I am having the same problem and can't run anything.


Image Name PID Session Name Session# Mem Usage
========================= ====== ================ ======== ============
System Idle Process 0 Console 0 28 K
System 4 Console 0 244 K
smss.exe 532 Console 0 420 K
csrss.exe 604 Console 0 4,564 K
winlogon.exe 632 Console 0 6,284 K
services.exe 676 Console 0 6,516 K
lsass.exe 688 Console 0 1,572 K
ati2evxx.exe 848 Console 0 2,256 K
svchost.exe 864 Console 0 5,528 K
svchost.exe 940 Console 0 4,932 K
svchost.exe 1008 Console 0 28,528 K
svchost.exe 1096 Console 0 6,244 K
svchost.exe 1152 Console 0 3,196 K
spoolsv.exe 1316 Console 0 7,488 K
ati2evxx.exe 1512 Console 0 2,920 K
explorer.exe 1656 Console 0 64,748 K
svchost.exe 396 Console 0 3,852 K
AppleMobileDeviceService. 464 Console 0 2,216 K
arservice.exe 476 Console 0 2,428 K
ehrecvr.exe 164 Console 0 4,620 K
ehSched.exe 576 Console 0 2,588 K
IntuitUpdateService.exe 924 Console 0 1,120 K
LSSrvc.exe 1112 Console 0 2,572 K
mcmscsvc.exe 1168 Console 0 3,084 K
McNASvc.exe 1428 Console 0 7,744 K
McProxy.exe 1744 Console 0 1,992 K
Mcshield.exe 1792 Console 0 77,140 K
MDM.EXE 288 Console 0 2,948 K
MpfSrv.exe 188 Console 0 5,120 K
HPZipm12.exe 1844 Console 0 1,768 K
svchost.exe 1064 Console 0 3,928 K
svchost.exe 2104 Console 0 4,748 K
mcrdsvc.exe 2212 Console 0 3,068 K
mcagent.exe 2940 Console 0 2,128 K
dllhost.exe 3208 Console 0 6,332 K
alg.exe 3508 Console 0 3,620 K
mcsysmon.exe 3128 Console 0 3,704 K
iexplore.exe 216 Console 0 5,500 K
iexplore.exe 3540 Console 0 72,448 K
infocard.exe 3372 Console 0 13,052 K
ntvdm.exe 3368 Console 0 2,516 K
cmd.exe 3448 Console 0 2,636 K
tasklist.exe 2236 Console 0 4,296 K
wmiprvse.exe 3656 Console 0 5,860 K

First off, new face here, but my gf just got her computer infected with this. What I did was ended the svchasts.exe and the police pro services as soon as I could, which allowed me enough down time of it restarting itself to install file assassin. (if you're not familiar with file assassin, it deletes the files that viruses and malware "lock"). I got it installed and deleted all of the files in the windows police pro program folder. I then rebooted the computer, fully knowing the registry keys were still there, especially when it popped up all the dialogue boxes saying "Error: and then listed the file path of all of the executable files that try to run on start up" (in their own windows of course) basically acknowledging the fact that the computer wanted to run them, but it was blocking them. After that, I got MBAM installed and I am currently running a full system scan to try and get rid of the rest of the reg key traces and such that are still sitting around on the computer. Big thanks to everyone here!

My parents' PC got this today and I'm trying to get rid of it for them. I've booted up into SafeMode and deleted Windows Police Pro and the folder from Program Files. I then deleted the processes but still can't run MBA-M. Now what do I do??? I booted back to normal mode and can see my TaskManager however I can't run any programs. It says program too big to load into memory......

First of all, welcome to DaniWeb to you both;

twolfcorner2009, you need to create your own thread. This one is rusluckplay64's thread and though you may have the same problem you do not have the same computer. It is impossible to work with two different posters and computers within the same thread.
You need to make your own and post your logs there and somebody will help you. Please give your thread a distinctive title so that people will know what you are dealing with ok? Somebody will be most happy to work with you to be sure this infection is cleaned.

Now to rusluckplay64, we really need a bit more information from you. Exactly what symptoms are you showing? Just saying "same problem" doesn't tell us much. We don't know your operating system, I do see you are running McAfee but really other than that I don't know anything. Can you give us some more to go on...what are the symptoms, what have you tried...programs I mean. Can you get to safe mode with networking? Are you posting from the infected computer?

Yeah, that's my fault. I hit reply on the old thread; apparently while I was typing my post, it was labeled as solved and locked, so it by default got posted here. I did not mean to post that into this thread, it was meant to be posted into the original 6 page thread stating what I did to correct my problem in hopes it might help someone else. Once again my apologies to both of you, didn't mean for it to be here!

They are running XP SP 3 Media Center Edition.

Every time I try to double click an application it won't run and I get some dialog box saying to purchase Windows Police Pro. My parents use McAfee for virus protection, but somehow managed to get this on their machine. I posted last night from their infected machine via normal mode. I can get into the machine via Safe Mode with Networking and deleted Windows Pro from Add/Remove software and deleted the file folder in Program Files. I did the DOS (Command.com) steps from the other thread and was able to install MBA-M and HijackThis via DOS. I ran MBA-M and it found several issues but was still running when I left. I will be heading over there after work to finish getting rid of this bug

Post the MBA-M log when you get there.

Malwarebytes' Anti-Malware 1.40
Database version: 2720
Windows 5.1.2600 Service Pack 3

8/31/2009 5:42:00 PM
mbam-log-2009-08-31 (17-42-00).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 245990
Time elapsed: 1 hour(s), 8 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 6
Registry Data Items Infected: 4
Folders Infected: 1
Files Infected: 12

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{76dc0b63-1533-4ba9-8be8-d59eb676fa02} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{76dc0b63-1533-4ba9-8be8-d59eb676fa02} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{76dc0b63-1533-4ba9-8be8-d59eb676fa02} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AntipPro2009_100 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_ANTIPPRO2009_100 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{02ffac45-0b10-5633-4296-1801f1a36678} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{f710fa10-2031-3106-8872-93a2b5c5c620} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{02ffac45-0b10-5633-4296-1801f1a36678} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{f710fa10-2031-3106-8872-93a2b5c5c620} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Userinit (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\exefile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (C:\WINDOWS\system32\desote.exe "%1" %*) Good: ("%1" %*) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe rundll32.exe tapi.nfo beforeglav) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\WINDOWS\system32\wsnpoem (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP712\A0051498.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP712\A0051506.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP712\A0051513.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wsnpoem\audio.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wsnpoem\video.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wsnpoem\video.dll.cla (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bennuar.old (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sonhelp.htm (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sysnet.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tapi.nfo (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\ppp3.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\ppp4.dat (Malware.Trace) -> Quarantined and deleted successfully.
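The "Registry Data Items Infected" section of that log explains the symptom both posters describe (no program will launch): the default value of HKEY_CLASSES_ROOT\exefile\shell\open\command is the command the shell runs for every .exe, and the rogue had pointed it at C:\WINDOWS\system32\desote.exe, so deleting the program folder by hand without restoring that value leaves every .exe launch broken. The PowerShell script below is an added example, not code from this thread or from Malwarebytes; it re-reads the four hijacked values the log lists and reports whether each now matches the "Good" value the log gives. The key paths and expected values are taken from the log; the function and variable names are my own.

```powershell
# Added example (not from the thread): read-only audit of the registry values the
# MBA-M log above reports as hijacked. Run from an elevated PowerShell prompt.
# Key paths and "Good" values come from the log; names here are assumptions.

$checks = @(
    [pscustomobject]@{
        Path = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'
        Name = '(default)'
        Good = '"%1" %*'
        Note = 'command the shell runs for every .exe; the rogue routed it through desote.exe'
    }
    [pscustomobject]@{
        Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
        Name = 'Shell'
        Good = 'Explorer.exe'
        Note = 'program started at logon; the rogue appended rundll32.exe tapi.nfo beforeglav'
    }
    [pscustomobject]@{
        Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'
        Name = 'AntiVirusDisableNotify'
        Good = 0
        Note = 'a value of 1 silences the Security Center "no antivirus" warning'
    }
    [pscustomobject]@{
        Path = 'HKLM:\SOFTWARE\Microsoft\Security Center'
        Name = 'FirewallDisableNotify'
        Good = 0
        Note = 'a value of 1 silences the Security Center "firewall off" warning'
    }
)

function Test-LaunchPathHijack {
    param([object[]]$Checks)
    foreach ($c in $Checks) {
        # Get-ItemProperty returns $null (no exception) when the key does not exist,
        # which happens for the Security Center values on newer Windows versions.
        $props   = Get-ItemProperty -Path $c.Path -ErrorAction SilentlyContinue
        $current = if ($null -ne $props) { $props.($c.Name) } else { $null }
        $status  = if ($null -eq $current)               { 'MISSING' }
                   elseif ("$current" -eq "$($c.Good)")  { 'OK' }
                   else                                   { 'HIJACKED' }
        [pscustomobject]@{
            Status  = $status
            Key     = "$($c.Path)\$($c.Name)"
            Current = $current
            Good    = $c.Good
            Note    = $c.Note
        }
    }
}

# Only reports; it changes nothing. Fix HIJACKED entries with your scanner or by
# restoring the Good value, then re-run to confirm.
Test-LaunchPathHijack -Checks $checks | Format-Table -AutoSize -Wrap
```

The comparison is done on the string form of each value, so the DWORD 0/1 Security Center entries and the string launch commands go through the same path. A MISSING result for the Security Center values is normal on systems newer than XP, where that key is not used the same way; a MISSING result for the exefile command or the Winlogon Shell value is itself a problem and should be investigated.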

Now post a HiJackThis Full System Scan log.

Here is the list of the processes after I rebooted after using MBA-M. Everything seems to be working ok now, but how do I make sure I get everything out of the Registry? I ran HijackThis and nothing wrong came back!


Image Name PID Session Name Session# Mem Usage
========================= ====== ================ ======== ============
System Idle Process 0 Console 0 28 K
System 4 Console 0 244 K
smss.exe 532 Console 0 420 K
csrss.exe 604 Console 0 4,564 K
winlogon.exe 632 Console 0 6,284 K
services.exe 676 Console 0 6,516 K
lsass.exe 688 Console 0 1,572 K
ati2evxx.exe 848 Console 0 2,256 K
svchost.exe 864 Console 0 5,528 K
svchost.exe 940 Console 0 4,932 K
svchost.exe 1008 Console 0 28,528 K
svchost.exe 1096 Console 0 6,244 K
svchost.exe 1152 Console 0 3,196 K
spoolsv.exe 1316 Console 0 7,488 K
ati2evxx.exe 1512 Console 0 2,920 K
explorer.exe 1656 Console 0 64,748 K
svchost.exe 396 Console 0 3,852 K
AppleMobileDeviceService. 464 Console 0 2,216 K
arservice.exe 476 Console 0 2,428 K
ehrecvr.exe 164 Console 0 4,620 K
ehSched.exe 576 Console 0 2,588 K
IntuitUpdateService.exe 924 Console 0 1,120 K
LSSrvc.exe 1112 Console 0 2,572 K
mcmscsvc.exe 1168 Console 0 3,084 K
McNASvc.exe 1428 Console 0 7,744 K
McProxy.exe 1744 Console 0 1,992 K
Mcshield.exe 1792 Console 0 77,140 K
MDM.EXE 288 Console 0 2,948 K
MpfSrv.exe 188 Console 0 5,120 K
HPZipm12.exe 1844 Console 0 1,768 K
svchost.exe 1064 Console 0 3,928 K
svchost.exe 2104 Console 0 4,748 K
mcrdsvc.exe 2212 Console 0 3,068 K
mcagent.exe 2940 Console 0 2,128 K
dllhost.exe 3208 Console 0 6,332 K
alg.exe 3508 Console 0 3,620 K
mcsysmon.exe 3128 Console 0 3,704 K
iexplore.exe 216 Console 0 5,500 K
iexplore.exe 3540 Console 0 72,448 K
infocard.exe 3372 Console 0 13,052 K
ntvdm.exe 3368 Console 0 2,516 K
cmd.exe 3448 Console 0 2,636 K
tasklist.exe 2236 Console 0 4,296 K
wmiprvse.exe 3656 Console 0 5,860 K

Image Name PID Session Name Session# Mem Usage
========================= ====== ================ ======== ============
System Idle Process 0 Console 0 28 K
System 4 Console 0 244 K
smss.exe 536 Console 0 416 K
csrss.exe 608 Console 0 4,120 K
winlogon.exe 636 Console 0 7,080 K
services.exe 680 Console 0 5,500 K
lsass.exe 692 Console 0 1,560 K
ati2evxx.exe 848 Console 0 2,256 K
svchost.exe 864 Console 0 5,576 K
svchost.exe 944 Console 0 4,740 K
svchost.exe 1012 Console 0 27,232 K
svchost.exe 1100 Console 0 6,864 K
svchost.exe 1160 Console 0 3,196 K
spoolsv.exe 1344 Console 0 7,448 K
ati2evxx.exe 1520 Console 0 2,916 K
explorer.exe 1656 Console 0 50,548 K
rundll32.exe 1980 Console 0 2,732 K
iTunesHelper.exe 2020 Console 0 11,424 K
mcagent.exe 2040 Console 0 4,084 K
Weather.exe 184 Console 0 16,684 K
NMBgMonitor.exe 192 Console 0 6,716 K
NMIndexStoreSvr.exe 380 Console 0 13,028 K
svchost.exe 392 Console 0 3,836 K
AppleMobileDeviceService. 520 Console 0 2,296 K
arservice.exe 556 Console 0 2,432 K
ehrecvr.exe 604 Console 0 4,620 K
ehSched.exe 760 Console 0 2,596 K
IntuitUpdateService.exe 1004 Console 0 5,028 K
LSSrvc.exe 1420 Console 0 2,576 K
mcmscsvc.exe 1472 Console 0 3,420 K
McNASvc.exe 1432 Console 0 12,204 K
McProxy.exe 1784 Console 0 2,020 K
Mcshield.exe 1276 Console 0 62,304 K
MDM.EXE 2108 Console 0 3,324 K
MpfSrv.exe 2332 Console 0 5,728 K
HPZipm12.exe 2384 Console 0 1,760 K
svchost.exe 2500 Console 0 3,920 K
svchost.exe 2548 Console 0 4,628 K
mcrdsvc.exe 2716 Console 0 3,064 K
dllhost.exe 1996 Console 0 6,328 K
iPodService.exe 1552 Console 0 4,092 K
alg.exe 2832 Console 0 3,632 K
mcsysmon.exe 2908 Console 0 4,464 K
ntvdm.exe 3204 Console 0 2,516 K
chrome.exe 1756 Console 0 18,224 K
chrome.exe 940 Console 0 32,708 K
SpybotSD.exe 1680 Console 0 46,036 K
TeaTimer.exe 4072 Console 0 95,356 K
chrome.exe 3916 Console 0 17,548 K
cmd.exe 1976 Console 0 2,612 K
tasklist.exe 3108 Console 0 4,300 K
wmiprvse.exe 1932 Console 0 5,848 K

I didn't ask for a Process list, I asked for a HiJackThis log. You have TeaTimer in there, it may interfere with fixes. MBA-M already cleaned out the registry.

How do I save out the HiJackThis log file? After I ran MBA-M, I ran HiJackThis and then I was able to update McAfee and SpyBot Search and Destroy (which TeaTimer is from). Do you not recommend SpyBot? Plus I switched my parents over to Google Chrome instead of IE since I think that is how they got this virus.

When you open HiJackThis click the Do a system scan and save a logfile button...first one at the top. It will scan and when the scan is complete wait a few minutes and the log should open in Notepad; be sure that word wrap is not turned on.
Go to the top of the log, choose Edit, Select All, then Edit, Copy, then come here and open a reply. Place your cursor within that reply and Right Click with your mouse and choose Paste.

Spybot itself is an Excellent program. The TeaTimer portion is used to monitor and sometimes automatically stop changes made to the registry. As you can see by the infection...this didn't work. The infection did put itself into the registry. But often times when doing fixes TeaTimer WILL stop those necessary removals. So that is why I recommend you KEEP Spybot for scanning and removal BUT TURN OFF the TeaTimer portion. To do this do the following:
* Run Spybot-S&D in Advanced Mode
* If it is not already set to do this, go to the Mode menu and select Advanced Mode
* On the left hand side, click on Tools
* Then click on the Resident icon in the list
* Uncheck Resident TeaTimer and OK any prompts.
* Restart your computer
Now when you run Updates to Spybot just don't download any TeaTimer updates either.

Honestly, as far as how they got the infection, you are very possibly correct. There must be a glitch in IE which is allowing this onto computers. As you can see we have seen numerous infections by this thing in just the last 48 hours! I would suggest also that you might try the Firefox browser or Opera; both are very good browsers and more secure. I have tried Google Chrome, just didn't like the interface of it so I removed it. I use Firefox all the time, and I also have Opera though I rarely use it only because I am used to Firefox. I rarely if ever use IE.
You can get an IE plugin for Firefox which will allow Windows Updates through Firefox.
