[pchelpers] Re: virus problem

Hi PcCowboy,

Wednesday, March 22, 2006, 11:53:45 PM, you wrote:

P> c:\windows\system32\irnrs.exe (Trojan Horse Downloader:generic:UEO)
P> The heal and move buttons don't work on it. A full AVG scan doesn't
P> see it. After unhiding all the files I found it with windows explorer
P> irnrs.exe.temp. I delete it and it comes right back after reboot. I have

After you delete it, create a FOLDER with the same name.  That will
probably block it.


P> Spybot keeps blocking a reg change for a file called "rabfsh" with the
P> line  rabfsh=c:\windows\system32\irnrs.exe runonce.
P> Can't find any file called rabfsh

"rabfsh" is not a file, it's just a text name.


P> H..L..M\system\controlset001\services\cmdservice
P> H..L..M..\system\current controlset\service\cmdservice

The abbreviation is "HKLM". RIGHT-click on either item (they both point
at the same spot) and select "Permissions". Add "Administrators" to
the list and check all of the "Allow" boxes. In extreme cases, you may
need to click on "Advanced", go to the Owner tab, and take ownership.
After that, you should be able to delete the key.

BUT FIRST, take a look at "ImagePath" under that key; that's the name
of the program that's probably causing irnrs.exe to keep coming back.
Rename or move the file named and restart the computer, and irnrs.exe
and the reg entry will probably stop coming back.  If not, you have
more to find.

Also try HijackThis (a technician tool), to see if it shows anything
that looks suspicious (or at least unfamiliar).

You might also take a run with RootkitRevealer from SysInternals, just
in case.

AutoRuns (a technician tool), also from SysInternals, is useful, but
you will probably want to first set it to filter out Microsoft items.

I also often look through the \Windows and \Windows\System32 folders
for new EXE files; most of them should be dated 2004 at the latest,
with only a few patches being newer. You can compare with a good
system. Any remaining files often have names that look random, which
increases their suspiciousness. This is NOT something that I'd suggest
to a non-tech, though, so those of you Peeping Toms who are not techs
should ignore this paragraph. :)

-- 
Scott.
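The steps Scott walks through (inspect the service key and its ImagePath, check the key's permissions, look at the RunOnce entry, and hunt the Windows folders for new EXE files with random-looking names) can be done in one read-only pass. The following PowerShell script is an added example, not code from the thread or from any of the tools mentioned; the service name `cmdservice` and the 2004/2005 date cutoff come from the thread, the helper `Test-RandomLookingName` and its consonant-run heuristic are this example's own assumptions, and the script reports only, it does not delete, rename or change permissions on anything.

```powershell
# Added example (not from the original post): review a suspicious service's
# ImagePath and key permissions, list Run/RunOnce autostarts, and report
# recently added, unsigned EXE files in the Windows folders. Read-only.
param(
    [string]$ServiceName = 'cmdservice',           # service named in the thread
    [datetime]$NewerThan = [datetime]'2005-01-01', # assumed cutoff; adjust to your build
    [string[]]$Folders = @("$env:SystemRoot", "$env:SystemRoot\System32")
)

# 1. Inspect the service's registry key. ImagePath is the program that
#    restarts the dropper, which is what Scott says to look at first.
#    Run from an elevated shell; a restrictive ACL on the key will otherwise
#    make this (and any delete attempt) fail.
$svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
if (Test-Path $svcKey) {
    $props = Get-ItemProperty -Path $svcKey
    [pscustomobject]@{
        Service   = $ServiceName
        ImagePath = $props.ImagePath
        Start     = $props.Start      # 2 = automatic start
        Type      = $props.Type
    } | Format-List

    # Show who may touch the key; a Deny entry or a missing Administrators
    # entry explains why "heal"/"delete" keep failing.
    (Get-Acl -Path $svcKey).Access |
        Select-Object IdentityReference, AccessControlType, RegistryRights |
        Format-Table -AutoSize
} else {
    Write-Host "No service key named '$ServiceName' found."
}

# 2. List every Run/RunOnce value; the thread's "rabfsh" entry is a value
#    name under RunOnce, not a file, so it only shows up here.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($k in $runKeys) {
    if (Test-Path $k) {
        Write-Host "== $k"
        Get-ItemProperty -Path $k |
            Select-Object -Property * -ExcludeProperty PS* |
            Format-List
    }
}

# 3. Hunt for new EXEs with random-looking names. The name test is a
#    hypothetical heuristic, not an authoritative rule: a run of five or
#    more consonants, or no vowels at all (e.g. "irnrs").
function Test-RandomLookingName {
    param([string]$BaseName)
    return ($BaseName -match '[bcdfghjklmnpqrstvwxz]{5,}') -or
           ($BaseName -notmatch '[aeiouy]')
}

foreach ($folder in $Folders) {
    # -Force includes hidden files, since the dropper in the thread was hidden.
    Get-ChildItem -Path $folder -Filter *.exe -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $NewerThan } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File       = $_.FullName
                Modified   = $_.LastWriteTime
                Signature  = $sig.Status
                Signer     = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                RandomName = Test-RandomLookingName $_.BaseName
            }
        } |
        Where-Object { $_.Signature -ne 'Valid' -or $_.RandomName } |
        Sort-Object Modified -Descending |
        Format-Table -AutoSize
}
```

As Scott notes, the file listing is only meaningful next to a known-good machine of the same build: many legitimate system files are unsigned or carry recent patch dates, so treat the output as a list of things to compare, not a verdict.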

-- 
-------list-services-below-----------
Regards, John Durham (list moderator) <http://modecideas.com/contact.html?sig>
Freelists login at http://www.freelists.org/cgi-bin/lsg2.cgi
List archives at http://www.freelists.org/archives/pchelpers
PC-HELPERS list subscribe/unsub at http://modecideas.com/discuss.htm?sig
Latest news live feeds at http://modecideas.com/indexhomenews.htm?sig
Good advice is like good paint- it only works if applied.