
Desote.exe / Windows Police Pro


This topic is locked. 14 replies to this topic.

#1 norsewulf (Members, 10 posts)

Posted 24 September 2009 - 01:53 AM

Hi, I actually started a thread here(just in case it helps you out): http://www.bleepingcomputer.com/forums/t/253729/desoteexe-and-windows-police-pro/

And now I've arrived here to post my HJT log. Unfortunately I wasn't able to run the dds.scr application thanks to the desote.exe virus. But I was able to run rootrepeal thanks to the 'run as' option when i right clicked it.

I've attached my log. I hope you can help me move forward with this! Thanks!

Attached Files
#2 Blade (Site Admin, 12,704 posts, Location: US)

Posted 25 September 2009 - 05:05 PM

Hello, and :( to the Malware Removal forum! My online alias is Blade Zephon, or Blade for short, and I will be assisting you with your malware issues!

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Before we begin cleaning your machine, I'd like to lay out some guidelines for us to follow while we are working together.
  • I will be assisting you with your malware issues. This may or may not resolve other problems you are having with your computer. If you are still having problems after your machine has been determined clean, I will be glad to direct you to the proper forum for assistance.
  • Even if things appear better, that does not mean we are finished. Please continue to follow my instructions until I give you the all clean. Absence of symptoms does not mean that all the malware has been removed. If a piece of the infection is left, it can regenerate and reinfect your machine.
  • Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding the current state of your computer.
  • I ask that you please refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. If you act independently it will cause changes to your system that I will not be aware of, which will make the process of cleaning the machine a much slower and more difficult process. Additionally, some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you are unsure or confused about any instructions I give you, you should ask me to clarify before doing anything. Additionally, if you run into any problems while carrying out instructions, you should STOP and reply back here explaining what happened.
  • After 5 days if a topic is not replied to we assume it has been abandoned and it is closed. If you need additional time, that is perfectly alright; you just need to let us know beforehand. :(
  • As I am in the final stages of training an Expert Coach will also oversee your fix. Your benefit will be two people helping you instead of just one, but responses may be somewhat delayed so please be patient!!!!
Please give me a little time to go through your logs. My instructions will be forthcoming.

~Blade


If I am helping you, it has been 48 hours since your last post, and I have yet to reply to your topic, please send me a PM
Become a BleepingComputer fan: Facebook
Follow us on Twitter!
Circle us on Google+


#3 Blade (Site Admin)

Posted 26 September 2009 - 05:44 AM

Hello again.

Before we start:

Go to Start > My Computer
Go to Tools > Folder Options
Click on the View tab
Untick the following:
  • Hide extensions for known file types
  • Hide protected operating system files (Recommended)
You will get a message warning you about showing protected operating system files, click Yes
Make sure this option is selected:
  • Show hidden files and folders
Click Apply and then click OK

***************************************************

First off, let's try and get your programs running.

(Using Firefox) Please right-click the following link and select Save Link As... from the context menu. Save UnHookExec.inf to your Desktop. Note that it will appear on your Desktop as UnHookExec.inf.txt.
Once saved, right-click on UnHookExec.inf.txt and select Rename. Rename the file to UnHookExec.inf (Click okay to any warning that appears).
Then right-click once more on UnHookExec.inf and select Install.
After doing this you should be able to run programs again.

Right-click here

***************************************************

Download Combofix from any of the links below but rename it to renamed.exe before saving it to your desktop.

Link 1
Link 2

--------------------------------------------------------------------

VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.

Double click on renamed.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt in your next reply so we can continue cleaning the system.
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own.
This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper


~Blade


In your next reply, please include the following:
ComboFix log

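The UnHookExec.inf step above works because this family of malware takes over the registry command that Windows uses to launch every .exe, which is why dds.scr could not be run normally while a "Run as" launch still worked. The following is an added example (not a BleepingComputer tool and not the contents of UnHookExec.inf): a Python check that reports whether the command stored under HKEY_CLASSES_ROOT\exefile\shell\open\command is still the Windows default, "%1" %*. It only reads the value and never writes the registry; the hijacked sample value and its path are constructed placeholders.

```python
"""Report whether the .exe file-association command has been hijacked.

Added example, not the forum's own tool. Windows launches .exe files through
the (Default) value of HKEY_CLASSES_ROOT\\exefile\\shell\\open\\command, whose
normal content is  "%1" %*  (the target program plus its arguments). Malware
that replaces it with its own path is started before every program the user
runs, which is the symptom described in the thread. This script compares the
value against the default and does not modify anything.
"""
import sys
from typing import Optional

DEFAULT_EXE_COMMAND = '"%1" %*'


def is_default_exe_command(value: str) -> bool:
    """True when the command equals the Windows default (surrounding whitespace ignored)."""
    return value.strip() == DEFAULT_EXE_COMMAND


def describe_exe_command(value: str) -> str:
    """Short verdict for one command string, suitable for a log line."""
    if is_default_exe_command(value):
        return "ok: default .exe association"
    # Anything else means some other program runs before (or instead of) the target .exe.
    return f"HIJACKED: every .exe launch goes through {value.strip()!r}"


def read_current_exe_command() -> Optional[str]:
    """Read the live value on Windows; returns None on other platforms."""
    if sys.platform != "win32":
        return None
    import winreg  # only available on Windows

    with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, r"exefile\shell\open\command") as key:
        value, _value_type = winreg.QueryValueEx(key, "")  # "" selects the (Default) value
        return value


# Constructed sample values; the hijacked path is a placeholder, not taken from the thread.
SAMPLES = {
    "clean": '"%1" %*',
    "hijacked": r'"C:\WINDOWS\PLACEHOLDER-HIJACK.EXE" "%1" %*',
}

if __name__ == "__main__":
    live = read_current_exe_command()
    if live is not None:
        print("live registry value:", describe_exe_command(live))
    for label, value in SAMPLES.items():
        print(f"{label:8}: {describe_exe_command(value)}")
```

Run it as an ordinary user on the affected machine; reading HKEY_CLASSES_ROOT needs no elevation. One caveat: the check covers only the exefile ProgID. A hijack can also repoint the .exe extension itself to a different ProgID, so a complete check would first read HKEY_CLASSES_ROOT\.exe and confirm it still says "exefile" before inspecting the command.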


#4 Blade (Site Admin)

Posted 29 September 2009 - 10:21 AM

Hello again. . . do you still require assistance??? If you have resolved your issue please let us know. Thanks!



#5 norsewulf (Topic Starter)

Posted 01 October 2009 - 01:56 AM

Yes, I still require assistance. I've been in and out with the internet and busy as well. So it will often take me a few days to tackle each step.

I've been having troubles running ComboFix just now because I had to disable Norton Antivirus. Unfortunately I couldn't even find a trace of this thing running, so I'm in the process of uninstalling. I might not get to the scan + log till tomorrow now. But I'll be here till we get it fixed!

Thanks

#6 norsewulf (Topic Starter)

Posted 01 October 2009 - 02:23 AM

Alright, so I've ran combofix and things are looking better already. Here's the log.

Thanks!!

Attached Files



#7 Blade (Site Admin)

Posted 01 October 2009 - 02:59 PM

Hello norsewulf :(

Excellent! Things are looking much better now. We still have a little bit of work to do though.

Your log(s) show that you are using so called peer-to-peer or file-sharing programmes (in your case uTorrent). These programmes allow users to share files between each other, as the name suggests. In today's world cyber crime has reached an enormous dimension and any means is used to infect personal computers to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools and thus suggested to be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes the copyright laws in many countries over the world and you are putting yourself at risk of being indicted through organisations watching over the rights of the authors of such files (i.e. the RIAA for music files, or the MPAA for movie files in the USA) or the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

I would recommend going to Add/Remove Programs and uninstalling uTorrent now. If you wish to keep these programs, it is imperative that you do not use them until I have declared you clean.

***************************************************

Set the desktop to its default:
  • Right click on desktop and select Properties. Alternatively go to start -> Control Panel -> Display.
  • Go to the Desktop tab.
  • click the "Customize Desktop" button.
  • Go to the Web tab in the new window that comes up.
  • Uncheck everything you find there.
  • Also delete everything you can delete there except for "My Current Home Page" (which you won't be able to delete anyway).

    Note: If you see an empty bracket you may select and remove it.
***************************************************

1. Open notepad and copy/paste the text in the codebox below into it:

http://www.bleepingcomputer.com/forums/t/259909/desoteexe-windows-police-pro/

Collect::c:\windows\svchasts.exe

Save this as CFScript.txt, in the same location as ComboFix.exe

2. Close any open browsers.

3. VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
~Blade


In your next reply, please include the following:
ComboFix log

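The file the CFScript above tells ComboFix to collect, c:\windows\svchasts.exe, is named to pass for the legitimate svchost.exe at a glance. As an added example (not part of this thread and not a ComboFix feature), the Python script below shows the detection logic a helper applies mentally when reading a log: flag any file whose name is within a small edit distance of a well-known Windows system binary without being that binary, and flag a genuine system binary name that sits outside the directory it normally lives in. The directory listing is constructed; only svchasts.exe comes from the thread, and the expected-location table reflects Windows XP paths.

```python
"""Flag file names that impersonate Windows system binaries.

Added example; not a tool from the thread. It computes the Levenshtein edit
distance between each file name and a short list of legitimate Windows
binaries, reporting near-misses such as svchasts.exe (two edits away from
svchost.exe), and separately reports genuine names found outside their
expected directory (e.g. svchost.exe directly under c:\\windows).
"""
from __future__ import annotations

import ntpath
from typing import List, Optional

# Legitimate binaries and the directory each normally lives in (Windows XP era paths).
KNOWN_BINARIES = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using a rolling single-row dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_path(path: str, max_distance: int = 2) -> Optional[str]:
    """Return a finding for a suspicious path, or None when it is unremarkable."""
    directory, name = ntpath.split(path.lower())
    if name in KNOWN_BINARIES:
        expected = KNOWN_BINARIES[name]
        if directory != expected:
            return f"{path}: genuine system binary name outside expected directory ({expected})"
        return None
    # Pick the closest legitimate name; report it if it is close but not identical.
    closest = min(KNOWN_BINARIES, key=lambda known: edit_distance(name, known))
    distance = edit_distance(name, closest)
    if 0 < distance <= max_distance:
        return f"{path}: looks like {closest} (edit distance {distance})"
    return None


def scan(paths: List[str]) -> List[str]:
    """Run classify_path over a listing and keep only the findings."""
    return [finding for finding in (classify_path(p) for p in paths) if finding]


# Constructed listing; only svchasts.exe is taken from the thread.
SAMPLE_LISTING = [
    r"C:\WINDOWS\svchasts.exe",
    r"C:\WINDOWS\system32\svchost.exe",
    r"C:\WINDOWS\explorer.exe",
    r"C:\WINDOWS\system32\notepad.exe",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LISTING):
        print(finding)
```

With max_distance set to 2 the sample listing yields exactly one finding, for svchasts.exe. Raising the threshold catches more creative spellings but also starts matching unrelated short names against each other, so in practice the distance check is paired with a location check, as the second rule here does.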


#8 norsewulf (Topic Starter)

Posted 02 October 2009 - 01:24 AM

Hi Blade,

The infected computer is only able to hook up to the internet through a hardwire connection, and in my suite there is only wireless. Do I absolutely need to be hooked up to internet in order to follow this next step?

Thanks

#9 Blade (Site Admin)

Posted 03 October 2009 - 01:24 PM

Hello.

Since you don't have internet access you should use the following script instead of the one provided above. The instructions regarding on how to run the script are repeated for your convenience.

1. Open notepad and copy/paste the text in the codebox below into it:

File::c:\windows\svchasts.exe

Save this as CFScript.txt, in the same location as ComboFix.exe

2. Close any open browsers.

3. VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

~Blade


In your next reply, please include the following:
ComboFix log



#10 norsewulf (Topic Starter)

Posted 05 October 2009 - 12:18 AM

Hi Blade,

Here's my log.

Thanks!

Attached Files



#11 Blade (Site Admin)

Posted 05 October 2009 - 04:46 AM

Hello.

For some reason the script didn't run correctly. We need to try it again. I will repeat the instructions below, but please ensure that you only copy the contents of the quotebox when you create the script. Do not include the word "Quote"

***************************************************

1. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\svchasts.exe


Save this as CFScript.txt, in the same location as ComboFix.exe

2. Close any open browsers.

3. VERY IMPORTANT: Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix. Click on this link to see a list of programs that should be disabled. NOTE: This list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

~Blade


In your next reply, please include the following:
ComboFix log



#12 Blade (Site Admin)

Posted 10 October 2009 - 10:32 AM

do you still require assistance?



#13 norsewulf (Topic Starter)

Posted 10 October 2009 - 04:19 PM

Hi, I still require assistance. Here's my new log

Thanks!

Attached Files



#14 Blade (Site Admin)

Posted 10 October 2009 - 09:37 PM

Hello again. :(

The log looks good! Now we need to clean up.
  • Click on Start > Run
  • Now type combofix /u in the runbox and click OK. Notice the space between the "x" and "/".
    Posted Image
  • You will then receive a message letting you know that Combofix was uninstalled Successfully.
This will remove files/folders associated with combofix and uninstall it.

***************************************************

Your machine appears to be clean!

I highly recommend that you read through the below set of very helpful suggestions and implement them; they will help protect you from reinfection.

I recommend you regularly visit the Windows Update Site!
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • By updating your machine, you have one less headache! Posted Image
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish, you can also use automatic updates. This is a good thing to have if you want to be up-to-date all the time, but can also be a bit of an annoyance due to its handling and the sizes of the updates. If you wish to turn on automatic updates then you will find here is a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.
  • If you do not want to have automatic updates turned on, or are on dial-up, you can always download updates separately at: http://windowsupdate.microsoft.com.
It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

For a nice list of freeware programmes in all categories, please have a look at this thread with freeware products that are regarded as useful by the users of this forum: Commonly Used Freeware Replacements.

Another recommendation is to download HostsMan (http://www.softpedia.com/progDownload/HostsMan-Download-21113.html). It safeguards you with a regularly updated Hosts-file that blocks dangerous sites from opening. This adds another bit of safety while surfing the Internet. For installation and setting up, follow these steps:
  • Double-click the Downloaded installer and install the tool to a location of your choice
  • Via the Startmenu, navigate to HostsMan and run the program.
    • Click "Hosts" in the menu
    • Click "Manage Updates" in the submenu
    • Out of the three, select at least one of them (I have MVPS Host as my main one)
    • Click "Add Update." After that you will only need to click on the following button to retrieve updates:
      Posted Image
  • Click the X to exit the program.
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet

Glad I was able to help and if there any other problems related to your computer please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BC, we also help people with other computer problems! Do not forget to tell your friends about us!

~Blade



#15 Farbar (Security Developer, 21,713 posts, Location: The Netherlands)

Posted 15 October 2009 - 07:28 AM

This thread will now be closed since the issue seems to be resolved.

If you need this topic reopened, please send me a PM and I will reopen it for you.

If you should have a new issue, please start a new topic.



