Jump to content

Unable to remove Policepro


pwr_slave

Recommended Posts

  • Staff

Hi and welcome to Malwarebytes.

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

-screen317

Link to post
Share on other sites

ComboFix won't run in safemode, either.

Hi and welcome to Malwarebytes.

Please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

-screen317

Link to post
Share on other sites

  • Staff

See if the instructions in this post allow MBAM to run:

http://www.malwarebytes.org/forums/index.php?showtopic=23983

If no joy, try this:

Download DDS by sUBs and save it to your Desktop.

Double-click on the DDS icon and let the scan run. When it has run two logs will be produced, please post the one that is not minimized.

Link to post
Share on other sites

DDS (Ver_09-09-24.01) - NTFSx86

Run by user at 12:39:03.06 on Sun 09/27/2009

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.5.0_10

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1285 [GMT -4:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost -k DcomLaunch

svchost.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

svchost.exe

svchost.exe

C:\WINDOWS\system32\LEXBCES.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\LEXPPS.EXE

C:\WINDOWS\Explorer.EXE

C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

svchost.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Common Files\LightScribe\LSSrvc.exe

svchost.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc

C:\WINDOWS\system32\DRIVERS\WtSrv.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\system32\dllhost.exe

C:\Program Files\HPQ\SHARED\HPQWMI.exe

C:\WINDOWS\System32\svchost.exe -k HTTPFilter

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\user\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = hxxp://google.com/

uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8

uInternet Connection Wizard,ShellNext = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q405&bd=pavilion&pf=laptop

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll

BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll

BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll

BHO: Java Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_10\bin\ssv.dll

TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File

uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background

uRun: [AROReminder] c:\program files\advanced registry optimizer\ARO.exe -rem

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [sUPERAntiSpyware] c:\program files\superantispyware\SUPERAntiSpyware.exe

mRun: [hpWirelessAssistant] c:\program files\hpq\hp wireless assistant\HP Wireless Assistant.exe

mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot

mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe

mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime

mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"

mRun: [sunJavaUpdateSched] "c:\program files\java\jre1.5.0_10\bin\jusched.exe"

mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript

StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe

IE: Copy to Semagic - c:\program files\semagic\copy.htm

IE: Semagic - c:\program files\semagic\link.htm

IE: {d9288080-1baa-4bc4-9cf8-a92d743db949}

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_10\bin\ssv.dll

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab

DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab

DPF: {DD583921-A9E9-4FBF-9266-8DC2AB5EA0AF} - hxxp://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin10USA.cab

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll

Notify: AtiExtEvent - Ati2evxx.dll

Notify: avgrsstarter - avgrsstx.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\user\applic~1\mozilla\firefox\profiles\yhfosx1y.default\

FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=

FF - prefs.js: browser.search.selectedEngine - Google

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll

FF - plugin: c:\documents and settings\user\application data\mozilla\firefox\profiles\yhfosx1y.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll

FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava11.dll

FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava12.dll

FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava13.dll

FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava14.dll

FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava32.dll

FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJPI150_10.dll

FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPOJI610.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npagent.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-6-27 335240]

R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-5-6 27784]

R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2008-6-27 108552]

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2009-9-15 9968]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2009-9-15 74480]

R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\avg\avg8\avgemc.exe [2008-7-5 908056]

R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2008-7-5 297752]

R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-6 99328]

R3 HSFHWATI;HSFHWATI;c:\windows\system32\drivers\HSFHWATI.sys [2005-8-22 231424]

R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2009-9-15 7408]

S3 PLUsbbc2;High-Speed USB Bridge Cable Driver;c:\windows\system32\drivers\usbbc2.sys [2006-11-9 8960]

S3 USBAS4X4;M Audio USB Quattro Midi Driver;c:\windows\system32\drivers\usbas4x4.sys [2007-7-21 32544]

=============== Created Last 30 ================

2009-09-26 22:14 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SUPERAntiSpyware.com

