Cant remove virus/trojan (Generic PWS.y!ti) ?

I got a rar file from a friend that has apparently infected my pc. According to my VShield the name is Generic PWS.y!ti.
It's main location from what i've learned so far is C:\lsass.exe. It keeps extensions and system files hidden, this is how i found out my infection because i do not have extensions and system files hidden normally.

From a dos window i can see the file in my root. (dir /a)

08/04/2004  14:00		   380,928 lsass.exe

When i'm in Windows my VShield keeps alerting me, C:\lsass.exe\000535a8.EXE cannot be cleaned. Neither can i move or delete it.
Using a 3rd party program (hiddenfinder) i did Properties of the lsass.exe located in the root and it strangely enough had a Font tab. So maybe it has itself connectec to fonts too?!

I searched my registry and it has 'connected' itself to userinit.exe:

HLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogin C:\WINDOWS\system32\userinit.exe,c:\lsass.exe

My OS is Windows XP SP2

This is my hyjackthis log and DDS log. I hope somebody can help me get rid of this bugger.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:30:10, on 10/7/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
c:\lsass.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\MAFWTray.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\HiddenFinder\hiddenfinder.exe
C:\Documents and Settings\z\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,c:\lsass.exe
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [MAFWTaskbarApp] C:\WINDOWS\system32\MAFWTray.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: Creative Audio Engine Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CTAELicensing.exe
O23 - Service: Creative Audio Service (CTAudSvcService) - Creative Technology Ltd - C:\Program Files\Creative\Shared Files\CTAudSvc.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 3823 bytes

DDS log:

DDS (Ver_09-09-29.01) - NTFSx86
Run by z at 15:21:00.10 on Wed 10/07/2009
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3071.2355 [GMT 2:00]


============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Sygate\SPF\smc.exe
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\MAFWTray.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Vshwin32.exe
C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
C:\WINDOWS\regedit.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Network Associates\On Demand Scanner\Scan32\SCAN32.EXE
C:\Documents and Settings\z\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = about:blank
mWinlogon: Userinit=c:\windows\system32\userinit.exe,c:\lsass.exe
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
mRun: [SmcService] c:\progra~1\sygate\spf\smc.exe -startgui
mRun: [MAFWTaskbarApp] c:\windows\system32\MAFWTray.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\z\applic~1\mozilla\firefox\profiles\4zoc2tw4.default\
FF - prefs.js: browser.startup.homepage - www.google.com

============= SERVICES / DRIVERS ===============

R0 d346bus;d346bus;c:\windows\system32\drivers\d346bus.sys [2008-6-4 156800]
R0 d346prt;d346prt;c:\windows\system32\drivers\d346prt.sys [2008-6-4 5248]
R0 NaiFsRec;NaiFsRec;c:\windows\system32\drivers\naifsrec.sys [2001-4-30 4512]
R2 AvSynMgr;AVSync Manager;c:\program files\network associates\virusscan\Avsynmgr.exe [2001-4-30 155665]
R3 COMMONFX.SYS;COMMONFX.SYS;c:\windows\system32\drivers\COMMONFX.sys [2009-6-23 99352]
R3 CTAUDFX.SYS;CTAUDFX.SYS;c:\windows\system32\drivers\CTAUDFX.sys [2009-6-23 555032]
R3 CTSBLFX.SYS;CTSBLFX.SYS;c:\windows\system32\drivers\CTSBLFX.sys [2009-6-23 566296]
R3 MAFW;MAFW;c:\windows\system32\drivers\mafw.sys [2008-5-30 186368]
R3 McShield;McShield;c:\program files\common files\network associates\mcshield\Mcshield.exe [2001-4-30 229499]
R3 NaiFiltr;NaiFiltr;c:\program files\common files\network associates\mcshield\naifiltr.sys [2001-4-30 24480]
S3 COMMONFX;COMMONFX;c:\windows\system32\drivers\COMMONFX.sys [2009-6-23 99352]
S3 Creative Audio Engine Licensing Service;Creative Audio Engine Licensing Service;c:\program files\common files\creative labs shared\service\CTAELicensing.exe [2009-8-26 79360]
S3 CTAUDFX;CTAUDFX;c:\windows\system32\drivers\CTAUDFX.sys [2009-6-23 555032]
S3 CTERFXFX.SYS;CTERFXFX.SYS;c:\windows\system32\drivers\CTERFXFX.sys [2009-6-23 100888]
S3 CTERFXFX;CTERFXFX;c:\windows\system32\drivers\CTERFXFX.sys [2009-6-23 100888]
S3 CTSBLFX;CTSBLFX;c:\windows\system32\drivers\CTSBLFX.sys [2009-6-23 566296]
S3 KORGUMDS;KORG USB-MIDI Driver for Windows;c:\windows\system32\drivers\KORGUMDS.SYS [2008-10-29 21720]

=============== Created Last 30 ================


==================== Find3M ====================

2009-10-04 16:16 190,144 a------- c:\windows\system32\PnkBstrB.exe
2009-10-04 15:44 138,808 a------- c:\windows\system32\drivers\PnkBstrK.sys
2009-08-26 11:10 444,952 a------- c:\windows\system32\wrap_oal.dll
2009-08-26 11:10 109,080 a------- c:\windows\system32\OpenAL32.dll
2009-07-19 00:58 75,064 a------- c:\windows\system32\PnkBstrA.exe
2009-07-12 02:58 895,736 a------- c:\windows\system32\wmvdmod.dll
2008-06-10 19:28 87,608 a------- c:\docume~1\z\applic~1\inst.exe
2008-06-10 19:28 47,360 a------- c:\docume~1\z\applic~1\pcouffin.sys
2006-06-23 08:48 32,768 a----r-- c:\windows\inf\UpdateUSB.exe

============= FINISH: 15:21:12.04 ===============

Well after 3 days i must say i really hoped someone could help me get this virus beaten. I guess no experts have been present in the forum. I read that it normally takes 24 hours tops for a reply!

Well guys, for what it's worth, i got the virus out myself. In case somebody else gets the same virus just just Malwarebytes' Anti-Malware. It seems to work good enough to rid of the virus after a reboot.
At first i was manually deleting reg keys, (the virus kept sticking itself to userinit.exe), but it kept coming back.

Cheers.

Since this issue appears to be resolved ... this topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact me via pm with the address of the thread.

Everyone else please begin a New Topic.