Hello all,
I am trying to remove WPP from my parents' computer and started by reading PhilliePhan's "Read This First" post.
I am able to start the infected computer in safe mode with networking and have enabled viewing of hidden files as instructed.
I cannot however disable system restore because the properties link is not highlighted even when logged in as administrator.
What should my next step be?
Thanks,
Jodi
jlludwig 0 Newbie Poster
PhilliePhan 171 Central Scrutinizer Team Colleague
I cannot however disable system restore because the properties link is not highlighted even when logged in as administrator.
What should my next step be?
Hi Jodi,
You don't want to disable system restore before your machine has been cleaned. We usually do it after the cleaning process.
As far as WPP is concerned, it is very nasty and often the easiest and least stressful method to deal with it is a re-format and re-install of Windows.
--- If you'd like to try to clean this, please download and install MBA-M as per the sticky post (if you are able), but DO NOT RUN IT YET. If you are unable to install it, please go on to the next step.
--- Then, please download FindWPP.zip and Extract the FindWPP folder to your desktop.
-- Inside the folder, you'll see RunThis.bat - DoubleClick it and let it run for as long as it takes.
A log should pop up - please post that for me.
I will try to check back as time permits.
PP :)
Edited by PhilliePhan because: The Usual....
jlludwig 0 Newbie Poster
I would love to reformat and reload, however, I cannot locate the software - the infected computer belongs to my parents.
Tried to download MBA-M on the infected computer, but wasn't able.
I did run FindWPP and the log is posted below. I appreciate your help.
Please note that my mother thinks she may have run spyware doctor at some point recently and it detected 30 or so issues.
Microsoft Windows XP [Version 5.1.2600]
Mon 09/21/2009
03:23 PM
FindWPP is running from C:\Documents and Settings\Administrator
RUNNING PROCESSES
EXE KEY MODIFIED?
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\system32\\desot.exe \"%1\" %*"
CHECKING SELECT POLICIES KEYS
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"HonorAutoRunSetting"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
LOOKING FOR REPLACED FILES
Looking for cngaudit.dll
Looking for eventlog.dll
Looking for imm32.dll
Looking for logevent.dll
Looking for netlogon.dll
Looking for qmgr.dll
Looking for rasauto.dll
Looking for scecli.dll
LOOKING FOR SUSPICIOUS FILES
SEARCH AND DESTROY KNOWN FILES
Looking for windows Police Pro.exe
Looking for dddesot.dll
Looking for wisdstr.exe
Looking for desote.exe
Looking for svchasts.exe
Looking for ppp4.dat
Looking for sysnet.dat
Looking for bincd32.dat
Looking for ppp3.dat
Looking for desot.exe
Looking for wispex.html
Looking for qcfbc.wbg
Looking for windows Police Pro.exe
Looking for svchast.exe
Looking for dbsinit.exe
Looking for braviax.exe
Looking for bennuar.old
EXE KEY STILL MODIFIED?
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\system32\\desot.exe \"%1\" %*"
SUSPECT REG KEYS
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ANTIPPOLICE_]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ANTIPPOLICE_\0000]
"Service"="AntipPolice_"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AntipPolice_]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AntipPolice_\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_ANTIPPOLICE_]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_ANTIPPOLICE_\0000]
"Service"="AntipPolice_"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\AntipPolice_]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\AntipPolice_\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\AntipPolice_\Enum]
"0"="Root\\LEGACY_ANTIPPOLICE_\\0000"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_ANTIPPOLICE_]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_ANTIPPOLICE_\0000]
"Service"="AntipPolice_"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\AntipPolice_]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\AntipPolice_\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ANTIPPOLICE_]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ANTIPPOLICE_\0000]
"Service"="AntipPolice_"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AntipPolice_]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AntipPolice_\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AntipPolice_\Enum]
"0"="Root\\LEGACY_ANTIPPOLICE_\\0000"
CHECKING MBAM
Microsoft Windows XP [Version 5.1.2600]
Mon 09/21/2009
06:14 PM
FindWPP is running from C:\Documents and Settings\Administrator
RUNNING PROCESSES
EXE KEY MODIFIED?
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\system32\\desot.exe \"%1\" %*"
CHECKING SELECT POLICIES KEYS
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"HonorAutoRunSetting"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
LOOKING FOR REPLACED FILES
Looking for cngaudit.dll
Looking for eventlog.dll
Looking for imm32.dll
Looking for logevent.dll
Looking for netlogon.dll
Looking for qmgr.dll
Looking for rasauto.dll
Looking for scecli.dll
LOOKING FOR SUSPICIOUS FILES
SEARCH AND DESTROY KNOWN FILES
Looking for windows Police Pro.exe
Looking for dddesot.dll
Looking for wisdstr.exe
Looking for desote.exe
Looking for svchasts.exe
Looking for ppp4.dat
Looking for sysnet.dat
Looking for bincd32.dat
Looking for ppp3.dat
Looking for desot.exe
Looking for wispex.html
Looking for qcfbc.wbg
Looking for windows Police Pro.exe
Looking for svchast.exe
Looking for dbsinit.exe
Looking for braviax.exe
Looking for bennuar.old
EXE KEY STILL MODIFIED?
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\system32\\desot.exe \"%1\" %*"
SUSPECT REG KEYS
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ANTIPPOLICE_]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ANTIPPOLICE_\0000]
"Service"="AntipPolice_"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AntipPolice_]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AntipPolice_\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_ANTIPPOLICE_]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_ANTIPPOLICE_\0000]
"Service"="AntipPolice_"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\AntipPolice_]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\AntipPolice_\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\AntipPolice_\Enum]
"0"="Root\\LEGACY_ANTIPPOLICE_\\0000"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_ANTIPPOLICE_]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_ANTIPPOLICE_\0000]
"Service"="AntipPolice_"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\AntipPolice_]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\AntipPolice_\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ANTIPPOLICE_]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ANTIPPOLICE_\0000]
"Service"="AntipPolice_"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AntipPolice_]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AntipPolice_\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AntipPolice_\Enum]
"0"="Root\\LEGACY_ANTIPPOLICE_\\0000"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ANTIPPOLICE_]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ANTIPPOLICE_\0000]
"Service"="AntipPolice_"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AntipPolice_]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AntipPolice_\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_ANTIPPOLICE_]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_ANTIPPOLICE_\0000]
"Service"="AntipPolice_"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\AntipPolice_]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\AntipPolice_\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\AntipPolice_\Enum]
"0"="Root\\LEGACY_ANTIPPOLICE_\\0000"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_ANTIPPOLICE_]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_ANTIPPOLICE_\0000]
"Service"="AntipPolice_"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\AntipPolice_]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\AntipPolice_\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ANTIPPOLICE_]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ANTIPPOLICE_\0000]
"Service"="AntipPolice_"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AntipPolice_]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AntipPolice_\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AntipPolice_\Enum]
"0"="Root\\LEGACY_ANTIPPOLICE_\\0000"
CHECKING MBAM
PhilliePhan 171 Central Scrutinizer Team Colleague
I did run FindWPP and the log is posted below. I appreciate your help.
Please note that my mother thinks she may have run spyware doctor at some point recently and it detected 30 or so issues.
Happy to try to help :)
I have to say, though, that the success rate for repairing this is not great.
-- Are you able to run Spyware Doctor? If so, have it remove all it finds. Post the log.
-- Are you able to find the log from Spyware Doctor's previous run?
-- I need you to run FindWPP again. You need RightClick on FindWPP.zip and EXTRACT the FindWPP folder from the ZIP to your desktop. Otherwise it will not run properly. Please post the new log.
-- Do you have a flash drive that you can use to transfer tools to the ill computer in the event we cannot download what we need?
PP :)
Edited by PhilliePhan because: The Usual...
jlludwig 0 Newbie Poster
I have not located the previous Spyware Doctor log; I will try to run it again and will post the results along with the correct FindWPP log tomorrow.
After running the SpywareDoctor do I "Fix" the files found or is there an option to remove them?
j
Edited by jlludwig because: I do have a flash drive and another computer to use nearby if necessary.
PhilliePhan 171 Central Scrutinizer Team Colleague
After running the SpywareDoctor do I "Fix" the files found or is there an option to remove them?
I haven't used SD in years - Whatever option it gives you to remove them, go for it. Let me know.
If you have an empty flash drive (chances are that it will get infected) I'll give you a list of tools to download and have handy. A couple will require special steps to "rename" them before you DL them:
-- http://ad13.geekstogo.com/Win32kDiag.exe
-- http://swandog46.geekstogo.com/avenger.zip
-- Go to this linky and Download Combofix (Just DL - Don't worry about anything else):
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
What I want you to do, though, is this:
When you download it and it asks you to "Save File As," rename combofix to svchost.com and then download it to your flash drive as that.
-- DDS by sUBs
-- http://download.sysinternals.com/Files/Junction.zip
-- http://download.bleepingcomputer.com/sUBs/Beta/fr33.exe
-- http://www.malwarebytes.org/mbam-download.php
Hopefully those will be all we will need. . . . Also, please keep the ill computer offline as much as possible to prevent re-infection.
Let me know when you are ready to start - I'm generally available in the evenings EST.
PP :)
Edited by PhilliePhan because: n/a
jlludwig 0 Newbie Poster
FindWPP log below, SP to follow
Microsoft Windows XP [Version 5.1.2600]
Mon 09/21/2009
10:20 PM
FindWPP is running from C:\Documents and Settings\Administrator\Desktop\FindWPP
RUNNING PROCESSES
PROCESS PID PRIO PATH
smss.exe 520 Normal C:\WINDOWS\System32\smss.exe
csrss.exe 572 Normal C:\WINDOWS\system32\csrss.exe
winlogon.exe 596 High C:\WINDOWS\system32\winlogon.exe
services.exe 640 Normal C:\WINDOWS\system32\services.exe
lsass.exe 652 Normal C:\WINDOWS\system32\lsass.exe
svchost.exe 808 Normal C:\WINDOWS\system32\svchost.exe
svchost.exe 900 Normal C:\WINDOWS\system32\svchost.exe
svchost.exe 1068 Normal C:\WINDOWS\system32\svchost.exe
svchost.exe 1124 Normal C:\WINDOWS\system32\svchost.exe
svchost.exe 1208 Normal C:\WINDOWS\system32\svchost.exe
Explorer.EXE 1436 Normal C:\WINDOWS\Explorer.EXE
pctsAuxs.exe 1528 Normal C:\Program Files\Spyware Doctor\pctsAuxs.exe
pctsSvc.exe 1548 High C:\Program Files\Spyware Doctor\pctsSvc.exe
pctsTray.exe 1688 Normal C:\Program Files\Spyware Doctor\pctsTray.exe
pctsGui.exe 772 High C:\Program Files\Spyware Doctor\pctsGui.exe
iexplore.exe 860 Normal C:\Program Files\Internet Explorer\iexplore.exe
ctfmon.exe 1448 Normal C:\WINDOWS\system32\ctfmon.exe
cmd.exe 1424 Normal C:\WINDOWS\system32\cmd.exe
pv.exe 848 Normal C:\Documents and Settings\Administrator\Desktop\FindWPP\pv.exe
EXE KEY MODIFIED?
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\system32\\desot.exe \"%1\" %*"
CHECKING SELECT POLICIES KEYS
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"HonorAutoRunSetting"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
LOOKING FOR REPLACED FILES
Looking for cngaudit.dll
No matches found.
Looking for eventlog.dll
C:\I386\
eventlog.dll Wed Aug 4 2004 5:00:00a A.... 55,808 54.50 K
C:\WINDOWS\$NTSER~3\
eventlog.dll Wed Aug 4 2004 5:00:00a ..... 55,808 54.50 K
C:\WINDOWS\SYSTEM32\
eventlog.dll Sun Apr 13 2008 6:11:54p A.... 56,320 55.00 K
C:\WINDOWS\SERVIC~1\I386\
eventlog.dll Sun Apr 13 2008 6:11:54p ..... 56,320 55.00 K
4 items found: 4 files, 0 directories.
Total of file sizes: 224,256 bytes 219.00 K
Looking for imm32.dll
C:\I386\
imm32.dll Wed Aug 4 2004 5:00:00a A.... 110,080 107.50 K
C:\WINDOWS\$NTSER~3\
imm32.dll Wed Aug 4 2004 5:00:00a ..... 110,080 107.50 K
C:\WINDOWS\SYSTEM32\
imm32.dll Sun Apr 13 2008 6:11:54p A.... 110,080 107.50 K
C:\WINDOWS\SERVIC~1\I386\
imm32.dll Sun Apr 13 2008 6:11:54p ..... 110,080 107.50 K
4 items found: 4 files, 0 directories.
Total of file sizes: 440,320 bytes 430.00 K
Looking for logevent.dll
No matches found.
Looking for netlogon.dll
C:\I386\
netlogon.dll Wed Aug 4 2004 5:00:00a A.... 407,040 397.50 K
C:\WINDOWS\$NTSER~3\
netlogon.dll Wed Aug 4 2004 5:00:00a ..... 407,040 397.50 K
C:\WINDOWS\SYSTEM32\
netlogon.dll Sun Apr 13 2008 6:12:02p A.... 407,040 397.50 K
C:\WINDOWS\SERVIC~1\I386\
netlogon.dll Sun Apr 13 2008 6:12:02p ..... 407,040 397.50 K
4 items found: 4 files, 0 directories.
Total of file sizes: 1,628,160 bytes 1.55 M
Looking for qmgr.dll
C:\I386\
qmgr.dll Wed Aug 4 2004 5:00:00a A.... 382,464 373.50 K
qmgr.inf Wed Aug 4 2004 5:00:00a A.... 6,140 5.99 K
C:\WINDOWS\$NTSER~3\
qmgr.dll Wed Aug 4 2004 5:00:00a ..... 382,464 373.50 K
qmgr.inf Wed Aug 4 2004 5:00:00a ..... 6,140 5.99 K
C:\WINDOWS\INF\
qmgr.inf Thu Apr 26 2007 4:13:44a A.... 6,547 6.39 K
qmgr.pnf Sat Dec 27 2008 1:00:14a A.... 11,920 11.64 K
C:\WINDOWS\SYSTEM32\
qmgr.dll Sun Apr 13 2008 6:12:04p A.... 409,088 399.50 K
C:\WINDOWS\SERVIC~1\I386\
qmgr.dll Sun Apr 13 2008 6:12:04p ..... 409,088 399.50 K
qmgr.inf Thu Apr 26 2007 4:13:44a ..... 6,547 6.39 K
C:\WINDOWS\SYSTEM32\BITS\
qmgr.dll Sun Apr 13 2008 6:12:04p ..... 409,088 399.50 K
10 items found: 10 files, 0 directories.
Total of file sizes: 2,029,486 bytes 1.93 M
Looking for rasauto.dll
C:\I386\
rasauto.dll Wed Aug 4 2004 5:00:00a A.... 89,088 87.00 K
C:\WINDOWS\$NTSER~3\
rasauto.dll Wed Aug 4 2004 5:00:00a ..... 89,088 87.00 K
C:\WINDOWS\SYSTEM32\
rasauto.dll Sun Apr 13 2008 6:12:04p A.... 88,576 86.50 K
C:\WINDOWS\SERVIC~1\I386\
rasauto.dll Sun Apr 13 2008 6:12:04p ..... 88,576 86.50 K
4 items found: 4 files, 0 directories.
Total of file sizes: 355,328 bytes 347.00 K
Looking for scecli.dll
C:\I386\
scecli.dll Wed Aug 4 2004 5:00:00a A.... 180,224 176.00 K
C:\WINDOWS\$NTSER~3\
scecli.dll Wed Aug 4 2004 5:00:00a ..... 180,224 176.00 K
C:\WINDOWS\SYSTEM32\
scecli.dll Sun Apr 13 2008 6:12:06p A.... 181,248 177.00 K
C:\WINDOWS\SERVIC~1\I386\
scecli.dll Sun Apr 13 2008 6:12:06p ..... 181,248 177.00 K
4 items found: 4 files, 0 directories.
Total of file sizes: 722,944 bytes 706.00 K
LOOKING FOR SUSPICIOUS FILES
No matches found.
No matches found.
No matches found.
No matches found.
SEARCH AND DESTROY KNOWN FILES
Looking for windows Police Pro.exe
No matches found.
Looking for dddesot.dll
C:\WINDOWS\SYSTEM32\
dddesot.dll Mon Sep 21 2009 1:49:04p A.... 1,142,272 1.09 M
1 item found: 1 file, 0 directories.
Total of file sizes: 1,142,272 bytes 1.09 M
File: "C:\WINDOWS\system32\dddesot.dll"
Granting NTFS rights (F access for This Folder and Files) for "Everyone"
Looking for wisdstr.exe
No matches found.
Looking for desote.exe
No matches found.
Looking for svchasts.exe
No matches found.
Looking for ppp4.dat
C:\WINDOWS\
ppp4.dat Mon Sep 21 2009 1:51:34p A.... 58 0.05 K
1 item found: 1 file, 0 directories.
Total of file sizes: 58 bytes 0.05 K
File: "C:\WINDOWS\ppp4.dat"
Granting NTFS rights (F access for This Folder and Files) for "Everyone"
Looking for sysnet.dat
C:\WINDOWS\SYSTEM32\
sysnet.dat Sun Sep 20 2009 7:41:56p A.... 36 0.04 K
1 item found: 1 file, 0 directories.
Total of file sizes: 36 bytes 0.04 K
File: "C:\WINDOWS\system32\sysnet.dat"
Granting NTFS rights (F access for This Folder and Files) for "Everyone"
Looking for bincd32.dat
C:\WINDOWS\SYSTEM32\
bincd32.dat Mon Sep 21 2009 7:06:36a A.... 4 0.00 K
1 item found: 1 file, 0 directories.
Total of file sizes: 4 bytes 0.00 K
File: "C:\WINDOWS\system32\bincd32.dat"
Granting NTFS rights (F access for This Folder and Files) for "Everyone"
Looking for ppp3.dat
C:\WINDOWS\
ppp3.dat Mon Sep 21 2009 1:51:34p A.... 2 0.00 K
1 item found: 1 file, 0 directories.
Total of file sizes: 2 bytes 0.00 K
File: "C:\WINDOWS\ppp3.dat"
Granting NTFS rights (F access for This Folder and Files) for "Everyone"
Looking for desot.exe
C:\WINDOWS\SYSTEM32\
desot.exe Mon Sep 21 2009 1:51:34p A.... 345,088 337.00 K
1 item found: 1 file, 0 directories.
Total of file sizes: 345,088 bytes 337.00 K
File: "C:\WINDOWS\system32\desot.exe"
Granting NTFS rights (F access for This Folder and Files) for "Everyone"
Looking for wispex.html
No matches found.
Looking for qcfbc.wbg
No matches found.
Looking for windows Police Pro.exe
No matches found.
Looking for svchast.exe
C:\WINDOWS\
svchast.exe Sun Sep 20 2009 7:41:58p A.... 69,632 68.00 K
1 item found: 1 file, 0 directories.
Total of file sizes: 69,632 bytes 68.00 K
File: "C:\WINDOWS\svchast.exe"
Granting NTFS rights (F access for This Folder and Files) for "Everyone"
Looking for dbsinit.exe
No matches found.
Looking for braviax.exe
No matches found.
Looking for bennuar.old
C:\WINDOWS\SYSTEM32\
bennuar.old Sun Sep 20 2009 7:41:56p A.... 9 0.01 K
1 item found: 1 file, 0 directories.
Total of file sizes: 9 bytes 0.01 K
File: "C:\WINDOWS\system32\bennuar.old"
Granting NTFS rights (F access for This Folder and Files) for "Everyone"
EXE KEY STILL MODIFIED?
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
SUSPECT REG KEYS
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ANTIPPOLICE_]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_ANTIPPOLICE_\0000]
"Service"="AntipPolice_"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AntipPolice_]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\AntipPolice_\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_ANTIPPOLICE_]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_ANTIPPOLICE_\0000]
"Service"="AntipPolice_"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\AntipPolice_]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\AntipPolice_\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\AntipPolice_\Enum]
"0"="Root\\LEGACY_ANTIPPOLICE_\\0000"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_ANTIPPOLICE_]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_ANTIPPOLICE_\0000]
"Service"="AntipPolice_"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\AntipPolice_]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\AntipPolice_\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ANTIPPOLICE_]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ANTIPPOLICE_\0000]
"Service"="AntipPolice_"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AntipPolice_]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AntipPolice_\Security]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AntipPolice_\Enum]
"0"="Root\\LEGACY_ANTIPPOLICE_\\0000"
CHECKING MBAM
No matches found.
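The most telling lines in that log are the two exefile\shell\open\command readings: before FindWPP ran, every .exe launch was routed through desot.exe first (which is why MBA-M would not install), and afterwards the key is back to the Windows default "%1" %*. Below is an added Python example, not part of FindWPP or this thread, that parses the registry sections of a FindWPP-style log to report whether the .exe handler is still hijacked and which service names the rogue left behind; the sample log is a constructed excerpt built from the values posted above.

```python
"""Triage the registry sections of a FindWPP-style log (added example).

Reports: the program inserted in front of the default .exe handler in the
'EXE KEY MODIFIED?' and 'EXE KEY STILL MODIFIED?' sections, and the service
names listed under 'SUSPECT REG KEYS'.
"""
import re

# Windows' default handler for .exe files: run the file itself with its arguments.
DEFAULT_EXE_COMMAND = '"%1" %*'

# Constructed excerpt of the posted log: hijacked key, suspect keys, restored key.
SAMPLE_LOG = r'''
EXE KEY MODIFIED?
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\system32\\desot.exe \"%1\" %*"
SUSPECT REG KEYS
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ANTIPPOLICE_\0000]
"Service"="AntipPolice_"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AntipPolice_]
EXE KEY STILL MODIFIED?
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''


def unquote_reg_string(value: str) -> str:
    """Turn a .reg-style quoted value ("...", with \\ and \" escapes) into plain text."""
    inner = value.strip()[1:-1]            # drop the surrounding double quotes
    return re.sub(r'\\(.)', r'\1', inner)  # \\ -> \  and  \" -> "


def parse_exe_commands(log: str) -> dict:
    """Map each 'EXE KEY ...' section header to the exefile open command under it."""
    result, section, key = {}, None, None
    for line in (l.strip() for l in log.splitlines()):
        if line.startswith('EXE KEY') or line == 'SUSPECT REG KEYS':
            section, key = line, None
        elif line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
        elif line.startswith('@=') and key and key.lower().endswith(r'exefile\shell\open\command'):
            result[section] = unquote_reg_string(line[2:])
    return result


def exe_hijacker(command: str):
    """Return the program placed in front of the default handler, or None if the key is clean."""
    if command == DEFAULT_EXE_COMMAND:
        return None
    if command.endswith(DEFAULT_EXE_COMMAND):
        return command[:-len(DEFAULT_EXE_COMMAND)].strip()
    return command  # unexpected shape: report the whole command for a human to look at


def suspect_services(log: str) -> set:
    """Collect service names named anywhere in the SUSPECT REG KEYS section."""
    names, in_section = set(), False
    for line in (l.strip() for l in log.splitlines()):
        if line == 'SUSPECT REG KEYS':
            in_section = True
            continue
        if in_section and (line.startswith('EXE KEY') or line.startswith('CHECKING')):
            in_section = False
        if in_section:
            for pat in (r'\\Services\\([^\\\]]+)', r'^"Service"="([^"]+)"'):
                m = re.search(pat, line)
                if m:
                    names.add(m.group(1))
    return names


def triage(log: str) -> dict:
    """Summarise the log: hijacker before/after the tool ran, plus leftover service names."""
    cmds = parse_exe_commands(log)
    return {
        'hijacker_before': exe_hijacker(cmds.get('EXE KEY MODIFIED?', DEFAULT_EXE_COMMAND)),
        'hijacker_after': exe_hijacker(cmds.get('EXE KEY STILL MODIFIED?', DEFAULT_EXE_COMMAND)),
        'suspect_services': sorted(suspect_services(log)),
    }


if __name__ == '__main__':
    print(triage(SAMPLE_LOG))
```

A non-empty `hijacker_after` or a non-empty `suspect_services` list after a cleaning pass means the handler or the service entries still need attention before trusting any .exe you run on that machine.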
PhilliePhan 171 Central Scrutinizer Team Colleague
FindWPP log below, SP to follow
Hi Jodi,
Let's keep our fingers crossed, but that does not look nearly as bad as some of the other infections I have seen. Granted, a lot can hide from my simple batch tool, but a couple key items are not showing.
It would be best to keep this compy offline as much as we can until it is clean.
--- After running Spyware Doctor, see if you are able to install and run MalwareBytes' Anti-Malware.
Update it and do the Quick Scan and have it REMOVE all that it finds and then post that log along with the SD log.
With any luck, it will remove most of this baddie.
Let me know how you fare and any problems that crop up along the way.
PP:)
Edited by PhilliePhan because: n/a