Fun times with Windows Police Pro.
Thread Solved
Hey. First of all, I guess I should apologise for making another thread on this nasty little piece of malware, given that there's a few already on here. But, none of the info in any of them could help me, and I was loath to hijack one of them with my own complaint, so here I am.
I'm running XP, SP2.
I'm writing from my laptop at the moment, as it's virtually shut down my tower PC.
I picked it up a few days ago, and after a good few hours of struggling with it, I've managed to get rid of the annoying popups, and the actual interface is gone too. However, the rootkit and the nasty little trojans that came with it are still on the PC. The task manager no longer shows any programs running that shouldn't be, initially there was "WindowsPolicePro.exe" and "svchast.exe". Having said that, there are two streams of random numbers in there, along the lines of "0.038538587632.exe". These can be closed down by ending the process tree, but doing that seems to have no effect on the computer. To begin with, these were listed as having been started by me, under my user name, but now they're listed as "SYSTEM". I don't know if that means anything or nothing, but it bothers me.
The computer itself has been slowed down by this to such a degree that it's essentially non-functional. It takes almost 10 minutes to boot up. More irritating, however, is that it's now completely unable to open any exe files, at all. Nothing works, Windows just states that I haven't got the permissions to open the file. This includes regedit and msconfig. I can get into My Documents, and My Computer, but I can't open or view any files. Nor can I open my AV, or any anti-spyware. Unfortunately, this also means that I can't provide any logs for HijackThis, or MalwareBytes, for which I apologise. I don't have a flash drive to get them onto the affected PC, either.
I also can't get the damn thing into Safe Mode. I don't know if that's down to the virus or not, but as soon as I get into the mode selection screen, my keyboard stops working, and I have to hit the reset button on the front of the tower.
I think that's all the information I can provide, I know it isn't what's mentioned in the sticky at the top of the forum, but I can't conform to that at the moment.
I have one more question: As mentioned above, I have no flash drive, but I do have a USB HD that I use to back stuff up from time to time. In the event that I can't fix this, and have to reformat, would it be possible to connect that up and transfer some files onto it before I restart the machine over? Or would the virus just infect the external HD too? I don't even know if it will let me do that in its current state, but it's worth a try, I guess.
Thank you for reading my long essay. Any help at all would be much, much appreciated. Thanks again!
#2 Oct 17th, 2009
Hello Asezat and welcome to the thrills and spills that are WPP, unfortunately I have been in this same position a couple weeks ago. I was able to get my system back to normal and I'm no computer specialist so don't panic.
The thing is though from the sound of things your system seems to be reacting differently after your malware removal attempts. You might have made things worse since it seems you have removed the annoying pop-ups but the system sounds like it's pretty much locked up.
In order for the people here to help you, you will need to explain every step you took to remove the processes so far. The first step is to post logs so we know what's going on but if you're unable to gain access to those we will need to know how to get you back to that state.
Best of luck, -R1p
#3 Oct 17th, 2009
> The computer itself has been slowed down by this to such a degree that it's essentially non-functional. It takes almost 10 minutes to boot up. More irritating, however, is that it's now completely unable to open any exe files, at all.. . . .

> I have no flash drive, but I do have a USB HD that I use to back stuff up from time to time. In the event that I can't fix this, and have to reformat, would it be possible to connect that up and transfer some files onto it before I restart the machine over? Or would the virus just infect the external HD too? I don't even know if it will let me do that in it's current state, but it's worth a try, I guess.

-- Are you able to burn tools onto a CD if I gave you a list of what we need?
-- Why not purchase a cheap flash drive?
-- If it came to it, we could back up your files to your external drive, but you do run the risk of infecting it.
Let me know where you stand.
If you are able to download to the ill machine, please download FindWPP.zip and RightClick on FindWPP.zip and Extract the FindWPP folder to your Desktop.
-- Inside the folder, you'll see RunThis.bat - DoubleClick it and let it run for as long as it takes.
A log should pop up - please post that for me.
-- I should note that, while we could probably make some progress with tools on a CD, a flash drive would allow us more flexibility. Yes, it runs the risk of getting infected, but we can run some tools from it.......
Cheers

PP
Last edited by PhilliePhan; Oct 17th, 2009 at 4:09 pm. Reason: The Usual. . . .
In some sort of crude sense, which no vulgarity, no humor, no overstatement can quite extinguish, the physicists have known sin; and this is a knowledge which they cannot lose.
~ J. Robert Oppenheimer
ASAP
#4 Oct 18th, 2009
> The thing is though from the sound of things your system seems to be reacting differently after your malware removal attempts. You might have made things worse since it seems you have removed the annoying pop-ups but the system sounds like it's pretty much locked up.

> Are you able to access the internet and download files with the ill computer? I know you can't run programs, but can you download them?
> There is a good chance that any re-writable media will get infected.
> -- Are you able to burn tools onto a CD if I gave you a list of what we need?
> -- Why not purchase a cheap flash drive?
> -- If it came to it, we could back up your files to your external drive, but you do run the risk of infecting it.
> Let me know where you stand.
> If you are able to download to the ill machine, please download FindWPP.zip and RightClick on FindWPP.zip and Extract the FindWPP folder to your Desktop.
> -- Inside the folder, you'll see RunThis.bat - DoubleClick it and let it run for as long as it takes.
> A log should pop up - please post that for me.
> -- I should note that, while we could probably make some progress with tools on a CD, a flash drive would allow us more flexibility. Yes, it runs the risk of getting infected, but we can run some tools from it.......
> Cheers
> PP

I can't get onto any of my browsers, so unfortunately downloading onto the infected PC directly is out of the question for now. What I can do, though, is burn files from here onto a CD and then try running them on the computer, though I don't know if it will let me. If you can give me a list of what to pick up, I'll get right on it.
I'm not sure how to actually get you logs from my main PC onto here, unless one of the tools is an AV, though.
Regarding a flash drive, I've never needed one until now. If you think it's important I'll get a cheap one on Monday (damn Sunday trading laws!), but I'm kind of loath to risk infecting it and possibly spreading the infection, if there's a good chance of that. The same goes for my external HD, really. Having said that, I'll do what has to be done.
Thank you both for your responses.
#5 Oct 18th, 2009
> Hey, I'm glad you managed to sort your comp out..... After I'd done that, I rebooted to try and get into safe mode, and that was when the real problems hit me. Prior to the reboot, although the system had immediately slowed right down, I hadn't suffered any exe lockout.

> What I can do, though, is burn files from here onto a CD and then try running them on the computer, though I don't know if it will let me. If you can give me a list of what to pick up, I'll get right on it.

> I'm not sure how to actually get you logs from my main PC onto here, unless one of the tools is an AV, though.

> Regarding a flash drive, I've never needed one until now. If you think it's important I'll get a cheap one on monday (damn sunday trading laws!), but I'm kind of loath to risk infecting it and possibly spreading the infection, if there's a good chance of that. The same goes for my external HD, really. Having said that, I'll do what has to be done.

You'll have to do a little "cost/benefit analysis."
Truth be told, I generally recommend a reformat in these cases. 'Course that depends upon a number of factors, the biggest usually being whether a user has their Windows OS Disk.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
OK - Here are the tools you'll need - I'm assuming you'll pick up a Flash Drive:
FIRST: Download and Install ImgBurn if you do not already have it on your machine.
THEN: Download the Avira Rescue System.ISO and use ImgBurn to burn the ISO onto a CD.
NEXT: Download Trinity Rescue Kit.ISO and use ImgBurn to burn the ISO to a second CD
FOR THE THIRD CD:
• http://ad13.geekstogo.com/Win32kDiag.exe
• http://swandog46.geekstogo.com/avenger.zip
• http://www.bleepingcomputer.com/comb...o-use-combofix
With combofix, what I want you to do, though, is this:
When you download it and it asks you to "Save File As," rename combofix to Combo-Fix and then download it to working compy and put it on the CD.
• FindWPP.zip
• DDS by sUBs and save it to your Desktop
• http://download.sysinternals.com/Files/Junction.zip
• http://www.raktor.net/exeHelper/exeHelper.com
• http://download.bleepingcomputer.com...es/Inherit.exe
• SysProt Anti-Rootkit
I know it seems like a lot, but I like to cover all bases.....

NEXT: Repeat the step for the third CD and put all those programs on your Flash Drive
Post back when you are all set (or if you have any questions).
I am usually around in the evenings (EST) working on other things but will keep an eye on this thread.
Cheers

PP
#6 Oct 18th, 2009
In re-acquainting myself with TRK, I realize that I should've added that ideally this should be on a Re-Writable CD, if possible.
PP
#7 Oct 19th, 2009
Ok, well, everything is downloaded, burnt, and I'm ready to go. I believe Trinity is on a re-writable CD/DVD, too.
I do have one slight possible problem, though. I note that both Avira and Trinity say that I might have to go into the BIOS and change the boot order to allow me to boot from the CD. Two and a half to three years back, I had an issue with the PC refusing to start, and a friend advised me to pop the little battery out of the motherboard and then put it back in, which I duly did. It fixed that particular problem, but when I started the PC up again, the start-up sequence had totally changed. It now informs me each time that "BIOS is not installed". It's never been a problem, until now, Windows starts fine, etc, but I'm a little concerned. Will that be an issue?
Thanks!
Last edited by Asezat; Oct 19th, 2009 at 2:37 am. Reason: Added the bit about the re-writable.
#8 Oct 19th, 2009
> Ok, well, everything is downloaded, burnt, and I'm ready to go. I believe Trinity is on a re-writable CD/DVD, too.

(I wish they would add an option for MBAM or combofix to be downloaded and run...)

> I do have one slight possible problem, though. I note that both Avira and Trinity say that I might have to go into the BIOS and change the boot order to allow me to boot from the CD. .....Will that be an issue?

-- With any luck your compy will detect the CD on startup and offer the option to boot from it. We'll cross that bridge when we come to it.
Those CDs are strictly a last option in the event that nothing else works - Hopefully we'll not have to use them. (they are good to have around, though - hold onto them)
Let's start with the CD with all the tools on it.
-- See if you are able to transfer FindWPP to the ill computer.
RightClick on FindWPP.zip and Extract the FindWPP folder to your Desktop. Hopefully you won't be blocked from doing that.
-- Inside the folder, you'll see RunThis.bat - DoubleClick it and let it run for as long as it takes.
If the log pops up, save it to the Desktop and then copy it to Flash Drive and post it for me.
Even if that step does not work, go ahead and try this as well:
Move Win32kDiag.exe from the CD to the Desktop.
-- DoubleClick on Win32kDiag.exe to run it. Let it run for as long as it needs to.
-- When it says Finished – Press any key to exit, do that to exit the program.
-- You should now have a Win32kDiag.txt on your Desktop. Please copy to flash drive and post the entire log for me and we’ll go from there.
Be sure to let it run until it says "Finished" before posting the log!
-- Are you able to get a command prompt on ill computer?
Either START > Run >type cmd > OK
or
START > Run >type command.com > OK
-- I suspect we are in very different timezones which may slow us a bit. I am on Eastern Standard Time (GMT-4) and generally around in the evenings.
Anyhoo, let me know if those tools could be run and about command prompt.
Best Luck

PP
Last edited by PhilliePhan; Oct 19th, 2009 at 3:46 pm. Reason: The Usual . . . .
#9 Oct 20th, 2009
Ok, well, I stuck the third CD into the drive and fired it up, and it let me read the CD. Having said that, before I could start actually extracting and running the programs, it froze up, and I had to restart the computer. When I went to try again, to my surprise, the CD was empty. Apparently I used a re-writable CD, and whatever it is that's on the computer is either deleting whatever's on it, or making it appear as though it has. I haven't tried running them from the flash drive because I'm still worried about infecting my laptop, too.
I had no joy with "cmd", but "command.com" does bring up the DOS prompt, which is encouraging.
Regarding timezones, I'm in the UK so I'm on GMT, and your afternoon is my evening. I would normally be around then, but due to work issues I haven't been recently, unfortunately. I should be tonight, though.
Thanks!
#10 Oct 20th, 2009
> I had no joy with "cmd", but "command.com" does bring up the DOS prompt, which is encouraging.

-- Do this: Open a command prompt and type exactly as I have here in red:
dir /s %windir%\eventlog.dll > "%userprofile%\desktop\logit.txt"
and hit ENTER
Logit.txt will be on the desktop - I need to see that, however possible.
I just need the various paths to eventlog.dll and the exact size in bytes for each. You'll not need to copy everything.
-- One of the options I was keeping in reserve in the event that nothing else works (nothing could be transferred to the Desktop of ill compy and then run) is to run Combofix directly from the flash drive.
Perhaps we should go ahead and try that? What do you think?
You won't be able to update it, but it should run and make some progress. Let me know if you want to jump ahead and try that.
But before that, give me the eventlog.dll info.
PP
Last edited by PhilliePhan; Oct 20th, 2009 at 4:37 pm.
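
An added illustration, not part of the thread or of any poster's tooling: a short Python script that reduces the logit.txt written by the dir /s command in post #10 to what was asked for, the path and exact size in bytes of each eventlog.dll copy. The sample listing is constructed (its paths, dates and sizes are placeholders), and grouping the copies by size is this example's own choice of presentation.

```python
import re

# Constructed sample of `dir /s %windir%\eventlog.dll` output; the paths,
# dates and sizes are placeholders, not values from the thread.
SAMPLE_LOGIT = r"""
 Directory of C:\WINDOWS\system32

14/04/2008  05:41            56,320 eventlog.dll
               1 File(s)         56,320 bytes

 Directory of C:\WINDOWS\system32\dllcache

14/04/2008  05:41            56,320 eventlog.dll
               1 File(s)         56,320 bytes

 Directory of C:\WINDOWS\ServicePackFiles\i386

04/08/2004  08:56            55,808 eventlog.dll
               1 File(s)         55,808 bytes

     Total Files Listed:
               3 File(s)        168,448 bytes
               0 Dir(s)  10,000,000,000 bytes free
"""

DIR_HEADER = re.compile(r"^\s*Directory of (?P<dir>.+?)\s*$")
# A file row starts in column 0: date, time (optional AM/PM), size, name.
# Summary rows ("1 File(s) ...") are indented, so they never match.
FILE_ROW = re.compile(
    r"^\S+\s+\d{1,2}:\d{2}(?:\s*[AP]M)?\s+(?P<size>[\d,.]+)\s+(?P<name>.+?)\s*$",
    re.IGNORECASE,
)


def parse_dir_listing(text, wanted="eventlog.dll"):
    """Return [(full_path, size_in_bytes), ...] for every copy of `wanted`."""
    found, current_dir = [], None
    for line in text.splitlines():
        header = DIR_HEADER.match(line)
        if header:
            current_dir = header.group("dir")
            continue
        row = FILE_ROW.match(line)
        if row and current_dir and row.group("name").lower() == wanted:
            # Strip thousands separators to get the exact byte count.
            size = int(re.sub(r"[^\d]", "", row.group("size")))
            path = current_dir.rstrip("\\") + "\\" + row.group("name")
            found.append((path, size))
    return found


def group_by_size(entries):
    """Map each distinct byte size to the list of paths that have it."""
    groups = {}
    for path, size in entries:
        groups.setdefault(size, []).append(path)
    return groups


if __name__ == "__main__":
    for path, size in parse_dir_listing(SAMPLE_LOGIT):
        print(f"{size:>10}  {path}")
```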