what mcafee found
and system restore is turned off
set machine to see all system files
I would go to Control Panel, Internet Options and empty the Tempory Internet Files

should get rid of the bugger !

Avatar of scoot63


the infected files are in the c:\windows\temp. deleting temp internet files doesnt touch it. went to it manually and deleted smss.exe and attempted to delete arm8557.tmp and it prompted me for xp sp2 cd says it need some dll cache files. rebooted and norton found the same virus w32.areses.q!vbs in c:\documents and settings\local settings\temp
Avatar of scoot63


and the infected file was message.htm the file was deleted successfully by norton it doesnt exist until you reboot then it finds it again

Quickest way is to send me an email

I'll email you a 90 day trial for McAfee Total Protection Solutions

Should get rid of the bugger

Take it easy
Avatar of scoot63


ill try it
this thing is wicked if u go into safemode the arm8557.tmp file is in the c:\windows\temp folder. u can delete it and it goes to the recycle bin then comes right back to the c:\windows\temp folder is also adds that line back to the registry image file execution options \explorer debugger
Avatar of scoot63


gotta go closing time for these folks u will check further posts when i get back to office
Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Silent Runners didn't find the other file you mentioned --> c:\documents and settings\local settings\temp

When you look in your registry also check if "iexplore.exe" is also listed under Image File Execution Options" key

BTW, have you tried running DrWebCureIt?

Also you should turn your System Restore back on, it's a bad idea to turn if off while your system is at risk of messing up(while cleaning viruses etc)
If something happens, it is better to have a bad restore than none, unless you are happy to reformat.
It is better to turn off/flush system restore points when your system is stable. Any viruses in your system restore points if there are any are harmless till you use those points.