
Need Help - Windows Police Pro?? Totally Locked Up.

Hello - need some help with my wife's computer. As soon as I boot up, a window which says "windows police pro" opens and does an apparent scan which says the computer is infected with various viruses. At that point, another window opens which doesn't give any option to exit and basically locks everything up. I can get on the internet quickly, but it almost immediately blocks it and freezes it up. I can't run any programs such as Hijack This, Ad Aware, Virus Scan, etc as I get an error message which says "Running of application is impossible. File is infected".....

I'm totally locked up - I can't do anything. I'm posting this from another computer. Can't even provide a log or anything as it has taken over the computer. Any thoughts on how I can at least get some control back to try to attack the problem would be appreciated.

Thanks.

Kevin392
Junior Poster in Training
50 posts since Jul 2005
Reputation Points: 10
Solved Threads: 0
 
I'm totally locked up - I can't do anything. I'm posting this from another computer.


-- What OS?
-- Can you get into Safe Mode by tapping F8 at boot? (do not use msconfig)
-- Safe Mode with Networking to DL and run HJT and MBA-M?

Let us know what you are able to do via Safe Mode and we'll go from there.

PP :)

PhilliePhan
Central Scrutinizer
Moderator
1,942 posts since Dec 2006
Reputation Points: 184
Solved Threads: 110
 

Just to get ppl up to speed, this is a little more info on Windows Police Pro.... and it ain't pretty :(

NB: They do seem to provide a dedicated removal tool, but having no direct experience at this doozy, would await any feedback on the source of this "removal" tool to be sure.

@PhilliePhan - how good are you at guiding someone through a reg-fix? Looking more and more at this one, that may well be required here.

kaninelupus
Practically a Posting Shark
860 posts since Jul 2009
Reputation Points: 357
Solved Threads: 52
 

Just to get ppl up to speed, this is a little more info on Windows Police Pro.... and it ain't pretty :(

NB: They do seem to provide a dedicated removal tool, but having no direct experience at this doozy, would await any feedback on the source of this "removal" tool to be sure.

@PhilliePhan - how good are you at guiding someone through a reg-fix? Looking more and more at this one, that may well be required here.


kaninelupus, the link you posted, according to Web Of Trust has an extremely POOR reputation
Thanks to WOT...this failure website...IS FAKE...ROGUE...DON'T USE its instructions....Although it has a similar name to remove-malware.com, it is totally different. Malware distributor, not a malware removal site....It may contain virus/ads....This website promotes a ROGUE software.
Also presents fake description and lies about other legitimate software in order to promote theirs....Exploits your browser, scares you into purchasing a fake anti-virus software you do not need, downloads contain trojans and rogue security programs which can infect your computer badly.

If the OP can find a way to download Malwarebytes Anti-Malware , possibly to a flash drive and transfer it to the infected computer then install and run a Full Scan, Removing Everything found when the scan is complete this would be the first recommended step. Obviously the program could not be updated but at this point it would give the poster a place to begin.

jholland1964
Posting Expert
Moderator
5,785 posts since Jul 2008
Reputation Points: 725
Solved Threads: 340
 
@PhilliePhan - how good are you at guiding someone through a reg-fix? Looking more and more at this one, that may well be required here.


No worries on that front :) Have done hundreds - literally.

What worries me here is possible rootkit/stealth components in the mix. Have you heard or seen anything pointing in that direction?
I've been away from the battle for too long to be up to date on many details.

I do think MBA-M will get this baddie . . . If it can be run.

PP :)

EDIT: @Judy - Interestingly enough, the removal tool for download at the site KL linked looks like PCTools Spyware Doctor, a legitimate and well-respected product, last I heard. Maybe WOT is a bit off?
PP :)

PhilliePhan
Central Scrutinizer
Moderator
1,942 posts since Dec 2006
Reputation Points: 184
Solved Threads: 110
 

EDIT: @Judy - Interestingly enough, the removal tool for download at the site KL linked looks like PCTools Spyware Doctor, a legitimate and well-respected product, last I heard. Maybe WOT is a bit off?
PP :)


Could be, but all the other links I found with same instructions, word for word by the way, do not include the link called Windows Police Pro Automatic Remover. Why don't they call it Spyware Doctor?

Ok, you know more than me PP so I bow to you and take back my comment.

jholland1964
Posting Expert
Moderator
5,785 posts since Jul 2008
Reputation Points: 725
Solved Threads: 340
 

Could be, but all the other links I found with same instructions, word for word by the way, do not include the link called Windows Police Pro Automatic Remover. Why don't they call it Spyware Doctor?

Ok, you know more than me PP so I bow to you and take back my comment.


You're being too kind, Judy :)

That's a good question about SD - I did not bother to download the whole package, but if the site is affiliated with PCTools, then I would think it would be legit.
Even "legit" affiliates have been known to use scare tactics.....

BTW - OP cannot run any programs. I'd like to see what can be done in safe mode.

PP :)

PhilliePhan
Central Scrutinizer
Moderator
1,942 posts since Dec 2006
Reputation Points: 184
Solved Threads: 110
 
kaninelupus, the link you posted, according to Web Of Trust has an extremely POOR reputation


Cheers for heads up, although your following edit seems to suggest that opinion may be worth reviewing. I'll keep the peepers open on that one.

What worries me here is possible rootkit/stealth components in the mix. Have you heard or seen anything pointing in that direction?

Rootkit? Not that I'm aware of (or not that I can find anyhow - am btwn a few tasks right at present so not had the chance to dig right in)

Stealth? - almost definitely. All info have been able to quickly dig up suggests a high threat level and a complex infection-type (has only very recently hit the ground - or at least been detected - so information still coming in).

kaninelupus
Practically a Posting Shark
860 posts since Jul 2009
Reputation Points: 357
Solved Threads: 52
 

I guess we'll see where we are once Kevin posts back.

Here, Judy:
http://remove-malware.net/sofware/

They seem to be pimping PCTools, even if they spelled software wrong... LOL!


Registration Service Provided By: RESELLERCLUB
Contact: +1.4152361970

Domain Name: REMOVE-MALWARE.NET

Registrant:
Private Person
Bryan Stenberg ()
4 Trubek Farm Rd
Annandale
New Jersey,08801
US
Tel. +001.9087350422

Creation Date: 17-Oct-2008
Expiration Date: 17-Oct-2009

Hey . . . He's not in the Ukraine! LOL ;)


Cheers :)
PP

PhilliePhan
Central Scrutinizer
Moderator
1,942 posts since Dec 2006
Reputation Points: 184
Solved Threads: 110
 

OK - just looked over at Bleeping Computer, and advice is NOT to use the advice on original link (although description of actual infection seems fairly legit, so go figure)

Am posting links to original post for assistance on BP (same infection), and follow up post on spyware board... again, may help keep ppl up to speed on this one :)

@jholland - again cheers for the heads-up.... missed your post the first time.

http://www.bleepingcomputer.com/forums/index.php?showtopic=253376&st=0&p=1404306entry1404306
http://www.bleepingcomputer.com/forums/topic253555.html

kaninelupus
Practically a Posting Shark
860 posts since Jul 2009
Reputation Points: 357
Solved Threads: 52
 

Thanks for the responses all. OS is Windows XP. I am able to boot up into Safe Mode with Networking and get online (posting from the problem computer now) - however I can't run Hijack This or Anti Malware...nothing happening when I try to run them.

Kevin392
Junior Poster in Training
50 posts since Jul 2005
Reputation Points: 10
Solved Threads: 0
 
Thanks for the responses all. OS is Windows XP. I am able to boot up into Safe Mode with Networking and get online (posting from the problem computer now) - however I can't run Hijack This or Anti Malware...nothing happening when I try to run them.


Let's try this:
-- Download the attached file to the desktop and re-name it TSKLST.bat
Boot to normal windows and doubleclick on TSKLST.bat to run it. A log should pop up - Copy and paste that for us, if possible...

Best Luck :)
PP

PhilliePhan
Central Scrutinizer
Moderator
1,942 posts since Dec 2006
Reputation Points: 184
Solved Threads: 110
 

Another interesting bit of info on this linked website...There are 3 domains hosted on this IP address....one is the one in question here and the other two are Ukraine web sites.

jholland1964
Posting Expert
Moderator
5,785 posts since Jul 2008
Reputation Points: 725
Solved Threads: 340
 

Tried to run TSKLST.bat in normal mode - nothing happens..no log.

Also, when I boot in normal mode - various errors appear immediately...windows/system32/.........

This is a doozy.

Kevin392
Junior Poster in Training
50 posts since Jul 2005
Reputation Points: 10
Solved Threads: 0
 

Can you get a command prompt in Normal Windows Boot?
Start > Run > cmd

-- Also, when booting to Safe Mode, do you have option for "Last Known Good Configuration?"

PhilliePhan
Central Scrutinizer
Moderator
1,942 posts since Dec 2006
Reputation Points: 184
Solved Threads: 110
 

No - screen blanks for a second and then just goes back to desktop with all the Windows Police Pro windows....won't open command prompt box

Kevin392
Junior Poster in Training
50 posts since Jul 2005
Reputation Points: 10
Solved Threads: 0
 
No - screen blanks for a second and then just goes back to desktop with all the Windows Police Pro windows....won't open command prompt box


Try Start > Run > command.com

PhilliePhan
Central Scrutinizer
Moderator
1,942 posts since Dec 2006
Reputation Points: 184
Solved Threads: 110
 

Ok, that worked...I have a command prompt

Kevin392
Junior Poster in Training
50 posts since Jul 2005
Reputation Points: 10
Solved Threads: 0
 
Ok, that worked...I have a command prompt


Ok, great.
Type tasklist >> %systemdrive%\TSKLST.txt ENTER
Type notepad %systemdrive%\TSKLST.txt ENTER

See if the log pops up now and post it for us.

Also, see my edited post above RE Last Known Good

PP :)

PhilliePhan
Central Scrutinizer
Moderator
1,942 posts since Dec 2006
Reputation Points: 184
Solved Threads: 110
 

Here is log....and yes, "Last Known Good Config" option is there when I go into Safe Mode....

Image Name PID Session Name Session# Mem Usage
========================= ====== ================ ======== ============
System Idle Process 0 Console 0 28 K
System 4 Console 0 236 K
smss.exe 848 Console 0 424 K
csrss.exe 1164 Console 0 3,820 K
winlogon.exe 1332 Console 0 6,624 K
services.exe 1468 Console 0 4,776 K
lsass.exe 1552 Console 0 1,592 K
svchost.exe 864 Console 0 6,428 K
svchost.exe 1828 Console 0 6,108 K
svchost.exe 704 Console 0 25,816 K
svchost.exe 1020 Console 0 4,820 K
svchost.exe 1540 Console 0 4,392 K
AAWService.exe 1968 Console 0 16,056 K
LEXBCES.EXE 1232 Console 0 3,600 K
spoolsv.exe 1348 Console 0 6,332 K
LEXPPS.EXE 1768 Console 0 3,664 K
svchost.exe 1660 Console 0 4,552 K
svchasts.exe 228 Console 0 1,424 K
isafe.exe 296 Console 0 21,168 K
ehrecvr.exe 536 Console 0 5,120 K
ehSched.exe 932 Console 0 2,872 K
ITMRTSVC.exe 1148 Console 0 3,160 K
sprtsvc.exe 2004 Console 0 1,264 K
svchost.exe 452 Console 0 5,160 K
svchost.exe 652 Console 0 5,704 K
vetmsg.exe 2408 Console 0 4,696 K
ViewpointService.exe 2504 Console 0 2,556 K
mcrdsvc.exe 2964 Console 0 3,136 K
windows Police Pro.exe 3604 Console 0 23,416 K
dllhost.exe 316 Console 0 7,524 K
unsecapp.exe 1068 Console 0 4,312 K
alg.exe 2836 Console 0 4,148 K
wscntfy.exe 2936 Console 0 2,368 K
wmiprvse.exe 3164 Console 0 6,200 K
AAWTray.exe 3996 Console 0 1,488 K
explorer.exe 3432 Console 0 29,932 K
ntvdm.exe 2356 Console 0 3,460 K
ctfmon.exe 2712 Console 0 3,740 K
cmd.exe 876 Console 0 3,048 K
tasklist.exe 2132 Console 0 4,868 K
wmiprvse.exe 2948 Console 0 6,168 K

Image Name PID Session Name Session# Mem Usage
========================= ====== ================ ======== ============
System Idle Process 0 Console 0 28 K
System 4 Console 0 236 K
smss.exe 848 Console 0 424 K
csrss.exe 1164 Console 0 3,820 K
winlogon.exe 1332 Console 0 6,624 K
services.exe 1468 Console 0 4,776 K
lsass.exe 1552 Console 0 1,480 K
svchost.exe 864 Console 0 6,436 K
svchost.exe 1828 Console 0 6,108 K
svchost.exe 704 Console 0 25,712 K
svchost.exe 1020 Console 0 4,820 K
svchost.exe 1540 Console 0 4,392 K
AAWService.exe 1968 Console 0 16,476 K
LEXBCES.EXE 1232 Console 0 3,600 K
spoolsv.exe 1348 Console 0 6,332 K
LEXPPS.EXE 1768 Console 0 3,664 K
svchost.exe 1660 Console 0 4,552 K
svchasts.exe 228 Console 0 1,424 K
isafe.exe 296 Console 0 21,168 K
ehrecvr.exe 536 Console 0 5,120 K
ehSched.exe 932 Console 0 2,872 K
ITMRTSVC.exe 1148 Console 0 3,160 K
sprtsvc.exe 2004 Console 0 1,264 K
svchost.exe 452 Console 0 5,160 K
svchost.exe 652 Console 0 5,704 K
vetmsg.exe 2408 Console 0 4,696 K
ViewpointService.exe 2504 Console 0 2,556 K
mcrdsvc.exe 2964 Console 0 3,136 K
windows Police Pro.exe 3604 Console 0 23,464 K
dllhost.exe 316 Console 0 7,524 K
unsecapp.exe 1068 Console 0 4,312 K
alg.exe 2836 Console 0 4,148 K
wscntfy.exe 2936 Console 0 2,368 K
wmiprvse.exe 3164 Console 0 6,200 K
AAWTray.exe 3996 Console 0 1,488 K
explorer.exe 3432 Console 0 29,932 K
ntvdm.exe 2356 Console 0 3,464 K
ctfmon.exe 2712 Console 0 3,740 K
wmiprvse.exe 2948 Console 0 6,460 K
cmd.exe 3900 Console 0 3,044 K
tasklist.exe 1728 Console 0 4,864 K

Kevin392
Junior Poster in Training
50 posts since Jul 2005
Reputation Points: 10
Solved Threads: 0
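
As an added example (not part of the original thread): a small Python triage pass over a tasklist log in the layout Kevin392 pasted. It parses rows whose image names contain spaces and flags names that are close to, but not identical to, a stock Windows process name. The allow-list, the function names and the distance threshold are assumptions; a hit is a lead to check, not a verdict.

```python
import re

# Constructed sample: a few rows in the single-space layout of the pasted log.
SAMPLE = """\
Image Name PID Session Name Session# Mem Usage
========================= ====== ================ ======== ============
System Idle Process 0 Console 0 28 K
svchost.exe 864 Console 0 6,428 K
svchasts.exe 228 Console 0 1,424 K
windows Police Pro.exe 3604 Console 0 23,416 K
explorer.exe 3432 Console 0 29,932 K
"""

# Assumption: a short allow-list of stock Windows XP process names.
SYSTEM_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                "svchost.exe", "spoolsv.exe", "explorer.exe", "alg.exe"}

# Image names may contain spaces, so the fixed trailing fields anchor the match.
ROW = re.compile(r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+\S+\s+\d+\s+(?P<mem>[\d,]+) K$")

def parse_tasklist(text):
    """Return (image, pid, mem_kb) tuples; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append((m["image"], int(m["pid"]), int(m["mem"].replace(",", ""))))
    return rows

def edit_distance(a, b):
    """Levenshtein distance using two rows of the dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalikes(rows, max_dist=2):
    """Flag images that are near, but not equal to, a stock process name."""
    hits = []
    for image, pid, _ in rows:
        name = image.lower()
        if name not in SYSTEM_NAMES:
            hits += [(image, pid, ref) for ref in sorted(SYSTEM_NAMES)
                     if edit_distance(name, ref) <= max_dist]
    return hits
```

Exact-name matches are skipped on purpose: a process that reuses a stock name from a different path needs a path check, which plain tasklist output does not carry.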
 

This question has already been solved
