Member Avatar for darkrecess

Okay, got home from work to find my mother-in-law's computer was popping up Windows Police Pro. Won't let her run programs (like MSN msngr, etc..) and now, on system boot, WPP pops up and wont let me move beyond it.

On boot to safe mode w/ networking, it takes me to just a black screen. WPP doesn't come up, but neither does anything else.

Last Known Good Config just does same thing as a normal boot.

Her computer has an option for a system restore -- should I just do that?

Also, I posted on the end of another thread earlier. Most boards I usually post on encourage people to look for similar threads before starting a new one.

  • 3 Contributors
  • 5 Replies
  • 113 Views
  • 1 Day Discussion Span
  • Latest Post Latest Post by jholland1964

Recommended Answers

All 5 Replies

Member Avatar for PhilliePhan

Also, I posted on the end of another thread earlier. Most boards I usually post on encourage people to look for similar threads before starting a new one.

Most security forums prefer that you start a fresh thread - less confusion.

-- Do you have a viable System Restore point from before this infection?
If so, use it and then see if you can run MBA-M as per the step in this linky:

http://www.daniweb.com/forums/thread134865.html

PP :)

Member Avatar for darkrecess

Most security forums prefer that you start a fresh thread - less confusion.

-- Do you have a viable System Restore point from before this infection?
If so, use it and then see if you can run MBA-M as per the step in this linky:

http://www.daniweb.com/forums/thread134865.html

PP :)

It's the system restore using F10 on the boot menu -- backs up my files and re-installs windows. I am using the problem computer now because my mother in law needs it up and running.

I still need to go through and delete all the WPP files, what all should I look for when deleting the files? Any ideas?

Member Avatar for PhilliePhan

I still need to go through and delete all the WPP files, what all should I look for when deleting the files? Any ideas?

It is difficult to remove this file by file due to the rootkit components and protected registry keys.

The first step would be to try to get MBA-M to run as per the linky I posted. If it can run, do a Full Scan and have it remove all that it finds. Post the log.

If you are unable to run MBA-M, please download FindIt.zip and Extract the FindIt folder to your desktop.
-- Inside the folder, you'll see RunThis.bat - DoubleClick it and let it run. (10-20 seconds)
A log should pop up - please post that for me.

PP :)

Edited by PhilliePhan because: n/a
Member Avatar for darkrecess

mbam log

Malwarebytes' Anti-Malware 1.41
Database version: 2806
Windows 5.1.2600 Service Pack 1

9/16/2009 12:17:09 AM
mbam-log-2009-09-16 (00-17-03).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 189270
Time elapsed: 1 hour(s), 23 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 4
Files Infected: 78

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Windows Police Pro (Rogue.WindowsPolicePro) -> No action taken.
C:\Program Files\Windows Police Pro\tmp (Rogue.WindowsPolicePro) -> No action taken.
C:\Program Files\Windows Police Pro\tmp\images (Rogue.WindowsPolicePro) -> No action taken.
C:\Documents and Settings\Owner\Start Menu\Programs\Windows Police Pro (Rogue.WindowsPolicePro) -> No action taken.

