
Desktop icons will not work

pjf01 (Newbie Poster, 4 posts since Nov 2007)

Hi there.

For a couple of days now I have not been able to use several of my desktop icons: Internet Explorer, My Computer, Recycle Bin and Network Places no longer work. Once I double click on them the cursor changes to an egg timer, then the desktop turns blue and after a few seconds goes back to normal, but nothing appears. However, I have Word on the desktop and this works when double clicked. If I go into Safe Mode then all the icons work as normal.

This all started when AVG anti virus identified 'Obfustat.UVE' and then trojan 'Generic8.KOT' and 'trojanhorsedownloader.agent.suo'. I followed the instructions from AVG and they all healed except the Obfustat one which repeatedly occurred over and over (now appears to be cured though).

I have tried to complete as many of the basic things from the forum posts as I can (emptying virus vaults, temporary internet files etc.), but as I cannot access the internet browser I am unable to get some of the spyware tools and programs that are suggested (I keep reading about HijackThis etc. but cannot download them). I have run Spybot and it picked up something called 'Alexa' and has now fixed this.

I am running Windows 2000 with AVG Anti-Virus and ZoneAlarm. Any help as to how to go forward would be greatly appreciated.

Thanks

gerbil (Industrious Poster, 4,622 posts since May 2005)

Hello, pjf, this should restore your desktop icon functions.

Copy these downloads into the pc. They fit on a floppy.

==Download SDFix from here: http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
and save it to your desktop. Dclick SDFix.exe and choose Run to extract it to %systemdrive%, which commonly will be C:\

ATF Cleaner:
==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
=Restart your computer in Safe Mode:- press F8 several times while POST is running and before IDE detection completes.
- On the Windows Advanced Options Menu, select Safe Mode and press Enter.
- When the Boot Menu appears again, select Microsoft Windows XP and press Enter.
- Log in by using the Administrator account and password. NOTE: The password is blank by default unless you set a password.
==Open the extracted SDFix folder, C:\SDFix and double click RunThis.bat to start the script. Type Y to begin the cleanup.
You will be prompted to press any key to Reboot - the pc will then restart.
The tool will run again and complete the removal process then display Finished; press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
Restart the pc in normal mode. Post the contents of the file Report.txt here, along with the log of a fresh hijackthis scan run in normal mode.
==download hijackthis: http://www.majorgeeks.com/download5554.html
-copy it to a new folder alongside your program files and then... rename hijackthis.exe to imabunny.exe
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log here.

pjf01

Gerbil,

Thanks for your help with this.

I managed to download the three programs onto a good old fashioned floppy disk and put them onto my troubled laptop as required. I am still unable to access the icons that I previously mentioned although I have attached the two logs below.

Here's the SDFix one....

SDFix: Version 1.113

Run by claire on Tue 11/06/2007 at 6:10p

Microsoft Windows 2000 [Version 5.00.2195]

Running From: C:\SDFix\SDFix

Safe Mode:
Checking Services: 


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files: 

No Trojan Files Found




Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found. 

C:\WINDOWS\system32
No streams found. 

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



                                 Final Check:

catchme 0.3.1253 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-06 18:17:19
Windows 5.0.2195 Service Pack 4 FAT NTAPI

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Remaining Files:
---------------


Files with Hidden Attributes:

Thu 18 May 2006         4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 13 Nov 2004        37,376 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
Sat 13 Aug 2005        19,456 ...H. --- "C:\Documents and Settings\claire\Application Data\Microsoft\Word\~WRL0003.tmp"
Sat 13 Aug 2005        19,968 ...H. --- "C:\Documents and Settings\claire\Application Data\Microsoft\Word\~WRL0005.tmp"
Sun 18 Sep 2005        19,456 ...H. --- "C:\Documents and Settings\claire\Application Data\Microsoft\Word\~WRL0126.tmp"
Sun 18 Sep 2005        19,968 ...H. --- "C:\Documents and Settings\claire\Application Data\Microsoft\Word\~WRL2751.tmp"
Sun 18 Sep 2005        19,968 ...H. --- "C:\Documents and Settings\claire\Application Data\Microsoft\Word\~WRL3799.tmp"
Thu 26 Jan 2006        45,568 ...H. --- "C:\Documents and Settings\claire\Application Data\Microsoft\Word\~WRL0427.tmp"
Sun 18 Sep 2005        19,456 ...H. --- "C:\Documents and Settings\claire\Application Data\Microsoft\Word\~WRL3298.tmp"

Finished! 


And the Hijackthis one....


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:45:17 PM, on 11/6/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\imabunny.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {82AF5D76-845D-4DA8-8097-99924D9A65AA} - c:\windows\system32\atimiaabw.dll (file missing)
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\system32\nzdd.dll
O2 - BHO: (no name) - {FB981D1D-E4CF-46DA-AD94-A0078F76E48D} - C:\WINDOWS\system32\pndx5016b.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ShowIcon_Justram_USB Product Driver v2.25r003] "C:\Program Files\USB Product Driver 2.25r003\shwicon.exe" -t"Justram\USB Product Driver v2.25r003"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.exe
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://cdn2.zone.msn.com/binframework/v10/ZAxRcMgr.cab31267.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O20 - Winlogon Notify: xkgjfifo - atimiaabw.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

--
End of file - 4490 bytes

Thanks again for your help
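
The triage that the next reply applies to this log (dead "(file missing)" references, BHOs with no name, any Winlogon Notify hook, services with no publisher) can be scripted so the same rules are applied to every HijackThis log the same way. The following is an added example, not code from the thread or from Trend Micro's HijackThis; the sample lines are a constructed subset in the shape of the Safe Mode log above, and the reason strings are this example's own names for the rules.

```python
"""Triage a HijackThis log using the rules the reply in this thread applies.

Added example, not from the thread or from HijackThis itself. It reads the
O-line formats exactly as they appear in the log above and returns the
entries a reviewer would look at first, plus the subset that matches the
reply's Fix Checked list.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a handful of lines in the shape of the Safe Mode log
# above (the real log has many more entries).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {82AF5D76-845D-4DA8-8097-99924D9A65AA} - c:\windows\system32\atimiaabw.dll (file missing)
O2 - BHO: (no name) - {FB981D1D-E4CF-46DA-AD94-A0078F76E48D} - C:\WINDOWS\system32\pndx5016b.dll
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O20 - Winlogon Notify: xkgjfifo - atimiaabw.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\ati2evxx.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
"""

HJT_LINE = re.compile(r"^(R\d|O\d+)\s+-\s+(.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Reasons that justify a Fix Checked entry; "unsigned service" only asks for
# a closer look (the ATI poller above is a legitimate unsigned service).
FIX_REASONS = ("dead reference", "unnamed BHO", "Winlogon Notify hook")


@dataclass
class Finding:
    section: str           # "O2", "O20", ...
    line: str              # the log line as written
    reasons: List[str]     # why it was flagged
    clsid: Optional[str]   # CLSID on the line, if any (useful for registry lookup)

    @property
    def fixable(self) -> bool:
        return any(r in FIX_REASONS for r in self.reasons)


def triage(log_text: str) -> List[Finding]:
    """Flag entries using the same reasoning as the reply above."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue                              # headers, process list, blanks
        section, body = m.groups()
        reasons = []
        if "(file missing)" in body:
            reasons.append("dead reference")      # hook points at a deleted file
        if section == "O2" and "(no name)" in body:
            reasons.append("unnamed BHO")         # legitimate BHOs register a name
        if section == "O20":
            reasons.append("Winlogon Notify hook")  # DLL loaded by winlogon at logon
        if section == "O23" and "Unknown owner" in body:
            reasons.append("unsigned service")    # no publisher: verify the binary
        if reasons:
            cm = CLSID_RE.search(body)
            findings.append(Finding(section, line, reasons, cm.group(0) if cm else None))
    return findings


def fix_candidates(log_text: str) -> List[Finding]:
    """Subset that matches the reply's Fix Checked list."""
    return [f for f in triage(log_text) if f.fixable]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(("FIX  " if f.fixable else "LOOK ") + f.line, "->", ", ".join(f.reasons))
```

The split between "fix" and "look" matters: an entry like the ATI HotKey Poller is flagged only because HijackThis could not read a publisher from it, which is true of plenty of legitimate OEM services, so it gets a closer look rather than a removal.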

gerbil

Hi, pj, it does appear that this one, Obfustat.UVE, is gone. SDFix would have spotted it.
It is important to make your hijackthis logs in normal mode because some processes are not started in safe mode -we may miss a few bugs.
Okay, start hijackthis, safe or normal mode, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.

O2 - BHO: (no name) - {82AF5D76-845D-4DA8-8097-99924D9A65AA} - c:\windows\system32\atimiaabw.dll (file missing)
O2 - BHO: (no name) - {FB981D1D-E4CF-46DA-AD94-A0078F76E48D} - C:\WINDOWS\system32\pndx5016b.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O20 - Winlogon Notify: xkgjfifo - atimiaabw.dll (file missing)

Good. Now browse to this file and delete it:
C:\WINDOWS\system32\pndx5016b.dll

Normally I would send you to the website for this file, it is from a chap [Doug Knox] with a formidable reputation... but I got it for you, it is to repair your links:
==Please copy the text between the lines into Notepad [Format/Word Wrap unchecked] and save it as fixkey.reg, type "All files", to your desktop; dclick it to run and agree; if it opens in Notepad instead, rclick the file, choose Open With, Registry Editor....
__________________________________________________________
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.lnk]
@="lnkfile"

[HKEY_CLASSES_ROOT\.lnk\ShellEx]

[HKEY_CLASSES_ROOT\.lnk\ShellEx\{000214EE-0000-0000-C000-000000000046}]
@="{00021401-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\.lnk\ShellEx\{000214F9-0000-0000-C000-000000000046}]
@="{00021401-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\.lnk\ShellEx\{00021500-0000-0000-C000-000000000046}]
@="{00021401-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\.lnk\ShellEx\{BB2E617C-0920-11d1-9A0B-00C04FC2D6C1}]
@="{00021401-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\.lnk\ShellNew]
"Command"="rundll32.exe appwiz.cpl,NewLinkHere %1"

[HKEY_CLASSES_ROOT\lnkfile]
@="Shortcut"
"EditFlags"=dword:00000001
"IsShortcut"=""
"NeverShowExt"=""

[HKEY_CLASSES_ROOT\lnkfile\CLSID]
@="{00021401-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\lnkfile\shellex]

[HKEY_CLASSES_ROOT\lnkfile\shellex\ContextMenuHandlers]

[HKEY_CLASSES_ROOT\lnkfile\shellex\ContextMenuHandlers\Offline Files]
@="{750fdf0e-2a26-11d1-a3ea-080036587f03}"

[HKEY_CLASSES_ROOT\lnkfile\shellex\ContextMenuHandlers\{00021401-0000-0000-C000-000000000046}]

[HKEY_CLASSES_ROOT\lnkfile\shellex\DropHandler]
@="{00021401-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler]
@="{00021401-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\lnkfile\shellex\PropertySheetHandlers]

[HKEY_CLASSES_ROOT\lnkfile\shellex\PropertySheetHandlers\ShimLayer Property Page]
@="{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"

[HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}]
@="Shortcut"

[HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32]
@="shell32.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}\PersistentAddinsRegistered]

[HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}\PersistentAddinsRegistered\{89BCB740-6119-101A-BCB7-00DD010655AF}]
@="{00021401-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}\PersistentHandler]
@="{00021401-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}\ProgID]
@="lnkfile"

[HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}\shellex]

[HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}\shellex\MayChangeDefaultMenu]
__________________________________________________________

If you can get on the net, even from Safe Mode with Networking, or by starting IE from Task Manager (File, New Task) or Start, Run (in either, enter iexplore.exe), you should:
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
- to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs reboot to restore the desktop.
Post that log plus a fresh hijackthis log.
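
Merging a .reg file posted on a forum writes to the registry with whatever rights the logged-in user has, so it is worth reading what it does before double clicking it. The fix above only touches the .lnk association and only points it at the shell's own Shortcut object in shell32.dll, which is something a script can confirm. The following is an added example, not code from the thread or from Doug Knox's site: it parses the "Windows Registry Editor Version 5.00" text format the fix uses and checks a copy of it against those expectations. The GOOD sample is an abridged copy of the fix above; the TAMPERED sample, the example_hook.dll and example.exe paths, and the allowed-key prefixes are constructed here for the demonstration.

```python
"""Read a .reg fix before merging it.

Added example, not from the thread or from Doug Knox's site. It parses the
REGEDIT5 text format the fix above uses and checks that every key stays
inside the .lnk association, every CLSID written is one the fix is expected
to set, and the Shortcut object still comes from shell32.dll. Only string and
dword values are handled, which is all this fix contains.
"""
from typing import Dict, List

SHORTCUT_CLSID = "{00021401-0000-0000-c000-000000000046}"

# CLSIDs the fix above is allowed to write (all three appear in it).
ALLOWED_CLSIDS = {
    SHORTCUT_CLSID,                             # shell32 Shortcut object
    "{750fdf0e-2a26-11d1-a3ea-080036587f03}",   # Offline Files context menu
    "{513d916f-2a8e-4f51-aeab-0cbc76fb1af8}",   # ShimLayer property page
}
# Keys a .lnk repair may touch; anything else in the file is out of scope.
ALLOWED_PREFIXES = (
    "hkey_classes_root\\.lnk",
    "hkey_classes_root\\lnkfile",
    "hkey_classes_root\\clsid\\" + SHORTCUT_CLSID,
)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """REGEDIT5 export -> {key: {value name: data}}; '@' is the default value."""
    lines = text.strip().splitlines()
    if not lines or lines[0] != "Windows Registry Editor Version 5.00":
        raise ValueError("not a Windows Registry Editor Version 5.00 file")
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in lines[1:]:
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None:
            raise ValueError(f"value before any key: {line}")
        name, _, data = line.partition("=")
        name = "@" if name == "@" else name.strip('"')
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            data = data[1:-1]                  # REG_SZ; dword:/hex: left as-is
        keys[current][name] = data
    return keys


def audit_lnk_fix(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Return the problems found; an empty list means the file does what it claims."""
    problems = []
    for key, values in keys.items():
        k = key.lower()
        if not k.startswith(ALLOWED_PREFIXES):
            problems.append(f"key outside the .lnk association: {key}")
            continue
        for name, data in values.items():
            d = data.lower()
            if d.startswith("{") and d.endswith("}") and d not in ALLOWED_CLSIDS:
                problems.append(f"unexpected CLSID {data} at {key}\\{name}")
            if k.endswith("\\inprocserver32") and name == "@" and d != "shell32.dll":
                problems.append(f"InProcServer32 loads {data} instead of shell32.dll")
            if name.lower() == "command" and not d.startswith("rundll32.exe appwiz.cpl,newlinkhere"):
                problems.append(f"unexpected ShellNew command: {data}")
    return problems


# Abridged copy of the fix above.
GOOD = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.lnk]
@="lnkfile"

[HKEY_CLASSES_ROOT\.lnk\ShellEx\{000214EE-0000-0000-C000-000000000046}]
@="{00021401-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\.lnk\ShellNew]
"Command"="rundll32.exe appwiz.cpl,NewLinkHere %1"

[HKEY_CLASSES_ROOT\lnkfile]
@="Shortcut"
"EditFlags"=dword:00000001
"IsShortcut"=""

[HKEY_CLASSES_ROOT\lnkfile\shellex\ContextMenuHandlers\Offline Files]
@="{750fdf0e-2a26-11d1-a3ea-080036587f03}"

[HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler]
@="{00021401-0000-0000-C000-000000000046}"

[HKEY_CLASSES_ROOT\CLSID\{00021401-0000-0000-C000-000000000046}\InProcServer32]
@="shell32.dll"
"ThreadingModel"="Apartment"
"""

# Constructed variant: a "repair" that swaps in a hypothetical DLL and adds an autorun.
TAMPERED = GOOD.replace('@="shell32.dll"', '@="C:\\WINDOWS\\system32\\example_hook.dll"') + r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updater"="C:\WINDOWS\example.exe"
"""

if __name__ == "__main__":
    print("good:", audit_lnk_fix(parse_reg(GOOD)) or "no problems")
    print("tampered:", audit_lnk_fix(parse_reg(TAMPERED)))
```

Any reported problem is a reason not to merge the file as-is; the two constructed ones above (a non-shell32 InProcServer32 and a Run key) are exactly the shape a malicious "fix" would take, because .lnk handlers load into every Explorer process.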

pjf01

Gerbil,

Firstly, thanks for the extra help you gave by getting me the 'Doug Knox' link.

Secondly, I have followed all of the bits you suggested and finally the icons and internet explorer work!!! Thank you so much!

Here is the combo fix log......

ComboFix 07-11-08.1 - claire 11/07/2007 20:26:54.1 - FAT32x86
Running from: C:\Documents and Settings\claire\Desktop\ComboFix.exe
.


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.


C:\WINDOWS\start.exe


.
(((((((((((((((((((((((((   Files Created from 2007-10-08 to 2007-11-08  )))))))))))))))))))))))))))))))
.


2007-11-07 20:27    16,384  --a----t-   C:\WINDOWS\SYSTEM32\Perflib_Perfdata_39c.dat
2007-11-07 20:25    51,200  --a------   C:\WINDOWS\NirCmd.exe
2007-11-07 19:36    <DIR>    d--------   C:\Program Files\backups
2007-11-06 18:42    401,720 --a------   C:\Program Files\imabunny.exe
2007-11-06 18:09    <DIR>    d--------   C:\WINDOWS\ERUNT
2007-11-04 21:41    <DIR>    d--------   C:\WINDOWS\SYSTEM32\New Folder
2007-11-03 16:52    119,040 --a------   C:\WINDOWS\SYSTEM32\xhcjgyos.dat
2007-11-03 16:52    41,728  --a------   C:\WINDOWS\SYSTEM32\stpwqrbu.dat
2007-11-03 16:52    35,072  --a------   C:\WINDOWS\SYSTEM32\lwszozol.dat
2007-11-03 15:31    <DIR>    d--------   C:\WINDOWS\SYSTEM32\AppCert


.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-06 18:46    4,491   ----a-w C:\Program Files\bunrep1.txt
2007-11-06 18:45    4,491   ----a-w C:\Program Files\hijackthis.log
2003-03-09 17:55    305 ---h--w C:\Program Files\desktop.ini
2003-03-09 17:51    21,952  ---h--w C:\Program Files\folder.htt
2000-07-26 12:00    32,528  ----a-w C:\WINDOWS\inf\wbfirdma.sys
2006-09-01 19:40:28 8,192   --sha-w C:\WINDOWS\o2cLicStore.bin
.


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [06/19/03 08:05p C:\WINDOWS\SYSTEM32\mobsync.exe]
"AtiPTA"="Atiptaxx.exe" [04/11/00 04:57p C:\WINDOWS\SYSTEM32\atiptaxx.exe]
"LTSMMSG"="LTSMMSG.exe" [05/12/00 03:43p C:\WINDOWS\LTSMMSG.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [11/03/07 04:30p]
"ShowIcon_Justram_USB Product Driver v2.25r003"="C:\Program Files\USB Product Driver 2.25r003\shwicon.exe" [11/04/04 02:08p]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [03/09/07 01:02a]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [09/22/07 03:57p]


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [11/15/05 07:44p]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [10/24/05 03:53p]


[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop


C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
MA111 Configuration Utility.lnk - C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.exe [2006-01-29 11:04:08]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ActiveSync]
WcesWlgn.dll 11/15/05 07:44p 7168 C:\WINDOWS\SYSTEM32\WcesWlgn.dll


[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders   msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RealDownload.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\RealDownload.lnk
backup=C:\WINDOWS\pss\RealDownload.lnkCommon Startup


R1 Avg7RsNT;AVG7 Rezident Driver;C:\WINDOWS\system32\Drivers\avg7rsnt.sys
R3 ALiIRDA;ALi Infrared Device Driver;C:\WINDOWS\system32\DRIVERS\alifir.sys
R3 ati2mpab;ati2mpab;C:\WINDOWS\system32\DRIVERS\ati2mpab.sys
R3 LucentSoftModem;Lucent Technologies Soft Modem;C:\WINDOWS\system32\DRIVERS\LTSM.sys
R3 openhci;Microsoft USB Open Host Controller Driver;C:\WINDOWS\system32\DRIVERS\openhci.sys
R3 WlanUIB;NETGEAR 802.11b USB Driver;C:\WINDOWS\system32\DRIVERS\MA111nd5.sys
S3 usb_rndisy;USB RNDIS Adapter;C:\WINDOWS\system32\DRIVERS\usb8023y.sys
S3 WLAN_USB;Wireless LAN USB Driver;C:\WINDOWS\system32\DRIVERS\MA111nd5.sys
S3 YMIDUSB;YAMAHA Corporation USB MIDI Driver;C:\WINDOWS\system32\Drivers\ymidusb.sys
Start Pending2 xiuwuykc;i8042 Keyboard and PS/2 Mouse Port Support;C:\WINDOWS\System32\svchost.exe -k netsvcs


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
xiuwuykc


*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-11-03 23:00:20 C:\WINDOWS\Tasks\Tune-up Application Start.job"
"2007-11-03 15:30:46 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************


catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-08 20:32:49
Windows 5.0.2195 Service Pack 4 FAT NTAPI


scanning hidden processes ...


scanning hidden autostart entries ...


scanning hidden files ...


scan completed successfully
hidden files: 0


**************************************************************************
.
Completion time: 11/08/2007 20:34:40
.
--- E O F ---


And the new Hijackthis log....



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:37:33 PM, on 11/8/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Atiptaxx.exe
C:\WINDOWS\LTSMMSG.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\USB Product Driver 2.25r003\shwicon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\imabunny.exe


R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: BrowserHelper Class - {EBCDDA60-2A68-11D3-8A43-0060083CFB9C} - C:\WINDOWS\system32\nzdd.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ShowIcon_Justram_USB Product Driver v2.25r003] "C:\Program Files\USB Product Driver 2.25r003\shwicon.exe" -t"Justram\USB Product Driver v2.25r003"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.exe
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.com/activex/tdserver.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://cdn2.zone.msn.com/binframework/v10/ZAxRcMgr.cab31267.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe


--
End of file - 4743 bytes

Thanks again

gerbil

That hijackthis log shows as clean, pj.
There are these files from Combofix that I do not trust.... they could be encoded filenames from a legit pgm, they could be .dat files for malware...
You don't want a new folder in system32 -it is not the place to go putting your own stuff, let pgm installers do that.
So... delete this folder [check its contents first]:

C:\WINDOWS\SYSTEM32\New Folder

These files were created at the same time as each other; order your system32 files by creation time so as to see what files were written at the same time as these. If no others, and a property check shows them as unclaimed, delete them.

2007-11-03 16:52 119,040 --a------ C:\WINDOWS\SYSTEM32\xhcjgyos.dat
2007-11-03 16:52 41,728 --a------ C:\WINDOWS\SYSTEM32\stpwqrbu.dat
2007-11-03 16:52 35,072 --a------ C:\WINDOWS\SYSTEM32\lwszozol.dat

That done, you should be all okay again. Glad it worked for you.
Cheers.
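
The check described above has two parts: find everything written to system32 in the same minute as the suspect files, then see whether any of those neighbours is claimed by an installer. The first part, and a rough prefilter for the machine-generated names seen in this thread's logs, can be scripted. The following is an added example, not code from the thread or from ComboFix or SDFix. The three .dat entries and their timestamp are taken from the ComboFix listing above; the other entries in the sample (including a perfc009.dat written in the same minute) are constructed here to show legitimate neighbours.

```python
"""Cluster files by creation time around a suspect and prefilter by name.

Added example, not from the thread or from ComboFix/SDFix. The sample list
mirrors the ComboFix "Files Created" section above; scan_dir() builds the
same list from a real directory.
"""
import os
import re
from datetime import datetime, timedelta
from typing import List, NamedTuple


class Entry(NamedTuple):
    name: str
    created: datetime
    size: int


# Constructed sample: the three .dat files and their time come from the log
# above; the remaining entries are made up here.
SAMPLE = [
    Entry("atiptaxx.exe", datetime(2000, 4, 11, 16, 57), 0),
    Entry("mobsync.exe",  datetime(2003, 6, 19, 20, 5), 0),
    Entry("AppCert",      datetime(2007, 11, 3, 15, 31), 0),
    Entry("xhcjgyos.dat", datetime(2007, 11, 3, 16, 52, 4), 119040),
    Entry("stpwqrbu.dat", datetime(2007, 11, 3, 16, 52, 4), 41728),
    Entry("lwszozol.dat", datetime(2007, 11, 3, 16, 52, 5), 35072),
    Entry("perfc009.dat", datetime(2007, 11, 3, 16, 52, 40), 0),  # hypothetical neighbour
    Entry("New Folder",   datetime(2007, 11, 4, 21, 41), 0),
]


def co_created(entries: List[Entry], seed_name: str, window_seconds: int = 60) -> List[Entry]:
    """Everything created within +/- window of the seed file, oldest first."""
    seed = next(e for e in entries if e.name.lower() == seed_name.lower())
    window = timedelta(seconds=window_seconds)
    hits = [e for e in entries if abs(e.created - seed.created) <= window]
    return sorted(hits, key=lambda e: e.created)


def looks_random(name: str) -> bool:
    """Prefilter for names like xhcjgyos / stpwqrbu / lwszozol / atimiaabw:
    7-10 lowercase letters with no vowel, a run of 4+ consonants or 3+ vowels
    (y counted as a vowel). Some real names trip it (svchost does), so a hit
    means 'look closer', never 'delete'."""
    stem = name.lower().rsplit(".", 1)[0]
    if not re.fullmatch(r"[a-z]{7,10}", stem):
        return False
    vowels = "aeiouy"
    if not re.search(f"[{vowels}]", stem):
        return True
    return re.search(f"[^{vowels}]{{4}}|[{vowels}]{{3}}", stem) is not None


def suspects(entries: List[Entry], seed_name: str, window_seconds: int = 60) -> List[Entry]:
    """Co-created files whose names also look machine-generated."""
    return [e for e in co_created(entries, seed_name, window_seconds) if looks_random(e.name)]


def scan_dir(path: str) -> List[Entry]:
    """Build the entry list from a real directory. On Windows st_ctime is the
    creation time; elsewhere it is the inode change time, so the ordering the
    reply asks for is only meaningful on Windows."""
    out = []
    with os.scandir(path) as it:
        for d in it:
            st = d.stat(follow_symlinks=False)
            out.append(Entry(d.name, datetime.fromtimestamp(st.st_ctime), st.st_size))
    return out


if __name__ == "__main__":
    for e in co_created(SAMPLE, "xhcjgyos.dat"):
        print(e.created, f"{e.size:>8}", e.name, "<- check" if looks_random(e.name) else "")
```

On the real machine the list would come from scan_dir(r"C:\WINDOWS\system32"); the second half of the reply's check, whether a file's Properties > Version tab names a vendor, is the part no script replaces, so the output is a shortlist to inspect by hand, and the files should be moved or backed up rather than deleted outright.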

pjf01

Gerbil (or Super-Gerbil as I will now refer to you!),

I have deleted the New Folder and the three unclaimed files as suggested. Everything is back to normal and working well. Thanks again for your help and keep up the good work - you guys are brilliant!

pj

Question Answered as of 6 Years Ago by gerbil
gerbil

Am pleased I could help you, pj.
Cheers.

marino1999 (Newbie Poster, 1 post since Dec 2008)

I have experienced the very same problem, followed the recommendations from "gerbil" and it worked absolutely brilliantly.... my respect to you guys and thanks for the help....
