Why am I paying for Norton Antivirus when they cannot block this crap? Right after Windows Police Pro downloaded itself and began wreaking havoc on my computer, NAV did a scheduled scan and found nothing. This is my second go-around with this virus (with Norton up to date) so I already had Malwarebytes installed. I ran 3 scans with Malwarebytes and these are the log files:
First Scan:
Malwarebytes' Anti-Malware 1.41
Database version: 2837
Windows 5.1.2600 Service Pack 3 (Safe Mode)
9/21/2009 11:05:21 AM
mbam-log-2009-09-21 (11-05-21).txt
Scan type: Full Scan (C:\|)
Objects scanned: 33300
Time elapsed: 6 minute(s), 52 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 16
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\main.bho (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\main.bho.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolbar.tb (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolbar.tb.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{8eee58d5-130e-4cbd-9c83-35a0564ea119} (Adware.Bargain.Buddy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{986a8ac1-ab4d-4f41-9068-4b01c0197867} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{a0e1054b-01ee-4d57-a059-4d99f339709f} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{77dc0b63-1535-4ba9-8be8-d59eb676fa02} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{77dc0b63-1535-4ba9-8be8-d59eb676fa02} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77dc0b63-1535-4ba9-8be8-d59eb676fa02} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{8e3c68cd-f500-4a2a-8cb9-132bb38c3573} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000250-0320-4dd4-be4f-7566d2314352} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000250-0320-4dd4-be4f-7566d2314352} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{afd4ad01-58c1-47db-a404-fbe00a6c5486} (Trojan.BHO) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (C:\WINNT\system32\desot.exe "%1" %*) Good: ("%1" %*) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINNT\system32\dddesot.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Second Scan:
Malwarebytes' Anti-Malware 1.41
Database version: 2837
Windows 5.1.2600 Service Pack 3 (Safe Mode)
9/21/2009 11:23:45 AM
mbam-log-2009-09-21 (11-23-45).txt
Scan type: Quick Scan
Objects scanned: 115136
Time elapsed: 11 minute(s), 27 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 10
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\antippolice_ (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\antippolice_ (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\antippolice_ (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINNT\svchast.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\Common\helper.sig (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\bennuar.old (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINNT\system32\bincd32.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINNT\system32\desot.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\sonhelp.htm (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINNT\system32\sysnet.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINNT\system32\wispex.html (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINNT\ppp3.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINNT\ppp4.dat (Malware.Trace) -> Quarantined and deleted successfully.
Third Scan:
Malwarebytes' Anti-Malware 1.41
Database version: 2971
Windows 5.1.2600 Service Pack 3
10/16/2009 11:01:44 AM
mbam-log-2009-10-16 (11-01-44).txt
Scan type: Quick Scan
Objects scanned: 121592
Time elapsed: 18 minute(s), 53 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Windows Police Pro (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Windows Police Pro (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINNT\system32\pump.exe (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\WINNT\system32\gasfkyfowjuwvn.dll (Rootkit.TDSS) -> Delete on reboot.
C:\WINNT\system32\gasfkynucswdsf.dll (Rootkit.TDSS) -> Delete on reboot.
C:\WINNT\system32\gasfkytlesyokb.dll (Rootkit.TDSS) -> Delete on reboot.
C:\WINNT\system32\drivers\gasfkyaplhdkro.sys (Rootkit.TDSS) -> Delete on reboot.
C:\WINNT\Temp\gasfkywipyycdecw.tmp (Rootkit.TDSS) -> Delete on reboot.
C:\WINNT\system32\nuar.old (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINNT\system32\skynet.dat (Malware.Trace) -> Quarantined and deleted successfully.
[edit: Changed subject to reflect moved post.]