Problems with my icons

[malpensar]

Ok, I rushed my first post and now I noticed that it lacked a few steps. Sorry, I missunderstood some of them. I'll start again from the beggining. I started having problems with my icons. It seems that some malware or virus made a mess and let them all screwed up. They suddenly change when I reboot my computer, or simply don't have any icon attached to the file name. Strangely, it only happens to the icons in the folders or the ones in the quick access on the toolbar, but not to the icons in the desk. I have the crappy Windows ME as OS due to my poor amount of RAM (128mb) and I received advice to move on to W2000, but to do that I have to format C: and I need a temporal solution to my problem. I have completely updated Windows, I've donwloaded and installed Spyware Blaster and Zoned Out with the IeSpyad pack, and I made a complete scan with AVG 7.5 actualized and SpyBot. They cleaned my PC and deleted some viruses and malwares, but Panda tells me that my PC's still infected. Thanks, I hope you will solve my problem.

Here's the Panda log:


Incident Status Location

Adware:adware/winprotect Not disinfected c:\windows\help\CHMRedir.chm
Adware:adware/sbsoft Not disinfected c:\windows\rdt.ini
Potentially unwanted tool:application/kill&clean Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\extensions\CmdMapping\{BF69DF00-2734-477F-8257-27CD04F88779}
Adware:adware/powerstrip Not disinfected Windows Registry
Hacktool:exploit/mhtredir.gen Not disinfected HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{11010101-1001-1111-1000-110112345678}
Potentially unwanted tool:Application/PerfectKeylog.B Not disinfected C:\WINDOWS\SYSTEM\svchosthk.dll
Adware:Adware/Msnlist Not disinfected C:\WINDOWS\SYSTEM\micefix.exe
Spyware:Spyware/WareOut Not disinfected C:\WINDOWS\SYSTEM\minidrv.exe
Spyware:Spyware/WareOut Not disinfected C:\WINDOWS\SYSTEM32\wodata32.dll
Spyware:Cookie/WebtrendsLive Not disinfected C:\WINDOWS\Cookies\anyuser@statse.webtrendslive[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\WINDOWS\Cookies\anyuser@tribalfusion[1].txt

And Here's My HijackThis more recent log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:07:57 p.m., on 29/11/2007
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\ARCHIVOS DE PROGRAMA\WINAMP\WINAMPA.EXE
C:\ARCHIVOS DE PROGRAMA\GRISOFT\AVG7\AVGCC.EXE
C:\ARCHIVOS DE PROGRAMA\GRISOFT\AVG7\AVGEMC.EXE
C:\ARCHIVOS DE PROGRAMA\GRISOFT\AVG7\AVGAMSVR.EXE
C:\WINDOWS\ptsnoop.exe
C:\WINDOWS\SYSTEM\E_SICN03.EXE
C:\ARCHIVOS DE PROGRAMA\TREND MICRO\HIJACKTHIS\HIJACKTHIS.EXE
C:\ARCHIVOS DE PROGRAMA\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 64.76.29.26:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ARCHIVOS DE PROGRAMA\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [WinampAgent] "C:\ARCHIVOS DE PROGRAMA\WINAMP\WINAMPa.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARCHIV~1\GRISOFT\AVG7\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\ARCHIV~1\GRISOFT\AVG7\AVGAMSVR.EXE
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\RunServices: [KB918547] C:\WINDOWS\SYSTEM\KB918547\KB918547.EXE
O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
O4 - .DEFAULT Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE (User 'Default user')
O4 - .DEFAULT Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE (User 'Default user')
O4 - Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE
O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\SPYBOT~1\SDHELPER.DLL
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\ARCHIV~1\SPYBOT~1\SDHELPER.DLL
O12 - Plugin for .spop: C:\ARCHIV~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by24fd.bay24.hotmail.msn.com/...x/HMAtchmt.ocx
O16 - DPF: {11010101-1001-1111-1000-110112345678} - ms-its:mhtml:file://C:oo.mht!http://209.190.137.29/targ.chm::/win32.exe
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab

--
End of file - 3931 bytes

[malpensar]

more than 72hs has passed.

