0

Hello all,
I am trying to remove WPP from my parents' computer and started by reading PhilliePhan's "read this first" post.
I am able to start the infected computer in safe mode with networking and have enabled viewing of hidden files as instructed.
I cannot however disable system restore because the properties link is not highlighted even when logged in as administrator.
What should my next step be?
Thanks,
Jodi

2 Contributors, 7 Replies, 8 Views, 8 Years Discussion Span, Last Post by PhilliePhan
0

I cannot however disable system restore because the properties link is not highlighted even when logged in as administrator.
What should my next step be?

Hi Jodi,

You don't want to disable system restore before your machine has been cleaned. We usually do it After the cleaning process.

As far as WPP is concerned, it is very nasty and often the easiest and least stressful method to deal with it is a re-format and re-install of Windows.

--- If you'd like to try to clean this, please download and install MBA-M as per the sticky post (if you are able), but DO NOT RUN IT YET. If you are unable to install it, please go on to the next step.

--- Then, please download FindWPP.zip and Extract the FindWPP folder to your desktop.
-- Inside the folder, you'll see RunThis.bat - DoubleClick it and let it run for as long as it takes.
A log should pop up - please post that for me.

I will try to check back as time permits.

PP :)

Edited by PhilliePhan: The Usual....

0

I would love to reformat and reload; however, I cannot locate the software - the infected computer belongs to my parents.

Tried to download MBA-M on the infected computer, but wasn't able.

I did run FindWPP and the log is posted below. I appreciate your help.
Please note that my mother thinks she may have run spyware doctor at some point recently and it detected 30 or so issues.

Microsoft Windows XP [Version 5.1.2600]
Mon 09/21/2009
03:23 PM

FindWPP is running from C:\Documents and Settings\Administrator

RUNNING PROCESSES


EXE KEY MODIFIED?


[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\system32\\desot.exe \"%1\" %*"


CHECKING SELECT POLICIES KEYS


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"HonorAutoRunSetting"=dword:00000001


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001


LOOKING FOR REPLACED FILES

Looking for cngaudit.dll

Looking for eventlog.dll

Looking for imm32.dll

Looking for logevent.dll

Looking for netlogon.dll

Looking for qmgr.dll

Looking for rasauto.dll

Looking for scecli.dll


LOOKING FOR SUSPICIOUS FILES

SEARCH AND DESTROY KNOWN FILES

Looking for windows Police Pro.exe

Looking for dddesot.dll

Looking for wisdstr.exe

Looking for desote.exe

Looking for svchasts.exe

Looking for ppp4.dat

Looking for sysnet.dat

Looking for bincd32.dat

Looking for ppp3.dat

Looking for desot.exe

Looking for wispex.html

Looking for qcfbc.wbg

Looking for windows Police Pro.exe

Looking for svchast.exe

Looking for dbsinit.exe

Looking for braviax.exe

Looking for bennuar.old

EXE KEY STILL MODIFIED?


[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\system32\\desot.exe \"%1\" %*"


SUSPECT REG KEYS

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ANTIPPOLICE_]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ANTIPPOLICE_\0000]
"Service"="AntipPolice_"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AntipPolice_]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AntipPolice_\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_ANTIPPOLICE_]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_ANTIPPOLICE_\0000]
"Service"="AntipPolice_"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\AntipPolice_]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\AntipPolice_\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\AntipPolice_\Enum]
"0"="Root\\LEGACY_ANTIPPOLICE_\\0000"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_ANTIPPOLICE_]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_ANTIPPOLICE_\0000]
"Service"="AntipPolice_"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\AntipPolice_]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\AntipPolice_\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ANTIPPOLICE_]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ANTIPPOLICE_\0000]
"Service"="AntipPolice_"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AntipPolice_]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AntipPolice_\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AntipPolice_\Enum]
"0"="Root\\LEGACY_ANTIPPOLICE_\\0000"

CHECKING MBAM


Microsoft Windows XP [Version 5.1.2600]
Mon 09/21/2009
06:14 PM

FindWPP is running from C:\Documents and Settings\Administrator

RUNNING PROCESSES


EXE KEY MODIFIED?


[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\system32\\desot.exe \"%1\" %*"


CHECKING SELECT POLICIES KEYS


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"HonorAutoRunSetting"=dword:00000001


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001


LOOKING FOR REPLACED FILES

Looking for cngaudit.dll

Looking for eventlog.dll

Looking for imm32.dll

Looking for logevent.dll

Looking for netlogon.dll

Looking for qmgr.dll

Looking for rasauto.dll

Looking for scecli.dll


LOOKING FOR SUSPICIOUS FILES

SEARCH AND DESTROY KNOWN FILES

Looking for windows Police Pro.exe

Looking for dddesot.dll

Looking for wisdstr.exe

Looking for desote.exe

Looking for svchasts.exe

Looking for ppp4.dat

Looking for sysnet.dat

Looking for bincd32.dat

Looking for ppp3.dat

Looking for desot.exe

Looking for wispex.html

Looking for qcfbc.wbg

Looking for windows Police Pro.exe

Looking for svchast.exe

Looking for dbsinit.exe

Looking for braviax.exe

Looking for bennuar.old

EXE KEY STILL MODIFIED?


[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\system32\\desot.exe \"%1\" %*"


SUSPECT REG KEYS

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ANTIPPOLICE_]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ANTIPPOLICE_\0000]
"Service"="AntipPolice_"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AntipPolice_]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AntipPolice_\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_ANTIPPOLICE_]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_ANTIPPOLICE_\0000]
"Service"="AntipPolice_"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\AntipPolice_]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\AntipPolice_\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\AntipPolice_\Enum]
"0"="Root\\LEGACY_ANTIPPOLICE_\\0000"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_ANTIPPOLICE_]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_ANTIPPOLICE_\0000]
"Service"="AntipPolice_"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\AntipPolice_]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\AntipPolice_\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ANTIPPOLICE_]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ANTIPPOLICE_\0000]
"Service"="AntipPolice_"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AntipPolice_]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AntipPolice_\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AntipPolice_\Enum]
"0"="Root\\LEGACY_ANTIPPOLICE_\\0000"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ANTIPPOLICE_]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ANTIPPOLICE_\0000]
"Service"="AntipPolice_"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AntipPolice_]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AntipPolice_\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_ANTIPPOLICE_]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_ANTIPPOLICE_\0000]
"Service"="AntipPolice_"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\AntipPolice_]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\AntipPolice_\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\AntipPolice_\Enum]
"0"="Root\\LEGACY_ANTIPPOLICE_\\0000"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_ANTIPPOLICE_]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_ANTIPPOLICE_\0000]
"Service"="AntipPolice_"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\AntipPolice_]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\AntipPolice_\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ANTIPPOLICE_]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ANTIPPOLICE_\0000]
"Service"="AntipPolice_"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AntipPolice_]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AntipPolice_\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AntipPolice_\Enum]
"0"="Root\\LEGACY_ANTIPPOLICE_\\0000"

CHECKING MBAM

0

I did run FindWPP and the log is posted below. I appreciate your help.
Please note that my mother thinks she may have run spyware doctor at some point recently and it detected 30 or so issues.

Happy to try to help :)
I have to say, though, that the success rate for repairing this is not great.

-- Are you able to run Spyware Doctor? If so, have it remove all it finds. Post the log.
-- Are you able to find the log from Spyware Doctor's previous run?

-- I need you to run FindWPP again. You need RightClick on FindWPP.zip and EXTRACT the FindWPP folder from the ZIP to your desktop. Otherwise it will not run properly. Please post the new log.

-- Do you have a flash drive that you can use to transfer tools to the ill computer in the event we cannot download what we need?

PP :)

Edited by PhilliePhan: The Usual...

0

I have not located the previous Spyware Doctor log; will try to run it again and will post the results along with the correct FindWPP log tomorrow.
After running the SpywareDoctor do I "Fix" the files found or is there an option to remove them?
j

Edited by jlludwig: I do have a flash drive and another computer to use nearby if necessary.

0

After running the SpywareDoctor do I "Fix" the files found or is there an option to remove them?

I haven't used SD in years - Whatever option it gives you to remove them, go for it. Let me know.

If you have an empty flash drive (chances are that it will get infected) I'll give you a list of tools to download and have handy. A couple will require special steps to "rename" them before you DL them:

-- http://ad13.geekstogo.com/Win32kDiag.exe

-- http://swandog46.geekstogo.com/avenger.zip

-- Go to this linky and Download Combofix (Just DL - Don't worry about anything else):
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

What I want you to do, though, is this:
When you download it and it asks you to "Save File As," rename combofix to svchost.com and then download it to your flash drive as that.

-- DDS by sUBs

-- http://download.sysinternals.com/Files/Junction.zip

-- http://download.bleepingcomputer.com/sUBs/Beta/fr33.exe

-- http://www.malwarebytes.org/mbam-download.php

Hopefully those will be all we will need. . . . Also, please keep the ill computer offline as much as possible to prevent re-infection.

Let me know when you are ready to start - I'm generally available in the evenings EST.

PP :)

Edited by PhilliePhan: n/a

0

FindWPP log below, SP to follow

Microsoft Windows XP [Version 5.1.2600]
Mon 09/21/2009
10:20 PM

FindWPP is running from C:\Documents and Settings\Administrator\Desktop\FindWPP

RUNNING PROCESSES

PROCESS PID PRIO PATH
smss.exe 520 Normal C:\WINDOWS\System32\smss.exe
csrss.exe 572 Normal C:\WINDOWS\system32\csrss.exe
winlogon.exe 596 High C:\WINDOWS\system32\winlogon.exe
services.exe 640 Normal C:\WINDOWS\system32\services.exe
lsass.exe 652 Normal C:\WINDOWS\system32\lsass.exe
svchost.exe 808 Normal C:\WINDOWS\system32\svchost.exe
svchost.exe 900 Normal C:\WINDOWS\system32\svchost.exe
svchost.exe 1068 Normal C:\WINDOWS\system32\svchost.exe
svchost.exe 1124 Normal C:\WINDOWS\system32\svchost.exe
svchost.exe 1208 Normal C:\WINDOWS\system32\svchost.exe
Explorer.EXE 1436 Normal C:\WINDOWS\Explorer.EXE
pctsAuxs.exe 1528 Normal C:\Program Files\Spyware Doctor\pctsAuxs.exe
pctsSvc.exe 1548 High C:\Program Files\Spyware Doctor\pctsSvc.exe
pctsTray.exe 1688 Normal C:\Program Files\Spyware Doctor\pctsTray.exe
pctsGui.exe 772 High C:\Program Files\Spyware Doctor\pctsGui.exe
iexplore.exe 860 Normal C:\Program Files\Internet Explorer\iexplore.exe
ctfmon.exe 1448 Normal C:\WINDOWS\system32\ctfmon.exe
cmd.exe 1424 Normal C:\WINDOWS\system32\cmd.exe
pv.exe 848 Normal C:\Documents and Settings\Administrator\Desktop\FindWPP\pv.exe

EXE KEY MODIFIED?


[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\system32\\desot.exe \"%1\" %*"


CHECKING SELECT POLICIES KEYS


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"HonorAutoRunSetting"=dword:00000001


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001


LOOKING FOR REPLACED FILES

Looking for cngaudit.dll

No matches found.

Looking for eventlog.dll

C:\I386\
eventlog.dll Wed Aug 4 2004 5:00:00a A.... 55,808 54.50 K

C:\WINDOWS\$NTSER~3\
eventlog.dll Wed Aug 4 2004 5:00:00a ..... 55,808 54.50 K

C:\WINDOWS\SYSTEM32\
eventlog.dll Sun Apr 13 2008 6:11:54p A.... 56,320 55.00 K

C:\WINDOWS\SERVIC~1\I386\
eventlog.dll Sun Apr 13 2008 6:11:54p ..... 56,320 55.00 K

4 items found: 4 files, 0 directories.
Total of file sizes: 224,256 bytes 219.00 K

Looking for imm32.dll

C:\I386\
imm32.dll Wed Aug 4 2004 5:00:00a A.... 110,080 107.50 K

C:\WINDOWS\$NTSER~3\
imm32.dll Wed Aug 4 2004 5:00:00a ..... 110,080 107.50 K

C:\WINDOWS\SYSTEM32\
imm32.dll Sun Apr 13 2008 6:11:54p A.... 110,080 107.50 K

C:\WINDOWS\SERVIC~1\I386\
imm32.dll Sun Apr 13 2008 6:11:54p ..... 110,080 107.50 K

4 items found: 4 files, 0 directories.
Total of file sizes: 440,320 bytes 430.00 K

Looking for logevent.dll

No matches found.

Looking for netlogon.dll

C:\I386\
netlogon.dll Wed Aug 4 2004 5:00:00a A.... 407,040 397.50 K

C:\WINDOWS\$NTSER~3\
netlogon.dll Wed Aug 4 2004 5:00:00a ..... 407,040 397.50 K

C:\WINDOWS\SYSTEM32\
netlogon.dll Sun Apr 13 2008 6:12:02p A.... 407,040 397.50 K

C:\WINDOWS\SERVIC~1\I386\
netlogon.dll Sun Apr 13 2008 6:12:02p ..... 407,040 397.50 K

4 items found: 4 files, 0 directories.
Total of file sizes: 1,628,160 bytes 1.55 M

Looking for qmgr.dll

C:\I386\
qmgr.dll Wed Aug 4 2004 5:00:00a A.... 382,464 373.50 K
qmgr.inf Wed Aug 4 2004 5:00:00a A.... 6,140 5.99 K

C:\WINDOWS\$NTSER~3\
qmgr.dll Wed Aug 4 2004 5:00:00a ..... 382,464 373.50 K
qmgr.inf Wed Aug 4 2004 5:00:00a ..... 6,140 5.99 K

C:\WINDOWS\INF\
qmgr.inf Thu Apr 26 2007 4:13:44a A.... 6,547 6.39 K
qmgr.pnf Sat Dec 27 2008 1:00:14a A.... 11,920 11.64 K

C:\WINDOWS\SYSTEM32\
qmgr.dll Sun Apr 13 2008 6:12:04p A.... 409,088 399.50 K

C:\WINDOWS\SERVIC~1\I386\
qmgr.dll Sun Apr 13 2008 6:12:04p ..... 409,088 399.50 K
qmgr.inf Thu Apr 26 2007 4:13:44a ..... 6,547 6.39 K

C:\WINDOWS\SYSTEM32\BITS\
qmgr.dll Sun Apr 13 2008 6:12:04p ..... 409,088 399.50 K

10 items found: 10 files, 0 directories.
Total of file sizes: 2,029,486 bytes 1.93 M

Looking for rasauto.dll

C:\I386\
rasauto.dll Wed Aug 4 2004 5:00:00a A.... 89,088 87.00 K

C:\WINDOWS\$NTSER~3\
rasauto.dll Wed Aug 4 2004 5:00:00a ..... 89,088 87.00 K

C:\WINDOWS\SYSTEM32\
rasauto.dll Sun Apr 13 2008 6:12:04p A.... 88,576 86.50 K

C:\WINDOWS\SERVIC~1\I386\
rasauto.dll Sun Apr 13 2008 6:12:04p ..... 88,576 86.50 K

4 items found: 4 files, 0 directories.
Total of file sizes: 355,328 bytes 347.00 K

Looking for scecli.dll

C:\I386\
scecli.dll Wed Aug 4 2004 5:00:00a A.... 180,224 176.00 K

C:\WINDOWS\$NTSER~3\
scecli.dll Wed Aug 4 2004 5:00:00a ..... 180,224 176.00 K

C:\WINDOWS\SYSTEM32\
scecli.dll Sun Apr 13 2008 6:12:06p A.... 181,248 177.00 K

C:\WINDOWS\SERVIC~1\I386\
scecli.dll Sun Apr 13 2008 6:12:06p ..... 181,248 177.00 K

4 items found: 4 files, 0 directories.
Total of file sizes: 722,944 bytes 706.00 K


LOOKING FOR SUSPICIOUS FILES


No matches found.

No matches found.

No matches found.

No matches found.


SEARCH AND DESTROY KNOWN FILES

Looking for windows Police Pro.exe

No matches found.

Looking for dddesot.dll

C:\WINDOWS\SYSTEM32\
dddesot.dll Mon Sep 21 2009 1:49:04p A.... 1,142,272 1.09 M

1 item found: 1 file, 0 directories.
Total of file sizes: 1,142,272 bytes 1.09 M
File: "C:\WINDOWS\system32\dddesot.dll"
Granting NTFS rights (F access for This Folder and Files) for "Everyone"

Looking for wisdstr.exe

No matches found.

Looking for desote.exe

No matches found.

Looking for svchasts.exe

No matches found.

Looking for ppp4.dat

C:\WINDOWS\
ppp4.dat Mon Sep 21 2009 1:51:34p A.... 58 0.05 K

1 item found: 1 file, 0 directories.
Total of file sizes: 58 bytes 0.05 K
File: "C:\WINDOWS\ppp4.dat"
Granting NTFS rights (F access for This Folder and Files) for "Everyone"

Looking for sysnet.dat

C:\WINDOWS\SYSTEM32\
sysnet.dat Sun Sep 20 2009 7:41:56p A.... 36 0.04 K

1 item found: 1 file, 0 directories.
Total of file sizes: 36 bytes 0.04 K
File: "C:\WINDOWS\system32\sysnet.dat"
Granting NTFS rights (F access for This Folder and Files) for "Everyone"

Looking for bincd32.dat

C:\WINDOWS\SYSTEM32\
bincd32.dat Mon Sep 21 2009 7:06:36a A.... 4 0.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 4 bytes 0.00 K
File: "C:\WINDOWS\system32\bincd32.dat"
Granting NTFS rights (F access for This Folder and Files) for "Everyone"

Looking for ppp3.dat

C:\WINDOWS\
ppp3.dat Mon Sep 21 2009 1:51:34p A.... 2 0.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 2 bytes 0.00 K
File: "C:\WINDOWS\ppp3.dat"
Granting NTFS rights (F access for This Folder and Files) for "Everyone"

Looking for desot.exe

C:\WINDOWS\SYSTEM32\
desot.exe Mon Sep 21 2009 1:51:34p A.... 345,088 337.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 345,088 bytes 337.00 K
File: "C:\WINDOWS\system32\desot.exe"
Granting NTFS rights (F access for This Folder and Files) for "Everyone"

Looking for wispex.html

No matches found.

Looking for qcfbc.wbg

No matches found.

Looking for windows Police Pro.exe

No matches found.

Looking for svchast.exe

C:\WINDOWS\
svchast.exe Sun Sep 20 2009 7:41:58p A.... 69,632 68.00 K

1 item found: 1 file, 0 directories.
Total of file sizes: 69,632 bytes 68.00 K
File: "C:\WINDOWS\svchast.exe"
Granting NTFS rights (F access for This Folder and Files) for "Everyone"

Looking for dbsinit.exe

No matches found.

Looking for braviax.exe

No matches found.

Looking for bennuar.old

C:\WINDOWS\SYSTEM32\
bennuar.old Sun Sep 20 2009 7:41:56p A.... 9 0.01 K

1 item found: 1 file, 0 directories.
Total of file sizes: 9 bytes 0.01 K
File: "C:\WINDOWS\system32\bennuar.old"
Granting NTFS rights (F access for This Folder and Files) for "Everyone"

EXE KEY STILL MODIFIED?


[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"


SUSPECT REG KEYS

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ANTIPPOLICE_]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ANTIPPOLICE_\0000]
"Service"="AntipPolice_"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AntipPolice_]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AntipPolice_\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_ANTIPPOLICE_]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_ANTIPPOLICE_\0000]
"Service"="AntipPolice_"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\AntipPolice_]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\AntipPolice_\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\AntipPolice_\Enum]
"0"="Root\\LEGACY_ANTIPPOLICE_\\0000"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_ANTIPPOLICE_]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_ANTIPPOLICE_\0000]
"Service"="AntipPolice_"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\AntipPolice_]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\AntipPolice_\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ANTIPPOLICE_]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ANTIPPOLICE_\0000]
"Service"="AntipPolice_"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AntipPolice_]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AntipPolice_\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AntipPolice_\Enum]
"0"="Root\\LEGACY_ANTIPPOLICE_\\0000"

CHECKING MBAM

No matches found.
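The logs above show the telltale of this infection: the exefile open handler under HKEY_CLASSES_ROOT points at desot.exe, so every .exe launch is routed through the rogue program, and after the tool's repair pass the same key reads the stock "%1" %* again; the SUSPECT REG KEYS section lists the AntipPolice_ service in every ControlSet. As an added example that is not part of this thread or of the FindWPP tool, the Python below parses a FindWPP log (a constructed excerpt modelled on the posted ones is embedded) and reports whether the handler was hijacked, by which program, whether it is stock now, and which suspect services remain.

```python
import re

EXEFILE_KEY = r"[HKEY_CLASSES_ROOT\exefile\shell\open\command]"
STOCK_HANDLER = '"%1" %*'  # untouched XP default: launch the .exe itself
# Any Services\<name> key in the log; FindWPP prints only the ones it flags.
SERVICE_KEY = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\(?:CurrentControlSet|ControlSet\d+)"
    r"\\Services\\([^\\\]]+)\]$")


def unescape_reg(value):
    # Undo .reg export escaping: doubled backslashes and backslash-escaped quotes.
    return re.sub(r"\\(.)", r"\1", value)


def exefile_handlers(log):
    """Unescaped default values of the exefile open command, in the order printed.
    FindWPP prints the key twice: before and after its repair attempt."""
    lines = [l.strip() for l in log.splitlines() if l.strip()]
    out = []
    for key, val in zip(lines, lines[1:]):
        if key == EXEFILE_KEY and val.startswith('@="') and val.endswith('"'):
            out.append(unescape_reg(val[3:-1]))
    return out


def hijack_target(handler):
    """Program wrapping every .exe launch, or None when the handler is stock."""
    if handler.strip() == STOCK_HANDLER:
        return None
    return handler.split(' "%1"')[0].strip()


def suspect_services(log):
    """Service names under SUSPECT REG KEYS (deduplicated across ControlSets)."""
    lines = (l.strip() for l in log.splitlines())
    return sorted({m.group(1) for m in map(SERVICE_KEY.match, lines) if m})


def triage(log):
    """Summarise one FindWPP log: was the .exe handler hijacked, by what,
    did the tool restore it, and which rogue service keys are present."""
    handlers = exefile_handlers(log)
    before = hijack_target(handlers[0]) if handlers else None
    after = hijack_target(handlers[-1]) if handlers else None
    return {
        "hijacked_before": before is not None,
        "hijack_target": before,
        "hijacked_after": after is not None,
        "suspect_services": suspect_services(log),
    }


# Constructed excerpt modelled on the logs in this thread (not a real capture).
SAMPLE_LOG = r"""
EXE KEY MODIFIED?

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\system32\\desot.exe \"%1\" %*"

EXE KEY STILL MODIFIED?

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"

SUSPECT REG KEYS

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AntipPolice_]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AntipPolice_\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AntipPolice_]
"""

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A handler that is anything other than "%1" %* means the listed program sees the command line of every executable the user starts, which is why a cleaning tool can be blocked or hijacked until the key is restored.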

0

FindWPP log below, SP to follow

Hi Jodi,

Let's keep our fingers crossed, but that does not look nearly as bad as some of the other infections I have seen. Granted, a lot can hide from my simple batch tool, but a couple key items are not showing.

It would be best to keep this compy offline as much as we can until it is clean.

--- After running Spyware Doctor, see if you are able to install and run MalwareBytes' Anti-Malware.
Update it and do the Quick Scan and have it REMOVE all that it finds and then post that log along with the SD log.

With any luck, it will remove most of this baddie.

Let me know how you fare and any problems that crop up along the way.

PP:)

Edited by PhilliePhan: n/a
