Need help with Win32.Zafi.B infection

I followed the process you described. Combofix ran and went to reboot. The same thing happened as before. I get the boot screen and then goes black with a message at the top "ssing operating system", which I assume says missing operating system. I turn off the computer and back on agin twice with the same result. Uggh..

So it won't boot back to windows this time?

That is correct.

Okay, reboot your machine and after the beep, starting tapping F12, this will bring up an advanced menu list, are you able to do a last known good configuration?

F12 did not prompt any action. I don't recall hearing a beep either. But, F8 did work to open a boot menu. Hope that was ok to do. I selected the "last known good configuration and that worked to load windows. Combofix returned to prepare a log report. Here is the resulting log.

ComboFix 09-01-07.01 - HP_Administrator 2009-01-07 15:33:51.2 - NTFSx86

Running from: c:\documents and settings\HP_Administrator\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\HP_Administrator\Desktop\CFscript.txt
* Created a new restore point

FILE ::
C:\sqmdata00.sqm
C:\sqmnoopt00.sqm
.
ADS - WINDOWS: deleted 0 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\found.000
c:\found.000\dir0000.chk\Setup.ilg
c:\found.000\dir0000.chk\setup.inx
C:\sqmdata00.sqm
C:\sqmnoopt00.sqm

.
((((((((((((((((((((((((( Files Created from 2008-12-07 to 2009-01-07 )))))))))))))))))))))))))))))))
.

2009-01-07 15:33 . 2009-01-07 15:33 d-------- c:\windows\LastGood
2009-01-07 15:33 . 2004-08-09 23:00 15,360 --a------ c:\windows\system32\OLDC.tmp
2009-01-07 15:33 . 2004-08-09 23:00 15,360 --a------ c:\windows\system32\ctfmon.exe
2008-12-12 20:29 . 2008-12-12 20:29 d-------- c:\documents and settings\HP_Administrator\.NeoProPics

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-07 21:33 --------- d-----w c:\program files\QuickTime
2009-01-07 21:33 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-07 20:33 --------- d-----w c:\program files\Visioneer OneTouch
2009-01-07 20:33 --------- d-----w c:\program files\SymNetDrv
2009-01-07 20:33 --------- d-----w c:\program files\Norton SystemWorks
2009-01-07 20:33 --------- d-----w c:\program files\iTunes
2009-01-07 06:33 --------- d-----w c:\program files\SUPERAntiSpyware
2009-01-07 00:06 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-01-07 00:06 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-07 00:06 10,635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-07 00:06 --------- d-----w c:\program files\Symantec
2009-01-06 23:17 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Microsoft Web Folders
2009-01-06 23:17 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\InstallShield
2009-01-06 23:17 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\IcoFX
2009-01-06 23:17 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Corel
2009-01-06 23:17 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\ArcSoft
2009-01-05 20:43 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-05 20:43 --------- d-----w c:\program files\Star Defender 4
2009-01-05 17:26 --------- d-----w c:\program files\MemadorPro
2009-01-04 07:46 --------- d-----w c:\program files\EPSON Print CD
2008-12-29 06:22 --------- d-----w c:\program files\Norton SystemWorks Basic Edition
2008-12-28 02:08 --------- d-----w c:\program files\OrderPicture
2008-12-19 20:36 --------- d-----w c:\documents and settings\HP_Administrator\Application Data\Photodex
2008-12-15 18:04 60,744 ----a-w c:\documents and settings\HP_Administrator\g2mdlhlpx.exe
2008-11-28 22:36 --------- d-----w c:\documents and settings\All Users\Application Data\FLEXnet
2008-11-27 19:41 --------- d-----w c:\program files\iPod
2008-11-27 19:41 --------- d-----w c:\program files\Common Files\Apple
2008-11-27 19:41 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2008-11-07 19:23 32,000 ----a-w c:\windows\system32\drivers\usbaapl.sys
2008-10-09 12:21 173,568 ----a-w c:\program files\KB41683.exe
2007-05-08 00:06 27,378 ----a-w c:\program files\Adobe Bridge Cache.bc
2006-06-04 12:43 58 ----a-w c:\program files\Adobe Bridge Cache.bct
2005-12-23 01:32 251 ----a-w c:\program files\wt3d.ini
2005-07-08 05:55 312 ---ha-w c:\documents and settings\HP_Administrator\Application Data\wklnhst.dat
2005-07-21 19:53 22 --sha-w c:\windows\SMINST\HPCD.sys
2008-09-08 04:05 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008090820080909\index.dat
.