BUMP

[Pancake]

Copy the bold text below to notepad. Save it as fixreg.reg to your desktop.
Be sure the "Save as" type is set to "all files"
Once you have saved it double click it and allow it to merge with the registry.

Quote:

REGEDIT4
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\extensions\CmdMapping\{BF69DF00-2734-477F-8257-27CD04F88779}
]
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Code Store Database\Distribution Units\{11010101-1001-1111-1000-110112345678}]

After reboot post a new HJT log.


----------------------------------------------

Please download the OTMoveIt by OldTimer

Save it to your desktop.

Please double-click OTMoveIt.exe to run it

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):


c:\windows\help\CHMRedir.chm
c:\windows\rdt.ini
C:\WINDOWS\SYSTEM\svchosthk.dll
C:\WINDOWS\SYSTEM\micefix.exe
C:\WINDOWS\SYSTEM\minidrv.exe
C:\WINDOWS\SYSTEM32\wodata32.dll



Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.

Click the red Moveit! button.

Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

==================================

Go to http://www.kaspersky.com/kos/eng/par...avwebscan.html

Answer Yes, when prompted to install an ActiveX component.

• The program will then begin downloading the latest definition files.
• Once the files have been downloaded click on NEXT
• Locate the Scan Settings button & configure to:
  • Scan using the following Anti-Virus database:
    • Extended
  • Scan Options:
    • Scan Archives
    • Scan Mail Bases
• Click OK & have it scan My Computer
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  
  
  
  
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

* Turn off the real time scanner of any existing antivirus program while performing the online scan

[malpensar]

Ok, I completed steps 1 & 2 of your task, but I couldn't do it with three. Kaspersky told me that the program will only run on Windows 2000 or higher.

Here's the HJT logfile:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:05:12 p.m., on 08/12/2007
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\ARCHIVOS DE PROGRAMA\GRISOFT\AVG7\AVGEMC.EXE
C:\ARCHIVOS DE PROGRAMA\GRISOFT\AVG7\AVGAMSVR.EXE
C:\WINDOWS\ptsnoop.exe
C:\ARCHIVOS DE PROGRAMA\WINAMP\WINAMPA.EXE
C:\WINDOWS\SYSTEM\E_SICN03.EXE
C:\ARCHIVOS DE PROGRAMA\MSN MESSENGER\MSNMSGR.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\ARCHIVOS DE PROGRAMA\WINAMP\WINAMP.EXE
C:\ARCHIVOS DE PROGRAMA\TREND MICRO\HIJACKTHIS\HIJACKTHIS.EXE
C:\WINDOWS\SYSTEM\WBEM\WINMGMT.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 64.76.29.26:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ARCHIVOS DE PROGRAMA\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [AVG7_CC] C:\ARCHIV~1\GRISOFT\AVG7\AVGCC.EXE /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\ARCHIV~1\GRISOFT\AVG7\AVGEMC.EXE
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\ARCHIV~1\GRISOFT\AVG7\AVGAMSVR.EXE
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [PTSNOOP] ptsnoop.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\ARCHIVOS DE PROGRAMA\WINAMP\WINAMPa.exe"
O4 - .DEFAULT Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE (User 'Default user')
O4 - .DEFAULT Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE (User 'Default user')
O4 - Startup: Microsoft Office.lnk = C:\Archivos de programa\Microsoft Office\Office\OSA9.EXE
O4 - Startup: EPSON Status Monitor 3 Environment Check.lnk = C:\WINDOWS\SYSTEM\E_SRCV03.EXE
O12 - Plugin for .spop: C:\ARCHIV~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by24fd.bay24.hotmail.msn.com/...x/HMAtchmt.ocx
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab

--
End of file - 3197 bytes

[malpensar]

Oh, I forgot. I did that scan BEFORE moving those files with OTMoveIt, like I thought you told me to.

