Looks Much better!

We still have few things to do.

Please read this post completely, it may make it easier for you if you copy and paste this post to a new text document or print it for reference later.

Step #1

You can go ahead and remove the tools we used.

Please download the OTMoveIt.

• Save it to your desktop.
• Please double-click OTMoveIt.exe to run it.
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
  
  C:\WINDOWS\System32\ps.exe
  C:\WINDOWS\pss
  C:\WINDOWS\System32\idleserv.exe
  C:\WINDOWS\System32\yrdqldwv.exe
  C:\WINDOWS\System32\xxruegba.exe
  C:\WINDOWS\System32\msdtc_32.exe
  C:\WINDOWS\System32\user_32.dll
  
• Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
• Click the red Moveit! button.
• Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
• Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Step #2

Please open HiJackThis and scan. Check the boxes next to all the entries listed below

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [msci] "C:\DOCUME~1\Owner\LOCALS~1\Temp\2007423112541_mcinfo.exe" /insfin

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis

Step #3

Download CCleaner If you don't want the Yahoo toolbar, be sure to UNcheck that option when installing the software or update.

Instructions for using CCleaner:

• Launch CCleaner and under Options > Advanced > UNcheck "Only delete files in Windows Temp folder older than 48 hours".
• A pop up box will appear advising this process will permanently delete files from your system.
• To protect logon cookies that you wish to retain, under Options > Cookies. Select and using the arrow move those cookies to the "Cookies to keep" column.
• Then select the items you wish to clean up.
  • In the Windows Tab:
    • Clean all entries in the "Internet Explorer" section.
    • Clean all the entries in the "Windows Explorer" section.
    • Clean all entries in the "System" section.
    • Clean all entries in the "Advanced" section.
    • Clean any others that you choose.
  • In the Applications Tab:
  • Clean all in the Firefox/Mozilla section if you use it.
  • Clean all in the Opera section if you use it.
  • Clean Sun Java in the Internet Section.
  • Please UNcheck "Utilities" (i.e., Ad-Aware, ewido and other security program logs.)

• Click the "Run Cleaner" button and it will scan and clean your system.
• Click exit.
• Shutdown/restart the computer.

Step #4

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.2. Restart your computer.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.

System Restore will now be active again.

Step #5

Please run Panda's ActiveScan You will need to use Internet Explorer to run it.

• Once you are on the Panda site click the Scan your PC button
  
• A new window will open...click the Check Now button
  
• Enter your Country
  
• Enter your State/Province
  
• Enter your e-mail address and click send
  
• Select either Home User or Company
  
• Click the big Scan Now button

o If it wants to install an ActiveX component allow it
o It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
o When download is complete, click on My Computer to start the scan
o When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Post the contents of the ActiveScan report

Let me know how thins are running now

I also get this message from McAfee every time I reboot, not in SAFE MODE. I allow it. Should I block it?

SysemGuard Description: Monitors changes to your internet Explorer preset URLS to preven spyware or other potentially unwanted programs from changing your browser settings without your permission

Process: C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
Process Name: Spy Sweeper Engine
Process Publisher: Webroot Software, Inc.
Affected Items: HKEY_USERS\S-1-5-21-194725168-951468696-4177962848-1003\Software\Microsoft\Internet Explorer\SearchUrl\

If you did not expect his change, McAfee recommends that you block it. If you expected change, allow it.

That should not be a problem.

Go Ahead and allow SpySweeper.


Could you please follow those instructions i just posted?

Thanks.

I did everything up to Panda's Active Scan. I have NOT been able to do that because I cannot access Internet Explorer. I get "SErver Cannot be found." I cannot get online with Mozilla Firefox either. I CAN get online to AOL via dialup but cannot use Internet Explorer once online. For example, I type www.daniweb.com (page cannot be found). Then I tried www.daniweb.com/index (I got onto your site, but got message DANI WEB IT Discussion Community 404 Error. This page does not exist on our server.) So, it's doing something, but not quite getting there. Google, Yahoo do not come up either. BUT I clicked on "Favorites" and got a website.

I have been doing all the repair work, accessing the info via another computer, copying the files to a flash drive, then copying them onto the infected computer, and running the software and processes.

Should I copy Internet Explorer onto the infected computer? I don't want to do anything to screw up this great communication and process we've had, so I'd really appreciate your thoughts and reply. Thanks!

Is it OKAY to load an updated version of AOL onto the infected computer in order to get a new version of Internet Explorer onto the infected computer? Are viruses able to corrupt IE to the point of having to reload?
Looking forward to someone's answer. Thanks!

Hi there, sorry for the delay getting to you, i've been busy.

I suggest you Update Aol after that we have cleaned up your system.

I will get to you as soon as possible thank you for your patience.

Are you able to access the internet properly now?

If you are you could please follow my instructions i posted in Message #11

Thanks.

I am going to go get the CD now and will update. HOpefully I will get IE running. I am emailing from another computer. I still can't get on IE from the virus computer. I can't do an online scan on the virus computer. I will get back after I've loaded the new AOL with new IE. Thanks!

Alright, No problem i see ahead hearing back from you.

Take your time.

Sorry, I didn't see message 17. I cannot access "Panda Active Scan" because I cannot do things through Internet Explorer. I cannot do the live scan on the infected computer. That's why I asked about AOL. I have not loaded new AOL yet.