Explorer keeps opening by itself

[escarpita]

My IE keeps oppening on its own, I am running XP Profesional on a dell latitude D610. I followed the procedures listed and I am including the text files. When the IE opens I notice a tiny white square on the upper left corner on the screen. Please help with this. The last thing I remember was I downloades a program to help speed downloads, after that is when
I started having the problem, when I tried to remove it iy said that it was unable to remove the entire program. This happened on Sunday 13th around 4PM

[abri]

Hi escarpita!
Welcome to MajorGeeks!

Sorry for your computer difficulties. One of us will be looking at your logs. Please be patient.
Thanks.

Your AVG Antispyware didn't run. Please try shutting down your computer and disonnecting it from the internet. Boot back up without being connected to the internet, then disable all your antivirus and antispyware software and see if you can get it to scan. If so, please have it fix everything it finds. When you're finished reenable all the antivirus/antispyware software and then reconnect to the internet.

abri

[abri]

Hi escarpita!
The Ares Chatroom server came onto your system at the same time as the virus you got and I don't know if it's part of it or if it came through this.

1) Go to add/remove programs and uninstall the below:

J2SE Runtime Environment 5.0 Update 11"
J2SE Runtime Environment 5.0 Update 4"
J2SE Runtime Environment 5.0 Update 6"
Java 2 Runtime Environment, SE v1.4.2_03"
Java(TM) 6 Update 2"
Java(TM) 6 Update 3"
Java(TM) SE Runtime Environment 6 Update 1

2) Reboot after uninstalling the above.

3) Install the current version of Sun Java from: Sun Java Runtime Environment


4) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

Do the following belong to programs you know or want to keep? If not, please fix them as well.
O14 - IERESET.INF: START_PAGE_URL=http://ep-bt-elcomweb/apps/elcomportal/
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175...at-no-eula.cab
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: wlg - Unknown owner - C:\WINDOWS\system32\walg.exe


5) Now download The Avenger by Swandog46, and save it to your Desktop.

• Extract avenger.exe from the Zip file and save it to your desktop
• Run avenger.exe by double-clicking on it.
• Check the 'Input script manually' box.
• Click on the magnifying glass icon.
• Copy everything in the Quote box below, and paste it in the box that opens:

Quote:

Files to delete:

C:\WINDOWS\out.exe
C:\WINDOWS\out3.txt
C:\WINDOWS\out.html
C:\Program Files\AresUltraSearch
C:\WINDOWS\system32\walg.exe
C:\WINDOWS\system32\sporder.dll

Folders to delete:

C:\Program Files\Ares Galaxy Turbo Booster
C:\Program Files\AresUltraSearch

• Now click the 'Done' button.
• Click on the traffic light icon and OK the prompt.
• You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
• A log file from Avenger will be produced at C:\avenger.txt

6) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

7) Now run CCleaner in the default setting with the Windows tab as the active one. Do not check anything which is not already checked. After you hit the Run Cleaner button, there will be a warning that all the files will be permanently deleted. Click on ok and allow it to run. When it's finished, just close it.

8) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


Let me know how things are running now?

abri

[escarpita]

Hi Abri thanks for your quick reply and help. I already did everything you asked me to. I am attaching the logs you requested. I haven't seen the IE open on its own or the white small square on the top left corner left of the screen.

When I reboot I get a couple of errors, but once I click ok they dissapear.

I will keep my sesions opens and see what happens

[abri]

Hi escarpita!

Ares Chatroom server didn't get deleted when you ran analyse.exe (hijackthis) and I don't know if that is because you did not want it deleted or because it needs to be disabled before it can be deleted. If you tried to fix it with hijackthis the first time around, please do the following:

• Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
• On the page that opens, scroll down to Ares Chatroom server
• then right click the entry, select Properties and press Stop Service.
• When it shows that it is stopped, next please set the Start-up Type to 'Disabled'.
• Click OK until you get back to Windows.

• Next, run HJT (it will now be called analyse.exe and you will find it inside the MGTools folder of your root drive), but instead of scanning, click on the None of the above, just start the program button at the bottom of the choices.
• At the lower right, click on the Config button
• Then click the Misc tools button
• Select Delete an NT Service
• Copy/paste AresChatServer into the box that opens, and press OK
• If you receive any error messages just ignore them and continue.
• Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.

Now run HJT/analyse.exe (select Do a system scan only) and select the following lines but DO NOT CLICK FIXuntil you exit all browser sessions including the one you are reading in right now:

O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe


After you click fix, just close hijackthis.

Let me know how this goes. Also,what kind of errors do you get when you reboot? Do you get them every time you boot up?

abri

[escarpita]

Hi Abri!

I did the first part of your recomendation, but during the second part when I ran HJT/Analize.exe system scan only the lines:

O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe

didn't showed up.

I guess the errors I got where only the first time after I ran all the applications because is not doing it anymore.

So far everything looks OK, I haven't seen the IE act up again or the withe square on the screen. Please let me know what else do I have to do. (remove programs, scans, etc.) I also instaled the Comodo firewall since I was using the Windows firewall.

Thanks for your help and valuable support

[abri]

Hi escarpita!
I'm glad things are working better. Windows Firewall is okay for the shortterm, but you need to get a two-way firewall so you can see not only what is trying to come into your computer, but also what is trying to go back out. Zone Alarm free is simply easier to use than Comodo and I recommend trying it after you get settled in your computer again. I only suggest removing programs you don't use. You might ask more about this in the Software Forum. Other than that, I would only ask you now to run our final clean-up instructions:

Quote:

Your logs look good. If you're not experiencing any malware symptoms, please do the following:

• If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, and the C:\combofix.txt log that was created.
• If we had you run Avenger, you can delete all files related to Avenger now.
• Go to add/remove programs and uninstall HijackThis.
• Then go into Windows Explorer and find MGTools directly under C:\ (or the root drive where your operating system is installed).
• Open the MGTools folder and delete the contents.
• Then delete the folder itself.
• Look for any leftover logs on your desktop and if found delete them
• Run CCleaner
• After you've completed the above, please follow the instructions at this link for setting a clean restore point. Disable and Enable System Restore!
• Once you've done this, please take a look at the link that follows. It's a good read and has some good information to help you prevent further malware invasions.
  
  How to Protect Yourself from Malware

Let us know how things went!

abri

[escarpita]

Hi Abri, everything seems to be working perfect. I followed the clean up instructions and removed some of the programs installed.

Thank you very much for your help and support!

[abri]

You're welcome!
I'm happy your computer is happy.
Enjoy it!
abri