
Police Pro virus - can't run Malwarebytes or HJT


cbird01


I have a computer that has been infected by Police Pro. I was able to stop processes on one of my User profiles in order to get regedit running and deleted all the registry entries for it. Found and deleted program files according to this tutorial I found:

C:\Program Files\Windows Police Pro\Windows Police Pro.exe

C:\Program Files\Windows Police Pro\tmp\dbsinit.exe

%System Root%\Samples - did not exist

%User Profile%\Local Settings\Temp

%Program Files%\Windows Police PRO

%Program Files%\LabelCommand - did not exist

%Documents and Settings%\All Users\Start Menu\Programs\Windows Police PRO

%Documents and Settings%\All Users\Application Data\Windows Police PRO

When I run HJT or MWB, they run the first time and just stop after 5 seconds, and then I can't open them unless I uninstall and reinstall them. Then the same thing happens.

I then rebooted and found that it was still blocking things with desote.exe. I deleted dddesot.dll (probably should not have) and now it says "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."


Welcome to Malwarebytes!!!! ;)

Please download Win32kDiag.exe by AD to your Desktop.

Double-click on Win32kDiag.exe.

It will create Win32kDiag.txt on your Desktop.

In your next reply, please include the log. Thanks

My post was hijacked... not sure if this needs to go in another thread... it will get rather confusing.

======================================================================

Running from: C:\Documents and Settings\Espi\Desktop\Win32kDiag.exe

Log file at : C:\Documents and Settings\Espi\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Found mount point : C:\WINDOWS\$hf_mig$\KB919007\KB919007

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB933729\KB933729

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\$hf_mig$\KB943460\KB943460

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\GAC_32\CustomMarshalers\CustomMarshalers

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\GAC_32\ISymWrapper\ISymWrapper

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\GAC_32\mscorlib\mscorlib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\GAC_32\System.Data\System.Data

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\GAC_32\System.Data.OracleClient\System.Data.OracleClient

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\GAC_32\System.EnterpriseServices\System.EnterpriseServices

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\GAC_32\System.Transactions\System.Transactions

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\GAC_32\System.Web\System.Web

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\GAC_MSIL\Accessibility\Accessibility

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\GAC_MSIL\AspNetMMCExt\AspNetMMCExt

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\GAC_MSIL\cscompmgd\cscompmgd

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\GAC_MSIL\IEExecRemote\IEExecRemote

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\GAC_MSIL\IEHost\IEHost

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\GAC_MSIL\IIEHost\IIEHost

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\GAC_MSIL\Microsoft.Build.Engine\Microsoft.Build.Engine

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\GAC_MSIL\Microsoft.Build.Framework\Microsoft.Build.Framework

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\GAC_MSIL\Microsoft.Build.Tasks\Microsoft.Build.Tasks

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\GAC_MSIL\Microsoft.Build.Utilities\Microsoft.Build.Utilities

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\GAC_MSIL\Microsoft.JScript\Microsoft.JScript

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\GAC_MSIL\Microsoft.VisualBasic\Microsoft.VisualBasic

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\GAC_MSIL\Microsoft.VisualBasic.Compatibility\Microsoft.VisualBasic.Compatibility

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\Microsoft.VisualBasic.Compatibility.Data

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\GAC_MSIL\Microsoft.VisualBasic.Vsa\Microsoft.VisualBasic.Vsa

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\GAC_MSIL\Microsoft.VisualC\Microsoft.VisualC

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\GAC_MSIL\Microsoft.Vsa\Microsoft.Vsa

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\Microsoft.Vsa.Vb.CodeDOMProcessor

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\GAC_MSIL\Microsoft_VsaVb\Microsoft_VsaVb

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\GAC_MSIL\sysglobl\sysglobl

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\GAC_MSIL\System\System

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\GAC_MSIL\System.Configuration\System.Configuration

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\GAC_MSIL\System.Configuration.Install\System.Configuration.Install

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\GAC_MSIL\System.Data.SqlXml\System.Data.SqlXml

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\GAC_MSIL\System.Deployment\System.Deployment

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\GAC_MSIL\System.Design\System.Design

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\GAC_MSIL\System.DirectoryServices\System.DirectoryServices

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\GAC_MSIL\System.DirectoryServices.Protocols\System.DirectoryServices.Protocols

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\GAC_MSIL\System.Drawing\System.Drawing

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\GAC_MSIL\System.Drawing.Design\System.Drawing.Design

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\GAC_MSIL\System.Management\System.Management

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\GAC_MSIL\System.Messaging\System.Messaging

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\GAC_MSIL\System.Runtime.Remoting\System.Runtime.Remoting

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\System.Runtime.Serialization.Formatters.Soap

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\GAC_MSIL\System.Security\System.Security

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\GAC_MSIL\System.ServiceProcess\System.ServiceProcess

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\GAC_MSIL\System.Web.Mobile\System.Web.Mobile

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\GAC_MSIL\System.Web.RegularExpressions\System.Web.RegularExpressions

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\GAC_MSIL\System.Web.Services\System.Web.Services

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\GAC_MSIL\System.Windows.Forms\System.Windows.Forms

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\GAC_MSIL\System.Xml\System.Xml

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\NativeImages_v2.0.50727_32\Temp\ZAPC81.tmp\ZAPC81.tmp

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\TEMP\TEMP

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ASSEMBLY\TMP\TMP

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Config\Config

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Connection Wizard\Connection Wizard

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Debug\UserMode\UserMode

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Downloaded Program Files\CONFLICT.1\CONFLICT.1

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Downloaded Program Files\CONFLICT.2\CONFLICT.2

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\ftpcache\ftpcache

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Cbz\Cbz

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Lib\Lib

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Help\SBSI\Training\WXPPer\Wave\Wave

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\CHSIME\APPLETS\APPLETS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\CHTIME\Applets\Applets

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\IMEJP\APPLETS\APPLETS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\IMEJP98\IMEJP98

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\IMKR6_1\APPLETS\APPLETS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\IMKR6_1\DICTS\DICTS

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\IME\SHARED\RES\RES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Installer\$PatchCache$\Managed\D7314F9862C648A4DB8BE2A5B47BE100\1.0.0\1.0.0

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\JAVA\CLASSES\CLASSES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\JAVA\TRUSTLIB\TRUSTLIB

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files\Bind Logs\Bind Logs

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\MSAPPS\MSINFO\MSINFO

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\MUI\MUI

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\ErrorRep\QHEADLES\QHEADLES

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\ErrorRep\QSIGNOFF\QSIGNOFF

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\ErrorRep\UserDumps\UserDumps

Mount point destination : \Device\__max++>\^

Found mount point : C:\WINDOWS\PCHEALTH\HELPCTR\BATCH\BATCH

Mount point destination : \Device\__max++>\^

Cannot access: C:\WINDOWS\PCHEALTH\HELPCTR\BINARIES\helpsvc.exe

[1] 2004-08-04 04:00:00 743936 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)

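A note on reading the log above, with an added Python example that is not part of the thread and not Win32kDiag's own logic. A genuine NTFS volume mount point resolves to a path of the form \??\Volume{GUID}\. Every mount point Win32kDiag reports here instead sits on a directory named after its own parent (...\mscorlib\mscorlib, ...\Config\Config, ...\TMP\TMP) and resolves to \Device\__max++>\^, which is not a volume at all: anything that opens one of those directories is handed to that device object rather than to the real folder. The tool then reports a system file it could not open, helpsvc.exe, and lists a known copy of it from the service-pack uninstall folder. The script below parses Win32kDiag-style output, flags mount points whose destination is not a volume, tallies the destinations (one target repeated across dozens of unrelated directories is the tell), and pairs each inaccessible file with the known copies listed under it. The sample log is a constructed subset of the one posted, with one made-up benign volume mount point (C:\Data) added so the check has a legitimate entry to accept.

```python
"""Triage Win32kDiag output: separate real volume mount points from redirects."""
import re
from collections import Counter

MOUNT_RE = re.compile(r"^Found mount point\s*:\s*(.+?)\s*$")
DEST_RE = re.compile(r"^Mount point destination\s*:\s*(.+?)\s*$")
NOACCESS_RE = re.compile(r"^Cannot access\s*:\s*(.+?)\s*$")
# Win32kDiag follows a 'Cannot access' line with known copies of that file:
#   [n] YYYY-MM-DD HH:MM:SS size path (company)
COPY_RE = re.compile(
    r"^\[(\d+)\]\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(.+?)\s+\((.*)\)\s*$")
# A genuine NTFS volume mount point resolves to \??\Volume{GUID}\ .
VOLUME_RE = re.compile(r"^\\\?\?\\Volume\{[0-9a-fA-F-]{36}\}\\?$")

# Constructed subset of the log posted above, plus one made-up benign volume
# mount point (C:\Data) so the check has a legitimate entry to accept.
SAMPLE_LOG = r"""
Running from: C:\Documents and Settings\Espi\Desktop\Win32kDiag.exe
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Found mount point : C:\WINDOWS\$hf_mig$\KB919007\KB919007
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\ASSEMBLY\GAC_32\mscorlib\mscorlib
Mount point destination : \Device\__max++>\^
Found mount point : C:\WINDOWS\Config\Config
Mount point destination : \Device\__max++>\^
Found mount point : C:\Data
Mount point destination : \??\Volume{3b1f5a2c-0000-0000-0000-100000000000}\
Cannot access: C:\WINDOWS\PCHEALTH\HELPCTR\BINARIES\helpsvc.exe
[1] 2004-08-04 04:00:00 743936 C:\WINDOWS\$NtServicePackUninstall$\helpsvc.exe (Microsoft Corporation)
"""


def parse_win32kdiag(text):
    """Return (mounts, inaccessible, copies).

    mounts: list of (directory, destination); a 'Found mount point' line is
    paired with the next 'Mount point destination' line.
    inaccessible: files the tool could not open.
    copies: {inaccessible file: [known copies listed under it]}."""
    mounts, inaccessible, copies, pending = [], [], {}, None
    for line in text.splitlines():
        if m := MOUNT_RE.match(line):
            pending = m.group(1)
        elif (m := DEST_RE.match(line)) and pending is not None:
            mounts.append((pending, m.group(1)))
            pending = None
        elif m := NOACCESS_RE.match(line):
            inaccessible.append(m.group(1))
            copies[m.group(1)] = []
        elif (m := COPY_RE.match(line)) and inaccessible:
            copies[inaccessible[-1]].append(
                {"when": m.group(2), "size": int(m.group(3)),
                 "path": m.group(4), "company": m.group(5)})
    return mounts, inaccessible, copies


def is_volume(destination):
    """True only for a destination of the form \\??\\Volume{GUID}\\ ."""
    return VOLUME_RE.match(destination) is not None


def self_named(directory):
    """True for ...\\Foo\\Foo: a junction named after its own parent, which is
    the shape of every entry in the posted log."""
    parts = directory.rstrip("\\").split("\\")
    return len(parts) >= 2 and parts[-1].lower() == parts[-2].lower()


def triage(text):
    mounts, inaccessible, copies = parse_win32kdiag(text)
    suspicious = [d for d, dest in mounts if not is_volume(dest)]
    return {
        "suspicious": suspicious,
        "self_named": [d for d in suspicious if self_named(d)],
        # one destination repeated across many unrelated directories is the tell
        "destinations": Counter(dest for d, dest in mounts if not is_volume(dest)),
        "inaccessible": inaccessible,
        "known_copies": copies,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for dest, n in report["destinations"].most_common():
        print(f"{n} mount point(s) redirect to {dest}")
    for d in report["suspicious"]:
        print("  ", d, "(self-named)" if self_named(d) else "")
    for f in report["inaccessible"]:
        print("cannot open:", f)
        for c in report["known_copies"][f]:
            print("   known copy:", c["path"], c["size"], "bytes,", c["company"])
```

Run it against a saved Win32kDiag.txt with triage(open(path).read()). The self_named list is the subset to look at first, and the known_copies entries show where a clean copy of an inaccessible file may be found.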

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1

Link 2

Link 3


--------------------------------------------------------------------

Double-click on Combo-Fix.exe and follow the prompts.

  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a HijackThis log so we can continue cleaning the system.



I downloaded and changed the name of ComboFix. I ran it and it ran OK and asked to reboot. Upon reboot a cmd screen popped up. It said "'Grep' is not recognized as an internal or external command, operable program or batch file" and closed. No other action or logs created.

I downloaded and renamed HijackThis. I ran the setup and it asked where to install. I kept the default directory and it closed and nothing happened. I also tried in safe mode and same thing.

Thank you for your help.



EDIT: I used a version of hijackthis that was already on the computer. After posting I decided to download a new version on another computer, rename it then put on infected computer. It allowed me to run HJT this time, but the scan ran and it was showing on the screen, but then shut down and no log was created. Upon double clicking the renamed HJT exe file again I got an error "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." and I can no longer run it. This was in Safe Mode.


Do you have a ComboFix.txt on your C:\ folder?

Please download the attached file to your desktop and extract lockedfilesearch.bat to your desktop. Double-click on lockedfilesearch.bat and a log shall appear. In your next reply, please include the log. Thanks

There was no ComboFix.txt on the C:\ drive. There was an Smax.log which may be from MG Tools? I attached it anyway.

Attached the lockedfilesearch results. It would not run until I ran ComboFix through the first step for the license agreement; then it seemed to run after that.

log.txt

smax.txt


1. Please download The Avenger2 by Swandog46 to your Desktop.

  • Right click on the Avenger.zip folder and select "Extract All..."
  • Follow the prompts and extract the avenger folder to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to move:
C:\WINDOWS\SYSTEM32\logevent.dll | C:\WINDOWS\SYSTEM32\eventlog.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

  • Right click on the window under Input script here:, and select Paste.
  • You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
  • Click on Execute
  • Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

  • It will restart your computer. (In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger.


I have attached the Avenger log. Combo-Fix seems to be running, but the scan has been going for over an hour. I will let it continue and post if it finishes.

Combo-Fix will run and get to where there is a blue "AutoScan" window that says Scanning for infected files... but it just stays on that and doesn't finish. I let it run for 4 hours.


Run ComboFix again

When it stalls, press Ctrl+Alt+Delete at the same time; Windows Task Manager shall appear. Look for a process similar to cf***.exe (*** means random numbers). If that process is found, please choose End Process. Let me know if you are able to proceed. Thanks



Thanks, I tried this and let it run another hour after stopping the process during the scan. Still no results or logs; it just keeps scanning and doesn't finish.


What security programs are installed on your system? They are likely causing it to hang. I need you to fully disable them.

Removed:

Removing SpywareBlaster, SpyBot, Malwarebytes and Windows Defender didn't seem to do anything, but I switched to a different user (which I think the infection started on) and it ran.

Here is log attached

ComboFix.txt


1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

File::
c:\windows\system32\zetoyago.exe
c:\windows\svchasts.exe
c:\windows\system32\tujumape.dll
c:\program files\Common Files\uzunisozel.ban
c:\program files\Common Files\ozydamyq._sy
c:\windows\system32\tyxid.dll
c:\program files\Common Files\mabeguzodo.pif
c:\windows\imyvypip.bin
c:\windows\yfoqav.com
c:\program files\Common Files\ivoto.dat
c:\windows\system32\mojeluru.dll
c:\windows\SYSTEM32\hapabofa.dll.tmp
c:\windows\SYSTEM32\kimumeki.dll.tmp
c:\windows\SYSTEM32\memadaro.dll.tmp
c:\windows\SYSTEM32\puwohuwu.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5b3d8d24-36d3-4be7-809a-776c2ce1094f}]
[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]

Save this as CFScript.txt, in the same location as ComboFix.exe

[screenshot: CFScriptB-4.gif]

Referring to the picture above, drag CFScript.txt onto ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

===============================================

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

How is everything running???

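Before a CFScript like the one above is dragged onto ComboFix, it is worth keeping a copy and a hash of each file it lists, so the samples can be examined later and so another machine showing the same file names can be matched against them. The Python script below is an added example, not part of the thread and not ComboFix's own parser: it splits a CFScript into its sections (File::, Registry::, RegLock::) and copies every File:: entry that still exists into an evidence directory with its SHA-256, recording the rest as missing. The CFScript text is the one posted above; the file preserved in the demo is a constructed 64-byte stand-in written to a temporary directory, because the real files are not available here. Run it as Administrator on the infected host before ComboFix; on any other machine every listed path simply reports as missing, and on the infected host a "missing" verdict is not conclusive either, since the kind of redirect seen in the Win32kDiag log earlier can hide files from user-mode code.

```python
"""Preserve the files a ComboFix CFScript names before they are removed."""
import hashlib
import os
import shutil
import tempfile

# The CFScript posted above, verbatim.
CFSCRIPT = r"""
File::
c:\windows\system32\zetoyago.exe
c:\windows\svchasts.exe
c:\windows\system32\tujumape.dll
c:\program files\Common Files\uzunisozel.ban
c:\program files\Common Files\ozydamyq._sy
c:\windows\system32\tyxid.dll
c:\program files\Common Files\mabeguzodo.pif
c:\windows\imyvypip.bin
c:\windows\yfoqav.com
c:\program files\Common Files\ivoto.dat
c:\windows\system32\mojeluru.dll
c:\windows\SYSTEM32\hapabofa.dll.tmp
c:\windows\SYSTEM32\kimumeki.dll.tmp
c:\windows\SYSTEM32\memadaro.dll.tmp
c:\windows\SYSTEM32\puwohuwu.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5b3d8d24-36d3-4be7-809a-776c2ce1094f}]
[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
RegLock::
[HKEY_USERS\.Default\Software\Microsoft\Internet Explorer\User Preferences]
"""


def parse_cfscript(text):
    """Split a CFScript into {section: [entries]}; a section header is a line
    ending in '::' (File::, Folder::, Registry::, RegLock::, ...)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve(paths, evidence_dir):
    """Copy each listed file that exists into evidence_dir and return a manifest.

    Copies are renamed <sha256 prefix>_<basename>.bin so nothing in the
    evidence folder is double-clickable; copy2 keeps the original timestamps,
    which matter for a timeline. A path that is not found is recorded as
    missing (a rootkit can hide files from user-mode code, so 'missing' is
    not proof the file is gone)."""
    os.makedirs(evidence_dir, exist_ok=True)
    manifest = []
    for path in paths:
        entry = {"path": path}
        if os.path.isfile(path):
            digest = sha256_of(path)
            copy = os.path.join(evidence_dir, f"{digest[:16]}_{os.path.basename(path)}.bin")
            shutil.copy2(path, copy)
            entry.update(status="preserved", sha256=digest,
                         size=os.path.getsize(path), copy=copy)
        else:
            entry.update(status="missing")
        manifest.append(entry)
    return manifest


def demo_preserve():
    """Stand-alone demo: one constructed stand-in file plus one path that does
    not exist, both in a fresh temporary directory."""
    work = tempfile.mkdtemp(prefix="cfscript_demo_")
    stand_in = os.path.join(work, "zetoyago.exe")
    with open(stand_in, "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 62)  # constructed bytes, not the real file
    return preserve([stand_in, os.path.join(work, "not_there.dll")],
                    os.path.join(work, "evidence"))


if __name__ == "__main__":
    sections = parse_cfscript(CFSCRIPT)
    print({name: len(entries) for name, entries in sections.items()})
    # On the infected host, run this as Administrator before ComboFix:
    for entry in preserve(sections["File"], os.path.join(tempfile.gettempdir(), "cf_evidence")):
        print(entry["status"], entry["path"])
    for entry in demo_preserve():
        print(entry)
```

The manifest is plain dictionaries so it can be dumped to JSON alongside the copies; keep that record with the ComboFix.txt the run produces, since ComboFix's own log will only say what it deleted, not what the files contained.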

It is running pretty good, Thanks!

I have attached the ComboFix and Malwarebytes logs.

I have not hooked up the infected computer to the internet, as it is in a different room and there is no wireless, but I manually downloaded the rules from http://mbam.malwarebytes.org/database/mbam-rules.exe and installed them prior to running the scan.

Thank you for your help... I see the light.

ComboFix.txt

mbam_log_2009_10_06__10_40_07_.txt


Everything seems to be running very well...no pop ups or anything.

I did run into a problem. I am trying to install Spybot, and there are remnants of the old installation in the Program Files folder. When I open the folder, you cannot see any files, but there is something like 9 MB of data showing on it. When I install the new Spybot it says it cannot overwrite the main program file and I have to abort or ignore. If I ignore, the install finishes but the program does not run.

I have tried deleting this invisible data and it says it is read-only or in use. The Read-only check mark is ticked and I can't get it to change.

I seem to have done something about disabling the UAC before I got help on this forum while trying to fix this PC. Maybe that has something to do with it?

I can't even seem to delete a shortcut on the desktop, even in safe mode.



OK, it just seems to be the Spybot folder. I can delete other folders. I mistakenly ran a Vista tool in MGTools called Disable UAC before coming here. I just ran the reversal, Enable UAC. Can't find any problems other than this Spybot folder problem; I just can't erase the damn thing, nor see the files.

