  #1  
Old 04-13-2007, 03:21 PM
der
Senior Member
 
Join Date: Mar 2005
Location: Michigan
Posts: 352
IRC-Worm.Randon.I

Today, each time I went into my Gmail, my BitDefender would pop up saying that it had blocked this IRC-Worm.Randon.I. It told me the file it was found in .. so I went looking. The file is c:/documentsandsettings/owner/localsettings/tempoaryinternetfiles ...
I was surprised to see all those temporary files there. I clean my cache all of the time .. I delete my temporary files, yet here are tons from a year ago up until now. Can I delete all those?? And if so .. can I do it from right there?
Also .. BitDefender recommended the following ... should I do that as well??
  1. Select Run... from Start, then type regedit and press Enter;
  2. Delete the following key:
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run\lsass="%SYSTEM%\lsass.exe"]
    where %SYSTEM% points to the Windows\System folder.


  #2  
Old 04-13-2007, 08:46 PM
Mobo
Thinking outside the box
 
Join Date: Sep 2004
Location: Cape Breton
Posts: 4,587
Download and run this tool, der:
Cleanup

Then reboot afterwards and it should be all clear. Just make sure to run it in full mode not demo mode.
  #3  
Old 04-13-2007, 10:53 PM
der
Senior Member
 
Join Date: Mar 2005
Location: Michigan
Posts: 352
You know what, Mobo .. whenever you have given me a tool to fix something, I have always put them in a folder and saved them on CD, with a bit of info about them so that I remember what they are for. So, I got to looking after I posted this message and found that Cleanup tool .. with the settings you gave me the last time .. and poof .. all cleaned up now! So thank you, for then and now!
It's been a while .. I have missed you .. hope that all is going well for you.
(((hugs)))der
  #4  
Old 04-14-2007, 11:33 AM
Mobo
Thinking outside the box
 
Join Date: Sep 2004
Location: Cape Breton
Posts: 4,587
Great to hear, Der. Things are fine on my end and I sure hope it is much the same on your end..
  #5  
Old 04-14-2007, 09:03 PM
der
Senior Member
 
Join Date: Mar 2005
Location: Michigan
Posts: 352
Well, I am glad to hear that things are going well for you, Mobo. Things are going ok here .. hit a bit of a rough patch for a while there but things are better now. It's a bit scary here in Michigan these days! But it's ok .. we are survivors and keep plugging on, and der is stepping out into a new business adventure .. so life should be interesting!!
See ya later, Mobo .. thanks again!
  #6  
Old 04-16-2007, 09:33 PM
der
Senior Member
 
Join Date: Mar 2005
Location: Michigan
Posts: 352
.. this thing is still there, or I am picking it up somewhere when I get online .. because I still get the pop-ups occasionally saying that BitDefender has blocked it. So I am using CleanUp each night. Is there something else I can do to make it gone for good???
  #7  
Old 04-16-2007, 09:35 PM
Mobo
Thinking outside the box
 
Join Date: Sep 2004
Location: Cape Breton
Posts: 4,587
If it's in the temp folder then it's from a site that you are visiting..
  #8  
Old 05-16-2007, 11:29 AM
der
Senior Member
 
Join Date: Mar 2005
Location: Michigan
Posts: 352
ok .... this thing is still here. I run CleanUp and then it is there again the next day.

#1) Could I be picking it up when I go into my Gmail account, as that is where I received the first warning?

#2) My BitDefender says it has blocked it and that my computer has not been infected by it.

#3) The following is what BitDefender says about it:

Presence of the registry key:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\explorer="c:\windows\system\expl32.exe"].
Presence of the following files in Windows\System folder:
aim.txt
AImIRC.ini
bla.txt
bnc.dll
config.hfg
crazy.exe
cscan.dat
dtkode.txt
empavms.exe
EXPL32.EXE
impvms.dll
innocent
ipservers.txt
lan.bat
Libparse.exe
miconfig.exe
moo.dll
msccl.dll
newuser.bat
nhtml.dll
nicks.txt
nvdrv.ocx
p***ec.exe
ratsou.exe
reg.xpl
remote.ini
restart.exe
script1.dll
spig.txt
sysboot.dll
syste32.dll
system.exe
temp
unicod_look
unicod_ready
werty.bat
wincmd34.bat
wind.dll
WININET.DLL

Newer versions of the worm will have these instead:

Presence of the registry key:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run\lsass="%SYSTEM%\lsass.exe"]
where %SYSTEM% points to the Windows\System folder.
Presence of the following files in %SYSTEM% folder:
aim.dll
aim.txt
boot.exe
c.dll
dr.exe
empavms.exe
flood.ocx
gt.exe
ipservers.dll
java.dll
lan.bat
Libparse.exe
lsass.exe
miconfig.exe
moo.dll
msccl.dll
msconig.exe
newuser.bat
nhtml.dll
ratsou.exe
regedit.dll
remote.ini
restart.exe
screen.dll
sipg.ocx
start.ocx
sysboot.dll
sysconfig.ocx
syste32.dll
temp
unicod_look
unicod_ready
users.dll
werty.bat
wincmd34.bat
wind.dll
zhid.exe
TECHNICAL DESCRIPTION:
This worm spreads through IRC and is in fact a collection of backdoors, trojans, DDoS programs and exploits, all packed in one executable file. The worm arrives as an .exe file, through mIRC. Once this file is executed, the aforementioned registry key and files are created, and EXPL32.EXE (or LSASS.EXE for newer versions) is run, thus giving the attacker complete control over the infected computer. It can download and install newer versions of itself from an internet address, files GT.EXE or GT2.EXE, using its downloader component.
Removal instructions:
  1. If you don't have BitDefender installed click to download an evaluation version.
  2. Make the following changes in the windows registry:

    Note: Please make sure to modify only the values that are specified. It is also recommended to back up the Windows registry before proceeding with these changes. For more information on backing up the registry, please read the FAQ.
    1. Select Run... from Start, then type regedit and press Enter;
    2. Delete the following key:
      [HKLM\Software\Microsoft\Windows\CurrentVersion\Run\lsass="%SYSTEM%\lsass.exe"]
      where %SYSTEM% points to the Windows\System folder.
  3. Perform a full scan of your system (selecting, from the Action tab, the option Prompt user for action). Choose to delete all the files infected with IRC-Worm.Randon.I
#4) Should I do what it suggests at the end there, when it talks about deleting the registry key??



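The BitDefender write-up quoted in the post above gives two kinds of indicator: a Run-key value (explorer pointing at expl32.exe, or lsass pointing at lsass.exe under %SYSTEM%) and a list of dropped files in the Windows\System folder. The PowerShell script below is an added, read-only check for those indicators; it is not part of the thread, of the Cleanup tool, or of BitDefender's own tooling. It takes %SYSTEM% to be $env:SystemRoot\System as the write-up defines it and, as an added assumption, also looks in System32; it only reports what it finds and deletes nothing, so the registry edit the write-up recommends remains a separate, deliberate step.

```powershell
# Added example, not from the thread or from BitDefender: read-only check for the
# IRC-Worm.Randon.I indicators quoted in post #8. It reports and changes nothing.

# %SYSTEM% as the write-up defines it (Windows\System). System32 is an added
# assumption so the check also covers the usual system directory.
$systemDirs = @(
    (Join-Path $env:SystemRoot 'System'),
    (Join-Path $env:SystemRoot 'System32')
)

# Run-key value names and the executables the write-up pairs them with.
$runKey    = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValues = @{ 'explorer' = 'expl32.exe'; 'lsass' = 'lsass.exe' }

# File names listed for the newer variant, copied from the write-up.
$fileIndicators = @(
    'aim.dll','aim.txt','boot.exe','c.dll','dr.exe','empavms.exe','flood.ocx',
    'gt.exe','ipservers.dll','java.dll','lan.bat','Libparse.exe','lsass.exe',
    'miconfig.exe','moo.dll','msccl.dll','msconig.exe','newuser.bat','nhtml.dll',
    'ratsou.exe','regedit.dll','remote.ini','restart.exe','screen.dll','sipg.ocx',
    'start.ocx','sysboot.dll','sysconfig.ocx','syste32.dll','temp','unicod_look',
    'unicod_ready','users.dll','werty.bat','wincmd34.bat','wind.dll','zhid.exe'
)

$findings = [System.Collections.Generic.List[object]]::new()

# 1. Run-key persistence. The genuine lsass.exe is started by the OS from
#    System32 and never from a Run value, so a Run value named 'lsass' is
#    suspicious on its own; the same goes for 'explorer' pointing at expl32.exe.
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
foreach ($name in $runValues.Keys) {
    $data = $run.$name
    if (-not $data) { continue }
    $note = if ($data -match [regex]::Escape($runValues[$name])) {
        'matches the write-up'
    } else {
        'unexpected value name; inspect'
    }
    $findings.Add([pscustomobject]@{
        Type  = 'RunValue'
        Where = "$runKey\$name"
        Data  = $data
        Note  = $note
    })
}

# 2. Dropped files. -LiteralPath keeps names such as 'temp' from being read
#    as wildcard patterns.
foreach ($dir in $systemDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    foreach ($name in $fileIndicators) {
        $path = Join-Path $dir $name
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $item = Get-Item -LiteralPath $path -Force
        $size = if ($item.PSIsContainer) { 'directory' } else { "$($item.Length) bytes" }
        # lsass.exe in System32 is the legitimate Windows binary; only the
        # copy under Windows\System (or one launched from a Run value) is the indicator.
        $note = if ($name -ieq 'lsass.exe' -and $dir -like '*\System32') {
            'normal location for lsass.exe; verify its signature before acting'
        } else {
            'listed in the write-up'
        }
        $findings.Add([pscustomobject]@{
            Type  = 'File'
            Where = $path
            Data  = '{0}, modified {1:u}' -f $size, $item.LastWriteTime
            Note  = $note
        })
    }
}

if ($findings.Count -eq 0) {
    'No IRC-Worm.Randon.I indicators found in the Run key or the system folders.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Run it from an elevated PowerShell prompt so that System32 and HKLM are readable. A hit on the Run value without any of the listed files, as in the poster's case where BitDefender reports a blocked download in Temporary Internet Files rather than an infection, usually means the persistence step never happened and the only real action is to stop fetching the file from wherever it keeps arriving.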