Files Infected:
C:\pfhoc.exe (Rootkit.Agent) -> No action taken.
C:\scmhux.exe (Trojan.Vundo) -> No action taken.
C:\udtcnn.exe (Trojan.Agent) -> No action taken.
C:\xjehx.exe (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\F6.tmp (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\a.exe (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\csrss.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\d.exe (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\drweb.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\svchost.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\taskmgr.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\2563347166.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\3.tmp (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\installb[1].exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\login.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\ajka823idf.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\~TM3BD.tmp (Worm.KoobFace) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\5.tmp (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\UAC273b.tmp (Rootkit.TDSS) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\UACb62d.tmp (Malware.Packer) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8W1RS489\pvjtgk[1].htm (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8W1RS489\xdaaxkl[1].htm (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8W1RS489\bqqaob[1].htm (Malware.Packer) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8W1RS489\qwxhuhvvjw[1].htm (Rootkit.Agent) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KXTY6T1M\fcmmaabo[1].htm (Trojan.Vundo) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\KXTY6T1M\cvwjj[1].htm (Trojan.Dropper) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\T868QMO4\Install[1].exe (Rogue.AntivirusPro) -> No action taken.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\T868QMO4\xdajk[1].htm (Spyware.Banker) -> No action taken.
C:\Program Files\drv\drv.dll (Rootkit.Agent) -> No action taken.
C:\Program Files\drv\drv.sys (Rootkit.Agent) -> No action taken.
C:\Program Files\Windows Police Pro\windows Police Pro.exe (Antivirus2009) -> No action taken.
C:\WINDOWS\cru629.dat (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\freddy49.exe (Worm.KoobFace) -> No action taken.
C:\WINDOWS\ld12.exe (Worm.KoobFace) -> No action taken.
D:\sousogysob.exe (Worm.Spambot) -> No action taken.
C:\Program Files\Windows Police Pro\msvcm80.dll (Rogue.WindowsPolicePro) -> No action taken.
C:\Program Files\Windows Police Pro\msvcp80.dll (Rogue.WindowsPolicePro) -> No action taken.
C:\Program Files\Windows Police Pro\msvcr80.dll (Rogue.WindowsPolicePro) -> No action taken.
C:\Program Files\Windows Police Pro\tmp\dbsinit.exe (Rogue.WindowsPolicePro) -> No action taken.
C:\Program Files\Windows Police Pro\tmp\wispex.html (Rogue.WindowsPolicePro) -> No action taken.
C:\Program Files\Windows Police Pro\tmp\images\i1.gif (Rogue.WindowsPolicePro) -> No action taken.
C:\Program Files\Windows Police Pro\tmp\images\i2.gif (Rogue.WindowsPolicePro) -> No action taken.
C:\Program Files\Windows Police Pro\tmp\images\i3.gif (Rogue.WindowsPolicePro) -> No action taken.
C:\Program Files\Windows Police Pro\tmp\images\j1.gif (Rogue.WindowsPolicePro) -> No action taken.
C:\Program Files\Windows Police Pro\tmp\images\j2.gif (Rogue.WindowsPolicePro) -> No action taken.
C:\Program Files\Windows Police Pro\tmp\images\j3.gif (Rogue.WindowsPolicePro) -> No action taken.
C:\Program Files\Windows Police Pro\tmp\images\jj1.gif (Rogue.WindowsPolicePro) -> No action taken.
C:\Program Files\Windows Police Pro\tmp\images\jj2.gif (Rogue.WindowsPolicePro) -> No action taken.
C:\Program Files\Windows Police Pro\tmp\images\jj3.gif (Rogue.WindowsPolicePro) -> No action taken.
C:\Program Files\Windows Police Pro\tmp\images\l1.gif (Rogue.WindowsPolicePro) -> No action taken.
C:\Program Files\Windows Police Pro\tmp\images\l2.gif (Rogue.WindowsPolicePro) -> No action taken.
C:\Program Files\Windows Police Pro\tmp\images\l3.gif (Rogue.WindowsPolicePro) -> No action taken.
C:\Program Files\Windows Police Pro\tmp\images\pix.gif (Rogue.WindowsPolicePro) -> No action taken.
C:\Program Files\Windows Police Pro\tmp\images\t1.gif (Rogue.WindowsPolicePro) -> No action taken.
C:\Program Files\Windows Police Pro\tmp\images\t2.gif (Rogue.WindowsPolicePro) -> No action taken.
C:\Program Files\Windows Police Pro\tmp\images\up1.gif (Rogue.WindowsPolicePro) -> No action taken.
C:\Program Files\Windows Police Pro\tmp\images\up2.gif (Rogue.WindowsPolicePro) -> No action taken.
C:\Program Files\Windows Police Pro\tmp\images\w1.gif (Rogue.WindowsPolicePro) -> No action taken.
C:\Program Files\Windows Police Pro\tmp\images\w11.gif (Rogue.WindowsPolicePro) -> No action taken.
C:\Program Files\Windows Police Pro\tmp\images\w2.gif (Rogue.WindowsPolicePro) -> No action taken.
C:\Program Files\Windows Police Pro\tmp\images\w3.gif (Rogue.WindowsPolicePro) -> No action taken.
C:\Program Files\Windows Police Pro\tmp\images\w3.jpg (Rogue.WindowsPolicePro) -> No action taken.
C:\Program Files\Windows Police Pro\tmp\images\wt1.gif (Rogue.WindowsPolicePro) -> No action taken.
C:\Program Files\Windows Police Pro\tmp\images\wt2.gif (Rogue.WindowsPolicePro) -> No action taken.
C:\Program Files\Windows Police Pro\tmp\images\wt3.gif (Rogue.WindowsPolicePro) -> No action taken.
C:\Documents and Settings\Owner\Start Menu\Programs\Windows Police Pro\Windows Police Pro.lnk (Rogue.WindowsPolicePro) -> No action taken.
C:\WINDOWS\010112010146118114.dat (Worm.KoobFace) -> No action taken.
C:\WINDOWS\0101120101464849.dat (Worm.KoobFace) -> No action taken.
C:\WINDOWS\934fdfg34fgjf23 (Worm.KoobFace) -> No action taken.
C:\WINDOWS\bf23567.dat (Worm.KoobFace) -> No action taken.
C:\WINDOWS\braviax.exe (Trojan.Downloader) -> No action taken.
C:\WINDOWS\msa.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\ppp3.dat (Malware.Trace) -> No action taken.
C:\WINDOWS\ppp4.dat (Malware.Trace) -> No action taken.
C:\WINDOWS\svchast.exe (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> No action taken.
C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> No action taken.
C:\kqbvc.exe (Trojan.Downloader) -> No action taken.

Member Avatar for jholland1964

darkrecess, you didn't have MBA-M do any removal. Update MBA-M again and run another Full Scan. This time when it shows what it finds be sure to Select All and then Click Remove Selected. This will clean the infected files. Then reboot the computer and post the new log back here.

Edited by jholland1964 because: n/a
Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.