[Pancake]

That looks ok now.How are things.Does Panda still pick up that malware ?.

[malpensar]

Ok. The icons are still doing the same thing. I'll make a new Panda scan and bring the news later. Thanks.

[Pancake]

I dont think this is caused by malware but we will look deeoer



This will help to identify any malware on your system.
Please download Combofix from any of these locations:

Here
or
Here




Save ComboFix to the desktop.

1. Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Copy and Paste the contents of that log in your next reply with a new hijackthis log. Do not use Code or html unless asked for.
Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.

Caution...Never run and remove files using ComboFix without being supervised by a security analyst.

[malpensar]

PandaLog:


Incident Status Location

Potentially unwanted tool:application/kill&clean Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\extensions\CmdMapping\{BF69DF00-2734-477F-8257-27CD04F88779}
Adware:adware/powerstrip Not disinfected Windows Registry
Spyware:Cookie/Xiti Not disinfected C:\WINDOWS\Cookies\anyuser@xiti[1].txt
Spyware:Cookie/Apmebf Not disinfected C:\WINDOWS\Cookies\anyuser@apmebf[2].txt
Spyware:Cookie/FastClick Not disinfected C:\WINDOWS\Cookies\anyuser@fastclick[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\WINDOWS\Cookies\anyuser@ad.yieldmanager[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\WINDOWS\Cookies\anyuser@statcounter[1].txt
Potentially unwanted tool:Application/PerfectKeylog.B Not disinfected C:\_OTMoveIt\MovedFiles\windows\SYSTEM\svchosthk.dll
Adware:Adware/Msnlist Not disinfected C:\_OTMoveIt\MovedFiles\windows\SYSTEM\micefix.exe
Spyware:Spyware/WareOut Not disinfected C:\_OTMoveIt\MovedFiles\windows\SYSTEM\minidrv.exe
Spyware:Spyware/WareOut Not disinfected C:\_OTMoveIt\MovedFiles\windows\SYSTEM32\wodata32.dll

[Pancake]

Those files are not a problem.They are dead..all you have to do is remove your cookies and OT we can take out after Combofix has been done.

[malpensar]

Combofix isn't working. First it tells me that I can't run the program because it requires to do it in MS-DOS that is not compatible with my Windows version. An then it displays an error window with the legend: 'can't find %systemroot%/system32/cmd.exe'. I don't know what to do.

[malpensar]

I think that ComboFix will only work on Windows 2000 or higher. But I might be wrong.

PD:
Oh man, yesterday I was doing a quick surf on the forum, trying to find people with related problems, and I found out some guy who had the same icon issue. He said that he had downloaded some serial from seriall.com, or something like that, and suddenly I remembered that I have done the same stupidity, too. I think that my problem could have started there. I beg you pardon for not telling that important thing before.

[Pancake]

Sorry I forgot you had another version of windows.I suggest you so a System Restore back to before the problem started.

[malpensar]

If I do that, all files introduced after the restore point will be erased?

[Pancake]

Some stay and some are removed.You can always reverse the restore if things dont turn out as you like.

[malpensar]

Bad news. I can't do system restore. It freezes when I try to pick a restore point and all I can do is closing the tool. Sometimes when I open other system tools I receive a Rundll32 error, too.

[malpensar]

I don't want to push you, but is there any other solution?

[Pancake]

The last option is the worst one...formate-reinstall

[malpensar]

I don't have the cd or I don't know how to reinstall windows anyway

[Pancake]

If you can get hold of an ME disc you can do a nondistuctive windows m.e reinstall with out loseing data.You will need to go into safe mode and than:

c:windows\options\cabs\setup.exe

Double click setup and windows will start reinstalling on top of its self.