Can't delete a program....


12 replies to this topic

#1 Aninha

  • Members
  • 27 posts
  • Gender:Female
  • Location:Washington Dc

Posted 01 May 2009 - 02:42 PM

My sister installed this thing called "Ares Vista" and tried uninstalling it. The thing has disappeared from the list in Control Panel, but it comes back every time I turn the laptop on. And I just found out it is a type of spyware that gets all the passwords the PC has on it. What should I do?

Thanks

-Ana

Edited by Aninha, 01 May 2009 - 02:44 PM.


#2 PropagandaPanda

  • Malware Response Team
  • 10,433 posts
  • Gender:Male

Posted 01 May 2009 - 04:45 PM

Hello.

This program is a P2P file-sharing program. The program itself is not malicious; however, the content that you download with it may be.

These programs allow users to share files with each other, as the name suggests. In today's world, cybercrime has reached an enormous scale, and any means is used to infect personal computers in order to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, so they should be used with great care. Some further reading on this subject, via the included links, is as follows: File-Sharing, otherwise known as Peer To Peer and Risks of File-Sharing Technology.

It is also important to note that sharing entertainment files and proprietary software infringes copyright laws in many countries around the world, and you are putting yourself at risk of being indicted by organizations watching over the rights of the authors of such files (e.g. the RIAA for music files or the MPAA for movie files in the USA) or by the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

If you want help removing it anyway, we can help.

With Regards,
The Panda

#3 Aninha

Posted 01 May 2009 - 08:00 PM

Yes, please, I would like to remove it from my laptop. It's of no use to me and it's just occupying disk space.

Thanks

-A

#4 PropagandaPanda

Posted 01 May 2009 - 08:53 PM

Hello Aninha.

That is a good decision. First we will need to identify where the program is installed and where it is loading from at startup.

Please download RunKeys.vbs to your desktop.
Double click RunKeys.vbs to run the script.
After a moment, a log file will open in notepad. Copy this log into your next post please.

With Regards,
The Panda
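
The Run keys are asked for because they are the usual place a program re-launches itself from at every logon. As an added example, not the RunKeys.vbs script linked above and not code posted anywhere in this thread, the PowerShell below lists the same two Run keys and reports, for each value, the resolved executable, its modification date, size and the CompanyName from its version resource (the fields the RunKeys log format shows), plus the Authenticode signature status. The Wow6432Node key, the signature check and the function names are my own additions and are not part of the thread.

```powershell
# Added example, not RunKeys.vbs and not code from this thread: enumerate the Run keys
# and report, for each value, the resolved executable and the metadata a reviewer wants.
# The Wow6432Node key and the Authenticode check are my additions; the log above has neither.

function Resolve-RunCommandPath {
    # Extract the executable path from a Run value's command line. The value may be
    # quoted ("C:\Program Files\X\x.exe" /tray), bare (C:\X\x.exe -tray), or empty,
    # like the "AdobeBridge"= [] entry in the log format.
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $null }
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    $opts = [System.Text.RegularExpressions.RegexOptions]::IgnoreCase
    $m = [regex]::Match($cmd, '^(.+?\.exe)(\s|$)', $opts)
    if ($m.Success) { return $m.Groups[1].Value }
    return ($cmd -split '\s+')[0]
}

function Get-RunKeyEntries {
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'  # 32-bit programs on 64-bit Windows
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $regKey = Get-Item -Path $key
        foreach ($name in $regKey.GetValueNames()) {
            $command = [string]$regKey.GetValue($name)
            $path    = Resolve-RunCommandPath $command
            $entry = [ordered]@{
                Key = $key; Name = $name; Command = $command; Path = $path
                Exists = $false; Modified = $null; Size = $null; Company = $null; Signature = $null
            }
            if ($path -and (Test-Path -LiteralPath $path -PathType Leaf)) {
                $file = Get-Item -LiteralPath $path
                $entry.Exists    = $true
                $entry.Modified  = $file.LastWriteTime.ToString('yyyy-MM-dd')
                $entry.Size      = $file.Length
                $entry.Company   = $file.VersionInfo.CompanyName
                # Valid, NotSigned, HashMismatch, ...: unsigned or tampered binaries stand out here
                $entry.Signature = (Get-AuthenticodeSignature -FilePath $path).Status
            }
            [pscustomobject]$entry
        }
    }
}

# Entries whose executable is missing or unsigned are the ones to look at first.
Get-RunKeyEntries | Sort-Object Exists, Signature |
    Format-Table Key, Name, Path, Modified, Size, Company, Signature -AutoSize
```

Run it in the affected user's session; the HKLM keys can be read without elevation. A value that survives after the program's own uninstaller has run will still show up here, which is exactly how a program keeps "coming back" at logon. RunOnce, the Startup folder, scheduled tasks and services are further autostart locations this script does not cover.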

#5 Aninha

Posted 01 May 2009 - 10:00 PM

Hello Panda,

Thank you very much!

Here's the log:

////////RunKeys\\\\\\\\
Microsoft® Windows Vista™ Home Premium 6.0.6001.1 (2009-5-1 22:58)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"= C:\Windows\ehome\ehTray.exe [2008-9-20|125952|(Microsoft Corporation)]
"Sidebar"= C:\Program Files\Windows Sidebar\sidebar.exe [2008-9-20|1233920|(Microsoft Corporation)]
"TomTomHOME.exe"= C:\Program Files\TomTom HOME 2\HOMERunner.exe [2008-5-6|202088|(TomTom)]
"msnmsgr"= C:\Program Files\Windows Live\Messenger\msnmsgr.exe [2009-2-6|3885408|(Microsoft Corporation)]
"AdobeBridge"= []
"WMPNSCFG"= C:\Program Files\Windows Media Player\WMPNSCFG.exe [2008-9-20|202240|(Microsoft Corporation)]
"ares vista"= C:\Program Files\Ares Vista\AresVista.exe [2009-4-23|3042304|(Ares Vista)]
"DW6"= C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe [2009-4-27|801904|(The Weather Channel Interactive, Inc.)]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"= C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2008-6-6|815104|(Synaptics, Inc.)]
"WD Drive Manager"= C:\Program Files\Western Digital\WD Drive Manager\WDBtnMgrUI.exe [2008-1-30|438272|(WDC)]
"SigmatelSysTrayApp"= C:\Windows\sttray.exe [2008-6-6|303104|(SigmaTel, Inc.)]
"Adobe Reader Speed Launcher"= C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-10-15|39792|(Adobe Systems Incorporated)]
"WD Anywhere Backup"= C:\Program Files\WD\WD Anywhere Backup\MemeoLauncher2.exe [2009-3-4|197856|()]
"Sprint SmartView"= C:\Program Files\Sprint\Sprint SmartView\SprintSV.exe [2008-10-15|17664|(Sprint)]
"QuickTime Task"= C:\Program Files\QuickTime\QTTask.exe [2009-1-5|413696|(Apple Inc.)]
"AVP"= C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 2009\avp.exe [2008-11-11|206088|(Kaspersky Lab)]
"SunJavaUpdateSched"= C:\Program Files\Java\jre6\bin\jusched.exe [2009-3-5|148888|(Sun Microsystems, Inc.)]
"iTunesHelper"= C:\Program Files\iTunes\iTunesHelper.exe [2009-4-2|342312|(Apple Inc.)]

---EOF---

#6 PropagandaPanda

Posted 02 May 2009 - 09:49 AM

Hello.

Let's remove that now. It won't be a proper removal like the one Add/Remove Programs would do, but it should work.

Install ERUNT
This tool will create a complete backup of your registry. After every reboot, a new backup is created to ensure we have a safety net after each step. Do not delete these backups until we are finished.

Do not use the NTREGOPT that comes with the installation package.
  • Please download erunt-setup.exe to your desktop.
  • Double click erunt-setup.exe. If you are using Windows Vista, right click the icon and select "Run As Administrator." Follow the prompts and allow ERUNT to be installed with the settings at default. If you do not want a Desktop icon, feel free to uncheck that. When asked if you want to create an ERUNT entry in the startup folder, answer Yes only if you are using Windows XP. You can delete the installation file after use.
  • ERUNT will open when the installation is finished. Check all items to be backed up in the default location and click OK.
You can find a complete guide to using the program here:
http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

When we are finished, you may remove ERUNT using Add/Remove Programs.

Download and Run OTMoveIt3
  • Please download OTMoveIt3 by OldTimer to your desktop. If you have already used the program, there is no need to download a new one.
  • Double-click OTMoveIt3.exe to run it. If you are running on Vista, right click on the file and choose Run As Administrator.
  • Copy the lines in the codebox below. Do not copy the word "code".
    :processes
    AresVista.exe
    
    :reg
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "ares vista"=-
    
    :files
    C:\Program Files\Ares Vista\
  • Return to OTMoveIt3, right click in the Paste List Of Files/Patterns To Move window (under the yellow bar) and choose Paste.
  • Close all open windows except OTMoveIt.
  • Click the MoveIt! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3.
Note: If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key. Navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest ".log" file present, and copy/paste the contents of that document back here in your next post.
-----
Tell me how it goes.

With Regards,
The Panda
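
The OTMoveIt script above does three things: kill the process, delete the Run value, and move the folder away. The same steps in PowerShell, as an added example that is neither OTMoveIt nor ERUNT nor anything posted in this thread: it first exports the Run key to a .reg file (a much narrower safety net than the full registry backup ERUNT takes), then stops every process whose image lives inside the program folder instead of matching only on the name AresVista.exe, deletes the Run value, removes the folder, and verifies the result. A folder cannot be deleted while any process is still running from inside it, which is the failure mode this handles. The folder path, key and value name are the assumed inputs and are taken from the RunKeys log in this thread; the backup location is my choice. Run it from an elevated PowerShell, since the folder is under C:\Program Files.

```powershell
# Added example (not OTMoveIt, not ERUNT, not code from the thread): stop the program,
# drop its Run value and delete its folder, with a registry export as the safety net.
# Assumed inputs, taken from the RunKeys log in this thread:
$Folder   = 'C:\Program Files\Ares Vista'
$RunKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$RunValue = 'ares vista'
$Backup   = Join-Path $env:USERPROFILE 'Desktop\Run-backup.reg'   # my choice of location

function Get-ProcessesUnder([string]$Prefix) {
    # Every running process whose executable sits inside $Prefix (case-insensitive).
    Get-Process | Where-Object {
        $p = $(try { $_.Path } catch { $null })   # Path can fail for protected processes
        $p -and $p.StartsWith($Prefix, [StringComparison]::OrdinalIgnoreCase)
    }
}

# 1. Back up the Run key before touching it (reg.exe wants HKCU\..., not HKCU:\...).
$regPath = $RunKey -replace '^HKCU:\\', 'HKCU\' -replace '^HKLM:\\', 'HKLM\'
& reg.exe export $regPath $Backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Registry export to $Backup failed; stopping." }

# 2. Stop everything running from the folder. The trailing backslash stops
#    'C:\Program Files\Ares Vista' from also matching 'C:\Program Files\Ares Vista2'.
$prefix  = $Folder.TrimEnd('\') + '\'
$running = @(Get-ProcessesUnder $prefix)
foreach ($proc in $running) {
    Write-Host "Stopping $($proc.ProcessName) (PID $($proc.Id)): $($proc.Path)"
    Stop-Process -Id $proc.Id -Force
}
if ($running.Count -gt 0) { Start-Sleep -Seconds 2 }   # give file handles time to close

# 3. Remove the autostart value (value names are compared case-insensitively).
if ((Get-Item -Path $RunKey).GetValueNames() -contains $RunValue) {
    Remove-ItemProperty -Path $RunKey -Name $RunValue
    Write-Host "Removed value '$RunValue' from $RunKey"
} else {
    Write-Host "Value '$RunValue' not present in $RunKey"
}

# 4. Remove the folder. If a handle is still open, say so instead of failing silently.
if (Test-Path -LiteralPath $Folder) {
    try {
        Remove-Item -LiteralPath $Folder -Recurse -Force -ErrorAction Stop
        Write-Host "Removed $Folder"
    } catch {
        Write-Warning "Could not remove $Folder ($($_.Exception.Message)). Reboot and run this step again."
    }
}

# 5. Verify: the value must be gone and nothing may still be running from the folder.
$valueLeft   = (Get-Item -Path $RunKey).GetValueNames() -contains $RunValue
$procsLeft   = @(Get-ProcessesUnder $prefix).Count
$folderLeft  = Test-Path -LiteralPath $Folder
"Run value present: $valueLeft; processes from folder: $procsLeft; folder present: $folderLeft"
```

If the last line still reports the folder as present after a reboot, nothing was holding it open any more and a plain delete will succeed, as it did later in this thread. This is still not a proper uninstall: the program's entry in Add/Remove Programs, if any survived, and any other leftovers (RunOnce, the Startup folder, scheduled tasks, services) are outside what the Run keys show and are not touched here.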

#7 Aninha

Posted 02 May 2009 - 10:37 AM

Dear Panda,

you are my favourite animal in the whole kingdom!

Beautifully done!

Thanks so much!

Here the log:

========== PROCESSES ==========
Process AresVista.exe killed successfully.
========== REGISTRY ==========
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\ares vista deleted successfully.
========== FILES ==========
Folder move failed. C:\Program Files\Ares Vista scheduled to be moved on reboot.

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 05022009_112843

Files moved on Reboot...
Folder move failed. C:\Program Files\Ares Vista scheduled to be moved on reboot.

#8 PropagandaPanda

Posted 02 May 2009 - 11:27 AM

Hello Aninha.

OTMoveIt was not able to remove the folder containing the program, though it looks like it was able to remove it from startup. I would just leave the folder there, as it is not doing any harm without the program being run.

Any problems or questions at the moment? Please confirm that Ares is not starting anymore.

With Regards,
The Panda

#9 Aninha

Posted 02 May 2009 - 02:24 PM

Panda,

No, it hasn't started so far. Thanks for the help!

-Ana

#10 Aninha

Posted 02 May 2009 - 02:28 PM

Also, I just deleted the folder myself (C:\Program Files\Ares Vista). I was unable to do it before; now it's gone!

#11 PropagandaPanda

Posted 02 May 2009 - 02:48 PM

Hello Aninha.

That's good.

It could not be deleted before because a process was running from inside it.

Let's remove OTMoveIt.

Run CleanUp! with OTMoveIt
  • Double click the OTMoveIt3.exe icon on your desktop to start the program.
  • Click the CleanUp! button.
  • A pop-up box will appear asking "Begin Removal Process?". Click Yes.
  • Click Yes when asked to reboot.
With Regards,
The Panda

Edited by PropagandaPanda, 02 May 2009 - 02:49 PM.


#12 Aninha

Posted 02 May 2009 - 05:41 PM

Done it very nicely!

Thanks!

-Ana

#13 PropagandaPanda

Posted 03 May 2009 - 09:38 AM

Glad we could help.

EDIT: Consider this topic closed.

The Panda

Edited by PropagandaPanda, 06 May 2009 - 08:01 PM.




