
Solved Please Help Clean PC that is Infected with Trojan3.ANF

Discussion in 'Malware and Virus Removal Archive' started by Mr. Chip, 2009/04/25.

  1. 2009/04/25
    Mr. Chip Lifetime Subscription

    Mr. Chip Well-Known Member Thread Starter

    Joined:
    2005/06/30
    Messages:
    427
    Likes Received:
    0
    [Resolved] Please Help Clean PC that is Infected with Trojan3.ANF

    Hello,

    This morning I booted up my PC (Windows XP SP3) and started Outlook. I use F-Prot for AV and SpyBot. I also have a hardware firewall. Halfway through loading, Outlook froze and a pop-up message from F-Prot said:

    "F-prot Antivirus has stopped the following viruses and taken appropriate action:

    Found Trojan: W32/Trojan3.ANF (exact)
    - C:\WINDOWS\system32\DRIVERS\
    - Filename = asyncmac.sys
    - Status = deleted

    Found Trojan: W32/Trojan3.ANF (exact)
    - C:\WINDOWS\system32\dllcache\
    - Filename = asyncmac.sys
    - Status = deleted "

    After I closed this message a Windows alert said that some files are missing and I need to reinstall them from my XP SP3 CD. I put the CD in and could not figure out what to do. So instead I restored the system to a state that is 2 days old. I rebooted, everything went well. Now I am in the process of running a deep scan of my entire computer. This may take an hour or two to run. I am looking for advice on what else I should do to be sure I am clean.

    First, does anyone know what this Trojan is? Is it related to the Conficker worm?

    Second, what steps should I take to be 100% sure my PC is clean? The PC is part of a domain and is connected to an SBS 2003 server that is acting like a file server. Do I need to do something with my file server?

    I have used TrendMicro Housecall in the past - it seems to take many hours to run. Should I do some form of online scan and if so, am I better off with Housecall, Kaspersky WebScanner, or something else?

    Let me know if you need any more info. Thanks so much for your help!

    Chip
     
  2. 2009/04/25
    Admin.

    Admin. Administrator Administrator Staff

    Joined:
    2001/12/30
    Messages:
    6,687
    Likes Received:
    107
    Hi,

    Read this post as indicated at the top of this forum & follow the instructions.
     

  4. 2009/04/25
    Mr. Chip Lifetime Subscription

    Mr. Chip Well-Known Member Thread Starter

    Hi Arie,

    So sorry for not following the rules! In my rush to post my question I did not follow the instructions. I will do so now.
     
  5. 2009/04/25
    Mr. Chip Lifetime Subscription

    Mr. Chip Well-Known Member Thread Starter

    OK, I ran DDS. Below are the contents of DDS.txt.


    DDS (Ver_09-03-16.01) - NTFSx86
    Run by chip at 12:54:18.85 on Sat 04/25/2009
    Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3582.2711 [GMT -7:00]

    AV: F-PROT Antivirus for Windows *On-access scanning enabled* (Updated)

