Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Infected - Windows Police Pro/Windows Antivirus Removal/Windows antivirus Pro

  • This topic is locked This topic is locked
2 replies to this topic

#1 gothdiva1


  • Members
  • 2 posts
  • Local time:12:42 AM

Posted 10 September 2009 - 09:27 PM

Three weeks ago, my husband got a popup for windows antivirus pro, and being non computer savvy, clicked it and of course, it installed. It disabled the computer almost completely. No programs ran, it changed the internet settings, and made things difficult to do. I looked here for instructions to remove it, and after running spybot s&d and combing the registries, things returned to normal and I thought I had it contained.

Monday- he gets another one. This time Windows police pro. Again I turned to this forum for help. This one is nastier than the first. It completely disabled everything on his partition. error messages stating there were .exe errors on anything you tried to run. Taskbar popup stating "infected, install antivirus now" and the official looking popup stating that I had no firewall installed. I was able to get into the task manager on my partition, and on my partition, found the files that I could and deleted them. I had to run exefix to get anything to run at all. I disabled antiproex in the msconfig file. While nosing around, I found shortcuts to windows antivirus pro, which lead to the PAVRM.exe file, but it's nowhere to be found on my computer, so I think I have 2 going at once. I still cannot get anything to run. I downloaded malwarebytes - won't even open. Spybot won't open. SUPERantispyware only runs through the alternate start, and then just terminates without notice. I have, however, been able to remove some through short custom scans.

His partition starts up, and if i try to run anything, freezes and then re-boots. I can only access the computer through my partition, which I am an administrator, even though I got messages that the administrator has blocked access to certain programs. My partition's background has returned, my web surfing is no longer redirected, and no longer get any of the popups. I can run everything except what I need to remove this.

I tried to go through all your steps. I backed up what I could to cd, because the xp backup and drive image xml failed to complete.
I cleaned my computer.
I tried more than once to run the dss file. I get to the black screen telling me what it's going to do, and it closes and then nothing happens.
I tried to run rootrepeal. It opens, but the only thing it scans is the processes. It scans for about 10 seconds, and then terminates without an error message. the only thing I can get from it is - C:\hyberfil.sys - locked to the windows API! before it shuts down.

I disabled my avg, and unplugged the internet.

I am at the point that I'm not sure whether or not I should try to save it, or just wipe and reinstall. :(

edit: I was able to get rootrepeal to run on his partition in safemode. See report below.

ROOTREPEAL © AD, 2007-2009
Scan Start Time: 2009/09/11 13:39
Program Version: Version
Windows Version: Windows XP SP3

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF9886000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xFA128000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF94FE000 Size: 49152 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xF9FAA000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xF9DC2000 Size: 61440 File Visible: No Signed: -
Status: -

Stealth Objects
Object: Hidden Module [Name: UACdbonunoypa.dll]
Process: svchost.exe (PID: 400) Address: 0x006f0000 Size: 65536

Object: Hidden Module [Name: kbiwkmjgjktoqb.dll]
Process: svchost.exe (PID: 400) Address: 0x10000000 Size: 53248

Object: Hidden Module [Name: kbiwkmjgjktoqb.dll]
Process: svchost.exe (PID: 564) Address: 0x10000000 Size: 53248

Hidden Services
Service Name: kbiwkmkvdlftpj
Image Path: C:\WINDOWS\system32\drivers\kbiwkmbaqjnome.sys

Service Name: kbiwkmmpvydgir
Image Path: C:\WINDOWS\system32\drivers\kbiwkmivkmppjx.sys

Service Name: UACd.sys
Image Path: C:\WINDOWS\system32\drivers\UACrkpbuhvknt.sys


Edited by gothdiva1, 11 September 2009 - 02:12 PM.

BC AdBot (Login to Remove)


#2 gothdiva1

  • Topic Starter

  • Members
  • 2 posts
  • Local time:12:42 AM

Posted 11 September 2009 - 05:58 PM

Nevermind. It was time to wipe it anyway, so I did. But thanks! Keep up the good work here!

#3 Guest_The weatherman_*

Guest_The weatherman_*

  • Guests

Posted 11 September 2009 - 06:17 PM

Thank you for letting us know gothdiva1. :(

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users