Use caution in opening the attached folder --- the original infector is in there, named bank_statement.zip. This is a malformed self-executing zip file; don't click on it!
My customer clicked on the bank_statement.zip e-mail attachment which started circulating 9/30. It seems likely that it's dropped another Trojan or two as well. This is an exceptionally nasty, stealthed package --- GMER and other rootkit tools find lots of kernel hook activity, but HiJackThis looks pretty clean, and all the major virus scanners find nothing with current updates. [Avast! did block my download attempt, so the scanners are starting to catch up...]
See http://www.virustotal.com/analisis/0...c1bc72bf0601a8 and http://www.threatexpert.com/report.a...6-6fae34194ede for scans of the original infector.
In normal mode on an XP SP2 system, double-clicking on _any_ application starts it running as a background process, with no open window. The cursor passes under the Start Menu button, so it can't be opened or right-clicked. Right-click Properties doesn't work on anything else, either. It also boots without prompting for a logon. Anything launched from the Run line doesn't open a window either, e.g. services.msc.
In Safe Mode, applications can run and open windows normally, logon prompt is normal, etc. HiJackThis and GMER found an obvious infected file: utm3mzgz.sys in Win\System32\drivers, which I renamed from a boot disk, and I've disabled System Restore from the Registry. Unfortunately, I can only run GMER, HiJackThis, ComboFix, AVZ, Avast! etc. from Safe Mode (I do _not_ want to connect this box to the network again for current updates, either!), and they don't seem to be finding much. The normal mode inability to open applications persists.