------- Sigcheck -------

2004-08-09 23:00 15360 24232996a38c0b0cf151c2140ae29fc8 c:\windows\$NtServicePackUninstall$\ctfmon.exe
2008-04-13 19:12 15360 5f1d5f88303d4a4dbc8e5f97ba967cc3 c:\windows\ServicePackFiles\i386\ctfmon.exe
2004-08-09 23:00 15360 24232996a38c0b0cf151c2140ae29fc8 c:\windows\system32\ctfmon.exe
2008-04-13 19:12 15360 5f1d5f88303d4a4dbc8e5f97ba967cc3 c:\windows\system32\dllcache\ctfmon.exe
.
((((((((((((((((((((((((((((( snapshot@2009-01-07_14.16.21.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-04-14 13:43:46 233,472 ----a-w c:\windows\SMINST\RECGUARD.EXE
+ 1998-05-07 09:04:38 52,736 ----a-w c:\windows\system\hpsysdrv.exe
+ 2004-12-01 10:55:30 126,976 ----a-w c:\windows\system32\hkcmd.exe
+ 2004-06-07 11:42:30 659,456 ----a-w c:\windows\system32\hphmon06.exe
+ 2004-10-25 14:17:56 90,112 ----a-w c:\windows\system32\ps2.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PPWebCap"="c:\progra~1\ScanSoft\PAPERP~1\PPWebCap.exe" [2001-08-10 40960]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-09 15360]
"EasyLinkAdvisor"="c:\program files\Linksys EasyLink Advisor\LinksysAgent.exe" [2007-03-15 454784]
"EPSON Stylus Photo R280 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_FATICKA.EXE" [2007-04-13 182272]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2009-01-07 1830128]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]
"OneTouch Monitor"="c:\progra~1\VISION~1\ONETOU~2.EXE" [2001-10-30 86016]
"Acrobat Assistant 8.0"="c:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-10-14 623992]
"NSWosCheck"="c:\program files\Norton SystemWorks Basic Edition\osCheck.exe" [2007-09-18 25472]
"osCheck"="c:\program files\Norton AntiVirus\osCheck.exe" [2008-02-07 718704]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-09-03 111936]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 58984]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2007-09-07 267064]
"High Definition Audio Property Page Shortcut"="HDAudPropShortcut.exe" [2004-03-17 c:\windows\system32\Hdaudpropshortcut.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 c:\windows\AGRSMMSG.exe]
"SoundMan"="SOUNDMAN.EXE" [2005-09-21 c:\windows\SOUNDMAN.EXE]
"AlcWzrd"="ALCWZRD.EXE" [2005-09-21 c:\windows\ALCWZRD.EXE]

c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-07-04 113664]
wkcalrem.LNK - c:\program files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2004-06-23 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 258048]
Logo Calibration Loader.lnk - c:\program files\GretagMacbeth\i1\Eye-One Match 3\CalibrationLoader\CalibrationLoader.exe [2005-02-02 536576]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]
Spyder3Utility.lnk - c:\program files\Datacolor\Spyder3Elite\Utility\Spyder3Utility.exe [2007-11-06 6306019]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-10-28 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2009-01-07 01:33 356352 c:\program files\SUPERAntiSpyware\SASWINLO.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.ACDV"= ACDV.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ProfileReminder.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ProfileReminder.lnk
backup=c:\windows\pss\ProfileReminder.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Updates from HP.lnk
backup=c:\windows\pss\Updates from HP.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^HP_Administrator^Start Menu^Programs^Startup^Check for OneTouch Updates.lnk]
path=c:\documents and settings\HP_Administrator\Start Menu\Programs\Startup\Check for OneTouch Updates.lnk
backup=c:\windows\pss\Check for OneTouch Updates.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2007-01-09 17:32 58984 c:\program files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\ScanSoft\\PaperPort\\Config\\Ereg\\ITP32.EXE"=
"c:\\Documents and Settings\\HP_Administrator\\Desktop\\NeoFtp-dalekincaid.exe"=
"c:\\Program Files\\OrderPicture\\orderpicture.exe"=
"c:\\Program Files\\OrderPicture\\ImageManager.exe"=
"c:\\Program Files\\OrderPicture\\ProcessandUpload.exe"=
"c:\\WINDOWS\\system32\\fxsclnt.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Collages.net Inc\\Collages.net Desktop\\CollagesSysTray.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2006-10-10 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2007-02-27 55024]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-01-06 99376]
R3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2006-02-16 4096]
R4 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2008-01-25 149352]
R4 NProtectService;Norton UnErase Protection;c:\progra~1\NORTON~1\NORTON~1\NPROTECT.EXE [2005-11-03 95832]
R4 P1C1394;Phase One 1394 Camera Driver;c:\windows\system32\drivers\p1c1394.sys [2008-06-16 23552]
S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-01-12 23888]
S3 eyeonedp;eye-one display;c:\windows\system32\drivers\EyeOneDp.sys [2003-02-17 44344]
S3 Spyder3;Datacolor Spyder3;c:\windows\system32\drivers\Spyder3.sys [2007-11-06 12288]
S4 Collages Service;Collages Service;c:\program files\Collages.net Inc\Collages.net Desktop\CollagesService.exe [2008-07-01 45056]
.
Contents of the 'Scheduled Tasks' folder

