Windows Police Pro attack, no desktop


4 replies to this topic

#1 someguy1

someguy1

  • Members
  • 5 posts
  • OFFLINE
  • Local time:09:32 AM

Posted 10 October 2009 - 09:23 PM

I run a legit copy of XP Home. I wasn't actually dumb enough to download WPP, but I was stupid not to check that damned torrent. It was supposed to be a Skype plugin.

-I downloaded and ran the fake exe
-This strange thing called "Windows Police Pro" starts running.
-I am suspicious, so I open the task manager and kill the process.
-After doing this, the computer gives me one of those annoying messages, saying it will shut down in 60 seconds. (It all happened so fast, I did not write down any specific error messages)
-Not knowing what happened, I try to boot into safe mode with networking and get a blue screen. Now I am terrified. This computer has a few years of specific programs I do not know how to find again, and important documents from my office.

On a whim, I try to start Windows normally and find that it does in fact boot, but WPP is right there.
I have booted 2 or 3 times, but did not leave the system on for more than a minute each time. The last time, I could not even see my desktop.

Is there anything I can try short of the dreaded Windows reinstall?
Is it safe to access the hard drive and remove documents?
Is it safe to plug my flash drive in, or can this malware jump from system to system via USB stick?

I hope my description is clear. Any help would be very much appreciated!


#2 D_N_M

D_N_M

  • Members
  • 200 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:32 AM

Posted 10 October 2009 - 10:59 PM

Hello someguy1
Let's see what's going on with this program: http://www.malwarebytes.org/
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

* Make sure you are connected to the Internet.
* Double-click on mbam-setup.exe to install the application.
* When the installation begins, follow the prompts and do not make any changes to default settings.
* When installation has finished, make sure you leave both of these checked:
  o Update Malwarebytes' Anti-Malware
  o Launch Malwarebytes' Anti-Malware
* Then click Finish.

MBAM will automatically start and you will be asked to update the program before performing a scan.

* If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
* If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.

On the Scanner tab:

* Make sure the "Perform Quick Scan" option is selected.
* Then click on the Scan button.
* If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
* The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
* When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
* Click OK to close the message box and continue with the removal process.

Back at the main Scanner screen:

* Click on the Show Results button to see a list of any malware that was found.
* Make sure that everything is checked, and click Remove Selected.
* When removal is completed, a log report will open in Notepad.
* The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
* Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
* Exit MBAM when done.

Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

If you cannot use the Internet or download any required programs to the infected machine, you are going to need access to another computer (family member, friend, library, etc.) with an Internet connection. Save mbam-setup.exe to a flash (USB, pen, thumb, jump) drive or CD, transfer it to the infected machine, then install and run the program. If you cannot transfer to or install on the infected machine, try running the setup (installation) file directly from the flash drive or CD by double-clicking on mbam-setup.exe so it will install on the hard drive. If you cannot copy files to your USB drive, make sure it's not "Write Protected". Some flash drives have a switch on the side which could have accidentally been moved to write protect.

#3 someguy1

someguy1
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:09:32 AM

Posted 10 October 2009 - 11:22 PM

I cannot access my desktop, and I cannot launch Firefox.

One other point, which might not be relevant. I read a story from about 2 weeks ago, on whatthetech, where somebody named fredll tried using MBAM and could not even boot after the attempt.

-----

This is what happens when I "boot normally"

I see the desktop for a moment, then it is gone, replaced by a white screen. I cannot right-click on the white screen to bring up any options. Only the start menu and task bar remain. I have a quick launch icon for Firefox, but clicking the icon does not open a browser.

After a few seconds the WPP "Security Tool" pops up

Fake (I assume) warnings keep popping up in balloons by the system clock.
They start like this:

"Security Tool Warning"
"NAMEOFFILE.exe is infected with the worm Lsas.Blaster.Keyloger..."
where NAMEOFFILE keeps changing through files

EDIT: Is it safe to use my flash drive on the machine? I do not want to spread the infection.

Edited by someguy1, 10 October 2009 - 11:24 PM.


#4 D_N_M

D_N_M

  • Members
  • 200 posts
  • OFFLINE
  • Gender:Male
  • Local time:10:32 AM

Posted 10 October 2009 - 11:35 PM

Hello someguy1
Have you tried running safe mode?
If not, reboot your PC and keep tapping F8 (above the #8 key), then select safe mode.
Please run a scan with whatever antivirus you have and post a log for us to look at.

Regards

D_N_M

#5 someguy1

someguy1
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:09:32 AM

Posted 11 October 2009 - 03:07 AM

The computer will not boot in safe mode, with or without networking, only "normally."

And hey I'm sorry, I do not want to sound like a jackass when you are trying to help me, but I did say a lot of this in my original post.