2009-09-26 22:14 <DIR> --d----- c:\program files\SUPERAntiSpyware

2009-09-26 22:14 <DIR> --d----- c:\docume~1\user\applic~1\SUPERAntiSpyware.com

2009-09-26 21:41 <DIR> a-dshr-- C:\cmdcons

2009-09-26 21:40 229,888 a------- c:\windows\PEV.exe

2009-09-26 21:40 161,792 a------- c:\windows\SWREG.exe

2009-09-26 21:40 98,816 a------- c:\windows\sed.exe

2009-09-26 21:39 <DIR> --d----- C:\ComboFix

2009-09-26 20:26 <DIR> --d----- c:\docume~1\user\applic~1\Sammsoft

2009-09-26 20:26 <DIR> --d----- c:\program files\Advanced Registry Optimizer

2009-09-09 23:19 153,088 -------- c:\windows\system32\dllcache\triedit.dll

2009-09-04 21:50 <DIR> --d----- c:\program files\Eusing Free Registry Cleaner

2009-09-02 22:55 <DIR> --d----- c:\docume~1\user\applic~1\Malwarebytes

2009-09-02 22:54 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys

2009-09-02 22:54 19,160 a------- c:\windows\system32\drivers\mbam.sys

2009-09-02 22:54 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware

2009-09-02 22:54 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes

==================== Find3M ====================

2009-09-21 11:26 187,676 a------- c:\program files\WilhelmScream.wav

2009-09-01 07:40 2,670 a------- c:\docume~1\user\applic~1\wklnhst.dat

2009-08-28 09:35 11,952 a------- c:\windows\system32\avgrsstx.dll

2009-08-28 09:35 335,240 a------- c:\windows\system32\drivers\avgldx86.sys

2009-08-05 05:01 204,800 a------- c:\windows\system32\mswebdvd.dll

2009-08-05 05:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll

2009-07-19 18:48 11,067,392 -------- c:\windows\system32\dllcache\ieframe.dll

2009-07-19 09:18 5,937,152 -------- c:\windows\system32\dllcache\mshtml.dll

2009-07-17 15:01 58,880 a------- c:\windows\system32\atl.dll

2009-07-17 15:01 58,880 -------- c:\windows\system32\dllcache\atl.dll

2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll

2009-07-13 23:43 10,841,088 -------- c:\windows\system32\dllcache\wmp.dll

2009-07-13 23:43 286,208 -------- c:\windows\system32\dllcache\wmpdxm.dll

2009-07-10 09:27 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll

2009-07-03 13:09 915,456 -------- c:\windows\system32\wininet.dll

2009-07-03 13:09 915,456 -------- c:\windows\system32\dllcache\wininet.dll

2009-07-03 13:09 12,800 -------- c:\windows\system32\dllcache\xpshims.dll

2009-07-03 13:09 206,848 a------- c:\windows\system32\dllcache\occache.dll

2009-07-03 13:09 1,208,832 -------- c:\windows\system32\dllcache\urlmon.dll

2009-07-03 13:09 594,432 a------- c:\windows\system32\dllcache\msfeeds.dll

2009-07-03 13:09 55,296 a------- c:\windows\system32\dllcache\msfeedsbs.dll

2009-07-03 13:09 1,985,536 -------- c:\windows\system32\dllcache\iertutil.dll

2009-07-03 13:09 25,600 -------- c:\windows\system32\dllcache\jsproxy.dll

2009-07-03 13:09 184,320 a------- c:\windows\system32\dllcache\iepeers.dll

2009-07-03 13:09 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll

2009-07-03 13:09 386,048 -------- c:\windows\system32\dllcache\iedkcs32.dll

2009-07-03 07:01 173,056 -------- c:\windows\system32\dllcache\ie4uinit.exe

2008-06-20 03:58 0 ---sh--- c:\program files\desktoq.ini

2008-06-11 10:00 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008061120080612\index.dat

============= FINISH: 12:39:27.85 ===============

Link to post
Share on other sites

  • Staff

Hi,

I see you have Viewpoint installed...

Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad". I suggest you remove the program now. Navigate to Start --> Control Panel --> Add or Remove Programs and uninstall the following programs if present.


  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
  • Viewpoint Toolbar

Let me know if you decided to uninstall it.

Next, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.

  • Click Start Scanning.
  • You should get a notification bar (on top) to install the ActiveX control.
  • Click on it and select to install the ActiveX.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • In case you are having problems with installing the ActiveX/starting the scan, please read here.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished scanning, click the Automatic cleaning (recommended) button
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and Copy/Paste what is present under results in your next reply.

Next, download my Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Let me know how things are running now and what issues remain.

-screen317

Link to post
Share on other sites

Scanning Report

Monday, September 28, 2009 00:00:26 - 01:17:11

Computer name: YOUR-727A0A4E7C

Scanning type: Scan system for malware, spyware and rootkits

Target: C:\

--------------------------------------------------------------------------------

No malware found

--------------------------------------------------------------------------------

Statistics

Scanned:

Files: 57953

System: 3758

Not scanned: 9

Actions:

Disinfected: 0

Renamed: 0

Deleted: 0

Not cleaned: 0

Submitted: 0

Files not scanned:

C:\HIBERFIL.SYS

C:\PAGEFILE.SYS

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

C:\WINDOWS\SYSTEM32\CONFIG\SAM

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY

C:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\TEMP\ETILQS_VPBUOBIACKNUDUGJRQ0F

C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MUVEE TECHNOLOGIES\030625\0102\0310\VALUES

--------------------------------------------------------------------------------

Options

Scanning engines:

Scanning options:

Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR

Use advanced heuristics

Link to post
Share on other sites

Results of screen317's Security Check version 0.99.0

Windows XP Service Pack 3

``````````````````````````````

Antivirus/Firewall Check:

Windows Firewall Disabled!

AVG Free 8.5

Antivirus up to date!

``````````````````````````````

Anti-malware/Other Utilities Check:

SUPERAntiSpyware Free Edition

CCleaner (remove only)

Eusing Free Registry Cleaner

Adobe Flash Player 10

Adobe Reader 7.1.0

Out of date Adobe Reader installed!

``````````````````````````````

Process Check:

objlist.exe by Laurent

AVG avgwdsvc.exe

AVG avgtray.exe

AVG avgrsx.exe

AVG avgnsx.exe

AVG avgemc.exe

AVG avgemc.exe

``````````````````````````````

DNS Vulnerability Check:

GREAT! (Not vulnerable to DNS cache poisoning)

`````````End of Log```````````

----

I'm haven't noticed any issues that are affecting how my machine operates.

Link to post
Share on other sites

  • Staff

Hi,

Things are looking good. ;)

Navigate to Start --> Run, and type Combofix /u in the box that appears. Click OK afterwards. Notice the space between the X and the /u

This uninstalls all of ComboFix's components.

Delete SecurityCheck.

After that, navigate to Start --> Control Panel --> Add or Remove Programs, and uninstall the following programs (if present):

Adobe Reader 7.1.0

Restart your computer.

Get the latest version of Adobe Reader.

Let me know if any issues remain.

-screen317

Link to post
Share on other sites

Guest
This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
×
×
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.