Jump to content

Windows Police Pro

Recommended Posts

Hello everyone,

I woke up to the big monstrosity that is Windows Police Pro. I kind of messed around to be honest, manually deleted the files after googling the symptom (yes, and I did make sure that I deleted the correct files). Finally, I stumbled across these guys http://www.myantispyware.com/2009/08/31 ... tructions/

After deleting desote.exe, I fixed the .exe files as the site instructed. Everything is working, except for the anti-malware applications. I cannot open Malwarebytes, and when I reinstall it, it crashes about 3 seconds after I start up a Quick Scan, the same goes for SpyBot: Search and Destroy. ComboFix does not do anything after it prompts me to disable my anti-virus software.

And since you guys need to know what's going on, I have a win32kdiag.exe txt. It seems rather suspicious though.

Log file is located at: D:\Documents and Settings\Administrator\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'D:\WINDOWS'...

Found mount point : D:\WINDOWS\addins\addins

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP391.tmp\ZAP391.tmp

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3AC.tmp\ZAP3AC.tmp

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\assembly\tmp\tmp

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\ime\chsime\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\ime\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\ime\imejp\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\ime\imejp98\imejp98

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\ime\imjp8_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\ime\imkr6_1\applets\applets

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\ime\imkr6_1\dicts\dicts

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\ime\shared\res\res

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\Installer\$PatchCache$\Managed\00002109411090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\Installer\$PatchCache$\Managed\00002109440090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\Installer\$PatchCache$\Managed\00002109511090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\Installer\$PatchCache$\Managed\00002109711090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\Installer\$PatchCache$\Managed\00002109910090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\Installer\$PatchCache$\Managed\00002109B10090400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100A0C00000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\Installer\$PatchCache$\Managed\00002109F100C0400000000000F01FEC\12.0.4518\12.0.4518

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\Installer\$PatchCache$\Managed\0DC1503A46F231838AD88BCDDC8E8F7C\3.2.30729\3.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\Installer\$PatchCache$\Managed\DC3BF90CC0D3D2F398A9A6D1762F70F3\2.2.30729\2.2.30729

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\java\classes\classes

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\java\trustlib\trustlib

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files\Temporary ASP.NET Files

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\msapps\msinfo\msinfo

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\pchealth\ERRORREP\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\pchealth\ERRORREP\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\pchealth\ERRORREP\UserDumps\UserDumps

Mount point destination : \Device\__max++>\^

Found mount point : D:\WINDOWS\pchealth\helpctr\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Cannot access: D:\WINDOWS\pchealth\helpctr\binaries\HelpSvc.exe

[1] 2004-08-04 01:56:52 743936 D:\WINDOWS\pchealth\helpctr\binaries\HelpSvc.exe ()

And here is the HijackThis log

Logfile of HijackThis v1.98.2

Scan saved at 2:18:31 PM, on 9/6/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Running processes:











D:\Program Files\AVG\AVG8\avgrsx.exe





D:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe


D:\Program Files\Bonjour\mDNSResponder.exe

D:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe


D:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


D:\Program Files\Analog Devices\SoundMAX\SMTray.exe

D:\Program Files\D-Tools\daemon.exe


D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

D:\Program Files\Razer\razerhid.exe

D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

D:\Program Files\Support.com\bin\tgcmd.exe

D:\Program Files\QuickTime\QTTask.exe

D:\Program Files\iTunes\iTunesHelper.exe

D:\Program Files\ATI Multimedia\main\ATIDtct.EXE

D:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe

D:\Program Files\Razer\razerofa.exe

D:\Program Files\Windows Live\Messenger\MsnMsgr.Exe

D:\Program Files\Common Files\DataViz\DvzIncMsgr.exe

D:\Program Files\Olympus\DeviceDetector\DevDtct2.exe


D:\Program Files\palmOne\Hotsync.exe

D:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

D:\Program Files\VIA\RAID\raid_tool.exe


D:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\\GoogleCrashHandler.exe

D:\Program Files\iPod\bin\iPodService.exe



D:\Program Files\Mozilla Firefox\firefox.exe




E:\Titan Utilities\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi ... .yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast

R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - D:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

F2 - REG:system.ini: Shell=Explorer.exe rundll32.exe tapi.nfo beforeglav

F2 - REG:system.ini: UserInit=D:\WINDOWS\system32\userinit.exe,D:\WINDOWS\system32\sdra64.exe,

O1 - Hosts: ::1 localhost

O1 - Hosts: osawarepro.microsoft.com

O1 - Hosts: osawarepro.com

O1 - Hosts: www.osawarepro.com

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - D:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - D:\PROGRA~1\COMCAS~1\COMCAS~1.DLL

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll

O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - D:\PROGRA~1\COMCAS~1\COMCAS~1.DLL

O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - D:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

O4 - HKLM\..\Run: [smapp] D:\Program Files\Analog Devices\SoundMAX\SMTray.exe

O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe

O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program Files\D-Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [sunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe

O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

O4 - HKLM\..\Run: [razer] D:\Program Files\Razer\razerhid.exe

O4 - HKLM\..\Run: [GrooveMonitor] "D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [tgcmd] D:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf

O4 - HKLM\..\Run: [startCCC] D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

O4 - HKLM\..\Run: [AVG8_TRAY] D:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [Windows Defender] "D:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKCU\..\Run: [steam] "d:\program files\valve\steam\steam.exe" -silent

