Windows Police Pro. Possibly others


9 replies to this topic

#1 clifford.r.f


Posted 12 October 2009 - 05:06 PM

Hello Anyone who can help,

I'm trying to fix a laptop with the Windows Police Pro faux-security program on it. Possibly other malicious programs. A friend gave me the laptop in hopes I could fix it. I had a similar problem on my home computer that was fixed with Malwarebyte's Anti-Malware. When I first got the laptop the network driver was not installed so I found it and placed it on a thumb drive and loaded it back to the laptop. I have tried MBAM and many others. All with the same result. IF they install, then IF they start they are always closed and the program is deleted or not allowed to open until reinstalled. Doesn't matter what Mode I start the computer in. Internet Explorer was deleted when I tried the online version of WinDefender. I've been trying the different programs using a thumb drive. I haven't reinstalled IE yet.

I've tried getting the DDS and RootRepeal logs and failed. The DDS program opens then when the message at the end appears the other windows never open for me to save the logs. The RootRepeal program first opened to the prompt "Could not read boot sector. Try adjusting the Disk Access level in the Options dialog." I had to click the OK button 3 times before the program finally opened up. I started the scan on the Report page. During the scan the program closed and would not open again.

Any help would be GREATLY appreciated. I've looked through a lot of the other posts but none seem to fit my case and I'm not sure what logs would help. Or even work.

Cliff

Edited by The weatherman, 12 October 2009 - 05:09 PM.
Moved from HJT to a more appropriate forum. Tw




#2 boopme


Posted 12 October 2009 - 09:37 PM

Hello I think you should start by running The VIPRE Rescue Program.

Next: Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates, when done
click Scanner tab, select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 clifford.r.f

clifford.r.f
  • Topic Starter

  • Members
  • 68 posts
  • OFFLINE
  •  
  • Local time:09:00 PM

Posted 15 October 2009 - 01:27 PM

Thanks boopme. The VIPRE Rescue Program was able to run and hopefully did its job. When I try to update MBAM it gives me an Error Code: 732 (0, 0). Then when I try a quick scan it starts but only runs for about 2 secs before closing. Then I can't open it again, I have to reinstall it. Any more ideas?

This is what is displayed after the VIPRE scan runs:

Scan completed.
Scan time: 01:43:23
Rootkits: 4847 scanned, 97 found
Processes: 43 scanned, 4 found
Modules: 2237 scanned, 19 found
Folders: 3877 scanned, 4 found
Files: 43884 scanned, 90 found
Registry: 19436 scanned, 22 found
Total: 74324 scanned, 236 found
236 threat traces were detected.
Starting clean.
Quarantine {D11003CC-47F3-4D08-B6C4-11FAFCC1F481} completed.

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,573 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:00 PM

Posted 15 October 2009 - 01:37 PM

Good.. Let's see if we can go on.

MBAM 732 error
1. Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.
2. Restart your computer (very important).
3. Download and run this utility. Mbam clean
4. It will ask to restart your computer (please allow it to).
5. After the computer restarts, install the latest version from here. http://www.malwarebytes.org/mbam-download.php
Note: You will need to reactivate the program using the license you were sent.
Note: If using Free version, ignore the part about putting in your license key and activating.
Launch the program and set the Protection and Registration.
Then go to the UPDATE tab if not done during installation and check for updates.
Restart the computer again and verify that MBAM is in the task tray and run a Quick Scan and post that log.

If that works or not try these also.

Next run ATF and SAS:
Note.. SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions, post 2 logs and let us know how the PC is running now.

#5 clifford.r.f

clifford.r.f
  • Topic Starter

  • Members
  • 68 posts
  • OFFLINE
  •  
  • Local time:09:00 PM

Posted 15 October 2009 - 03:11 PM

I'm still having to use a thumb drive to get all these programs to the laptop. IE won't install and I haven't tried others.

I was able to remove MBAM then clean it. I reinstalled MBAM and was able to update it. I restarted the computer. I tried running a quick scan but it behaved just as it did before, closing after a second.

I downloaded both ATF and SAS. I couldn't get SAS to open while in Normal mode. I tried in Safe Mode with Networking. It still wouldn't open. I was able to open ATF. I ran it and emptied all selected. It said it deleted about 700 Mb of data.

Since I was unable to run both MBAM and SAS I don't have any logs, sorry.

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,573 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:00 PM

Posted 15 October 2009 - 03:28 PM

Rats .. Let's try this one
Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report)

#7 clifford.r.f

clifford.r.f
  • Topic Starter

  • Members
  • 68 posts
  • OFFLINE
  •  
  • Local time:09:00 PM

Posted 15 October 2009 - 03:42 PM

I downloaded Dr. Web CureIt to my thumb drive then moved it to the laptop. I clicked on the program, before it opened it brought up "IO error on "AutoRun.bmp". I clicked OK but it wouldn't run.

#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,573 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:00 PM

Posted 15 October 2009 - 03:45 PM

It looks like there is a rootkit variant in here. The rootkit itself is a protection module used to terminate a variety of security tools by changing the permissions on targeted programs so that they cannot run or complete scans. There are some new variants of rootkits in the wild right now that will require custom scripts to remove the infection, the process must be completed by HJT team members or above.

Failure to follow the proper removal process can and will cause serious damage to a machine. Recovery of the machine may be difficult, if not impossible.


Download this Utility and save it to your Desktop.
Double-click the Utility to run it and let it finish.
When it states Finished! Press any key to exit, press any key to close the program.
It will save a .txt file to your desktop automatically. Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as part of the reply in the topic you will create below.

Next please go here HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant Title and post the above Win32kDiag.exe log.

Let me know how that went.
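The protection module described in the post above works by changing permissions on the security tools it targets so they cannot start or finish a scan. Here is an added example, not from this thread or from any of the tools mentioned in it, of how a helper could audit the affected locations for explicit Deny entries before escalating; the install and download paths are assumptions, and PowerShell is assumed to be available on the machine being examined.

```powershell
# Added example (not part of the thread): report explicit Deny ACEs on the
# folders and executables of the security tools mentioned in this topic.
# The paths below are assumptions; adjust them for the machine being checked.
$candidates = @(
    'C:\Program Files\Malwarebytes'' Anti-Malware',   # MBAM (assumed default path)
    'C:\Program Files\SUPERAntiSpyware',               # SAS (assumed default path)
    "$env:USERPROFILE\Desktop"                        # where CureIt / DDS / RootRepeal were saved
)

function Get-DenyAces {
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        # Check the folder itself plus every .exe underneath it.
        $items = @(Get-Item -LiteralPath $root) +
                 @(Get-ChildItem -LiteralPath $root -Recurse -Filter *.exe -ErrorAction SilentlyContinue)
        foreach ($item in $items) {
            $acl = Get-Acl -LiteralPath $item.FullName
            foreach ($ace in $acl.Access) {
                # A Deny entry on a scanner's .exe or its folder is what stops it from launching.
                if ($ace.AccessControlType -eq 'Deny') {
                    New-Object PSObject -Property @{
                        Path      = $item.FullName
                        Identity  = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights
                        Inherited = $ace.IsInherited
                    }
                }
            }
        }
    }
}

$findings = Get-DenyAces -Roots $candidates
if ($findings) {
    $findings | Format-Table Path, Identity, Rights, Inherited -AutoSize
} else {
    'No explicit Deny entries found on the checked paths.'
}
```

The script only reports; as the post says, undoing this kind of tampering belongs with the removal team working from the Win32kDiag log, since a partial fix can leave the machine in a worse state.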

#9 clifford.r.f

clifford.r.f
  • Topic Starter

  • Members
  • 68 posts
  • OFFLINE
  •  
  • Local time:09:00 PM

Posted 15 October 2009 - 03:50 PM

I'm still in Safe Mode. Does it matter?

#10 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,573 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:10:00 PM

Posted 15 October 2009 - 04:09 PM

It is better from Normal, but if that's how you have to do it then do so. Mention it was a safe mode log when you post it. They will handle it from there.