Need Help With Windows Police Pro

Need Help With Windows Police Pro

I got the Windows Police Pro virus recently. I tried doing my standard procedure for dealing with viruses (disconnect ethernet cord and run antivirus software in Safe Mode), but I'm running into some snags that I can't get around on my own.

First of all, I can't run any of my antivirus programs or Task Manager, because my computer claims that I do not have "appropriate permissions" and says I should talk to my administrator (I am the admin for the computer in question). System Restore has also been disabled under similar pretenses, something about "group policy" forbidding it. Originally I was able to run malwarebytes for a bit, but then it crashed. Hard. As in, not only can I not run it but I can't even delete the link from my desktop. Same goes for SUPER Anti Spyware. I managed to run the command line version of AVG 8.5 early on, it mentioned something called \\?\globalroot\Device\_max++>\26290FAC.x86.dll and claimed it got rid of Windows Police Pro, but it didn't.

I've tried a couple things suggested on these boards, but some of the solutions here are highly customized for the individual asking the question and other programs I've gotten run for a moment before crashing out and refusing to open. I now have a copy of HijackThis saved to my desktop as a screensaver which will neither run nor delete. I'm starting to get a little flustered here.

Sorry for the giant introduction, I just wanted to relay as much information as possible. Any help would be greatly appreciated.

Re: Need Help With Windows Police Pro

Hi

No problem, a lot of detail is better than none.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


  • Double-click SystemLook.exe to run it.
  • Copy the content of the following quotebox into the main textfield:


    :filefind
    scecli.dll
    netlogon.dll
    eventlog.dll

  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Re: Need Help With Windows Police Pro

Here's the log. Also, I have a couple of questions.

Is it alright if I run all of these programs in Safe Mode, or could I run into any problems with programs that want me to restart my computer?

Also, I'm not posting from my own computer--I run over to a friend's and use his. Is it okay if I turn my computer off whenever I leave it, or should I leave it on? I'm a little paranoid about things suddenly getting worse if I left it on and walked away, but I get the feeling some of these problems could reset themselves on reboot.

Anyhow, the log.

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 20:59 on 11/09/2009 by HP_Administrator (Administrator - Elevation successful)

========== filefind ==========

Searching for "scecli.dll"
C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\scecli.dll --a--- 181248 bytes [12:58 27/08/2008] [00:12 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084
C:\WINDOWS\system32\dllcache\scecli.dll ------ 180224 bytes [21:00 09/08/2004] [21:00 09/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A
C:\WINDOWS\system32\scecli.dll ------ 180224 bytes [21:00 09/08/2004] [21:00 09/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A

Searching for "netlogon.dll"
C:\WINDOWS\SoftwareDistribution\Download\555558d2c7916b118ad5baef62b18136\sp2qfe\netlogon.dll --a--- 408064 bytes [18:46 06/02/2009] [18:46 06/02/2009] 6C476D33D82F1054849790181E8F7772
C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\netlogon.dll --a--- 407040 bytes [12:58 27/08/2008] [00:12 14/04/2008] 1B7F071C51B77C272875C3A23E1E4550
C:\WINDOWS\system32\dllcache\netlogon.dll ------ 407040 bytes [21:00 09/08/2004] [21:00 09/08/2004] 96353FCECBA774BB8DA74A1C6507015A
C:\WINDOWS\system32\netlogon.dll ------ 407040 bytes [21:00 09/08/2004] [21:00 09/08/2004] 96353FCECBA774BB8DA74A1C6507015A

Searching for "eventlog.dll"
C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\eventlog.dll --a--- 56320 bytes [12:57 27/08/2008] [00:11 14/04/2008] 6D4FEB43EE538FC5428CC7F0565AA656
C:\WINDOWS\system32\dllcache\eventlog.dll ------ 55808 bytes [21:00 09/08/2004] [21:00 09/08/2004] 82B24CB70E5944E6E34662205A2A5B78
C:\WINDOWS\system32\eventlog.dll --a--- 61952 bytes [21:00 09/08/2004] [21:00 09/08/2004] (Unable to calculate MD5)

-=End Of File=-
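
The log above is read by eye for a live system32 file that no longer matches the reference copy Windows keeps in dllcache. As an added example, not part of the thread or of SystemLook, here is that same comparison in Python, run over the filefind output posted above (the log text is copied from this post):

```python
"""Check SystemLook ':filefind' results for a replaced system DLL.

Added example, not part of the original thread or of SystemLook. SAMPLE_LOG
is the filefind output posted in the thread. Windows keeps a reference copy
of each protected DLL under system32\\dllcache (and ServicePackFiles\\i386);
the live copy in system32 should match it in size and MD5. A size that
differs, or an MD5 SystemLook could not compute, is what made eventlog.dll
stand out in this log while scecli.dll looked clean.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
SystemLook v1.0 by jpshortstuff (29.08.09)
========== filefind ==========

Searching for "scecli.dll"
C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\scecli.dll --a--- 181248 bytes [12:58 27/08/2008] [00:12 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084
C:\WINDOWS\system32\dllcache\scecli.dll ------ 180224 bytes [21:00 09/08/2004] [21:00 09/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A
C:\WINDOWS\system32\scecli.dll ------ 180224 bytes [21:00 09/08/2004] [21:00 09/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A

Searching for "eventlog.dll"
C:\WINDOWS\SoftwareDistribution\Download\cf8ec753e88561d2ddb53e183dc05c3e\eventlog.dll --a--- 56320 bytes [12:57 27/08/2008] [00:11 14/04/2008] 6D4FEB43EE538FC5428CC7F0565AA656
C:\WINDOWS\system32\dllcache\eventlog.dll ------ 55808 bytes [21:00 09/08/2004] [21:00 09/08/2004] 82B24CB70E5944E6E34662205A2A5B78
C:\WINDOWS\system32\eventlog.dll --a--- 61952 bytes [21:00 09/08/2004] [21:00 09/08/2004] (Unable to calculate MD5)

-=End Of File=-
"""

# One filefind hit: <path> <attrs> <size> bytes [modified] [created] <MD5 | note>
HIT_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+(?P<attrs>[-A-Za-z]{6})\s+(?P<size>\d+) bytes"
    r"\s+\[(?P<mtime>[^\]]+)\]\s+\[(?P<ctime>[^\]]+)\]\s+(?P<md5>.+)$"
)
SEARCH_RE = re.compile(r'^Searching for "(.+)"$')
# The live copy sits directly in system32; reference copies sit one level below it.
LIVE_RE = re.compile(r"\\system32\\[^\\]+$", re.I)
REF_RE = re.compile(r"\\(dllcache|ServicePackFiles\\i386)\\", re.I)


def parse_filefind(log):
    """Return {searched name: [hit dicts]} from a SystemLook filefind log."""
    hits = defaultdict(list)
    current = None
    for raw in log.splitlines():
        line = raw.strip()
        m = SEARCH_RE.match(line)
        if m:
            current = m.group(1).lower()
            continue
        m = HIT_RE.match(line) if current else None
        if m:
            hit = m.groupdict()
            hit["size"] = int(hit["size"])
            # "(Unable to calculate MD5)" and similar notes are not hashes
            hit["md5"] = None if hit["md5"].startswith("(") else hit["md5"].upper()
            hits[current].append(hit)
    return dict(hits)


def find_tampered(hits):
    """Flag live system32 copies that disagree with their reference copies."""
    findings = []
    for entries in hits.values():
        refs = [h for h in entries if REF_RE.search(h["path"])]
        for live in (h for h in entries if LIVE_RE.search(h["path"])):
            if live["md5"] is None:
                findings.append(f"{live['path']}: MD5 could not be calculated (file locked or unreadable)")
            for ref in refs:
                if live["size"] != ref["size"]:
                    findings.append(f"{live['path']}: {live['size']} bytes, reference {ref['path']} is {ref['size']} bytes")
                elif live["md5"] and ref["md5"] and live["md5"] != ref["md5"]:
                    findings.append(f"{live['path']}: MD5 differs from reference {ref['path']}")
    return findings


if __name__ == "__main__":
    for finding in find_tampered(parse_filefind(SAMPLE_LOG)) or ["no discrepancies found"]:
        print(finding)
```

The SoftwareDistribution\Download copies are ignored on purpose: they are newer update payloads, not the baseline the live file is expected to match.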

Re: Need Help With Windows Police Pro

Hi

Just follow directions from me. If I think you will need to go into Safe Mode, I will say. If we have to use Malwarebytes or other tools, they work best in Normal Mode, not Safe Mode.

However, if you cannot boot into Normal Mode, or objects don't work (such as programs and the Internet), then we will go into Safe Mode.

==

1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl C):


Files to delete:
C:\WINDOWS\system32\eventlog.dll


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:
  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.

Re: Need Help With Windows Police Pro

Things appear to have gone from bad to worse on my end.

I downloaded Avenger and put it on my flash drive, then put it on my computer in normal mode as you said. Here's where I encountered two problems--first, the virus is calling itself "Total Security" now instead of "Windows Police Pro", and second it kills any attempt to open a .exe and claims it's a virus. I was unable to either unzip or run Avenger in normal mode, so I had to do both in Safe Mode. When it asked me to reboot, however, I was sure to let it do so into normal mode. Then my computer rebooted twice--once when Avenger prompted me, and again when it was trying to start explorer (when it's that light blue background with the windows icon on it). I don't know if this is normal for Avenger, but I'm mentioning it anyway.

Here's where things get much worse. The Avenger text file showed up in all its glory for about ten seconds, before three things happened: it went away, Total Security started up again, and I got a bizarre message box saying that Windows could not locate the disk located in drive ?????????????????????_??? etc. etc., and asked if I should abort, retry, or ignore. The My Computer icon wouldn't load things properly in this state, so I couldn't reach C:\Avenger.

Thoroughly disheartened, I fell back to Safe Mode, where things are still working, I'm relieved to say. I could reach C:\Avenger, but the .txt wasn't there. The backup was, however, and it contained Avenger.txt as well as eventlog.dll, but the blasted thing is password protected for some reason so I can't actually open Avenger.txt to show you. I put the backup on my flash drive and brought it here, so if you can tell me the password I can open it up, or I can send the backup to you in some way. Or we can just try something else, it's your call.

To summarize, for all the things I did I have nothing to show you for it. Sorry.

Re: Need Help With Windows Police Pro

Hi

Please re-run SystemLook, paste the code into the box and press Look:

Code:

:Filefind
C:\WINDOWS\system32\eventlog.dll
c:\windows\ServicePackFiles\i386\eventlog.dll


Post that log in your next reply.

==
!! NOTE: THIS INSTRUCTION IS FOR GreenOnions only. Do not follow it if you are not this user. !!

Please download Malwarebytes Anti-Malware from here. Save to the Desktop, and RENAME to iexplore.exe, then click the Save button.

Double Click iexplore.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Re: Need Help With Windows Police Pro

Wow, two fast replies! Thanks, guys. I'll try Combofix and then SystemLook/Malwarebytes.

Question: I already have Malwarebytes on my computer, only it doesn't run because of the "appropriate permissions" thing. Should I try to delete the old one first with Add/Remove programs, should I download the new Malwarebytes and just save it over the old Malwarebytes, or should I save the new program into a different folder?

Re: Need Help With Windows Police Pro

Hi

Uninstall the old Malwarebytes and install the new one as noted above, please. Malware is blocking Malwarebytes from running so it has to be renamed.

Re: Need Help With Windows Police Pro

OKAY. Finally got back after wrestling with this for a while.

First off, I couldn't follow those instructions to use Combofix (which is just as well, since that suggestion seems to have been removed). AVG wouldn't run in normal mode, I couldn't deactivate resident shield in safe mode, and attempting to run Combofix anyway gave me a prompt along the lines of "AVG is running and you could cause major system damage if you run Combofix while that's true". So, no Combofix.

I DID, however, run systemlook and reinstall malwarebytes as iexplore.exe. Here're systemlook's results:


SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 15:03 on 12/09/2009 by HP_Administrator (Administrator - Elevation successful)

========== Filefind ==========

Searching for "C:\WINDOWS\system32\eventlog.dll"
No files found.

Searching for "c:\windows\ServicePackFiles\i386\eventlog.dll"
No files found.

-=End Of File=-


Once I got Malwarebytes running in safe mode (normal mode wouldn't let me do ANYTHING), it managed to do a full scan and found a TON of infections, seen here.


Malwarebytes' Anti-Malware 1.41
Database version: 2785
Windows 5.1.2600 Service Pack 2 (Safe Mode)

9/12/2009 4:08:15 PM
mbam-log-2009-09-12 (16-08-15).txt

Scan type: Full Scan (C:\|)
Objects scanned: 295821
Time elapsed: 52 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 14
Registry Values Infected: 12
Registry Data Items Infected: 10
Folders Infected: 5
Files Infected: 80

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\bisevona.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\tajf83ikdmf.dll (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\system32\sumopuwu.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{bf56a325-23f2-42ad-f4e4-00aac39caa53} (Trojan.Zlob.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{024ccf01-f871-455e-94b8-1d465b090847} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1b6f4516-ea24-430f-8767-29aef2db712e} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bf56a325-23f2-42ad-f4e4-00aac39caa53} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bf56a325-23f2-42ad-f4e4-00aac39caa53} (Trojan.Downloader) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{76dc0b63-1533-4ba9-8be8-d59eb676fa02} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\usbdriver (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\usbdriver (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\usbdriver (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbdriver (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Win Police Pro (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_ANTIPPRO2009_100 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AntipPro2009_100 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yabizuner (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{bf56a325-23f2-42ad-f4e4-00aac39caa53} (Trojan.Zlob.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\11245154 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{024ccf01-f871-455e-94b8-1d465b090847} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\kibahiwif (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{1b6f4516-ea24-430f-8767-29aef2db712e} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\vuhikamog (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\poprock (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdate.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gevodimoye (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sunjavaupdatesched (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\All Users\Application Data\11245154 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\13535004 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.

Files Infected:
c:\WINDOWS\system32\bisevona.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\tajf83ikdmf.dll (Trojan.Zlob.H) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\11245154\11245154 (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\11245154\11245154.exe (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\11245154\pc11245154ins (Rogue.Multiple.H) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\a.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dddesot.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\lriaxaso.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\4XMJSHUV\firewall[1].dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\KHIJSLQ3\SetupAdvancedVirusRemover[1].exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\windows Police Pro.exe (Antivirus2009) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\dbsinit.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\AVR09.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jagepeyu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jeyiniyo.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\korumore.exe (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nevorefa.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nudeleze.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\olgdjlba.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tapi.nfo (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\toronitu.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACrvkklvdtlk.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACwkkylmhote.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winhelper.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wisahiri.exe (Rogue.SystemSecurity) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wscsvc32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\1968292036.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\7D8.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\Installer.exe (Rogue.ProtectionSystem) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\services.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\smss.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\UACed47.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\ueja73hkjd.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\winlogon.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\13535004\13535004 (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\msvcm80.dll (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\msvcp80.dll (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\msvcr80.dll (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\wispex.html (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\i1.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\i2.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\i3.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\j1.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\j2.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\j3.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\jj1.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\jj2.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\jj3.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\l1.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\l2.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\l3.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\pix.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\t1.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\t2.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\up1.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\up2.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\w1.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\w11.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\w2.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\w3.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\w3.jpg (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\wt1.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\wt2.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\Program Files\Windows Police Pro\tmp\images\wt3.gif (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bennuar.old (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\onhelp.htm (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sonhelp.htm (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sumopuwu.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\sysnet.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACmnlcsmpeho.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACtxejpaumul.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\UACwpbmjnwbng.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\winupdate.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\ppp3.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\ppp4.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\HP_Administrator\Desktop\winlogon.scr (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.


After that, I was able to run my computer in normal mode without getting assailed by Total Security or having my .exe files killed. Task Manager's back up, too.

Just to be thorough, I ran another Malwarebytes scan in normal mode and found 19 results:


Malwarebytes' Anti-Malware 1.41
Database version: 2785
Windows 5.1.2600 Service Pack 2

9/12/2009 5:08:08 PM
mbam-log-2009-09-12 (17-08-08).txt

Scan type: Full Scan (C:\|)
Objects scanned: 297790
Time elapsed: 53 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 4
Registry Values Infected: 6
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\bisevona.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\tajf83ikdmf.dll (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\system32\sumopuwu.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{bf56a325-23f2-42ad-f4e4-00aac39caa53} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{024ccf01-f871-455e-94b8-1d465b090847} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{bf56a325-23f2-42ad-f4e4-00aac39caa53} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bf56a325-23f2-42ad-f4e4-00aac39caa53} (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yabizuner (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{bf56a325-23f2-42ad-f4e4-00aac39caa53} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{024ccf01-f871-455e-94b8-1d465b090847} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\kibahiwif (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\idstrf (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gevodimoye (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wuauserv\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemroot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\bisevona.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\tajf83ikdmf.dll (Trojan.Zlob.H) -> Delete on reboot.
C:\WINDOWS\system32\sumopuwu.dll (Trojan.Vundo) -> Delete on reboot.


Problem is, every time I scan, bisevona.dll, tajf83ikdmf.dll, and sumopuwu.dll survive the reboot deletion (though sumopuwu.dll didn't show up the last time I scanned), and bring with them a small entourage of malware:


Malwarebytes' Anti-Malware 1.41
Database version: 2785
Windows 5.1.2600 Service Pack 2

9/12/2009 5:18:06 PM
mbam-log-2009-09-12 (17-18-06).txt

Scan type: Full Scan (C:\|)
Objects scanned: 23844
Time elapsed: 1 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 3
Registry Values Infected: 4
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\bisevona.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\tajf83ikdmf.dll (Trojan.Downloader) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{bf56a325-23f2-42ad-f4e4-00aac39caa53} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{024ccf01-f871-455e-94b8-1d465b090847} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{bf56a325-23f2-42ad-f4e4-00aac39caa53} (Trojan.Downloader) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\yabizuner (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{bf56a325-23f2-42ad-f4e4-00aac39caa53} (Trojan.Zlob.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{024ccf01-f871-455e-94b8-1d465b090847} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\kibahiwif (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\bisevona.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\tajf83ikdmf.dll (Trojan.Zlob.H) -> Delete on reboot.


Normal mode is working again though, so I'm fairly excited. I'm grateful for all the help, and I eagerly await the next step you suggest.
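The two logs above share one format, and the question they raise is which "Delete on reboot" items actually came back. The following is an added example (not part of the thread, and not Malwarebytes' own code) that parses that log format, reports items scheduled for reboot deletion that are still present, and extracts the Bad/Good pairs from "Registry Data Items" such as the mangled `%fystemRoot%` service path. The embedded log excerpt is constructed from the lines quoted above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple
# Constructed excerpt in the format of the Malwarebytes logs quoted above (not the poster's file).
SAMPLE_LOG = r"""Files Infected:
c:\WINDOWS\system32\bisevona.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\tajf83ikdmf.dll (Trojan.Zlob.H) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\BITS\ImagePath (Hijack.WindowsUpdates) -> Bad: (%fystemRoot%\system32\svchost.exe -k netsvcs) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
"""

ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[^()]+)\) -> (?P<rest>.+)$")
DATA_RE = re.compile(r"^Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> (?P<action>.+)$")

@dataclass
class Entry:
    section: str      # e.g. "Files", "Registry Data Items"
    item: str         # file path or registry value path
    detection: str    # MBAM detection name, e.g. Trojan.Vundo.H
    action: str       # e.g. "Delete on reboot"
    bad: Optional[str] = None   # only set for Registry Data Items
    good: Optional[str] = None

def parse_mbam_log(text: str) -> List[Entry]:
    """Walk the '<Section> Infected:' blocks and parse each detection line."""
    entries, section = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.endswith(" Infected:"):          # block header (summary lines end in a count, not ':')
            section = line[: -len(" Infected:")]
            continue
        m = ITEM_RE.match(line) if section else None
        if not m:
            continue                             # blank line or "(No malicious items detected)"
        d = DATA_RE.match(m["rest"])
        if d:   # registry data item: the bad value MBAM found and the good one it restored
            entries.append(Entry(section, m["item"], m["detection"], d["action"].rstrip("."), d["bad"], d["good"]))
        else:
            entries.append(Entry(section, m["item"], m["detection"], m["rest"].rstrip(".")))
    return entries

def reboot_survivors(entries: List[Entry], present: Set[str]) -> List[str]:
    """Items scheduled for 'Delete on reboot' that still exist afterwards (paths compared case-insensitively)."""
    have = {p.casefold() for p in present}
    return [e.item for e in entries if e.action == "Delete on reboot" and e.item.casefold() in have]

def tampered_values(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """Registry data whose bad value differs from the good one beyond letter case (e.g. %fystemRoot%)."""
    return [(e.item, e.bad, e.good) for e in entries if e.bad is not None and e.bad.casefold() != e.good.casefold()]
```

On a live machine, `present` would be built from a directory listing taken after the reboot; here it is supplied by hand.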

Re: Need Help With Windows Police Pro
Also, while I'm here, I have a few questions to ask that have been nagging me.

There are a bunch of new folders that have shown up in C:\ that I'd like to know if I should/shouldn't get rid of.

C:\1aa9a6127fb447cef54cbc (I've had this a while, I looked it up and it's supposedly just shoddy cleanup from a windows update. I'd like to know if I can delete it, though.)

C:\32788R22FWJFW (This folder is about 6 megs big and chock full of odd files and folders, it was made today so I'm kind of distrusting of it)

C:\Avenger (once this whole thing's settled, I can delete this, right?)

C:\Qoobox (has a single empty folder in it called "quarantine")


There are also some miscellaneous files here:

C:\Avenger.txt (I can see it now!)

C:\Bug.txt (no idea what this is)

C:\Cleanup.bat (no idea what program this is for, it was made today)

C:\Cleanup.exe (ditto)

C:\zip.exe (also made today, also don't know what it's for)


Thanks again for all the help.

Re: Need Help With Windows Police Pro
Hi

Sorry about the deletion of the ComboFix instructions. After ComboFix runs, and I can see the files, then I will decide if those files are deletable. Smile...

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.**


  1. If you are using Firefox, make sure that your download settings are as follows:

    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".

  • During the download, rename Combofix to Combo-Fix as follows:

    [Screenshot: CF_download_FF]

    [Screenshot: CF_download_rename]

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    -----------------------------------------------------------


    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      -----------------------------------------------------------



    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------


  • Double-click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt" along with a new HijackThis log for further review.

  • **Note: Do not mouse-click Combo-Fix's window while it's running. That may cause it to stall.**

    If you still cannot get this to run, try booting into Safe Mode, and run it there.

    To boot into Safe Mode, tap F8 after BIOS, and just before the Windows
    logo appears. A list of options will appear, select "Safe Mode."

    If this doesn't work either, try the same method as above, but rename
    Combofix.exe to iexplore.exe instead, or winlogon.exe.
    This is because in some cases malware blocks EVERY process except those on its own whitelist, and that whitelist includes important system processes such as iexplore.exe, explorer.exe and winlogon.exe.

Re: Need Help With Windows Police Pro

Okay, I'll give this a try. Is it okay if I put Combo-Fix on my flash drive, then move it to my computer from there? I'll follow all the renaming instructions to the letter, just to my flash drive first instead of directly to my desktop.

Also, will I need to do any fancy renaming to HijackThis, or should it run normally now?

Re: Need Help With Windows Police Pro

Hi

HijackThis will not be able to handle the remaining infections. And yes, go ahead with the movement of ComboFix. ComboFix will still run once transferred. :smile2:

Re: Need Help With Windows Police Pro

ComboFix is giving me some trouble. When I try to run it, a progress bar appears over the Combo-Fix icon on my desktop and fills up. Then my desktop icons flicker a couple of times, the progress bar goes away, and nothing happens. I even checked the Task Manager; nothing ComboFix-ish seems to be running.

It started to run yesterday when I tried it before Malwarebytes was up and running again, but as I said it warned me about AVG, which I couldn't turn off, so I didn't run it. Now AVG's active scanner is off, but ComboFix won't run. I renamed it as you told me to (Combo-Fix, that punctuation and capitalization), but is there anything else I could have done wrong?

Re: Need Help With Windows Police Pro

Hi

I am going to paste here a download link for eventlog.dll:
http://rapidshare.com/files/279594809/eventlog.dll.html

Please download it to your Desktop. Then, right-click on it and click Cut, then paste it into the following folder: C:\Windows\System32

Please reboot your system, and try ComboFix again. If it does not work, delete the old ComboFix and download another copy, except when saving the file, rename it to WinInit.com and then click the Save button. Run it as noted above, please.

In your next reply, please include the ComboFix log, or tell me if you encountered any problems.
