Windows Forum / Windows 95 / March 2004

checking registry for irun4 and it "finds" "ssafe"?

Bob Cooper - 11 Mar 2004 17:52 GMT
Had email from our ISP (Cox) a week back or so saying our computer was
sending viruses and they had some directions for us on using
their virus cleaner.  Our McAfee had just stopped working too so,
pennies from Heaven!  It was a bit of an unusual download process.  The
directions were in a zip file attached to the email. Upon extracting
it, it was an executable.  On running it we never saw any directions
but there was a lot of disk drive activity.  Appeared to be searching
for something for a couple minutes or so.

Long story short, the performance of our leopard computer suddenly
became a snail.  Checking Ctrl-Alt-Del and I saw irun4 listed which was
a new one to me.  But I wasn't sure it was a virus and this new
machine was having other problems.

Today I downloaded and installed the trial version of Zone-Alarm.  The
computer appeared to lockup before the tutorial finished.  Upon
restarting the system and completing the installation, Zone Alarm
immediately reported that irun4 was trying to access the Internet and
asked if I wanted to stop it. Yessir!

I then Ctrl-Alt-Del again and saw it was still on the stack.  I
terminated it and the computer is still running like a leopard.

I used regedit->edit->search and asked it to find irun4.  It reports
HKCU\software\microsoft\windows\currentversion\run highlighting
ssafe.exe.  MsnMsgr and Default are there too but not highlighted. I
used the edit->delete to cut ssafe out of the registry.  Irun4 didn't
show up anywhere else in the registry.  I still don't know why "ssafe"
was highlighted though I was searching for irun4.  I guess there may be
more bad news here.

Ssafe.* is nowhere on the system drive.

Irun4 is on the system drive c:\winme\system\irun4.exeopen and
irun4.exe.
The latter was modified 3/4/2004 9:06am and created 3/5/2004 8:55:40
am.
The former was modified at the same time and created a few secs
earlier.
They are both 12,288 bytes size.  I've renamed them.  

Oh yeah.  On restarting after the lockup, scandisk reported the size
of the hard drives was recorded incorrectly and asked if I wanted it
corrected.  I said yes.  So far that seems to have been the right
thing to do.

This is a WinME system, not win95.
glee - 12 Mar 2004 12:05 GMT
irun4:
It is a worm....the email you opened and ran was not from your ISP, it was the worm.
http://hq.mcafeeasap.com/dispVirus.asp?virus_k=101071
and
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_BAGLE.J&VSect=T

Download and run the Stinger tool per the instructions here:
http://vil.nai.com/vil/stinger

ssafe is from another worm....W32/Netsky.j@MM :
http://vil.nai.com/vil/content/v_101083.htm
and
http://www.sophos.com/virusinfo/analyses/w32netskyj.html

The Stinger tool will remove that also.

Install the free anti-virus, AVG 6.0 Free Edition, from here:
http://www.grisoft.com/us/us_dwnl_free.php
and then set it to run as a background scanner, and to check for updates every day.

...and stop clicking on every attachment you receive!

Here are some more things you should do, for starters:

Read here:
Dealing with Hijackware
http://mvps.org/winhelp2002/unwanted.htm
http://www.mvps.org/inetexplorer/Darnit.htm#tshoot
http://aumha.org/a/parasite.htm

http://doxdesk.com/parasite/CoolWebSearch.html
and
http://www.merijn.org/cwschronicles.html

Use CWShredder, the removal tool, available here:
http://computercops.biz/downloads-cat-14.html
http://www.majorgeeks.com/downloads31.html
http://www.spywareinfo.com/downloads/tools/CWShredder.exe
http://www.zerosrealm.com/downloads/CWShredder.zip
http://aumha.org/downloads/cwshredder.zip

In addition, install Ad-Aware 6 free edition, start it, click its 'Check for Updates' link in the app to install updates, then use it to scan your system, and remove what it finds.
Ad-Aware:
http://www.lavasoftusa.com/support/download/

Install, update and run SpyBot Search & Destroy, scan your system, and then remove the items in RED only.
SpyBot S&D:
http://www.safer-networking.org/index.php?page=download

Download, unzip, and run Hijack This from one of these locations:
http://computercops.biz/downloads-cat-14.html
http://www.majorgeeks.com/downloads31.html
http://www.spywareinfo.com/downloads/tools/HijackThis.exe
Unzip to a folder other than your Desktop or the Temp folder, double-click HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log somewhere you can find it (Desktop, My Documents, or similar).
Most of what it lists will be harmless or even required, so do NOT fix anything yet.

Copy the log files and paste them into a new post at one of these forums:
http://forums.net-integration.net/
http://computercops.biz/forums.html
http://forums.spywareinfo.com/index.php?showforum0
http://tomcoyote.org/forums/
http://www.lavasoftsupport.com
http://boards.cexx.org/

The folks there will tell you what to remove.

Glen Ventura, MS MVP W95/98 Systems
http://dts-l.org/goodpost.htm

> Had email from our ISP (Cox) a week back or so saying our computer was
> sending viruses and they had some directions for us on using
[quoted text clipped - 43 lines]
>
> This is a WinME system, not win95.
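An added example, not part of either post: Regedit's Find looks at key names, value names and value data, so a hit can land on a Run value whose name does not contain the search term. The script below parses a REGEDIT4 export of the Run key and reports which field matched. The sample export is constructed, and it assumes the value named `ssafe.exe` carries data pointing at `c:\winme\system\irun4.exe`, which the thread does not show.

```python
import re

# Constructed sample in REGEDIT4 export format (not taken from the thread).
# Assumption: the value *named* ssafe.exe has data that points at irun4.exe.
SAMPLE_REG = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
@=""
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"ssafe.exe"="C:\\WINME\\SYSTEM\\irun4.exe"
'''

# A value line is either @=... (default value) or "name"=...
_VALUE = re.compile(r'^(@|"(?P<name>(?:[^"\\]|\\.)*)")=(?P<data>.*)$')


def _unescape(s):
    # .reg strings escape backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Yield (key, value_name, data) for string values in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            continue
        m = _VALUE.match(line)
        if not (key and m):
            continue
        name = '(Default)' if m.group(1) == '@' else _unescape(m.group('name'))
        data = m.group('data')
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        yield key, name, data


def find(text, term):
    """Search key, value name and value data; report which field(s) hit."""
    term = term.lower()
    hits = []
    for key, name, data in parse_reg(text):
        fields = [f for f, v in (('key', key), ('name', name), ('data', data))
                  if term in v.lower()]
        if fields:
            hits.append((name, data, fields))
    return hits
```

On a real system the input would be an export of the Run key saved from Regedit; every value in that key starts at logon, so each one is worth checking against a file that actually exists on disk.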
 