scoot63 asked:
w32.areses.q!vbs virus

Hi,
On site in a customer's office and the PC is infected with the above virus. Norton Corp finds it every time I reboot, in the temp folder. I deleted everything out of the temp folder; it must be rebuilding it every time I reboot. I have found a file that I believe is the problem, but I can't find it, though I can see it in my HijackThis log: c:\documents and settings\all users\documents\settings\arm32.dll. I have tried to Avenge it but I get an "invalid script" error. Also tried to remove it from the Recovery Console, but I get "access denied" when I try to go to the subdirectory. It's a bad deal. Please help.
SOLUTION by r-k
(Solution text not available on this page; members only.)
scoot63 (ASKER):
OK, finally got rid of arm32.dll; not a problem anymore. Norton is still finding w32.areses.q!vbs every time I reboot. It deletes the file, but it is being regenerated every time I boot. Ewido doesn't find it in Safe Mode, and Norton doesn't find it either.
scoot63 (ASKER):
Also getting a funny error on boot: error 00000000; when you hit Close it goes to error 0012caa0. The only way to close it is through Task Manager; it just says "error". Nothing running in msconfig, and no processes I don't recognize.
Does Norton say which file is infected, and which folder it is in?

According to the Norton web site this trojan creates a file with a random name in your c:\ root folder. Check there for any recently created files. Also, update Norton so the def files are newer than Sep 7 and run a full scan in safe mode.
Does that error appear after the desktop starts to load? Possibly some startup entry has a file missing, probably one of the infected files you disabled or deleted.

Msconfig is very incomplete. Here is a better idea:

(1) Download Autoruns from: http://www.sysinternals.com/Utilities/Autoruns.html

(2) Run the program. It lists a bunch of things that start when Windows starts.

(3) From the menu bar, select Options, then uncheck "Include Empty Locations" and check "Hide Microsoft Entries".
    Important -> Then click the Refresh button in the toolbar.

(4) This will give you a shorter, more meaningful list.

(5) Examine that list and disable anything suspicious by un-checking it. Then reboot and see if it helped.

(6) If not, or if not sure, you can use the File -> Save as.. option in Autoruns to save the list to a text file and then cut and paste it here.
scoot63 (ASKER):
Virus defs are updated. The file that's infected is message.hta in c:\documents and settings\user\local settings\temp. One instance where it found apq2.tmp in the Symantec Shared folder.
rpggamergirl:
Can we look at a HijackThis log please?
Don't fix any entries, just let us look at it.

Please download HijackThis 1.99.1
http://www.cyberanswers.org/forum/uploads/HijackThis1991.exe
Open HijackThis and click "Do a system scan and save a logfile"; don't fix anything yet.

Then go to the link below and log in using your Experts-Exchange username and password.
http://www.ee-stuff.com
Click on "Expert Area" tab
Type or paste the link to your question.
"Browse" your PC to the location of your HijackThis log and click "Upload".
Copy the resulting URL and post it back here.

OR: paste the log to either of these sites:
1. http://www.rafb.net/paste/
then at the bottom left corner click "paste".
Copy the address/URL and post it here.

2. Or at --> http://www.hijackthis.de/
and click "Analyse", then click "Save". Then post the link to the saved list here.

I'm sorry, the virus is not showing in your HijackThis log.

Did Norton give you the name and location of the virus?

Try DrWebCureIt; it might find and delete it.
1.  Download and install DrWebCureIt:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
to your desktop.
Double-click "drweb-cureit.exe" and click "OK" in the prompt window that opens, asking "start the express scan now".
It will first make a quick scan of your system; let it clean what it finds, and when it says "done",
click on the green screwdriver.
Actions tab: Adware, Dialers, Riskware, Hacktools; use the dropdown menu and select "Delete".
Click on the drive(s) you want to scan. A red dot will mark the selected drive(s). Then hit the green arrow in the lower right corner. It will now scan your drive(s); say yes to all.

After the scan, in the Dr.Web CureIt menu on top, click File and choose "Save report list".
Save the report to your desktop. The report will be called DrWeb.csv.
Close Dr.Web CureIt.
Reboot your computer! It is possible that files in use will be moved/deleted during the reboot.
After the reboot, post the contents of the Dr.Web log you saved previously in your next reply.


Or:
2.  Silent Runners might show the file:
Please download Silent Runners.
http://www.silentrunners.org/Silent%20Runners.vbs
* Save it to the desktop.
* Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
* You will see a text file appear on the desktop. It's not done yet; just let it run (it won't appear to be doing anything!).
* Once you receive the prompt "All Done!", double-click on the new text file on the desktop, copy that entire log and upload it: go to http://www.rafb.net/paste/ and paste your log,
then at the bottom left corner click "paste".
Copy the address/URL and post it here:

*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.


Wow, I've come into this one late...

Firstly, the virus is a virus, not adware, so Ewido and others aren't going to remove it; they're not designed for that.

http://us.mcafee.com/root/mfs/default.asp

If you use the link above, that will take you to the McAfee Free scan.

Run the free scan and let me know what it finds. I've got a removal tool that will get rid of it, but after having seen some of the changes made above I want to be sure I'm advising the right method of removal.

Basically, we don't use Symantec. Period.

Thanks
Si
Just another thought: is System Restore turned off?

If not, turn it off, run another scan and then reboot.

Once you've rebooted, turn it back on (if you so wish). I tend to keep it turned off.

Cheers
Si
scoot63 (ASKER):
Here is what McAfee found:
C:\WINDOWS\Temp\arm8557.tmp W32/Areses.h
C:\WINDOWS\Temp\smss.exe W32/Areses.h
System Restore is turned off.
Set the machine to see all system files.
I would go to Control Panel, Internet Options and empty the Temporary Internet Files.

Should get rid of the bugger!

Si
scoot63 (ASKER):
The infected files are in c:\windows\temp; deleting Temporary Internet Files doesn't touch it. Went to it manually and deleted smss.exe, and attempted to delete arm8557.tmp, but it prompted me for the XP SP2 CD, saying it needs some DLL cache files. Rebooted and Norton found the same virus, w32.areses.q!vbs, in c:\documents and settings\local settings\temp.
scoot63 (ASKER):
And the infected file was message.htm. The file was deleted successfully by Norton; it doesn't exist until you reboot, then it finds it again.
Scoot63,

Quickest way is to send me an email.

I'll email you a 90 day trial for McAfee Total Protection Solutions

Should get rid of the bugger.

Take it easy
Si
scoot63 (ASKER):
I'll try it.
This thing is wicked. If you go into Safe Mode, the arm8557.tmp file is in the c:\windows\temp folder. You can delete it and it goes to the Recycle Bin, then comes right back to the c:\windows\temp folder. It also adds that line back to the registry: Image File Execution Options\explorer, debugger.
scoot63 (ASKER):
Gotta go, closing time for these folks. Will check further posts when I get back to the office.
Thanks
ASKER CERTIFIED SOLUTION
(Solution text not available on this page; members only.)
Silent Runners didn't find the other file you mentioned --> c:\documents and settings\local settings\temp

When you look in your registry, also check whether "iexplore.exe" is listed under the "Image File Execution Options" key.

BTW, have you tried running DrWebCureIt?

Also, you should turn your System Restore back on; it's a bad idea to turn it off while your system is at risk of messing up (while cleaning viruses etc.).
If something happens, it is better to have a bad restore than none, unless you are happy to reformat.
It is better to turn off/flush System Restore points when your system is stable. Any viruses in your System Restore points, if there are any, are harmless until you use those points.
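The two persistence tricks this thread keeps running into (the "Debugger" value under Image File Execution Options\explorer.exe that the asker sees being re-added, and an autostart copy of smss.exe in C:\WINDOWS\Temp, where the real smss.exe never lives) can be checked from a plain registry export without trusting tools on the infected box. The script below is an added example, not code from the original thread or from Autoruns, Silent Runners or any other tool named above. It assumes you ran `reg export` on the IFEO and Run keys (commands in the docstring) and copied the .reg files off the machine; the sample export embedded in it is constructed from the paths the asker quoted and is not a real capture.

```python
"""Offline triage of Windows .reg exports for two persistence tricks:
an Image File Execution Options (IFEO) "Debugger" value, which makes Windows
start the named program in place of the real one (here explorer.exe), and
Run entries that launch from a Temp folder or reuse a core system process
name (smss.exe) outside %SystemRoot%\\system32.

Assumed workflow on the infected PC (added example, keys as quoted in the thread):
    reg export "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options" ifeo.reg
    reg export "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" run.reg
then: triage_reg(parse_reg(load_reg_bytes(open('ifeo.reg', 'rb').read())))
"""
import re
from typing import Dict, List, NamedTuple

IFEO_PREFIX = (r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT'
               r'\CurrentVersion\Image File Execution Options' + '\\')
RUN_KEY_SUFFIXES = (r'\Microsoft\Windows\CurrentVersion\Run',
                    r'\Microsoft\Windows\CurrentVersion\RunOnce')
# Core processes that legitimately exist only in %SystemRoot%\system32.
SYSTEM32_ONLY = {'smss.exe', 'csrss.exe', 'winlogon.exe', 'services.exe', 'lsass.exe'}

# Constructed sample export mirroring what the asker reported; not a real capture.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe]
"Debugger"="C:\\WINDOWS\\Temp\\arm8557.tmp"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path]
"GlobalFlag"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"smss"="C:\\WINDOWS\\Temp\\smss.exe"
'''

_KEY_RE = re.compile(r'^\[(.+)\]$')
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')   # "name"=data or @=data


def _unescape(s: str) -> str:
    # .reg strings escape only backslash and double quote, each with a backslash.
    return re.sub(r'\\(.)', r'\1', s)


def load_reg_bytes(raw: bytes) -> str:
    """regedit/reg.exe write UTF-16 with a BOM; older REGEDIT4 files are ANSI."""
    if raw[:2] in (b'\xff\xfe', b'\xfe\xff'):
        return raw.decode('utf-16')
    return raw.decode('latin-1')


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key path: {value name: data}}. String data is unescaped; dword:/hex:
    data is kept as its raw token. Continuation lines of hex values are skipped."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith((';', 'Windows Registry Editor', 'REGEDIT4')):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = '(Default)' if m.group(1) is None else _unescape(m.group(1))
            data = m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


class Finding(NamedTuple):
    key: str
    value: str
    data: str
    reason: str


def _program_path(command: str) -> str:
    """Program part of a Run command line: the quoted path, else the first token
    (an unquoted path containing spaces is ambiguous and is cut at the space)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(' ', 1)[0]


def triage_reg(keys: Dict[str, Dict[str, str]]) -> List[Finding]:
    findings: List[Finding] = []
    for key, values in keys.items():
        kl = key.lower()
        # Any Debugger value under IFEO\<image> redirects launches of <image>.
        if kl.startswith(IFEO_PREFIX.lower()) and 'Debugger' in values:
            image = key[len(IFEO_PREFIX):]
            findings.append(Finding(key, 'Debugger', values['Debugger'],
                            f'{image} is hijacked: Windows runs this "debugger" instead of {image}'))
        if kl.endswith(tuple(s.lower() for s in RUN_KEY_SUFFIXES)):
            for name, data in values.items():
                path = _program_path(data).lower()
                base = path.rsplit('\\', 1)[-1]
                reasons = []
                if '\\temp\\' in path:
                    reasons.append('autostart from a Temp folder')
                if base in SYSTEM32_ONLY and '\\system32\\' not in path:
                    reasons.append(f'{base} exists only in system32; this copy is an impostor')
                if reasons:
                    findings.append(Finding(key, name, data, '; '.join(reasons)))
    return findings


def remediation(findings: List[Finding]) -> List[str]:
    """reg.exe commands that remove each flagged value (run after the files they
    point to are gone; the thread shows the value being re-created while the
    malware is still running)."""
    return [f'reg delete "{f.key.replace("HKEY_LOCAL_MACHINE", "HKLM", 1)}" /v "{f.value}" /f'
            for f in findings]


if __name__ == '__main__':
    found = triage_reg(parse_reg(SAMPLE_REG))
    for f in found:
        print(f'{f.value} = {f.data}\n    {f.reason}\n    ({f.key})')
    print(*remediation(found), sep='\n')
```

On the sample this flags exactly the two entries the thread describes and emits a `reg delete` for each. Two caveats: a Debugger value is only a hijack if nobody installed it on purpose (developer tooling uses the same mechanism), so treat the output as a list to review rather than a kill list; and the Temp heuristic is a string match on the path, so it will not catch a dropper that copies itself somewhere more plausible.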