
Topic: Need to get rid of the Malware again (Outerinfo, Internet speed monitor, etc)


green tea

    Topic Starter


    Intermediate

    Thanked: 1
    Uninstalled about 4 things in Add/Remove and restarted. (When I uninstalled Norton, it asked about the items in quarantine and I hit Enter as well.) After restarting, I ran the Norton Removal Tool.

    Said yes to everything it asked, and then it rebooted. However, after the Windows load screen, the monitor was black again and showed "no signal". PC shut off, and rebooted... so now I'm in safe mode with networking.

    evilfantasy

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Calm like a bomb
    • Thanked: 493
    • Experience: Experienced
    • OS: Windows 11
    Run MalwareBytes again, post the log.

    green tea
      Run MBAM before or after installing Avast?

      evilfantasy
      After. It wouldn't hurt to run a full scan with Avast after posting the MBAM log as well.

      green tea
        Installing AVAST, and then it asked this:

        Do you want to schedule boot-time antivirus scan of local harddrives? Scan will perform after pc restart.

        Should I say yes or no? What does boot-time mean?

        evilfantasy
        Answer no.

        green tea
          Ok thanks. I'm restarting now, and then will do MBAM.
          ....

          Rebooted and was able to go to normal mode. Can I run MBAM in normal mode?
          (sorry for all the questions every single step of the way... and a big thank you for your patience)

          evilfantasy
          Yes, run everything in normal mode unless the instructions say otherwise.

          green tea
            Couldn't do MBAM in normal mode. After logging in to normal mode, I waited several minutes for the regular icons on the tray to load (it usually takes a while). But then when I tried to click startup or the MBAM icon, nothing happened. It was like the desktop was frozen.

            So I shut down the computer and now it's rebooted back to safe mode with networking. I'll run MBAM now, and hopefully this can help bring us back to normal mode (and one that works too).


            green tea
              New MBAM log:

              Malwarebytes' Anti-Malware 1.11
              Database version: 660

              Scan type: Full Scan (C:\|)
              Objects scanned: 109974
              Time elapsed: 47 minute(s), 52 second(s)

              Memory Processes Infected: 0
              Memory Modules Infected: 0
              Registry Keys Infected: 0
              Registry Values Infected: 0
              Registry Data Items Infected: 0
              Folders Infected: 0
              Files Infected: 13

              Memory Processes Infected:
              (No malicious items detected)

              Memory Modules Infected:
              (No malicious items detected)

              Registry Keys Infected:
              (No malicious items detected)

              Registry Values Infected:
              (No malicious items detected)

              Registry Data Items Infected:
              (No malicious items detected)

              Folders Infected:
              (No malicious items detected)

              Files Infected:
              C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0007231.dll (Adware.Bestrevenue) -> Quarantined and deleted successfully.
              C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0007232.exe (Trojan.Insider) -> Quarantined and deleted successfully.
              C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0007233.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
              C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0007234.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
              C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0007235.exe (Trojan.Insider) -> Quarantined and deleted successfully.
              C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0007236.exe (Trojan.Agent) -> Quarantined and deleted successfully.
              C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0007237.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
              C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0007238.exe (Adware.ZeroSearch) -> Quarantined and deleted successfully.
              C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0007239.exe (Adware.ZeroSearch) -> Quarantined and deleted successfully.
              C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0007240.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
              C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0007241.sys (Trojan.Agent) -> Quarantined and deleted successfully.
              C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0007242.exe (Trojan.Agent) -> Quarantined and deleted successfully.
              C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0007243.exe (Adware.ZeroSearch) -> Quarantined and deleted successfully.
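
Every one of the 13 hits in this log sits under C:\System Volume Information\_restore{...}\RP6, that is, inside a System Restore snapshot holding copies of files that earlier passes already removed, not in the live system. That distinction decides the next step (clear old restore points versus chase a live infection), so it is worth pulling out of the log mechanically. The script below is an added example, not something posted in this thread or shipped with Malwarebytes: it parses the MBAM 1.x log layout shown above, checks the summary counts against the items listed, and separates restore-point copies from live detections and from items still pending a reboot. The sample log is constructed: two lines are copied from the log above, the third (example-constructed.dll) is made up, and its "Delete on reboot." action string is assumed from MBAM's wording.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the layout of the MBAM 1.x log above. The first two detections
# are copied from that log; the third is made up to show an item that is not yet removed.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.11
Database version: 660

Scan type: Full Scan (C:\|)
Objects scanned: 109974
Time elapsed: 47 minute(s), 52 second(s)

Memory Processes Infected: 0
Registry Keys Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0007231.dll (Adware.Bestrevenue) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D172B5C7-37F3-42FE-B932-0FBE6EBB1A9E}\RP6\A0007233.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\example-constructed.dll (Trojan.Vundo) -> Delete on reboot.
"""


@dataclass(frozen=True)
class Detection:
    section: str  # e.g. "Files Infected"
    target: str   # file path (or registry key) as printed by MBAM
    threat: str   # detection name, e.g. "Trojan.Downloader"
    action: str   # what MBAM did with the item


_SUMMARY = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
_HEADER = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
_ITEM = re.compile(r"^(?P<target>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+)$")
# System Restore keeps its snapshots under this folder on every volume.
RESTORE_POINT = re.compile(r"^[a-z]:\\system volume information\\_restore\{", re.IGNORECASE)


def parse_mbam_log(text):
    """Return (summary counts per section, list of Detection) from an MBAM 1.x log."""
    counts, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if (m := _SUMMARY.match(line)):
            counts[m["section"]] = int(m["count"])
        elif (m := _HEADER.match(line)):
            section = m["section"]
        elif section and (m := _ITEM.match(line)):
            detections.append(Detection(section, m["target"], m["threat"], m["action"]))
    return counts, detections


def summarize(detections):
    """Group detections the way a responder reads the log: by family, location and action."""
    return {
        "families": Counter(d.threat.split(".")[0] for d in detections),  # Trojan, Adware, ...
        "names": Counter(d.threat for d in detections),
        "in_restore_points": [d.target for d in detections if RESTORE_POINT.match(d.target)],
        "restore_point_only": all(RESTORE_POINT.match(d.target) for d in detections),
        "pending_reboot": [d.target for d in detections
                           if not d.action.startswith("Quarantined and deleted")],
    }


def count_mismatches(counts, detections):
    """Sections whose summary count differs from the items listed (e.g. a truncated paste)."""
    listed = Counter(d.section for d in detections)
    return {s: (n, listed.get(s, 0)) for s, n in counts.items() if n != listed.get(s, 0)}


if __name__ == "__main__":
    counts, detections = parse_mbam_log(SAMPLE_LOG)
    print(summarize(detections))
    print("count mismatches:", count_mismatches(counts, detections))
```

Run against the full log above, `restore_point_only` comes out True and `pending_reboot` empty, which is the reading that matters here: nothing live was found, only snapshot copies.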

              evilfantasy
              Normal mode?

              If so try the F-Secure scan now. If not then run SDFix again.

              green tea
                No, I ran this in safe mode with networking (see above for reason).

                I'll do SDFix again then.

                green tea
                  Able to completely run SDFix this time. It rebooted to normal mode. Upon logging in, the SDFix window appeared and finished the process.


                  SDFix: Version 1.177
                  Run by User on 2008-04-30 at 10:56 PM

                  Microsoft Windows XP [Version 5.1.2600]
                  Running From: C:\SDFix

                  Checking Services :

                  Name :
                  MRV47

                  Path :

                  MRV47 - Deleted



                  Restoring Windows Registry Values
                  Restoring Windows Default Hosts File

                  Rebooting


                  Checking Files :

                  Trojan Files Found:

                  C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat - Contains Links to Malware Sites! - Deleted
                  C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat - Contains Links to Malware Sites! - Deleted
                  C:\Temp\1cb\syscheck.log - Deleted
                  C:\WINDOWS\system32\sockins32.dll  - Deleted
                  C:\WINDOWS\winself.exe  - Deleted
                  C:\WINDOWS\system32\drivers\MRV47.sys - Deleted
                  C:\WINDOWS\system32\drivers\MRV47.sys - Deleted





                  Removing Temp Files

                  ADS Check :
                   


                  Final Check :

                  catchme 0.3.1353.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                  Rootkit scan 2008-04-30 23:03:19
                  Windows 5.1.2600 Service Pack 2 NTFS

                  scanning hidden processes ...

                  scanning hidden services & system hive ...

                  [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
                  "s0"=dword:4ce74f62
                  "s1"=dword:1fb8e70e
                  "s2"=dword:a278c24d

                  scanning hidden registry entries ...

                  scanning hidden files ...

                  scan completed successfully
                  hidden processes: 0
                  hidden services: 0
                  hidden files: 0


                  Remaining Services :




                  Authorized Application Key Export:

                  [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
                  "C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
                  "C:\\Program Files\\BitComet\\BitComet.exe"="C:\\Program Files\\BitComet\\BitComet.exe:*:Enabled:BitComet - a BitTorrent Client"
                  "C:\\Documents and Settings\\User\\Local Settings\\Temp\\WZSE0.TMP\\SymNRT.exe"="C:\\Documents and Settings\\User\\Local Settings\\Temp\\WZSE0.TMP\\SymNRT.exe:*:Disabled:Symantec Removal Utility"

                  [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

                  Remaining Files :


                  File Backups: - C:\SDFix\backups\backups.zip

                  Files with Hidden Attributes :

                  Wed  4 Aug 2004        60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
                  Wed 12 Mar 2003           119 A..HR --- "C:\WINDOWS\system32\NTICDMK32.dll"
                  Tue 26 Mar 2002         1,024 A..HR --- "C:\WINDOWS\system32\ntiembed.dll"
                  Tue 22 Apr 2008       145,920 ..SHR --- "C:\Program Files\BillP Studios\WinPatrol\Setup.exe"
                  Wed  7 Mar 2001       311,296 A..HR --- "C:\WINDOWS\system32\Tools\AC2K.exe"
                  Tue 20 Feb 2001       310,784 A..HR --- "C:\WINDOWS\system32\Tools\AC98.exe"
                  Tue 20 Feb 2001       311,296 A..HR --- "C:\WINDOWS\system32\Tools\ACL98.exe"
                  Tue 20 Feb 2001       311,808 A..HR --- "C:\WINDOWS\system32\Tools\ACLME.exe"
                  Fri 27 Apr 2001       327,168 A..HR --- "C:\WINDOWS\system32\Tools\All.exe"
                  Thu 23 Nov 2000       316,416 A..HR --- "C:\WINDOWS\system32\Tools\AutoClick.exe"
                  Tue 16 Oct 2001       363,008 A..HR --- "C:\WINDOWS\system32\Tools\Change.exe"
                  Wed 10 Apr 2002       547,840 A..HR --- "C:\WINDOWS\system32\Tools\CheckPath.exe"
                  Thu 30 Aug 2001       381,440 A..HR --- "C:\WINDOWS\system32\Tools\Counter.exe"
                  Sun 20 Jan 2002       360,960 A..HR --- "C:\WINDOWS\system32\Tools\DelDv.exe"
                  Mon 19 Mar 2001       532,480 A..HR --- "C:\WINDOWS\system32\Tools\DeleteFiles.exe"
                  Sun 20 Jan 2002       360,960 A..HR --- "C:\WINDOWS\system32\Tools\DelT2.exe"
                  Sun 20 Jan 2002       360,960 A..HR --- "C:\WINDOWS\system32\Tools\DelT2Dv.exe"
                  Wed  6 Mar 2002       360,960 A..HR --- "C:\WINDOWS\system32\Tools\DelTools.exe"
                  Mon 11 Mar 2002       361,472 A..HR --- "C:\WINDOWS\system32\Tools\LostRun.exe"
                  Mon  2 Apr 2001       296,960 A..HR --- "C:\WINDOWS\system32\Tools\RegClean.exe"
                  Thu  7 Mar 2002       369,152 A..HR --- "C:\WINDOWS\system32\Tools\Regexe.exe"
                  Thu  7 Mar 2002       382,464 A..HR --- "C:\WINDOWS\system32\Tools\Restart.exe"
                  Thu  7 Mar 2002       374,784 A..HR --- "C:\WINDOWS\system32\Tools\RunAP.exe"
                  Thu  7 Mar 2002       360,960 A..HR --- "C:\WINDOWS\system32\Tools\RunRegexe.exe"
                  Fri  2 Nov 2001       379,392 A..HR --- "C:\WINDOWS\system32\Tools\SDW98ME.exe"
                  Fri  9 Mar 2001       312,832 A..HR --- "C:\WINDOWS\system32\Tools\SoundDrv.exe"
                  Fri 12 Nov 2004        37,376 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
                  Wed 30 Apr 2008             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ab59ac72525ea90a47679441587835c9\BIT2.tmp"
                  Mon 26 Jun 2006       273,920 ...H. --- "C:\Documents and Settings\User\My Documents\My Works\Career\~WRL0003.tmp"
                  Mon  2 Oct 2006       632,832 ...H. --- "C:\Documents and Settings\User\My Documents\My Works\Career\~WRL0701.tmp"
                  Mon  2 Oct 2006       111,104 ...H. --- "C:\Documents and Settings\User\My Documents\My Works\Career\~WRL1421.tmp"
                  Sun 29 Oct 2006     1,031,680 ...H. --- "C:\Documents and Settings\User\My Documents\My Works\Career\~WRL1530.tmp"
                  Mon  2 Oct 2006       419,840 ...H. --- "C:\Documents and Settings\User\My Documents\My Works\Career\~WRL1910.tmp"
                  Mon  2 Oct 2006       210,432 ...H. --- "C:\Documents and Settings\User\My Documents\My Works\Career\~WRL2468.tmp"
                  Mon  2 Oct 2006       312,832 ...H. --- "C:\Documents and Settings\User\My Documents\My Works\Career\~WRL2915.tmp"
                  Mon  2 Oct 2006        70,144 ...H. --- "C:\Documents and Settings\User\My Documents\My Works\Career\~WRL3288.tmp"
                  Mon  2 Oct 2006       532,992 ...H. --- "C:\Documents and Settings\User\My Documents\My Works\Career\~WRL3469.tmp"

                  Finished!
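
Three parts of this report are worth reading closely: the "Trojan Files Found" entries (what SDFix removed, with MRV47.sys listed twice), the firewall exception export (every program allowed through the XP firewall, one of them pointing into a Temp folder), and the list of files with hidden attributes. The script below is an added example, not part of SDFix or of this thread. It parses those three sections from a constructed excerpt built from lines of the report above, decodes the A/S/H/R flag column, and splits each firewall value on its path:scope:state:name layout (that the display name contains no colon is an assumption, true of every entry in this report).

```python
import re
from dataclasses import dataclass

# Constructed excerpt laid out like the SDFix report above; the lines are taken from
# that report, trimmed to a few per section so the example runs stand-alone.
SAMPLE_REPORT = r"""
Trojan Files Found:

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat - Contains Links to Malware Sites! - Deleted
C:\WINDOWS\system32\sockins32.dll  - Deleted
C:\WINDOWS\system32\drivers\MRV47.sys - Deleted

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Documents and Settings\\User\\Local Settings\\Temp\\WZSE0.TMP\\SymNRT.exe"="C:\\Documents and Settings\\User\\Local Settings\\Temp\\WZSE0.TMP\\SymNRT.exe:*:Disabled:Symantec Removal Utility"

Files with Hidden Attributes :

Wed  4 Aug 2004        60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Tue 22 Apr 2008       145,920 ..SHR --- "C:\Program Files\BillP Studios\WinPatrol\Setup.exe"
Wed 30 Apr 2008             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\ab59ac72525ea90a47679441587835c9\BIT2.tmp"

Finished!
"""

# Letters SDFix prints in the flag column; '.' marks an attribute that is not set.
ATTRIBUTE_NAMES = {"A": "archive", "S": "system", "H": "hidden", "R": "read-only"}


@dataclass
class FirewallException:
    path: str
    scope: str      # "*" means any remote address
    enabled: bool
    name: str


@dataclass
class HiddenFile:
    path: str
    size: int
    attributes: frozenset


_REG_VALUE = re.compile(r'^"(?P<key>[^"]+)"="(?P<value>[^"]+)"$')
_HIDDEN = re.compile(r'^\w{3}\s+\d{1,2}\s+\w{3}\s+\d{4}\s+(?P<size>[\d,]+)\s+'
                     r'(?P<attrs>[A-Z.]{5})\s+---\s+"(?P<path>[^"]+)"$')


def decode_attributes(flags):
    return frozenset(ATTRIBUTE_NAMES[c] for c in flags if c in ATTRIBUTE_NAMES)


def parse_firewall_value(value):
    # The .reg export doubles backslashes; the value itself is path:scope:Enabled|Disabled:name.
    # Splitting from the right keeps the drive colon inside the path (assumes a colon-free name).
    path, scope, state, name = value.replace("\\\\", "\\").rsplit(":", 3)
    return FirewallException(path, scope, state == "Enabled", name)


def parse_sdfix_report(text):
    report = {"trojan_files": [], "firewall_exceptions": [], "hidden_files": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":") and not line.startswith(("[", '"')):
            section = line.rstrip(" :")        # "Files with Hidden Attributes :" -> no trailing " :"
            continue
        if section == "Trojan Files Found":
            # "<path> - <optional note> - <action>"; paths in this report contain no " - ".
            parts = [p.strip() for p in line.split(" - ")]
            report["trojan_files"].append({"path": parts[0], "notes": parts[1:-1], "action": parts[-1]})
        elif section == "Authorized Application Key Export":
            if (m := _REG_VALUE.match(line)):
                report["firewall_exceptions"].append(parse_firewall_value(m["value"]))
        elif section == "Files with Hidden Attributes":
            if (m := _HIDDEN.match(line)):
                size = int(m["size"].replace(",", ""))
                report["hidden_files"].append(HiddenFile(m["path"], size, decode_attributes(m["attrs"])))
    return report


def firewall_exceptions_in_temp(report):
    """Exceptions whose program lives under a Temp folder. Installers and removal tools run
    from there are normally gone afterwards, so the rule outlives the program it allowed."""
    return [e for e in report["firewall_exceptions"] if "\\temp\\" in e.path.lower()]


if __name__ == "__main__":
    parsed = parse_sdfix_report(SAMPLE_REPORT)
    for t in parsed["trojan_files"]:
        print(t["action"], t["path"], t["notes"])
    for e in firewall_exceptions_in_temp(parsed):
        print("temp-folder firewall exception:", e)
```

The temp-folder check is the kind of thing a responder adds on top of the raw report: SymNRT.exe is the Norton Removal Tool the poster ran earlier, its rule is already Disabled, and the stale entry is harmless, but the same lookup would surface an Enabled rule for an unknown program in a Temp folder.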


                  green tea
                    After SDFix was done and the desktop loaded, A LOT of things happened.

                    Report.txt log showed
                    Then the Disk Monitor message popped up: "failure: Create Service, Error_Service_Exists"
                    The page for that Symantec/Norton Removal tool also appeared on its own
                    A couple of "your PC has recovered from a serious error" messages showed up
                    AVAST! On Access Scanner is running (it says 7 providers total, 6 running).
                    avast! virus recovery database is also running.

                    WinPatrol has detected a lot of things trying to install. Help???!!!

                    green tea
                      Should I approve this? Here's what's in the WinPatrol new program alert:

                      C:\Program Files\Alwil Software\Avast4\ashDisp.exe

                      I denied this a couple of times already, since I'm not sure if I should trust it or not. Is this the authentic Avast program?

                      Also, out of the 7 Avast providers, 4 are now running. What does that mean?