Thread: Windows Defender in safe mode??

  1. #1
    Join Date
    Sep 2006
    Posts
    27
    Hi PP

    The BitDefender link works fine now - scanning p.t.... :-)

    I'll remove the two entries from my laptop using HJT ads spy.. Thanks!!

    Quote Originally Posted by PhilliePhan View Post
    those logs for this thread look interesting. You and Judy have some work to do!
    PP
    Interesting... ...nice way to put it.. Yes, I guess we have quite some work to do... still considering just to format and reinstall, but I'm afraid I won't get half of his games to work again.....

    /John

  2. #2
    Join Date
    Sep 2006
    Posts
    27

    Hi Guys

    During bitdefender scan, the PC rebooted.. :-(
    I'll try it again to check if it's consistent, but I guess it is (when you think of my experiences with trend housecall - and Windows Defender)...

    Honestly, do you think we can save this, or should I just give up and reinstall??

    /John

  3. #3
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Oh brother, love it when PP says,

    those logs for this thread look interesting. You and Judy have some work to do!
    Him and his dumb dancing banana!

    Ok, we do have some work to do, but I do think we can get this cleaned out.
    Give me some time to research what we need to do and I will get back to you ASAP.
    One thing you might do is go to C:\Documents and Settings\Tobbe\Cookies\tobbe and delete ALL the cookies in there. Some of these things were found there. I don't really understand why ATF didn't get rid of those but do it manually.
    Judy
    Last edited by jholland1964; 02-12-2007 at 04:51 PM.

  4. #4
    Join Date
    Sep 2006
    Posts
    27
    Quote Originally Posted by jholland1964 View Post
    One thing you might do is go to C:\Documents and Settings\Tobbe\Cookies\tobbe and delete ALL the cookies in there. Some of these things were found there. I don't really understand why ATF didn't get rid of those but do it manually.
    Judy
    Done... Removed all files in C:\Documents and Settings\Tobbe\Cookies (!!) except index.dat. They were all timestamped today, so I guess ATF actually did clean up - they just come back fast...

    BTW, the second bitdefender scan froze the PC up... :-(

    Goodnight!

    Best..
    /John

  5. #5
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Just forget the Bitdefender scan. Will be back later with some steps to follow.

  6. #6
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    Ok jornsen,
    Here we go;
    You will need to update the anti-virus program, update the AVG Anti-spy program.
    Download
    - Pocket KillBox
    Extract to its own folder so it will be easy to find later.

    Go to Start, Control Panel, Add/Remove
    Look for and remove the following IF found;
    funweb
    DriveCleaner
    WebHancer
    Mirar

    IMPORTANT: You should print or save these instructions, so you can refer to them while offline. You must exit all browsers before running the below steps and it would be best if you actually physically unplug your cable to the internet to complete these steps.
    Reboot to SAFE MODE;

    -- Click on ATF-Cleaner to run it
    -- Where it says Select Files To Delete, Check the Select All Option
    -- Click Empty Selected > OK > EXIT

    Next; run the anti-virus program and Fix everything found.

    Now please Launch AVG Anti-Spyware.
    -- Click on the Scanner button and choose the Settings Tab.
    ---> Under How to act?, click on Recommended action and choose Quarantine to set default action for detected malware.
    --->Under Reports make sure Automatically generate report after every scan is selected and UNCHECK the Only if threats were found box.
    -- Leave everything else at their default settings and Select the Scan tab and CLICK Complete System Scan to scan your machine.
    -- Upon completion of the scan, Click Apply all actions to place any detected baddies in Quarantine.
    -- AFTER clicking Apply all actions, Click on Save Report and select Save the report to your Desktop.

    Now, reboot the computer into Normal Mode. But remain UNCONNECTED from the internet;
    First of all you are going to run HiJackThis again and place checkmarks next to the following if still present;
    O2 - BHO: Web Assistant - {04DCB17C-AB45-83AD-A86A-6DFB90277939} - C:\Programmer\PSupport\plibrary.dll
    O2 - BHO: (no name) - {16601130-C4DB-4559-C162-8790BCE77690} - C:\WINDOWS\egzuckgh.dll (file missing)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

    O4 - HKLM\..\Run: [Muzepett] C:\Program Files\Hqqog\Iqxm.exe
    O4 - HKCU\..\Run: [disved] C:\WINDOWS\system32\disved.exe

    O15 - Trusted Zone: http://click.getmirar.com (HKLM)
    O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
    Once you have placed the checkmarks click the FIX button.
    Exit HJT.

    Now run Pocket Killbox:

    Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (if available). Click the RED X and it will ask you to confirm the file for deletion; say YES, and when the next box opens prompting you to reboot now, click NO and proceed with the next file. Once you get to the last one click YES and it will reboot.
    C:\Program Files\Hqqog\Iqxm.exe
    C:\WINDOWS\system32\disved.exe
    c:\windows\system32\data.~
    c:\windows\system32\rlls.dll
    C:\WINDOWS\itpb_4.exe[876056.exe]
    C:\WINDOWS\itpb_6.exe[whCC-MTHREE.exe][whInstaller.exe]
    C:\WINDOWS\itpb_6.exe[whCC-MTHREE.exe][webhdll.dll]
    C:\WINDOWS\itpb_6.exe[whCC-MTHREE.exe][whiehlpr.dll]
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open Windows Explorer navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)

    C:\Program Files\Hqqog\Iqxm.exe
    C:\WINDOWS\system32\disved.exe
    c:\windows\system32\data.~
    c:\windows\system32\rlls.dll
    Look for and delete the file showing in RED, not the entire folder.

    Next;
    Navigate to;
    C:\WINDOWS\itpb_4.exe[876056.exe]
    C:\WINDOWS\itpb_6.exe[whCC-MTHREE.exe][whInstaller.exe]
    C:\WINDOWS\itpb_6.exe[whCC-MTHREE.exe][webhdll.dll]
    C:\WINDOWS\itpb_6.exe[whCC-MTHREE.exe][whiehlpr.dll]

    Also please go to
    C:\WINDOWS\Prefetch and delete the contents of that file also.

    Shut down. Re-attach the internet cable.
    Reboot in Normal Mode and run another HJT scan and post back here with both the new HJT log and also the AVG Anti-spy log.
    Judy
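
Added example, not part of the post above and not code from HijackThis: a small Python parser for the O2, O4 and O15 log lines quoted in that post, which flags registrations whose file is already gone. The regular expressions and the note wording are assumptions based only on the line shapes shown in this thread.

```python
import re

# Sample input: the HijackThis entries quoted in the post above.
SAMPLE_LOG = r"""
O2 - BHO: Web Assistant - {04DCB17C-AB45-83AD-A86A-6DFB90277939} - C:\Programmer\PSupport\plibrary.dll
O2 - BHO: (no name) - {16601130-C4DB-4559-C162-8790BCE77690} - C:\WINDOWS\egzuckgh.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Muzepett] C:\Program Files\Hqqog\Iqxm.exe
O4 - HKCU\..\Run: [disved] C:\WINDOWS\system32\disved.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
"""

# One pattern per section; shapes inferred from the lines above (assumption).
PATTERNS = {
    "O2": re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.*)$"),
    "O4": re.compile(r"^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<target>.*)$"),
    "O15": re.compile(r"^O15 - Trusted Zone: (?P<target>\S+)(?: \((?P<hive>\w+)\))?$"),
}

def parse_entries(log):
    """Return one dict per recognised line, with triage notes attached."""
    entries = []
    for line in log.splitlines():
        line = line.strip()
        section = line.split(" - ", 1)[0]
        pattern = PATTERNS.get(section)
        match = pattern.match(line) if pattern else None
        if not match:
            continue  # blank line or a section this example does not cover
        entry = {"section": section, "notes": [], **match.groupdict()}
        target = entry["target"]
        if target == "(no file)" or target.endswith("(file missing)"):
            entry["notes"].append("orphaned: registered file is gone")
        if section == "O2" and entry["name"] == "(no name)":
            entry["notes"].append("unnamed BHO")
        if section == "O15" and entry.get("hive") == "HKLM":
            entry["notes"].append("machine-wide Trusted Zone site")
        entries.append(entry)
    return entries

if __name__ == "__main__":
    for e in parse_entries(SAMPLE_LOG):
        print(e["section"], e["target"], e["notes"])
```
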



  7. #7
    Join Date
    Sep 2006
    Posts
    27
    Hi Judy

    Done - see my log below
    I attach the AVG log and a fresh HJT log.

    FEELS GOOD!!! No popups until now!!! Rather slow at startup, but I guess he also has plenty of stuff that doesn't need auto start...

    Best regards
    /John

    ------------------
    After jholland-3:

    ATF and McAfee updated.
    None of the mentioned found in Add/Remove
    McAfee: Found nothing (says more about McAfee than society?)
    AVG: A couple of baddies - log attached
    Killbox - done

    Manual remove:
    All 8 files were already gone.
    Directory C:\Program Files\Hqqog was in red (and empty) - removed.
    (a file called itpb_4.exe existed, but I guess that's OK - not removed)

    prefetch - complete DIRECTORY content deleted.

    Fresh HJT log.
    Last edited by jornsen; 02-13-2007 at 03:23 PM.

  8. #8
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    (a file called itpb_4.exe existed, but I guess that's OK - not removed)
    DANG!
    Left out a KEY line in my post to you;

    Navigate to;
    C:\WINDOWS\itpb_4.exe[876056.exe]
    C:\WINDOWS\itpb_6.exe[whCC-MTHREE.exe][whInstaller.exe]
    C:\WINDOWS\itpb_6.exe[whCC-MTHREE.exe][webhdll.dll]
    C:\WINDOWS\itpb_6.exe[whCC-MTHREE.exe][whiehlpr.dll]

    Forgot to say DELETE if found! But you obviously understood.
    Rats!

    The file noted in your post, was that in C:\Program Files\? Or where I have noted above?
    Give me a few minutes to run through your logs and I will be back. Go back and get rid of that file though, Don't reboot either yet.
    Last edited by jholland1964; 02-14-2007 at 12:58 AM.