    ============== Running Processes ===============

    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Executive Software\Diskeeper\DkService.exe
    C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FPAVServer.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Anonymizer\Anonymizer Software\Common\AnonMgmtSvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Adobe\Acrobat 9.0\Acrobat\Acrotray.exe
    C:\Program Files\FRISK Software\F-PROT Antivirus for Windows\FProtTray.exe
    C:\PROGRA~1\VIRTUA~1\CitiVAN.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Anonymizer\Anonymizer Software\Anonymizer.exe
    C:\Program Files\TechSmith\SnagIt 9\SnagIt32.exe
    C:\WINDOWS\system32\OBroker.exe
    C:\Program Files\TechSmith\SnagIt 9\TSCHelp.exe
    C:\Program Files\TechSmith\SnagIt 9\SnagPriv.exe
    C:\Program Files\TechSmith\SnagIt 9\snagiteditor.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\clevinson\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.google.com/
    uDefault_Page_URL = hxxp://companyweb
    mDefault_Page_URL = hxxp://companyweb
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: CitiUSBrowserHelper Class: {387edf53-1cf2-4523-bc2f-13462651be8c} - c:\program files\virtual account numbers\BhoCitUS.dll
    BHO: WsftpBrowserHelper Class: {601ed020-fb6c-11d3-87d8-0050da59922b} - c:\program files\ws_ftp pro\wsbho2k0.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
    BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
    BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: SmartSelect Class: {f4971ee7-daa0-4053-9964-665d8ee6a077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
    TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
    uRun: [Anonymizer] c:\program files\anonymizer\anonymizer software\Anonymizer.exe -nogui
    mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe "
    mRun: [IDTSysTrayApp] sttray.exe
    mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 9.0\acrobat\Acrobat_sl.exe "
    mRun: [<NO NAME>]
    mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 9.0\acrobat\Acrotray.exe "
    mRun: [F-PROT Antivirus Tray application] c:\program files\frisk software\f-prot antivirus for windows\FProtTray.exe
    mRun: [DiskeeperSystray] "c:\program files\executive software\diskeeper\DkIcon.exe "
    mRun: [Citi Virtual Account Numbers] c:\progra~1\virtua~1\CitiVAN.exe /lang=en_RG /dontopenmycards
    mRun: [SigmatelSysTrayApp] stsystra.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
    mRun: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
    mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe "
    mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe "
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\snagit~1.lnk - c:\program files\techsmith\snagit 9\SnagIt32.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\startw~1.lnk - c:\program files\mozilla firefox\plugins\mywebex\419\mwmpad.exe
    mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
    IE: Append Link Target to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    IE: Append to Existing PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIEAppend.html
    IE: Convert Link Target to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    IE: Convert to Adobe PDF - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll/AcroIECapture.html
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
    IE: {DE700910-58F7-4D2E-B7E6-3BA2DA1B6806} - c:\progra~1\virtua~1\CitiVAN.exe
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
    IE: {F5AD6CC5-776C-4DBB-B38F-F5404A3582F3} - {F5AD6CC5-776C-4DBB-B38F-F5404A3582F3} - c:\program files\mozilla firefox\plugins\mywebex\419\mwmie.dll
    DPF: {00000032-9593-4264-8B29-930B3E4EDCCD} - hxxps://www.rooms.hp.com/vRoom_Cab/WebHPVCInstall32.cab
    DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxp://support.dell.com/systemprofiler/SysPro.CAB
    DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://download.microsoft.com/download/e/4/9/e494c802-dd90-4c6b-a074-469358f075a6/OGAControl.cab
    DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    DPF: {485D813E-EE26-4DF8-9FAF-DEDF2885306E} - hxxp://theoracle2/connectcomputer/nshelp.dll
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1228099459805
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
    DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://spssevents.webex.com/client/T26L/event/ieatgpc.cab
    DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://meeting.juniper.net/dana-cached/setup/JuniperSetupSP1.cab
    TCP: {384397BF-7F03-4A0C-8A9E-AA57194AC88E} = 192.168.1.33,192.168.2.34
    Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
    Handler: g7ps - {9EACF0FB-4FC7-436E-989B-3197142AD979} - c:\program files\common files\g7ps\shared files\g7psdll\G7PS.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    AppInit_DLLs: acaptuser32.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\clevin~1\applic~1\mozilla\firefox\profiles\4xr9euph.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - plugin: c:\program files\mozilla firefox\plugins\npatgpc.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdjvu.dll

    ============= SERVICES / DRIVERS ===============

    R0 FPAV_RTP;FPAV_RTP;c:\windows\system32\drivers\FStopW.sys [2008-11-13 592224]
    R2 AnonMgmtSvc;Anonymizer Management Service;c:\program files\anonymizer\anonymizer software\common\AnonMgmtSvc.exe [2008-11-17 37560]
    R2 FPAVServer;F-PROT Antivirus for Windows system;c:\program files\frisk software\f-prot antivirus for windows\FPAVServer.exe [2008-4-21 45960]

    =============== Created Last 30 ================

    2009-04-21 12:00 3,321,856 a------- C:\Copy of Final_AVID04_list0309.mdb
    2009-04-21 12:00 3,477,504 a------- C:\Final_AVID04_list0309.mdb
    2009-04-15 00:17 2,560 -------- c:\windows\system32\xpsp4res.dll
    2009-04-13 10:10 <DIR> --d----- c:\docume~1\clevin~1\applic~1\Anonymizer
    2009-04-13 10:10 <DIR> --d----- c:\program files\Anonymizer
    2009-04-13 10:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Anonymizer
    2009-04-13 10:10 <DIR> --d-h--- c:\docume~1\alluse~1\applic~1\{773E7240-B347-4DFF-A6EF-6E829EDD59DF}
    2009-03-31 23:52 <DIR> --d----- c:\documents and settings\clevinson\.housecall6.6
    2009-03-26 19:08 <DIR> --d----- C:\DCIM

