Windos Police Pro

Forum Guidelines

Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help

Posted Image

Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.

Posted Image

DO NOT RUN ComboFix unless requested to.

Posted Image

Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.

Posted Image

When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.

Posted Image

Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.

3 Pages
1
2
3
→

You cannot start a new topic
This topic is locked

Windos Police Pro Cant access task manager or registry

#1 tolson09

Member

Group: Members
Posts: 25
Joined: 20-October 09

Posted 21 October 2009 - 12:36 AM

I am stuck. I cannot access the task manager to help get rid of this Windows police pro. someone help. Please. It tells me the task manager is blocked by my administrator, same goes for the registry.

This post has been edited by tolson09: 21 October 2009 - 12:39 AM

#2 Buckeye_Sam

Malware Expert

Group: Malware Response Team
Posts: 17,382
Joined: 23-December 04
Gender:Male
Location:Pickerington, Ohio

Posted 21 October 2009 - 07:21 PM

Hello!

My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.

We need to create an OTL Report

Please download OTL from here
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
Under the Custom Scan box paste this in

netsvcs
%systemdrive%\*.exe
%systemroot%\system32\drivers\*.sys
Click the "Quick Scan" button.
The scan should take just a few minutes.
Please copy and paste both logs back here in your next reply.

=============

The next log will show us any hidden files that are present.

Download RootRepeal from the following location and save it to your desktop.
- Direct Download (Recommended)
- Zip Mirrors (Recommended if you have a slower connection or if the Direct Download mirror is down)
- Rar Mirrors - Only if you know what a RAR is and can extract it.
Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
Open on your desktop.
Click the tab.
Click the button.
Check all seven boxes:
Push Ok
Check the box for your main system drive (Usually C:), and press Ok.
Allow RootRepeal to run a scan of your system. This may take some time.
Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.

Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!

========================================================

#3 tolson09

Member

Group: Members
Posts: 25
Joined: 20-October 09

Posted 22 October 2009 - 10:34 AM

sorry it took so long to get back to this. I have been really frustrated with this virus and have looked at other blogs and cant get anything to work. I am away from my home computer now but will be back later around lunchtime. I am able to download everything, extract files, except when I try to install, windows police pro pops up. Also anytime I try to open any program it pops up. The only thing I can access is IE and just have to keep clicking off the pop ups. The last time I was on it a blue screen came up telling me they had to shut down the computer before any more damage was done. I am bringing a laptop home so I will be able to reply to posts etc. Thanks for your help.

#4 tolson09

Member

Group: Members
Posts: 25
Joined: 20-October 09

Posted 22 October 2009 - 11:12 AM

Also, if I backed up some files onto a flash drive and then put them on another computer, is there a chance that I could infect the other computer?

#5 tolson09

Member

Group: Members
Posts: 25
Joined: 20-October 09

Posted 22 October 2009 - 02:26 PM

I have downloaded the OTL link but when I double click it, it doesnt open. A popup comes up that says Security Tool Warning, wscvc32.exe is infected with worm Lsas.Blaster.Keyloger. This worm is trying to send your credit card details using wscsvc32.exe to connect to remote host. I know this is just trying to get me to sign up for this police pro but just telling you what it says. Thanks

This post has been edited by tolson09: 22 October 2009 - 02:28 PM

#6 Buckeye_Sam

Malware Expert

Group: Malware Response Team
Posts: 17,382
Joined: 23-December 04
Gender:Male
Location:Pickerington, Ohio

Posted 22 October 2009 - 06:42 PM

tolson09, on Oct 22 2009, 11:12 AM, said:

Also, if I backed up some files onto a flash drive and then put them on another computer, is there a chance that I could infect the other computer?

Without having seen any logs I can't tell what type of infection you may have so I can't answer that question.

Skipping past OTL then, try to run Rootrepeal and post that log for me.

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3

Posted Image

--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.

Please post the C:\ComboFix.txt so we can continue cleaning the system.

#7 tolson09

Member

Group: Members
Posts: 25
Joined: 20-October 09

Posted 22 October 2009 - 06:55 PM

I cannot open the combofix and cant open anything besides IE. I renamed it comhelp. Sorry I am not sure what to do. This Security Tool Warning pops up in bottom right

#8 Buckeye_Sam

Malware Expert

Group: Malware Response Team
Posts: 17,382
Joined: 23-December 04
Gender:Male
Location:Pickerington, Ohio

Posted 22 October 2009 - 07:02 PM

Please download and run Win32kDiag:

Download Win32kDiag from any of the following locations and save it to your Desktop.
Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.

#9 tolson09

Member

Group: Members
Posts: 25
Joined: 20-October 09

Posted 22 October 2009 - 10:29 PM

I downloaded the win32diag and when I double click it a black screen appears for a second and disappears. After clicking numerous times and writing it down this is what it said:

running from: C:\documents and settings\travis olson\win32diag.txt
Log file C:\documents and settings\travis olson\win32diag.txt
Warning could not get backup privelages
Searching C:\Windows . . . .

I even downloaded the other 2 links, renamed them. Thanks, sorry so sporatic getting back to your posts, we are different timezones and I couldnt get away from work.

#10 Buckeye_Sam

Malware Expert

Group: Malware Response Team
Posts: 17,382
Joined: 23-December 04
Gender:Male
Location:Pickerington, Ohio

Posted 23 October 2009 - 07:37 AM

Download and run a batch file (peek.bat):

Download peek.bat from the download link below and save it to your Desktop.
Double-click peek.bat to run it.
Once it is finished, copy and paste the entire contents of the Log.txt file it creates as a reply to this post.

==========

#11 tolson09

Member

Group: Members
Posts: 25
Joined: 20-October 09

Posted 23 October 2009 - 08:59 AM

The log txt file opens momentarily and then closes. it says:

Volume in drive C has no label
Volume serial number is 600F-D56C

#12 Buckeye_Sam

Malware Expert

Group: Malware Response Team
Posts: 17,382
Joined: 23-December 04
Gender:Male
Location:Pickerington, Ohio

Posted 24 October 2009 - 09:43 AM

Typically the main hard drive is named a C: drive. What letter drive is your Windows installation?
Are you saving these files directly to your desktop to run them?

#13 Buckeye_Sam

Malware Expert

Group: Malware Response Team
Posts: 17,382
Joined: 23-December 04
Gender:Male
Location:Pickerington, Ohio

Posted 24 October 2009 - 09:47 AM

Do a search on your computer for this file.

eventlog.dll

Let me know all locations it is found and the file size of each.

#14 tolson09

Member

Group: Members
Posts: 25
Joined: 20-October 09

Posted 26 October 2009 - 12:10 AM

I am saving direcly to the desktop and trying to run them from there. My hard drive is C: Here is what I found with the eventlog.dll

C:\I386, size 55kb
C:\Windows\System32
C:\Windows\ServicePackFiles\i386

Thanks