GeekPolice
Security Tools - Blue Screen on Startup
I'm on a Dell Studio 15 running Vista 32 Home.

McAfee gave a warning that it deleted some Trojan. A minute later, a warning popped up saying a virus was stealing my credit card information. Security Tools opened and began scanning my computer. I knew it was a virus and tried to start the task manager to end the process, but nothing happened and the screen went black. I manually crashed it and rebooted. Upon startup, Security Tools began scanning right away. I couldn't start the task manager or find the McAfee icon, which disappeared, before the computer crashed to a blue screen and then shut down. Multiple reboots gave the same result.

I can start Windows in basic Safe Mode. Thanks for any help.

Re: Security Tools - Blue Screen on Startup
Hello, and welcome to GeekPolice.

Please note the following information about the malware forum:
  • Only Tech Officers, Global Moderators, Administrators, and Malware Advisors are allowed to give advice on removing malware from your computer.
  • From this point on, please do not make any more changes to your computer; such as install/uninstall programs, use special fix tools, delete files, edit the registry, etc. - unless advised by the staff I noted above.
  • Please do not ask for help elsewhere (in this site or other sites). Doing so can result in system changes, which may not show up in the logs you post.
  • If you have already asked for help somewhere, please post the link to the topic you were helped.
  • We try our best to reply quickly, but if for any reason we do not reply within two days, do one of two things:

    Reply to this topic with the word BUMP, or
    see this topic.

  • Lastly, keep in mind that we are volunteers, so you do not have to pay for malware removal. Persist in this topic until its close, and your computer is declared clean.





We need to do some diagnostics to get started.

1. Please download and run RKill.

Download mirror 1 - Download mirror 2 - Download mirror 3

  • Save it to your Desktop.
  • Double click the RKill desktop icon.
  • It will quickly run and launch a log. If it does not launch a log, try another download link until it does.
  • Please post its log in your next reply.
  • After it has run successfully, delete RKill.

Note: This tool only kills the active infection, the actual infection will not be gone. Once you reboot the infection will be active again! Please do not reboot until instructed further to do so.

2. Download MBRCheck to your desktop.
  • Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
  • It will show a black screen with some data on it.
  • A report called MBRcheckxxxx.txt will be on your desktop
  • Open this report and post its content in your next reply.


3. Please download Cheetah-Anti-Rogue by me, and save to your Desktop.
  • Double-click on Cheetah-Anti-Rogue.zip, and extract the file to your Desktop.
  • Double-click on Cheetah-Anti-Rogue.cmd to start.
  • It will finish quickly and launch a log.
  • Post the contents of it in your next reply.


4. In your next reply, please post the following logs for my review:
  • MBRCheck log (2)
  • Cheetah log (3)


Thanks!

Re: Security Tools - Blue Screen on Startup
Since Security Tools crashes the computer when I run it normally, I can only operate in Safe Mode.

After the first part of time information, the RKill log reads:

"Processes terminated by Rkill or while it was running:"

And then blank space until it says "RKill completed on".

MBRCheck log says:

\\.\C: --> \\.\PhysicalDrive0
\\.\D: --> \\.\PhysicalDrive0

Size is 232GB
Device Name is \\.\PhysicalDrive0
MBR Status - Dell Inspiron MBR code detected

Cheetah log:

-- Malware removal tools check --
Malwarebytes' Anti-Malware
RKill

-- Known infection --

C:/Users/Kevin/Start Menu/Programs/Security Tool.lnk (SecurityTool.RGE)

Extra message: Detection only.

EOF


Will Security Tools spread through network connections or USB drives? The spyware seems to be blocking my wireless connection, haven't tested wired, and I'm using a USB drive to get the programs on my laptop.


Re: Security Tools - Blue Screen on Startup
Nah. Rogues rarely ever spread.

Scan with Malwarebytes' Anti-Malware

Please open Malwarebytes' Anti-Malware, click the Update tab, and click Check for Updates. Then, click the Scanner tab, select Perform Quick Scan, and press Scan. Remove selected, and post the log in your next reply.




Scan with ComboFix

Note: the following tool is to only be used under the guidance of a malware helper. In the event you already have the tool, please delete the old copy and download a new copy.

Please download ComboFix from BleepingComputer.com

Alternate link: GeeksToGo.com

Alternate link: Forospyware.com (Click the green button on the page to download it).


Rename ComboFix.exe to combo-fix.exe before you save it to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. A guide to do this can be found here.
  • Click Start then copy paste the following command into the search box & hit enter: "%userprofile%\desktop\combo-fix.exe" /killall
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. This will not install in Vista, so it will just continue scanning, and skip the console install.
  • When finished, it shall produce a log for you. Please include the contents of C:\ComboFix.txt in your next reply.





Please include the following logs, along with your new list of symptoms after the scans were run:
  • MBAM log
  • ComboFix log

Re: Security Tools - Blue Screen on Startup
Slight change of plans. I had booted Safe Mode without network connections, so I decided to switch to With Network because my other computer was occupied, and I figured since RKill didn't find anything it wouldn't matter if Security Tools restarted.

I didn't press the Boot Options key in time, and the computer booted normally to the desktop. I quickly opened my flash drive and executed RKill before the Security Tools window could pop up. Here's the log:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Kevin on 07/28/2010 at 16:58:17.


Processes terminated by Rkill or while it was running:


C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Windows\system32\DllHost.exe


Rkill completed on 07/28/2010 at 16:58:34.

-------------

Security Tools has failed to open since and I believe all of my programs are working normally. Just scanned with Malwarebytes and nothing was infected; the same result occurred when I scanned in Safe Mode previously. But I also just received a virus alert from McAfee saying it deleted a Trojan named SXUeKSmyTA.exe detected as FakeAlert-SpyPro.gen.p in my Local Temp folder. This is similar to the alert message that popped up minutes before Security Tools opened.

Cheetah is also still detecting the virus in the same location as before.

Re: Security Tools - Blue Screen on Startup
Can you do ComboFix, at least?

Re: Security Tools - Blue Screen on Startup
It's currently running right now. I started it, it said it detected CD-emulating devices and restarted the computer. It created a Restore Point, scanned for infections, said it found a rootkit and restarted again, and now it's scanning again.

I was about to post, before I ran Combofix, that I was randomly getting directed to ad websites on Google and Malwarebytes didn't let me update because of error 723, which means a driver didn't start.

Re: Security Tools - Blue Screen on Startup
Here's the Combofix log, although it started scanning before I could input the line of text you instructed me to. Also, after Combofix, I don't think Google is redirecting me to ad sites.

ComboFix 10-07-27.05 - Kevin 07/28/2010 17:46:52.1.2 - x86
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3066.1984 [GMT -4]
Running from: c:\users\Kevin\Downloads\ComboFix.exe
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\users\Kevin\AppData\Local\{9440F592-44F8-40B0-BC06-3B83005CB91B}
c:\users\Kevin\AppData\Local\{9440F592-44F8-40B0-BC06-3B83005CB91B}\chrome.manifest
c:\users\Kevin\AppData\Local\{9440F592-44F8-40B0-BC06-3B83005CB91B}\chrome\content\_cfg.js
c:\users\Kevin\AppData\Local\{9440F592-44F8-40B0-BC06-3B83005CB91B}\chrome\content\overlay.xul
c:\users\Kevin\AppData\Local\{9440F592-44F8-40B0-BC06-3B83005CB91B}\install.rdf
c:\users\Kevin\AppData\Local\111164805.exe
c:\users\Kevin\AppData\Local\apunorapu.dll
c:\users\Kevin\AppData\Local\sdteutwl.dll
c:\users\Kevin\AppData\Roaming\.#
c:\users\Kevin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Security Tool.lnk
c:\windows\system32\st326162.dll

Infected copy of c:\windows\system32\drivers\kbdclass.sys was found and disinfected
Restored copy from - Kitty had a snack :p
.
((((((((((((((((((((((((( Files Created from 2010-06-28 to 2010-07-28 )))))))))))))))))))))))))))))))
.

2010-07-28 21:56 . 2010-07-28 21:57 -------- d-----w- c:\users\Kevin\AppData\Local\temp
2010-07-28 21:56 . 2010-07-28 21:56 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-07-27 21:47 . 2010-07-27 21:47 -------- d--h--w- c:\windows\PIF
2010-07-27 02:25 . 2010-07-28 21:46 -------- d-----w- C:\QUARANTINE
2010-07-27 02:25 . 2010-07-27 02:25 -------- d-----w- c:\users\Kevin\AppData\Local\awotldiij
2010-07-17 22:32 . 2010-07-17 22:32 -------- d-----w- c:\programdata\ATI
2010-07-17 22:17 . 2010-07-17 22:17 -------- d-----w- c:\program files\ATI
2010-07-17 22:16 . 2010-07-17 22:16 -------- d-----w- C:\ATI
2010-07-17 22:15 . 2010-07-17 22:15 -------- d-----w- C:\AMD
2010-07-17 16:46 . 2010-07-17 16:47 -------- d-----w- c:\program files\QuickTime
2010-07-13 01:56 . 2010-07-13 01:56 -------- d-----w- c:\users\Kevin\AppData\Roaming\SmartDraw
2010-07-13 01:50 . 2010-07-13 01:50 -------- d-----w- C:\DESI-III
2010-07-13 01:30 . 2010-07-13 01:30 -------- d-----w- c:\programdata\Cadsoft
2010-07-12 02:54 . 2010-07-06 17:58 1328504 ----a-w- c:\users\Kevin\AppData\Roaming\Mozilla\Firefox\Profiles\o8o452vk.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\BFHUpdater.exe
2010-07-12 02:54 . 2010-07-06 17:58 724992 ----a-w- c:\users\Kevin\AppData\Roaming\Mozilla\Firefox\Profiles\o8o452vk.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
2010-07-02 23:52 . 2010-07-02 23:52 -------- d-----w- c:\users\Kevin\AppData\Roaming\vlc
2010-07-02 23:50 . 2010-07-02 23:50 -------- d-----w- c:\program files\VideoLAN
2010-07-02 23:50 . 2010-07-02 23:50 -------- d-----w- c:\users\Kevin\AppData\Local\WeatherBug
2010-07-02 23:50 . 2010-07-02 23:50 -------- d-----w- c:\users\Kevin\AppData\Roaming\WeatherBug
2010-07-02 23:50 . 2010-07-02 23:50 -------- d-----w- c:\program files\Atrinsic
2010-07-02 23:50 . 2010-07-02 23:50 18944 ----a-r- c:\users\Kevin\AppData\Roaming\Microsoft\Installer\{8F018A9E-56DE-4A79-A5EF-25F413F1D538}\IconBB6A16301.exe
2010-07-02 23:49 . 2010-07-02 23:49 12800 ----a-w- c:\users\Kevin\AppData\Roaming\Mozilla\Firefox\Profiles\o8o452vk.default\extensions\toolbar@alot.com\components\AlotXpcom.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-07-28 20:58 . 2009-08-21 13:56 -------- d-----w- c:\program files\Steam
2010-07-21 02:14 . 2009-07-15 21:10 138184 ----a-w- c:\windows\system32\drivers\PnkBstrK.sys
2010-07-21 02:13 . 2009-07-15 21:09 215016 ----a-w- c:\windows\system32\PnkBstrB.exe
2010-07-17 22:30 . 2009-07-07 20:36 -------- d-----w- c:\program files\ATI Technologies
2010-07-14 02:26 . 2009-07-07 20:36 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-07-14 02:24 . 2009-07-07 20:41 -------- d-----w- c:\program files\Common Files\Roxio Shared
2010-07-14 02:20 . 2010-03-15 21:48 -------- d-----w- c:\program files\Xming
2010-07-14 02:20 . 2009-07-07 20:58 -------- d-----w- c:\program files\CyberLink
2010-07-14 02:20 . 2009-07-25 02:29 -------- d-----w- c:\programdata\CyberLink
2010-07-14 02:19 . 2010-01-04 01:30 -------- d-----w- c:\program files\G4FON Software
2010-07-14 02:15 . 2009-12-14 21:15 -------- d-----w- c:\program files\Bonjour
2010-06-25 17:13 . 2010-06-25 01:35 -------- d-----w- c:\program files\Microsoft Games for Windows - LIVE
2010-06-25 15:57 . 2009-09-08 02:47 -------- d-----w- c:\program files\Student Backup
2010-06-25 02:24 . 2010-02-20 18:02 -------- d-----w- c:\program files\Electronic Arts
2010-06-25 01:37 . 2010-06-25 01:37 -------- d-----w- c:\programdata\Codemasters
2010-06-24 23:31 . 2010-06-24 23:31 445016 ----a-w- c:\windows\system32\wrap_oal.dll
2010-06-24 23:31 . 2010-06-24 23:31 109144 ----a-w- c:\windows\system32\OpenAL32.dll
2010-06-24 23:31 . 2010-06-24 23:31 -------- d-----w- c:\program files\OpenAL
2010-06-24 22:44 . 2009-11-25 22:35 -------- d-----w- c:\program files\SystemRequirementsLab
2010-06-24 22:44 . 2010-06-24 22:44 85504 ----a-w- c:\users\Kevin\AppData\Roaming\SystemRequirementsLab\srlproxy_cyri_4.1.71.0A.dll
2010-06-24 22:44 . 2009-11-25 22:35 -------- d-----w- c:\users\Kevin\AppData\Roaming\SystemRequirementsLab
2010-06-13 18:21 . 2010-03-21 18:54 -------- d-----w- c:\users\Kevin\AppData\Roaming\Skype
2010-06-13 17:59 . 2009-10-11 20:42 -------- d-----w- c:\users\Kevin\AppData\Roaming\skypePM
2010-06-12 13:10 . 2010-03-11 19:01 -------- d-----w- c:\program files\Starcraft
2010-06-11 01:23 . 2009-07-07 21:05 -------- d-----w- c:\programdata\McAfee
2010-06-11 01:23 . 2010-06-11 01:23 -------- d-----w- c:\program files\Common Files\McAfee
2010-06-11 01:23 . 2010-06-11 01:22 -------- d-----w- c:\program files\McAfee
2010-06-11 01:22 . 2010-06-11 01:22 -------- d-----w- c:\program files\Common Files\Cisco Systems
2010-05-27 17:38 . 2010-05-27 17:38 5586432 ----a-w- c:\windows\system32\drivers\atikmdag.sys
2010-05-27 17:05 . 2010-05-27 17:05 15180800 ----a-w- c:\windows\system32\atioglxx.dll
2010-05-27 17:02 . 2010-05-27 17:02 143360 ----a-w- c:\windows\system32\atiapfxx.exe
2010-05-27 17:02 . 2010-05-27 17:02 511488 ----a-w- c:\windows\system32\aticfx32.dll
2010-05-27 17:00 . 2010-05-27 17:00 446464 ----a-w- c:\windows\system32\ATIDEMGX.dll
2010-05-27 16:59 . 2010-05-27 16:59 376832 ----a-w- c:\windows\system32\atieclxx.exe
2010-05-27 16:59 . 2010-05-27 16:59 176128 ----a-w- c:\windows\system32\atiesrxx.exe
2010-05-27 16:58 . 2009-07-07 23:10 159744 ----a-w- c:\windows\system32\atitmmxx.dll
2010-05-27 16:58 . 2009-07-07 23:10 356352 ----a-w- c:\windows\system32\atipdlxx.dll
2010-05-27 16:58 . 2010-05-27 16:58 278528 ----a-w- c:\windows\system32\Oemdspif.dll
2010-05-27 16:58 . 2010-05-27 16:58 11776 ----a-w- c:\windows\system32\atimuixx.dll
2010-05-27 16:57 . 2010-05-27 16:57 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2010-05-27 16:54 . 2010-05-27 16:54 3668480 ----a-w- c:\windows\system32\atidxx32.dll
2010-05-27 16:41 . 2010-05-27 16:41 53248 ----a-w- c:\windows\system32\aticalrt.dll
2010-05-27 16:41 . 2010-05-27 16:41 53248 ----a-w- c:\windows\system32\aticalcl.dll
2010-05-27 16:39 . 2010-05-27 16:39 4096000 ----a-w- c:\windows\system32\aticaldd.dll
2010-05-27 16:37 . 2009-07-07 23:10 3798528 ----a-w- c:\windows\system32\atiumdag.dll
2010-05-27 16:35 . 2010-05-27 16:35 50176 ----a-w- c:\windows\system32\coinst.dll
2010-05-27 16:31 . 2009-07-07 23:10 3025408 ----a-w- c:\windows\system32\atiumdva.dll
2010-05-27 16:25 . 2010-05-27 16:25 237568 ----a-w- c:\windows\system32\atiadlxx.dll
2010-05-27 16:25 . 2010-05-27 16:25 12800 ----a-w- c:\windows\system32\atiglpxx.dll
2010-05-27 16:25 . 2010-05-27 16:25 16896 ----a-w- c:\windows\system32\atigktxx.dll
2010-05-27 16:25 . 2010-05-27 16:25 209920 ----a-w- c:\windows\system32\drivers\atikmpag.sys
2010-05-27 16:24 . 2010-05-27 16:24 30208 ----a-w- c:\windows\system32\atiuxpag.dll
2010-05-27 16:24 . 2010-05-27 16:24 22528 ----a-w- c:\windows\system32\atiu9pag.dll
2010-05-27 16:24 . 2010-05-27 16:24 23040 ----a-w- c:\windows\system32\atitmpxx.dll
2010-05-27 16:24 . 2010-05-27 16:24 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2010-05-27 16:20 . 2010-05-27 16:20 52736 ----a-w- c:\windows\system32\atimpc32.dll
2010-05-27 16:20 . 2010-05-27 16:20 52736 ----a-w- c:\windows\system32\amdpcom32.dll
2010-05-26 17:06 . 2010-06-11 19:42 34304 ----a-w- c:\windows\system32\atmlib.dll
2010-05-26 14:47 . 2010-06-11 19:42 289792 ----a-w- c:\windows\system32\atmfd.dll
2010-05-21 18:14 . 2009-10-03 17:01 221568 ------w- c:\windows\system32\MpSigStub.exe
2010-05-16 14:59 . 2009-10-06 02:15 6836 ----a-w- c:\users\Kevin\AppData\Local\d3d9caps.dat
2010-05-09 22:31 . 2010-05-09 22:31 6459288 ----a-w- c:\programdata\Xfire\124.exe
2010-05-07 19:52 . 2010-05-07 19:52 41872 ----a-w- c:\windows\system32\xfcodec.dll
2010-05-04 19:15 . 2010-06-11 19:42 834048 ----a-w- c:\windows\system32\wininet.dll
2010-05-04 18:37 . 2010-06-11 19:42 78336 ----a-w- c:\windows\system32\ieencode.dll
2010-05-01 14:13 . 2010-06-11 19:42 2037248 ----a-w- c:\windows\system32\win32k.sys
2009-09-01 00:07 . 2010-06-11 01:23 23864 ----a-w- c:\program files\mozilla firefox\components\Scriptff.dll
2009-07-07 23:06 . 2009-04-11 17:43 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"Steam"="c:\program files\steam\steam.exe" [2010-05-07 1238352]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2008-11-30 1422632]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2008-12-21 3810304]
"Dell DataSafe Online"="c:\program files\Dell DataSafe Online\DataSafeOnline.exe" [2009-07-07 1779952]
"dellsupportcenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2009-06-03 206064]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2009-03-19 483428]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-11-12 141600]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\udaterui.exe" [2009-01-16 136512]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2009-09-01 124240]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2010-03-18 421888]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2010-05-27 98304]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\McAfeeEngineService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"VistaSp2"=hex(b):d0,f5,da,33,f3,60,ca,01

R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys [2009-09-01 65448]
R3 MovRVDrv32;MovRVDrv32;c:\windows\system32\DRIVERS\MovRVDrv32.sys [2008-04-17 3768]
R3 PCD5SRVC{3F6A8B78-EC003E00-05040104};PCD5SRVC{3F6A8B78-EC003E00-05040104} - PCDR Kernel Mode Service Helper Driver;c:\progra~1\DELLSU~1\HWDiag\bin\PCD5SRVC.pkms [2008-11-04 22904]
R4 sptd;sptd;c:\windows\system32\Drivers\sptd.sys [2009-08-30 721904]
S2 AESTFilters;Andrea ST Filters Service;c:\windows\System32\DriverStore\FileRepository\stwrt.inf_f6ef8056\aestsrv.exe [2009-03-19 81920]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-05-27 176128]
S2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe [2008-12-18 155648]
S2 McAfeeEngineService;McAfee Engine Service;c:\program files\McAfee\VirusScan Enterprise\engineserver.exe [2009-09-01 21256]
S2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe [2009-09-01 70728]
S3 amdkmdag;amdkmdag;c:\windows\system32\DRIVERS\atikmdag.sys [2010-05-27 5586432]
S3 amdkmdap;amdkmdap;c:\windows\system32\DRIVERS\atikmpag.sys [2010-05-27 209920]
S3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys [2008-10-28 135936]
S3 k57nd60x;Broadcom NetLink (TM) Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\k57nd60x.sys [2008-10-07 212992]
S3 OA008Ufd;Creative Camera OA008 Upper Filter Driver;c:\windows\system32\DRIVERS\OA008Ufd.sys [2009-02-09 133472]
S3 OA008Vid;Creative Camera OA008 Function Driver;c:\windows\system32\DRIVERS\OA008Vid.sys [2009-02-09 271616]

.
Contents of the 'Scheduled Tasks' folder

2010-07-28 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-07-26 02:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com?o=15179&l=dis
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\users\Kevin\AppData\Roaming\Mozilla\Firefox\Profiles\o8o452vk.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.verizon.net/newsroom/portals/newsroom.portal
FF - prefs.js: keyword.URL -
FF - plugin: c:\program files\Google\Google Updater\2.4.1636.7222\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: c:\users\Kevin\AppData\Roaming\Mozilla\Firefox\Profiles\o8o452vk.default\extensions\battlefieldheroespatcher@ea.com\platform\WINNT_x86-msvc\plugins\npBFHUpdater.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("ui.use_native_colors", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.lu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nu", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.nz", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--p1ai", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbayh7gpa", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.tel", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.auth.force-generic-ntlm", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.proxy.type", 5);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.count", 24);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.buffer.cache.size", 4096);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("dom.ipc.plugins.timeoutSecs", 45);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("svg.smil.enabled", false);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("accelerometer.enabled", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref", true);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
c:\program files\Mozilla Firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.name", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("extensions.{972ce4c6-7e08-4474-a285-3208198ce6fd}.description", "chrome://browser/locale/browser.properties");
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("plugins.update.notifyUser", false);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.nptest.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npswf32.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npctrl.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled.npqtplugin.dll", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

URLSearchHooks-{00000000-6E41-4FD3-8538-502F5495E5FC} - c:\program files\Ask.com\GenericAskToolbar.dll
BHO-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
Toolbar-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - c:\program files\Ask.com\GenericAskToolbar.dll
HKCU-Run-DW6 - c:\program files\The Weather Channel FW\Desktop\DesktopWeather.exe
HKCU-Run-Weather - c:\program files\AWS\WeatherBug\Weather.exe
HKCU-Run-rmrqbwcq - c:\users\Kevin\AppData\Local\awotldiij\jcxsxuktssd.exe
HKCU-Run-Hyusuxa - c:\users\Kevin\AppData\Local\sdteutwl.dll
HKLM-Run-Dgezonugi - c:\users\Kevin\AppData\Local\apunorapu.dll
AddRemove-DAEMON Tools Toolbar - c:\program files\DAEMON Tools Toolbar\uninst.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-07-28 17:57
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system.ini 215 bytes

scan completed successfully
hidden files: 1

**************************************************************************

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\PCD5SRVC{3F6A8B78-EC003E00-05040104}]
"ImagePath"="\??\c:\progra~1\DELLSU~1\HWDiag\bin\PCD5SRVC.pkms"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1950126225-3399687971-54713052-1000\Software\SecuROM\License information*]
"datasecu"=hex:d2,92,de,7b,a4,1a,ef,f3,2e,29,85,60,65,32,80,9c,1a,93,93,db,d8,
84,c3,bd,0f,4d,96,97,6c,45,e3,8c,df,18,57,24,3f,47,c7,fe,3b,ac,e1,08,72,9c,\
"rkeysecu"=hex:e6,e0,06,46,9e,be,97,4b,a6,a5,27,17,14,23,92,5e
.
Completion time: 2010-07-28 17:59:54
ComboFix-quarantined-files.txt 2010-07-28 21:59

Pre-Run: 47,698,419,712 bytes free
Post-Run: 47,805,542,400 bytes free

- - End Of File - - 6CAA55E1BB1D78A8A7771F6F23427696
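A defender reading a ComboFix report like the one above usually scans the Run keys and the orphan list for autostart targets that live inside a user profile and carry machine-generated names, as the removed entries here do. The following Python script is an added example; it is not part of the thread and is not ComboFix's own code. It parses a constructed excerpt in ComboFix's format (value names and paths patterned on the log above; the "Rhqpzk" entry and its size are invented), flags such entries, and reports the EnableLUA=0 policy value. The random-name heuristic and the list of user-writable locations are assumptions of the example, not a published rule.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt in the style of ComboFix's "Reg Loading Points" and
# "ORPHANS REMOVED" sections. Names and paths are patterned on the thread's log;
# the "Rhqpzk" value and its size are made up for this example.
SAMPLE_LOG = r'''
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2009-04-11 1233920]
"Steam"="c:\program files\steam\steam.exe" [2010-05-07 1238352]
"Rhqpzk"="c:\users\Kevin\AppData\Local\Temp\SXUeKSmyTA.exe" [2010-07-28 118784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-21 1008184]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

- - - - ORPHANS REMOVED - - - -

HKCU-Run-rmrqbwcq - c:\users\Kevin\AppData\Local\awotldiij\jcxsxuktssd.exe
HKCU-Run-Hyusuxa - c:\users\Kevin\AppData\Local\sdteutwl.dll
HKLM-Run-Dgezonugi - c:\users\Kevin\AppData\Local\apunorapu.dll
HKCU-Run-Weather - c:\program files\AWS\WeatherBug\Weather.exe
'''

KEY_RE = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"')
ORPHAN_RE = re.compile(r'^(?P<hive>HKCU|HKLM)-Run-(?P<name>\S+) - (?P<path>.+)$')
LUA_RE = re.compile(r'^"EnableLUA"=\s*(?P<val>\d+)')

# Assumption of this example: locations a standard user can write to, where
# legitimate autostart targets rarely live.
USER_WRITABLE = ('\\appdata\\local\\', '\\appdata\\roaming\\', '\\temp\\')


@dataclass
class Finding:
    source: str   # section / hive the entry came from
    name: str     # registry value name
    path: str     # autostart target
    reasons: list = field(default_factory=list)


def looks_random(word: str) -> bool:
    """Heuristic (an assumption of this example): letters only, at least six
    long, and either no vowels at all or a run of four or more consonants."""
    w = word.lower()
    if len(w) < 6 or not w.isalpha():
        return False
    vowels = sum(c in 'aeiou' for c in w)
    longest_run = max((len(r) for r in re.findall(r'[^aeiou]+', w)), default=0)
    return vowels == 0 or longest_run >= 4


def assess(source: str, name: str, path: str):
    """Return a Finding for one autostart entry, or None if nothing stands out."""
    low = path.lower()
    reasons = []
    if any(seg in low for seg in USER_WRITABLE):
        reasons.append('target lives in a user-writable location')
    if low.endswith('.dll'):
        reasons.append('Run value points at a DLL rather than an executable')
    filename = low.rsplit('\\', 1)[-1]
    stem = filename.rsplit('.', 1)[0]
    if looks_random(name) or looks_random(stem):
        reasons.append('value or file name looks machine-generated')
    return Finding(source, name, path, reasons) if reasons else None


def audit(log_text: str):
    """Walk a ComboFix-style report; return (findings, uac_disabled)."""
    findings = []
    uac_disabled = False
    in_run_key = False
    for raw in log_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            # Only values under ...\CurrentVersion\Run are autostart entries.
            in_run_key = key.group('key').lower().endswith('\\currentversion\\run')
            continue
        lua = LUA_RE.match(line)
        if lua:
            uac_disabled = lua.group('val') == '0'
            continue
        orphan = ORPHAN_RE.match(line)
        if orphan:
            finding = assess(orphan['hive'] + ' Run (orphan)', orphan['name'], orphan['path'])
        elif in_run_key:
            value = VALUE_RE.match(line)
            finding = assess('Run key', value['name'], value['path']) if value else None
        else:
            finding = None
        if finding:
            findings.append(finding)
    return findings, uac_disabled


if __name__ == '__main__':
    found, no_uac = audit(SAMPLE_LOG)
    for f in found:
        print(f'{f.source}: "{f.name}" -> {f.path}')
        for r in f.reasons:
            print(f'    - {r}')
    if no_uac:
        print('EnableLUA=0: UAC is off, so an administrator account runs fully elevated without prompts')
```

Run it against a saved C:\ComboFix.txt by replacing SAMPLE_LOG with the file's contents; the benign Sidebar, Steam, Windows Defender and WeatherBug entries pass, while the four profile-resident entries are reported with the reason each tripped.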

Re: Security Tools - Blue Screen on Startup
ESET Online Scan

Please run a free online scan with the ESET Online Scanner
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, you may close the window
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

Re: Security Tools - Blue Screen on Startup
Can I run other programs during the scan?

Re: Security Tools - Blue Screen on Startup
ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=2ba74f64a6114c49b665706b888d904e
# end=finished
# remove_checked=true
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2010-07-29 01:19:52
# local_time=2010-07-28 09:19:52 (-0500, Eastern Daylight Time)
# country="United States"
# lang=1033
# osver=6.0.6002 NT Service Pack 2
# compatibility_mode=5892 16776638 100 100 1299486 116965511 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=247777
# found=3
# cleaned=3
# scan_time=8409
C:\Qoobox\Quarantine\C\Users\Kevin\AppData\Local\111164805.exe.vir a variant of Win32/Kryptik.FSA trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Users\Kevin\AppData\Local\apunorapu.dll.vir probably a variant of Win32/Cimag.AX trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Qoobox\Quarantine\C\Users\Kevin\AppData\Local\sdteutwl.dll.vir a variant of Win32/Kryptik.FRZ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C

Re: Security Tools - Blue Screen on Startup
Are there any other symptoms of infection?

Re: Security Tools - Blue Screen on Startup
Everything appears to be normal. I'm guessing it's gone?

Well anyway, thank you very much for all of your help. I came here a few years ago with a virus on my old laptop, which unfortunately was too infected to repair, but you guys were still a great help. Will recommend to anyone I know who has problems.

Re: Security Tools - Blue Screen on Startup
Hiya! Your logs appear to be clean. If there are no more issues, then we shall clean up!

Clean up System Restore

Now, to get you off to a clean start, we will be creating a new Restore Point, then clearing the old ones to make sure you do not get reinfected, in case you need to "restore back."

To manually create a new Restore Point

  • Go to Control Panel and select System and Maintenance
  • Select System
  • On the left select Advanced System Settings and accept the warning if you get one
  • Select System Protection Tab
  • Select Create at the bottom
  • Type in a name, e.g. Clean
  • Select Create
Now we can purge the infected ones
  • Go back to the System and Maintenance page
  • Select Performance Information and Tools
  • On the left select Open Disk Cleanup
  • Select Files from all users and accept the warning if you get one
  • In the drop-down box select your main drive, e.g. C
  • For a few moments the system will make some calculations
  • Select the More Options tab
  • In the System Restore and Shadow Backups select Clean up
  • Select Delete on the pop up
  • Select OK
  • Select Delete

Run OTC to remove our tools

To remove all of the tools we used and the files and folders they created, please do the following:
Please download OTC.exe by OldTimer:
  • Save it to your Desktop.
  • Double click OTC.exe.
  • Click the CleanUp! button.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If any tool, file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.

Purge old temporary files

Please download TFC by OldTimer to your desktop
  • Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

Security Check

Please download Security Check by screen317 from SpywareInfoforum.org or Changelog.fr.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document called checkup.txt should open automatically; please post the contents of that document.

Tell me in your next reply if you have completed these tasks:
  • Cleaned System Restore
  • Ran OTC
  • Ran TFC
  • Ran Security Check

Also, let me know how your computer is running, and don't forget to post the contents of the Security Check log.

Re: Security Tools - Blue Screen on Startup
Computer is still running fine.

Results of screen317's Security Check version 0.99.4
Windows Vista Service Pack 2 (UAC is disabled!)
Internet Explorer 7 Out of date!
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
ESET Online Scanner v3
McAfee VirusScan Enterprise
McAfee Agent
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java(TM) 6 Update 13
Out of date Java installed!
Adobe Flash Player 10.1.53.64
Adobe Reader 9.3.3
````````````````````````````````
Process Check:
objlist.exe by Laurent

McAfee VirusScan Enterprise engineserver.exe
McAfee VirusScan Enterprise vstskmgr.exe
McAfee VirusScan Enterprise mcshield.exe
McAfee VirusScan Enterprise mfeann.exe
McAfee VirusScan Enterprise shstat.exe
````````````````````````````````
DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

``````````End of Log````````````

Re: Security Tools - Blue Screen on Startup
Java Update!

Please download the newest version of Java from Java.com.

Before installing: it is important to remove older versions of Java since it does not do so automatically and old versions still leave you vulnerable.
Go to the Control Panel and enter Add or Remove Programs (Programs and Features in Vista/7).
Search the list for all previously installed versions of Java (J2SE Runtime Environment). Please uninstall/remove each of them.

Once old versions are gone, please install the newest version.

See this page for more info about malware and prevention.

Any more questions?
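As an added example (not part of the forum post, and not one of the tools the helper names), the following PowerShell snippet lists every Java runtime registered in the Windows uninstall keys, marks all but the newest as leftovers to remove, and reports the UAC setting that the Security Check log flagged. It reads only the standard Uninstall and Policies\System registry keys; the name pattern for Java entries is an assumption based on the display names seen in the log.

```powershell
# Added example, not from the forum post: enumerate installed Java runtimes and
# report the UAC setting, two of the items the Security Check log flagged.
# Registry paths are the standard Windows uninstall and UAC policy keys.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'  # 64-bit Windows only
)

$javaEntries = @()
foreach ($key in $uninstallKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($sub in Get-ChildItem $key) {
        $p = Get-ItemProperty $sub.PSPath
        # Java 6 shows as "Java(TM) 6 Update 13"; older releases as "J2SE Runtime Environment 5.0 ..."
        # (assumed pattern, based on the names in the Security Check log)
        if ($p.DisplayName -match '^(Java|J2SE Runtime Environment)') {
            $javaEntries += New-Object PSObject -Property @{
                Name            = $p.DisplayName
                Version         = $p.DisplayVersion
                UninstallString = $p.UninstallString
            }
        }
    }
}

if ($javaEntries.Count -eq 0) {
    'No Java runtime found in the uninstall registry.'
} else {
    # Sort oldest to newest; only the last entry should stay, the rest are leftovers to uninstall.
    $sorted = @($javaEntries | Sort-Object { if ($_.Version) { [version]$_.Version } else { [version]'0.0' } })
    for ($i = 0; $i -lt $sorted.Count; $i++) {
        $e = $sorted[$i]
        $status = if ($i -eq $sorted.Count - 1) { 'KEEP (newest installed)' } else { 'OLD - uninstall before installing the new version' }
        '{0,-40} {1,-12} {2}' -f $e.Name, $e.Version, $status
    }
}

# UAC is controlled by the EnableLUA value; 0 is what Security Check reports as "UAC is disabled!"
$uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
if ($uac -and $uac.EnableLUA -eq 1) {
    'UAC is enabled.'
} else {
    'UAC is disabled (EnableLUA is not 1); re-enable it under Control Panel > User Accounts.'
}
```

Run it from an elevated PowerShell prompt; the UninstallString column shows the command Programs and Features uses for each old entry.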