    ==================== Find3M ====================

    2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
    2009-03-06 07:22 284,160 a------- c:\windows\system32\pdh.dll
    2009-03-02 17:18 826,368 a------- c:\windows\system32\wininet.dll
    2009-02-27 12:55 111,992 a------- c:\windows\system32\acaptuser32.dll
    2009-02-20 11:09 78,336 a------- c:\windows\system32\ieencode.dll
    2009-02-09 05:10 729,088 a------- c:\windows\system32\lsasrv.dll
    2009-02-09 05:10 714,752 a------- c:\windows\system32\ntdll.dll
    2009-02-09 05:10 617,472 a------- c:\windows\system32\advapi32.dll
    2009-02-09 05:10 401,408 a------- c:\windows\system32\rpcss.dll
    2009-02-09 04:13 1,846,784 a------- c:\windows\system32\win32k.sys
    2009-02-06 04:11 110,592 a------- c:\windows\system32\services.exe
    2009-02-06 04:06 2,145,280 a------- c:\windows\system32\ntoskrnl.exe
    2009-02-06 03:39 35,328 a------- c:\windows\system32\sc.exe
    2009-02-06 03:32 2,023,936 a------- c:\windows\system32\ntkrnlpa.exe
    2009-02-03 12:59 56,832 a------- c:\windows\system32\secur32.dll

    ============= FINISH: 12:54:43.98 ===============
     
  6. 2009/04/25
    Mr. Chip Lifetime Subscription

    Mr. Chip Well-Known Member Thread Starter

    Here are the contents of Attach.txt:


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-03-16.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 11/12/2008 7:05:15 PM
    System Uptime: 4/25/2009 12:01:13 PM (0 hours ago)

    Motherboard: Dell Inc. | | 0HJ054
    Processor: Intel(R) Pentium(R) 4 CPU 3.40GHz | Microprocessor | 3391/800mhz

    ==== Disk Partitions =========================

    C: is FIXED (NTFS) - 233 GiB total, 187.421 GiB free.
    D: is FIXED (NTFS) - 233 GiB total, 232.352 GiB free.
    E: is CDROM ()
    F: is CDROM ()
    G: is NetworkDisk (NTFS) - 35 GiB total, 16.387 GiB free.
    M: is NetworkDisk (NTFS) - 518 GiB total, 285.82 GiB free.
    O: is NetworkDisk (NTFS) - 70 GiB total, 26.898 GiB free.

    ==== Disabled Device Manager Items =============

    Class GUID: TI Technologies Inc.
    Description: RADEON X600 256MB HyperMemory Secondary
    Device ID: PCI\VEN_1002&DEV_5B72&SUBSYS_06031002&REV_00\4&1603E009&0&0108
    Manufacturer: ATI Technologies Inc.
    Name: RADEON X600 256MB HyperMemory Secondary
    PNP Device ID: PCI\VEN_1002&DEV_5B72&SUBSYS_06031002&REV_00\4&1603E009&0&0108
    Service: ati2mtag

    Class GUID: {36FC9E60-C465-11CF-8056-444553540000}
    Description: USB Mass Storage Device
    Device ID: USB\VID_0644&PID_0200\00000208CE78
    Manufacturer: Compatible USB storage device
    Name: USB Mass Storage Device
    PNP Device ID: USB\VID_0644&PID_0200\00000208CE78
    Service: USBSTOR

    Class GUID: {36FC9E60-C465-11CF-8056-444553540000}
    Description: USB Mass Storage Device
    Device ID: USB\VID_054C&PID_01BD\000000115C11
    Manufacturer: Compatible USB storage device
    Name: USB Mass Storage Device
    PNP Device ID: USB\VID_054C&PID_01BD\000000115C11
    Service: USBSTOR

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: Multimedia Controller
    Device ID: PCI\VEN_1002&DEV_4D52&SUBSYS_A3461002&REV_00\4&5855BE9&0&10F0
    Manufacturer:
    Name: Multimedia Controller
    PNP Device ID: PCI\VEN_1002&DEV_4D52&SUBSYS_A3461002&REV_00\4&5855BE9&0&10F0
    Service:

