
Thread: Windows Defender in safe mode??

  1. #1
    Join Date
    Sep 2006
    Posts
    27

    Windows Defender in safe mode??

    Hi again, Guys

    Intoxicated by my success with my own PC last week, I started a much more doubtful project: My teenage son's PC. He has had a lot of problems with popups in the last months and I have been postponing the best I could.. :-)

    I am at Item 8 in the Sticky "Read me before" thread, and I have had a lot of "fun" until now. Now, to my huge surprise, Windows Defender won't start in safe mode. It actually says that it won't start because its service isn't running, but if I try to start this manually, I am told that it (the service) cannot run in safe mode...

    EH? The thread instructs me to run it in safe mode, and I'm quite sure I ran it in safe mode on my own PC last week... What could be wrong?

    Best regards
    /Jornsen

  2. #2
    Join Date
    Sep 2006
    Posts
    27

    Ran Windows Defender in normal mode to get on.
    Finished procedure, still having pop up problems and now also freeze-up problems (started during this clean!?)
    I attach my log from the clean procedure, along with Kaspersky log, AVG log and Hijackthis log. No log feature in Windows Defender... I can make one, if needed...

    Please have a look... :-/

    /Jornsen

  3. #3
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Give me some time to go through your logs and I will get back to you.
    Judy

  4. #4
    Join Date
    Aug 2006
    Posts
    578

    Quote, originally posted by jornsen:
    EH? The thread instructs me to run it in safe mode, and I'm quite sure I ran it in safe mode on my own PC last week... What could be wrong?
    Hi John,

    It should run in Safe Mode . . . . Though, I am embarrassed to say, I hardly ever scan with it. I find the AVG Anti-Spy and Kaspersky Online Scanner to be more than plenty to get started.

    The only reason I still have it in the Sticky Post is so that those people who do not have any "real time" protection will get some (for Free).

    -- I am thinking about adding a Combofix log to the steps. You might want to run that as well....

    Saw a few baddies, but will try to stay out of Judy's hair this time around!

    Cheers
    PP
    Last edited by PhilliePhan; 02-10-2007 at 06:15 PM.

  5. #5
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Saw a few baddies, but will try to stay out of Judy's hair this time around!
    Isn't he a nice guy? Wants to stay out of my hair...

    Ok jornsen, here we go.
    Download LSPFix from http://www.cexx.org/lspfix.htm and Run the Program. Disconnect from the Internet and close all Internet Explorer Windows. Check the "I know what I'm doing" Button and place all listings of rlls.dll into the remove section by clicking on the button that points to the right. When all instances of this dll are in the Remove section, press the Finish button.

    Then Reboot.
    Next go to PP's Sticky
    Download ATF-Cleaner but do not run it yet.
    Run at least two of the online scans in his sticky, making certain that one of them is the Trend-Micro online scan. Fix ANYTHING found by these online scans.

    Disconnect completely from the internet. I mean actually remove the plug from the back of the computer.
    Reboot the computer into SAFE MODE.
    -- Click on ATF-Cleaner to run it
    -- Where it says Select Files To Delete, Check the Select All Option
    -- Click Empty Selected > OK > EXIT

    Please Launch AVG Anti-Spyware.
    -- Click on the Scanner button and choose the Settings Tab.
    ---> Under How to act?, click on Recommended action and choose Quarantine to set default action for detected malware.
    ---> Under Reports make sure Automatically generate report after every scan is selected and UNCHECK the Only if threats were found box.
    -- Leave everything else at their default settings and Select the Scan tab and CLICK Complete System Scan to scan your machine.
    -- Upon completion of the scan, Click Apply all actions to place any detected baddies in Quarantine.
    -- AFTER clicking Apply all actions, Click on Save Report and select Save the report to your Desktop. Please submit this report with your request for assistance!

    Shut Down the computer. Reconnect the internet cable.
    Reboot into NORMAL Mode.
    Run a new HJT scan and save the log. Post it back here with the AVG log.

