
Windows Police, Desote.exe, Google Hijack, Only able to use Internet in Safe Mode


  • This topic is locked
5 replies to this topic

#1 SanSan

SanSan

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:08:52 PM

Posted 01 September 2009 - 09:53 AM

Well, where should I start. This all happened on August 30 Sunday, I had finished downloading a program packaged in a rar file. I unrared that file to take its contents out (which included the program and its "crack" file). Everything in the computer running smoothly still. Installed the program (FL Studio), and tried to open the crack, but the Data Prevention in Vista stopped me. So I open up my Firefox, internet still working after I installed the program (I may be wrong, probably opened it before I installed it), anyways. I go online to see if the person that provided this program had instructions and he/she didn't. So I right away remembered "oh yeah the data prevention thing, all I gotta do is add to the allowed programs and it should work." So I exactly did that with the crack, I added it to the Data prevention to allow to run. So I double click on the crack, and then I click on the "crack this or crack" w.e it was, and it told me couldn't find the program it needed to crack, so then it says find the program and I click yes. I browse through my folders find FL studio and crack it. After I did that my internet connection no longer worked, like something was blocking it. Spent countless hours trying to figure this out, even uninstalled FL studios and still it didn't work, Firefox and IE opened up fine, just something was blocking my internet connection.

So I decide to restart my comp after I had uninstalled FL studios. And bleep just got worse, I went to restart, everything was going smoothly, logging off then it goes to shutting down, and after a little bit it goes to a blue screen and I'm like wth. The computer starts but goes to the menu Start windows in safe mode, start it on safe mode with networking, or start it normally. So I start it normally, and still the internet is being blocked by something. So basically I think to myself I should try safe mode with networking, so I restart my computer thinking that blue screen was a one thing deal but nope, it goes to log off, then it goes to shutting down and then a little bit afterwards blue screen with all this writing on it. So it goes into that menu again and I choose safe mode with networking. And to my surprise the internet works in safe mode with networking, like w.e was blocking me in normal mode isn't doing that here. So I right away go to look for what's my problem in Google.

I type up my problem, hit search. And then something else happened, every time I clicked on one of the Google search results it redirected me to something else, now I'm even more confused, I thought it was just the site that was doing that but it kept doing that like 90% of time. But I was able to get through, and I read some of the people's answers, that I had some program or service blocking my net, or my networking driver had been corrupted. So I did the only one I could and went on a stopping programs/service rampage for like hours. After many restarts, and stoppings, I had not fixed my problem on being able to use my internet in safe mode. I went on safe mode with networking once again to search my problem, was pissed, I clicked on this search result and it redirected me like always but this time it redirected me to this page where it tells me my computer is infected. I was already furious so I clicked on the x on its tab to get out of it but it didn't let me, so I kept clicking no on the message where it tells me something about letting it scan or fix my comp and it just wouldn't go away, so in my idiot part I clicked yes, and it finally went away. I restarted my comp normally again and things just got worse. Once it started up, it hit me with like 23 Debugger Detected 97 messages. This was becoming utter BS, couldn't click on any .exe program without getting that and to top it off I got this thing that popped up called "Windows Police Pro".

So I went and restarted my comp and like always I get this blue screen with all this writing on it. So I got into safe mode with networking again. And even in safe mode with networking I can't open up any .exe, it gives me Debugger Detected 97. So I decide to shut off my comp and call it a night. I decide to hook my Wii to the internet the next morning to search this on Google since I no longer was able to open up any .exe. I found this site while looking through Google on my Wii and found this whole thing, these symptoms this problem has just recently been going on like a rampant rage. So I read through everyone's similar problem, where I found out that people had Desote.exe and I wondered myself if I had that. So I decided not to turn on my comp that day. Now this morning on Sep 1st, I turn my comp up with all that knowledge I've gathered from people's similar problems on this site. Once Windows started I got hit with the 23 Debugger Detected messages again, but no Windows Police Pro. But I noticed that the Debugger Detected 97 message appeared as Desote.exe on the bottom, so I put 2 and 2 together, went to my windows folder, found that and deleted it. And I went to my control panel, remove programs, and clicked on uninstall Windows Police Pro. But it said it had already been uninstalled but if I wanted to remove other components associated with it or w.e and I clicked yes. I went to check if it had gotten rid of Windows Police Pro in my program files and it didn't. So I decided not to delete or touch anything with that just yet. So I restarted my comp to go to safe mode with networking so I can use my internet, and like always blue screen at the end with all this writing. So I keep hitting F8, I choose safe mode with networking. It loads up, and things just get even worse.

I double click on Firefox and instead of opening it, I get the window you get whenever you try to "Open with". And I'm puzzled as to why I get that for every .exe program. So I restart my computer (Oh and my bad for not saying this until now, but I only get the blue screen whenever I restart in normal mode) to go into normal mode, to see if this is going on there too. And to my disbelief it is, but I found that MPcStar is still able to open without getting that at all. Anyways, I go back to Safe mode with networking, and I try to figure out how to open Firefox, and then I try run as administrator, and it opens it. So now I'm even more confused and this is just sucking even more. So I download Malwarebytes and then I restart my computer so I can go into safe mode. I had a little problem getting the installer for Malwarebytes to start, but I did it eventually.

I installed it, and then I ran a quick scan. And it found a little over 30 problems, so I clicked on the save the log button and then clicked on the button that deletes all the bad stuff it found. And then it said to finish u will have to restart, so I did, after the logging off and the shutting down I got the blue screen like usual so I got a little depressed knowing I wasn't even out of the woods yet. So it loads up again, and I double click on an .exe program to see if it fixed that problem where I get the "open with" window and it just turned into another problem. This time whenever I try to open a .exe I get this message: "This file does not have a program associated with it for performing this action. Create an association in the set associations control panel." But MPcStar still opens with no problems e.e.

So I can't use my internet in normal mode and now I got these other problems I have mentioned so I have come to a conclusion that I myself can't fix this problem, so I come to you guys for help e.e please save my comp. I would like to post my log for Malwarebytes but it seems like it didn't stay safe (I think cus I didn't even name it) but I do have this:

Logfile of The Avenger Version 2.0, by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:


Error: file "C:\Windows\System32\bszip.dll" not found!
Deletion of file "C:\Windows\System32\bszip.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\Windows\System32\dddesot.dll" not found!
Deletion of file "C:\Windows\System32\dddesot.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: could not open file "C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat"
Deletion of file "C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: file "C:\Windows\System32\bennuar.old" not found!
Deletion of file "C:\Windows\System32\bennuar.old" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\Windows\System32\sysnet.dat" not found!
Deletion of file "C:\Windows\System32\sysnet.dat" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\Windows\ppp3.dat" not found!
Deletion of file "C:\Windows\ppp3.dat" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\Windows\ppp4.dat" not found!
Deletion of file "C:\Windows\ppp4.dat" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\Windows\System32\bszip.dll" not found!
Deletion of file "C:\Windows\System32\bszip.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\Windows\System32\dddesot.dll" not found!
Deletion of file "C:\Windows\System32\dddesot.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: could not open file "C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat"
Deletion of file "C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: file "C:\Windows\System32\bennuar.old" not found!
Deletion of file "C:\Windows\System32\bennuar.old" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\Windows\System32\sysnet.dat" not found!
Deletion of file "C:\Windows\System32\sysnet.dat" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\Windows\ppp3.dat" not found!
Deletion of file "C:\Windows\ppp3.dat" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: file "C:\Windows\ppp4.dat" not found!
Deletion of file "C:\Windows\ppp4.dat" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: folder "C:\Program Files\MyWebSearch" not found!
Deletion of folder "C:\Program Files\MyWebSearch" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: could not open folder "C:\Program Files\MyWebSearch\bar"
Deletion of folder "C:\Program Files\MyWebSearch\bar" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open folder "C:\Program Files\MyWebSearch\bar\History"
Deletion of folder "C:\Program Files\MyWebSearch\bar\History" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open folder "C:\Program Files\MyWebSearch\bar\Settings"
Deletion of folder "C:\Program Files\MyWebSearch\bar\Settings" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: folder "C:\Program Files\FunWebProducts" not found!
Deletion of folder "C:\Program Files\FunWebProducts" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: could not open folder "C:\Program Files\FunWebProducts\ScreenSaver"
Deletion of folder "C:\Program Files\FunWebProducts\ScreenSaver" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: could not open folder "C:\Program Files\FunWebProducts\ScreenSaver\Images"
Deletion of folder "C:\Program Files\FunWebProducts\ScreenSaver\Images" failed!
Status: 0xc000003a (STATUS_OBJECT_PATH_NOT_FOUND)
--> bad path / the parent directory does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0}" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0}" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481}" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481}" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7}" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7}" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907}" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907}" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127}" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127}" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7}" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7}" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da}" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da}" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{76dc0b63-1533-4ba9-8be8-d59eb676fa02}" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{76dc0b63-1533-4ba9-8be8-d59eb676fa02}" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist


Completed script processing.

*******************

Finished! Terminate.

Edited by SanSan, 01 September 2009 - 09:56 AM.




#2 mack211

mack211

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:07:52 PM

Posted 03 September 2009 - 12:13 PM

SanSan,

I just got finished fixing this virus on one of my co-worker's PCs.

1. Start Windows in 'safe mode with networking'
2. Download (http://www.winhelponline.com/exefix_xp.com) to desktop
3. Remove the following files:
C:\WINDOWS\svchast.exe
C:\WINDOWS\system32\dddesot.dll
(If it won't let you remove them... pull up Task Manager and make sure to stop all processes of Desote and Svchast. Then try again.)

4. Do a search in the C:\WINDOWS directory for 'desot' and delete anything that comes up.
5. With desote removed you will not be able to run any .exe files. The association to .exe in your registry was hijacked. Run the 'exefix_xp.com' file that you saved to your desktop to fix the registry issue.
6. Reboot

When finished run any antivirus/trojan software detection software you might have to clean your system up.

Edited by mack211, 03 September 2009 - 12:14 PM.
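
Step 5 of the post above describes a hijacked .exe association. As an added example (not part of mack211's post and not the exefix_xp.com tool), this read-only PowerShell check compares the association with the stock Windows defaults. The function names are hypothetical, and the expected values `exefile` and `"%1" %*` are the standard defaults, not values taken from this thread.

```powershell
# Added example: read-only audit of the .exe file association. Nothing is modified.
# Stock Windows defaults (not values from this thread):
#   HKEY_CLASSES_ROOT\.exe                        (Default) = exefile
#   HKEY_CLASSES_ROOT\exefile\shell\open\command  (Default) = "%1" %*

function Get-RegDefault {              # hypothetical helper name
    param([string]$Key)
    $item = Get-Item -LiteralPath "Registry::$Key" -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }    # key does not exist
    return $item.GetValue('')                # '' selects the key's (Default) value
}

function Test-ExeAssociation {         # hypothetical function name
    $findings = @()

    # 1. Effective association as the shell resolves it. HKEY_CLASSES_ROOT is the
    #    merged view of HKLM\SOFTWARE\Classes and HKCU\Software\Classes.
    $progId = Get-RegDefault 'HKEY_CLASSES_ROOT\.exe'
    if ($progId -ne 'exefile') {
        $findings += "HKCR\.exe points to '$progId' instead of 'exefile'"
    }
    if ($progId) {
        # Follow whatever ProgID is registered and show the command it would launch.
        $cmd = Get-RegDefault "HKEY_CLASSES_ROOT\$progId\shell\open\command"
        if ($cmd -ne '"%1" %*') {
            $findings += "Open command for '$progId' is [$cmd] instead of [`"%1`" %*]"
        }
    }

    # 2. Per-user keys take precedence over the machine-wide ones in the merged view
    #    and are normally absent, so a (Default) value set here is worth a look
    #    even when the machine-wide keys are intact.
    foreach ($key in 'HKEY_CURRENT_USER\Software\Classes\.exe',
                     'HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command') {
        $value = Get-RegDefault $key
        if ($null -ne $value) {
            $findings += "Per-user override present: $key = [$value]"
        }
    }
    return $findings
}

$result = Test-ExeAssociation
if ($result) { $result } else { 'The .exe association matches the Windows defaults.' }
```

Run it once before and once after the registry fix; an empty result after the fix means both the machine-wide and the per-user view are back to the defaults.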


#3 tonight33

tonight33

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:08:52 PM

Posted 03 September 2009 - 01:45 PM

Just wanted to say thanks...I've been wrestling with this all week and this worked.

#4 SanSan

SanSan
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:08:52 PM

Posted 04 September 2009 - 09:14 AM

@mack211
Thanks dudes, but this problem of mine has gotten more complicated than that. Just waiting for a response from these guys.

-------------

Update on My problem.

Alright, it seems like mostly everything is in order now. The only problems I still have left are clicking on a Google result redirects me (most of the time) and my number one problem, not being able to use internet in normal mode.

Things I believe might be related is the issue with my internet not working in normal mode and the blue screen I get whenever I try restarting from normal mode or turning the computer off in normal mode.

There's all this writing on the blue screen and the thing that sticks out the most is IRQL_NOT_LESS_OR_EQUAL.

Edited by SanSan, 04 September 2009 - 12:59 PM.


#5 garmanma

garmanma

    Computer Masochist


  • Staff Emeritus
  • 27,809 posts
  • OFFLINE
  •  
  • Location:Cleveland, Ohio
  • Local time:09:52 PM

Posted 05 September 2009 - 07:46 PM

Please download Dr.Web CureIt, the free version & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)

Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits

#6 SanSan

SanSan
  • Topic Starter

  • Members
  • 4 posts
  • OFFLINE
  •  
  • Local time:08:52 PM

Posted 06 September 2009 - 11:06 AM

Thanks for the reply but 2 days ago when restarting in safe mode my computer never booted past the little blinking dash at the top left corner. Sucks a lot, all there is a black screen, idk what may have caused this problem to begin, maybe all that restarting I did must have messed it up. But I took it to where they repair comps ugh and they told me it may be caused by faulty RAM or a faulty hard drive or a faulty MB. Hoping it isn't my hard drive, put too much work into it. Well they are running a diagnostic on it, so I'll post back here when I get my comp back and hopefully in working order.



