[fboutlet]

Removing arsetup.exe worked for my mother-in-law's PC.   She had the annoying spazbox and 4 different viruses on her PC, including the W32.Spybot.Worm.  The PC also kept opening 2 Internet Explorer windows at startup each time.

First off, I installed the latest AdAware Personal http://www.lavasoftusa.com/software/adaware/ and removed all spyware.  Be sure to keep the internet connection off after it is clean, so it doesn't fill up with more.

To remove the arsetup.exe file, try starting your PC in SAFE MODE.  Keep hitting F8 as it's starting up and select SAFE MODE.   Find the file and either rename it to be safe or delete it all together.

Also, go into the registry and delete any references to the arsetup.exe file in the following locations:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\
RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Curr entVersion\
RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Run

Then restart and see what happens... you should be all clear.

I also removed any references to IEXPLORE.EXE in those registry locations to stop it from launching twice at startup.

To remove the W32.SpyBot.Worm, go to http://securityresponse.symantec.com...ybot.worm.html for information on how to remove it.  Worked like a charm.

[freakedout]

One of my machines is also infected . I've run Norton, XoftSpy, Spyguard and A2(Squared) over this XP Home machine. Though the speed has improved the packages continually pick up new malwares. The only way I've been able to get to the Registry is by booting in Safe Mode. If I boot in 'ordinary' mode then, like earlier respondents, the virus seems to kill any attempts to call task manager (Ctl+Alt+Del), or MSCONFIG or even Norton.
When in Safe Mode I removed references to REGSRV, ARSETUP, etc from the registry. I also deleted them from C:\ and C:\windows (and anywhere else I found them for good measure).

But SPAZBOX reappears whenever IE Explorer is launched.
This thing is driving me up the walls.

I think I need to be able to boot in Normal Mode and then the delete the processes. but alas I can't get at those commands.

I have noticed that all seems fine until I make my dial up internet connection (via network connections). Though not configured to do so, the dial up monitor indicates a lot of activity and then, after about 5 minutes, opens an IE window and directs itself to SPAZBOX (not nominated as home page). Is there a registry entry that says what to do once an Internet connection is established?

Sorry about all the Qs but really, this thing has me demented.

[Janet]

Hi Freaked out,
I used regalyzer from http://www.safer-networking.org to search and delete these entries. This is a registry editor program that these viruses do not try to shut down.

Hijack This! Is another good tool to try. It highlights non-standard registry entries that are related to your browser. Some may be valid, others will not be so be careful what you delete. (Oh yes I forgot that the viruses would not let this start up until I had successfully run the virus checker. It's a good tool for additional cleanup though)

Ultimately I conquered this thing with a fresh update of VET. You can do a manual download of the latest virus signature files and update it using a utility you can download at the same time. Running this utlilty made Vet immediately active in memory without having to reboot and without allowing the virus the chance to shut it down.
It immediately detected FOUR viruses active in memory and killed them off. A full scan then found another 14 infections.

Once I dealt with the viruses, Spybot and Adaware cleaned up the rest.

Good Luck

[freakedout]

Thanks Janet. I'll have a lash off that and I'll let you know how I go.

Do you (or any of the interested observers) have any idea about the unrequested launch of IE. In other words, I call the dialer and then, after about 3-5 minutes, even without initiating IE, the IE window appears... and guess where... u got it... SPAZBOX. Is the IE launch driven by the REGSRV32.EXE / ARSETUP corruptions or is this a separate entry.


TIA

[Janet]

I'd say it's definitely related.

[freakedout]

OK. Now I'm really mad >:( I used Regalyiser to find and remove the references to ARSETUP and REGSRV32 in LOCAL MACHINE, LOCAL USER , etc. I then searched the entire reg for any other occurrences that I might have missed. I removed the lot. After a few reboots I was able to access Task Manager (... what progress)...

Before I kicked off my dialer I got to look at the Processes in Task Manager and the little ARSETUP was back. I killed it and dialed and after a few minutes ARSETUP reappeared in Task Manager.

I thought I must be losing my mind. But then I remed that I'd lost that ages ago. I can but conclude that ARSETUP and REGSRV are only part of the problem. Something else must be giving ARSETUP its wings. Any ideas?

[Janet]

freakedout, I doubt you will conquer it without a anti virus program. I know that VET can kill it. Go to www.vet.com, pay the money and download the necessaries, including the program that will immediately install the signatures into memory.

How much time and stress have you wasted on this problem so far?? What is that worth in $$'s ? Certainly more than the cost of a good virus protection program. And you certainly never want to go through this again, right? An up to date anti-virus checker will make sure it never happens again.

