Just fixed a NASTY virus on Laptop [length]

Antec-User

Comp shut down on me yesterday. No blue screen, just restarted. Went about my business and it happened again, but this time I had this thing pop up yesterday saying I was infected (under the taskbar, NOT the net). So I didn't click on it. Just shut the WLAN off. Windows Security Center popped up saying I was under attack (also under the taskbar). Didn't touch anything.

I couldn't do anything. Was trying to shut stuff off when the screen went black with a warning that I was under attack. Restarted to see what I could do and it shut down again (3rd time). Started in safe mode and it was running fine, so I did two scans: one MWB scan and another with Microsoft Security Essentials. MSE only found one file; Malwarebytes didn't find anything.

Usually when they don't find anything you can find some suspicious files under MSConfig > Startup, trace the item and delete it. Did that and couldn't delete a couple of things, so I shut them off in MSConfig > Startup and restarted, which disabled them, and then I was able to delete the files. Restarted > Safe mode > MSConfig > Startup and ANOTHER one was showing as active. This time the warnings popped up again. :eek2: Got it just in time before it shut me down again.

Did the same thing again, traced and deleted sections until the file was gone. Restarted, scanned twice again, ran CHKDSK and CCleaner. Here I am. :)

Got it. Prolly some lingering files, but I can't get that one out of the startup menu. It was some "AivL virus scan" saying I was infected (IIRC). That's why I don't click on ANYTHING when this happens. It will get you either way. Looked like it was ghosting as my Microsoft Security Essentials, since all the MSE shortcuts moved and didn't work. Was popping up under startup on the right in the taskbar, but didn't appear in MSConfig > Startup. Very odd. This was a nasty one and I'm glad I cleared it out. And I don't store critical passwords for the net as cookies. I refuse to. Just for the boards.

Anyway. I was running Avast a while ago but switched. I updated MWB and MSE, did a full scan last night and it hasn't found anything. Seems like every time I run ComboFix it keeps telling me I've got the wrong operating system. I got rid of the problem manually, but there are still some lingering crumbs from it.
 
ComboFix log:

ComboFix 11-02-17.02 - Richard 02/18/2011 8:29.4.2 - x86
Microsoft® Windows Vista™ Ultimate 6.0.6002.2.1252.1.1033.18.2814.1370 [GMT -5:00]
Running from: c:\users\Richard\Downloads\ComboFix.exe
AV: Microsoft Security Essentials *Disabled/Updated* {108DAC43-C256-20B7-BB05-914135DA5160}
SP: Microsoft Security Essentials *Disabled/Updated* {ABEC4DA7-E46C-2F39-81B5-AA334E5D1BDD}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\programdata\Desktop
c:\windows\system32\twunk_32.exe

.
((((((((((((((((((((((((( Files Created from 2011-01-18 to 2011-02-18 )))))))))))))))))))))))))))))))
.

2011-02-18 13:35 . 2011-02-18 13:35 -------- d-----w- c:\users\Richard\AppData\Local\temp
2011-02-18 13:35 . 2011-02-18 13:35 -------- d-----w- c:\windows\system32\config\systemprofile\AppData\Local\temp
2011-02-18 13:35 . 2011-02-18 13:35 -------- d-----w- c:\users\Public\AppData\Local\temp
2011-02-18 13:35 . 2011-02-18 13:35 -------- d-----w- c:\users\Default\AppData\Local\temp
2011-02-18 04:01 . 2011-02-18 04:01 28752 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{769D7F85-97CA-424C-BFFF-760DB758CE2E}\MpKslf95b8bfa.sys
2011-02-18 04:01 . 2011-01-13 09:41 5890896 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{769D7F85-97CA-424C-BFFF-760DB758CE2E}\mpengine.dll
2011-02-18 03:58 . 2011-02-04 13:00 439632 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{ECE6B407-8C20-4369-9E3D-252F9F005037}\gapaengine.dll
2011-02-18 03:53 . 2011-02-04 13:00 439632 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{C97D12F5-EEF4-40F3-A21C-BAD97EB41C00}\gapaengine.dll
2011-02-18 03:51 . 2011-02-18 03:51 711168 ----a-w- c:\windows\isRS-000.tmp
2011-02-17 13:25 . 2011-02-04 13:00 439632 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{356106C4-76E9-4839-B509-2CB6E6500008}\gapaengine.dll
2011-02-17 01:45 . 2011-02-17 01:45 364570 ----a-w- c:\program files\Mozilla Firefox\uninstall\uninstaller.exe
2011-02-09 20:06 . 2010-12-31 13:57 2039808 ----a-w- c:\windows\system32\win32k.sys
2011-02-09 20:06 . 2010-10-15 14:08 3602320 ----a-w- c:\windows\system32\ntkrnlpa.exe
2011-02-09 20:06 . 2010-10-15 13:48 1205080 ----a-w- c:\windows\system32\ntdll.dll
2011-02-09 20:06 . 2010-10-15 14:08 3550096 ----a-w- c:\windows\system32\ntoskrnl.exe
2011-02-09 20:06 . 2011-01-06 10:51 2409784 ----a-w- c:\program files\Windows Mail\OESpamFilter.dat
2011-02-09 20:04 . 2011-01-08 06:28 292352 ----a-w- c:\windows\system32\atmfd.dll
2011-02-09 20:04 . 2011-01-08 08:47 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-02-07 14:19 . 2011-02-07 14:19 -------- d-----w- c:\program files\iPod
2011-02-07 14:13 . 2011-02-07 14:14 -------- d-----w- c:\users\Richard\{c5b16590-a0f0-4d30-8fd5-dc56ff07650b}
2011-02-04 13:11 . 2011-02-04 13:00 439632 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\NISBackup\gapaengine.dll
2011-02-04 13:02 . 2011-02-04 13:00 439632 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Updates\gapaengine.dll
2011-02-04 12:47 . 2011-02-04 12:47 -------- d-----w- c:\windows\Temp4477936D-8AF3-1B8F-0A23-258EAA875040-Signatures
2011-02-04 12:46 . 2011-02-04 12:48 -------- d-----w- c:\program files\Microsoft Security Client
2011-02-04 12:45 . 2010-04-05 20:00 221568 ----a-w- c:\windows\system32\drivers\netio.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-01-13 09:41 . 2010-11-26 14:47 5890896 ----a-w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2011-01-13 09:41 . 2010-11-25 15:47 5890896 ------w- c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Updates\mpengine.dll
2010-12-28 15:55 . 2011-01-12 21:34 413696 ----a-w- c:\windows\system32\odbc32.dll
2010-12-14 14:49 . 2011-01-12 21:34 1169408 ----a-w- c:\windows\system32\sdclt.exe
2010-12-10 13:28 . 2010-12-10 13:28 749832 ----a-w- c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight\SpotlightResources.dll
2010-11-29 22:38 . 2010-11-29 22:38 94208 ----a-w- c:\windows\system32\QuickTimeVR.qtx
2010-11-29 22:38 . 2010-11-29 22:38 69632 ----a-w- c:\windows\system32\QuickTime.qts
2008-07-09 13:40 . 2009-08-04 23:08 58720 ----a-w- c:\program files\Install Lightroom 2.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2008-01-21 125952]
"PeerBlock"="c:\program files\PeerBlock\peerblock.exe" [2010-10-15 1866864]
"Messenger (Yahoo!)"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2010-03-03 5244216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-04-17 1049896]
"hpWirelessAssistant"="c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2008-04-15 488752]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-07-23 13797920]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-09-23 35760]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-11-29 421888]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2010-11-30 997408]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2011-01-25 421160]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Status Monitor.lnk - c:\program files\Brother\Brmfcmon\BrMfcWnd.exe [2010-10-26 1089536]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^ImageMixer 3 SE Camera Monitor Ver.5.lnk]
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\ImageMixer 3 SE Camera Monitor Ver.5.lnk
backup=c:\windows\pss\ImageMixer 3 SE Camera Monitor Ver.5.lnk.CommonStartup
backupExtension=.CommonStartup

[HKLM\~\startupfolder\C:^ProgramData^Microsoft^Windows^Start Menu^Programs^Startup^Snapfish Media Detector.lnk]
backup=c:\windows\pss\Snapfish Media Detector.lnk.CommonStartup
backupExtension=.CommonStartup
path=c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\Snapfish Media Detector.lnk

[HKLM\~\startupfolder\C:^Users^Richard^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\users\Richard\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
%ProgramFiles%\Windows Defender\MSASCui.exe -hide [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-09-21 06:07 932288 ----a-r- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-09-23 11:47 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim]
2010-03-08 21:04 3972440 ----a-w- c:\program files\AIM\aim.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ArcSoft Connection Service]
2010-03-18 16:19 207360 ----a-w- c:\program files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrMfcWnd]
2008-02-19 15:22 1089536 ------r- c:\program files\Brother\Brmfcmon\BrMfcWnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter3]
2007-12-22 00:57 86016 ------w- c:\program files\Brother\ControlCenter3\BrCtrCen.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2010-11-18 00:13 136176 ----atw- c:\users\Richard\AppData\Local\Google\Update\GoogleUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 23:24 54840 ----a-w- c:\program files\HP\HP Software Update\hpwuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPAdvisor]
2008-09-30 23:56 972080 ----a-w- c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM]
2006-09-11 10:40 218032 ----a-w- c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2011-01-25 20:08 421160 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Malwarebytes Anti-Malware (reboot)]
2010-04-29 20:39 1090952 ----a-w- c:\program files\Malwarebytes' Anti-Malware\mbam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2010-03-03 18:32 5244216 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-09-23 07:47 4240760 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
2009-07-23 19:39 92704 ----a-w- c:\windows\System32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl.exe]
2008-08-01 23:14 202032 ----a-w- c:\program files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 22:38 421888 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
2007-08-16 14:56 236016 ----a-w- c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2009-05-06 01:09 148888 ----a-w- c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateP2GoShortCut]
2008-06-14 01:11 210216 ----a-w- c:\program files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdatePDIRShortCut]
2008-06-14 01:11 210216 ----a-w- c:\program files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Mobile Device Center]
2007-05-31 16:21 648072 ----a-w- c:\windows\WindowsMobile\wmdc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WindowsWelcomeCenter]
2009-04-11 06:28 2153472 ----a-w- c:\windows\System32\oobefldr.dll

R1 MpKsl794875e0;MpKsl794875e0;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{55944C03-3994-4257-9025-12B8147AF2E6}\MpKsl794875e0.sys [x]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 Com4QLBEx;Com4QLBEx;c:\program files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe [2008-04-03 193840]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2010-10-25 54144]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\Antimalware\NisSrv.exe [2010-11-11 206360]
R3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\DRIVERS\NwUsbCdFil.sys [2010-07-08 20480]
R3 NWUSBModem_000;Novatel Wireless USB Modem Driver (vGEN);c:\windows\system32\DRIVERS\nwusbmdm_000.sys [2010-07-08 176384]
R3 NWUSBPort_000;Novatel Wireless USB Status Port Driver (vGEN);c:\windows\system32\DRIVERS\nwusbser_000.sys [2010-07-08 176384]
R3 NWUSBPort2_000;Novatel Wireless USB Status2 Port Driver (vGEN);c:\windows\system32\DRIVERS\nwusbser2_000.sys [2010-07-08 176384]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]
S1 MpKslf95b8bfa;MpKslf95b8bfa;c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{769D7F85-97CA-424C-BFFF-760DB758CE2E}\MpKslf95b8bfa.sys [2011-02-18 28752]
S2 Recovery Service for Windows;Recovery Service for Windows;c:\program files\SMINST\BLService.exe [2008-10-06 365952]
S3 MpNWMon;Microsoft Malware Protection Network Driver;c:\windows\system32\DRIVERS\MpNWMon.sys [2010-10-25 43392]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2008-05-09 43040]
S3 pbfilter;pbfilter;c:\program files\PeerBlock\pbfilter.sys [2010-10-15 20080]


--- Other Services/Drivers In Memory ---

*NewlyCreated* - MPKSL521BAA23
*NewlyCreated* - MPKSLF95B8BFA
*NewlyCreated* - PBFILTER
*Deregistered* - aswFsBlk
*Deregistered* - aswMonFlt
*Deregistered* - aswRdr
*Deregistered* - aswSP
*Deregistered* - aswTdi
*Deregistered* - eeCtrl
*Deregistered* - EraserUtilRebootDrv
*Deregistered* - IDSVix86
*Deregistered* - MpKsl521baa23
*Deregistered* - SymEFA
*Deregistered* - SYMFW
*Deregistered* - SYMNDISV
*Deregistered* - SYMTDI

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
WindowsMobile REG_MULTI_SZ wcescomm rapimgr
LocalServiceRestricted REG_MULTI_SZ WcesComm RapiMgr
.
Contents of the 'Scheduled Tasks' folder

2011-02-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2372118078-2300994879-1303945531-1000Core.job
- c:\users\Richard\AppData\Local\Google\Update\GoogleUpdate.exe [2010-11-18 00:13]

2011-02-18 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2372118078-2300994879-1303945531-1000UA.job
- c:\users\Richard\AppData\Local\Google\Update\GoogleUpdate.exe [2010-11-18 00:13]
.
.
------- Supplementary Scan -------
.
mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*Yahoo! SearchBar Home Page
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:49362
uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*Yahoo!
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: {{FA9B9510-9FCB-4ca0-818C-5D0987B47C4D} - c:\program files\PokerStars.NET\PokerStarsUpdate.exe
FF - ProfilePath - c:\users\Richard\AppData\Roaming\Mozilla\Firefox\Profiles\68oevt4d.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?fr=ffsp1&p=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?fr=ffds1&p=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - Ext: Yahoo! Toolbar: {635abd67-4fe9-1b23-4f01-e679fa7484c1} - %profile%\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
FF - Ext: PitchDark: {c1dffba0-628e-11d9-9669-0800200c9a66} - %profile%\extensions\{c1dffba0-628e-11d9-9669-0800200c9a66}
FF - Ext: Tab Mix Plus: {dc572301-7619-498c-a57d-39143191b318} - %profile%\extensions\{dc572301-7619-498c-a57d-39143191b318}
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - %profile%\extensions\{20a82645-c095-46ed-80e3-08825760534b}
FF - Ext: Exif Viewer: exif_viewer@mozilla.doslash.org - %profile%\extensions\exif_viewer@mozilla.doslash.org
FF - Ext: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension
FF - user.js: yahoo.homepage.dontask - true);user_pref(network.protocol-handler.warn-external.dnupdate, false
.
.
------- File Associations -------
.
.reg=REG_SZ
.
- - - - ORPHANS REMOVED - - - -

MSConfigStartUp-lmeuwqlm - c:\users\Richard\AppData\Local\Temp\lxvybuyye\tvsgkhrsikk.exe
MSConfigStartUp-rfglgbyk - c:\users\Richard\AppData\Local\Temp\ebxdshjdu\qhmarxpsikk.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, GMER - Rootkit Detector and Remover
Rootkit scan 2011-02-18 08:35
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil10l_ActiveX.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2011-02-18 08:38:09
ComboFix-quarantined-files.txt 2011-02-18 13:37
ComboFix2.txt 2010-12-15 20:50
ComboFix3.txt 2010-11-18 01:38
ComboFix4.txt 2010-11-01 02:51

Pre-Run: 70,350,528,512 bytes free
Post-Run: 70,321,307,648 bytes free

- - End Of File - - 7823A0D5501E6A7A9F6505F837BA36BA
 
??? ^ Sarcasm? (can't tell... seriously)


And I did all of this two days ago. Just copied my thread from the car boards and posted up. This was a real mess to clear up.
And for visual aids, this is the type of thing I track down to the folder to investigate or delete:
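For anyone wanting to triage a log like the one above offline instead of eyeballing it, here is an added example (my own code, not from the original post and not part of ComboFix) that scans the log's own line formats for the three leftovers visible in it: startup entries launched from a user's Temp folder (the two ORPHANS REMOVED lines), the Internet Settings proxy pointed at 127.0.0.1:49362, and UAC switched off (EnableLUA = 0). The sample log is constructed from lines in the post; the "Updater" Run value is invented so the Run-key path gets exercised.

```python
import re
from typing import List, Tuple

# Constructed sample in the shape of the ComboFix log above.
# All lines except the "Updater" Run value are copied from the posted log.
SAMPLE_LOG = """\
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"MSC"="c:\\program files\\Microsoft Security Client\\msseces.exe" [2010-11-30 997408]
"Updater"="c:\\users\\Richard\\AppData\\Local\\Temp\\xyz\\abc.exe" [2011-02-17 711168]
[HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\policies\\system]
"EnableLUA"= 0 (0x0)
uInternet Settings,ProxyOverride = <local>
uInternet Settings,ProxyServer = http=127.0.0.1:49362
MSConfigStartUp-lmeuwqlm - c:\\users\\Richard\\AppData\\Local\\Temp\\lxvybuyye\\tvsgkhrsikk.exe
MSConfigStartUp-rfglgbyk - c:\\users\\Richard\\AppData\\Local\\Temp\\ebxdshjdu\\qhmarxpsikk.exe
"""

# Line shapes taken from the ComboFix log sections above.
RUN_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')       # Run-key values
ORPHAN = re.compile(r'^MSConfigStartUp-(?P<name>\S+) - (?P<path>.+)$')  # ORPHANS REMOVED
PROXY = re.compile(r'ProxyServer\s*=\s*(?P<value>\S+)')                 # Internet Settings
LUA_OFF = re.compile(r'^"EnableLUA"\s*=\s*0\b')                        # UAC disabled

TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
LOOPBACK_HOSTS = ("127.0.0.1", "localhost")


def in_temp_dir(path: str) -> bool:
    """True when an autostart image lives under a Temp directory."""
    lowered = path.lower()
    return any(marker in lowered for marker in TEMP_MARKERS)


def proxy_is_loopback(value: str) -> bool:
    """Handle both 'host:port' and 'http=host:port;https=host:port' forms."""
    for part in value.split(";"):
        host = part.split("=", 1)[-1].rsplit(":", 1)[0]
        if host.lower() in LOOPBACK_HOSTS:
            return True
    return False


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (finding, detail) pairs for suspicious lines in a ComboFix-style log."""
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RUN_VALUE.match(line) or ORPHAN.match(line)
        if m and in_temp_dir(m.group("path")):
            findings.append(("startup-from-temp", f'{m.group("name")} -> {m.group("path")}'))
            continue
        m = PROXY.search(line)
        if m and proxy_is_loopback(m.group("value")):
            findings.append(("loopback-proxy", m.group("value")))
            continue
        if LUA_OFF.match(line):
            findings.append(("uac-disabled", line))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:18} {detail}")
```

A loopback ProxyServer entry is worth fixing even after the rogue binary is gone: with the listener removed, Internet Explorer traffic is sent to a port nothing answers on.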
 