Anyone know this virus?

Name: namsupo
Date: January 22, 2009 at 03:29:16 Pacific
OS: Windows XP
CPU/Ram: n/a
Product: N/a / N/A
Subcategory: Viruses
Comment:

Hi people, am hoping someone might recognise these symptoms as a virus and know what to do! Friend of mine's business has just been hit by something but I can't work out what it is. Symptoms are:

- Periodically (every 30-60 minutes or so), around 40 pages are sent to every printer on every computer on the network (even shared printers). The printed pages are related to porno sites. The print jobs are listed as both "Remote Downlevel Document" owned by the Guest account, and "Local Downlevel Document" which is owned by the local user.

- Some computers (but not all) on the network have multiple directories created (in C: and in C:\ sub directories and possibly other locations), all called "-= Porn Collection =-" which contain screenshots and links to porno websites.

I've done lots of googling and I can't find any reference to what this virus might be. The only reference to a virus that submits print jobs I can find is BugBear but it doesn't seem to have the porn collection and that was around about 5 years ago so you'd think modern AV software would pick it up (all these computers have updated AV software on them btw!)

Can anyone help???
Thanks!



Response Number 1
Name: amvinfe
Date: January 23, 2009 at 09:09:04 Pacific
Reply:

Hi,
Download to your desktop
http://www.suspectfile.com/systemscan
Open it, make sure that all options are checked, and click on "Scan Now". At the end of the scan, two files will be created (again on your desktop, inside the folder suspectfile).
Upload the zip file to http://www.freefilehosting.net and write in your next reply the URL where I can get it.

Remember to run the scan with no connection and with the antivirus disabled, then re-enable it once the scan has finished.

SystemScan is recognized, by mistake, by some antivirus programs as infected.

Ciao,
Marco


0

Response Number 2
Name: namsupo
Date: January 26, 2009 at 03:45:24 Pacific
Reply:

Thanks a lot for your help. The report is here:

http://freefilehosting.net/download...

If you have any ideas please let me know! Thanks!


0

Response Number 3
Name: amvinfe
Date: January 27, 2009 at 16:29:07 Pacific
Reply:

Hi
There are many infected values, for example
C:\WINDOWS\system32\drivers\lsass.exe
C:\WINDOWS\system32\icondrv.exe
and many others.

The problem now is that we must work in the system registry to restore the two values in
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

[Winlogon]
"Shell"
and
"Userinit"

We can even do it using HijackThis, so that it is done automatically.

So please, download HijackThis
http://www.trendsecure.com/portal/e...

Install HijackThis, go to the folder and run the program Hijackthis.exe, then
select the button "Do a system scan and save a logfile."

Now go into the program folder and copy and paste the log.

Thank you


0
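
An added example, not part of the original thread or of any tool mentioned in it: a Python check of the two Winlogon values named in Response 3 against the stock Windows XP defaults, which also flags a system file name such as lsass.exe sitting outside its normal folder. The `reg query` output in SAMPLE is constructed, and placing the two reported files in those values is an assumption made for illustration.

```python
import ntpath
import re

# Stock Windows XP data for the two Winlogon values named in the reply above.
DEFAULT_SHELL = "explorer.exe"
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"
# The genuine lsass.exe sits directly in system32; the same name anywhere
# else (such as system32\drivers) is a masquerading binary.
HOME_DIR = {"lsass.exe": r"c:\windows\system32"}

VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")

# Constructed sample of `reg query` output, not taken from the thread's report.
SAMPLE = """\
HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon
    Shell    REG_SZ    Explorer.exe C:\\WINDOWS\\system32\\icondrv.exe
    Userinit    REG_SZ    C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\drivers\\lsass.exe
"""

def parse_reg_query(text):
    """Map lower-cased value names to their data from `reg query` output."""
    found = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if m:
            found[m.group(1).lower()] = m.group(3).strip()
    return found

def audit_winlogon(text):
    """Return findings for Shell and Userinit; an empty list means stock values."""
    values = parse_reg_query(text)
    findings = []
    shell = values.get("shell", "")
    if shell.lower() != DEFAULT_SHELL:
        findings.append(f"Shell changed: {shell}")
    entries = [e.strip() for e in values.get("userinit", "").split(",") if e.strip()]
    if DEFAULT_USERINIT not in (e.lower() for e in entries):
        findings.append("Userinit does not start userinit.exe")
    for entry in entries:
        if entry.lower() != DEFAULT_USERINIT:
            findings.append(f"Userinit extra entry: {entry}")
    # Masquerade check over every program named in either value.
    for prog in shell.split() + entries:
        folder, name = ntpath.split(prog.lower())
        if name in HOME_DIR and folder != HOME_DIR[name]:
            findings.append(f"Masquerading system name: {prog}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_winlogon(SAMPLE)))
```

The Shell tokens are split on whitespace, so a path containing spaces would need quoting-aware parsing before the masquerade check.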

Response Number 4
Name: virus-problem
Date: March 11, 2009 at 04:01:05 Pacific
Reply:

Hi.
I am having the same problem so I was very interested in the dialog going on about this issue. However, it seems like it was never completed.
So if anyone has the time to take a look at my logfile I would be glad to post it.
Thanks.


0
