Anybody Out There Been Hit With Spazbox
garyb
Aug 21, 2004, 05:14 PM
I've been hit with some type of virus that has taken over my Internet Explorer. Every time I reboot my computer I'm directed to a website http:// clicks.spazbox.net/mt.html/ and a Trojan virus (of differing types) is inserted into my system.
On each occasion various malicious programs have been installed onto my hard drive, my registry has been corrupted and my startup files have malware items.
I've literally spent hours with both Trendmicro and Microsoft and they have no solution other than re-installing Windows. In addition I've run, on multiple occasions, Spybot Search & Destroy, two other Spyware programs and sysclean. Nothing helps!
Anybody out there ever heard of spazbox and know what to do about it?
Thanks,
Gary
cathko
Aug 26, 2004, 02:17 AM
Hi, I have the same problem. Have you solved it?
martin01
Aug 26, 2004, 01:34 PM
>:(
Same problem for me. I tried several things but was unable to avoid that at every reboot, my PC connects with spazbox...
Let me know if you have a solution!!
mikee
Aug 26, 2004, 03:51 PM
:-[ i got it 2, on a customers pc, been fighting it 4 3 days !!!! :'( >:(
tahoka
Aug 27, 2004, 04:12 PM
I've got a laptop with this SpazBox - spyware or virus?
AdAware and SpybotSD aren't getting rid of it and McAfee doesn't recognize it. It's very disturbing!
Anyone have a solution? Please email me if you do -
[email protected]
Thanks!
Jay
garyb
Aug 27, 2004, 06:12 PM
I've got a solution, more or less.
After finally talking to a Level 2 Tech at TrendMicro he sent me a new version of their software that provides internet security, had me download a registry cleaner and had me run CW Shredder and Spy Sweeper.
The bottom line is this, once you've got this thing you have to clean out your machine with the above mentioned tools, install software that essentially disables Internet Explorer by blocking Spazbox (and all other sites) from coming through IE and install a different browser with better security.
I installed Mozilla Firefox, but I've heard Opera is more secure.
The bottom line is that, once this thing hits you and unless you want to spend hours manually cleaning out your Registry, you have to say goodbye to Internet Explorer.
The only lingering effects I have right now are that, on startup, a TrendMicro page comes up indicating that Spazbox is being blocked and I've got some residual file damage from the viruses that brought this little goodie into my machine. Other than that, every time I run a virus check or Spy Sweeper the results come up clean.
As I indicated initially, there are no good solutions to this problem, but the one I implemented was at least liveable.
Hopefully you find this helpful
mikee
Aug 28, 2004, 12:03 AM
;D I found a HIDDEN :o partition that the PC was booting from and emulating(4 lack of a better term) XP, so no matter what I did to clean xp, when web access was enabled it reloaded all the viruses, mal/ad/spy-ware...
Good luck all.. . 8)
Numbskull
Aug 28, 2004, 03:29 AM
Hi,
I had the same problem. But I finally got rid of it ;D
I found this link and read what I had to do.
http://www.trojaner-info.de/hijacker/escan.shtml
It worked with kav for me.
XCG79
Aug 28, 2004, 09:59 AM
I got rid of it by opening Windows Task Manager and stopping a process called asetup.exe. Then I opened up Windows Explorer and found the asetup.exe file in the root of the C: drive and deleted that.
tahoka
Aug 28, 2004, 01:29 PM
Thanks for the great tip!!
I had asetup32.exe on the root. I checked my other Windows2000 boxes and they didn't have that file.
I renamed it Xsetup32.xxe in case I actually needed the file - rebooted and the spazbox /browser thing did NOT come up!! Wonderful!
Earlier I did try some other packages recommended but they did not work - only this asetup.exe solution seems to work.
Marc_vd_Zanden
Aug 30, 2004, 01:34 AM
Hello best computer people,
Beat that window with http://clicks.spazbox.net/mt.html
It cost me 2 evenings of my time. But...
:)
I have found the solution. It's working with Windows XP Home edition.
First: set de system recovery off
Start regedit
Go to:
HKEY_LOCAL_MACHINE->Software->Microsoft->Windows->CurrentVersion->Run
Delete the following 3 regkeys
REGSRV32.EXE
C:\asetup32.exe
Rundll32.exe "C:\WINDOWS\Download Program Files\bridge.dll", Load
Go to:
HKEY_LOCAL_MACHINE->Software->Microsoft->Windows->CurrentVersion->RunServices
Delete the following regkey
REGSRV32.EXE
Exit regedit
Turn off your machine
Wait a few seconds and start your PC again.
Don't forget to set the system recovery back to on.
Good luck
alicka
Aug 30, 2004, 10:53 PM
SP2 will solve all probs.
Regards~
katerinaki13
Sep 1, 2004, 10:35 PM
In my occasion due to "spazbox" my PC makes autodial to the internet every time that I disconnect from the internet. I found TWICE a file that is called dasetup.exe.
C:\Windows\Temp\IXP000.TMP
And also at the location
C:\Program Files\Common Files\Microsoft Shared\dasetup
May I delete it to get rid of spazbox?
alicka
Sep 1, 2004, 11:40 PM
Yes delete the whole temp folder.
Temp stands for temporary, in other words duplicate.
After that delete the dasetup. I'd say its prob
Just back up any data that's valuable. Still get probs then get back to us.
Regards~alicka
katerinaki13
Sep 2, 2004, 03:47 AM
OK, thanks a lot for your advice, I'll try it now.
Perhaps you could also give me some piece of advice
For another problem:
What about a file called
W32usb2.exe in the system folder
Which is infected by W32.Spybot.Worm?
Norton was unable to repair this file.
I guess the only solution is to backup my files
And format my PC?
:( That really makes me angry!!
hangingwall
Sep 5, 2004, 07:42 PM
Hi all
I've also been battling with this for a couple of days now! So far I've got PestPatrol and Spy Sweeper to wipe out the spy/ad-ware generated by it and my FireWall stops it starting with a little manual help. Not a very satisfactory way to deal with it really.
I'm using xp pro and don't seem to have the same files in the registry as Marc.
For example my reg has an arsetup32.exe instead of an asetup32.exe file. Does anybody know if these are the same or not?
Anybody managed to remove this from an XP Pro machine yet?
Janet
Sep 7, 2004, 02:28 AM
This is a very nasty beast.
I have seen it on my system as arsetup32.exe also. The other important file is regsrv32.exe
I could not locate the other file names as described in the earlier posts.
I did a search through my registry for regsrv32.exe and found the registry riddled with it. Many more entries than described in previous posts. I used regalyzer from http://www.safer-networking.org to search and delete these entries.
I can clean these up but it keeps reappearing. It is shutting down attempts to start up the task manager with Ctrl-Alt-Del (is there another way to get to the task manager in XP home?). It also closes down attempts to start Vet or the firewall (Sygate)
I'm running Spybot but it doesn't seem to be able to kill it off. Adaware no good either.
Getting to the point where we Format c: and start all over again. Painful.
Janet
Sep 7, 2004, 05:14 AM
Just found some relevant info on regsrv32.exe. Seems it is a virus. Beware, there is a valid system file called regsvr32.exe (note that the v and r are swapped). As for regsrv32.exe this file is the virus DDoS-Apbot@MM. Here's a reference link if you want to read about it:
http://vil.nai.com/vil/content/v_99144.htm
There are some tips for cleaning it at this site: http://forums.thetechguys.com/archive/index.php/t-5453.html
This appears to be a fairly old virus (2001) and discussion on the above pages does not mention the arsetup32.exe file. It may be that it is a new variant of an old virus.
I'm going to give it a try...
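The name swap described in the post above (regsrv32.exe versus the legitimate regsvr32.exe) can be checked mechanically. This is an added example, not part of the original thread: it compares executable names taken from autorun values against a small allowlist using an edit distance that counts an adjacent-letter swap as one change. The allowlist, function names and the benign sample entry are assumptions made for illustration.

```python
"""Flag autorun entries whose executable name imitates a Windows system binary."""
import ntpath
import re

# Illustrative allowlist of commonly imitated Windows binaries (assumption, not exhaustive).
KNOWN_GOOD = {"regsvr32.exe", "rundll32.exe", "explorer.exe", "svchost.exe", "iexplore.exe"}

def osa_distance(a, b):
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            # Two swapped neighbouring letters count as a single edit.
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def image_name(command):
    """Extract the lower-cased executable file name from an autorun command line."""
    command = command.strip()
    m = re.match(r'"([^"]+)"', command) or re.match(r"(.+?\.exe)\b", command, re.I)
    path = m.group(1) if m else command.split()[0]
    return ntpath.basename(path).lower()

def lookalikes(commands, max_distance=1):
    """Return (command, imitated_name) for names near, but not equal to, a known binary."""
    hits = []
    for cmd in commands:
        name = image_name(cmd)
        if name in KNOWN_GOOD:
            continue  # exact name match; the file's path and signature still need checking
        for good in sorted(KNOWN_GOOD):
            if osa_distance(name, good) <= max_distance:
                hits.append((cmd, good))
                break
    return hits

# Constructed sample: Run-key values quoted earlier in this thread plus one benign entry.
SAMPLE_RUN_VALUES = [
    "REGSRV32.EXE",
    "C:\\asetup32.exe",
    'Rundll32.exe "C:\\WINDOWS\\Download Program Files\\bridge.dll", Load',
    "C:\\WINDOWS\\system32\\regsvr32.exe /s example.dll",
]

if __name__ == "__main__":
    for cmd, good in lookalikes(SAMPLE_RUN_VALUES):
        print(f"suspicious: {cmd!r} imitates {good}")
```

Only the imitated name is flagged here; entries such as asetup32.exe or a genuine rundll32.exe loading an unknown DLL pass a name comparison and need a separate check.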
hangingwall
Sep 7, 2004, 07:07 PM
All gone now! :D I hope
I ended up having to delete arsetup.exe from windows directory and winboot32.exe and winmom32.exe from run and run once registars
I've renamed the file kla.exe in windows directory - I think this file was also involved but not 100% sure. Anybody know what it does?
Vipersman
Sep 9, 2004, 09:18 AM
Hmmm nasty little bugger >:(
My customer's system is so riddled with spy/malware that I can't open regedit or task manager.
A search of the system does reveal arsetup.exe in the root of C:/ but I can't delete it without ending the process - which I can't do as I can't open Task Manager
Any ideas anyone?
??
fboutlet
Sep 9, 2004, 02:22 PM
Removing arsetup.exe worked for my mother-in-law's PC. She had the annoying spazbox and 4 different viruses on her PC, including the W32.Spybot.Worm. The PC also kept opening 2 Internet Explorer windows at startup each time.
First off, I installed the latest AdAware Personal http://www.lavasoftusa.com/software/adaware/ and removed all spyware. Be sure to keep the internet connection off after it is clean, so it doesn't fill up with more.
To remove the arsetup.exe file, try starting your PC in SAFE MODE. Keep hitting F8 as it's starting up and select SAFE MODE. Find the file and either rename it to be safe or delete it all together.
Also, go into the registry and delete any references to the arsetup.exe file in the following locations:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Then restart and see what happens... you should be all clear.
I also removed any references to IEXPLORE.EXE in those registry locations to stop it from launching twice at startup.
To remove the W32.SpyBot.Worm, go to http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.worm.html for information on how to remove it. Worked like a charm.
freakedout
Sep 13, 2004, 05:13 AM
One of my machines is also infected. I've run Norton, XoftSpy, Spyguard and A2(Squared) over this XP Home machine. Though the speed has improved the packages continually pick up new malwares. The only way I've been able to get to the Registry is by booting in Safe Mode. If I boot in 'ordinary' mode then, like earlier respondents, the virus seems to kill any attempts to call task manager (Ctl+Alt+Del), or MSCONFIG or even Norton.
When in Safe Mode I removed references to REGSRV, ARSETUP, etc from the registry. I also deleted them from C:\ and C:\windows (and anywhere else I found them for good measure).
But SPAZBOX reappears whenever IE Explorer is launched.
This thing is driving me up the walls.
I think I need to be able to boot in Normal Mode and then delete the processes, but alas I can't get at those commands.
I have noticed that all seems fine until I make my dial up internet connection (via network connections). Though not configured to do so, the dial up monitor indicates a lot of activity and then, after about 5 minutes, opens an IE window and directs itself to SPAZBOX (not nominated as home page). Is there a registry entry that says what to do once an Internet connection is established?
Sorry about all the Qs but really, this thing has me demented.
Janet
Sep 13, 2004, 05:26 AM
Hi Freaked out,
I used regalyzer from http://www.safer-networking.org to search and delete these entries. This is a registry editor program that these viruses do not try to shut down.
Hijack This! is another good tool to try. It highlights non-standard registry entries that are related to your browser. Some may be valid, others will not be so be careful what you delete. (Oh yes I forgot that the viruses would not let this start up until I had successfully run the virus checker. It's a good tool for additional cleanup though)
Ultimately I conquered this thing with a fresh update of VET. You can do a manual download of the latest virus signature files and update it using a utility you can download at the same time. Running this utility made Vet immediately active in memory without having to reboot and without allowing the virus the chance to shut it down.
It immediately detected FOUR viruses active in memory and killed them off. A full scan then found another 14 infections.
Once I dealt with the viruses, Spybot and Adaware cleaned up the rest.
Good Luck
freakedout
Sep 13, 2004, 07:10 PM
Thanks Janet. I'll have a lash off that and I'll let you know how I go.
Do you (or any of the interested observers) have any idea about the unrequested launch of IE. In other words, I call the dialer and then, after about 3-5 minutes, even without initiating IE, the IE window appears... and guess where... u got it... SPAZBOX. Is the IE launch driven by the REGSRV32.EXE / ARSETUP corruptions or is this a separate entry.
TIA
Janet
Sep 13, 2004, 08:07 PM
I'd say it's definitely related.
freakedout
Sep 14, 2004, 09:04 AM
OK. Now I'm really mad >:( I used Regalyiser to find and remove the references to ARSETUP and REGSRV32 in LOCAL MACHINE, LOCAL USER , etc. I then searched the entire reg for any other occurrences that I might have missed. I removed the lot. After a few reboots I was able to access Task Manager (... what progress)...
Before I kicked off my dialer I got to look at the Processes in Task Manager and the little ARSETUP was back. I killed it and dialed and after a few minutes ARSETUP reappeared in Task Manager.
I thought I must be losing my mind. But then I remembered that I'd lost that ages ago. I can but conclude that ARSETUP and REGSRV are only part of the problem. Something else must be giving ARSETUP its wings. Any ideas?
Janet
Sep 14, 2004, 04:49 PM
freakedout, I doubt you will conquer it without an anti-virus program. I know that VET can kill it. Go to www.vet.com, pay the money and download the necessaries, including the program that will immediately install the signatures into memory.
How much time and stress have you wasted on this problem so far?? What is that worth in $$'s ? Certainly more than the cost of a good virus protection program. And you certainly never want to go through this again, right? An up to date anti-virus checker will make sure it never happens again.
The infections I had were not on my PC, but a friend's. She had no anti-virus software, no backups, no firewall, nothing :-[. That's all changed now. Make the investment for yourself. You'll be glad you did.
Carnall
Sep 16, 2004, 04:17 AM
I'm getting unnerved.
Spazbot is on this computer - I keep getting the message when I log on. (It's a shared computer, I'm the technical support user.)
I've searched the hard drive and regedit and the processes window for each of the filenames mentioned here, and none of them appear to be present - but I'm still getting the Spazbot message every time the computer restarts. (I'm running ZoneAlarm, so I can stop it accessing the Internet, but it's still a pain getting the messages.)
The one thing I haven't tried is running the RegAlyzer program from Safer-networking.org - trying that now.
macmurphy
Sep 16, 2004, 06:28 AM
Hi all,
I got hit with this little sometime last week. Nothing seemed to work for me, I'm not that good with computers and couldn't follow some of the advice like setting de system recovery off?
So any at home last night, my cpu was running at 100% and I had only 1 internet window open, it was coming to a grinding halt.
I went into system restore in system tools, eh voilà there you go, set my computer back to a date before I had spazbox (had reformatted only a week previous). Cpu then running at 7% <<<<<<
So now I'm wondering , is this a long term solution?
Or will it all come back to haunt me?
macmurphy
Sep 16, 2004, 06:33 AM
I like this site,
B I t c h comes out as pregnant.. funny
hunterX
Sep 23, 2004, 02:29 AM
Hi.. thanks a lot, I got rid of the spazbox on my system.. thanks for the help everyone!! ;D
DeathByMilkfloat
Sep 27, 2004, 01:11 PM
I accidentally *cough* ran my security software across spazbox.net:
I have left out steps where no results were found. Interesting... I wonder if the owner of Spazbox knows about the possible Trojan on port 5000?
Report begins:
MacAnalysis Started at: 8:29 pm
MacAnalysis scans over 1600 holes, please do something else during the scan. For more informations:
[email protected]
STEP 2: Folders:
Viewable Folder found: (folder path removed by DeathByMilkfloat).
STEP 3: Trojans
Possible trojan found on port 5000
Known trojans: Bubbel, Back Door Setup, Sockets de Troie
STEP 4: Services/Protocols Holes
WEB:80 is active
Version: Apache 2.0
Info: Apache /tmp File Race Vulnerability
Resume: Apache programs htdigest and htpasswd are used to offer advanced features to users of the web server. However, these two helper programs (rest removed by DeathByMilkfloat).
PortMap:111 is active (Risk: Low)
Resume: Your rpc services can be listed by anyone.
Fix: Restrict access to 111/tcp to local clients.
Report ends.
Whilst the ethics of reporting a system scan on the web are questionable, I think there is a possibility that the owner(s) of Spazbox are unaware that their system may have been hijacked. It might be possible... On second thoughts though it is a bit unlikely.
freakedout
Sep 28, 2004, 08:45 AM
:D
Well whadeyno! At last I got rid of the little git. I thank you all for your help. My approach was to take running tasks and run a search in Google over the name. For instance, if winmon32.exe or arsetup.exe or whatever else appeared in my task list, then I searched Google for it. The earlier posts helped me to identify likely nasties. Once I found a nasty then I deleted / renamed it from anywhere I could find it (registry, file / folder name, etc). This approach, in conjunction with the multiplicity of virus / spyware scanners eventually ridded my system of the nasties.
With regard to the contribution about the VET package from Computer Associates, may I point out the following...
Currently I have Norton, Spyguard, AGV, XoftSpy and a couple more applications running on my system. Some of the apps catch some of the nasties. None of them catch all of the nasties. Simply by adding one more layer of protection to the defence may not lead to resolution. It's true that after an amount of time you add it up and say "It would have been cheaper to buy that licence" but that can only be in hindsight. Furthermore, it is apparent that these discussion groups contain contributions from companies in the business of selling nasties protection / removal applications. So, I guess the cynic in me is always on the look out.
Having said that however, I would like to thank all of you who helped to rid me of my demons.
Thanks :P
mejmw
Sep 28, 2004, 02:39 PM
I succeeded in removing arsetup.exe (spazbox.net) by first stopping the "system restore" then removing the entry from the registry, followed by rebooting the machine and deleting the file c:\arsetup.exe. Then restarting system restore. Hope this helps.
Auctionhugh
Nov 1, 2004, 06:57 AM
There is a thread here http://forums.spywareinfo.com/index.php?showtopic=25111 which has a number of helpful suggestions about this nasty bug as well.