Try Kaspersky 8) I did some more testing with a fresh infection which should be a nasty one, "zeus/wsnpoem v2" - google it! It was a sad experience. Dr. Web CureIt found the download and fixed the hosts file, Norman Malware Scanner found the download, Kaspersky Virus Removal Tool found the download, Avast found the download. None noticed it was already installed and running. Hitman found 1 of the infected files but it is recreated at boot. ESET's brilliant online scanner: zero, Trend Micro scanner: zero, Norton's: zero. Could not test MSE since this VirtualBox Windows seems to have problems getting activated... I knew they would use MSE for extended check. So I fired up Malwarebytes - all detected, all removed/repaired. Got infected again; this time SuperAntiSpyware removed all except quite a few registry entries. Last, ComboFix did a 100% job except a few registry entries (I think). Problem is I can do this again with another type of infection and then maybe Norman's tool is the only one to offer any help. The toolbox must be huge. Good idea to always start with Malwarebytes and SuperAntiSpyware.
A2 Squared is pretty good, ugly and slow but with a massive database - I forgot to test that one. Be careful with FPs, expect tons. Malwarebytes is so great when it recognizes stuff, but the price to pay is a smaller view on the world of infections.
Malwarebytes perfect cleanup:
Malwarebytes' Anti-Malware 1.41
Database version: 2905
Windows 5.1.2600 Service Pack 3
10/4/2009 7:40:10 PM
mbam-log-2009-10-04 (19-40-10).txt
Scan type: Quick Scan
Objects scanned: 83001
Time elapsed: 1 minute(s), 12 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 1
Files Infected: 3
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.
Folders Infected:
C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.
Files Infected:
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot.
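
The Hijack.Userinit line in the log above shows the persistence point most of the scanners missed: an extra executable appended to the Winlogon Userinit value. The following check is an added example, not part of the original post or of any scanner mentioned in it; the function names are hypothetical and it assumes the only legitimate entry is userinit.exe in system32.

```python
import ntpath

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def audit_userinit(value, system_root=r"C:\WINDOWS"):
    """Split a Winlogon Userinit value and report entries other than userinit.exe.

    Returns (unexpected_entries, userinit_present). Assumed baseline: the only
    legitimate entry is <system_root>\\system32\\userinit.exe.
    """
    system32 = ntpath.join(system_root, "system32")
    expected = ntpath.normcase(ntpath.join(system32, "userinit.exe"))
    unexpected, userinit_present = [], False
    for raw in value.split(","):
        entry = raw.strip().strip('"')
        if not entry:
            continue  # the stock value ends with a trailing comma
        # Assumption: a bare or relative name is resolved against system32.
        path = entry if ntpath.isabs(entry) else ntpath.join(system32, entry)
        if ntpath.normcase(ntpath.normpath(path)) == expected:
            userinit_present = True
        else:
            unexpected.append(entry)
    return unexpected, userinit_present


def read_live_userinit():
    """Read the value from the local registry (Windows only)."""
    import winreg  # imported here so the audit function runs on any OS
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        return winreg.QueryValueEx(key, "Userinit")[0]


# Values as shown in the scan log above ("Bad" and "Good"), plus the stock form.
SAMPLES = [
    r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,",
    r"C:\WINDOWS\system32\userinit.exe,",
    "Userinit.exe",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        extra, ok = audit_userinit(sample)
        status = "HIJACKED" if extra or not ok else "clean"
        print(f"{status:8} {sample!r} extra={extra}")
```

On a live Windows system, pass the result of `read_live_userinit()` to `audit_userinit()` after each cleanup attempt to confirm the value stayed clean across a reboot.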