Author Topic: Help! Fatal System Error when trying to rid malware  (Read 8397 times)

sjn2009

    Topic Starter


    Intermediate

    Help! Fatal System Error when trying to rid malware
    « on: January 18, 2009, 02:13:11 AM »
    I was following all the steps for removing malware and then posting in the stickied post. I got all the way finished with a SAS Full Scan and after about 20 seconds of the quarantine process starting I hear my computer make an almost grinding sound then pop up with a blue screen saying the following in white letters:
    STOP: c000021a {Fatal System Error}
    The Windows Logon Process system process terminated unexpectedly with a status of (0x00000000 0x00000000).
    The system has been shut down.



    ^^ Never had this happen before. In the scan it had found 186 threats, 101 of them registry, and ever since rebooting my computer from that fatal error screen I got a bunch of pop ups from AOL security trying to say iexplorer.exe is trying to gain access to the internet. None of this has EVER happened before.

    The viruses found mentioned a lot of websearch, vundo, trojan, etc.


    What can I do to continue the removal process?

    Also this entire time I've been typing and while I was running the scan I have a message box that won't go away. It read:
    Server Busy     [?][X]
    this action cannot be completed because the other program is busy. Choose "Switch To" to activate the busy program and correct the problem.

    Only when I click anything it just repops up!



    EDIT: Found the SAS Log, I'll add it here. I will though await confirmation from a malware specialist before I continue on with the process. Since the viruses were never quarantined. Also sorry about spelling errors, I'm using Opera since Firefox won't install and IE is broken. Also it's 3:16 am and I am very tired.

    Edit2:
    Just in case it's needed here's the system properties:

    System:
       Microsoft Windows XP
       Home Edition
       Version 2002
       Service Pack 3

    Registered to:
       Scott

    Dell Dimension DIM2400 Intel(R)
    Celeron(R) CPU 2.40 GHz
    2.39 GHz, 512 MB of RAM

    The warranty ran out 2-3 years ago.


    Edit: Something odd happened when I came back to my computer after leaving it idle.
    The only open window I had when I left was this website viewed on Opera... but for some reason internet explorer opened itself up, opened a new tab and went to:
    http://www.serveadsready.com/banners/serveadsready/tag300x250.html

    I assume this is due to the malware in some way..

    [attachment deleted by admin]
    « Last Edit: January 19, 2009, 05:20:20 PM by sjn2009 »

    sjn2009

      Re: Fatal System Error when trying to rid malware
      « Reply #1 on: January 19, 2009, 04:19:16 PM »
      I'm having more and more problems lately, and most of them didn't start until after I scanned my computer with SAS. How can I reformat this Dell back to factory default?

      evilfantasy

      • Malware Removal Specialist
      • Moderator


      • Genius
      • Calm like a bomb
      • Thanked: 493
      • Experience: Experienced
      • OS: Windows 11
      Re: Help! Fatal System Error when trying to rid malware
      « Reply #2 on: January 19, 2009, 06:07:35 PM »
      You have a lot of pretty nasty malware and it's probably crashing your computer when the scanner was trying to remove it. Some malware "fights back".

      Can you post the 2 RSIT logs please? Depending on how it looks we may be able to get the rest of it pretty easily.

      Download random's system information tool (RSIT) by random/random from and save it to your Desktop.

      • Double click on RSIT.exe to run.
      • Click Continue at the disclaimer screen.
      • Once it has finished, two logs will open.
      • log.txt will be maximized and info.txt will be minimized.
      • Please post the contents of both logs in the next reply.

      sjn2009

        Re: Help! Fatal System Error when trying to rid malware
        « Reply #3 on: January 19, 2009, 06:13:23 PM »
        I get a pop up from HiJack This saying:
        Out of Memory

        and the only option is to press ok...

        Ugh anyways they finished, here's the logs:

        [attachment deleted by admin]

        evilfantasy

        Re: Help! Fatal System Error when trying to rid malware
        « Reply #4 on: January 19, 2009, 06:18:37 PM »
        The (0x00000000 0x00000000) is often a hardware issue. Have you added any new or had any problems with memory or other hardware recently?

        Looking at the logs, BRB.

        evilfantasy

        Re: Help! Fatal System Error when trying to rid malware
        « Reply #5 on: January 19, 2009, 06:22:33 PM »
        If your antivirus tries to block this then please allow it to run.

        Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

        Link #1
        Link #2

        **Note:  It is important that it is saved directly to your Desktop

        Close any open Web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.

        Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
         
        Double click combofix.exe & follow the prompts.

        For Windows XP Systems install the Recovery Console:

        - If you are using Windows XP and do not already have the Recovery Console installed, please ensure your Internet connection is active (if possible) and click Yes.
        - If for some reason your Internet is not working click No.
        - If you are not using Windows XP, you will not be prompted.
        - When prompted to accept the EULA click OK.
        - Accept Microsoft's EULA (Click Yes).
        - When you are told that the RC is installed correctly click YES to continue scanning for malware.

        When finished ComboFix will produce a log for you.
        Post the ComboFix log and a new HijackThis log in your next reply.

        Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

        Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

        sjn2009

          Re: Help! Fatal System Error when trying to rid malware
          « Reply #6 on: January 19, 2009, 07:34:14 PM »
          Well here are the logs you asked for.

          [attachment deleted by admin]

          evilfantasy

          Re: Help! Fatal System Error when trying to rid malware
          « Reply #7 on: January 19, 2009, 08:41:05 PM »
          Open HijackThis and select Do a system scan only.

          Place a check mark next to the following entries: (if there)

          - O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZJ

          Important: Close all open windows except for HijackThis and then click Fix checked.

          Once completed, exit HijackThis.

          ----------

          Download OTMoveIt3 by OldTimer.

          Note: If you are running on Vista, right-click on OTMoveIt3.exe and choose Run As Administrator.

          * Save it to your Desktop.
          * Double-click OTMoveIt3.exe to run it.
          * Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

          Code:
          :Processes
          explorer.exe

          :files
          c:\windows\SYSTEM32\qknrxguf.ini
          c:\windows\SYSTEM32\ntnkcamu.ini
          c:\temp\MTGOInstall

          :Commands
          [purity]
          [emptytemp]
          [start explorer]
          [Reboot]

          * Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
          * Click the red Moveit! button.
          * Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
          * Close OTMoveIt3.

          Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.

          ---

          Let me know how the computer is running now.


          sjn2009

            Re: Help! Fatal System Error when trying to rid malware
            « Reply #8 on: January 19, 2009, 09:30:18 PM »
            ========== PROCESSES ==========
            Process explorer.exe killed successfully.
            ========== FILES ==========
            c:\windows\SYSTEM32\qknrxguf.ini moved successfully.
            c:\windows\SYSTEM32\ntnkcamu.ini moved successfully.
            c:\temp\MTGOInstall moved successfully.
            ========== COMMANDS ==========
            User's Temp folder emptied.
            User's Temporary Internet Files folder emptied.
            User's Internet Explorer cache folder emptied.
            Local Service Temp folder emptied.
            File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT scheduled to be deleted on reboot.
            Local Service Temporary Internet Files folder emptied.
            File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_578.dat scheduled to be deleted on reboot.
            Windows Temp folder emptied.
            Java cache emptied.
            FireFox cache emptied.
            Opera cache emptied.
            Temp folders emptied.
            Explorer started successfully
             
            OTMoveIt3 by OldTimer - Version 1.0.8.0 log created on 01192009_222941
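
A pasted results log like the one above can be checked against the fix script mechanically, so that an item the tool silently skipped is not missed. The Python below is an added example, not part of the thread or of OTMoveIt3; it assumes only the line formats visible in Replies #7 and #8, and the function names (`parse_script`, `audit`) are hypothetical.

```python
import re

# Fix script as posted in Reply #7 (copied from the thread).
FIX_SCRIPT = r"""
:Processes
explorer.exe

:files
c:\windows\SYSTEM32\qknrxguf.ini
c:\windows\SYSTEM32\ntnkcamu.ini
c:\temp\MTGOInstall

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
"""

# Excerpt of the results log as posted in Reply #8 (copied from the thread).
RESULTS_LOG = r"""
========== PROCESSES ==========
Process explorer.exe killed successfully.
========== FILES ==========
c:\windows\SYSTEM32\qknrxguf.ini moved successfully.
c:\windows\SYSTEM32\ntnkcamu.ini moved successfully.
c:\temp\MTGOInstall moved successfully.
========== COMMANDS ==========
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_578.dat scheduled to be deleted on reboot.
Explorer started successfully
"""

# Line formats assumed from the log above, nothing more.
MOVED = re.compile(r"^(.+) moved successfully\.$")
KILLED = re.compile(r"^Process (.+) killed successfully\.$")
PENDING = re.compile(r"^File delete failed\. (.+) scheduled to be deleted on reboot\.$")


def norm(name):
    """Windows paths and image names compare case-insensitively."""
    return name.strip().lower()


def parse_script(text):
    """Return {section: [entries]} for a ':section' style fix script."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line.startswith(":"):
            current = line[1:].lower()
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def audit(script_text, log_text):
    """Compare what the script requested with what the log confirms."""
    script = parse_script(script_text)
    moved, killed, pending = set(), set(), []
    for line in (l.strip() for l in log_text.splitlines()):
        if m := PENDING.match(line):
            pending.append(m.group(1))      # locked file, removed at next boot
        elif m := KILLED.match(line):
            killed.add(norm(m.group(1)))
        elif m := MOVED.match(line):
            moved.add(norm(m.group(1)))
    files = script.get("files", [])
    procs = script.get("processes", [])
    return {
        "files_not_confirmed": [f for f in files if norm(f) not in moved],
        "processes_not_confirmed": [p for p in procs if norm(p) not in killed],
        "unrequested_moves": sorted(moved - {norm(f) for f in files}),
        "pending_reboot": pending,
    }


if __name__ == "__main__":
    for key, value in audit(FIX_SCRIPT, RESULTS_LOG).items():
        print(f"{key}: {value}")
```

Entries under `pending_reboot` are only gone after the restart, so they are worth re-checking in a later scan log.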

            evilfantasy

            Re: Help! Fatal System Error when trying to rid malware
            « Reply #9 on: January 19, 2009, 09:31:03 PM »
            How is the computer running now?

            sjn2009

              Re: Help! Fatal System Error when trying to rid malware
              « Reply #10 on: January 19, 2009, 09:46:20 PM »
              It's running ok from what I can tell, and the desktop is finally showing again instead of that annoying white screen.

              evilfantasy

              Re: Help! Fatal System Error when trying to rid malware
              « Reply #11 on: January 19, 2009, 09:49:38 PM »
                • Click START then RUN
                • Now type Combofix /u in the runbox
                • Make sure there's a space between Combofix and /u
                • Then hit Enter.
                The above procedure will:
                • Delete the following: ComboFix and its associated files and folders.
                • Reset the clock settings.
                • Hide file extensions, if required.
                • Hide System/Hidden files, if required.
                • Set a new, clean Restore Point.
                ----------

              Download ATF Cleaner by Atribune to your Desktop.

              Alternate download link

              Note: Vista users must use Run As Administrator
              • Under Main: Select Files to Delete choose: Select All.
              • Click the Empty Selected button.
              • If you use Firefox browser click Firefox at the top and choose: Select All
              • Click the Empty Selected button.
                If you would like to keep your saved passwords click No at the prompt.
              • If you use Opera browser click Opera at the top and choose: Select All
              • Click the Empty Selected button.
                If you would like to keep your saved passwords click No at the prompt.
              • Click Exit on the Main menu to close the program.
              Note that your system will run slower for a reboot or two after having used this tool so don't panic.

              ----------

              Download OTCleanIt.exe and save it to your Desktop.
              • Double-click OTCleanIt.exe.
              • Click the CleanUp! button.
              • Select Yes when the "Begin cleanup Process?" prompt appears.
              • If you are prompted to Reboot during the cleanup, select Yes.
              • The tool will delete itself once it finishes, if not delete it yourself.
              Important: Restart the computer before continuing.

              ----------

              Run the Kaspersky Online Scanner

              In Microsoft Windows Vista, you must open the Web browser using the Run as Administrator command. From the Desktop right click the icon to open the browser and choose Run as Administrator.

              • Click on SCAN NOW
              • Click Accept.
              • The program will then begin downloading the latest definition files.
              • Once the files have been downloaded locate the Scan Settings and have it scan My Computer.
              • The scan will take a while, so be patient and let it finish.
              When the scan is done, in the Scan is complete window, any infection is displayed.
              There is no option to clean/disinfect, however, we need to analyze the information on the report.

              To obtain the report:
              Click on: Save Report As
              • Next, in the Save as prompt, Save in area, select: Desktop.
              • In the File name area use KScan, or something similar.
              • In Save as type: click the drop arrow and select: Text file [*.txt]
              • Then, click: Save


              Copy and paste the Kaspersky Online Scanner Report in your next reply.

              Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

              sjn2009

                Re: Help! Fatal System Error when trying to rid malware
                « Reply #12 on: January 20, 2009, 12:42:12 PM »
                Here's the log

                [attachment deleted by admin]

                evilfantasy

                Re: Help! Fatal System Error when trying to rid malware
                « Reply #13 on: January 20, 2009, 01:35:36 PM »
                Looks good :)

                Use the Secunia Software Inspector to check for out of date software.
                • Click Start Now
                • Check the box next to Enable thorough system inspection.
                • Click Start
                • Allow the scan to finish and scroll down to see if any updates are needed.
                • Update anything listed.
                ----------

                Go to Microsoft Windows Update and get all critical updates.

                ----------

                Here are some great FREE tools to help you keep from getting infected again. These tools use little or no resources so won't slow down your PC.

                Concerned about Browser Security? Consider using Mozilla Firefox. With more than 15,000 improvements, Firefox 3 is faster, safer and smarter than ever before.

                For Internet Explorer 7 users there is IE7Pro. IE7Pro is a must have add-on for Internet Explorer, which includes a lot of features and tweaks to make your IE friendlier, more useful, more secure and customizable.

                To prevent unknown applications from being installed on your computer install WinPatrol 2008
                * Using Winpatrol to protect your computer from malicious software

                I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

                SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
                * Using SpywareBlaster to protect your computer from Spyware and Malware
                * If you don't know what ActiveX controls are, see here

                Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

                Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

                sjn2009

                  Re: Help! Fatal System Error when trying to rid malware
                  « Reply #14 on: January 20, 2009, 11:51:21 PM »
                  I was scanning with http://secunia.com and tried to update everything it suggested me to. All worked except for these:
                  Quote
                  Microsoft Internet Explorer 7.x   7.0.6000.16762   
                     
                  This installation of Microsoft Internet Explorer 7.x is insecure and potentially exposes your system to security threats!

                  Your system does not have all security related patches from Microsoft installed. Please see list below for details about the missing patches.

                  Update Instructions:
                  Download via Microsoft Windows Update.

                  Missing KB Articles:
                  KB958215

                  Installed on Your System in:
                  C:\Program Files\Internet Explorer\IEXPLORE.EXE

                  Quote
                  Macromedia Flash Player 6.x   6.0.79.0   
                     
                  This installation of Macromedia Flash Player 6.x is insecure and potentially exposes your system to security threats!

                  The detected version installed on your system is 6.0.79.0, however, the latest patched version released by the vendor, fixing one or more vulnerabilities, is 6.0.88.0.

                  Update Instructions:
                  Apply updates.

                  Flash Player 9.0.45.0 and earlier (update to version 9.0.47.0):
                  http://www.adobe.com/go/getflash

                  Flash Player 9.0.45.0 and earlier - network distribution (update to version 9.0.47.0):
                  http://www.adobe.com/licensing/distribution

                  Flash CS3 Professional (update to version 9.0.47.0):
                  http://www.adobe.com/support/flashplayer/downloads.html

                  Flash Professional 8, Flash Basic (update to version 8.0.35.0):
                  http://www.adobe.com/support/flashplayer/downloads.html

                  Flex 2.0 (update to version 9.0.47.0):
                  http://www.stage.adobe.com/support/flashplayer/downloads.html#fp9

                  Flash Player version 7.0.70.0 for Linux and Solaris reportedly fixes vulnerability #2 for Opera and Konqueror browsers.


                  Installed on Your System in:
                  C:\WINDOWS\SYSTEM32\Macromed\Flash\flash.ocx

                  Quote
                  Adobe Flash Player 9.x   9.0.45.0   
                     
                  This installation of Adobe Flash Player 9.x is insecure and potentially exposes your system to security threats!

                  The detected version installed on your system is 9.0.45.0, however, the latest patched version released by the vendor, fixing one or more vulnerabilities, is 9.0.151.0.

                  Update Instructions:
                  Download


                  Installed on Your System in:
                  C:\WINDOWS\SYSTEM32\NPSWF32.dll

                  Quote
                  Macromedia Flash Player 5.x   5.0.42.0   
                     
                  This installation of Macromedia Flash Player 5.x is insecure and potentially exposes your system to security threats!

                  The detected version installed on your system is 5.0.42.0, however, the latest patched version released by the vendor, fixing one or more vulnerabilities, is 9.0.151.0.

                  Update Instructions:
                  Download


                  Installed on Your System in:
                  C:\I386\SWFLASH.OCX

                  Quote
                  Macromedia Flash Player 6.x   6.0.80.0   
                     
                  This installation of Macromedia Flash Player 6.x is insecure and potentially exposes your system to security threats!

                  The detected version installed on your system is 6.0.80.0, however, the latest patched version released by the vendor, fixing one or more vulnerabilities, is 6.0.88.0.

                  Update Instructions:
                  Apply updates.

                  Flash Player 9.0.45.0 and earlier (update to version 9.0.47.0):
                  http://www.adobe.com/go/getflash

                  Flash Player 9.0.45.0 and earlier - network distribution (update to version 9.0.47.0):
                  http://www.adobe.com/licensing/distribution

                  Flash CS3 Professional (update to version 9.0.47.0):
                  http://www.adobe.com/support/flashplayer/downloads.html

                  Flash Professional 8, Flash Basic (update to version 8.0.35.0):
                  http://www.adobe.com/support/flashplayer/downloads.html

                  Flex 2.0 (update to version 9.0.47.0):
                  http://www.stage.adobe.com/support/flashplayer/downloads.html#fp9

                  Flash Player version 7.0.70.0 for Linux and Solaris reportedly fixes vulnerability #2 for Opera and Konqueror browsers.


                  Installed on Your System in:
                  C:\Documents and Settings\All Users\Application Data\AOL Downloads\kw_setupSTUS\comps\aol\flasha.ocx

                  Quote
                  Macromedia Flash Player 6.x   6.0.80.0   
                     
                  This installation of Macromedia Flash Player 6.x is insecure and potentially exposes your system to security threats!

                  The detected version installed on your system is 6.0.80.0, however, the latest patched version released by the vendor, fixing one or more vulnerabilities, is 6.0.88.0.

                  Update Instructions:
                  Apply updates.

                  Flash Player 9.0.45.0 and earlier (update to version 9.0.47.0):
                  http://www.adobe.com/go/getflash

                  Flash Player 9.0.45.0 and earlier - network distribution (update to version 9.0.47.0):
                  http://www.adobe.com/licensing/distribution

                  Flash CS3 Professional (update to version 9.0.47.0):
                  http://www.adobe.com/support/flashplayer/downloads.html

                  Flash Professional 8, Flash Basic (update to version 8.0.35.0):
                  http://www.adobe.com/support/flashplayer/downloads.html

                  Flex 2.0 (update to version 9.0.47.0):
                  http://www.stage.adobe.com/support/flashplayer/downloads.html#fp9

                  Flash Player version 7.0.70.0 for Linux and Solaris reportedly fixes vulnerability #2 for Opera and Konqueror browsers.


                  Installed on Your System in:
                  C:\Program Files\Common Files\AOL\Flasha.ocx

                  Quote
                  Macromedia Flash Player 7.x   7.0.19.0   
                     
                  This installation of Macromedia Flash Player 7.x is insecure and potentially exposes your system to security threats!

                  The detected version installed on your system is 7.0.19.0, however, the latest patched version released by the vendor, fixing one or more vulnerabilities, is 9.0.151.0.

                  Update Instructions:
                  Download


                  Installed on Your System in:
                  C:\I386\Flash.ocx

                  Quote
                  Microsoft Internet Explorer 7.x   7.0.5730.13   
                     
                  This installation of Microsoft Internet Explorer 7.x is insecure and potentially exposes your system to security threats!

                  Your system does not have all security related patches from Microsoft installed. Please see list below for details about the missing patches.

                  Update Instructions:
                  Download via Microsoft Windows Update.

                  Missing KB Articles:
                  KB958215



                  Installed on Your System in:
                  C:\09b60bb240d17280e8e0\iexplore.exe


                  -Every time I downloaded what they tell me nothing happened or in the case of IE it wouldn't download because I'm not using IE... So I opened IE and tried to do that but I get a "connection problem" screen.
                  Any ideas?

                  -I tried to download Firefox, because I'm more comfortable with it than Opera or IE, and I get an error when trying to install. When choosing where I want to make the folder (C:Program etc) I get a popup saying "0"... This is different than the one I got 2 months ago when trying to install it and it said not enough Space available even though I still have 18.7 MB available.

                  -McAfee hasn't worked in 3 years on this computer. It came with AOL when my mom upgraded and it hasn't seemed to do anything other than give us problems. I tried to uninstall it and get her something simpler like AVG but there is no uninstall for it anywhere.

                  -How reliable is AOL Security Center? She doesn't say she has any problems with it but then again she doesn't DO anything with it. She just lets it scan and never updates. It says her safety status is poor because of multiple firewalls and Virus Protection (AOL's) but I can't download the AOL virus protection and it suggests I uninstall Microsoft Firewall which just sounds fishy to me.
                  « Last Edit: January 21, 2009, 12:02:30 AM by sjn2009 »