    ==== System Restore Points ===================

    RP100: 1/25/2009 8:18:56 PM - System Checkpoint
    RP101: 1/26/2009 10:31:09 PM - System Checkpoint
    RP102: 1/28/2009 11:43:38 AM - System Checkpoint
    RP103: 1/29/2009 12:47:44 PM - Installed HP BladeSystem Power Sizing Tool.
    RP104: 1/30/2009 8:15:17 PM - System Checkpoint
    RP105: 2/1/2009 10:28:06 AM - System Checkpoint
    RP106: 2/2/2009 6:33:54 PM - System Checkpoint
    RP107: 2/3/2009 7:30:04 PM - System Checkpoint
    RP108: 2/4/2009 7:43:23 PM - System Checkpoint
    RP109: 2/5/2009 9:15:53 PM - System Checkpoint
    RP110: 2/7/2009 8:41:09 AM - System Checkpoint
    RP111: 2/7/2009 1:23:27 PM - Installed Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
    RP112: 2/8/2009 1:32:09 PM - System Checkpoint
    RP113: 2/9/2009 3:37:37 PM - System Checkpoint
    RP114: 2/10/2009 5:28:42 PM - Software Distribution Service 3.0
    RP115: 2/10/2009 5:54:10 PM - Printer Driver Microsoft XPS Document Writer Installed
    RP116: 2/10/2009 6:20:17 PM - Software Distribution Service 3.0
    RP117: 2/11/2009 6:36:47 PM - System Checkpoint
    RP118: 2/12/2009 8:20:31 PM - System Checkpoint
    RP119: 2/13/2009 9:10:50 PM - System Checkpoint
    RP120: 2/14/2009 10:04:12 PM - System Checkpoint
    RP121: 2/16/2009 8:25:31 AM - Before MFT changes
    RP122: 2/16/2009 9:57:59 AM - Installed QuickTime
    RP123: 2/17/2009 1:53:29 PM - System Checkpoint
    RP124: 2/18/2009 1:57:47 PM - System Checkpoint
    RP125: 2/19/2009 7:03:40 PM - System Checkpoint
    RP126: 2/20/2009 11:21:27 PM - System Checkpoint
    RP127: 2/21/2009 11:39:09 PM - System Checkpoint
    RP128: 2/23/2009 8:08:36 AM - System Checkpoint
    RP129: 2/24/2009 8:38:18 AM - System Checkpoint
    RP130: 2/24/2009 11:47:47 PM - Software Distribution Service 3.0
    RP131: 2/26/2009 7:00:23 PM - System Checkpoint
    RP132: 2/27/2009 7:18:14 PM - System Checkpoint
    RP133: 2/28/2009 8:06:15 PM - System Checkpoint
    RP134: 3/1/2009 9:10:37 AM - Installed Lizardtech DjVu Control
    RP135: 3/2/2009 4:33:25 PM - System Checkpoint
    RP136: 3/3/2009 4:46:31 PM - System Checkpoint
    RP137: 3/4/2009 5:39:17 PM - System Checkpoint
    RP138: 3/5/2009 6:02:30 PM - System Checkpoint
    RP139: 3/6/2009 9:21:09 PM - System Checkpoint
    RP140: 3/7/2009 10:01:55 PM - System Checkpoint
    RP141: 3/8/2009 10:30:40 PM - System Checkpoint
    RP142: 3/9/2009 11:17:05 PM - System Checkpoint
    RP143: 3/10/2009 11:08:46 PM - Software Distribution Service 3.0
