TechSpot

Nar.vbs virus

By rutiene
Apr 2, 2009
  1. My computer has been running slow lately and so I ran an AVG virus scan. After doing so it came up with nar.vbs. I read that it was difficult to scrub so I come here to check that I'm all clear. =]

    Mmm... I can't seem to add attachments... should I just post it?
     


  2. Spyder_1386

    Spyder_1386 TS Rookie Posts: 498

    hi rutiene

    All seems fine :) .... has your computer started working at normal speed again? Why are you on Internet Explorer 6 though? Upgrade to 7 or use Firefox .... much better :)

    Spyder_1386 :)
     
  3. rutiene

    rutiene TS Rookie Topic Starter

    I use FF. That's why the IE homepage is just dell.

    And no, I still can't get it working at normal speed. ><! I've had the motherboard replaced so I'm not sure what it could be...
     
  4. mflynn

    mflynn TS Rookie Posts: 2,655

    Hi Guys

    Spyder is right, no apparent Malware issues, so let's do some cleanup and tweaking.

    First the below is harmless but let's get rid of them anyway.
    Run HJT Scan only and select and fix the below 2 items.
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

    Then do the below.

    Left Drag mouse and Copy for Pasting all text in the box below. Make sure the slider bar goes to bottom from the @ to the end of the second exit.
    Then paste to the black screen of an open command prompt. All may not apply so ignore errors.

    Code:
    @echo off
    sc config Alerter start= disabled
    sc stop Alerter
    
    sc config AeLookupSvc start= disabled
    sc stop AeLookupSvc
    
    sc config ClipBook start= disabled
    sc stop ClipBook
    
    sc config Dfs start= disabled
    sc stop Dfs
    
    sc config FastUserSwitchingCompatibility start= disabled
    sc stop FastUserSwitchingCompatibility
    
    sc config TrkWks start= disabled
    sc stop TrkWks
    
    sc config TrkSvr start= disabled
    sc stop TrkSvr
    
    sc config DNSCache start= disabled
    sc stop DNSCache
    
    sc config ERSvc start= disabled
    sc stop ERSvc
    
    sc config HidServ start= disabled
    sc stop HidServ
    
    sc config PolicyAgent start= disabled
    sc stop PolicyAgent
    
    sc config CiSvc start= disabled
    sc stop CiSvc
    
    sc config IsmServ start= disabled
    sc stop IsmServ
    
    sc config kdc start= disabled
    sc stop kdc
    
    sc config LicenseService start= disabled
    sc stop LicenseService
    
    sc config Messenger start= disabled
    sc stop Messenger
    
    sc config Netlogon start= disabled
    sc stop Netlogon
    
    sc config NetTcpPortSharing start= disabled
    sc stop NetTcpPortSharing
    
    sc config mnmsrvc start= disabled
    sc stop mnmsrvc
    
    sc config NetDDE start= disabled
    sc stop NetDDE
    
    sc config NetDDEdsdm start= disabled
    sc stop NetDDEdsdm
    
    sc config NtLmSsp start= disabled
    sc stop NtLmSsp
    
    sc config SysmonLog start= disabled
    sc stop SysmonLog
    
    sc config RSVP start= disabled
    sc stop RSVP
    
    sc config SSDPSRV start= disabled
    sc stop SSDPSRV
    
    sc config upnphost start= disabled
    sc stop upnphost
    
    sc config WMPNetworkSvc start= disabled
    sc stop WMPNetworkSvc
    
    sc config WmiApSrv start= disabled
    sc stop WmiApSrv
    
    sc config WmdmPmSN start= disabled
    sc stop WmdmPmSN
    
    sc config RemoteRegistry start= disabled
    sc stop RemoteRegistry
    
    sc config RemoteAccess start= disabled
    sc stop RemoteAccess
    
    sc config SCardSvr start= disabled
    sc stop SCardSvr
    
    sc config TlnSvr start= disabled
    sc stop TlnSvr
    
    sc config UPS start= disabled
    sc stop UPS
    
    sc config WebClient start= disabled
    sc stop WebClient
    
    sc config DNSCache start= disabled
    sc stop DNSCache
    
    sc config RpcSs start= auto
    sc start RpcSs
    
    sc config RpcLocator start= auto
    sc start RpcLocator
    
    sc config MSIServer start= auto
    sc start MSIServer
    exit
    exit
    When above is finished continue below.

    A deep Temp and Reg clean.

    Run CCleaner http://www.ccleaner.com/download/builds (get SLIM at bottom no Yahoo toolbar)
    Run twice or more on Cleanup temps, then on left click Registry then Scan for issues also repeat till clean. (you should already have this from 8 Steps)

    Run ATF-Cleaner http://majorgeeks.com/ATF_Cleaner_d4949.html Temp and Registry, repeatedly until no more found.

    KCleaner ftp://ftp2.kcsoftwares.com/kcsoftwa/files/kcleaner.exe
    Fantastic cleaner. (When installing uncheck Relevant Knowledge do not install)
    When run Click Analyze and when it finds then click clean.
    -------------------------------------------------------------------------------------
    The issues can be and are likely found in System Restore, so do the below

    Start-Programs-Accessories-System Tools-Disk- System Restore and create a new Restore point. Name it "Cleanup at TechSpot".

    Then Start-Programs-Accessories-System Tools-Disk Cleanup
    Click OK to accept C:
    Select all Boxes
    Then click More Options
    Here click System Restore and OK to "Are you sure" and then OK to Run.

    As this runs it clears all but the most recent Restore Point but it does one other thing that can contain infested files and a huge amount of disk space.

    It clears what is known as Shadow copies which are used by specialized back up programs.

    This is if you have the Volume Shadow Copy running which is the default.

    After all the above reboot run for a while and report back if there is improvement!

    Mike
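
    Added example, not part of the original thread: before pasting a bulk `sc config ... start= disabled` script like the one in the post above, the current start type of each service can be captured with `sc qc <name>` so the change can be undone. The code below parses that output and emits a restore script; the sample `sc qc` output and the function names are constructed for illustration.

```python
import re

# sc.exe START_TYPE codes -> keyword accepted by `sc config <name> start= <keyword>`
START_KEYWORDS = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}

# Constructed sample: concatenated output of `sc qc <name>` for three services,
# the last of which is not installed on this machine.
SAMPLE_SC_QC = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: Dnscache
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\WINDOWS\system32\svchost.exe -k NetworkService

[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: RemoteRegistry
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 3   DEMAND_START

[SC] OpenService FAILED 1060:

The specified service does not exist as an installed service.
"""

def parse_start_types(text):
    """Return {service_name: start keyword} from concatenated `sc qc` output."""
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[SC]"):
            current = None  # new query begins; a FAILED query never yields a name
        elif line.startswith("SERVICE_NAME:"):
            current = line.split(":", 1)[1].strip()
        elif current:
            m = re.match(r"START_TYPE\s*:\s*(\d+)", line)
            if m and int(m.group(1)) in START_KEYWORDS:
                result[current] = START_KEYWORDS[int(m.group(1))]
    return result

def restore_script(text):
    """Build batch lines that return each recorded service to its saved start type."""
    lines = ["@echo off"]
    for name, start in parse_start_types(text).items():
        lines.append(f"sc config {name} start= {start}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(restore_script(SAMPLE_SC_QC))
```

    Services that `sc qc` reports as not installed are skipped, so the generated script only touches services whose original setting was actually recorded.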
     
  5. rutiene

    rutiene TS Rookie Topic Starter

    When I installed KCleaner, comodo started screaming at me about a virus rkverify.exe?
     
  6. mflynn

    mflynn TS Rookie Posts: 2,655

    KClean is clean! I have used this program for years. I have had many here on the Forum to use it also.

    Now when you installed you did not uncheck the Relevant Knowledge as I advised and that is what it is picking up.

    A very minor adware but have Comodo block it so KCleaner can install then go to Add/Remove programs and uninstall Relevant Knowledge. But keep KCleaner!

    Mike
     
  7. rutiene

    rutiene TS Rookie Topic Starter

    I definitely unchecked RelevantKnowledge, I made a point to do so. I installed it twice because I thought it was something else and it came up both times. When I ran KCleaner, Comodo kept on screaming at me. :s
     
  8. mflynn

    mflynn TS Rookie Posts: 2,655

    Hmmm!

    OK KCleaner and Relevant Knowledge are 2 different Programs.

    The file Comodo is complaining about is rkverify.exe (the rk in rkverify has to do with Relevant Knowledge) so let Comodo block it and remember the setting!

    Also look in the Add/Remove for the Relevant Knowledge and uninstall it!

    Mike
     
  9. rutiene

    rutiene TS Rookie Topic Starter

    Well.. here's the problem. KCleaner wasn't working when I kept blocking it, so I unblocked it... (this is before I posted). <----- feels like an ***** now. I'm actually running my antivirus to make sure that things are ok.

    I also looked in Add/Remove and there's no Relevant Knowledge.

    I understand that it's hard to trust someone over the internet to follow simple instructions, with all the idiocy out there, but I really didn't keep the Relevant Knowledge checkbox checked. ><!
     
  10. mflynn

    mflynn TS Rookie Posts: 2,655

    OK no problem!

    So now uninstall even KCleaner in Add/Remove.

    Reboot

    Then try to install from scratch again and approve all including RK then RK will be in the Add/Remove to uninstall later. As I said it is a very minor adware.

    Mike
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Rutiene, your computer is slow because you have too many programs and processes loading at startup and running in the background. While the entries are legitimate they can be started manually when you need them.

    The ONLY processes you need on Startup are:
    Antivirus program(AVG)
    Firewall if using 3rd party firewall
    Touchpad for the laptop (Synaptics)

    Nothing else!

    Give this a try- it will give you an idea:
    Start> Run> msconfig> enter> Selective Startup> Startup menu> UNCHECK everything except the processes mentioned above> Apply> OK.

    Reboot> NOTE: you will get a nag message that you can ignore and close after checking 'don't show this message again.' Stay in Selective Startup.

    (Some of the processes may reload because they are loading from memory and have to be stopped elsewhere, but this should give you some idea of what it can be like!)

    By the way, your helpers missed AdWatch. Real Time Protection needs to be temporarily disabled before the scans:
    AD-AWARE AD-WATCH
     
  12. rutiene

    rutiene TS Rookie Topic Starter

    Well... my computer does seem to be running faster now. But now I'm using the ugly Windows2000 Theme and not my XP Silver. D: I can't seem to turn it on either.
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    The object here is to get rid of the malware!

    And at the end, Mike should have had you remove the cleaning tools and old restore points. But that is only done when the cleaning is complete. We don't know that.
     
  14. mflynn

    mflynn TS Rookie Posts: 2,655

    In Services confirm Themes service is set to Automatic and is started.

    Then in Control Panel Click System-Advanced-Performance Settings.

    Put Dot in Adjust for best performance then in box below select only these 3 items.

    Smooth edges of screen fonts
    Use common tasks in folders
    Use visual styles on windows and buttons.
    Click Apply then OK OK

    Now Rt click a blank spot on Desktop then left click properties, then Appearance and choose Windows XP style in the pulldown of Windows and buttons. Click Apply OK.

    Let me know all remaining issues so we may continue or finish.

    Mike
     
Topic Status:
Not open for further replies.
