
Thread: Windows Defender in safe mode??

  1. #11 (Join Date: Sep 2006; Posts: 27)
    Quote Originally Posted by jholland1964 View Post
    One thing you might do is go to C:\Documents and Settings\Tobbe\Cookies\tobbe and delete ALL the cookies in there. Some of these things were found there. I don't really understand why ATF didn't get rid of those but do it manually.
    Judy
    Done... Removed all files in C:\Documents and Settings\Tobbe\Cookies (!!) except index.dat. They were all timestamped today, so I guess ATF actually did clean up - they just come back fast...

    BTW, the second bitdefender scan froze the PC up... :-(

    Goodnight!

    Best..
    /John

  2. #12 (Join Date: Aug 2006; Location: The Middle; Age: 80; Posts: 4,079)
    Just forget the Bitdefender scan. Will be back later with some steps to follow.

  3. #13 (Join Date: Aug 2006; Location: The Middle; Age: 80; Posts: 4,079)
    Ok jornsen,
    Here we go;
    You will need to update the anti-virus program, update the AVG Anti-spy program.
    Download
    - Pocket KillBox
    Extract it to its own folder so it will be easy to find later.

    Go to Start, Control Panel, Add/Remove
    Look for and remove the following IF found;
    funweb
    DriveCleaner
    WebHancer
    Mirar

    IMPORTANT: You should print or save these instructions, so you can refer to them while offline. You must exit all browsers before running the below steps and it would be best if you actually physically unplug your cable to the internet to complete these steps.
    Reboot to SAFE MODE;

    -- Click on ATF-Cleaner to run it
    -- Where it says Select Files To Delete, Check the Select All Option
    -- Click Empty Selected > OK > EXIT

    Next; run the anti-virus program and Fix everything found.

    Now please Launch AVG Anti-Spyware.
    -- Click on the Scanner button and choose the Settings Tab.
    ---> Under How to act?, click on Recommended action and choose Quarantine to set default action for detected malware.
    --->Under Reports make sure Automatically generate report after every scan is selected and UNCHECK the Only if threats were found box.
    -- Leave everything else at their default settings and Select the Scan tab and CLICK Complete System Scan to scan your machine.
    -- Upon completion of the scan, Click Apply all actions to place any detected baddies in Quarantine.
    -- AFTER clicking Apply all actions, Click on Save Report and select Save the report to your Desktop.

    Now, reboot the computer into Normal Mode. But remain UNCONNECTED from the internet;
    First of all you are going to run HiJackThis again and place checkmarks next to the following if still present;
    O2 - BHO: Web Assistant - {04DCB17C-AB45-83AD-A86A-6DFB90277939} - C:\Programmer\PSupport\plibrary.dll
    O2 - BHO: (no name) - {16601130-C4DB-4559-C162-8790BCE77690} - C:\WINDOWS\egzuckgh.dll (file missing)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

    O4 - HKLM\..\Run: [Muzepett] C:\Program Files\Hqqog\Iqxm.exe
    O4 - HKCU\..\Run: [disved] C:\WINDOWS\system32\disved.exe

    O15 - Trusted Zone: http://click.getmirar.com (HKLM)
    O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
    O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
    Once you have placed the checkmarks click the FIX button.
    Exit HJT.

    Now run Pocket Killbox:

    Paste the below filenames into Killbox one at a time. Check the box that says "Delete on Reboot" and check the box "Unregister DLL" (if available). Click the RED X; it will ask you to confirm the file for deletion, say YES, and when the next box opens prompting you to reboot now, click NO and proceed with the next file. Once you get to the last one, click YES and it will reboot.
    C:\Program Files\Hqqog\Iqxm.exe
    C:\WINDOWS\system32\disved.exe
    c:\windows\system32\data.~
    c:\windows\system32\rlls.dll
    C:\WINDOWS\itpb_4.exe[876056.exe]
    C:\WINDOWS\itpb_6.exe[whCC-MTHREE.exe][whInstaller.exe]
    C:\WINDOWS\itpb_6.exe[whCC-MTHREE.exe][webhdll.dll]
    C:\WINDOWS\itpb_6.exe[whCC-MTHREE.exe][whiehlpr.dll]
    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    Now boot into SAFE MODE

    Open Windows Explorer navigate to and DELETE the following: (Some of these may have already been deleted by Pocket Killbox)

    C:\Program Files\Hqqog\Iqxm.exe
    C:\WINDOWS\system32\disved.exe
    c:\windows\system32\data.~
    c:\windows\system32\rlls.dll
    Look for and delete the file showing in RED, not the entire folder.

    Next;
    Navigate to;
    C:\WINDOWS\itpb_4.exe[876056.exe]
    C:\WINDOWS\itpb_6.exe[whCC-MTHREE.exe][whInstaller.exe]
    C:\WINDOWS\itpb_6.exe[whCC-MTHREE.exe][webhdll.dll]
    C:\WINDOWS\itpb_6.exe[whCC-MTHREE.exe][whiehlpr.dll]

    Also please go to
    C:\WINDOWS\Prefetch and delete the contents of that file also.

    Shut down. Re-attach the internet cable.
    Reboot in Normal Mode and run another HJT scan and post back here with both the new HJT log and also the AVG Anti-spy log.
    Judy
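    The HijackThis entries and the Killbox file list in the post above are two views of the same infection: O2 lines are Browser Helper Object CLSID registrations, O4 lines are Run-key autostarts, O15 lines are sites added to Internet Explorer's Trusted Zone, and the Killbox paths are the files those entries load. The script below is an added example, not part of the original thread and not code from HijackThis or Killbox. It parses those three entry types out of a log and cross-references the O2/O4 targets against a removal list, so an autostart or BHO that points at a file on the list is flagged to be fixed before the file is deleted, and a BHO whose file is already gone is flagged as a dangling registration. The sample log is the post's own entries re-typed by hand (constructed input, not a captured log), and `KILL_LIST` is the four plain file paths from the post's Killbox list.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: the HijackThis lines quoted in the post above,
# re-typed by hand. Not a captured log file.
SAMPLE_LOG = r"""
O2 - BHO: Web Assistant - {04DCB17C-AB45-83AD-A86A-6DFB90277939} - C:\Programmer\PSupport\plibrary.dll
O2 - BHO: (no name) - {16601130-C4DB-4559-C162-8790BCE77690} - C:\WINDOWS\egzuckgh.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Muzepett] C:\Program Files\Hqqog\Iqxm.exe
O4 - HKCU\..\Run: [disved] C:\WINDOWS\system32\disved.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
"""

# The Pocket Killbox list from the same post (the four plain file paths).
KILL_LIST = [
    r"C:\Program Files\Hqqog\Iqxm.exe",
    r"C:\WINDOWS\system32\disved.exe",
    r"c:\windows\system32\data.~",
    r"c:\windows\system32\rlls.dll",
]


@dataclass
class HjtEntry:
    section: str            # "O2", "O4" or "O15"
    name: str               # BHO display name, Run value name, or Trusted Zone URL
    target: str             # DLL path, Run command line, or "" for O15
    hive: Optional[str]     # HKLM/HKCU where the log states it
    clsid: Optional[str] = None
    file_missing: bool = False


# O2: "O2 - BHO: <name> - {CLSID} - <dll path>[ (file missing)]" or "- (no file)"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<rest>.*)$")
# O4: "O4 - HKLM\..\Run: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O15: "O15 - Trusted Zone: <url> (<hive>)"
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<url>\S+)(?: \((?P<hive>HKLM|HKCU)\))?$")


def parse_hjt(log: str) -> List[HjtEntry]:
    """Parse O2/O4/O15 lines out of a HijackThis log; other sections are skipped."""
    entries: List[HjtEntry] = []
    for raw in log.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            rest = m["rest"]
            missing = rest == "(no file)" or rest.endswith("(file missing)")
            path = "" if rest == "(no file)" else rest.replace(" (file missing)", "")
            entries.append(HjtEntry("O2", m["name"], path, None, m["clsid"], missing))
            continue
        m = O4_RE.match(line)
        if m:
            entries.append(HjtEntry("O4", m["name"], m["cmd"], m["hive"]))
            continue
        m = O15_RE.match(line)
        if m:
            entries.append(HjtEntry("O15", m["url"], "", m["hive"]))
    return entries


def _norm(path: str) -> str:
    # Windows paths are case-insensitive; the post itself mixes C:\WINDOWS and c:\windows.
    return path.strip().strip('"').lower()


def exe_from_command(cmd: str) -> str:
    """Program path from a Run value, dropping any arguments after a quoted or .exe path."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.count('"') >= 2:
        return cmd[1:cmd.index('"', 1)]
    m = re.match(r"(?i)(.*?\.exe)", cmd)
    return m.group(1) if m else cmd


def findings(entries: List[HjtEntry], kill_list: List[str]) -> List[str]:
    """Entries to tick in HijackThis, with the reason, in log order."""
    kill = {_norm(p) for p in kill_list}
    out: List[str] = []
    for e in entries:
        if e.section == "O2":
            if e.file_missing:
                out.append(f"O2 {e.clsid}: BHO points at a missing file; dangling registration, fix it")
            elif _norm(e.target) in kill:
                out.append(f"O2 {e.clsid}: BHO loads {e.target}, on the removal list; fix before deleting")
        elif e.section == "O4":
            if _norm(exe_from_command(e.target)) in kill:
                out.append(f"O4 [{e.name}] ({e.hive}): autostarts {e.target}, on the removal list; fix before deleting")
        elif e.section == "O15":
            # Any site added to the Trusted Zone gets relaxed IE security; none of these belong there.
            out.append(f"O15: {e.name} added to the Trusted Zone ({e.hive}); fix")
    return out


if __name__ == "__main__":
    for line in findings(parse_hjt(SAMPLE_LOG), KILL_LIST):
        print(line)
```

    Run against the sample, the script reports seven entries: the two dangling BHOs, both Run values (their executables are on the Killbox list), and the three Trusted Zone sites; the Web Assistant BHO is parsed but not reported because plibrary.dll is not on the removal list, which is the kind of gap a cross-check like this makes visible.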



  4. #14 (Join Date: Sep 2006; Posts: 27)
    Hi Judy

    Done - see my log below
    I attach the AVG log and a fresh HJT log.

    FEELS GOOD!!! No popups until now!!! Rather slow at startup, but I guess he also has plenty of stuff that doesn't need auto start...

    Best regards
    /John

    ------------------
    After jholland-3:

    ATF and McAfee updated.
    None of the mentioned found in Add/Remove
    McAfee: Found nothing (says more about McAfee than society?)
    AVG: A couple of baddies - log attached
    Killbox - done

    Manual remove:
    All 8 files were already gone.
    Directory C:\Program Files\Hqqog was in red (and empty) - removed.
    (a file called itpb_4.exe existed, but I guess that's OK - not removed)

    prefetch - complete DIRECTORY content deleted.

    Fresh HJT log.
    Last edited by jornsen; 02-13-2007 at 03:23 PM.

  5. #15 (Join Date: Aug 2006; Location: The Middle; Age: 80; Posts: 4,079)
    Quote Originally Posted by jornsen View Post
    (a file called itpb_4.exe existed, but I guess that's OK - not removed)
    DANG!
    Left out a KEY line in my post to you;

    Navigate to;
    C:\WINDOWS\itpb_4.exe[876056.exe]
    C:\WINDOWS\itpb_6.exe[whCC-MTHREE.exe][whInstaller.exe]
    C:\WINDOWS\itpb_6.exe[whCC-MTHREE.exe][webhdll.dll]
    C:\WINDOWS\itpb_6.exe[whCC-MTHREE.exe][whiehlpr.dll]

    Forgot to say DELETE if found! But you obviously understood.
    Rats!

    The file noted in your post, was that in C:\Program Files\ or where I have noted above?
    Give me a few minutes to run through your logs and I will be back. Go back and get rid of that file though, Don't reboot either yet.
    Last edited by jholland1964; 02-14-2007 at 12:58 AM.

  6. #16 (Join Date: Aug 2006; Location: The Middle; Age: 80; Posts: 4,079)
    PP says that you should delete current combofix (always being updated) and get a fresh one and a fresh scanlog and let's see what remains....

  7. #17 (Join Date: Sep 2006; Posts: 27)
    Hi Judy

    Been away for a couple of days..

    Quote Originally Posted by jholland1964 View Post
    DANG!
    Left out a KEY line in my post to you;

    Navigate to;
    C:\WINDOWS\itpb_4.exe[876056.exe]
    C:\WINDOWS\itpb_6.exe[whCC-MTHREE.exe][whInstaller.exe]
    C:\WINDOWS\itpb_6.exe[whCC-MTHREE.exe][webhdll.dll]
    C:\WINDOWS\itpb_6.exe[whCC-MTHREE.exe][whiehlpr.dll]

    Forgot to say DELETE if found! But you obviously understood.

    Rats!
    Wow... You lost me there... You actually DID tell me to delete the files...!?

    Quote Originally Posted by jholland1964 View Post
    The file noted in you post was that in C:\Program Files\? of where I have noted above?
    Give me a few minutes to run through your logs and I will be back. Go back and get rid of that file though, Don't reboot either yet.
    The file is in C:\WINDOWS - full path: C:\WINDOWS\itpb_4.exe - sorry
    Should I delete that file?
    The reboot is way too late - sorry

    Quote Originally Posted by jholland1964 View Post
    PP says that you should delete current combofix (always being updated) and get a fresh one and a fresh scanlog and let's see what remains....
    Ehrm... I deleted the old combofix file - it was 880.7xx bytes. Downloaded a new one using what I'm quite sure is the same link as previously, but now I got a file of 50K!!!!????
    Deleted the fresh download again.. :-)

    The link is taken from http://www.spywarefri.dk/forum/topic.asp?TOPIC_ID=29791, and it is: http://download.bleepingcomputer.com/sUBs/combofix.exe

    I browsed a little and found a warning: http://boards.cexx.org/index.php?topic=15787.msg64828
    You shouldn't believe all you read on the internet, but...

    I wasn't able to find a download here on this site...

    Ehrm...!!?? Confused... and maybe a little paranoid...

    /John

  8. #18 (Join Date: Aug 2006; Posts: 578)

    Hi John,

    The info regarding ComboFix is correct!


    You should delete any copies of combofix.exe that are on your machine until further notice.

    The tool itself is not a problem; however, if there is a certain rootkit on your machine, running combofix will result in disaster.....

    I believe the creator has removed the tool and is addressing this as we speak.... May already be done.


    PP