  6. #6
    Join Date
    Sep 2006
    Posts
    27
    Hi Judy

    I did my very best to follow your instructions, but I am simply not able to run trend housecall on this PC - see part of my log below.
    Ran panda and combofix (Ref: PP) as the two online scanners. see my notes about bitdefender!!??
    Otherwise, I think I followed your instructions.. :-)

    Still experiencing popups etc (now(?) also from http://dk.drivecleaner.com/ - drivecleaner 2006)

    Best regards
    /John


    log: after jholland-post2:
    -----------------------
    LSPFix: oups - forgot to log; the report said zero in the first two categories, 8 and 16 in the next two categories.

    (all scans below and previously have been "full scans")
    trend housecall (java based) - crash - took down browsers with it. Twice (second time, I decided to stay with the computer to see what happened - and got disturbed by my daughter watching kids TV on the laptop... :-)
    trend housecall (ActiveX based): 1) hang right after start. 2) Crash some time during (as above)
    Installed IE 7
    housecall (java based): Crash as above.
    housecall (activeX based): Crash as above.
    Terminated all I could from taskbar (among these mcafee on-access scan), some from tasklist(ipodservice, googletoolbarnotifier, iteneshelerp, versioncucs2tray, guard, frameworkservice)
    housecall (java based): Crash as above.
    Reboot to safe mode with network
    IE cannot start (window flickers)
    Gave up on Trend housecall again.

    PP-Sticky Bitdefender link redirects to http://www.surfsanity.com/v4/ - doesn't look OK... Not used!!
    Downloaded and executed combofix as of advice by PP (http://download.bleepingcomputer.com...combofix.exe):
    Left the PC while it ran, but I guess it didn't reboot as I thought it should (can see from what was started). Log-window had opened. (attached)
    Rebooted myself ("install important updates and shutdown" - installed update 1 of 1!!??)

    Panda ActiveScan:
                               Found   Disinfected
    Virus                      20      19
    Spyware                    15      0
    Hacking tools/rootkits     1       0
    Log attached.

    Tried trend housecall again - system rebooted shortly after actual scan began!!!!!

    after boot, disconnected from internet
    ATF cleaner: OK

    AVG: OK - log attached
    -------------------

  7. #7
    Join Date
    Aug 2006
    Posts
    578

    Hi John,

    Thanks for the heads-up on the BitDefender linky!
    They changed it, and I have updated the link in the sticky.

    Still, you should not have been redirected as you were - perhaps malware? Does the same thing happen with the new link I just put in?


    BTW - I have been helping a friend who has a LinkOptimizer problem and comparing her scanlogs to yours from the other thread. I noticed that I missed having you remove these two entries with ADS Spy (hjt):

    C:\Documents and Settings\All Users\Application Data\TEMP : 2A81F9CE (97 bytes)
    C:\Documents and Settings\All Users\Application Data\TEMP : 2A81F9CE (97 bytes)


    No worries, but I am embarrassed to have overlooked them. You can delete them in ADS Spy.


    Anyhoo, those logs for this thread look interesting. You and Judy have some work to do!

    Best
    PP

  8. #8
    Join Date
    Sep 2006
    Posts
    27
    Hi PP

    The BitDefender link works fine now - scanning p.t.... :-)

    I'll remove the two entries from my laptop using HJT ads spy.. Thanks!!

    Quote, originally posted by PhilliePhan:
    those logs for this thread look interesting. You and Judy have some work to do!
    PP
    Interesting... ...nice way to put it.. Yes, I guess we have quite some work to do... still considering just to format and reinstall, but I'm afraid I won't get half of his games to work again.....

    /John

  9. #9
    Join Date
    Sep 2006
    Posts
    27

    Hi Guys

    During bitdefender scan, the PC rebooted.. :-(
    I'll try it again to check if it's consistent, but I guess it is (when you think of my experiences with trend housecall - and Windows Defender)...

    Honestly, do you think we can save this, or should I just give up and reinstall??

    /John

  10. #10
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Oh brother, love it when PP says,

    those logs for this thread look interesting. You and Judy have some work to do!
    Him and his dumb dancing banana!

    Ok, we do have some work to do, but I do think we can get this cleaned out.
    Give me some time to research what we need to do and I will get back to you ASAP.
    One thing you might do is go to C:\Documents and Settings\Tobbe\Cookies\tobbe and delete ALL the cookies in there. Some of these things were found there. I don't really understand why ATF didn't get rid of those but do it manually.
    Judy
    Last edited by jholland1964; 02-12-2007 at 04:51 PM.
