W32.Arpiframe virus

  • cyberlei
    New Member
    • Sep 2007
    • 28

    My Internet Explorer is getting 20 B's in the top left corner. It is a virus called W32.Arpiframe. I deleted it on my computer, but after I connect to our network it gets infected again. Has anyone had that issue before, and how do I delete it from the network?

    Thanks
  • flumesoft
    New Member
    • Nov 2007
    • 2

    #2
    Hello Cyberlei,

    I have looked into your problem and found a little bit of information. Firstly, you might need to switch over to Firefox as it is much better. I never really thought it was until I switched. Alright, now to get rid of it.

    I found this on another site:

    1. Temporarily disable System Restore (Windows XP).
    2. Update the virus definitions.
    3. Reboot the computer in Safe Mode.
    4. Run a full system scan and clean/delete all infected files.
    5. In order to make sure that the threat is completely eliminated from your computer, carry out a full scan of your computer using antivirus and antispyware software. Another way to delete the virus, using various antivirus programs without the need to install them, is an online virus scanner.

    Try deleting again and if the problem still occurs please contact us.

    Hope we could help
    Flumesoft.com

    • epots9
      Recognized Expert Top Contributor
      • May 2007
      • 1352

      #3
      Changed thread title to something better.

      • StefanPienaar
        New Member
        • Nov 2007
        • 17

        #4
        Hi

        We've recently started having the same problem on our production server. Whenever someone would access any website/webpage from the server, the returned HTML would have a string of B's injected right before the <html> tag.

        I've googled and it seems to be this W32.Arpiframe virus which is causing it. Can anyone tell me how I can remove it without Norton? We've tried installing a new version of Norton but, as expected, Norton is up to its usual tricks and refuses to install because we had a really, really old version on there a few months ago. Guess it's conflicting or something.

        The weird thing is that this comes and goes: it will return those damn B's a whole day long and the next it's gone, only to return again the day after.

        Thanks in advance
        Stefan Pienaar

        • KirkLashbrook
          New Member
          • Nov 2007
          • 1

          #5
          We had this last week.

          You need to find which machine on the network is infected and intercepting the HTTP packets.

          It's typically NOT the machine displaying the 20 B's in the browser.

          If it's a small network with a single segment, start unplugging one machine at a time until you can identify the source.

          If it's a large network, you'll need a sniffer to determine which machine is doing the ARP Spoofing.

          Once we figured out what was going on with the ARP spoofing, it took our network guy about 5 minutes with the sniffer to track down two PCs that were infected.

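The sniffer check described in #5, as an added example that is not part of any post in this thread: it parses raw ARP reply frames from a capture and reports any MAC address that answers for more than one IP while at least one of those IPs is also claimed by a different MAC. All MAC and IP addresses and the sample frames are constructed for illustration.

```python
import struct
from collections import defaultdict

def fmt_mac(b): return ":".join(f"{x:02x}" for x in b)
def fmt_ip(b): return ".".join(str(x) for x in b)

def parse_arp_reply(frame):
    """Return (sender_mac, sender_ip) from a raw Ethernet ARP reply, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":   # too short, or not ARP
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen, oper) != (1, 0x0800, 6, 4, 2):
        return None                      # only IPv4-over-Ethernet replies (oper 2)
    return fmt_mac(frame[22:28]), fmt_ip(frame[28:32])

def find_suspects(frames):
    """Map each suspect MAC to the contested IPs it answers for."""
    macs_by_ip, ips_by_mac = defaultdict(set), defaultdict(set)
    for frame in frames:
        parsed = parse_arp_reply(frame)
        if parsed:
            mac, ip = parsed
            macs_by_ip[ip].add(mac)
            ips_by_mac[mac].add(ip)
    suspects = {}
    for mac, ips in ips_by_mac.items():
        contested = sorted(ip for ip in ips if len(macs_by_ip[ip]) > 1)
        # Heuristic: one NIC answering for several IPs, some owned by others.
        # Proxy ARP or failover pairs can match too, so confirm before acting.
        if len(ips) > 1 and contested:
            suspects[mac] = contested
    return suspects

def sample_frame(src_mac, src_ip, dst_mac, dst_ip):
    """Build one constructed ARP reply frame for the sample capture below."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    i = lambda s: bytes(int(p) for p in s.split("."))
    return (m(dst_mac) + m(src_mac) + b"\x08\x06"
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
            + m(src_mac) + i(src_ip) + m(dst_mac) + i(dst_ip))

# Constructed capture: gateway, a clean PC, and one host answering for both.
GW, PC, BAD = "02:00:00:00:00:01", "02:00:00:00:00:0a", "02:00:00:00:00:66"
SAMPLE = [sample_frame(GW, "192.168.1.1", PC, "192.168.1.10"),
          sample_frame(PC, "192.168.1.10", GW, "192.168.1.1"),
          sample_frame(BAD, "192.168.1.66", GW, "192.168.1.1"),
          sample_frame(BAD, "192.168.1.1", PC, "192.168.1.10"),
          sample_frame(BAD, "192.168.1.10", GW, "192.168.1.1")]
```

A host that answers for only one contested IP and never announces its own address is not singled out by this heuristic; in that case compare the contested IP's MACs against a known-good inventory.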

          • cyberlei
            New Member
            • Sep 2007
            • 28

            #6
            The virus has been removed from our network. I just did as KirkLashbrook said: use Ethereal to sniff your network on a switch or hub which is connected to the ISP, see which computer is sending huge packets out, then disconnect it from your network and remove the virus.

            • StefanPienaar
              New Member
              • Nov 2007
              • 17

              #7
              Thanks for the replies. It's a huge network with multiple computers in various offices on two different floors of the building.

              I have installed a packet sniffer but it seems that the webpages are working fine today (no B's), so I guess whichever computer is causing it is still offline.

              Thanks for the help

              Stefan
