Thread: Windows Defender in safe mode??

  1. #1
    Join Date
    Sep 2006
    Posts
    27
    Hi Judy

    Done - see my log below
    I attach the AVG log and a fresh HJT log.

    FEELS GOOD!!! No popups until now!!! Rather slow at startup, but I guess he also has plenty of stuff that doesn't need auto start...

    Best regards
    /John

    ------------------
    After jholland-3:

    ATF and McAfee updated.
    None of the mentioned found in add/remove
    McAfee: Found nothing (says more about McAfee than society?)
    AVG: A couple of baddies - log attached
    Killbox - done

    Manual remove:
    All 8 files were already gone.
    Directory C:\Program Files\Hqqog was in red (and empty) - removed.
    (a file called itpb_4.exe existed, but I guess that's OK - not removed)

    prefetch - complete DIRECTORY content deleted.

    Fresh HJT log.
    Last edited by jornsen; 02-13-2007 at 03:23 PM.

  2. #2
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    (a file called itpb_4.exe existed, but I guess that's OK - not removed)
    DANG!
    Left out a KEY line in my post to you;

    Navigate to;
    C:\WINDOWS\itpb_4.exe[876056.exe]
    C:\WINDOWS\itpb_6.exe[whCC-MTHREE.exe][whInstaller.exe]
    C:\WINDOWS\itpb_6.exe[whCC-MTHREE.exe][webhdll.dll]
    C:\WINDOWS\itpb_6.exe[whCC-MTHREE.exe][whiehlpr.dll]

    Forgot to say DELETE if found! But you obviously understood.
    Rats!

    The file noted in your post was that in C:\Program Files\? or where I have noted above?
    Give me a few minutes to run through your logs and I will be back. Go back and get rid of that file though. Don't reboot either yet.
    Last edited by jholland1964; 02-14-2007 at 12:58 AM.

  3. #3
    Join Date
    Aug 2006
    Location
    The Middle
    Age
    80
    Posts
    4,079
    PP says that you should delete current combofix (always being updated) and get a fresh one and a fresh scanlog and let's see what remains....

  4. #4
    Join Date
    Sep 2006
    Posts
    27
    Hi Judy

    Been away for a couple of days..

    Quote Originally Posted by jholland1964
    DANG!
    Left out a KEY line in my post to you;

    Navigate to;
    C:\WINDOWS\itpb_4.exe[876056.exe]
    C:\WINDOWS\itpb_6.exe[whCC-MTHREE.exe][whInstaller.exe]
    C:\WINDOWS\itpb_6.exe[whCC-MTHREE.exe][webhdll.dll]
    C:\WINDOWS\itpb_6.exe[whCC-MTHREE.exe][whiehlpr.dll]

    Forgot to say DELETE if found! But you obviously understood.

    Rats!
    Wow... You lost me there... You actually DID tell me to delete the files...!?

    Quote Originally Posted by jholland1964
    The file noted in your post was that in C:\Program Files\? or where I have noted above?
    Give me a few minutes to run through your logs and I will be back. Go back and get rid of that file though. Don't reboot either yet.
    The file is in C:\WINDOWS - full path: C:\WINDOWS\itpb_4.exe - sorry
    Should I delete that file?
    The reboot is way too late - sorry

    Quote Originally Posted by jholland1964
    PP says that you should delete current combofix (always being updated) and get a fresh one and a fresh scanlog and let's see what remains....
    Ehrm... I deleted the old combofix-file - it was 880.7xx bytes. Downloaded a new using what I'm quite sure is the same link as previously, but now I got a file of 50K!!!!????
    Deleted the fresh download again.. :-)

    The link is taken from http://www.spywarefri.dk/forum/topic.asp?TOPIC_ID=29791, and it is: http://download.bleepingcomputer.com/sUBs/combofix.exe

    I browsed a little and found a warning: http://boards.cexx.org/index.php?topic=15787.msg64828
    You shouldn't believe all you read on the internet, but...

    I wasn't able to find a download here on this site...

    Ehrm...!!?? Confused... and maybe a little paranoid...

    /John

  5. #5
    Join Date
    Aug 2006
    Posts
    578

    Cool

    Hi John,

    The info regarding ComboFix is correct!


    You should delete any copies of combofix.exe that are on your machine until further notice.

    The tool itself is not a problem; however, if there is a certain rootkit on your machine, running combofix will result in disaster.....

    I believe the creator has removed the tool and is addressing this as we speak.... May already be done.


    PP
