
Windows Police Pro


This topic is locked. 9 replies to this topic.

#1 txtchr (Members, 153 posts, Location: Texas)

Posted 23 September 2009 - 08:05 PM

My son's computer got hit tonight. AV has been turned off. Security Warning keeps appearing with a dialog box to purchase Windows Police Pro. I tried system restore but got the error message that C:\Windows\System32\restore\restrui.exe is infected. Please activate your antivirus program. However, I can't even launch AVG at all to try to activate it.

When I finally got Firefox to load, his home page didn't load, either. A window came up showing: "This is embarrassing" message.

I don't even know where to start, as in order for me to post this message, I had to drag the Windows Security Center window down to the bottom of the screen so I could see what I was typing, because no matter what, it wouldn't go away. Pulling up Task Manager and ending the process does no good, either, as it ends the process, and then it starts right up again.

I have not shut the computer off. This all started about an hour and half ago.

Thanks for any guidance.

Edit: my son just told me that the system did shut down, with a countdown from 55 seconds down. When it restarted, the Acrobat welcome screen appeared then disappeared. It's almost as if an Acrobat file launched, then the havoc began.

That's where we stand.

Edit again: I found the self-help guide on BC for removing this nasty thing. I was printing the guide, and all of a sudden the system shut down. It got to the Windows "Saving your Settings" screen and froze there. We finally turned the machine off completely and have left it off. I did get the entire print-out, though, but don't know what to do now.

Edited by txtchr, 23 September 2009 - 09:13 PM.



#2 garmanma (Computer Masochist, Members, 27,809 posts, Location: Cleveland, Ohio)

Posted 24 September 2009 - 08:53 PM

Go to Start > Run..., then copy and paste this command into the open box: cmd
Click OK.
At the command prompt C:\>, copy and paste the following command and press Enter:

DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\eventlog.dll >Log.txt & START notepad Log.txt

A file called log.txt should be created on your Desktop.
Open that file and copy/paste the contents in your next reply.
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 txtchr (Topic Starter)

Posted 25 September 2009 - 07:44 AM

About the time that you were posting this reply, I was working on cleaning this computer.

I had the BC removal guide instructions printed out and followed them. Firefox was disabled completely, but IE loaded finally. I downloaded and ran fixtm.reg and fixExe.reg. It took several attempts to get these files, as IE kept closing. I then was able to download and run Malwarebytes' Anti-Malware. It didn't take that long to run, but it found a laundry list of items, which I did remove. A log was created, and then I rebooted the computer at the prompt.

The computer did restart slowly, but everything seemed to work okay upon restart. AVG was now enabled, and when I went to check for updates, it listed that it had been updated while I was working on cleaning the machine, so there were no new updates available.

I have told my son not to connect any peripherals to the computer -- iPod, phone, flash drives, portable hard drives. He did tell me this morning that Firefox was working fine and that the computer did seem to operate a bit faster than when it initially restarted.

Can we assume that this is now gone? Do I need to do anything else?

Thanks -- appreciate the help :thumbsup:

#4 garmanma

Posted 25 September 2009 - 04:32 PM

If you got it all, you were lucky indeed.
For peace of mind, try these two scans:



ATF
Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

------------------------------------

SAS, may take a long time to scan
Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet. First:
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
Note: SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.
---------------------------------------------------


Please download Dr.Web CureIt, the free version & save it to your desktop. DO NOT perform a scan yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on launch.exe to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All.
  • When complete, click Select All, then choose Cure > Move incurable.
    (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • Now put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and UNcheck "Heuristic analysis" under the "Scanning" tab, then click Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • When the scan is complete, a message will be displayed at the bottom indicating if any viruses were found.
  • Click "Yes to all" if asked to cure or move the file(s) and select "Move incurable".
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)

Mark

#5 txtchr (Topic Starter)

Posted 26 September 2009 - 07:18 AM

Thanks for your help, Mark. Obviously there's other stuff that remained, as you'll see below in the SAS log.

I followed your instructions and ran ATF. I then ran SAS in safe mode. It took a very long time to run, so I let it finish overnight. I'll be running Dr. Web CureIt shortly and will report back on those results when that's finished.

In the meantime, here's the SAS log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/25/2009 at 10:15 PM

Application Version : 4.29.1002

Core Rules Database Version : 4125
Trace Rules Database Version: 2064

Scan type : Complete Scan
Total Scan Time : 03:52:16

Memory items scanned : 231
Memory threats detected : 0
Registry items scanned : 7030
Registry threats detected : 14
File items scanned : 95187
File threats detected : 1

Spyware.WebSearch (WinTools/HuntBar)
HKU\S-1-5-21-2167907348-1609644546-3602070185-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{87766247-311C-43B4-8499-3D5FEC94A183}
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINTOOLSSVC\0000#DeviceDesc

Adware.Lycos/SideSearch
HKU\S-1-5-21-2167907348-1609644546-3602070185-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C5183ABC-EB6E-4E05-B8C9-500A16B6CF94}

Rogue.IEAntiVirus
C:\Documents and Settings\Tim\Start Menu\Programs\ANTIVIRUS

Rogue.WindowsPolicePro
HKU\.DEFAULT\Software\Softimer
HKU\S-1-5-18\Software\Softimer
HKU\.DEFAULT\Software\Windows Police Pro
HKU\S-1-5-18\Software\Windows Police Pro


Thanks again -- Mary :thumbsup:

Edited by txtchr, 26 September 2009 - 07:19 AM.


#6 txtchr (Topic Starter)

Posted 26 September 2009 - 12:31 PM

Mark -- Dr.Web finally finished scanning. It took all morning to run. I followed your instructions carefully.

Here is the log:

chris clark pleen 1930s - best track ever.mp3;C:\Documents and Settings\Tim\Shared;Trojan.WMALoader;Cured.;
WxBug.EXE\data008;C:\Program Files\AIM\Sysfiles\WxBug.EXE;Adware.Aws;;
WxBug.EXE;C:\Program Files\AIM\Sysfiles;Archive contains infected objects;Moved.;
gasfkycvhqyxva.dll;C:\WINDOWS\SYSTEM32;Trojan.Packed.2788;Deleted.;
gasfkyfwkrapij.dll;C:\WINDOWS\SYSTEM32;Trojan.Packed.2788;Deleted.;
gasfkyuxwituwo.dll;C:\WINDOWS\SYSTEM32;Trojan.Packed.2788;Deleted.;


Again, thanks for your help. Let me know what I need to do next.

Mary :thumbsup:

Edit: the computer has Windows Updates that are waiting to be installed. Should I install them, or just leave them alone and wait?

Edited by txtchr, 26 September 2009 - 12:36 PM.


#7 garmanma

Posted 26 September 2009 - 06:30 PM

the computer has Windows Updates that are waiting to be installed. Should I install them, or just leave them alone and wait?

Wait and see what the HJT team says


HKU\.DEFAULT\Software\Windows Police Pro
HKU\S-1-5-18\Software\Windows Police Pro


You need to run the scans I listed in post #2
Mark

#8 txtchr (Topic Starter)

Posted 26 September 2009 - 06:57 PM

Here's the log that was created after following the instructions you listed in post #2:

Volume in drive C has no label.
Volume Serial Number is 4072-3032

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 02:56 AM 180,224 scecli.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 02:56 AM 407,040 netlogon.dll

Directory of C:\WINDOWS\$NtServicePackUninstall$

08/04/2004 02:56 AM 55,808 eventlog.dll
3 File(s) 643,072 bytes

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 07:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 07:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008 07:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\SYSTEM32

04/13/2008 07:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\SYSTEM32

04/13/2008 07:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\SYSTEM32

04/13/2008 07:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Total Files Listed:
9 File(s) 1,932,288 bytes
0 Dir(s) 8,275,963,904 bytes free


I should add that the command prompt was not a C:\> with nothing after it, but rather C:\>Documents and Settings\Tim. Should I have gone to a straight C prompt? I tried typing just C:\ and pressing Enter, but I got an error message and it would default back to the Documents and Settings path.
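A small check on the log that command produces, added here as an example and not part of the thread: it parses the DIR output and compares the SYSTEM32 copy of each listed DLL against the ServicePackFiles\i386 copy, reporting a size mismatch or a missing copy. The sample log is condensed from the one in this post; the directory constants and the verdict strings are my own naming.

```python
import re
from collections import defaultdict

# Constructed sample, condensed from the DIR /a/s log in post #8 (the real
# command prints a separate "Directory of" header for each file spec).
SAMPLE_LOG = r"""
 Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008  07:12 PM           181,248 scecli.dll
04/13/2008  07:12 PM           407,040 netlogon.dll
04/13/2008  07:11 PM            56,320 eventlog.dll
               3 File(s)        644,608 bytes

 Directory of C:\WINDOWS\SYSTEM32

04/13/2008  07:12 PM           181,248 scecli.dll
04/13/2008  07:12 PM           407,040 netlogon.dll
04/13/2008  07:11 PM            56,320 eventlog.dll
               3 File(s)        644,608 bytes
"""

WATCHED = ("scecli.dll", "netlogon.dll", "eventlog.dll")
LIVE_DIR = r"C:\WINDOWS\SYSTEM32"                    # the copy Windows loads
REFERENCE_DIR = r"C:\WINDOWS\ServicePackFiles\i386"  # the service-pack copy

DIR_RE = re.compile(r"^\s*Directory of (.+?)\s*$")
FILE_RE = re.compile(r"^\s*(\d\d/\d\d/\d{4})\s+(\d\d:\d\d [AP]M)\s+([\d,]+)\s+(\S.*?)\s*$")


def parse_dir_log(text):
    """Map each file name (lower-cased) to {directory: (date, time, size_bytes)}."""
    entries = defaultdict(dict)
    current = None
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = FILE_RE.match(line)
        if m and current:          # summary lines such as "3 File(s)" do not match
            date, time, size, name = m.groups()
            entries[name.lower()][current] = (date, time, int(size.replace(",", "")))
    return dict(entries)


def compare_copies(entries, live_dir=LIVE_DIR, reference_dir=REFERENCE_DIR):
    """Return {dll: verdict}; anything other than 'ok' deserves a closer look."""
    verdicts = {}
    for name in WATCHED:
        copies = entries.get(name, {})
        live, ref = copies.get(live_dir), copies.get(reference_dir)
        if live is None:
            verdicts[name] = "missing from " + live_dir
        elif ref is None:
            verdicts[name] = "no service-pack copy to compare against"
        elif live[2] != ref[2]:
            verdicts[name] = "size mismatch: %d bytes live vs %d bytes reference" % (live[2], ref[2])
        else:
            verdicts[name] = "ok"
    return verdicts
```

On the log in this post all three verdicts come back "ok", which is consistent with the SYSTEM32 copies matching their service-pack originals byte-for-byte in size.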

#9 garmanma

Posted 27 September 2009 - 06:13 PM

See if you can run a DDS scan and a Root Repeal scan
If not, include the scan you just ran and tell them that it is all you could get to run




Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

There will also be instructions to create a Root Repeal Log

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

The HJT team is very busy and it will take a while to get to your post.
Please be patient and good luck.
Mark

#10 txtchr (Topic Starter)

Posted 27 September 2009 - 06:33 PM

Thank you Mark. I'm following your instructions and will post those logs in the HJT section.



