GeekPolice

Windows Police Pro
Please Help!

I am on a friend's computer right now - as mine has been infected with Windows Police Pro. I cannot get a browser to work (so I can't download a fix). I can't get the Task Manager to work (Police Pro blocks it), and I can't run any .exe files as Police Pro has changed the extension and now they will not run.

I am using Windows XP Pro

What can I do to get my computer to work again?

Thank you for any help you might offer!

Re: Windows Police Pro
Hello.
Can you use another machine to download files from and transport them via USB?

Re: Windows Police Pro
Belahzur wrote:
Hello.
Can you use another machine to download files from and transport them via USB?


I do have one that I think I can use. I just need to know what to do.

Re: Windows Police Pro
bump

Re: Windows Police Pro
Please download the current version of HijackThis from HERE

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.

Re: Windows Police Pro
Belahzur wrote:
Please download the current version of HijackThis from HERE

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.



I downloaded to a flash drive and tried to install it on the infected PC - it will not run as Windows Police Pro blocks all *.exe files - what now?

Re: Windows Police Pro
Hello.
Do you get any errors that mention permission denied? Or desot.exe? Let me know.

Re: Windows Police Pro
Belahzur wrote:
Hello.
Do you get any errors that mention permission denied? Or desot.exe? Let me know.


The error I receive says:

Error: C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

That's all it says and it will not run.

Re: Windows Police Pro
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    Code:


    :filefind
    scecli.dll
    netlogon.dll
    eventlog.dll
    cngaudit.dll


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Re: Windows Police Pro
Belahzur wrote:
Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    Code:


    :filefind
    scecli.dll
    netlogon.dll
    eventlog.dll
    cngaudit.dll


  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt



Here is the content of that log file:

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 19:37 on 11/09/2009 by Administrator (Administrator - Elevation successful)

========== filefind ==========

Searching for "scecli.dll"
C:\WINDOWS\system32\dllcache\scecli.dll --a--c 180224 bytes [23:56 03/08/2004] [23:56 03/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A
C:\WINDOWS\system32\scecli.dll --a--- 180224 bytes [23:56 03/08/2004] [23:56 03/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A

Searching for "netlogon.dll"
C:\WINDOWS\system32\dllcache\netlogon.dll --a--c 407040 bytes [23:56 03/08/2004] [23:56 03/08/2004] 96353FCECBA774BB8DA74A1C6507015A
C:\WINDOWS\system32\netlogon.dll --a--- 407040 bytes [23:56 03/08/2004] [23:56 03/08/2004] 96353FCECBA774BB8DA74A1C6507015A

Searching for "eventlog.dll"
C:\WINDOWS\system32\dllcache\eventlog.dll --a--c 55808 bytes [23:56 03/08/2004] [23:56 03/08/2004] 82B24CB70E5944E6E34662205A2A5B78
C:\WINDOWS\system32\eventlog.dll --a--- 62464 bytes [23:56 03/08/2004] [23:56 03/08/2004] (Unable to calculate MD5)

Searching for "cngaudit.dll"
No files found.

-=End Of File=-
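
An added example, not part of the original thread or of SystemLook: a small parser for the `filefind` section of a log like the one above that compares each file with its copy under `dllcache` and reports differences in size or MD5. Using the `dllcache` copy as the reference is an assumption made for this example (the helpers do not state how they read the log), and the function names are hypothetical.

```python
import re
from collections import defaultdict
from ntpath import basename  # Windows path rules on any OS

# Two searches copied from the SystemLook log posted in this thread.
SAMPLE = r"""
Searching for "scecli.dll"
C:\WINDOWS\system32\dllcache\scecli.dll --a--c 180224 bytes [23:56 03/08/2004] [23:56 03/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A
C:\WINDOWS\system32\scecli.dll --a--- 180224 bytes [23:56 03/08/2004] [23:56 03/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A
Searching for "eventlog.dll"
C:\WINDOWS\system32\dllcache\eventlog.dll --a--c 55808 bytes [23:56 03/08/2004] [23:56 03/08/2004] 82B24CB70E5944E6E34662205A2A5B78
C:\WINDOWS\system32\eventlog.dll --a--- 62464 bytes [23:56 03/08/2004] [23:56 03/08/2004] (Unable to calculate MD5)
"""

ENTRY = re.compile(r"^(?P<path>[A-Za-z]:\\.+?)\s+[-a-z]{6}\s+(?P<size>\d+) bytes"
                   r"\s+\[[^\]]*\]\s+\[[^\]]*\]\s+(?P<md5>\S.*)$")
HEX_MD5 = re.compile(r"[0-9A-Fa-f]{32}")

def parse_filefind(log):
    """Return a dict (path, size, md5-or-None) for each file line in the log."""
    entries = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:  # skips headers, "Searching for ..." and "No files found."
            md5 = m["md5"].strip()
            entries.append({"path": m["path"], "size": int(m["size"]),
                            "md5": md5.upper() if HEX_MD5.fullmatch(md5) else None})
    return entries

def flag_mismatches(entries):
    """List (path, reasons) for copies that differ from their dllcache sibling."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[basename(e["path"]).lower()].append(e)
    findings = []
    for copies in by_name.values():
        cached = [c for c in copies if "\\dllcache\\" in c["path"].lower()]
        for c in (c for c in copies if cached and c not in cached):
            ref, reasons = cached[0], []
            if c["size"] != ref["size"]:
                reasons.append(f"size {c['size']} != dllcache {ref['size']}")
            if c["md5"] is None:
                reasons.append("MD5 unavailable")
            elif ref["md5"] and c["md5"] != ref["md5"]:
                reasons.append("MD5 differs from dllcache")
            if reasons:
                findings.append((c["path"], reasons))
    return findings

if __name__ == "__main__":
    for path, reasons in flag_mismatches(parse_filefind(SAMPLE)):
        print(path, "->", "; ".join(reasons))
```

A reported mismatch is a lead for closer inspection of that file rather than a verdict on it.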

Re: Windows Police Pro
1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Files to delete:
C:\WINDOWS\system32\eventlog.dll


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.

Re: Windows Police Pro
Origin wrote:
1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Files to delete:
C:\WINDOWS\system32\eventlog.dll


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.


Here is the content of the avenger.txt file:

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\eventlog.dll" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Re: Windows Police Pro
Download this version of HijackThis from here:
http://www.sendspace.com/pro/dl/932rpd

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\winlogon.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.

Re: Windows Police Pro
Origin wrote:
Download this version of HijackThis from here:
http://www.sendspace.com/pro/dl/932rpd

  • Double click and run the installer.
  • It will install to C:\Program Files\Trend Micro\HijackThis\winlogon.exe
  • After installing, you should get the user agreement, press accept and Hijack This will run.
  • Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.


OK, I tried to run this and I get what looks like a cmd window that pops up real quick ("desote.exe") and then it goes away, and the winlogon.exe will not run.

Re: Windows Police Pro
Please delete this file in red:
C:\Windows\system32\desote.exe

Next, download this file.

Download it to your Desktop.
Double click it to run it; select yes to the registry merge prompt.

Can you run Hijack This now?

Re: Windows Police Pro
Belahzur wrote:
Please delete this file in red:
C:\Windows\system32\desote.exe

Next, download this file.

Download it to your Desktop.
Double click it to run it; select yes to the registry merge prompt.

Can you run Hijack This now?


I was able to delete the "desote.exe" file - but when I double click on the ExeErrorFix file I receive the following error:

"Registry editing has been disabled by your administrator." And it will not work.

Re: Windows Police Pro

  • Now open a new notepad file.
  • Input this into the notepad file:

    [Version]
    Signature=$CHICAGO$

    [DefaultInstall]
    AddReg=Add.Settings

    [Add.Settings]
    HKCU,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,DisableRegistryTools,0x00000000


  • Save this as fixreg.inf, save it to your desktop.
  • Right click fixreg.inf and select install.

Can you re-run the .reg file now and see if you still get that error.

Re: Windows Police Pro
Belahzur wrote:

  • Now open a new notepad file.
  • Input this into the notepad file:

    [Version]
    Signature=$CHICAGO$

    [DefaultInstall]
    AddReg=Add.Settings

    [Add.Settings]
    HKCU,SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System,DisableRegistryTools,0x00000000


  • Save this as fixreg.inf, save it to your desktop.
  • Right click fixreg.inf and select install.

Can you re-run the .reg file now and see if you still get that error.


Was not able to do the last instruction given, as now I cannot even get to my desktop at all anymore... I receive many errors while starting pc up.... lsass.exe - Application Error - "memory could not be read" Click on OK to terminate program. Click on CANCEL to debug the program.

services.exe - Application Error - "memory could not be read" Click on OK to terminate program. Click on CANCEL to debug the program.

SAS window: winlogon.exe - "memory could not be read" Click on OK to terminate program. Click on CANCEL to debug the program.

winlogin.exe - - "memory could not be read" Click on OK to terminate program. Click on CANCEL to debug the program.

After clicking on OK to all of the above... I get a blue screen Fatal Error and PC restarts over and over again.

Re: Windows Police Pro
Hello. Looks like there is another infection hiding, possibly a file infector.

I would advise a format right now, many system files are damaged and can't be repaired.
See here:
http://miekiemoes.blogspot.com/2009/02/virut-and-other-file-infectors-throwing.html

Instructions how to format and reinstall Windows can be found Here
