Help with Windows Police Pro Removal


This topic is locked
18 replies to this topic

#1 Chrono.Naut (Members, 35 posts)

Posted 27 September 2009 - 11:29 PM

Alright,
Sorry to be so long-winded here but I am looking for assistance with the removal of Windows Police Pro after trying to complete a few steps on my own first. Computer belongs to a friend of mine and is currently running Win. XP. Computer is also running AVG anti-virus which was set to update automatically and as of a couple weeks ago, it had updated versions of MalwareBytes, Spybot S&D and Adaware loaded although the owner is very inconsistent with updating and running these utilities that I have loaded for his protection and allows several of his small children to use this machine. They are prone to clicking on any banner that flashes or moves on the screen when they are playing kids games online so there is no telling what else we may encounter here. Could likely be multiple issues.

When I received the machine and took a look at it, the Windows Police Pro window appeared upon start-up showing its fake virus scan window followed by a message saying that the computer was infected with 30+ viruses along with at least a dozen error messages. The first significant hurdle that I discovered after getting into it was that this infection seems to prevent the user from opening & running all of the above-mentioned utilities. Actually Spybot shows up in the taskbar indicating that it loaded at start-up but it will not allow you to run a scan. When trying to open and run MalwareBytes, I obtained the following error message:
"Windows cannot access the specified device, path or file. You may not have the appropriate permission to access the item."

I tried uninstalling Malwarebytes, and then re-loading a fresh copy from a USB storage device since I don't have this machine hooked up to an internet connection to download it. It let me re-install it but with no connectivity I couldn't update it. As soon as I tried to run it after the install though, it started up normally but then within about five seconds of the scan beginning, it disappeared and the scan window and program seemed to close all by itself. When I tried to run it again, I received the same error message above about not having the appropriate permission. Then it thwarted my attempt at renaming the MalwareBytes mbam.exe file as well. When I tried to rename it, it told me that the file could not be renamed.

Surprisingly, I soon discovered that it would allow me to at least get to Windows Task Manager and stop its process from running. Within a few seconds to upwards of a minute though, it would restart automatically and the Windows Police Pro window would come back again. After a few repetitive tries, I was finally able to stop it and get SuperAntispyware downloaded. The only way that I could get it started was to rename it by changing the .exe to .com. After the scan, it came back with the following results:
Adaware.Vundo/Variant-[fixed]
Rootkit.Agent/Gen-Skynet
Trojan.Downloader-Gen/A
Trojan.Unclassified:BaviaX
Trojan.Vundo-Variant/nextGen

I also found another suspicious program running in Task Manager named Desote.exe. I ended that program and after a quick search I found this program located in the system32 folder and deleted it manually.

After the requested restart by SuperAntispyware, the Windows Police Pro window is gone. I'm now left with two RunDLL errors. The message indicates that there was an error loading the following two items and the specified modules could not be found:
C:\Windows\system32\zuvimape.dll
& also something called tapi.nfo

Since none of the other installed utilities would run even after this scan, I tried to run SuperAntispyware again. It will start its scan and it quickly indicates that Rootkit.Agent/Gen-Skynet is still alive and well. If I let this program run for more than about 4-5 minutes as it continues looking for problems, it will eventually quit all by itself and just disappear before finishing the scan. I tried running it again and stopping it right AFTER it located the Rootkit.Agent/Gen-Skynet but BEFORE it was finished so it wouldn't get forced closed again. I allowed the program to remove this item and did the restart but it came right back again.

I successfully installed HijackThis and upon running it to try and obtain a log for reference purposes, it closed all by itself as well and there appears to be no log that was stored. Now it won't let me run it again.

This thing has kicked my butt. Without the ability to use any of these utilities that I have I am at a loss for what to do next. Hopefully someone with more experience can help me get rid of this problem. I will say this upfront...the owner of this machine recently moved and has been unable to locate the Windows XP back-up disc that came with the machine when they purchased it new several years ago so I'm not sure that reformatting is an option. Also, I don't really have a way to connect the problem pc to the internet as it is sitting on my dining room table while I try to repair it. Therefore, I will have to download any repair programs to it via the USB storage device that I am using.

I apologize again for the long explanation here. I just want to provide any potential helpers with as much info as possible upfront especially since I have made several attempts to fix this problem. Thanks for reading and thanks in advance for any help that may be offered.


#2 Chrono.Naut (Topic Starter, Members, 35 posts)

Posted 28 September 2009 - 01:04 PM

For what it is worth, I forgot to mention that I also attempted to use the very detailed tutorial here at http://www.bleepingcomputer.com/virus-remo...dows-police-pro
After killing the Windows Police Pro process in task manager like it suggested, I installed and ran the suggested FixExe.reg that was mentioned from my desktop and I am still having trouble getting any executables/utilities to open and run and as I mentioned above, it doesn't seem to want to allow me to rename these types of files either.

I also looked for the suggested svchast.exe & svchasts.exe files that were identified with this malware and did not find them running in task manager nor did I locate them after performing a search.
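
The two symptoms in the posts above (double-clicking an .exe gives "Windows cannot access the specified device, path or file", yet the same file renamed to .com runs) are the classic signature of a hijacked .exe launcher association in HKEY_CLASSES_ROOT, which is exactly what a fix such as FixExe.reg restores; the other common cause of a specific tool dying or failing to start is an "Image File Execution Options\<tool>.exe" Debugger entry. The script below is an added example, not code from this thread or from FixExe.reg: it parses a .reg export and flags both conditions. The export text at the bottom is constructed, and rogue.exe is a placeholder name, not something the thread found on the machine. On the infected XP box the export would be produced from a command prompt (cmd.exe starts programs with CreateProcess rather than the shell association, so reg.exe still runs when double-click does not) with `reg export HKCR\exefile exefile.reg` and `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg`, then carried off on the flash drive.

```python
"""Audit a Windows registry export (.reg text) for a hijacked .exe/.com/.bat
launcher association and for Image File Execution Options 'Debugger'
redirections.  Added example, not the thread's or FixExe.reg's code.  The
SAMPLE_EXPORT below is constructed; rogue.exe is a placeholder name."""
import re
from typing import Dict, List

# Default launcher command for exefile/comfile/batfile on a clean Windows XP.
CLEAN_LAUNCHER = '"%1" %*'
LAUNCHER_CLASSES = ("exefile", "comfile", "batfile")
IFEO_PREFIX = (r"hkey_local_machine\software\microsoft\windows nt"
               r"\currentversion\image file execution options" + "\\")

# "name"="value" or @="value"; only quoted (REG_SZ) values are handled,
# which is all these two checks need.
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=("(?:[^"\\]|\\.)*")$')


def _unescape(s: str) -> str:
    # Undo .reg escaping: doubled backslashes and backslash-escaped quotes.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse [key] headers and their string values into {key: {name: value}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            keys[current][name] = _unescape(m.group(2)[1:-1])
    return keys


def audit(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """One finding per non-default launcher command and per IFEO Debugger value."""
    findings: List[str] = []
    for key, values in keys.items():
        k = key.lower()
        for cls in LAUNCHER_CLASSES:
            if k.endswith(f"\\{cls}\\shell\\open\\command"):
                cmd = values.get("@", "")
                if cmd != CLEAN_LAUNCHER:
                    findings.append(
                        f"{key}: launcher is {cmd!r}, expected {CLEAN_LAUNCHER!r}")
        if k.startswith(IFEO_PREFIX):
            for name, value in values.items():
                if name.lower() == "debugger":
                    program = key.rsplit("\\", 1)[-1]
                    findings.append(f"IFEO Debugger set for {program}: {value!r}")
    return findings


def load_export(path: str) -> str:
    """Read a file written by 'reg export'/regedit: UTF-16 with a BOM on
    recent Windows, ANSI on older exports."""
    with open(path, "rb") as fh:
        data = fh.read()
    return data.decode("utf-16") if data.startswith(b"\xff\xfe") else data.decode("latin-1")


# Constructed sample: exefile redirected through a placeholder rogue.exe,
# comfile left alone (which is why renaming a tool to .com still works),
# and an IFEO Debugger entry aimed at mbam.exe.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\WINDOWS\\system32\\rogue.exe\" \"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe]
"Debugger"="C:\\WINDOWS\\system32\\rogue.exe"
'''

if __name__ == "__main__":
    for finding in audit(parse_reg_export(SAMPLE_EXPORT)):
        print(finding)
```

Run against the sample it reports the exefile hijack and the mbam.exe Debugger entry and stays silent on comfile. A clean export of the same keys produces no findings, which is the state FixExe.reg is meant to restore; a Debugger value under IFEO for a security tool is never legitimate on an end-user machine and can be deleted outright.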

#3 Guest_The weatherman_* (Guest)

Posted 28 September 2009 - 05:08 PM

Moved from HJT to a more appropriate forum. Tw

#4 rigel (FD-BC, Members, 12,944 posts, South Carolina - USA)

Posted 28 September 2009 - 06:10 PM

Let's take a look with GMER. I have a feeling we will need to transfer you to the HJT forum for advanced help.

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it." ~ Will Smith


#5 Chrono.Naut (Topic Starter, Members, 35 posts)

Posted 28 September 2009 - 09:22 PM

Thank you for the assistance rigel. Nice to have someone right here in SC trying to help me out.

I followed your instructions to the letter and had no problems at first. Shut off AVG, also turned off Spybot, which was running in the background, and turned off the screensaver so it wouldn't interrupt anything. Machine is not connected to the internet so no worries there. Used the USB storage device to download GMER to the desktop of the affected machine and opened it as instructed. It started the quick scan and then gave me the warning about possible rootkit activity and asked if I wanted to do the complete scan. I clicked "No" as instructed. (btw-I noticed the Skynet rootkit that I mentioned earlier listed in the quick scan results though, I believe it was shown in red text)

After clicking "No" to the full scan, I then clicked "Scan" on the right side toolbar as instructed and the scan began as expected. Shortly after this though, the same old problem reared its ugly head. After the scan ran for approx 3-4 minutes, it basically just stopped all by itself and the scan window closed & disappeared from the screen before it could finish and obviously before I could save the log. It appears to have been forced closed/shutdown prematurely exactly like what I experienced with the MalwareBytes & SuperAntispyware utilities that I attempted to use.

I attempted to restart the GMER program again to see if the result was the same and as I suspected, it will no longer allow me to open the randomly named GMER.exe file from the desktop. When I click on it's desktop icon, I now receive the same frustrating error message which states: "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item." This is the same message that I get when trying to open MalwareBytes and SuperAntispyware either from the desktop folder or from the programs folder.

Please let me know how you would like me to proceed from here. Thanks again for the assistance rigel and my apologies to "theweatherman" for posting this in the wrong area of the forum here. Thanks for relocating it to the correct area.

#6 rigel (FD-BC, Members, 12,944 posts, South Carolina - USA)

Posted 28 September 2009 - 11:24 PM

(btw-I noticed the Skynet rootkit that I mentioned earlier listed in the quick scan results though, I believe it was shown in red text)


That is what I wanted to verify. Since we are 100% sure a rootkit is present, we need to move you to the advanced malware forum. They are your best chance at completely removing the infection. I know you mentioned HJT was not running. Have you tried DDS? Please follow this guide from step (6). Post a DDS log to the HJT/Malware forum and a Team member will be along to help you as soon as possible.


If DDS will not run, please try this scan instead:

Please download RSIT by random/random and save it to your Desktop.
Note: You will need to run this tool while connected to the Internet so it can download HijackThis if it is not located on your system. If you get a warning from your firewall or other security programs regarding RSIT attempting to contact the Internet, please allow the connection.
  • Close all applications and windows so that you have nothing open and are at your Desktop.
  • Double-click on RSIT.exe to start the program.
  • If using Windows Vista, be sure to Run As Administrator.
  • Click Continue after reading the disclaimer screen.
  • Leave the drop down box set to default: "List/folders created or modified in the last 1 month (30 days)".
  • When the scan is complete, a text file named log.txt will automatically open in Notepad.
  • Save the log file to your desktop and copy/paste the contents into a new topic in the HijackThis Logs and Malware Removal forum, NOT here.
Important: Be sure to mention that you tried to follow the Prep Guide but were unable to get DDS to run.
If RSIT did not work, then reply back here.



#7 Chrono.Naut (Topic Starter, Members, 35 posts)

Posted 29 September 2009 - 12:05 PM

Thank you again rigel.

I have not tried DDS yet but I will follow your instructions regarding that later this evening in hopes of generating a log to post in the HJT/Malware forum as suggested. **fingers crossed**

If this doesn't work, is there any other options with regards to the use of RSIT? The problem that I have is that the infected desktop machine that I am working on belongs to someone else and I really don't have a way to connect it to the internet at the moment without disconnecting my own pc and changing all of the connection configurations on the infected machine in order to use it on my DSL line. It is currently configured for cable service which I do not have available at my home. Just wondering what other options I might have that might allow me to work on it without being connected.

Thanks again for your valued assistance.

#8 rigel (FD-BC, Members, 12,944 posts, South Carolina - USA)

Posted 29 September 2009 - 05:19 PM

I would download DDS and RSIT to your flash drive and then transfer the program. Likewise, move the logs back via flash drive. As a precaution, run this program first on your flash drive.

Please download Flash_Disinfector.exe by sUBs and save it to your desktop.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.
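
The flash drive in this thread is the only channel between the infected machine and the helper's PC, so the two things a practitioner wants are a way to see what an autorun.inf on the stick would actually launch before the stick goes into a clean box, and the immunization the note above describes (a directory occupying the name autorun.inf at the drive root, so a malicious file of that name cannot be written there). The script below is an added example and not Flash_Disinfector's own code. The autorun.inf text and the RECYCLER path inside it are constructed; the extra system and read-only attributes set on Windows are this example's choice, the page only says the folder is hidden.

```python
"""Triage and immunize a removable drive against autorun.inf abuse.
Added example, not Flash_Disinfector's code.  SAMPLE_AUTORUN is constructed;
immunize() sets hidden (as the thread describes) plus system and read-only
on Windows, which is this example's choice."""
import ctypes
import os
import sys
import tempfile
from typing import Dict, List, Tuple

# Keys that make the shell run something on insert or on double-click.
LAUNCH_KEYS = ("open", "shellexecute")
# Keys used to make a malicious stick look like an ordinary folder.
LURE_KEYS = ("label", "icon", "action")


def inspect_autorun(text: str) -> Dict[str, object]:
    """Return {'launches': [(key, command), ...], 'lures': {key: value}}."""
    launches: List[Tuple[str, str]] = []
    lures: Dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        # [autorun] plus architecture variants such as [autorun.amd64]
        if section is None or not section.startswith("autorun") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        k = key.lower()
        if k in LAUNCH_KEYS or (k.startswith("shell\\") and k.endswith("\\command")):
            launches.append((key, value))
        elif k in LURE_KEYS:
            lures[k] = value
    return {"launches": launches, "lures": lures}


def immunize(drive_root: str) -> str:
    """Create a directory named autorun.inf at drive_root and return its path.
    Refuses to clobber an existing autorun.inf *file*: inspect that first."""
    target = os.path.join(drive_root, "autorun.inf")
    if os.path.isfile(target):
        raise RuntimeError(f"{target} is a file; inspect it before replacing it")
    os.makedirs(target, exist_ok=True)
    if sys.platform == "win32":
        # FILE_ATTRIBUTE_READONLY | FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM
        ctypes.windll.kernel32.SetFileAttributesW(target, 0x1 | 0x2 | 0x4)
    return target


def demo_immunize() -> Tuple[bool, bool]:
    """Immunize a throwaway directory standing in for a drive root and report
    (autorun.inf is a directory, creating a file of that name is blocked)."""
    with tempfile.TemporaryDirectory() as fake_root:
        target = immunize(fake_root)
        blocked = False
        try:
            with open(os.path.join(fake_root, "autorun.inf"), "w"):
                pass
        except OSError:
            blocked = True
        return os.path.isdir(target), blocked


# Constructed sample of the kind of autorun.inf a USB worm drops: every
# entry point runs the same dropper hidden under RECYCLER, and icon/action
# make the stick look like a plain folder.
SAMPLE_AUTORUN = r"""[autorun]
open=RECYCLER\S-1-5-21-0-1\update.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
action=Open folder to view files
shell\open\command=RECYCLER\S-1-5-21-0-1\update.exe
shell\explore\command=RECYCLER\S-1-5-21-0-1\update.exe
"""

if __name__ == "__main__":
    report = inspect_autorun(SAMPLE_AUTORUN)
    for key, command in report["launches"]:
        print(f"would launch via {key}: {command}")
    print("lures:", report["lures"])
    print("immunize demo (is_dir, write_blocked):", demo_immunize())
```

Read the stick's autorun.inf on the clean machine with the drive opened while holding Shift, as the post says, or better from a system where autorun is disabled; if `launches` is non-empty and points into RECYCLER or a hidden directory, treat the stick as infected rather than immunizing over it. The immunization only stops a file named autorun.inf from being created; it does not remove a dropper already on the drive.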



#9 Chrono.Naut (Topic Starter, Members, 35 posts)

Posted 29 September 2009 - 08:41 PM

rigel,
First let me preface this by confirming that I am logged in as the owner on this machine and I have checked again to be sure that Windows Firewall, AVG, Spybot S&D, Spyware Blaster & SuperAntispyware are all turned off.

I downloaded the Flash Disinfector executable to my pc as instructed and followed the prompts. Inserted my flash drive as instructed and it found no issues there.

I then proceeded to download DDS & RSIT to the flash drive and transferred them to the infected pc one at a time starting with DDS. I followed the easy instructions that you provided for running DDS and after clicking on the desktop icon the DDS script did indeed open and the black window appeared on screen but subsequently closed and disappeared all by itself within about 1-2 seconds exactly like MalwareBytes had done. In fact it disappeared before I could even read any of the text in the black window. It did not appear to be running in the background so I attempted to open it again after waiting about 10 minutes and the result was the same.

I then moved to the RSIT tool. After transferring it to the desktop, I attempted to open its executable and it did begin to start. I clicked continue after the disclaimer screen, leaving the drop-down box set to default and as soon as it started to scan....bam! It just disappears and closes prematurely also and did not appear to be running in the background. I attempted to click the RSIT icon a second time just to see what would happen and I then received the same error message on screen again: "Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item."

Whatever this thing is infected with, it seems to have a component in it that disables exe files and has the ability to force them closed somehow. I also noticed that once an attempt has been made to open and run any of these downloaded exe files, it will not allow me to go back and rename them. Very strange indeed.

I am obviously open to any further suggestions that you may have on how to proceed.

As another FYI, I was able to pull the scan results that I got when I ran the SuperAntispyware program a few days ago before our discussion began. Keep in mind that these were the results that were found up until I manually stopped the scan after letting it run for only about 90 seconds. I elected to stop it before it was stopped for me by whatever keeps closing these utilities. It's not much but I wasn't sure if this might assist in the process.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/26/2009 at 10:12 PM

Application Version : 4.27.1002

Core Rules Database Version : 4040
Trace Rules Database Version: 1980

Scan type : Quick Scan
Total Scan Time : 00:00:29

Memory items scanned : 434
Memory threats detected : 1
Registry items scanned : 81
Registry threats detected : 0
File items scanned : 0
File threats detected : 1

Rootkit.Agent/Gen-Skynet
\?\GLOBALROOT\C:\WINDOWS\SYSTEM32\SKYNETLKDVBEPF.DLL
\?\GLOBALROOT\C:\WINDOWS\SYSTEM32\SKYNETLKDVBEPF.DLL

#10 rigel (FD-BC, Members, 12,944 posts, South Carolina - USA)

Posted 29 September 2009 - 08:51 PM

We will beat this.

Two more possibilities. These logs should be used in the HJT forum

Download and Run Scan with SREng2

Please download SREng2 from here and save it to your desktop.
  • Please Extract it to Desktop. To do this, right-click on the Sreng2.zip file and select Extract All.... Follow the prompts to extract it. (Click here for information on how to do this if not sure. Win 2000 users click here. )
  • Open the Sreng2 folder and then Double-click on SREngLdr.exe to run it. (If you are using Vista, please right-click and select run as administrator)
  • Select Smart Scan on the left side.
  • Make sure ALL the scan options there are checked and that Verify Digital Signatures of process modules is checked at the bottom as well.
  • Please close all open programs and applications except Sreng.
  • Now click on the Scan button.
  • Please be patient until the scan is complete. Once the scan is complete, please click on the Save Reports button.
  • Save the log file on your desktop and please post back with the contents of that log file in your next reply.

Part II

Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (e.g. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and re-enable all active protection when done.
-- If you encounter any problems, try running GMER in Safe Mode.



#11 Chrono.Naut (Topic Starter, Members, 35 posts)

Posted 29 September 2009 - 09:09 PM

rigel,
I attempted to download the SREng2 but it appears that the link you provided is dead. It would not open or link me to this download.

I went to the KZTechs website and it looks like they are showing the current version for this software is v2.71
Could it be that this v2.71 replaced an older version that this link was tied to?

#12 rigel (FD-BC, Members, 12,944 posts, South Carolina - USA)

Posted 29 September 2009 - 09:13 PM

My apologies. It looks like they have changed the location of the software. You can find SRE here: Link



#13 Chrono.Naut (Topic Starter, Members, 35 posts)

Posted 29 September 2009 - 09:50 PM

Okay....I was indeed able to get the SREng2 downloaded, extracted and opened as instructed. The scan even finished this time however I wasn't sure about how and where you wanted the log posted that it generated. I initially tried to post it here but the log was too long and generated an error message when I attempted to post it here.

Is there a way to post the log as an attachment here or am I supposed to post it in a new thread on the HJT forum?

#14 Chrono.Naut (Topic Starter, Members, 35 posts)

Posted 29 September 2009 - 09:54 PM

Also, should I proceed with step two (GMER) or wait until I can get this SREng2 log posted and evaluated? I don't want to create problems for you or anyone else here by getting too far ahead.

#15 rigel (FD-BC, Members, 12,944 posts, South Carolina - USA)

Posted 30 September 2009 - 05:27 PM

You can skip the GMER log. Post the SRENG2 log in the HJT forum as two posts - that should work fine.





