Windows Police Pro


  • This topic is locked
40 replies to this topic

#1 tolson09
  • Members
  • 25 posts

Posted 21 October 2009 - 12:36 AM

I am stuck. I cannot access the Task Manager to help get rid of this Windows Police Pro. Someone help, please. It tells me the Task Manager is blocked by my administrator; same goes for the registry.

Edited by tolson09, 21 October 2009 - 12:39 AM.
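An added example, not part of the thread. The two messages tolson09 quotes are the ones Windows displays when the DisableTaskMgr and DisableRegistryTools policy values are set under the Policies\System key for the current user or the machine. The PowerShell below lists those values, removes any that are set, and re-checks a few seconds later. It assumes you can get a command shell at all (Safe Mode with Command Prompt, for instance); the HKLM branch needs an administrator; and it does not remove whatever set the values in the first place.

```powershell
# Added example, not from the thread. Lists the policy values behind the
# "Task Manager has been disabled by your administrator" and "Registry editing
# has been disabled by your administrator" messages, removes any that are set,
# and re-checks shortly afterwards. Assumption: you have a shell at all
# (Safe Mode with Command Prompt, for example); the HKLM key needs an
# administrator. Nothing here removes the malware that set the values.
$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
$lockoutValues = 'DisableTaskMgr', 'DisableRegistryTools'

function Get-LockoutPolicy {
    # Returns one object per lock-out value that exists, with its data.
    foreach ($key in $policyKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $lockoutValues) {
            if ($null -ne $props.$name) {
                New-Object PSObject -Property @{ Key = $key; Name = $name; Data = [int]$props.$name }
            }
        }
    }
}

$set = @(Get-LockoutPolicy | Where-Object { $_.Data -ne 0 })
if ($set.Count -eq 0) { 'Neither DisableTaskMgr nor DisableRegistryTools is set.'; return }

$set | Format-Table Key, Name, Data -AutoSize
foreach ($v in $set) {
    Remove-ItemProperty -Path $v.Key -Name $v.Name
    "Removed $($v.Name) from $($v.Key)"
}

# If the values come back almost immediately, something still running is
# re-applying them (or real Group Policy is); clearing them again is pointless
# until that is dealt with.
Start-Sleep -Seconds 10
$again = @(Get-LockoutPolicy | Where-Object { $_.Data -ne 0 })
if ($again.Count -gt 0) { Write-Warning 'Lock-out values were re-applied within 10 seconds.' }
else { 'Values stayed cleared; try taskmgr.exe and regedit.exe now.' }
```

On a Windows XP machine without PowerShell the same check is `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr` and the fix is `reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /f` (likewise for DisableRegistryTools and the HKLM key). If cmd.exe itself is blocked by the rogue, boot to Safe Mode with Command Prompt before running either.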


#2 Buckeye_Sam
    Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 21 October 2009 - 07:21 PM

Hello! :(
My name is Sam and I will be helping you.

In order to see what's going on with your computer I will ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.


We need to create an OTL Report
  • Please download OTL from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in

    netsvcs
    %systemdrive%\*.exe
    %systemroot%\system32\drivers\*.sys


  • Click the "Quick Scan" button.
  • The scan should take just a few minutes.
  • Please copy and paste both logs back here in your next reply.


=============


The next log will show us any hidden files that are present.
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (if you did not use the "Direct Download" mirror).
  • Open RootRepeal.exe on your desktop.
  • Click the Report tab.
  • Click the Scan button.
  • Check all seven boxes: Drivers, Files, Processes, SSDT, Stealth Objects, Hidden Services, Shadow SSDT.
  • Push Ok.
  • Check the box for your main system drive (usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Save Report button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 tolson09
  • Topic Starter
  • Members
  • 25 posts

Posted 22 October 2009 - 10:34 AM

Sorry it took so long to get back to this. I have been really frustrated with this virus and have looked at other blogs and can't get anything to work. I am away from my home computer now but will be back later, around lunchtime. I am able to download everything and extract files, except when I try to install, Windows Police Pro pops up. Also, any time I try to open any program it pops up. The only thing I can access is IE, and I just have to keep clicking off the pop-ups. The last time I was on it a blue screen came up telling me they had to shut down the computer before any more damage was done. I am bringing a laptop home so I will be able to reply to posts etc. Thanks for your help.

#4 tolson09
  • Topic Starter
  • Members
  • 25 posts

Posted 22 October 2009 - 11:12 AM

Also, if I backed up some files onto a flash drive and then put them on another computer, is there a chance that I could infect the other computer?

#5 tolson09
  • Topic Starter
  • Members
  • 25 posts

Posted 22 October 2009 - 02:26 PM

I have downloaded the OTL link but when I double click it, it doesn't open. A pop-up comes up that says Security Tool Warning, wscvc32.exe is infected with worm Lsas.Blaster.Keyloger. This worm is trying to send your credit card details using wscsvc32.exe to connect to remote host. I know this is just trying to get me to sign up for this Police Pro but just telling you what it says. Thanks

Edited by tolson09, 22 October 2009 - 02:28 PM.


#6 Buckeye_Sam
    Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 22 October 2009 - 06:42 PM

> Also, if I backed up some files onto a flash drive and then put them on another computer, is there a chance that I could infect the other computer?

Without having seen any logs I can't tell what type of infection you may have so I can't answer that question.

Skipping past OTL then, try to run Rootrepeal and post that log for me.


Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3


Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt so we can continue cleaning the system.


#7 tolson09
  • Topic Starter
  • Members
  • 25 posts

Posted 22 October 2009 - 06:55 PM

I cannot open the ComboFix and can't open anything besides IE. I renamed it comhelp. Sorry, I am not sure what to do. This Security Tool Warning pops up in the bottom right.

#8 Buckeye_Sam
    Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 22 October 2009 - 07:02 PM

Please download and run Win32kDiag:

#9 tolson09
  • Topic Starter
  • Members
  • 25 posts

Posted 22 October 2009 - 10:29 PM

I downloaded the win32diag and when I double click it a black screen appears for a second and disappears. After clicking numerous times and writing it down this is what it said:

running from: C:\documents and settings\travis olson\win32diag.txt
Log file C:\documents and settings\travis olson\win32diag.txt
Warning could not get backup privileges
Searching C:\Windows . . . .

I even downloaded the other 2 links and renamed them. Thanks, sorry I'm so sporadic getting back to your posts; we are in different time zones and I couldn't get away from work.

#10 Buckeye_Sam
    Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 23 October 2009 - 07:37 AM

Download and run a batch file (peek.bat):
  • Download peek.bat from the download link below and save it to your Desktop.
  • Double-click peek.bat to run it. A black Command Prompt window will appear shortly: the program is running.
  • Once it is finished, copy and paste the entire contents of the Log.txt file it creates as a reply to this post.
==========

#11 tolson09
  • Topic Starter
  • Members
  • 25 posts

Posted 23 October 2009 - 08:59 AM

The Log.txt file opens momentarily and then closes. It says:

Volume in drive C has no label
Volume serial number is 600F-D56C

#12 Buckeye_Sam
    Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 24 October 2009 - 09:43 AM

Typically the main hard drive is named a C: drive. What letter drive is your Windows installation?
Are you saving these files directly to your desktop to run them?

#13 Buckeye_Sam
    Malware Expert
  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 24 October 2009 - 09:47 AM

Do a search on your computer for this file.

eventlog.dll

Let me know all locations it is found and the file size of each.

#14 tolson09
  • Topic Starter
  • Members
  • 25 posts

Posted 26 October 2009 - 12:10 AM

I am saving directly to the desktop and trying to run them from there. My hard drive is C:. Here is what I found with the eventlog.dll:

C:\I386, size 55kb
C:\Windows\System32
C:\Windows\ServicePackFiles\i386

Thanks

#15 tolson09
  • Topic Starter
  • Members
  • 25 posts

Posted 26 October 2009 - 12:11 AM

Sorry, sizes for the other 2 files:

C:\Windows\System32, 55kb
C:\Windows\ServicePackFiles\i386, 55kb
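An added example, not from the thread, of the check behind posts #13 to #15. On Windows XP, C:\I386 holds the installer's copy of a system DLL and C:\Windows\ServicePackFiles\i386 the service pack's copy, so the live C:\Windows\System32 copy can be compared against them. Matching sizes, as reported above, do not show the files are identical, so the script below also compares SHA-256 hashes and file versions. It assumes the three folders from post #14 plus System32\dllcache as a fourth baseline, and hashes through .NET directly so it also runs on PowerShell 2.0, which has no Get-FileHash. A hash mismatch is a lead, not proof: a hotfix can legitimately replace the System32 copy, in which case its version number is higher than the cached ones, whereas a file that has been patched in place typically keeps its version and only its hash changes.

```powershell
# Added example, not from the thread. Compares every copy of a system DLL
# (default eventlog.dll) found in the listed folders by size, SHA-256 and
# file version. Assumptions: the roots are the three from post #14 plus
# System32\dllcache; hashing uses .NET directly so it works on PowerShell 2.0.
# For a disk mounted offline, pass -Roots with the mounted drive's paths.
param(
    [string]   $Name  = 'eventlog.dll',
    [string[]] $Roots = @("$env:SystemDrive\I386",
                          "$env:SystemRoot\System32",
                          "$env:SystemRoot\ServicePackFiles\i386",
                          "$env:SystemRoot\System32\dllcache")
)

function Get-Sha256Hex([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try { $bytes = $sha.ComputeHash($fs) } finally { $fs.Close() }
    return (($bytes | ForEach-Object { $_.ToString('x2') }) -join '')
}

# One record per copy that actually exists.
$copies = foreach ($r in $Roots) {
    $p = Join-Path $r $Name
    if (Test-Path $p) {
        $f = Get-Item $p
        New-Object PSObject -Property @{
            Path    = $f.FullName
            Bytes   = $f.Length
            Sha256  = Get-Sha256Hex $f.FullName
            Version = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($f.FullName).FileVersion
        }
    }
}
$copies | Format-Table Path, Bytes, Version, Sha256 -AutoSize

# The live copy is the one directly in System32; every other copy is a cached baseline.
$live   = $copies | Where-Object { (Split-Path $_.Path -Parent) -match '\\System32$' }
$cached = $copies | Where-Object { $_.Path -ne $live.Path }

if ($live -and $cached) {
    $match = $cached | Where-Object { $_.Sha256 -eq $live.Sha256 }
    if ($match) {
        "System32 copy is byte-identical to: $($match.Path -join ', ')"
    } else {
        Write-Warning "$($live.Path) matches none of the cached copies."
        $cachedVersions = ($cached | ForEach-Object { $_.Version }) -join ', '
        Write-Warning "Live version $($live.Version) vs cached $cachedVersions; same version but different hash is the suspicious case."
    }
}
```

Run it from a shell the rogue is not blocking (Safe Mode with Command Prompt, or with the disk attached to a clean machine and explicit -Roots). If the live copy differs from every cached copy and carries the same version number, treat it as replaced or patched and hand the hash to the helper rather than deleting it yourself.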
