-1

I have a desktop Windows XP system. After getting hit with the Police Pro virus and who knows what else, I was preparing to post here. I was following the directions under "Read First Before Posting" post. I downloaded the ATF Cleaner, MBA-M and ESET scan. I performed all of these actions several times in an attempt to clean up my cpu which seemed to help a lot of problems, but did not completely rid the nasties. The next day, before I could download Hi-Jack This and post here, I was blocked from acessing the internet through Explorer or Firefox. A reoccuring window pops up stating (paraphrasing) "Windows is unable to connect to the internet..." even when I do nothing. Also, I cannot open MBA-M or ATF Cleaner. I previously had AVG Anti-virus installed and Adaware installed, which I can open and did run. AVG picked up a lot of stuff but had no effect on solving the problem, nor did Adaware. I ran Windows in Safe Mode with and without networking and tried to run the blocked programs to no avail. Any help would be greatly appreciated!

5
Contributors
18
Replies
19
Views
8 Years
Discussion Span
Last Post by PhilliePhan
0

It would help us if you had the logs, at least the MBA-M and ESET logs. Is there a way you can get them. Can you get MBA-M to open at all? If you can go to the Logs tab and copy it and bring it to the computer you are using now and post it here.

0

I have the MBA-M log for sure because I copied and saved it before MBA-M crashed. I will post that soon even if I have to type it in manually. Fun!

0

I had to attach the mbam log. I'm sorry I was not able to cut and paste it to this window. I tried to run the eset scanner again but my cpu crashed while I was running it. I hope this helps.

0

This doesn't seem to be working.

If somebody could help me to reboot my cpu to factory settings, maybe that would help? I'm totally ok with that. I saved all the files I need onto a zip drive.

0

Are you saying that nothing is working? I am a bit leery of that zip drive. How can you be certain there are not infected files saved on that?

0

I haven't yet tried to rid the virus except by what I have already mentioned. I'm concerned the MBAM log I posted is not enough information to get help. I hope I'm wrong???

Actually, what I meant is a memory stick, not a zip drive. I saved my photos, word docs, music files and excel docs onto it. Everything else on my cpu is expendable. I'm not 100% any of those files are not infected, but I imagine it is pretty uncommon for those files to be infected, right?

0

Music files can definitely be infected if they were downloaded from the web via file sharing. Really anything can be infected, or pretty much anything.
You need to scan that memory stick too.
The MBA-M scan got rid of a LOT of that Police Pro infection but your MBA-M program is out of date. The current version is 1.41, yours is 1.40 and the current database is 2825 so yours is more than 100 behind. You need to update that program and run it again, Full Scan and Remove everything found. Save the log. Reboot. Then run HiJackThis and post the log here.
And please DON'T attach logs but copy/paste them into your post.

