[pchelpers] Re: virus problem

Hi Pc

> It came in all messed up and no protection at all.
> 
> I used AVG, spybot, ad-aware, Housecall, CCleaner, Windows Defender to 
> clean it.

You should use at least one more antispyware program and one that is 
stronger than the two above. I would suggest running both Ewido and 
Windows Defender. In such an extreme case, I'd also run CounterSpy 
because it's the best one, even if you can only use it for 15 days 
unless you want to pay for it:
http://www.local.nu/HelpDesk/index.php/Anti-spyware_software

In addition, it's definitely necessary to run at least one antitrojan 
program, although some antispyware like Ewido and CounterSpy are turning 
into antitrojan programs of sorts. TrojanHunter is apparently the best 
and it's free for 30 days. A-squared is probably the best free one. 
http://www.local.nu/HelpDesk/index.php/Anti-virus_software

Although you shouldn't have more than one antivirus program running in 
the background, you should definitely scan your computer with a second 
one that you either disable or uninstall after use. And while scanning 
with this temporary one, you obviously have to disable the normal one's 
background, autoprotect function.

Run all of the above programs in Windows safe mode and in all accounts.

> After removing 100s of viruses and spyware (in safemode) I rebooted
> and a window came up saying that IE had been completely removed and did 
> I want to remove all personal settings.

What did you answer?

> Tried IEFix and tried to reinstall IE only getting the message that it 
> already had a newer version installed.

How did you try to reinstall? Sounds like there was corruption or junk 
in the Windows Update or IE update folders and all you would have had to 
do was empty them. C:/Program Files/Internet Explorer/Uninstall Information.

> So I installed IE7 and it seems to be working. Only on the MS update 
> site the update scan window
> won't come up. It says that there was an error.

What error? If you have automatic updates turned on, you can more or 
less forget about the update site.

> The main problem is that I still get one virus alert from avg. It is 
> c:\windows\system32\irnrs.exe (Trojan Horse Downloader:generic:UEO)
> The heal and move buttons don't work on it. A full AVG scan doesn't 
> see it. After unhiding all the files I found it with windows explorer
> irnrs.exe.temp. I delete it and it comes right back after reboot. I have 
> tried to delete it in safemode in the admin account with system restore 
> turned off.

Did it let you delete it? If it came back, then it's not the main file, 
and AVG hasn't found the main file.

If you're not curious like me and don't want to test the security 
programs I mentioned above, you could run KillBox and HijackThis. They 
should allow you to get rid of the trojan manually.

> Google shows only one webpage for this virus. An anti virus program 
> called GMS and they want $999 for 25 lic for it.

Many antivirus programs do not remove trojans and many don't even detect 
them. AVG is pretty good in finding trojans but specifically says in its 
online help that one has to delete them manually. You should use an 
antitrojan program, not an antivirus program to get rid of trojans.

I'm pretty sure that Trojan Hunter and even the free A-Squared 
http://www.emsisoft.com/en/software/download/ are better than even an 
insanely expensive antivirus program that accidentally talks about a 
certain trojan on its Internet site. I'm pretty sure that Avast and 
Bitdefender would also detect this trojan, and Avast is free and 
probably the best AV.

I'm curious; I get no Google hit at all for irnrs.exe. Not even for 
irnrs + trojan. What did you search for?

> Spybot keeps blocking a reg change for a file called "rabfsh" with the 
> line rabfsh=c:\windows\system32\irnrs.exe runonce.
> Can't find any file called rabfsh

That's not the name of the file; it's a Spybot abbreviation. The file is 
called irnrs.exe.

> Spybot also shows two reg lines that it can't delete.
> H..L..M\system\controlset001\services\cmdservice
> H..L..M..\system\current controlset\service\cmdservice
> 
> I tried to delete them with regedit but was denied access
> Went to Safemode admin account and was still denied access

Let's see if they are removed by the programs I mentioned above.

> Tried to use Panda scan but in Safemode I get up to the point where 
> ActiveX needs to run
> and after clicking on the yellow bar to give it permission the window 
> comes back saying
> that it could no longer display the webpage that it had to re-send the 
> data.

Are you talking about the online scan? Online scans are mostly useless. 
They take ages and are usually not very efficient. They don't seem to 
usually be more than advertisement for an installable version.

> In normal mode clicking on the scan now button doesn't do a thing.

Are you talking about the online scan?

> So this is where I'm at now, with a computer that appears to run alright 
> but only with an AVG Alert popup every 30 secs.

I'm curious to know which if any of my steps helped. More ideas here 
http://www.local.nu/HelpDesk/index.php/Windows_cleanup



-- 
-------list-services-below-----------
Regards, John Durham (list moderator) <http://modecideas.com/contact.html?sig>
Freelists login at http://www.freelists.org/cgi-bin/lsg2.cgi
List archives at http://www.freelists.org/archives/pchelpers
PC-HELPERS list subscribe/unsub at http://modecideas.com/discuss.htm?sig
Latest news live feeds at http://modecideas.com/indexhomenews.htm?sig
Good advice is like good paint- it only works if applied.
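The thread above describes a file in System32 that reappears after reboot, a RunOnce value pointing at it, and a service key (cmdservice) that regedit refuses to delete. The script below is an added, read-only audit of exactly those persistence points; it is not code from the list or from any of the tools named in the reply. It assumes a Windows machine with PowerShell, takes the file name irnrs.exe and the service name cmdservice from the thread, and deletes nothing: it lists the autostart values and services that reference the file, shows whether the file is present and hidden, and prints the owner and any Deny entries on the service key so you can see why deletion is refused before deciding how to clean up.

```powershell
# Added example (not from the thread): read-only audit of Run/RunOnce values,
# service ImagePath entries and the ACL on a service key. Reports only; deletes nothing.
# 'irnrs.exe' and 'cmdservice' are the names from the thread; adjust to what your scanner flagged.

$suspectName = 'irnrs.exe'
$suspectService = 'cmdservice'

# Persistence points the thread mentions (RunOnce) plus the ordinary Run keys.
$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutostartEntries {
    param([string[]]$Keys)
    foreach ($key in $Keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSParentPath/... members PowerShell adds to the object
            if ($p.Name -like 'PS*') { continue }
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
}

function Get-ServiceImagePaths {
    # CurrentControlSet is the control set in use; ControlSet001 is normally the same data.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($svc in Get-ChildItem -Path $base -ErrorAction SilentlyContinue) {
        $img = (Get-ItemProperty -Path $svc.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        if ($img) {
            [pscustomobject]@{ Service = $svc.PSChildName; ImagePath = [string]$img }
        }
    }
}

'== Autostart values referencing {0} ==' -f $suspectName
Get-AutostartEntries -Keys $autostartKeys |
    Where-Object { $_.Command -like "*$suspectName*" } | Format-Table -AutoSize

'== Services whose ImagePath references {0} ==' -f $suspectName
Get-ServiceImagePaths |
    Where-Object { $_.ImagePath -like "*$suspectName*" } | Format-Table -AutoSize

# Is the file actually present? -Force shows hidden/system files, which the poster had to unhide.
$filePath = Join-Path $env:SystemRoot "System32\$suspectName"
if (Test-Path -LiteralPath $filePath) {
    $f = Get-Item -LiteralPath $filePath -Force
    'File present: {0}  size={1}  attributes={2}  sha256={3}' -f $f.FullName, $f.Length, $f.Attributes,
        (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
} else {
    'File not present: {0}' -f $filePath
}

# Why regedit says "access denied": show the key's owner and any Deny access control entries.
$svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$suspectService"
if (Test-Path $svcKey) {
    $acl = Get-Acl -Path $svcKey
    'Owner of {0}: {1}' -f $svcKey, $acl.Owner
    $acl.Access |
        Where-Object { $_.AccessControlType -eq 'Deny' } |
        Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited |
        Format-Table -AutoSize
} else {
    'Service key not present: {0}' -f $svcKey
}
```

Run it from an elevated PowerShell prompt (in safe mode too, as the reply suggests) and keep the output: the hash lets you check the file against a scanner's detection later, and a Deny entry or an unexpected owner on the service key tells you that the access-denied error is an ACL problem rather than a locked file, which is the piece of information you need before taking ownership or letting a removal tool handle the key.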