Many thanks for that. I had looked in all the usual places, but failed to spot anything that looked odd. Incidentally, system restore wasn't an option - it seems to have been nobbled.
That seems to have done the trick. I have no idea why Combofix wasn't in my toolbox, but it certainly is now!
ComboFix is probably my single most useful tool.
Although the infected files were in a common location for malware, it is easy to overlook them when they are called something familiar like 'msconfig'.
Looks like this virus has returned. Not sure how it got past my AVG 2012. Just about to watch a flash video. This time it really tried to lock up my computer.
Beforehand I was getting (may not be related) izrfa.dll and mswias.dll missing during runDll: mystery files that do not exist.
Disabled system security, sound and internet via Computer Management; got control through a system restore. Did try safe mode; understand that there was a trap there too.
Comp said I had no devices, but they were only switched off. Very clever virus. Like to know how to avoid this one for the future; any precautions?
The latest version of this crap creates a file that restores the virus in the user/local/temp folder if it is deleted or moved. If you manage to boot into an Administrator account in safe mode or have a linux live CD etc then look for two files in the user/local/app data or applications folder called 'skype.dat' and 'skype.ini' and delete them - problem solved.
Just to add, as expected Microsoft Security Essentials couldn't tell it was a virus file, so if you're using it, don't bother.
I found these by running a trial copy of Malwarebytes in quick scan mode, and then I opened skype.dat in Notepad to verify it was indeed a virus loader. The crafty scumbags!
look for two files in the user/local/app data or applications folder called 'skype.dat' and 'skype.ini' and delete them
It makes it more annoying when they use proper names for the infected files. You can always spot randomly named files from a mile away, but it's easier to overlook a file with a 'genuine' name. The location is still a giveaway, though.
And as usual, there'll also be a whole list of genuine names for the infected files to use, so it won't be limited to just skype.*
It makes it more annoying when they use proper names...
To be honest I rarely see them with genuine file names (I am a computer engineer) and as you say they are normally '1.2565657.exe' for example so they are easy to spot.
What I did find was that the dat file was an encrypted zip folder, and the ini was the instruction to extract it to the temp folder; those files all had general names like 'index.html' and 'image_32.png' that you would expect to see in a web page folder.
There was also a 'css' script putting it into full page view with no controls but I am still looking for the system commands used to disable ctrl/alt/del etc.
The oddest thing so far is that I can find no trace of it in the registry...yet!
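An added triage helper, not posted by anyone in the thread, that automates the check described above: it looks for the 'skype.dat' / 'skype.ini' pair in a folder and reads the first ZIP local-file header of the .dat to confirm the poster's observation that it is an encrypted zip. The folder path, the constructed sample files and the ini contents are assumptions for the demonstration; point it at a real profile folder to use it.

```python
"""Added triage helper (not from the thread): finds the skype.dat / skype.ini
pair and checks whether the .dat is a ZIP with the encryption flag set."""
import os
import struct
import tempfile

ZIP_LOCAL_SIG = b"PK\x03\x04"   # ZIP local-file header signature
ENCRYPTED_FLAG = 0x0001         # general-purpose bit 0: traditional PKWARE encryption


def zip_header_info(path):
    """Return (is_zip, is_encrypted) from the file's first local-file header."""
    with open(path, "rb") as fh:
        head = fh.read(30)      # fixed part of the local-file header is 30 bytes
    if len(head) < 30 or not head.startswith(ZIP_LOCAL_SIG):
        return False, False
    flags = struct.unpack_from("<H", head, 6)[0]   # flags sit after sig + version
    return True, bool(flags & ENCRYPTED_FLAG)


def triage_dropper_pair(folder, stem="skype"):
    """Report whether <stem>.dat and <stem>.ini are present and what the .dat looks like."""
    dat = os.path.join(folder, stem + ".dat")
    ini = os.path.join(folder, stem + ".ini")
    report = {"dat_present": os.path.isfile(dat), "ini_present": os.path.isfile(ini),
              "dat_is_zip": False, "dat_zip_encrypted": False}
    if report["dat_present"]:
        report["dat_is_zip"], report["dat_zip_encrypted"] = zip_header_info(dat)
    # The pair plus a zip-formatted .dat matches the pattern the thread describes.
    report["suspicious"] = report["dat_present"] and report["ini_present"] and report["dat_is_zip"]
    return report


def make_sample_dir():
    """Constructed sample (assumption, not real malware): a temp folder holding a
    skype.dat with an encrypted-flag ZIP header and a placeholder skype.ini."""
    d = tempfile.mkdtemp(prefix="triage_demo_")
    header = ZIP_LOCAL_SIG + struct.pack("<HHHHHIIIHH", 20, ENCRYPTED_FLAG,
                                         0, 0, 0, 0, 0, 0, 10, 0)
    with open(os.path.join(d, "skype.dat"), "wb") as fh:
        fh.write(header + b"index.html")   # entry name like the ones the poster saw
    with open(os.path.join(d, "skype.ini"), "w") as fh:
        fh.write("[extract]\ntarget=%TEMP%\n")   # placeholder, not the real ini
    return d


if __name__ == "__main__":
    print(triage_dropper_pair(make_sample_dir()))
```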
http://forums.digitalspy.co.uk/showthread.php?t=1774732&page=4