
Infected with Windows Police Pro - MWAM exits after 2 seconds


bowler2005

A couple of days back my PC got infected with Windows Police Pro. I manually removed the Windows Police Pro folder and the associated svchasts.exe file. But the virus persists. When I run MWAM (renamed as mba.com) quick scan in safe mode, it scans for a second and the window vanishes. When I run the actual mwam.exe, it gives error messages saying I cannot access the file, specified path etc.

I ran win32Kdiag in safe mode and the log is attached.

When I try to run ComboFix.exe (renamed as svchosts.exe from flash drive), it detects Kaspersky and prompts to disable it. I am unable to disable it as I could not see kaspersky running in task mgr. Windows Police pro also made kaspersky not runnable. As I went ahead with combofix, it renames itself to combofix.exe and uninstalls itself after prompting "ComboFix Uninstalled". No log file is generated.

This problem is bugging me a lot and any help is deeply appreciated.

Win32kDiag.txt


Hi bowler,

I'll try to get your system cleaned up. Please delete your current copy of Combofix first.

NOTE: Any solutions posted in this topic are for the sole use of bowler and applying these same solutions to your own computer without guidance can result in an inoperable computer!

First, rerun Win32kDiag as follows in normal (not safe) mode:

Please save this file to your desktop.

Click on Start->Run, and copy-paste the following command (the bolded text) into the "Open" box, and click OK.

"%userprofile%\desktop\win32kdiag.exe" -f -r

When it's finished, there will be a log called Win32kDiag.txt on your desktop.

Please open it with notepad and post the contents here.

---

Download The Avenger by Swandog46:

http://swandog46.geekstogo.com/avenger2/download.php

  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to launch Avenger.
  • Click OK.
  • Make sure that the box next to "Scan for rootkits" is checked and that the box next to Automatically "Disable any rootkits found" is not checked.

Copy and Paste the text in the Code Box into the Avenger's "Input Script here" Box:

Files to move:
C:\WINDOWS\system32\logevent.dll | C:\WINDOWS\system32\dllcache\eventlog.dll
C:\i386\eventlog.dll | C:\WINDOWS\system32\eventlog.dll

  • Click the Execute button.
  • You will be prompted with "Are you sure you want to execute the current script?"
  • Click "Yes"
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click "Yes".
  • Your PC will reboot.
  • After your PC has completed the necessary reboot, a log should automatically open.
  • If the log does not automatically open, then it can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt)
  • Please post the Avenger log in your next reply.

Reboot

Next, download this Antirootkit Program to a folder that you create such as C:\ARK.

Disable the active protection component of your antivirus by following the directions that apply here:

http://www.bleepingcomputer.com/forums/topic114351.html

Next, please perform a Quick Rootkit Scan:

  • Double-click the randomly named EXE located in the C:\ARK folder that you just downloaded to run the program.
  • When the program opens, it will automatically initiate a very fast scan (quick scan) of common rootkit hiding places.
  • When the "quick" scan is finished (a few seconds), if the program alerts you of rootkit activity
    then select Copy, to copy the quick scan log to the Windows clipboard
  • Open Notepad or a similar text editor
  • Paste the clipboard contents into a text file by clicking Edit | Paste or Ctrl+V
  • Exit the Program (do not perform a complete scan)
  • Save the Scan log as ARKQuick.txt and post it in your next reply.

Please download Combofix from: HERE

Delete your current copy of Combofix!!

I want you to rename Combofix.exe as you download it to explorer.exe. Make sure you use this name!

Notes:

  • It is very important that you save the newly renamed EXE file to your desktop.
  • You must rename Combofix.exe as you download it and not after it is on your computer.
    You may have to modify your browser settings if you use Firefox, so you can rename Combofix.exe as you download it. To do that:
    • Open Firefox
    • Click Tools -> Options -> Main
    • Under the downloads section check the button that says "Always ask me where to save files".
    • Click OK

  • For Internet Explorer:

    • Choose to save, not open the file
    • When prompted - save the file to your desktop, and rename it anything with an .exe extension on the end.

Here is a tutorial that describes how to download, install and run Combofix more thoroughly. Please review it and follow the prompts to install Recovery Console - if you have not done that already (if your OS is Vista - then you don't need to install the recovery console):

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Very Important! Temporarily disable your antivirus and antimalware real-time protection and any script blocking components of them or your firewall before performing a scan. They can interfere with ComboFix and even remove onboard components so it is rendered ineffective:

http://www.bleepingcomputer.com/forums/topic114351.html

Also, disable your firewall!

You can enable the Windows firewall in the interim, until the scan is complete.

Note: The above tutorial does not tell you to rename Combofix as I have instructed you to do in the above instructions, so make sure you complete the renaming step before launching Combofix.

Running Combofix

In the event you already have Combofix, please delete it as this is a new version.

  • Close any open browsers.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

1. Double click on the renamed combofix.exe on your desktop (explorer.exe) & follow the prompts.

2. When finished, it will produce a logfile located at C:\ComboFix.txt

Note: if you have trouble running combofix as directed above launch it as follows:

Click start -> run, then copy and paste the following line into the Open box (include the quotes) and click OK.

"%userprofile%\desktop\explorer.exe" /killall

Please attach the new Win32kDiag.txt

Copy/paste the following logs into your reply (do NOT attach them):

C:\Avenger.txt, ARKQuick.txt, and C:\ComboFix.txt in your next reply.
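The Avenger script above moves copies of eventlog.dll between system32, dllcache and i386. Before moving system files it is worth recording whether those copies actually differ, since that is the evidence that the live DLL was patched and it tells you afterwards whether the replacement took. The following is an added example, not code from this thread or from Win32kDiag, Avenger or ComboFix: it hashes the three locations the script names (defaulting to the paths on the page) and gives a verdict. The demo function builds a constructed stand-in layout in a temporary directory with made-up file contents so it can be run anywhere.

```python
"""Integrity pre-check for the eventlog.dll copies named in the thread.

Added example, not code from the thread or from any of the tools it uses.
It hashes the three eventlog.dll locations that the Avenger script touches
and reports whether the live system32 copy matches the dllcache and i386
backups, so the evidence is recorded before any file is moved.
"""
import hashlib
import os
import tempfile
from typing import Dict, Optional

# The three locations from the thread's Avenger script (Windows XP layout).
DEFAULT_PATHS = {
    "live": r"C:\WINDOWS\system32\eventlog.dll",
    "dllcache": r"C:\WINDOWS\system32\dllcache\eventlog.dll",
    "i386": r"C:\i386\eventlog.dll",
}


def sha256_of(path: str) -> Optional[str]:
    """SHA-256 hex digest of a file, or None if it is missing or unreadable."""
    try:
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        return h.hexdigest()
    except OSError:
        return None


def compare_copies(paths: Dict[str, str] = DEFAULT_PATHS) -> Dict[str, object]:
    """Hash every copy and decide whether the live file still matches the backups.

    verdict is one of:
      "ok"        live file present and identical to every backup that exists
      "mismatch"  live file present but differs from at least one backup
      "missing"   live file absent (or unreadable)
      "no-backup" live file present but no backup copy could be read
    """
    digests = {label: sha256_of(p) for label, p in paths.items()}
    live = digests.get("live")
    backups = {label: d for label, d in digests.items()
               if label != "live" and d is not None}
    if live is None:
        verdict = "missing"
    elif not backups:
        verdict = "no-backup"
    elif all(d == live for d in backups.values()):
        verdict = "ok"
    else:
        verdict = "mismatch"
    return {
        "digests": digests,
        "matches_live": {label: d == live for label, d in backups.items()},
        "backups_agree": len(set(backups.values())) <= 1,
        "verdict": verdict,
    }


def report(result: Dict[str, object]) -> str:
    """Render the comparison as plain lines suitable for pasting into a reply."""
    lines = [f"{label}: {digest or 'NOT FOUND'}"
             for label, digest in result["digests"].items()]
    lines.append(f"verdict: {result['verdict']}")
    return "\n".join(lines)


def run_constructed_demo(scenario: str = "modified") -> Dict[str, object]:
    """Build a constructed stand-in for the XP layout in a temp dir and compare.

    The byte contents are made up for the demo; only the relative layout and
    file names mirror the thread. scenario: "clean", "modified" or "missing".
    """
    base = tempfile.mkdtemp()
    clean = b"MZ clean eventlog.dll bytes (constructed)"
    layout = {
        "live": os.path.join(base, "WINDOWS", "system32", "eventlog.dll"),
        "dllcache": os.path.join(base, "WINDOWS", "system32", "dllcache", "eventlog.dll"),
        "i386": os.path.join(base, "i386", "eventlog.dll"),
    }
    for label, path in layout.items():
        os.makedirs(os.path.dirname(path), exist_ok=True)
        if label == "live" and scenario == "missing":
            continue  # simulate the live DLL having been removed
        tampered = label == "live" and scenario == "modified"
        data = clean + b" TAMPERED" if tampered else clean
        with open(path, "wb") as f:
            f.write(data)
    return compare_copies(layout)


if __name__ == "__main__":
    print(report(run_constructed_demo("modified")))
```

Run `compare_copies()` with no arguments on the affected machine (Python must be installed there; it is not part of the thread's tool set) and paste `report()` output alongside the Win32kDiag log. A "mismatch" verdict only shows that the copies differ, not which one is clean: if "backups_agree" is False the dllcache and i386 copies disagree with each other too, and none of the three can be trusted without checking against a known-good file from the same service pack.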


  • Root Admin

Due to the lack of feedback this Topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

The fixes and advice in this thread are for this machine only. Do not apply the instructions from this thread to your own machine. Please start a new thread describing your issue and someone will be along to assist you.