The infections I had were not on my PC, but a friends. She had no anti-virus software, no backups, no firewall, nothing :-[. That's all changed now. Make the investment for yourself. You'll be glad you did.

[Carnall]

I'm getting unnerved.

Spazbot is on this computer - I keep getting the message when I log on. (It's a shared computer, I'm the technical support user.)

I've searched the hard drive and regedit and the processes window for each of the filenames mentioned here, and none of them appear to be present - but I'm still getting the Spazbot message every time the computer restarts. (I'm running ZoneAlarm, so I can stop it accessing the Internet, but it's still a pain getting the messages.)

The one thing I haven't tried is running the RegAlyzer program from Safer-networking.org - trying that now.

[macmurphy]

Hi all,

I got hit with this liittle sometime last week. Nothing seemed to work for me, I'm not that good with computers and could nt follow some of the advice like setting de system recovery off?

So any at home last night, my cpu was running at 100% and I had only 1 internet window open, it was coming to a grinding halt.

I went into to system restore in system tools, eh voilà there you go, set my computer back to a date before I had spazbox ( had reformatted only a week previous) . Cpu then running at 7% <<<<<<

So now I'm wondering , is this a long term solution?
Or will it all come back to haunt me?

[macmurphy]

I like this site,

B I t c h comes out as pregnant.. funny

[hunterX]

Hi.. thanks a lot, I got rid of the spazbox on my system.. thanks for the help everyone!! ;D

[DeathByMilkfloat]

I accidentally *cough* ran my security software across spazbox.net:
I have left out steps where no results were found. Interesting... I wonder if the owner of Spazbox knows about the possible Trojan on port 5000?

Report begins:

MacAnalysis Started at: 8:29 pm

MacAnalysis scans over 1600 holes, please do something else during the scan. For more informations: [email protected]


STEP 2: Folders:

Viewable Folder found: (folder path removed by DeathByMilkfloat).

STEP 3: Trojans

Possible trojan found on port 5000
Known trojans: Bubbel, Back Door Setup, Sockets de Troie


STEP 4: Services/Protocols Holes

WEB:80 is active
Version: Apache 2.0

Info: Apache /tmp File Race Vulnerability
Resume: Apache programs htdigest and htpasswd are used to offer advanced features to users of the web server. However, these two helper programs (rest removed by DeathByMilkfloat).

PortMap:111 is active (Risk: Low)
Resume: Your rpc services can be listed by anyone.
Fix: Restrict access to 111/tcp to local clients.

Report ends.

Whilst the ethics of reporting a system scan on the web are questionable, I think the there is a possibility that the owner(s) of Spazbox are unaware that their system may have been hijacked. It might be possible... On second thoughts though it is a bit unlikely.

[freakedout]

:D
Well whadeyno! At last I got rid of the little git. I thank you all for your help. My approach was to take running tasks and run a serach in Google over the name. For instance, if winmon32.exe or arsetup.exe or whatever else appeared in my task list, then I searched Google for it. The earlier posts helped me to identify likely nasties. Once I found a nasty then I deleted / renamed it from anywhere I could find it (registry, file / folder name, etc).. This apprach, in conjunction with the mutiplicity of virus / spyware scanners eventually ridded my system of the nasties.

With regard to the contibution about the VET pachage from Computer Associates, may I point out the following.. .
Currently I have Norton, Spyguard, AGV, XoftSpy and a couple more applications running on my system. Some of the apps catch some of the nasties. None of them catch all of the nasties. Simply by adding one more layer of protection to the defence may not lead to resolution. Its true that after an amount of time you add it up and say "It would have been cheaper to buy that licence" but that can only be in hindsight. Furthermore, it is apparent that these discussion groups contain contributions from companies in the business of selling nasties protection / removal applications. So, I guess the cynic in me is always on the look out.

Having said that however, I would like to thank all of you who helped to rid me of my demons.

Thanks :P

[mejmw]

I succeeded in removing arsetup.exe (spazbox.net) by first stopping the "system restore" then removing the entry from the registry, followed by rebooting the machine and deleting the file c:\arsetup.exe. Then restarting system resore. Hope this helps.

[Auctionhugh]

There is a thread here http://forums.spywareinfo.com/index.php?showtopic=25111 which has a number of helpful suggestions about this nasty bug as well.

----
Professional Web Design by AuctionHugh's Wife Kathleen
Artistic - Straightforward - EASY for You!
Examples and Pricing at Kallen Web Design of Kalamazoo