I must have caught it a little after midnight PST on the 29th, but it didn't manifest itself until I used the computer again the afternoon of the 30th. I was getting a whole bunch of blue screens and was able to get into Windows only once after having it load last known good configuration. That's when I found WPP on my desktop and discovered I could no longer run any applications.

Since then, I can only run in Safe Mode. I now always get a blue screen in normal mode, usually in under 10 seconds from when I see the login screen. It's a new virus, so I did not find any solutions on the forums when browsing on my other computer at the time, and I did the following things on my own:

- tried system restore, but it failed because of the blue screen issue
- deleted the folder and all files I could find for WPP
- found the culprit for my inability to run any applications even in safe mode to be desote.exe, as I was looking in Task Manager to see what might be causing the problem
- looked up desote.exe and learned about its partner-in-crime svchasts.exe, and proceeded to move them into the C:\temp folder I created as a kind of temporary quarantine location
- still couldn't run apps, because it would ask me what to use to run the apps
- learned about MBAM and ran it as Admin; the results I will paste after the end of my message

MBAM fixed 8 problems on its first run (see below), but it did not see svchasts.exe as a threat. I still got the blue screen trying to get into Windows, so I had to leave that PC alone until I had more time to try and solve it. Last night, I updated MBAM and scanned again; it picked up the svchasts.exe and serr.exe that it missed before. But the blue screens did not go away. By the way, the blue screens usually just give me a generic "A problem has occurred..." message, but I saw a couple earlier on about Page Fault in Non-Paged Area. (I've got a whole bunch of minidump files if you need to look at them.)

Even though I already suspected that my McAfee AV had been compromised, I let it update and run a full scan. It told me I had the NTOSKRNL-HOOK virus. McAfee seemed to have gotten rid of them, but they always return after a restart. I also used MBAM, and it seems to be more potent at getting rid of it, but when I tried the McAfee scan again it detected it again, even though I had looked in the System32 folder and did not see them there. It actually looks as if the virus files do not exist until McAfee "finds" them. Is it possible for a major AV software to be corrupted into making viruses rather than killing them?

I don't know if the WPP and NTOSKRNL-HOOK problems are related, I just know I have a very sick computer. What can I do?

One other question is, have either of these viruses, or others like them in nature, been known to affect personal files? I want to know if rescuing my files without spreading the virus to my other systems is an option.

**********************************************

Malwarebytes' Anti-Malware 1.40
Database version: 2723
Windows 6.0.6001 Service Pack 1 (Safe Mode)

8/31/2009 8:43:15 PM
mbam-log-2009-08-31 (20-43-15).txt

Scan type: Full Scan (C:\|)
Objects scanned: 671037
Time elapsed: 2 hour(s), 1 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 4
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{76dc0b63-1533-4ba9-8be8-d59eb676fa02} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{76dc0b63-1533-4ba9-8be8-d59eb676fa02} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Win Police Pro (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (C:\Windows\system32\desote.exe "%1" %*) Good: ("%1" %*) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\temp\desote.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Users\Administrator\Desktop\Windows Police Pro.lnk (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Users\mo\Desktop\Windows Police Pro.lnk (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Windows\System32\bennuar.old (Malware.Trace) -> Quarantined and deleted successfully.
C:\Windows\System32\onhelp.htm (Malware.Trace) -> Quarantined and deleted successfully.
C:\Windows\System32\sysnet.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Windows\ppp3.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\Windows\ppp4.dat (Malware.Trace) -> Quarantined and deleted successfully.
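The one entry in the log above that explains the "what do you want to open this with?" symptom is the Broken.OpenCommand item: the default value of HKEY_CLASSES_ROOT\exefile\shell\open\command had been changed from the stock `"%1" %*` to `C:\Windows\system32\desote.exe "%1" %*`, so Windows interposed desote.exe on every .exe launch, and moving desote.exe to C:\temp left the association pointing at a file that no longer existed. The following PowerShell script is an added example, not part of the original post and not MBAM or McAfee code. It audits the open commands for the executable file classes across the merged HKCR view and the two hives that feed it, and reports anything that differs from the stock defaults. The expected values and the `-Restore` switch are this script's own assumptions; run it from an elevated prompt.

```powershell
# Added example (not from the original post): audit, and optionally restore,
# the shell\open\command defaults that decide how Windows launches executable
# file classes. A rogue such as the one in the MBAM log above hijacks
# exefile's command so that every program start runs through its own EXE.
#
# Assumptions: the $expected table holds the stock Windows defaults for these
# classes; -Restore is this script's own option, not an MBAM or Windows feature.
param([switch]$Restore)

$expected = @{
    'exefile' = '"%1" %*'
    'comfile' = '"%1" %*'
    'batfile' = '"%1" %*'
    'cmdfile' = '"%1" %*'
    'piffile' = '"%1" %*'
}

# HKCR is a merged view of HKLM\SOFTWARE\Classes and HKCU\Software\Classes,
# with the per-user hive taking precedence, so a hijack can hide in either.
$roots = @(
    'Registry::HKEY_CLASSES_ROOT',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes',
    'Registry::HKEY_CURRENT_USER\Software\Classes'
)

$findings = @()
foreach ($root in $roots) {
    foreach ($cls in $expected.Keys) {
        $key = "$root\$cls\shell\open\command"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $actual = (Get-ItemProperty -LiteralPath $key).'(default)'
        # Key present but no default value: nothing launches through it, skip.
        if ($null -eq $actual) { continue }
        if ($actual -ne $expected[$cls]) {
            $findings += [pscustomobject]@{
                Key      = $key
                Actual   = $actual
                Expected = $expected[$cls]
            }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'No hijacked open commands found.'
} else {
    # Show the interposed binary's path; that file still has to be removed
    # separately (MBAM quarantined C:\temp\desote.exe in the log above).
    $findings | Format-Table -AutoSize -Wrap
    if ($Restore) {
        foreach ($f in $findings) {
            Set-ItemProperty -LiteralPath $f.Key -Name '(default)' -Value $f.Expected
            Write-Host "Restored $($f.Key)"
        }
    }
}
```

Running it without `-Restore` only reports; with `-Restore` it rewrites the hijacked values to the stock defaults, which is the same repair MBAM recorded as "Bad: ... Good: ("%1" %*)". Restoring the value does nothing about the binary it pointed at or about whatever keeps recreating files after a reboot, so it is a check and a first-aid step, not a cleanup.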

All 2 Replies

Is the only way you can run programs like MBA-M via Safe Mode?
Did you reboot fully after running MBA-M?

I have not been able to load Windows normally except for the one time after loading the last known good settings, which got me in to find that I had WPP on my desktop and could not run any apps. Ever since then, I get the blue screen within 10 seconds of seeing the login screen, regardless of whether I log in or stay on that screen.

Safe mode is my only way into Windows at this time.
