Hello - need some help with my wife's computer. As soon as I boot up, a window which says "windows police pro" opens and does an apparent scan which says the computer is infected with various viruses. At that point, another window opens which doesn't give any option to exit and basically locks everything up. I can get on the internet quickly, but it almost immediately blocks it and freezes it up. I can't run any programs such as Hijack This, Ad Aware, Virus Scan, etc as I get an error message which says "Running of application is impossible. File is infected".....

I'm totally locked up - I can't do anything. I'm posting this from another computer. Can't even provide a log or anything as it has taken over the computer. Any thoughts on how I can at least get some control back to try to attack the problem would be appreciated.

Thanks.

I'm totally locked up - I can't do anything. I'm posting this from another computer.

-- What OS?
-- Can you get into Safe Mode by tapping F8 at boot ?(do not use msconfig)
-- Safe Mode with Networking to DL and run HJT and MBA-M?

Let us know what you are able to do via Safe Mode and we'll go from there.

PP :)

Just to get ppl up to speed, this is a little more info on Windows Police Pro.... and it ain't pretty :(

NB: They do seem to provide a dedicated removal tool, but having no direct experience at this doozy, would await any feedback on the source of this "removal" tool to be sure.

@PhilliePhan - how good are you at guiding someone through a reg-fix? Looking more and more at this one, that may well be required here.


kaninelupus, the link you posted, according to Web Of Trust, has an extremely POOR reputation.

Thanks to WOT...this failure website...IS FAKE...ROGUE...DON'T USE it's instructions....Although it has a similar name to remove-malware.com, it is totally different. Malware distributor, not a malware removal site....It may contain virus/ads....This website promotes a ROGUE software.
Also presents fake description and lies about other legitimate software in order to promote theirs....Exploits your browser, scares you into purchasing a fake anti-virus software you do not need, downloads contain trojans and rogue security programs which can infect your computer badly.

If the OP can find a way to download Malwarebytes Anti-Malware, possibly to a flash drive, and transfer it to the infected computer, then install and run a Full Scan, removing everything found when the scan is complete, this would be the first recommended step. Obviously the program could not be updated, but at this point it would give the poster a place to begin.

@PhilliePhan - how good are you at guiding someone through a reg-fix? Looking more and more at this one, that may well be required here.

No worries on that front :) Have done hundreds - literally.

What worries me here is possible rootkit/stealth components in the mix. Have you heard or seen anything pointing in that direction?
I've been away from the battle for too long to be up to date on many details.

I do think MBA-M will get this baddie . . . If it can be run.

PP :)

EDIT: @Judy - Interestingly enough, the removal tool for download at the site KL linked looks like PCTools Spyware Doctor, a legitimate and well-respected product, last I heard. Maybe WOT is a bit off?
PP :)



Could be, but all the other links I found with same instructions, word for word by the way, do not include the link called Windows Police Pro Automatic Remover. Why don't they call it Spyware Doctor?

Ok, you know more than me PP so I bow to you and take back my comment.


You're being too kind, Judy :)

That's a good question about SD - I did not bother to download the whole package, but if the site is affiliated with PCTools, then I would think it would be legit.
Even "legit" affiliates have been known to use scare tactics.....

BTW - OP cannot run any programs. I'd like to see what can be done in safe mode.

PP :)

kaninelupus, the link you posted, according to Web Of Trust, has an extremely POOR reputation.

Cheers for heads up, although your following edit seems to suggest that opinion may be worth reviewing. I'll keep the peepers open on that one.

What worries me here is possible rootkit/stealth components in the mix. Have you heard or seen anything pointing in that direction?

Rootkit? Not that I'm aware of (or not that I can find anyhow - am btwn a few tasks right at present so not had the chance to dig right in)

Stealth? - almost definitely. All info I have been able to quickly dig up suggests a high threat level and a complex infection-type (has only very recently hit the ground - or at least been detected - so information still coming in).

I guess we'll see where we are once Kevin posts back.

Here, Judy:
http://remove-malware.net/sofware/

They seem to be pimping PCTools, even if they spelled software wrong... LOL!


Registration Service Provided By: RESELLERCLUB
Contact: +1.4152361970

Domain Name: REMOVE-MALWARE.NET

Registrant:
Private Person
Bryan Stenberg ()
4 Trubek Farm Rd
Annandale
New Jersey,08801
US
Tel. +001.9087350422

Creation Date: 17-Oct-2008
Expiration Date: 17-Oct-2009

Hey . . . He's not in the Ukraine! LOL ;)


Cheers :)
PP

OK - just looked over at Bleeping Computer, and advice is NOT to use the advice on original link (although description of actual infection seems fairly legit, so go figure)

Am posting links to original post for assistance on BP (same infection), and follow up post on spyware board... again, may help keep ppl up to speed on this one :)

@jholland - again cheers for the heads-up.... missed your post the first time.

http://www.bleepingcomputer.com/forums/index.php?showtopic=253376&st=0&p=1404306&#entry1404306
http://www.bleepingcomputer.com/forums/topic253555.html

Thanks for the responses all. OS is Windows XP. I am able to boot up into Safe Mode with Networking and get online (posting from the problem computer now) - however I can't run Hijack This or Anti Malware...nothing happening when I try to run them.


Let's try this:
-- Download the attached file to the desktop and re-name it TSKLST.bat
Boot to normal windows and doubleclick on TSKLST.bat to run it. A log should pop up - Copy and paste that for us, if possible...

Best Luck :)
PP

Another interesting bit of info on this linked website...There are 3 domains hosted on this IP address....one is the one in question here and the other two are Ukraine web sites.

Tried to run TSKLST.bat in normal mode - nothing happens..no log.

Also, when I boot in normal mode - various errors appear immediately...windows/system32/.........

This is a doozy.

Can you get a command prompt in Normal Windows Boot?
Start > Run > cmd

-- Also, when booting to Safe Mode, do you have option for "Last Known Good Configuration?"

No - screen blanks for a second and then just goes back to desktop with all the Windows Police Pro windows....won't open command prompt box


Try Start > Run > command.com

Ok, that worked...I have a command prompt


Ok, great.

Type tasklist >> %systemdrive%\TSKLST.txt ENTER
Type notepad %systemdrive%\TSKLST.txt ENTER

See if the log pops up now and post it for us.

Also, see my edited post above RE Last Known Good

PP :)

Here is log....and yes, "Last Known Good Config" option is there when I go into Safe Mode....

Image Name PID Session Name Session# Mem Usage
========================= ====== ================ ======== ============
System Idle Process 0 Console 0 28 K
System 4 Console 0 236 K
smss.exe 848 Console 0 424 K
csrss.exe 1164 Console 0 3,820 K
winlogon.exe 1332 Console 0 6,624 K
services.exe 1468 Console 0 4,776 K
lsass.exe 1552 Console 0 1,592 K
svchost.exe 864 Console 0 6,428 K
svchost.exe 1828 Console 0 6,108 K
svchost.exe 704 Console 0 25,816 K
svchost.exe 1020 Console 0 4,820 K
svchost.exe 1540 Console 0 4,392 K
AAWService.exe 1968 Console 0 16,056 K
LEXBCES.EXE 1232 Console 0 3,600 K
spoolsv.exe 1348 Console 0 6,332 K
LEXPPS.EXE 1768 Console 0 3,664 K
svchost.exe 1660 Console 0 4,552 K
svchasts.exe 228 Console 0 1,424 K
isafe.exe 296 Console 0 21,168 K
ehrecvr.exe 536 Console 0 5,120 K
ehSched.exe 932 Console 0 2,872 K
ITMRTSVC.exe 1148 Console 0 3,160 K
sprtsvc.exe 2004 Console 0 1,264 K
svchost.exe 452 Console 0 5,160 K
svchost.exe 652 Console 0 5,704 K
vetmsg.exe 2408 Console 0 4,696 K
ViewpointService.exe 2504 Console 0 2,556 K
mcrdsvc.exe 2964 Console 0 3,136 K
windows Police Pro.exe 3604 Console 0 23,416 K
dllhost.exe 316 Console 0 7,524 K
unsecapp.exe 1068 Console 0 4,312 K
alg.exe 2836 Console 0 4,148 K
wscntfy.exe 2936 Console 0 2,368 K
wmiprvse.exe 3164 Console 0 6,200 K
AAWTray.exe 3996 Console 0 1,488 K
explorer.exe 3432 Console 0 29,932 K
ntvdm.exe 2356 Console 0 3,460 K
ctfmon.exe 2712 Console 0 3,740 K
cmd.exe 876 Console 0 3,048 K
tasklist.exe 2132 Console 0 4,868 K
wmiprvse.exe 2948 Console 0 6,168 K

Image Name PID Session Name Session# Mem Usage
========================= ====== ================ ======== ============
System Idle Process 0 Console 0 28 K
System 4 Console 0 236 K
smss.exe 848 Console 0 424 K
csrss.exe 1164 Console 0 3,820 K
winlogon.exe 1332 Console 0 6,624 K
services.exe 1468 Console 0 4,776 K
lsass.exe 1552 Console 0 1,480 K
svchost.exe 864 Console 0 6,436 K
svchost.exe 1828 Console 0 6,108 K
svchost.exe 704 Console 0 25,712 K
svchost.exe 1020 Console 0 4,820 K
svchost.exe 1540 Console 0 4,392 K
AAWService.exe 1968 Console 0 16,476 K
LEXBCES.EXE 1232 Console 0 3,600 K
spoolsv.exe 1348 Console 0 6,332 K
LEXPPS.EXE 1768 Console 0 3,664 K
svchost.exe 1660 Console 0 4,552 K
svchasts.exe 228 Console 0 1,424 K
isafe.exe 296 Console 0 21,168 K
ehrecvr.exe 536 Console 0 5,120 K
ehSched.exe 932 Console 0 2,872 K
ITMRTSVC.exe 1148 Console 0 3,160 K
sprtsvc.exe 2004 Console 0 1,264 K
svchost.exe 452 Console 0 5,160 K
svchost.exe 652 Console 0 5,704 K
vetmsg.exe 2408 Console 0 4,696 K
ViewpointService.exe 2504 Console 0 2,556 K
mcrdsvc.exe 2964 Console 0 3,136 K
windows Police Pro.exe 3604 Console 0 23,464 K
dllhost.exe 316 Console 0 7,524 K
unsecapp.exe 1068 Console 0 4,312 K
alg.exe 2836 Console 0 4,148 K
wscntfy.exe 2936 Console 0 2,368 K
wmiprvse.exe 3164 Console 0 6,200 K
AAWTray.exe 3996 Console 0 1,488 K
explorer.exe 3432 Console 0 29,932 K
ntvdm.exe 2356 Console 0 3,464 K
ctfmon.exe 2712 Console 0 3,740 K
wmiprvse.exe 2948 Console 0 6,460 K
cmd.exe 3900 Console 0 3,044 K
tasklist.exe 1728 Console 0 4,864 K

Here is log....and yes, "Last Known Good Config" option is there when I go into Safe Mode....

Cool - We'll keep that in mind in case we need it.

-- Are you able to access Task Manager?

Obviously, there is a process we want to kill listed there ;)
Also, I think there are a couple less obvious ones. Once we kill them, you ought to be able to run MBA-M.....

Go ahead and answer my Task Manager question while I have a look at that list.....

PP :)

Yes..I can access task manager in normal mode.


Cool!
Use Task Manager to kill windows Police Pro.exe & svchasts.exe (note the spelling).

Now, you ought to be able to run some programs. I suggest you start with MBA-M and post the log for us.

Best Luck :)
PP
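An added example (not code from this thread, nor from MBA-M or any tool named in it) that automates the check PP did by eye on the tasklist log: it parses tasklist's default table and flags image names that are a near miss of a well-known Windows process, such as svchasts.exe beside svchost.exe, or that contain spaces, such as windows Police Pro.exe. The allowlist and the sample rows are assumptions constructed from the log posted above.

```python
import re
# Constructed sample: rows copied from the tasklist output posted in the thread.
SAMPLE_TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process              0 Console                 0         28 K
svchost.exe                    864 Console                 0      6,428 K
svchasts.exe                   228 Console                 0      1,424 K
windows Police Pro.exe        3604 Console                 0     23,416 K
explorer.exe                  3432 Console                 0     29,932 K
"""
# Assumed allowlist of legitimate Windows XP image names (lower-case).
KNOWN_GOOD = {"system idle process", "system", "smss.exe", "csrss.exe", "winlogon.exe",
              "services.exe", "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"}
# One row of tasklist's default table: image, PID, session name, session#, memory.
ROW_RE = re.compile(r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+\S+\s+\d+\s+[\d,]+ K$")
def parse_tasklist(text):
    """Return (image name, pid) pairs; header and separator lines do not match."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.rstrip())
        if m:
            rows.append((m.group("image").strip(), int(m.group("pid"))))
    return rows

def edit_distance(a, b):
    """Levenshtein distance, used to catch names typo-squatting a system process."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def suspicious_processes(text, max_distance=2):
    """Map each suspicious image name to the reason it was flagged."""
    flagged = {}
    for image, pid in parse_tasklist(text):
        name = image.lower()
        if name in KNOWN_GOOD:
            continue
        if " " in name:  # spaces are unusual for system binaries ("windows Police Pro.exe")
            flagged[image] = f"image name contains spaces (pid {pid})"
            continue
        # A near miss of a known image, e.g. svchasts.exe is two edits from svchost.exe.
        near = [k for k in sorted(KNOWN_GOOD) if edit_distance(name, k) <= max_distance]
        if near:
            flagged[image] = f"look-alike of {near[0]} (pid {pid})"
    return flagged
```

Note that `>>` appends to TSKLST.txt rather than overwriting it, so a second run adds a second table to the file, and the parser above simply reports rows from both.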

ok, did that - but now for some reason desktop is blank, no programs showing, no start menu....not sure how to run anything if I can't see it....

nevermind...dumb question, figured it out...running now


Great! Well done! :)

You should be good to go, assuming MBA-M is up to date with build and definitions.

I am going to cut out - will check back Sunday evening. Please post the MBA-M log and I'm sure Judy or kaninelupus will be happy to assist you further.


Cheers :)
PP

Thanks so much for your help...calling it a night myself once this scan is done.


You're welcome! Happy to help :)

Keeping my fingers crossed that things go well.

PP :)

Kevin, when you get that MBA-M done, be sure to have it clean everything. Unless it tells you to reboot in order to clean, don't until you run the HJT scan and post back with both the logs. Of course if you do have to reboot in order to complete the cleaning process by all means do so. Be sure though to check the task manager for those processes again before you do anything.
You also might want to check in Scheduled Tasks to see if there are any unusual entries there. This one is similar to a couple others which put a scheduled task entry in order to download more infections. If you see something you didn't add yourself, delete it.
Judy

Will keep an eye your way. One thing though, before you call it a night. As Crunchie likes to point out, MBA-M doesn't run at full strength in Safe Mode, so if after the scan you can at least boot and run in normal boot, that would be a good idea - just let it run overnight :)

Keep us posted as to how you go.

@Judy - good point on the Scheduled Tasks. As an aside to the Task Manager tip, would suggest SysInternal's Process Manager, as it should give a more accurate look-over as to what is still running in the background.
