Death spiral -- please help?

Discussion in 'Malware Help (A Specialist Will Reply)' started by globus999, Dec 7, 2010.

  1. globus999

    globus999 Private E-2

    Problem: Issues with a virus/malware?

    System description: Windows 2000 Server, SP4
    Antivirus: McAfee (I think)

    Time line of problems:

    1 - Antivirus detects "Generic dx!tvm" and "Generic dx!upu" Trojans
    2 - Antivirus deletes these files from the Temp folder
    3 - Antivirus keeps detecting / deleting these files
    4 - Advertisements begin to pop up randomly through IE6
    5 - Suspecting malware I run SuperAntivirus
    6 - SAS detects "TrojanAgent/Gen-FrauderX"
    7 - SAS eliminates above trojan
    8 - Antivirus does not detect the trojan any longer
    9 - System seems normal but cannot Copy/Paste or Cut/Paste - Weirdest thing. I can perform all the operations for C/P with the mouse or Ctrl-C/Ctrl-V but there is no effect whatsoever and there is no error message whatsoever. Nothing. Nada. Niente. Like I never tried to C/P.
    9a - Run sfc /purgecache. No changes.
    10 - Begin clean-up procedure for MG.
    11 - Follow all the steps until SAS. Uninstall previous version. Install a fresh one. Log:

    =================================

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 12/06/2010 at 08:27 PM

    Application Version : 4.46.1000

    Core Rules Database Version : 5960
    Trace Rules Database Version: 3772

    Scan type : Complete Scan
    Total Scan Time : 00:49:33

    Memory items scanned : 420
    Memory threats detected : 0
    Registry items scanned : 6614
    Registry threats detected : 6
    File items scanned : 16108
    File threats detected : 3

    Adware.Agent/Gen
    HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\NET
    HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\NET#DisplayName
    HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\NET#DisplayVersion
    HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\NET#UninstallString

    Malware.Trace
    HKU\S-1-5-21-1969449075-496612681-2601104367-500\Software\QNB2EB90WX

    Adware.AdRotator
    HKU\S-1-5-21-1969449075-496612681-2601104367-500\Software\RZDVL2F27W

    Trojan.Agent/Gen-FSG
    G:\DONE2\6 BEST ISO SOFTWARES (ULTRA MAGIC POWER DAEMON TOOLS AND OTHERS)\EXTRA_DRIVE_CREATOR_PRO_6_6\KEYGEN\KEYGEN.EXE

    Trojan.Agent/Gen-SVC[Fake]
    G:\DONE2\TOOLS AND TIPS TO CLEAN COMPUTER (WINDOWS)\TOOLS\CYDE UPDATER.EXE

    Trojan.Agent/Gen-HackPatch
    G:\OUT\NETWORK MAGIC 4.8.8 + PATCH\PATCH.EXE

    ==================

    Note: all the malware in G are *very* unlikely to be related to the problem since my G drive is simply for storage.

    =================

    12 - Install Anti-Malware and run. Log:

    Malwarebytes' Anti-Malware 1.50
    www.malwarebytes.org

    Database version: 5258

    Windows 5.0.2195 Service Pack 4
    Internet Explorer 6.0.2800.1106

    12/6/2010 10:20:44 PM
    mbam-log-2010-12-06 (22-20-44).txt

    Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|)
    Objects scanned: 202960
    Time elapsed: 1 hour(s), 24 minute(s), 52 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 12
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 4

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\TYPELIB (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\10DPP6O2VE (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\INCG9WP8HQ (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\JDK5SWFMZY (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\JP595IR86O (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\OW1T3CYG7T (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\ZE18MW23GY (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\W34BCG2GRJ (Trojan.Fraudpack) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\System\CurrentControlSet\Services\iTunesMusic (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PPDRV (Worm.KoobFace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PPDrv (Worm.KoobFace) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jgyo0w (Trojan.Downloader) -> Value: jgyo0w -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\program files\alcohol 120\alcohol_activator.exe (Trojan.Agent) -> Not selected for removal.
    g:\Done2\bundle of programs that every pc owner should have\Any DVD\any dvd pro + patch + portable [v 3.7.5.]\any dvd converter professional 3.7.5 + patch\any dvd converter professional 3.7.5 + patch\Patch.exe (Trojan.Bancos) -> Quarantined and deleted successfully.
    c:\WINNT\winad\winads.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    c:\WINNT\winad\winadsin.exe (Trojan.Agent) -> Quarantined and deleted successfully.

    ======================

    Note: the alcohol_activator.exe was de-selected since it has been in use for the last 3 years without any issues. I think it was a false positive.

    ======================

    13 - Upon AM reboot, the server BSOD. Error reads: "Unable to read device driver" Error 0xc0000008. It makes reference to SystemRoot/System32/Drivers/vtmini.sys

    14 - Boot into Safe Mode. Same BSOD.
    15 - Boot into Recovery Console. Verify vtmini.sys is there. It is.
    16 - Boot into Emergency Recovery. Check everything. Refresh all files. Same BSOD.
    17 - Download a fresh copy of vtmini.sys and replace through Recovery Console. Same BSOD.

    =====================

    Any ideas would be greatly appreciated.
    I now have a BSOD server. Friggin thing MS crapware!!!
    I can't believe that it is always the same with MS. One starts trying to fix something and it goes from bad to worse to dead.

    Oh, BTW, I did not make any changes to any hardware and to my knowledge all the hardware is OK.

    PS.: there were quite a number of reboots between steps. I just did not mention it because it gets tedious.
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    If you cannot boot in any mode ( safe or normal mode ) and you cannot run any of the READ & RUN ME there is not much we can do for you except suggest what is in the below quote box
     
  3. globus999

    globus999 Private E-2


    :( Err... well.. considering that the BSOD is a direct result of running the READ & RUN ME process, I am a little.... how should I put it? ... underwhelmed?

    But fine, what other choice do I have?
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I doubt that doing the cleaning procedures resulted in the BSOD. If it did, it would be the first time that happened. The worst that could happen is that one of the scans found an infected system file and removed it, resulting in the inability to boot up. But not a BSOD.
     
  5. globus999

    globus999 Private E-2

    Sorry but I have to disagree. The BSOD happened *immediately* following the scan with AM and reboot. Before that event I had scanned/cleaned/rebooted successfully on many occasions. Each time it booted OK but could not Copy/Cut/Paste. MA caused the BSOD. Either that or it is an MS curse. I can see no other logical explanation.

    In any event, it is academic now.... downloading Kaspersky as I type..
     
    Last edited: Dec 7, 2010
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    What did you scan with? AM? What is that?
     
  7. globus999

    globus999 Private E-2

    Malwarebytes' Anti-Malware (aka AM)

    Downloaded from MG's link directly as expressly indicated in the READ & RUN ME.
    I just want to make a point. I follow the process indicated to the letter. I know you guys/gals are here to help and are all volunteers. I have the greatest respect for that. Last thing I want is to waste your valuable time.

    Anyhoo, there may be a lesson here.

    Maybe somebody should go back and check all the READ & RUN ME versions of apps against all the versions of Windowze. I know, it's some work, but, that's the price for Quality Assurance.
     
    Last edited: Dec 7, 2010
  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Ah, you meant MBAM. If you check your log, nothing was removed that would have triggered the BSOD. Do you know what files were reported in the BSOD?

    We have tested and run these scans on every version of Windows without ever having a resultant BSOD.

    I understand you are trying to be helpful, but the scans have been tested. As I stated before, both SAS and MBAM are capable of removing system files ( though that is not the case in your logs ), which can result in a system not booting. I think it is just coincidental that you experienced the BSOD when doing the cleaning procedures.

    Knowing what the BSOD reported would go a long way in helping to solve this issue. ;)
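TimW's advice above is to read the MBAM log and check whether anything removed could plausibly affect booting. The following is an added example (not MajorGeeks' or Malwarebytes' code) that does that triage mechanically: it parses lines in the `item (threat) -> action` shape seen in the log pasted in post #1, flags removed items that are kernel drivers, driver/service registrations under HKLM\SYSTEM, or files in the system directories, and reports whether a given driver name (here the vtmini.sys from the STOP message) appears anywhere in the log. The line format is inferred from the pasted log, the sample below is copied from that log, and the risk rules are heuristics of my own, not Malwarebytes' classification.

```python
"""Triage an MBAM-style scan log: which removed items could affect the next boot?

Added example; the line format is inferred from the log in the thread and the
risk rules are my own heuristics for a human reviewer, not Malwarebytes' own.
"""
import re
from dataclasses import dataclass
from typing import List

# Sample lines copied from the MBAM log pasted in the thread (headers and the
# "(No malicious items detected)" filler are kept to show they are skipped).
SAMPLE_LOG = r"""
Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\TYPELIB (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\10DPP6O2VE (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\INCG9WP8HQ (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\JDK5SWFMZY (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\JP595IR86O (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\OW1T3CYG7T (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ZE18MW23GY (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\W34BCG2GRJ (Trojan.Fraudpack) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\ (Hijack.Zones) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\System\CurrentControlSet\Services\iTunesMusic (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_PPDRV (Worm.KoobFace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PPDrv (Worm.KoobFace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jgyo0w (Trojan.Downloader) -> Value: jgyo0w -> Quarantined and deleted successfully.

Files Infected:
c:\program files\alcohol 120\alcohol_activator.exe (Trojan.Agent) -> Not selected for removal.
g:\Done2\bundle of programs that every pc owner should have\Any DVD\any dvd pro + patch + portable [v 3.7.5.]\any dvd converter professional 3.7.5 + patch\any dvd converter professional 3.7.5 + patch\Patch.exe (Trojan.Bancos) -> Quarantined and deleted successfully.
c:\WINNT\winad\winads.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\WINNT\winad\winadsin.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# A detection line is "<item> (<threat name>) -> <action taken>".
LINE_RE = re.compile(r"^(?P<item>.*) \((?P<threat>[^()]+)\) -> (?P<action>.+)$")


@dataclass
class Detection:
    item: str
    threat: str
    action: str
    removed: bool  # True when the log says the item was quarantined/deleted
    risk: str      # "boot-relevant", "autostart" or "other"


def classify_risk(item: str) -> str:
    """Heuristic: could deleting this item plausibly affect the next boot?"""
    low = item.lower().replace("/", "\\")
    if low.startswith("hkey_"):
        # Real driver/service registrations live only under HKLM\SYSTEM; a
        # "Services" key under HKCU (as in the sample) is a decoy, not a driver.
        if low.startswith("hkey_local_machine\\system\\") and (
            "\\currentcontrolset\\services\\" in low or "\\enum\\root\\legacy_" in low
        ):
            return "boot-relevant"
        if "\\run\\" in low or low.endswith("\\run"):
            return "autostart"  # removal affects logon, not the kernel boot
        return "other"
    # File paths: kernel drivers and anything in the system directories.
    if low.endswith(".sys") or "\\system32\\" in low or "\\drivers\\" in low:
        return "boot-relevant"
    return "other"


def parse_log(text: str) -> List[Detection]:
    """Extract every detection line; headers, counts and filler are skipped."""
    found = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        action = m.group("action")
        found.append(Detection(item=m.group("item"), threat=m.group("threat"),
                               action=action, removed="deleted" in action.lower(),
                               risk=classify_risk(m.group("item"))))
    return found


def removed_boot_relevant(dets: List[Detection]) -> List[Detection]:
    """The short list a reviewer should compare against the driver named in a STOP error."""
    return [d for d in dets if d.removed and d.risk == "boot-relevant"]


def touched(dets: List[Detection], name: str) -> List[Detection]:
    """Every detection whose path mentions `name` (e.g. the driver from the BSOD)."""
    name = name.lower()
    return [d for d in dets if name in d.item.lower()]


if __name__ == "__main__":
    dets = parse_log(SAMPLE_LOG)
    print(f"{len(dets)} detections, {sum(d.removed for d in dets)} removed")
    for d in removed_boot_relevant(dets):
        print("review:", d.item, "|", d.threat)
    print("vtmini.sys mentioned:", bool(touched(dets, "vtmini.sys")))
```

Run against the thread's log, the only removals that touch driver or service registration are the two KoobFace `PPDrv` entries under HKLM\SYSTEM, and `vtmini.sys` is not mentioned anywhere, which is the same conclusion TimW draws by eye. The heuristic deliberately over-flags (a malicious driver key counts as "boot-relevant") so that a human decides whether a removal matters; the HKCU `Services\iTunesMusic` key is classified as "other" because that hive cannot register a real service.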
     
  9. globus999

    globus999 Private E-2


    Coincidence? I guess it's possible. I have seen worse. Sh*t happens.

    Wrt BSOD, info was stated in the original post under item 13 but allow me to give you the full blob:

    =========

    STOP: C000026c {Unable To Load Device Driver}
    SystemRoot/System32/DRIVERS/vtmini.sys device driver could not be loaded
    Error Status was: 0xc0000008

    Followed by the standard useless MS advice.

    =========

    As I pointed out in the first post below, I tried to refresh all the Windoze files and the vtmini.sys without any success.

    As far as I can tell vtmini.sys is a video driver for VIA/S3G. I see no reason why it would not load, or why the VGA driver would not take over, or, for that matter, why vtmini.sys would be crucial even in Safe Mode. Befuddled here :confused
     
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    That is a good question. It was not a driver that either SAS or MBAM removed. You also need to consider that one of your cracks may have been the cause of your infections.

    Are you able to do a repair install? If so, that may fix the error. However, I suggest that you post in the software forum for further assistance in getting your system back up and running.
     