    RP144: 3/11/2009 8:10:00 AM - Removed Java(TM) 6 Update 11
    RP145: 3/11/2009 8:10:31 AM - Installed Java(TM) 6 Update 12
    RP146: 3/12/2009 9:21:10 AM - System Checkpoint
    RP147: 3/13/2009 10:25:04 AM - System Checkpoint
    RP148: 3/14/2009 2:37:08 PM - System Checkpoint
    RP149: 3/15/2009 3:41:11 PM - System Checkpoint
    RP150: 3/16/2009 12:10:26 AM - Shockwave Player
    RP151: 3/17/2009 8:21:09 AM - System Checkpoint
    RP152: 3/18/2009 8:32:59 AM - System Checkpoint
    RP153: 3/19/2009 8:49:22 AM - System Checkpoint
    RP154: 3/20/2009 1:23:34 PM - System Checkpoint
    RP155: 3/20/2009 7:15:11 PM - Installed Pro Studio Manager ver.3.5
    RP156: 3/21/2009 8:20:22 PM - System Checkpoint
    RP157: 3/22/2009 9:27:53 PM - System Checkpoint
    RP158: 3/23/2009 9:44:06 PM - System Checkpoint
    RP159: 3/24/2009 9:29:50 PM - Software Distribution Service 3.0
    RP160: 3/24/2009 11:33:55 PM - Software Distribution Service 3.0
    RP161: 3/25/2009 1:19:08 AM - Software Distribution Service 3.0
    RP162: 3/26/2009 8:01:50 AM - System Checkpoint
    RP163: 3/27/2009 8:44:32 AM - System Checkpoint
    RP164: 3/28/2009 10:11:22 AM - System Checkpoint
    RP165: 3/29/2009 5:33:56 PM - System Checkpoint
    RP166: 3/30/2009 5:42:28 PM - System Checkpoint
    RP167: 3/31/2009 9:25:13 PM - System Checkpoint
    RP168: 4/1/2009 7:50:17 PM - Installed Java(TM) 6 Update 13
    RP169: 4/3/2009 8:06:43 AM - System Checkpoint
    RP170: 4/4/2009 10:33:36 AM - System Checkpoint
    RP171: 4/5/2009 1:32:06 PM - System Checkpoint
    RP172: 4/6/2009 5:17:04 PM - System Checkpoint
    RP173: 4/7/2009 5:30:29 PM - System Checkpoint
    RP174: 4/11/2009 11:31:47 AM - System Checkpoint
    RP175: 4/12/2009 11:37:16 AM - System Checkpoint
    RP176: 4/13/2009 10:08:09 AM - Before anonymyzer installation
    RP177: 4/14/2009 10:48:37 AM - System Checkpoint
    RP178: 4/15/2009 12:46:10 AM - Software Distribution Service 3.0
    RP179: 4/15/2009 10:15:28 AM - Software Distribution Service 3.0
    RP180: 4/16/2009 2:41:36 PM - System Checkpoint
    RP181: 4/17/2009 3:12:44 PM - System Checkpoint
    RP182: 4/18/2009 7:07:00 PM - System Checkpoint
    RP183: 4/19/2009 7:14:17 PM - System Checkpoint
    RP184: 4/20/2009 7:46:47 PM - System Checkpoint
    RP185: 4/21/2009 9:25:48 PM - System Checkpoint
    RP186: 4/22/2009 9:27:10 PM - System Checkpoint
    RP187: 4/23/2009 10:36:45 PM - System Checkpoint
    RP188: 4/25/2009 11:59:56 AM - Restore Operation

