I tried to do a System Restore. The computer refused! In fact, it didn't even HAVE any little blue underlined days before about Dec. 27, and this was Dec. 31.
Jerry's computer came bundled with McAfee. I did a full system scan with McAfee, which assured me the computer was clean -- no worms, no viruses. An expert friend told me that in his professional opinion, McAfee was a useless piece of bleep, so on my friend's recommendation, I bought a copy of Norton Internet Security (which I've had on my own computer for years).
A full system scan with a fully up-to-date Norton assured me that Jerry's computer was clean -- no worms, no viruses. But I was still on "WetPxxxx4Sale."
I used the Task Manager to make a list of all the processes that were running at startup. Then I used MY computer to look them up at www.sysinfo.org. Two of them were identified as viruses, wuauclt.exe and wmiprvse.exe, which sysinfo said is "added by the SONEBOT-B worm" (which was identified in bleeping 2004!!!).
So on Jerry's computer, I went into Safe Mode and deleted all instances of both viruses "by hand." Then I flushed the Recycle Bin.
Feeling happy that surely I had solved the problem, and still in Safe Mode, I went into regedit and changed both instances of "WetPxxxx4Sale" to "Mary loves Jerry."
Then I restarted Jerry's computer in the ordinary state. And when I checked, I found that the little icons in the system tray were STILL "WetPxxxx4Sale"!!
I went back into Safe Mode. I checked to make sure that the offending viruses were still gone, which they were. I went back into regedit and changed both instances of "WetPxxxx4Sale" to "Mary loves Jerry 2."
You guessed it. Jerry's computer is still being served by "WetPxxxx4Sale." Norton says everything is fine. No processes appear to be running that aren't supposed to be running.
Some time in the last few days of frustration, I seem to remember a "regedit32." Is that different from regedit? Would trying that do any good at all?
I am no expert. I've used a computer every day for more than 20 years, but I've hit my ceiling on computer savvy with what you've just read. My GUESS is that Jerry's computer has a worm that's sophisticated enough to hide from Norton. But I figure it can't really be the SONEBOT-B worm, because that was identified in freaking 2004, which is centuries ago in malware, I'm sure. Maybe it's "son(e) of SONEBOT," as it were.
It can't be up to much if both McAfee and Norton say it's not there, and every process that's running when no programs are running is identified as innocent by the computer. (For example, "used by Norton Antivirus.") The computer seems to be running just fine. Jerry has other e-mail addresses, but he can't remember his passwords, so he uses Hotmail exclusively -- no chance for the worm to take over his address book, I wouldn't think.
sysinfo.org says that wmiprvse.exe is a legitimate file that's SUPPOSED to be in the system32\wbem subdirectory, not running at startup. But I deleted it, and it stayed deleted through the next two visits to Safe Mode. Would it do any good at all for me to e-mail MY copy of wmiprvse.exe to myself at Yahoo, download it onto Jerry's computer, and then in Safe Mode put it where it belongs?
Or has the worm gotten into Jerry's BIOS? -- i.e., would it even do any good to go drastic and scrub Jerry's computer clean and reinstall the very operating system? Or would I go through all that pain and in the end discover that I was STILL connected by "WetPxxxx4Sale"?
I'm frustrated! I hope someone here can put me out of my misery!
Mod Edit: Edited to remove offensive word. ~tg
Edited by tg1911, 31 January 2007 - 06:21 PM.
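The triage the poster did by hand (listing startup processes, looking up names, editing autorun entries in regedit) can be done more reliably by checking each process's image path and Authenticode signature rather than its file name alone, since a legitimate Windows component and a malicious file can share a name. The script below is an added example, not code from the original post or from any product mentioned in it; the expected directories and the list of Run keys are assumptions based on the standard Windows layout, and the string the poster found in regedit is not assumed to live in any particular key.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell
# prompt on the machine being examined. It flags running processes whose
# image path is not where the named file is expected, or whose signature is
# not valid, and then lists the standard per-machine and per-user Run keys.

# Where the legitimate copies of the two files named in the post live.
# (Assumption: standard Windows directory layout.)
$expected = @{
    'wmiprvse.exe' = Join-Path $env:SystemRoot 'System32\wbem'
    'wuauclt.exe'  = Join-Path $env:SystemRoot 'System32'
}

Write-Host "== Processes whose image path or signature looks wrong =="
Get-Process | Where-Object { $_.Path } | ForEach-Object {
    $name = [IO.Path]::GetFileName($_.Path).ToLower()
    $dir  = [IO.Path]::GetDirectoryName($_.Path)
    $sig  = (Get-AuthenticodeSignature -FilePath $_.Path).Status
    # Path comparison is case-insensitive in PowerShell by default.
    $wrongDir = $expected.ContainsKey($name) -and ($dir -ne $expected[$name])
    $note = ''
    if ($wrongDir) { $note = "expected in $($expected[$name])" }
    if ($wrongDir -or $sig -ne 'Valid') {
        [pscustomobject]@{
            PID       = $_.Id
            Name      = $name
            Path      = $_.Path
            Signature = $sig   # NotSigned / HashMismatch / UnknownError ...
            Note      = $note
        }
    }
} | Format-Table -AutoSize

Write-Host "== Autorun entries in the standard Run / RunOnce keys =="
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        # Drop the PS* metadata properties so only the value names remain.
        Get-ItemProperty -Path $key |
            Select-Object -Property * -ExcludeProperty PS* |
            ForEach-Object { $_.PSObject.Properties } |
            ForEach-Object { "{0}`n    {1} = {2}" -f $key, $_.Name, $_.Value }
    }
}
```

A process running from an unexpected directory, or an autorun value pointing at a file that is unsigned or sits outside the Windows directory, is the kind of entry worth submitting to the forum's malware-removal helpers rather than deleting by hand; deleting a legitimately placed Windows binary will not remove an infection.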