
Earlier I randomly noticed the Police Pro pop-up on my desktop and immediately attempted to run McAfee, since that's what's on this laptop. Seeing as it wouldn't load up, I rebooted to Safe Mode and found this site after attempting to do various things and failing.

I deleted desote.exe, hopped into regedit through "as Administrator" and edited the required entry, as well as deleting any others I could find that had to do with desote or WPPro. I wanted to just keep going with any steps to check things. McAfee did find a trojan file that it deleted (a randomly named thing, I believe). I also ran Win32kDiag(?). Here is the log:

Log file is located at: C:\Users\Michael\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\Windows'...


Cannot access: C:\Windows\bthservsdp.dat

[1] 2009-09-09 23:08:20 12 C:\Windows\bthservsdp.dat ()


Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl

[1] 2009-09-10 00:09:17 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl ()


Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl

[1] 2009-09-10 00:08:48 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl ()


Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl

[1] 2009-09-10 00:08:48 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl ()


Cannot access: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl

[1] 2009-09-10 00:08:48 64 C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl ()


Finished!


Any further info would be appreciated. And sorry if I've forgotten anything, I was tired long before this happened.

Last Post by PhilliePhan

Hi Xiados,

Please download FindIt.zip and extract the FindIt folder to your desktop.
-- Inside the folder, you'll see RunThis.bat - double-click it and let it run (10-20 seconds).
A log should pop up - please post that for me.


I will check back as time permits.

PP :)

Thanks for any time you have! Here's the find it results:

Looking for cngaudit.dll

C:\WINDOWS\SYSTEM32\
cngaudit.dll Thu Nov 2 2006 5:46:04a A.... 11,776 11.50 K

C:\WINDOWS\WINSXS\X8D921~1.163\
cngaudit.dll Thu Nov 2 2006 5:46:04a A.... 11,776 11.50 K

D:\WINDOWS\SYSTEM32\
cngaudit.dll Thu Nov 2 2006 5:46:04a A.... 11,776 11.50 K

D:\WINDOWS\WINSXS\X81D05~1.180\
cngaudit.dll Sat Jan 19 2008 4:51:16a A.... 11,776 11.50 K

4 items found: 4 files, 0 directories.
Total of file sizes: 47,104 bytes 46.00 K


Looking for eventlog.dll

C:\PROGRA~1\FINGER~1\
eventlog.dll Tue Apr 17 2007 1:06:36a A.... 33,280 32.50 K

C:\WINDOWS\SYSTEM32\NDF\
eventlog.etl Tue Aug 25 2009 11:56:50a A.... 327,680 320.00 K

2 items found: 2 files, 0 directories.
Total of file sizes: 360,960 bytes 352.50 K


Looking for logevent.dll

No matches found.


Looking for netlogon.dll

C:\WINDOWS\SYSTEM32\
netlogon.dll Sat Apr 11 2009 2:28:24a A.... 592,896 579.00 K

C:\WINDOWS\WINSXS\X8834C~1.180\
netlogon.dll Sat Apr 11 2009 2:28:24a A.... 592,896 579.00 K

C:\WINDOWS\WINSXS\X8EB3B~1.180\
netlogon.dll Sun Jan 20 2008 10:24:06p A.... 592,384 578.50 K

D:\WINDOWS\SYSTEM32\
netlogon.dll Sat Jan 19 2008 3:35:38a A.... 592,384 578.50 K

D:\WINDOWS\WINSXS\X8EB3B~1.180\
netlogon.dll Sat Jan 19 2008 4:51:18a A.... 592,384 578.50 K

5 items found: 5 files, 0 directories.
Total of file sizes: 2,962,944 bytes 2.82 M


Looking for scecli.dll

C:\WINDOWS\SYSTEM32\
scecli.dll Sat Apr 11 2009 2:28:26a A.... 177,152 173.00 K

C:\WINDOWS\WINSXS\X84EB9~1.180\
scecli.dll Sun Jan 20 2008 10:24:52p A.... 177,152 173.00 K

C:\WINDOWS\WINSXS\X8FE87~1.180\
scecli.dll Sat Apr 11 2009 2:28:26a A.... 177,152 173.00 K

D:\WINDOWS\SYSTEM32\
scecli.dll Sat Jan 19 2008 3:36:20a A.... 177,152 173.00 K

D:\WINDOWS\WINSXS\X84EB9~1.180\
scecli.dll Sat Jan 19 2008 4:52:46a A.... 177,152 173.00 K

5 items found: 5 files, 0 directories.
Total of file sizes: 885,760 bytes 865.00 K
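As an added example, not FindIt's own logic and not part of this thread: a small Python script that parses a FindIt-style listing and compares the size of each DLL's System32 copy against the WinSxS copies of the same name on the same drive, which is one way a defender can spot a system DLL that has been replaced or patched on disk. The sample input is the netlogon.dll block from the listing above with one constructed, altered size on D:\WINDOWS\SYSTEM32 so that a flagged entry is visible.

```python
import re
from collections import defaultdict

# One listing line, e.g. "scecli.dll Sat Apr 11 2009 2:28:26a A.... 177,152 173.00 K"
FILE_RE = re.compile(r"^(?P<name>\S+)\s+\w{3} \w{3} \d{1,2} \d{4} [\d:]+[ap]\s+"
                     r"[A-Z.]+\s+(?P<size>[\d,]+)\s+[\d.]+ [KMG]$")
DIR_RE = re.compile(r"^[A-Z]:\\.*\\$")  # directory header line, e.g. "C:\WINDOWS\SYSTEM32\"

# Constructed sample: the netlogon.dll block from the thread's listing, with the
# D:\WINDOWS\SYSTEM32 size altered (592,512) so that a flagged entry shows up.
SAMPLE = r"""Looking for netlogon.dll
C:\WINDOWS\SYSTEM32\
netlogon.dll Sat Apr 11 2009 2:28:24a A.... 592,896 579.00 K
C:\WINDOWS\WINSXS\X8834C~1.180\
netlogon.dll Sat Apr 11 2009 2:28:24a A.... 592,896 579.00 K
D:\WINDOWS\SYSTEM32\
netlogon.dll Sat Jan 19 2008 3:35:38a A.... 592,512 578.62 K
D:\WINDOWS\WINSXS\X8EB3B~1.180\
netlogon.dll Sat Jan 19 2008 4:51:18a A.... 592,384 578.50 K
"""

def parse_findit(text):
    """Return (directory, filename, size_in_bytes) for every file line in the listing."""
    entries, current_dir = [], None
    for line in text.splitlines():
        line = line.strip()
        if DIR_RE.match(line):
            current_dir = line.upper()
        elif current_dir and (m := FILE_RE.match(line)):
            entries.append((current_dir, m["name"].lower(),
                            int(m["size"].replace(",", ""))))
    return entries

def check_system32_against_winsxs(entries):
    """Map 'DRIVE:name' -> 'match' | 'MISMATCH' | 'no-winsxs-copy' for each DLL found
    under \\WINDOWS\\SYSTEM32, by comparing its size with the WinSxS copies on that drive."""
    sys32, winsxs = {}, defaultdict(set)
    for directory, name, size in entries:
        key = (directory[0], name)
        if directory.endswith("\\WINDOWS\\SYSTEM32\\"):
            sys32[key] = size
        elif "\\WINSXS\\" in directory:
            winsxs[key].add(size)
    verdicts = {}
    for (drive, name), size in sys32.items():
        backups = winsxs.get((drive, name), set())
        verdicts[f"{drive}:{name}"] = ("no-winsxs-copy" if not backups
                                      else "match" if size in backups else "MISMATCH")
    return verdicts
```

A size match is only a weak signal (a patched file can be padded back to its original size), so a mismatch is a lead to verify with hashes or a clean copy, not a verdict on its own.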


Happy to try to help :)

Let's try this:

If you already have combofix on your machine, DELETE it.

Then follow the instructions in the link below to DL a fresh Combofix and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

What I want you to do, though, is this:
When you download it and it asks you to "Save File As," rename combofix to Zappafix.exe, download it to your desktop under that name, and follow the instructions in the linky very carefully to run Combofix. Then post the Combofix log for me.

Let me know if you have trouble with that. I'll be back tonight.

PP :)