    ==== Installed Programs ======================

    2007 Microsoft Office Suite Service Pack 1 (SP1)
    Acrobat.com
    Adobe Acrobat 9 Pro Extended - English, Français, Deutsch
    Adobe AIR
    Adobe Anchor Service CS3
    Adobe Asset Services CS3
    Adobe Bridge CS3
    Adobe Bridge Start Meeting
    Adobe Camera Raw 4.0
    Adobe CMaps
    Adobe Color - Photoshop Specific
    Adobe Color Common Settings
    Adobe Color EU Extra Settings
    Adobe Color JA Extra Settings
    Adobe Color NA Recommended Settings
    Adobe Default Language CS3
    Adobe Device Central CS3
    Adobe ExtendScript Toolkit 2
    Adobe Flash Player 10 Plugin
    Adobe Flash Player ActiveX
    Adobe Fonts All
    Adobe Help Viewer CS3
    Adobe Linguistics CS3
    Adobe PDF Library Files
    Adobe Photoshop CS3
    Adobe Presenter 7
    Adobe Reader 9.1
    Adobe Setup
    Adobe Shockwave Player
    Adobe Stock Photos CS3
    Adobe Type Support
    Adobe Update Manager CS3
    Adobe Version Cue CS3 Client
    Adobe WinSoft Linguistics Plugin
    Adobe XMP Panels CS3
    Anonymizer Software
    Apple Software Update
    ATI - Software Uninstall Utility
    ATI Control Panel
    ATI Display Driver
    Belarc Advisor 7.2
    Broadcom 440x 10/100 Integrated Controller
    CamStudio
    Critical Update for Windows Media Player 11 (KB959772)
    Dell Resource CD
    Diskeeper Server Standard Edition
    EditPlus 2
    F-PROT Antivirus for Windows
    FOX News Live
    Google Toolbar for Internet Explorer
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB915800-v4)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    HP BladeSystem Power Sizing Tool
    HP Sizing Tool Update Components
    Intel(R) PRO Network Connections Drivers
    Ipswitch WS_FTP Pro
    Java(TM) 6 Update 13
    Juniper Networks Secure Meeting 6.2.0
    jv16 PowerTools 2005
    Lizardtech DjVu Control
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Base Smart Card Cryptographic Service Provider Package
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Professional 2007
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Save as PDF or XPS Add-in for 2007 Microsoft Office programs
    Microsoft Silverlight
    Microsoft Software Update for Web Folders (English) 12
    Microsoft Sync Framework Runtime v1.0 (x86)
    Microsoft Sync Framework Services v1.0 (x86)
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Mozilla Firefox (3.0.8)
    MSXML 4.0 SP2 (KB954430)
    PDF Settings
    Photo Mechanic 4.6
    PokerStars
    Pro Studio Manager ver.3.5
    QIF2
    QuickBooks Pro Edition 2004
    QuickTime
    RideMax for Disneyland 5.1
    Security Update for 2007 Microsoft Office System (KB951550)
    Security Update for 2007 Microsoft Office System (KB951944)
    Security Update for 2007 Microsoft Office System (KB960003)
    Security Update for Microsoft Office Excel 2007 (KB959997)
    Security Update for Microsoft Office PowerPoint 2007 (KB951338)
    Security Update for Microsoft Office Publisher 2007 (KB950114)
    Security Update for Microsoft Office system 2007 (KB954326)
    Security Update for Microsoft Office system 2007 (KB956828)
    Security Update for Microsoft Office Word 2007 (KB956358)
    Security Update for Windows Internet Explorer 7 (KB938127-v2)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956390)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB961373)
    Shadow Copy Client
    ShredXP
    SigmaTel Audio
    Skype™ 4.0
    SnagIt 9
    Spelling Dictionaries Support For Adobe Reader 9
    SPSS 16.0 for Windows
    Spybot - Search & Destroy
    SyncToy 2.0 (x86)
    Update for Microsoft Office 2007 Help for Common Features (KB957244)
    Update for Microsoft Office Access 2007 Help (KB957241)
    Update for Microsoft Office Excel 2007 Help (KB957242)
    Update for Microsoft Office Outlook 2007 (KB952142)
    Update for Microsoft Office Outlook 2007 Help (KB957246)
    Update for Microsoft Office PowerPoint 2007 Help (KB957247)
    Update for Microsoft Office Publisher 2007 Help (KB957249)
    Update for Microsoft Office Word 2007 Help (KB957252)
    Update for Microsoft Script Editor Help (KB957253)
    Update for Office 2007 (KB946691)
    Update for Outlook 2007 Junk Email Filter (kb962871)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB943729)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    VersaCheck 2004 Silver Express
    Virtual Account Numbers
    WebEx
    WebEx MeetMeNow
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows PowerShell(TM) 1.0
    Windows Search 4.0
    WinZip

    ==== Event Viewer Messages From Past Week ========

    4/25/2009 12:01:53 PM, error: Service Control Manager [7024] - The Windows Search service terminated with service-specific error 2147749155 (0x80040D23).
    4/25/2009 11:56:03 AM, information: Windows File Protection [64004] - The protected system file asyncmac.sys could not be restored to its original, valid version. The file version of the bad file is unknown The specific error code is 0x00000005 [Access is denied. ].

    ==== End Of File ===========================
     
  7. 2009/04/25
    Mr. Chip Lifetime Subscription

    Mr. Chip Well-Known Member Thread Starter

    Finally, before I followed Arie's instructions to use DDS, I started a deep scan with F-prot. It found the trojan again even though I restored to Wednesday's configuration. It deleted that file automatically. Hope this doesn't mess things up.

    Thanks so much!
     