O4 - HKCU\..\Run: [skype] "D:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [ATI Launchpad] "D:\Program Files\ATI Multimedia\main\launchpd.exe"

O4 - HKCU\..\Run: [ATI DeviceDetect] D:\Program Files\ATI Multimedia\main\ATIDtct.EXE

O4 - HKCU\..\Run: [ATI Remote Control] D:\Program Files\ATI Multimedia\RemCtrl\ATIRW.exe

O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1

O4 - HKCU\..\Run: [igndlm.exe] D:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork

O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [Google Update] "D:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c

O4 - HKCU\..\Run: [Monopod] D:\WINDOWS\TEMP\b.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = D:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader\reader_sl.exe

O4 - Global Startup: DataViz Inc Messenger.lnk = D:\Program Files\Common Files\DataViz\DvzIncMsgr.exe

O4 - Global Startup: Device Detector 2.lnk = D:\Program Files\Olympus\DeviceDetector\DevDtct2.exe

O4 - Global Startup: HotSync Manager.lnk = D:\Program Files\palmOne\Hotsync.exe

O4 - Global Startup: hpoddt01.exe.lnk = ?

O4 - Global Startup: VIA RAID TOOL.lnk = D:\Program Files\VIA\RAID\raid_tool.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll

O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - D:\Program Files\ATI Multimedia\tv\EXPLBAR.DLL

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM\aim.exe

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: d:\program files\bonjour\mdnsnsp.dll

O11 - Options group: [iNTERNATIONAL] International

O14 - IERESET.INF: START_PAGE_URL=http://www.titancomp.com

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/ ... .6.108.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 3928992890

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - D:\Program Files\AVG\AVG8\avgpp.dll

O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - D:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - D:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL

O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - D:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL

O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - D:\WINDOWS\system32\WPDShServiceObj.dll

I would be greatly appreciative if someone can help me out. This thing just smacked me in the face like a bullet train and while I have removed most of the problem, I'm still going out in hives that this computer is still plagued. Please, help me out here!

P.S.: I also am unable to run Safe Mode because I get the blue screen of death everytime I run it. It seems that all the solutions I have googled have been blocked out; perhaps the virus is monitoring my every move?

Link to post
Share on other sites

UPDATE: (sorry, I don't know where the edit button is!)

I was able to get AVG completely off my computer, and therefore my anti-virus is disabled, but as with all anti-malware, Combo-Fix (which seems to be my only hope, also disappears after its first prompt).

Also, I was an idiot and tried removing some rootkits (which apparently were NOT recommended to remove) and now I can't even launch Malwarebytes anymore. I'm sorry for my impatience, but I am getting into a very desperate situation! Any help would be greatly appreciated!

Link to post
Share on other sites

  • Staff

Hi and welcome to Malwarebytes.

Please delete all copies of ComboFix that you have.

Please visit this webpage for instructions for running ComboFix:


However, before you download it, rename it to CrazedRaven.exe

Save it to your Desktop but do not run it yet.

Next, navigate to Start --> Run, and enter the following command exactly as shown:

"%userprofile%\desktop\CrazedRaven.exe" /killall

See if ComboFix will run now; if so, post its log.

If no joy, please run a GMER Rootkit scan:

Download GMER's application from here:


Unzip it and start the GMER.exe

Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.

This will copy the results to your clipboard.

Paste the results in your next reply.

Warning ! Please, do not select the "Show all" checkbox during the scan.


Link to post
Share on other sites

Hey there,

I'm terribly sorry, but I went into a major panic and messed with the registry to the point where the computer was no longer bootable. Thus, I had to wipe the drive.

Once again, my most profuse apologies for wasting your time (perhaps I should have been more patient with someone to help me rather than trying to take things in my own hands).

You wouldn't mind, however, if I were to stay on this forum and learn more about stopping this sort of thing from ever happening again, would you?

Link to post
Share on other sites

  • Staff

Thanks for letting me know.

You wouldn't mind, however, if I were to stay on this forum and learn more about stopping this sort of thing from ever happening again, would you?
I personally don't mind lol; stick around as long as you'd like.

Here is my standard prevention speech.

Now that your computer seems to be in proper working order, please take the following steps to help prevent reinfection:

1) It is vital that you have a firewall. The one that comes with Windows XP is not sufficient in that it only checks incoming data. I recommend selecting one of the following free firewalls. Be sure to only install one.




2) It is imperative that you have an antivirus. You are basically asking for infection without one. :rolleyes:

All of the following are excellent free antiviruses. Be sure to only install one.




3) Download and install Javacool's SpywareBlaster, which will prevent malware from being installed on your computer. A tutorial on it can be found here.

4) Download and install IE-Spyad, which will place over 5000 'bad' sites on your Internet Explorer Restricted List. A tutorial on it can be found here.

5) Make sure your programs are up to date! Older versions may contain security risks. To find out what programs need to be updated, please run Secunia's Software Inspector.

6) Go to Windows Update frequently to get all of the latest updates (security or otherwise) for Windows.

7) WOT, Web of Trust, warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:

  • Green to go
  • Yellow for caution
  • Red to stop

WOT has an addon available for both Firefox and IE.

8) Be sure to update your Antivirus and Antispyware programs often!

Finally, please also take the time to read Tony Klein's excellent article on: So How Did I Get Infected in the First Place?

Safe surfing,


Link to post
Share on other sites

  • 3 weeks later...
This topic is now closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.