2009-01-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

2009-01-07 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - HP_Administrator.job
- c:\program files\Norton AntiVirus\Navw32.exe [2008-02-07 09:05]

2009-01-05 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job
- c:\program files\Norton SystemWorks Basic Edition\OBC.exe [2007-09-18 07:22]

2009-01-07 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDetect.exe []
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-BMUpdate - c:\windows\system32\BMUpdate.exe
HKCU-Run-CollagesSystray - c:\program files\Collages.net Inc\Collages.net
HKLM-Run-hpsysdrv - c:\windows\system\bak\hpsysdrv.exe
HKLM-Run-vinclock - c:\documents and settings\HP_Administrator\Application Data\Google\ocboo1892823.exe
HKU-Default-Run-CollagesSystray - c:\program files\Collages.net Inc\Collages.net
MSConfigStartUp-CollagesSystray - c:\program files\Collages.net Inc\Collages.net


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.yahoo.com/
uDefault_Search_URL = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
mSearch Bar = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
IE: &ieSpell Options - c:\program files\ieSpell\iespell.dll/SPELLOPTION.HTM
IE: &Lookup Meaning - c:\program files\ieSpell\iespell.dll/LOOKUPMEANING.HTM
IE: Append to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Check &Spelling - c:\program files\ieSpell\iespell.dll/SPELLCHECK.HTM
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\OFFICE11\EXCEL.EXE/3000

O16 -: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

c:\windows\Downloaded Program Files\httpfv.ini - c:\windows\Downloaded Program Files\httpfv.exe
O16 -: {BA83FD38-CE14-4DA3-BEF5-96050D55F78A}
hxxp://www.flipviewer.com/exe/fv373p.cab
c:\windows\Downloaded Program Files\httpfv.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-07 16:33:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1028)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\EPSON\EBAPI\eEBSvc.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\ASTSRV.EXE
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Common Files\EPSON\EBAPI\SAgent2.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\PSIService.exe
c:\program files\Photodex\ProShowProducer\scsiaccess.exe
c:\progra~1\NORTON~1\NORTON~1\SPEEDD~1\NOPDB.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\dllhost.exe
c:\windows\system32\wscntfy.exe
c:\windows\ehome\ehmsas.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
.
**************************************************************************
.
Completion time: 2009-01-07 16:47:23 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-07 21:47:19
ComboFix2.txt 2009-01-07 19:23:11

Pre-Run: 102,802,120,704 bytes free
Post-Run: 102,531,829,760 bytes free

252 --- E O F --- 2008-12-18 18:59:38

I think we can say this is a rap now.
What problems remain?

Thank you. There doesn't seem to by any problems related to the infection I had. The only thing is my Norton Systemworks and Antivirus will not work. I get a popup message titled, ccApp.exe - Unable to locate component.
"This application has failed to start because ccL30.dll was not found.

You may need to uninstall it and then re-installing, that's probably the only way of replacing a missing dll.

Ok. I'll give that a go. Thanks so much for all your help. I'll let you know if any problems arear as I start using the computer more.

Since this issue is resolved, this topic is closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter.

Everyone else, please open a new topic for your questions.