PC Help Forum » Operating Systems » Windows XP/2000
10-17-2009   #1
BigWayne (Bronze Member)
Join Date: Aug 2009
Location: Outside your bedroom window....BOO!
Posts: 17
PC Experience: Internet Junkie

AntivirusPro10 infection, lost TskMgr & Help

Hi. I have a 2005 Dell Dimension 3000 machine with WinXP SP2 32-bit, a 40 GB HDD and 512 MB RAM.

I downloaded a ZIPped SWF file from Rapidshare and suddenly my browser started redirecting every URL I went to through spam sites like thefeedyard.com and livefeedinc.com. Also, every bit of anti-virus and anti-spyware I had installed suddenly denied me access, saying "Windows cannot access the specified path. You may not have the appropriate permissions to access this file." *I'm* the Administrator on my PC. I also noticed that Task Manager wouldn't appear anymore and that my Help files seemed to all be gone. My wallpaper was unalterably changed to a pic of a blue screen with a big black warning sign with red letters saying "Your system is infected!! System has been stopped to prevent malware from spreading on your machine". AntivirusPro10 kept installing itself. When I ran Process Explorer to see what was running, a program named Seres.exe had 3 instances running, as well as a lot of other strange tasks I hadn't seen in the task list before:

AntivirusPro10.exe
45a.tmp
lizkavd.exe
wi.exe
tfdp.exe
~.exe
svcst.exe

It just so happened that a few weeks ago I used Eset's online scanner just to check my system, and the files were still there. Miraculously, I could run it out of its folder by clicking the EXE file in there. I ran it twice (once, then again after a reboot) and it deleted multiple infections both times. These are the last Eset scan results, so you can see what Eset found and deleted. It was almost identical to the first scan. My problems continued even after the second Eset scan: redirected browser, antivirus inaccessible, pop-up ads, etc.

C:\Documents and Settings\Administrator\Local Settings\temp\1036929478.exe a variant of Win32/Kryptik.ASY trojan cleaned by deleting - quarantined
C:\Documents and Settings\Administrator\Local Settings\temp\notepad.exe a variant of Win32/Kryptik.ASY trojan cleaned by deleting - quarantined
C:\Documents and Settings\Administrator\Local Settings\temp\services.exe a variant of Win32/Kryptik.ASY trojan cleaned by deleting - quarantined
C:\Documents and Settings\Administrator\Local Settings\temp\win.exe a variant of Win32/Kryptik.ASY trojan cleaned by deleting - quarantined
C:\Documents and Settings\Wayne\Local Settings\temp\1236279000.exe a variant of Win32/Kryptik.ASY trojan cleaned by deleting - quarantined
C:\Documents and Settings\Wayne\Local Settings\temp\3147801526.exe a variant of Win32/Kryptik.ASY trojan cleaned by deleting - quarantined
C:\Documents and Settings\Wayne\Local Settings\temp\4200261552.exe a variant of Win32/Kryptik.ASY trojan cleaned by deleting - quarantined
C:\Documents and Settings\Wayne\Local Settings\temp\b10kdc4r0r.exe Win32/TrojanDownloader.Small.NTQ trojan cleaned by deleting - quarantined
C:\Documents and Settings\Wayne\Local Settings\temp\csrss.exe a variant of Win32/Kryptik.ASY trojan cleaned by deleting - quarantined
C:\Documents and Settings\Wayne\Local Settings\temp\install.exe a variant of Win32/Kryptik.ASY trojan cleaned by deleting - quarantined
C:\Documents and Settings\Wayne\Local Settings\temp\lsass.exe a variant of Win32/Kryptik.ASY trojan cleaned by deleting - quarantined
C:\Documents and Settings\Wayne\Local Settings\temp\user.exe a variant of Win32/Kryptik.ASY trojan cleaned by deleting - quarantined
C:\Documents and Settings\Wayne\Local Settings\temp\winlogon.exe a variant of Win32/Kryptik.ASY trojan cleaned by deleting - quarantined
C:\Documents and Settings\Wayne\Local Settings\temp\yokrw.exe Win32/TrojanDownloader.Small.NTQ trojan cleaned by deleting - quarantined
C:\Documents and Settings\Wayne\Local Settings\Temporary Internet Files\Content.IE5\BU1GHCZJ\adjjkma[1].htm Win32/TrojanDownloader.Small.NTQ trojan cleaned by deleting - quarantined
C:\Documents and Settings\Wayne\Local Settings\Temporary Internet Files\Content.IE5\BU1GHCZJ\dfghfghgfj[1].dll a variant of Win32/Kryptik.AA trojan cleaned by deleting - quarantined
C:\Documents and Settings\Wayne\Local Settings\Temporary Internet Files\Content.IE5\BU1GHCZJ\mollmz[1].htm a variant of Win32/Kryptik.AMH trojan cleaned by deleting - quarantined
C:\Documents and Settings\Wayne\Local Settings\Temporary Internet Files\Content.IE5\H61NMPOJ\leoolvw[1].htm a variant of Win32/Kryptik.ASA trojan cleaned by deleting - quarantined
C:\Documents and Settings\Wayne\Local Settings\Temporary Internet Files\Content.IE5\H61NMPOJ\SetupAdvancedVirusRemover[1].exe a variant of Win32/Kryptik.AMJ trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\biyisoka.exe probably unknown NewHeur_PE virus deleted - quarantined
C:\WINDOWS\system32\critical_warning.html Win32/TrojanDownloader.FakeAlert.ADG trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\isapeep.sys Win32/Agent.QEV trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\mavajase.exe a variant of Win32/Kryptik.AVG trojan deleted - quarantined
C:\WINDOWS\system32\pulivopa.exe a variant of Win32/Kryptik.AVG trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\zf3wfkwc2.dll Win32/TrojanDownloader.Small.NFD trojan cleaned by deleting (after the next restart) - quarantined
*********************
*********************

I was reading THIS TOPIC in the forum and it was identical to my situation. In it the tech had to resort to telling the person to run ComboFix to see if that restored any control for him. I too couldn't get any of the programs from your Prework page to run (HJThis, RootRepeal, DDS, or Security Check), so I took it upon myself to attempt to run ComboFix like he was told, so I could try to get some control over my programs.
(DDS and Security Check STILL won't run on my machine. Running DDS gives an error saying "This is not a valid Win32 application", and SecureCheck opens a blank command prompt window for half a second and immediately shuts off by itself.)

When I ran ComboFix, it found a fault in the Rootkit, so it rebooted the computer itself and finished running after a few minutes. The virus tried like hell to make it inaccessible to me, like it had the rest of my antivirus programs, but ComboFix won out and finished working. After ComboFix ran, I could finally run HJThis and RootRepeal and at least get reports from those, but DDS and SecurityCheck still won't work for me. I have noticed while creating this thread that I haven't seen the pop-up ads littering my browser, and nothing has tried to redirect offsite yet either. But Task Manager, all my old antispyware, and my Help files are still inaccessible to me.

Here are the HJThis report and the RootRepeal report made after ComboFix ran and I rebooted the machine again to see if any infections would pop up. At the very bottom is the ComboFix report it gave me.

Any and all help with restoring my PC will be greatly appreciated. Thanks!

*****************
*****************
*****************


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:33:13 AM, on 10/17/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Search
R3 - URLSearchHook: URLSearchHook Class - {37D2CDBF-2AF4-44AA-8113-BD0D2DA3C2B8} - C:\Program Files\NZSearch\SearchEnh1.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [spc_w] "C:\Program Files\NZSearch\nzspc.exe" -w
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1219176554031
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe

--
End of file - 4764 bytes


*****************
*****************
*****************


ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/10/17 06:35
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEE229000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF8A75000 Size: 8192 File Visible: No Signed: -
Status: -

Name: PROCEXP113.SYS
Image Path: C:\WINDOWS\system32\Drivers\PROCEXP113.SYS
Address: 0xF8A85000 Size: 7872 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEDE69000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\PIF\PIF
Status: Locked to the Windows API!

Path: C:\WINDOWS\SxsCaPendDel\SxsCaPendDel
Status: Locked to the Windows API!

Path: C:\WINDOWS\mui\mui
Status: Locked to the Windows API!

Path: C:\WINDOWS\ERDNT\ERDNT
Status: Locked to the Windows API!

Path: C:\WINDOWS\Config\Config
Status: Locked to the Windows API!

Path: C:\WINDOWS\Connection Wizard\Connection Wizard
Status: Locked to the Windows API!

Path: C:\WINDOWS\Minidump\Minidump
Status: Locked to the Windows API!

Path: C:\WINDOWS\java\classes\classes
Status: Locked to the Windows API!

Path: C:\WINDOWS\java\trustlib\trustlib
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\imejp98\imejp98
Status: Locked to the Windows API!

Path: C:\WINDOWS\inf\Catalog\Catalog
Status: Locked to the Windows API!

Path: C:\WINDOWS\Installer\{BAF78226-3200-4DB4-BE33-4D922A799840}\{BAF78226-3200-4DB4-BE33-4D922A799840}
Status: Locked to the Windows API!

Path: C:\WINDOWS\Registration\CRMLog\CRMLog
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB917159\KB917159
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB920213\KB920213
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB922760\KB922760
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB931768\KB931768
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB932168\KB932168
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB933566\KB933566
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB933729\KB933729
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB939653-IE7\KB939653-IE7
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB943460\KB943460
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB968389\KB968389
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB969059\KB969059
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB974112\KB974112
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB974571\KB974571
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB975025\KB975025
Status: Locked to the Windows API!

Path: C:\WINDOWS\$hf_mig$\KB975467\KB975467
Status: Locked to the Windows API!

Path: C:\WINDOWS\msapps\msinfo\msinfo
Status: Locked to the Windows API!

Path: C:\WINDOWS\Debug\UserMode\UserMode
Status: Locked to the Windows API!

Path: C:\WINDOWS\security\logs\logs
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\temp\temp
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\tmp\tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\WinSxS\InstallTemp\InstallTemp
Status: Locked to the Windows API!

Path: C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2
Status: Locked to the Windows API!

Path: C:\WINDOWS\ime\imejp\applets\applets
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\AuthCabs\Downloaded\Downloaded
Status: Locked to the Windows API!

Path: C:\WINDOWS\Sun\Java\Deployment\Deployment
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\ErrorRep\QHEADLES\QHEADLES
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\ErrorRep\QSIGNOFF\QSIGNOFF
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\ErrorRep\UserDumps\UserDumps
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\helpctr\BATCH\BATCH
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\helpctr\HelpFiles\HelpFiles
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\helpctr\InstalledSKUs\InstalledSKUs
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\helpctr\Temp\Temp
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\85947e1a809663c7f480717673587a59\backup\backup
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\9868363812bbe4a0a4d814b7943ba906\backup\backup
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\backup\backup
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\5cfa09586faf6d9470f0c817d855bb6b\backup\backup
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\6915af3cf644e553ca6da8ed6ca50d4f\backup\backup
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\b7becdf0812b9161bfddc415c4486bad\backup\backup
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\d3767eab8f4479a8d252b47e8ec225c8\backup\backup
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\de81b460c3abcfc5b8494c785a5f3944\backup\backup
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\8cd6b657df2be1875bba5acbd76b9294\8cd6b657df2be1875bba5acbd76b9294
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP1E2.tmp\ZAP1E2.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2C9.tmp\ZAP2C9.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2EF.tmp\ZAP2EF.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP567.tmp\ZAP567.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP65C.tmp\ZAP65C.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP65F.tmp\ZAP65F.tmp
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\helpctr\Config\CheckPoint\CheckPoint
Status: Locked to the Windows API!

Path: C:\WINDOWS\pchealth\helpctr\System\DFS\DFS
Status: Locked to the Windows API!

Path: C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files
Status: Locked to the Windows API!

Path: C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz
Status: Locked to the Windows API!

Path: C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib
Status: Locked to the Windows API!

Path: C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave
Status: Locked to the Windows API!

Path: C:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729
Status: Locked to the Windows API!

Path: C:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729
Status: Locked to the Windows API!

Path: C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\70\70
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\10\policy\policy
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\51\msft\msft
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\msft\msft
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\60\msft\msft
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\51\policy\msft\msft
Status: Locked to the Windows API!

Path: C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\backup\asms\52\policy\msft\msft
Status: Locked to the Windows API!

==EOF==


*******************
*******************
*******************


ComboFix 09-10-16.09 - Wayne 10/17/2009 5:15.4.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.510.324 [GMT -6:00]
Running from: c:\documents and settings\Wayne\Desktop\ComboFix.exe
AV: ZoneAlarm Antivirus *On-access scanning disabled* (Outdated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
FW: ZoneAlarm Security Suite Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\aboqilysoc.ban
c:\documents and settings\All Users\Application Data\adisuxupe.vbs
c:\documents and settings\All Users\Application Data\afev.lib
c:\documents and settings\All Users\Application Data\cupowomuke.pif
c:\documents and settings\All Users\Application Data\fizejum.bin
c:\documents and settings\All Users\Application Data\helices.vbs
c:\documents and settings\All Users\Application Data\imywox.reg
c:\documents and settings\All Users\Application Data\osujyxaqub.scr
c:\documents and settings\All Users\Application Data\uvebi.vbs
c:\documents and settings\All Users\Application Data\ygozowakox.dll
c:\documents and settings\All Users\Application Data\zewasuhow.vbs
c:\documents and settings\All Users\Documents\afydiniwy.pif
c:\documents and settings\All Users\Documents\ecavuto.dl
c:\documents and settings\All Users\Documents\esef.reg
c:\documents and settings\All Users\Documents\laxupivywa.bin
c:\documents and settings\All Users\Documents\lesawy.ban
c:\documents and settings\All Users\Documents\lusise._dl
c:\documents and settings\All Users\Documents\olubipap.scr
c:\documents and settings\All Users\Documents\sequtal.scr
c:\documents and settings\Wayne\Application Data\acukynybot.ban
c:\documents and settings\Wayne\Application Data\bemo.lib
c:\documents and settings\Wayne\Application Data\dilorifa.com
c:\documents and settings\Wayne\Application Data\dugeceqi.pif
c:\documents and settings\Wayne\Application Data\eburyraq.exe
c:\documents and settings\Wayne\Application Data\iniasd.txt
c:\documents and settings\Wayne\Application Data\kovysolyfo._dl
c:\documents and settings\Wayne\Cookies\abaquba.scr
c:\documents and settings\Wayne\Cookies\agywifaje.sys
c:\documents and settings\Wayne\Cookies\apuhi.reg
c:\documents and settings\Wayne\Cookies\ecowuqi.dll
c:\documents and settings\Wayne\Cookies\fazuluno.bat
c:\documents and settings\Wayne\Cookies\fikafuj.reg
c:\documents and settings\Wayne\Cookies\iwuvu.pif
c:\documents and settings\Wayne\Cookies\ixaxekid.scr
c:\documents and settings\Wayne\Cookies\mejip._sy
c:\documents and settings\Wayne\Cookies\oqenohogox._dl
c:\documents and settings\Wayne\Local Settings\Application Data\bebuxibop.dll
c:\documents and settings\Wayne\Local Settings\Application Data\beta._dl
c:\documents and settings\Wayne\Local Settings\Application Data\efuqit.bat
c:\documents and settings\Wayne\Local Settings\Application Data\hupadex.inf
c:\documents and settings\Wayne\Local Settings\Application Data\jawugujaq._sy
c:\documents and settings\Wayne\Local Settings\Application Data\ubinugik.sys
c:\documents and settings\Wayne\Local Settings\Application Data\udum.bin
c:\documents and settings\Wayne\Local Settings\Application Data\ukaju._dl
c:\documents and settings\Wayne\Local Settings\Application Data\valabe.sys
c:\documents and settings\Wayne\Local Settings\Application Data\ynawohy.bin
c:\documents and settings\Wayne\Local Settings\Temporary Internet Files\acajykavo._sy
c:\documents and settings\Wayne\Local Settings\Temporary Internet Files\acupe.bin
c:\documents and settings\Wayne\Local Settings\Temporary Internet Files\ahocetij.reg
c:\documents and settings\Wayne\Local Settings\Temporary Internet Files\cefudic.lib
c:\documents and settings\Wayne\Local Settings\Temporary Internet Files\egodyfatol.lib
c:\documents and settings\Wayne\Local Settings\Temporary Internet Files\esevivil.reg
c:\documents and settings\Wayne\Local Settings\Temporary Internet Files\ihifyrimo.dll
c:\documents and settings\Wayne\Local Settings\Temporary Internet Files\isocy.dat
c:\documents and settings\Wayne\Local Settings\Temporary Internet Files\jodawiz.ban
c:\documents and settings\Wayne\Local Settings\Temporary Internet Files\lemovoxi.lib
c:\documents and settings\Wayne\Local Settings\Temporary Internet Files\rizevopez.pif
c:\documents and settings\Wayne\Local Settings\Temporary Internet Files\sahyqupi.sys
c:\documents and settings\Wayne\Local Settings\Temporary Internet Files\ulabosyh.dll
c:\documents and settings\Wayne\Local Settings\Temporary Internet Files\ytegitun.exe
c:\documents and settings\Wayne\ntuser.dll
c:\documents and settings\Wayne\Start Menu\Programs\AntivirusPro_2010
c:\documents and settings\Wayne\Start Menu\Programs\AntivirusPro_2010\AntivirusPro_2010.lnk
c:\documents and settings\Wayne\Start Menu\Programs\AntivirusPro_2010\Uninstall.lnk
c:\documents and settings\Wayne\Start Menu\Programs\Startup\scandisk.dll
c:\documents and settings\Wayne\Start Menu\Programs\Startup\scandisk.lnk
c:\program files\Common Files\faze.dl
c:\program files\Common Files\jicaduva._sy
c:\program files\Common Files\kupaluku.com
c:\program files\Common Files\miqobevuty.sys
c:\program files\Common Files\ozocefyby.dll
c:\program files\Common Files\qimunux.bat
c:\program files\Common Files\sofeqohiji.ban
c:\program files\Common Files\uguroq.scr
c:\program files\Common Files\vyxutuq.dll
c:\program files\Common Files\wituhylu.reg
c:\windows\arit.vbs
c:\windows\asav._dl
c:\windows\awynekyf.reg
c:\windows\azic.dll
c:\windows\bosyzoq.ban
c:\windows\buryvykox.scr
c:\windows\curasabi.bat
c:\windows\cyvilik.bat
c:\windows\egicigi.reg
c:\windows\emis.dll
c:\windows\falekiw.dll
c:\windows\fyxocagog.bat
c:\windows\gebuqi.bin
c:\windows\iguce._dl
c:\windows\mapukyrido.bin
c:\windows\mizyzag.pif
c:\windows\oficerig.bat
c:\windows\selegocuty.scr
c:\windows\sesahibi.reg
c:\windows\system32\_scui.cpl
c:\windows\system32\AVR09.exe
c:\windows\system32\axaltocm.dll
c:\windows\system32\calc.dll
c:\windows\system32\certstore.dat
c:\windows\system32\critical_warning.html
c:\windows\system32\ffafdfaab6_d.dll
c:\windows\system32\fukojaqa.bin
c:\windows\system32\Iasv32.dll
c:\windows\system32\kevidobi.dll
c:\windows\system32\kilo._sy
c:\windows\system32\kuzefawi.dll
c:\windows\system32\minynity.ban
c:\windows\system32\murojuxi.scr
c:\windows\system32\siweviji.dll
c:\windows\system32\sonic.inf
c:\windows\system32\tajojeti.dll
c:\windows\system32\tufurate.dll
c:\windows\system32\uposoge.reg
c:\windows\system32\usac._sy
c:\windows\system32\winhelper.dll
c:\windows\system32\winupdate.exe
c:\windows\system32\yadeyufa.dll
c:\windows\system32\yefutani.dll
c:\windows\system32\yjoxose.reg
c:\windows\system32\ykyvapuroz._sy
c:\windows\system32\zilukiri.dll
c:\windows\unus.vbs
c:\windows\vuvew.vbs
c:\windows\win32k.sys
c:\windows\zosav._dl

Infected copy of c:\windows\system32\drivers\atapi.sys was found and disinfected
Restored copy from - Kitty ate it :^)
Infected copy of c:\windows\system32\eventlog.dll was found and disinfected
Restored copy from - c:\windows\system32\dllcache\eventlog.dll

c:\windows\system32\proquota.exe was missing
Restored copy from - c:\i386\proquota.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IAS
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Service_Ias


((((((((((((((((((((((((( Files Created from 2009-09-17 to 2009-10-17 )))))))))))))))))))))))))))))))
.

2009-10-17 11:21 . 2004-08-04 10:00 50176 ----a-w- c:\windows\system32\proquota.exe
2009-10-17 10:11 . 2009-10-17 10:11 0 ----a-w- C:\settings.dat
2009-10-17 10:10 . 2009-08-13 17:14 472064 ----a-w- C:\RootRepeal3.exe
2009-10-17 10:01 . 2009-10-17 10:01 34816 ----a-w- c:\windows\system32\drivers\rootrepeal2.sys
2009-10-17 04:43 . 2009-10-17 08:42 -------- d-----w- c:\documents and settings\All Users\Application Data\66701020
2009-10-17 03:46 . 2009-10-17 03:46 16279 ----a-w- c:\documents and settings\Wayne\Local Settings\Application Data\tofikygoke.dat
2009-10-17 03:46 . 2009-10-17 03:46 15379 ----a-w- c:\windows\hoga.com
2009-10-16 08:13 . 2009-08-13 17:14 472064 ----a-w- C:\RootRepeal.exe
2009-10-16 08:01 . 2009-10-16 08:01 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2009-10-16 06:22 . 2009-10-16 06:22 18208 ----a-w- c:\windows\muxyjuhoh.com
2009-10-16 02:17 . 2009-10-16 02:17 -------- d-----w- c:\documents and settings\Administrator\Application Data\DivX
2009-10-16 01:38 . 2009-10-16 01:38 -------- d-sh--w- c:\documents and settings\Administrator\PrivacIE
2009-10-15 15:54 . 2009-10-15 15:54 18691 ----a-w- c:\program files\Common Files\idesa.dat
2009-10-15 15:54 . 2009-10-15 15:54 13265 ----a-w- c:\documents and settings\Wayne\Local Settings\Application Data\epegopymy.dat
2009-10-15 15:14 . 2009-10-15 15:14 17423 ----a-w- c:\windows\wunoru.com
2009-10-15 15:14 . 2009-10-15 15:14 14581 ----a-w- c:\program files\Common Files\umapyvo.dat
2009-10-15 14:31 . 2009-10-15 14:31 46 ----a-w- C:\p2hhrvirus.bat
2009-09-25 13:29 . 2009-09-25 13:29 -------- d-----w- c:\documents and settings\All Users\Application Data\NCH Swift Sound
2009-09-25 13:28 . 2009-09-25 13:28 -------- d-----w- c:\program files\NCH Swift Sound
2009-09-25 09:18 . 2009-09-25 10:10 -------- d-----w- c:\documents and settings\Wayne\Application Data\Quintessential Media Player

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-10-17 11:20 . 2009-03-19 09:30 -------- d-----w- c:\program files\SUPERAntiSpyware
2009-10-15 15:25 . 2007-12-03 06:46 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-10-15 14:55 . 2009-08-07 04:18 -------- d-----w- c:\program files\Hijack This 8-2009
2009-09-01 17:34 . 2008-11-23 13:48 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-05 09:11 . 2004-08-10 17:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-04 17:37 . 2007-06-14 09:23 102664 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2009-08-03 19:36 . 2009-08-07 04:14 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-08-03 19:36 . 2009-08-07 04:14 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-07-31 16:49 . 2005-06-10 02:58 268912 ----a-w- c:\documents and settings\Wayne\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2005-06-16 02:50 . 2005-06-16 02:50 6033 ----a-w- c:\program files\uninstal.log
2009-07-16 06:31 . 2009-07-16 06:31 1114427 --sha-w- c:\windows\system32\jurumoku.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="c:\program files\DellSupport\DSAgnt.exe" [2007-03-15 460784]
"spc_w"="c:\program files\NZSearch\nzspc.exe" [2006-07-11 311362]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-09-25 1998576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2004-10-15 1404928]
"IntelMeM"="c:\program files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-04 221184]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 53248]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"DMXLauncher"="c:\program files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 86016]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-09-20 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2005-09-20 114688]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-05-26 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-01 149280]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-6-15 113664]
dlbcserv.lnk - c:\program files\Dell Photo Printer 720\dlbcserv.exe [2005-6-9 315392]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\NetZero\\qs\\exec.exe"=
"c:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [8/8/2009 3:16 AM 28544]
S1 SASDIFSV;SASDIFSV;\??\c:\program files\SUPERAntiSpyware\SASDIFSV.SYS --> c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [?]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S3 isapeep;isapeep;\??\c:\windows\system32\isapeep.sys --> c:\windows\system32\isapeep.sys [?]
S3 rootrepeal2;rootrepeal2;c:\windows\system32\drivers\rootrepeal2.sys [10/17/2009 4:01 AM 34816]
S3 rootrepeal3;rootrepeal3;\??\c:\windows\system32\drivers\rootrepeal3.sys --> c:\windows\system32\drivers\rootrepeal3.sys [?]
S3 SASENUM;SASENUM;\??\c:\program files\SUPERAntiSpyware\SASENUM.SYS --> c:\program files\SUPERAntiSpyware\SASENUM.SYS [?]
S3 scsiscan;SCSI Scanner Driver;c:\windows\system32\drivers\scsiscan.sys [1/14/2007 10:23 AM 10880]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = about:blank
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://my.netzero.net/s/search?r=minisearch
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
FF - ProfilePath - c:\documents and settings\Wayne\Application Data\Mozilla\Firefox\Profiles\gs82h1qg.default\
FF - prefs.js: browser.startup.homepage - about:blank
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

BHO-{3d7a1a09-8c14-4d19-8307-ec9d261ca938} - yadeyufa.dll
HKLM-Run-kumojazuw - c:\windows\system32\tajojeti.dll
HKLM-Run-66701020 - c:\docume~1\ALLUSE~1\APPLIC~1\66701020\66701020.exe
HKLM-Run-zifawutojo - zilukiri.dll
SharedTaskScheduler-<NO NAME> - (no file)
SharedTaskScheduler-{fbd5ad42-fa4f-4fe8-9177-88939bdf4085} - c:\windows\system32\tajojeti.dll
SSODL-latatiyof-{fbd5ad42-fa4f-4fe8-9177-88939bdf4085} - c:\windows\system32\tajojeti.dll
AddRemove-HijackThis - c:\program files\Trend Micro\HijackThis2\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2009-10-17 05:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-3669232049-2875415384-651909778-1006\Software\Microsoft\SystemCertificates\Address Book*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2192)
c:\windows\system32\WININET.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\IEFRAME.dll
c:\windows\system32\mshtml.dll
c:\windows\system32\msls31.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\SmartFTP\smarthook.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\tcpsvcs.exe
c:\windows\system32\snmp.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-10-17 5:29 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-17 11:29

Pre-Run: 14,266,028,032 bytes free
Post-Run: 14,240,124,928 bytes free

300 --- E O F --- 2009-09-12 12:22
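The Reg Loading Points and ORPHANS REMOVED sections of the log above are where the rogue's loaders showed up: eight-letter DLL names that look generated (tajojeti.dll, yadeyufa.dll, zilukiri.dll), an all-digit folder under Application Data (66701020), and a Run entry whose file is already gone ([X]). As an added example, not part of the original thread and not code from ComboFix or Malwarebytes, here is a small Python triage script that parses lines of that shape and flags those three patterns for review. The sample log is constructed from entries on this page; the name regex and the all-digit rule are my own heuristics, so a hit means "look at this", not a verdict.

```python
"""Triage helper for ComboFix-style autostart and orphan listings (added example)."""
import re
from typing import List, Tuple

# Constructed sample: a few lines in the shape of the Reg Loading Points and
# ORPHANS REMOVED sections above (entries copied from the posted log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-09-20 94208]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-01 149280]

- - - - ORPHANS REMOVED - - - -

BHO-{3d7a1a09-8c14-4d19-8307-ec9d261ca938} - yadeyufa.dll
HKLM-Run-kumojazuw - c:\windows\system32\tajojeti.dll
HKLM-Run-66701020 - c:\docume~1\ALLUSE~1\APPLIC~1\66701020\66701020.exe
SharedTaskScheduler-<NO NAME> - (no file)
AddRemove-HijackThis - c:\program files\Trend Micro\HijackThis2\HijackThis.exe
"""

# "Name"="command" [date size], or "Name"="command" [X] when the file is gone
RUN_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s*\[(?P<meta>[^\]]*)\]')
# Kind-Name - target   (the ORPHANS REMOVED format)
ORPHAN_LINE = re.compile(r'^(?P<kind>[A-Za-z]+)-(?P<name>.+?) - (?P<target>.+)$')

CONSONANT = "[bcdfghjklmnpqrstvwxyz]"
VOWEL = "[aeiou]"
# Eight or nine lowercase letters in strict consonant/vowel alternation: the
# shape of tajojeti, yadeyufa, zilukiri and kumojazuw in the log. My own
# heuristic (assumption), so it can also hit an ordinary word like "paradise".
PSEUDO_RANDOM = re.compile(f"(?:{CONSONANT}{VOWEL}){{4}}{CONSONANT}?")


def stem_of(path: str) -> str:
    """File name without directory, extension or trailing arguments."""
    base = path.replace("/", "\\").rsplit("\\", 1)[-1]
    if "." in base:
        return base.rsplit(".", 1)[0]
    return base.split(" ", 1)[0]  # no extension: "dumprep 0 -u" -> "dumprep"


def is_pseudo_random(name: str) -> bool:
    return PSEUDO_RANDOM.fullmatch(name) is not None


def digits_only_component(path: str) -> bool:
    """True when any directory or file-name component is six or more digits."""
    return any(part.isdigit() and len(part) >= 6 for part in re.split(r"[\\/]", path))


def analyze_log(text: str) -> List[Tuple[str, str]]:
    """Return (entry label, reasons) for every line that trips a heuristic."""
    findings: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        reasons: List[str] = []
        m = RUN_LINE.match(line)
        if m:
            label, target, meta = m.group("name"), m.group("cmd"), m.group("meta")
            entry_name = label
            if meta.strip() == "X":
                reasons.append("target file missing ([X])")
        else:
            m = ORPHAN_LINE.match(line)
            if not m:
                continue
            label = f"{m.group('kind')}-{m.group('name')}"
            entry_name = m.group("name").rsplit("-", 1)[-1]  # "Run-kumojazuw" -> "kumojazuw"
            target = m.group("target")
            if target == "(no file)":
                reasons.append("entry points at a file that no longer exists")
        stem = stem_of(target)
        if is_pseudo_random(stem):
            reasons.append(f"generated-looking file name '{stem}'")
        if is_pseudo_random(entry_name):
            reasons.append(f"generated-looking entry name '{entry_name}'")
        if digits_only_component(target) or (entry_name.isdigit() and len(entry_name) >= 6):
            reasons.append("all-digit path or entry name")
        if reasons:
            findings.append((label, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for label, why in analyze_log(SAMPLE_LOG):
        print(f"{label:45s} {why}")
```

Run against the sample it reports five entries (the [X] loader, the BHO and HKLM-Run DLLs with generated names, the all-digit 66701020 entry, and the empty SharedTaskScheduler slot) and stays quiet on igfxtray, jusched and HijackThis. Feed it a real log by pasting the two sections into `SAMPLE_LOG` or reading them from a file.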
10-17-2009, #2, Ankur (Moderator; Join Date: Jul 2009; Location: India; Posts: 129; PC Experience: Experienced)
Re: AntivirusPro10 infection,lost TskMgr & He

Hello Wayne!! Welcome back to the forum.

It's very disappointing that your system is infected again. Our security team will join you shortly. They will come up with their expertise and will help you to follow the prework. Thanks for your patience.

Regards
Ankur
__________________
10-17-2009, #3, Crush (Tech Support Team; Join Date: Sep 2008; Location: Caldwell, New Jersey; Posts: 10,112; PC Experience: Always Learning New Things)
Re: AntivirusPro10 infection,lost TskMgr & He

BigWayne,

Welcome. I must say, what you did was quite risky. You should NEVER follow the advice given on another thread despite the fact that they may seem identical. Each issue is unique.

I'm Crush the PCHF Security Team Leader and I'll be helping you to remove your Malware. Before we begin there are some things that you should know:

1. We are all volunteer staff here at PCHF so we log in and assess threads when real life, work, family, and other obligations permit. Additionally, we are located all over the world. There may be a bit of a time delay due to this.

2. Malware Removal threads are very time intensive. Each entry must be researched until it can be said with 100% certainty whether or not it can stay or needs to be removed. Sometimes additional work is needed to weed out suspect entries.

3. This may turn into a long ordeal, but rest assured we will stay with you until you are completely disinfected.

4. Please do not run any tools or fixes unless asked to do so by myself or a member of the Security Team.

5. If you are not the original poster of this thread DO NOT run any fixes given to the poster in this thread. They are all custom tailored specifically to this user. It could prove to be disastrous. PCHF does not assume any responsibility for users that decide to do so.

6. If you have any questions or issues please stop and ask! We are all here to help.

With that out of the way:


Please download Malwarebytes' Anti-Malware from one of these places:

https://www.cleverbridge.com/342/coo...%3ddl-10804572

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, navigate to the Update tab and click Check For Updates. It will then download the latest updates for you.
* Now navigate back to the Scan tab.
* Select "Perform Full Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy & Paste the entire report in your next reply.

Please Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.
__________________
Crush aka Chris
[Prework][Afterwork][PCHF Rules][BSOD's][SFC][Screenshots][PC Specs][Donate]
I am in fact, quite cool. My graphing calculator confirms this

10-17-2009, #4, BigWayne (Bronze Member; Join Date: Aug 2009; Location: Outside your bedroom window....BOO!; Posts: 17; PC Experience: Internet Junkie)
Re: AntivirusPro10 infection,lost TskMgr & He

Here is the M-Bam report you requested, Crush. Task Manager is appearing now but the Help files still seem to be either inaccessible or deleted. Also, before I ran Combofix when I was trying to get RootRepeal to run, I extracted it multiple times from the RAR file and put it in different locations each time after the virus killed in an attempt to get one of them to run. Each one of those is still denying me access to them when I try to send them to the Recycle Bin just like before Combofix.


*****************************

Malwarebytes' Anti-Malware 1.41
Database version: 2976
Windows 5.1.2600 Service Pack 2

10/17/2009 3:35:34 PM
mbam-log-2009-10-17 (15-35-34).txt

Scan type: Full Scan (C:\|E:\|F:\|)
Objects scanned: 179428
Time elapsed: 58 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\isapeep (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Documents and Settings\All Users\Application Data\66701020 (Rogue.Multiple) -> Quarantined and deleted successfully.

Files Infected:
C:\Qoobox\Quarantine\C\Documents and Settings\Wayne\ntuser.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\Documents and Settings\Wayne\Start Menu\Programs\Startup\scandisk.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\calc.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\eventlog.dll.vir (Trojan.Sirefef) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\Iasv32.dll.vir (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\siweviji.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\tufurate.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\yadeyufa.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\yefutani.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\zilukiri.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

Last edited by BigWayne; 10-17-2009 at 10:09 PM.
10-17-2009, #5, Crush (Tech Support Team; Join Date: Sep 2008; Location: Caldwell, New Jersey; Posts: 10,112; PC Experience: Always Learning New Things)
Re: AntivirusPro10 infection,lost TskMgr & He

BigWayne,



Your computer has multiple infections, including a backdoor. A backdoor gives intruders complete control of your computer, logs your keystrokes, steals personal information, etc.

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can attempt to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.
__________________
Crush aka Chris
[Prework][Afterwork][PCHF Rules][BSOD's][SFC][Screenshots][PC Specs][Donate]
I am in fact, quite cool. My graphing calculator confirms this

10-18-2009, #6, BigWayne (Bronze Member; Join Date: Aug 2009; Location: Outside your bedroom window....BOO!; Posts: 17; PC Experience: Internet Junkie)
Re: AntivirusPro10 infection,lost TskMgr & He

After reading that data sheet, it sounds like a reformat is in order for 100% peace of mind. I hate to, but it looks like it may need it, especially if it did kill all the Help files. It may be worth doing it just to get rid of all the hidden thumbs.db files cluttering the HDD-lol. After 4 years, I'm sure it could use some clearing out of the HDD for registry fixes and old broken uninstall leftover files.

BTW, my Dell didn't come with the installation disk. It has the files on the HDD from what the included literature said. Can a complete reinstall be done without any sort of disks? A friend has the driver disk Dell sent him for a nearly identical computer bought 2 months after mine when his was compromised. Mine is the 2005 Dell Dimension 3000 Home Vers, and his is the same model Dell but the Pro Version. If I need any sort of disks for the reinstall, will his Pro disks be compatible enough if I need some sort of disk for the reformat?

I don't think I've used any personal info of mine except to forums like this since I downloaded what I think was the viral file, so hopefully that won't be a worry. The trouble started just about a half an hour after I downloaded that Rapidshare ZIP.

Now here's the big question. How secure are JPG's and TXT/Word files if I move them to a flash drive from this computer before the reformat? I only have a very few family photos (jpgs, tiffs), some Photoshop PSD and Inkscape SVG files, and some stories I've written that I'd like to save before a reinstall, so losing most anything else (install programs, junk images, etc) is negligible. I'm even willing to let my browser bookmarks go if need be.

How safe is uploading those files to a flash drive without concern for any part of the virus being uploaded to it as well? Should I upload my keeper stuff to the flash drive, then run Malwarebytes on the flash drive to make sure? I'm sorry to be such a n00b on this stuff.
10-18-2009, #7, Crush (Tech Support Team; Join Date: Sep 2008; Location: Caldwell, New Jersey; Posts: 10,112; PC Experience: Always Learning New Things)
Re: AntivirusPro10 infection,lost TskMgr & He

Hi Bigwayne,

You'll be fine backing up anything but .scr and .exe files. Those can be restored through reinstalling the programs. You'll need an XP reinstall disc for the reformat, any will do. Perhaps you can borrow one off a friend or a relative?

The drivers can be downloaded direct from Dell's website if you do not have the Drivers disc that came with your PC. You'll need your Service Tag which can usually be found somewhere on the tower. It is a string of 7 numbers and letters that will look something like this:

Here is the URL for the Drivers downloads:

Dell - Drivers and Downloads

Just click on Choose By Service Tag and you're golden.

We'll be here if you encounter any further issues or problems during the reformat.
__________________
Crush aka Chris
[Prework][Afterwork][PCHF Rules][BSOD's][SFC][Screenshots][PC Specs][Donate]
I am in fact, quite cool. My graphing calculator confirms this

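Crush's backup advice above (copy the documents and images, leave .scr and .exe behind, reinstall programs after the reformat) as an added Python example; it is not code from the thread or from any tool named in it. The extension set extends the two types named in the post with other Windows executable and script types, which is my own choice, and the sample "My Documents" tree is constructed in a temporary directory so the script runs anywhere.

```python
"""Selective pre-reformat backup: documents and images in, executables out (added example)."""
import os
import shutil
import tempfile
from typing import Iterable, List, Tuple

# .exe and .scr are the two types the post names. The rest are other Windows
# executable or script types (editor's addition); reinstalling the programs
# brings them back, so they never need to ride along on the flash drive.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif",
                   ".dll", ".sys", ".vbs", ".js", ".lnk"}


def should_backup(name: str) -> bool:
    """True for documents/images, False for anything with an executable suffix.

    Only the last suffix counts: a file that Explorer shows as 'photo.jpg'
    with known extensions hidden may really be 'photo.jpg.exe', and that is
    exactly the case this check has to catch.
    """
    return os.path.splitext(name)[1].lower() not in EXECUTABLE_EXTS


def plan_backup(names: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Split file names into (keep, skip) without touching the disk."""
    keep: List[str] = []
    skip: List[str] = []
    for name in names:
        (keep if should_backup(name) else skip).append(name)
    return keep, skip


def copy_selected(src_root: str, dst_root: str) -> Tuple[List[str], List[str]]:
    """Walk src_root and copy only the files that pass should_backup.

    Returns (copied, skipped) as sorted, forward-slash relative paths so the
    result reads the same on Windows and elsewhere.
    """
    copied: List[str] = []
    skipped: List[str] = []
    for dirpath, _dirs, files in os.walk(src_root):
        rel_dir = os.path.relpath(dirpath, src_root)
        for fname in files:
            rel = os.path.normpath(os.path.join(rel_dir, fname)).replace(os.sep, "/")
            if not should_backup(fname):
                skipped.append(rel)
                continue
            target = os.path.join(dst_root, *rel.split("/"))
            os.makedirs(os.path.dirname(target), exist_ok=True)
            shutil.copy2(os.path.join(dirpath, fname), target)  # keeps timestamps
            copied.append(rel)
    return sorted(copied), sorted(skipped)


def demo() -> Tuple[List[str], List[str]]:
    """Build a constructed 'My Documents' tree in a temp dir and back it up."""
    root = tempfile.mkdtemp(prefix="backup-demo-")
    src = os.path.join(root, "My Documents")
    dst = os.path.join(root, "flash drive")
    # Constructed sample files: the kinds the poster wants to keep, plus a
    # screensaver and a double-extension executable that must stay behind.
    sample = ["story.txt", "family.jpg", "logo.svg", "design.psd",
              "photo.jpg.exe", "saver.scr", "sub/notes.doc"]
    try:
        for name in sample:
            path = os.path.join(src, *name.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(b"constructed sample content\n")
        return copy_selected(src, dst)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    copied, skipped = demo()
    print("copied :", copied)
    print("skipped:", skipped)
```

For a real run, call `copy_selected(r"C:\Documents and Settings\<user>\My Documents", r"E:\backup")` with your own paths; the skipped list is worth reading before the reformat, since anything in it that you did not put there is a reason to look closer at that folder.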
Powered by vBulletin
Copyright ©2000 - 2009, Jelsoft Enterprises Ltd.