0

My brother in law got hit with Windows Police Pro on either 29 or 30 August. I wiped the WPP folder, but all EXE files were being intercepted and routed through "desote.exe". I deleted that file (probably a bad idea) and now I cannot reassociate EXE files. That means that I can't get into RegEdit, although there's a second problem there.

Apparently there's some hidden process running that intercepts regedit and regedt32; if I try alternate ways to run them (including renaming) they try to start and get killed. Also, I can't do system restore because the Properties attribute on My Computer cannot find rundll32.exe (although it is right there in plain sight where it should be).

A process called svchasts.exe was running; I deleted it from task manager and it has not come back.

We may have a doorstop if I can't work out a way to reassociate EXE files to work, as I can't find the original XP CD on this box.

8 Contributors, 21 Replies, 22 Views, 8 Years Discussion Span, Last Post by PhilliePhan
0

We may have a doorstop if I can't work out a way to reassociate EXE files to work, as I can't find the original XP CD on this box.

If you are able to get MBA-M onto the machine, try this:
First, Rename mbam.exe to zappa.com
See if it will run.
If so, please have it remove all that it finds and post the log for us.


If it does not run, you can try the following, but it is strictly a "Run At Your Own Risk!" proposition:

* Download KILLBAD.zip and EXTRACT the KILLBAD folder to your C:\ Drive
* Use START > RUN >Command.com to get a command prompt

* TYPE C:\KILLBAD\KILLBAD.bat ENTER

* If the tool is able to run, a log should eventually pop up in notepad.
Please post that for us.

I will check back as time permits, though I do not know when that will be.

Best Luck :)
PP

0

thanks - I will be at his house Tuesday night to try both of those.

0

New linky for KILLBAD.zip

KILLBAD.zip

You might be able to run it by navigating to C:\KILLBAD\KILLBAD.bat and DoubleClicking the .bat file - that ought to work.

PP :)

0

Also, see if you are able to get this to run.

Looks like there are some serious rootkit components to this baddie and our best bet would be to get combofix to run. Generally, when I see baddies such as this, I advise a reformat because of the nature of the rootkit beast.

If you'd like to continue, please do the following:

Please Download Win32kDiag and save it to your Desktop.

http://ad13.geekstogo.com/Win32kDiag.exe
http://download.bleepingcomputer.com/rootrepeal/Win32kDiag.exe

-- DoubleClick on Win32kDiag.exe to run it. Let it run for as long as it needs to.
-- When it says Finished – Press any key to exit, do that to exit the program.
-- You should now have a Win32kDiag.txt on your Desktop. Please post the entire log for me and we’ll go from there.

I will check back as soon as time permits.

Cheers :)
PP

0

I have run into this problem and won. The main source of my trouble was that everything was trying to open with desote.exe, and once i found and deleted it, i couldn't run anything with an exe extension.

I found that under HKCR\exefile\shell\open\command, the (Default) entry was changed from ["%1" %*] to [c:\windows\desote.exe "%1" %*]. I was denied access to change the key. So I booted to PE on our WDS server (this step can be replaced with UBCD4Win or any PE boot disk) and loaded the software hive into the registry editor.

I'm sure there are at least a few reading this who don't know how to do that: Open regedit. Select HKLM and go to File-->Load Hive... and then browse to c:\windows\system32\config and choose your hive file to load. It will always ask for a canonical name; I typically go with asdf-<hive> but I would recommend <username>-<hive> for big jobs (i.e., citrix box). One last thing: the CLASSES_ROOT hive is actually the Classes key under HKLM\Software. These are live changes, people: Unload Hive writes to the file and there's no Undo, so make sure you know what you're doing.
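Added here as an example, not code from the thread or from any tool it mentions: a PowerShell script that performs the same offline check and repair el_wayman describes by hand, using reg.exe load/unload (the command-line form of regedit's File -> Load Hive). The offline drive letter D:\Windows, the mount name and the -Repair switch are assumptions; without -Repair it only reports what the (Default) value currently is.

```powershell
# Added example (not from the thread): check and, with -Repair, restore the EXE
# file association in an OFFLINE Windows install, as seen from a PE boot.
# $OfflineWindows and $MountName are assumptions - adjust them for your box.
param(
    [string]$OfflineWindows = 'D:\Windows',    # assumed: the infected install under PE
    [string]$MountName      = 'asdf-software', # the name regedit asks for on Load Hive
    [switch]$Repair                            # without -Repair, report only
)

$hiveFile = Join-Path $OfflineWindows 'System32\config\software'
$expected = '"%1" %*'   # stock (Default) value of HKCR\exefile\shell\open\command
if (-not (Test-Path $hiveFile)) { throw "No SOFTWARE hive found at $hiveFile" }

# reg.exe load is the command-line twin of regedit's File -> Load Hive.
& reg.exe load "HKLM\$MountName" $hiveFile | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed: hive in use, or not running elevated" }

try {
    # HKCR is a merged view; the on-disk copy of exefile lives under SOFTWARE\Classes.
    $keyPath = "HKLM:\$MountName\Classes\exefile\shell\open\command"
    $key     = Get-Item -Path $keyPath
    $current = [string]$key.GetValue('')      # '' addresses the (Default) value
    $key.Close()

    if ($current -eq $expected) {
        "exefile association is stock: $current"
    } else {
        "HIJACKED exefile association: $current   (expected $expected)"
        if ($Repair) {
            # Set-Item on a registry key writes its (Default) value.
            Set-Item -Path $keyPath -Value $expected
            "Restored (Default) to $expected"
        }
    }
}
finally {
    # Release the provider's handles first, or reg unload fails with 'Access is denied'.
    # As the post says: unloading writes straight to the hive file; there is no undo.
    Set-Location C:\
    [gc]::Collect()
    & reg.exe unload "HKLM\$MountName" | Out-Null
}
```

Run it elevated from the PE environment, never against the hive of the Windows you are currently booted into (reg load will refuse, since the live kernel holds that file). A hijacked value will look like the one el_wayman found, c:\windows\desote.exe "%1" %*, which is why the script compares against the bare "%1" %* rather than searching for a particular file name.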

0

Thanks :)

I am not sure that will be a viable option for most of the posters in this forum, though.
Plus, with all of the rootkit components of the more severe infections, that is not a practical solution for novices, which many of our posters are. . . .

PP :)

0

I realize that wasn't for everyone - I would have written it that way if I could have...but I hadn't really seen any answer for this when I looked, so I figured I'd at least give you something to work with, and who knows? UBCD isn't that hard to get going. Literacy required.

-1

Please start your own thread.

Thanks :)

That's pretty stupid. Why waste bandwidth and site storage by creating a thread about the same issue?

What's the point of having 15 threads from people that are having the same problem?

Are you afraid you won't get "credit" for solving another thread? Pretty ghey if you ask me.

BTW, I'm having the same problem. I won't start my own thread. I'm just going to reformat and be done with it.

Vote comment: A very insulting post, especially to PP who has worked so hard to assist all those infected.
0

haywoodJ: That's pretty stupid. Why waste bandwidth and site storage by creating a thread about the same issue?
Because each and every computer is different. What works on one may not work on another. Each user may have tried different steps even before posting here. Bandwidth and site storage is the business of the website owners, if they choose to limit what will be posted here and stored here then that will be their choice, it is not up to any of us to decide what and how many posts will be allowed, it is up to site administrators.

What's the point of having 15 threads from people that are having the same problem?
As stated before, each computer is different. Each computer has different software installed. What works for one may not work for another. Each person arrives at a different stage of infection. Confusion would reign if all posted in the same thread.

Are you afraid you won't get "credit" for solving another thread? Pretty ghey if you ask me.
This is a GROSS INSULT to PP and others who work here who are ALL volunteers. "Credit" has absolutely nothing to do with it and to even insinuate that it does is disgusting.


BTW, I'm having the same problem. I won't start my own thread. I'm just going to reformat and be done with it.

That is your prerogative and I applaud it. Why did you come here in the first place if all you wanted to do was post insults to the volunteers here? I for one am thrilled you won't start your own thread, plus it will save you the embarrassment of having nobody willing to respond to you.

0

Please start your own thread.

Thanks :)

haywoodJ: That's pretty stupid. Why waste bandwidth and site storage by creating a thread about the same issue?

What's the point of having 15 threads from people that are having the same problem?
As stated before, each computer is different. Each computer has different software installed. What works for one may not work for another. Each person arrives at a different stage of infection. Confusion would reign if all posted in the same thread.

I don't see major anti-virus companies writing different removal instructions based on different levels of installed software.

It's a generic Windows virus/malware issue. To think that it would behave any differently based on what pieces of software I have installed is ridiculous.


BTW, I'm having the same problem. I won't start my own thread. I'm just going to reformat and be done with it.

That is your prerogative and I applaud it. Why did you come here in the first place if all you wanted to do was post insults to the volunteers here? I for one am thrilled you won't start your own thread, plus it will save you the embarrassment of having nobody willing to respond to you.

I came here - one of the many sites I have visited - looking for information on the virus that infected me late last night.

To think that I was being insulting is very short-sighted. The other person simply posted a "I'm having the same problem" reply and was responded to with a "Thanks! Start your own thread."

To me that was very insulting to that person. "Hey, good for you, but this thread is for helping somebody else because they asked first. If you want help go start your own thread."

When I looked at PP's profile I'm greeted with all of these "see his posts" and "see how many threads he's solved" statistics.

Most other sites encourage people to search existing open topics for answers instead of blindly asking a question that has been asked multiple times.

You are much better off teaching somebody how to help themselves instead of teaching them to expect somebody to give them the answers. "Give a man a fish........"


BTW - PP has done nothing but post the exact thing in every Windows Police Pro thread, so don't tell me that each problem is different. It's the exact thing, word for word. All pointing to a link to some batch file that doesn't even exist on the forum.

0


...The other person simply posted a "I'm having the same problem" reply and was responded to with a "Thanks! Start your own thread."

To me that was very insulting to that person. "Hey, good for you, but this thread is for helping somebody else because they asked first. If you want help go start your own thread."

Most other sites encourage people to search existing open topics for answers instead of blindly asking a question that has been asked multiple times.....

The rules here are very clear and stated multiple times at the top of most of the forums here and at least twice right here in the stickys at the top of this forum:
http://www.daniweb.com/forums/announcement64-1.html
Please do NOT piggy back on another member's thread, but create your very own thread where you will receive better assistance.

http://www.daniweb.com/forums/thread72053.html
DO NOT HIJACK OTHER MEMBERS THREADS PLEASE.

...do not hijack existing threads with your own support issue; start a new thread instead.
http://www.daniweb.com/forums/forum99.html
http://www.daniweb.com/forums/forum12.html
http://www.daniweb.com/forums/forum11.html
http://www.daniweb.com/forums/forum7.html

I am sorry you don't care for the way things are handled here. I choose to defend what has worked well here and at most other malware removal forums for a very long time.

If you don't care for this policy, which holds throughout these forums, I suggest you contact one of our moderators or the administrators.

0

What's the point of having 15 threads from people that are having the same problem?

This is pretty much SOP in every security forum.
The reason being, if I am interacting with multiple posters with multiple computers and am posting different instructions for each, and answering various questions from each poster, can you imagine the confusion? Heck, if one user has multiple computers to clean, I request a separate thread for each compy.

BTW - After getting combofix to run, the instructions for each user will be tailored to the results of their scanlogs.

Are you afraid you won't get "credit" for solving another thread? Pretty ghey if you ask me.

Don't really care - It's not as though volunteers get paid. . . .

I don't see major anti-virus companies writing different removal instructions based on different levels of installed software.
It's a generic Windows virus/malware issue. To think that it would behave any differently based on what pieces of software I have installed is ridiculous.

This is far off base - I certainly doubt you'll see any large AV company produce a solution . . . . that will run. LOL!
MBA-M will get it and combofix will get many of the rootkit components if they can be run.
You'll note that this malware has a rootkit component that prevents tools from being run......

BTW - I took down my links when I realized that the tool I wrote would not be effective.

BTW, I'm having the same problem. I won't start my own thread. I'm just going to reformat and be done with it.

That is probably the best and certainly the most effective solution.

Here's hoping you have a ton of un-backed up data!

Cheers :)

0

I had a very similar problem on my laptop this afternoon. I have a lot of experience removing viruses but this one was a little trickier than some.

The thing that I really found strange was that I had no symptoms when I turned off the laptop last night. I turned it on earlier today but had walked away for about 20 minutes, and no one else had touched it. When I came back there was a new icon for Windows Police Pro on the Desktop, not to mention that somehow Active Desktop seemed to have been turned on, as my background image was overlaid with three paragraphs of pretty standard "You have an infection...." verbiage. Surprisingly enough I was not able to right-click on the Desktop and get to the Properties page; that process errored out indicating that I did not have the necessary permissions to pull up the Property Sheet.

One of the first things that I checked was the EXE file associations in Windows Explorer (Tools\Folder Options...\File Types) and found that EXE was curiously missing from the list. I clicked on New and typed in EXE and then clicked on the Advanced button to associate with APPLICATION. However, once I did that it wanted to load apps by using DESOTE.EXE and that was confusing to me, which actually led me to this post.

Aside from all of the flaming that was going I did pull some knowledge from this post. Thanks to el_wayman for the registry key.

To begin with I booted into Safe Mode and killed all unrecognized tasks by using CTRL - ALT - ESC to get into Task Manager, as normal opening of EXEs, including Task Manager, was bushwhacked. I didn't find anything weird running, but I was in Safe Mode, so not too weird there. I was also not able to open regedit or regedt32 normally, nor was I able to get any Control Panel apps to run, such as Add/Remove Programs. I was able to get to Add/Remove Programs by using Start/Run --> appwiz.cpl and then I was able to get rid of the Windows Police Pro listing, and then made sure that all remnants of the WPP folder were removed from C:\Program Files.

I was able to open Windows Explorer and pull up an EXE from a USB drive, but got several errors before the file actually opened. That got me to thinking about regedit and so I navigated to C:\Windows\System32 and there double-clicked on regedt32.exe. I got the same error like 4 or 5 times but eventually Regedt32 popped up. I immediately went to HKCR\exefile\shell\open\command and removed everything there but the "%1" %*. I closed out of the registry editor and lo and behold, EXEs would execute again!

I am currently running SpyBot in Safe Mode and have a few other tools to run after that, just to be sure. However, since this post was still only a week old I thought that I would share my experience in the hopes that it will help someone else out with this nasty problem.

0

I'm not really sure how to do all of that stuff, but I am going to try it. I'm having the same problem and this is very annoying since I don't know that much about all the stuff you said, lol.

0

I am currently running SpyBot in Safe Mode and have a few other tools to run after that, just to be sure. However, since this post was still only a week old I thought that I would share my experience in the hopes that it will help someone else out with this nasty problem.

Don't forget that this just addresses the obvious symptoms of the infection.
In just about all of the infections that I have seen, there is a rootkit component that you will need to remove as well. This is the real security risk to your machine!

If you'd like some assistance with that, please start a fresh thread as per forum policy and somebody will be happy to help you.

Cheers :)
PP

0

I'm not really sure how to do all of that stuff, but I am going to try it. I'm having the same problem and this is very annoying since I don't know that much about all the stuff you said, lol.

And . . . . this is why "hit and run" posts of incomplete fixes are a pain in the ass in "open" forums such as daniweb.

You can call it flaming or whatever you want to call it, but the bottom line is this: I know an effective way to attack and try to clean all aspects of this infection (to the extent that a rootkit-infected computer can be cleaned) and I am willing to spend some of my free time sticking with a poster's problem and talking them through the cleaning process until it has been resolved.

@tinyart49 - Please start your own thread and a volunteer will be happy to help you.


Best Luck :)
PP

0

PP, With the flaming thing, I only meant that more than half of the posts up to that time were attacking or defending and not actually contributing to the solution. I just had to weed through that to find the helpful information that I was looking for.

I also agree that there is rootkit cleanup that had to be done. I did not mention in my earlier post that in the registry I found a reference to c:\documents and settings\my username\local settings\temp\a.exe. This was in the Run key for HKCU. I went to that directory in Windows Explorer and found a file called b.exe and several .tmp files with single letter names that were all less than 48 hours old. I deleted all of these as well. I also checked several other places in the registry that I have seen affected in the past.

Also, I had to get rid of the Active Desktop problem that it generated. I know this is a little off the topic but it was caused by the same infection. I basically took these steps:
Right-click on Desktop, choose Properties
Click on the Desktop tab
Click the Customize Desktop button
Click the Web tab
In the Web pages: window I found an item called TETS. I don't use Active Desktop and so I knew that I didn't put the file there, so...
Check the checkbox next to the file name
Click the Delete button, click on Yes then click on OK
Click on Apply or OK to continue

I only wanted to share what worked for me in case someone else happened upon this as I did. I certainly agree with your earlier posts about specific software to clean up these types of problems for most users. But for me, I do this type of stuff for a living and often will skim through forums in search of a clue to point me in the right direction. If you use software to automate the process for you then my steps would not be needed. But I'm sure that there are also others that might see some of the things that I tried and help themselves. I'll be glad to provide more specific info to anyone that asks for it.
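The poster above cleaned three persistence spots by hand: the HKCU Run key entry pointing at a.exe in the user's Temp folder, the one-letter files in that folder, and an Active Desktop web item. Added here as an example, not code from the thread or from any tool it mentions, is a report-only PowerShell triage script that lists those same locations and flags Run entries whose image lives in %TEMP% or has a single-letter name. The Active Desktop component location under HKCU\Software\Microsoft\Internet Explorer\Desktop\Components and the Source value are stated from memory of that key's layout, not from the thread; nothing is deleted, so you review the output and then remove entries as the poster did.

```powershell
# Added example (not from the thread): report-only triage of the persistence spots
# the poster cleaned by hand. Prints one line per entry; deletes nothing.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
# e.g. C:\Documents and Settings\<user>\Local Settings\Temp\ on XP
$tempDir = [System.IO.Path]::GetTempPath()

function Get-ImagePath {
    param([string]$Command)
    # A quoted path may contain spaces; otherwise the image is the first token.
    if ($Command -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($Command.Trim() -split '\s+')[0]
}

function Test-SuspiciousImagePath {
    param([string]$Command)
    $exe  = Get-ImagePath $Command
    $name = [System.IO.Path]::GetFileNameWithoutExtension($exe)
    # Heuristics taken from the poster's findings: runs out of %TEMP%,
    # or carries a one-letter file name such as a.exe / b.exe.
    return ($exe -like ($tempDir + '*')) -or ($name.Length -eq 1)
}

'== Run keys =='
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath, PSDrive, ...)
        $flag = if (Test-SuspiciousImagePath ([string]$p.Value)) { 'SUSPECT' } else { 'ok' }
        '{0,-8} {1}  {2} = {3}' -f $flag, $key, $p.Name, $p.Value
    }
}

'== One-letter files under %TEMP% changed in the last 48 hours =='
Get-ChildItem -Path $tempDir -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and
                   $_.BaseName.Length -eq 1 -and
                   $_.LastWriteTime -gt (Get-Date).AddHours(-48) } |
    ForEach-Object { '{0}  {1}' -f $_.LastWriteTime, $_.FullName }

'== Active Desktop web items (assumed location) =='
$adKey = 'HKCU:\Software\Microsoft\Internet Explorer\Desktop\Components'
if (Test-Path $adKey) {
    Get-ChildItem -Path $adKey | ForEach-Object {
        $src = (Get-ItemProperty -Path $_.PSPath).Source
        'component {0}: {1}' -f $_.PSChildName, $src
    }
}
```

As PP points out further down, a clean report from this script says nothing about the rootkit component; it only covers the user-mode autostart spots the poster happened to find, which is why it is a triage aid rather than a cleaner.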

0

PP, With the flaming thing, I only meant that more than half of the posts up to that time were attacking or defending and not actually contributing to the solution. I just had to weed through that to find the helpful information that I was looking for.

No worries! :)
This guy comes out of nowhere and gives me grief for asking someone to start their own thread, as per forum policy.... In no other security forum would that be tolerated - we dedicated volunteers are hard to come by....

But I'm sure that there are also others that might see some of the things that I tried and help themselves. I'll be glad to provide more specific info to anyone that asks for it.

To be honest with you (and I mean absolutely no disrespect) - I would prefer that posters not try to follow any advice in other threads. YOU know what you are doing, but I have learned from many years in different forums that most posters are novices and we really need to walk them through things....

BTW - As far as this baddie, I am seeing a lot of the same rootkit (TDSS / seneka /UAC Rootkit) + it is often replacing a valid system file with a baddie. Usually eventlog.dll.....


Hey - If you are up for volunteering, I'm sure Daniweb could use the help!:)

Cheers :)
PP