Edited by jholland1964: n/a

0

Well, the music and pic files I saved I have had for quite some time now -- nothing new. But... I managed to download HiJackthis onto my memory stick and run it on my cpu! Maybe there's light at the end of this tunnel? Again, any help would be so appreciated. I'm so close to junking my whole cpu. Here it is!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:55:49 PM, on 9/22/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18241)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\drivers\smss.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\system32\divxsm.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
G:\hijack\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\drivers\smss.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: C:\WINDOWS\system32\tajf83ikdmf.dll - {BF56A325-23F2-42AD-F4E4-00AAC39CAA53} - C:\WINDOWS\system32\tajf83ikdmf.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [PrivacyGuardianIndex] C:\Program Files\Privacy Guardian\PgIndex.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [Protection System] "C:\Program Files\Protection System\psystem.exe" -noscan
O4 - HKCU\..\Run: [Windows System Recover!] C:\DOCUME~1\Donald\LOCALS~1\Temp\win.exe
O4 - HKUS\S-1-5-18\..\Run: [Windows System Recover!] C:\WINDOWS\TEMP\csrss.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Windows System Recover!] C:\WINDOWS\TEMP\csrss.exe (User 'Default user')
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Download all links using BitComet - res://C:\DOCUME~1\Donald\MYDOCU~1\MYMUSI~1\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\DOCUME~1\Donald\MYDOCU~1\MYMUSI~1\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\DOCUME~1\Donald\MYDOCU~1\MYMUSI~1\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-18.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1126510382156
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1127928764093
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/67/install/gtdownls.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} - http://www.gamespot.com/KDX22/download/kdx.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O22 - SharedTaskScheduler: ghya673gidh87we9inkff - {BF56A325-23F2-42AD-F4E4-00AAC39CAA53} - C:\WINDOWS\system32\tajf83ikdmf.dll
O23 - Service: McAfee Application Installer Cleanup (0098481209173578) (0098481209173578mcinstcleanup) - - (no file)
O23 - Service: McAfee Application Installer Cleanup (0107311213418383) (0107311213418383mcinstcleanup) - - (no file)
O23 - Service: McAfee Application Installer Cleanup (0239221217917816) (0239221217917816mcinstcleanup) - - (no file)
O23 - Service: McAfee Application Installer Cleanup (0244271221269447) (0244271221269447mcinstcleanup) - - (no file)
O23 - Service: McAfee Application Installer Cleanup (0327041220469233) (0327041220469233mcinstcleanup) - - (no file)
O23 - Service: AntipyProex (AntipPro2009_100) - Unknown owner - C:\WINDOWS\svchasts.exe (file missing)
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O24 - Desktop Component 0: (no name) - http://www.sueupton.net/vidcaps/gossamer/SNAG-043.jpg
O24 - Desktop Component 1: (no name) - http://www.seriouswheels.com/pics-1970-1979/1971-Cadillac-Sedan-DeVille-Front-Angle-PO.jpg

--
End of file - 10477 bytes

0

Still a huge amount of infection showing there. Choice is yours, we have one more tool we can try if you wish or if you have the original install disks you can do a reformat the computer. You do need those disks though.

0

I downloaded the latest version of MBAM on my memory stick and I am going to try to run that tonight. What other tool do you recommend?

0

You need to update the MBA-M. Here is the offline database update. It won't be as up to date as it would be if you could do it normally but it will give you a higher database than the one you downloaded with the new version.
http://www.malwarebytes.org/mbam/database/mbam-rules.exe
Download that to the USB stick also. Then put the MBA-M program on the infected computer and then update it using the database file from the usb stick.
See what you can come up with there. Honestly not sure if the other tool I was thinking about can run from a memory stick but we will see. Let's wait and see what the next MBA-M scan finds and removes and what the results will be on the infected computer.

0

The MBA-M file is being blocked by something evil. I cannot open the program on the infected cpu no matter what.

I have the back up cd's that came with the cpu.

0

I have the back up cd's that came with the cpu.

I assume you mean that came with the computer. The cpu is only a part of a computer...

The Central Processing Unit (CPU) or processor is the portion of a computer system that carries out the instructions of a computer program,and is the primary element carrying out the computer's functions.

If you are willing and able then probably your best bet is reformat and reload.

0

Yes. I think that's my best option. Thank y ou for your help. Can you please tell me how to reformat and reload?

0

Mine was also attacked by the same thing.
All i did was backup important files to another system and formatted the whole drive.
:)

0

I have a desktop Windows XP system. After getting hit with the Police Pro virus and who knows what else,

I came across this on one of the laptops that I have to support, and after multiple scans with different software, and about a half day's worth of work, my only option was to back up the user's data, and recreate the system from an image that we have archived.

Lucky for me there was very little user data, which was scanned before installing on the new image.

0

I came across this on one of the laptops that I have to support, and after multiple scans with different software, and about a half day's worth of work, my only option was to back up the user's data, and recreate the system from an image that we have archived.

Lucky for me there was very little user data, which was scanned before installing on the new image.

Yup - that is usually the best option.
Unfortunately, it is unavailable to many because they fail to regularly back up important data and/or have no copy of Windows for re-install.
The big manufacturers not including Windows Disks with their machines ticks me off!
How many users actually burn recovery disks? I can tell you: too few!

/End Rant :)

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.