I work as a PC tech. I got a computer in that keeps generating tmp files in the windows/temp folder that are detected by Norton AV as having the W32.IRCBot virus. Norton deletes the infection, but they keep coming one after the other.
I have run AV scans with Norton, Trend Micro and Sophos, and spyware scans with Spybot S&D and Ad-aware. I have run HJT, XP_procexp and TcpView. I also ran a program by McAfee/Avert called stng260.exe. Everything comes back clean, but I am still getting these infected tmp files. Has anyone dealt with the W32.IRCBot virus and successfully cleaned it? All the AV sites out there just give generic worm removal instructions that do not work.

lex.....

From what my research has turned up, "W32.IRCBot virus" isn't a virus, but rather a trojan. If it was my machine, this is what I would try:

Run CCleaner and delete all entries it brings up. Then run the "Issues" function as well (be sure to back up the registry when prompted) and fix anything Issues finds. Then:

1. Download Ewido from http://www.filehippo.com/download_ewido/ and make sure you have the latest version.
2. Make sure that if there is more than one user account set up, you sign in with the Admin account.
3. Go into Control Panel, Folder Options and click the View tab. Scroll down and make sure that "Show hidden files and folders" is ticked, then Apply and OK.
4. While in Control Panel, click System, then when System Properties opens, click the System Restore tab and turn off System Restore on all drives.
5. Reboot into Safe Mode. Now run Ewido, record anything it finds, then remove what is found.
6. Run Norton again in Safe Mode and see if it picks up the nasty (it won't fix it if it's still there, but it will detect it). Also check the Norton quarantine file and see if it has quarantined it but failed to delete it.
7. Then, if Ewido found anything (from what you recorded), manually check the registry and see if any entries are still present (use the "Find" function in the Edit portion of regedit).

Hopefully it will have been removed. If for some reason it's still there, post a HijackThis log here.
dl65
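
Step 7 of the reply above, as an added PowerShell example that is not part of the original thread: it searches the usual autostart registry keys for the names recorded from the scanner in step 5. The names in `$RecordedNames` are constructed placeholders, and the key list is an assumption that covers only common autostart locations, not the whole registry the way regedit's Find does.

```powershell
# Added example. The names below are constructed placeholders, not indicators from this thread.
# Replace them with the file or entry names recorded from the scanner in step 5.
$RecordedNames = @('example-dropper.exe', 'example-service')

# Common autostart locations (assumed list; regedit's Find searches the entire registry instead).
$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
)

function Find-LeftoverAutostart {
    param(
        [string[]]$Names,
        [string[]]$Keys
    )
    foreach ($key in $Keys) {
        # Skip keys that do not exist on this machine
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($valueName in $item.GetValueNames()) {
            # Multi-string and binary values are flattened to one string for matching
            $data = [string]$item.GetValue($valueName)
            foreach ($name in $Names) {
                # Literal, case-insensitive match on both the value name and its data
                $pattern = [regex]::Escape($name)
                if ($valueName -match $pattern -or $data -match $pattern) {
                    New-Object PSObject -Property @{
                        Key     = $key
                        Value   = $valueName
                        Data    = $data
                        Matched = $name
                    }
                }
            }
        }
    }
}

# Read-only: lists matching entries, deletes nothing
Find-LeftoverAutostart -Names $RecordedNames -Keys $AutostartKeys | Format-List
```

Run it from the same Admin account used in step 2, since the HKCU keys are per-user and other accounts' entries will not be listed.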
You're right, I should not have called it a virus, it is actually a back door Trojan horse. I have a hard time separating virus/Trojan/worm, my users get confused so I always just say virus, lol
I will try your solution, I hope it finds it. Somehow those temp files are being created or downloaded from somewhere. It is a little disconcerting that the scanner finds the infected tmp files and has a name for them in their library but cannot find the infection responsible for putting them there.