Police Pro and other Virus Problems

Discussion in 'Malware Help (A Specialist Will Reply)' started by Excob, Sep 30, 2009.

  1. Excob

    Excob Private E-2

    I had the Windows police pro virus. I managed to get my registry restored to a previous version and was then able to run MALWAREBYTES. Most everything returned to normal except:

    1) I cannot run Norton 360
    2) The Pane for turning on system restore is missing
    3) I have a new ANTIPOL service listed which I cannot remove but was able to disable.
4) The automatic updates is disabled in my registry and I cannot change it because I get an "Error deleting value" error. It changed %system to %fsytem and I can't change it.
    5) I cannot delete Norton 360 either because it says that it "may already be deleted".

This has been a real mess. I have read the other posts on this problem (or similar ones) and have downloaded AVPFind, exe helper and Mtools. I have made a file of the instructions and will try them tonight and then try and get the logs posted here.

    Anything else you can think of will be appreciated.
     
  2. Excob

    Excob Private E-2

    I ran some scans last night 9-30-09 and here are the logs. I would really appreciate some help here.
     

    Attached Files:

  3. evilfantasy

    evilfantasy Malware Fighter

    Hello Excob.

Please don't follow instructions from other help topics. Each computer is set up differently and you can cause a lot of damage by removing something that "sounds" bad when in fact your computer might rely on it to function properly.

    It looks like you didn't let MGtools finish or it was interrupted so we will need to run that again.

    First though please try running the other scanners and saving logs from them to attach in your reply.

    Follow the instructions in the below link for installing and running SuperAntiSpyware
    Download combofix.exe to your Desktop. It MUST be on your Desktop!

    • Now we need to run ComboFix. Please carefully follow the instructions in the below link to most effectively run ComboFix. PLEASE DO NOT stop and post the ComboFix log as suggested in the below procedure. We want you to finish ALL of our procedures and attach all logs at the end. If you have any problems running ComboFix, skip it and continue on but explain your problems when you come back to attach your logs.


• Now follow the directions in the below link for running MGtools (let it overwrite the other version you already installed). It also explains possible reasons for not being able to run MGtools.

    Next post please attach:

    • SUPERAntiSpyware log
    • ComboFix log
    • RootRepeal log
    • New MGtools.zip
    Note: If something will not run then take note and let me know why in the next reply but keep going and get all of the logs you can.
     
  4. Excob

    Excob Private E-2

    Thanks for the information. Will comply. However, I do not dare go online because each time I do, I get reinfected. I presently do not have a virus protection program because the other Trojans, viruses deleted Norton 360 off my computer. I will post the logs on Tuesday, 6 October.
     
  5. evilfantasy

    evilfantasy Malware Fighter

    You are already infected so going online won't reinfect the computer.

    However you can transfer the programs over on a flash drive or CD and install them that way but I think SUPERAntiSpyware needs an internet connection to install properly. Or use Safe Mode With Networking.
     
  6. Excob

    Excob Private E-2

    Here are the log files requested:
    I look forward to hearing from you.
     

    Attached Files:

  7. evilfantasy

    evilfantasy Malware Fighter

    Sorry for the delay.

    As instructed in the READ ME you need to set Msconfig to Normal Startup.





    Now run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:



    • O4 - HKLM\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\calc.dll,_IWMPEvents@0
    • O4 - HKCU\..\Run: [calc] rundll32.exe C:\DOCUME~1\NETWOR~1\protect.dll,_IWMPEvents@0
    • O4 - S-1-5-19 Startup: scandisk.dll (User 'LOCAL SERVICE')
    • O4 - S-1-5-19 Startup: scandisk.lnk = ? (User 'LOCAL SERVICE')
    • O4 - S-1-5-20 Startup: scandisk.dll (User 'NETWORK SERVICE')
    • O4 - S-1-5-20 Startup: scandisk.lnk = ? (User 'NETWORK SERVICE')
    • O4 - S-1-5-18 Startup: scandisk.dll (User 'SYSTEM')
    • O4 - S-1-5-18 Startup: scandisk.lnk = ? (User 'SYSTEM')
    • O4 - .DEFAULT Startup: scandisk.dll (User 'Default user')
    • O4 - .DEFAULT Startup: scandisk.lnk = ? (User 'Default user')
    • O4 - Startup: scandisk.dll
    • O4 - Startup: scandisk.lnk = ?


    After clicking Fix checked, exit HJT and then run CCleaner.



    Delete your current version of ComboFix and download the new one.
    ComboFix.exe

    Delete these files/folders, as follows:

    1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
    It must be Notepad, not Wordpad.
    2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

    Code:
    KillAll::
    
    Driver::
    AntipPolice_
    
    File::
    C:\2.tmp
    C:\3.tmp
    C:\4.tmp
    C:\42.tmp
    C:\44.tmp
    C:\5.tmp
    C:\6.tmp
    C:\7.tmp
    C:\74.tmp
    C:\76.tmp
    C:\8.tmp
    C:\9.tmp
    C:\b.tmp
    C:\c.tmp
    C:\d.tmp
    C:\smftnww.exe
    C:\woavkf.exe
    C:\hiugurwb.exe
    C:\deho.exe
    c:\windows\svchast.exe
    c:\windows\system32\calc.dll
    c:\documents and settings\LocalService\Start Menu\Programs\Startup\scandisk.dll
    c:\documents and settings\LocalService\Start Menu\Programs\Startup\scandisk.lnk
    c:\documents and settings\Rick\Start Menu\Programs\Startup\scandisk.dll
    c:\documents and settings\Rick\Start Menu\Programs\Startup\scandisk.lnk
    c:\documents and settings\NetworkService\Start Menu\Programs\Startup\scandisk.dll
    c:\documents and settings\NetworkService\Start Menu\Programs\Startup\scandisk.lnk
    
    Registry::
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "calc"=-
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "calc"=-
    3. Go to the Notepad window and click Edit > Paste
    4. Then click File > Save
    5. Name the file CFScript.txt - Save the file to your Desktop
    6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

    http://i154.photobucket.com/albums/s258/evilfantasy69/CFScript-1.gif

    ComboFix will begin to execute, just follow the prompts.
    After reboot (in case it asks to reboot), it will produce a log for you.
    Post that log (Combofix.txt) in your next reply.

Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.




    Scan your computer with the ESET FREE Online Virus Scan

    * Click the ESET Online Scanner button.

    -For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    - Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
    - Double click on the esetsmartinstaller_enu.exe icon on your desktop.
    - Place a check mark next to YES, I accept the Terms of Use.

    * Click the Start button.
    * Accept any security warnings from your browser.
    * Leave the check mark next to Remove found threats and place a check next to Scan archives.
    * Click the Start button.
    * ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
    * When the scan completes, click List of found threats.
    * Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
    * Click the <<Back button then click Finish.

    In your next reply please attach the ESET Online Scan Log



    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).


    Also let me know how the computer is running now.


    Next post please attach:



    • ComboFix log
    • ESET log
    • New C:\MGlogs.zip
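The O4 lines listed above show the two persistence spots this infection used: rundll32 entries under the Run keys, and Startup-folder items planted in every profile, including the service accounts that never log on. As an added example (not a MajorGeeks tool and not part of HijackThis), here is a small Python triage script that parses O4 lines of that shape and explains why each one is worth a look. The sample lines are constructed, modelled on the ones in the post; the "lookalike name" list and the profile/temp path heuristic are assumptions for illustration, not a signature set.

```python
"""Triage HijackThis O4 (autostart) lines for persistence review.

Added example for this thread; the heuristics below are assumptions
about what an ordinary O4 entry looks like, not an authoritative list.
"""
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the O4 lines quoted in the post above,
# plus one ordinary entry so the benign case is exercised as well.
SAMPLE_O4_LINES = r"""
O4 - HKLM\..\Run: [calc] rundll32.exe C:\WINDOWS\system32\calc.dll,_IWMPEvents@0
O4 - HKCU\..\Run: [calc] rundll32.exe C:\DOCUME~1\NETWOR~1\protect.dll,_IWMPEvents@0
O4 - S-1-5-19 Startup: scandisk.dll (User 'LOCAL SERVICE')
O4 - S-1-5-18 Startup: scandisk.lnk = ? (User 'SYSTEM')
O4 - Startup: scandisk.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
"""

RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(
    r"^O4 - (?:(?P<sid>S-1-5-\d+|\.DEFAULT) )?Startup: (?P<item>.+?)"
    r"(?: \(User '(?P<user>[^']+)'\))?$")
# rundll32.exe <dll>,<entry point>
RUNDLL_RE = re.compile(r'(?i)rundll32(?:\.exe)?\s+"?(?P<dll>[^,"]+)"?,')

# Well-known SIDs of accounts that never log on interactively. HijackThis
# shows them when it walks every profile's Startup folder.
NON_INTERACTIVE = {"S-1-5-18": "SYSTEM", "S-1-5-19": "LOCAL SERVICE",
                   "S-1-5-20": "NETWORK SERVICE", ".DEFAULT": "Default user"}
# Assumption for this example: names borrowed from Windows utilities that
# ship as .exe, never as .dll (both appear in the thread's log).
LOOKALIKE_NAMES = {"calc", "scandisk"}
PROFILE_OR_TEMP = re.compile(r"(?i)\\(docume~1|documents and settings|users|temp|appdata)\\")


@dataclass
class Finding:
    line: str
    kind: str                      # "run" or "startup"
    reasons: list = field(default_factory=list)


def _check_run(cmd: str) -> list:
    """Reasons a Run-key command deserves a second look (rundll32 only)."""
    reasons = []
    m = RUNDLL_RE.search(cmd)
    if not m:
        return reasons
    dll = m.group("dll").strip()
    base = dll.rsplit("\\", 1)[-1].lower()
    if PROFILE_OR_TEMP.search(dll):
        reasons.append("rundll32 loads a DLL from a user profile or temp path")
    if base.rsplit(".", 1)[0] in LOOKALIKE_NAMES:
        reasons.append(f"DLL name mimics a Windows utility ({base})")
    return reasons


def _check_startup(sid, item: str) -> list:
    """Reasons a Startup-folder item deserves a second look."""
    reasons = []
    if sid in NON_INTERACTIVE:
        reasons.append(f"Startup item for non-interactive account {NON_INTERACTIVE[sid]}")
    name = item.split(" = ", 1)[0].strip().lower()
    stem, _, ext = name.rpartition(".")
    if ext == "dll":
        reasons.append("raw DLL in a Startup folder (cannot run by itself; expect a companion loader)")
    if item.endswith(" = ?"):
        reasons.append("shortcut whose target HijackThis could not resolve")
    if stem in LOOKALIKE_NAMES:
        reasons.append(f"file name mimics a Windows utility ({name})")
    return reasons


def analyze_o4(text: str) -> list:
    """Return a Finding for every O4 line that trips at least one heuristic."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("O4 - "):
            continue
        m = RUN_RE.match(line)
        if m:
            reasons = _check_run(m.group("cmd"))
            if reasons:
                findings.append(Finding(line, "run", reasons))
            continue
        m = STARTUP_RE.match(line)
        if m:
            reasons = _check_startup(m.group("sid"), m.group("item"))
            if reasons:
                findings.append(Finding(line, "startup", reasons))
    return findings


if __name__ == "__main__":
    for f in analyze_o4(SAMPLE_O4_LINES):
        print(f.line)
        for r in f.reasons:
            print("   -", r)
```

Run it as-is to see the five suspicious entries explained and the Java updater left alone. The "= ?" case matters in practice: a shortcut whose target cannot be resolved is usually one whose payload has already been deleted, which is why the matching .dll and .lnk pairs are removed together in the CFScript that follows.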
     
  8. Excob

    Excob Private E-2

    EvilFantasy,

    I ran combofix and log is attached. I could not get a log for the Online Virus Scan. It found 26 errors and it said it fixed 26 errors. I then ran mgtools and log is attached. All seems to be running great ! You DAH MAN.
     

    Attached Files:

  9. evilfantasy

    evilfantasy Malware Fighter

    MSCONFIG is still not set to Normal Startup. Please fix that before continuing.



    Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

    Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

    Exit out of MessengerDisable then delete the two files that were put on the desktop.



    Delete these files/folders, as follows:

    1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
    It must be Notepad, not Wordpad.
    2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

    Code:
    KillAll::
    
    C:\2.tmp
    C:\3.tmp
    
    FCopy::
    c:\windows\ServicePackFiles\i386\ndis.sys | c:\windows\system32\dllcache\ndis.sys
    c:\windows\ServicePackFiles\i386\ndis.sys | c:\windows\system32\drivers\ndis.sys
    
    3. Go to the Notepad window and click Edit > Paste
    4. Then click File > Save
    5. Name the file CFScript.txt - Save the file to your Desktop
    6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

    http://i154.photobucket.com/albums/s258/evilfantasy69/CFScript-1.gif

    ComboFix will begin to execute, just follow the prompts.
    After reboot (in case it asks to reboot), it will produce a log for you.
    Post that log (Combofix.txt) in your next reply.

Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.



I would like to have a second opinion with another antivirus scanner since the ESET log wasn't saved. It helps to know what was found in order to know if we need to dig deeper or not. Although first please update and run MBAM. Save the log it creates.

    Open Malwarebytes' Anti-Malware.

    * Click the Update tab.
    * Click Check for Updates
    * If an update is found, it will download and install.
    * Click the Scanner tab.
    * Select Perform Quick Scan, then click Scan.
* The scan may take some time to finish, so please be patient.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Make sure that everything is checked, and click Remove Selected.
    * When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
    * The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    * Copy & Paste the entire report in your next reply.

    Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.



    Now run the BitDefender Online Scanner. Save the log to attach. Using BitDefender Online Scan



    Last run a new MGtools scan and attach the log.



    Next post please attach:

    • ComboFix log
    • Malwarebytes log
    • BitDefender log
    • New MGtools.zip
     
  10. Excob

    Excob Private E-2

I just got to work (6am central) and read your last instructions. I also am noticing that when I go online either with IE8 or with FireFox... I go online right away and then it slows to a snail's pace. Then when I look at the C: drive root, all the temp files return. Temps like 1.temp etc and a,b,c,d,e.tmp also. I will comply with the above instructions this afternoon when I get home. Thank you so much for all your continuing efforts on my behalf.
     
  11. Excob

    Excob Private E-2

    Dear EvilFantasy,
I got home and discovered that my Trendmicro Internet Security was disabled and I had 32 more viruses and my system registry was different. Also in addition I was not able to go online - got the error message that "The RPC server is unavailable" and when I tried to remove Trend Micro Internet security I got the message "The windows installer service could not be accessed".

    I want to thank you so very much for all your efforts on my behalf and I want you to know I have learned a great deal through this experience. I have especially learned the value of doing a backup once a week and getting a really good virus protection program.
    However, I am throwing in the towel and reformatting and doing a clean install.

    I am attaching the log files (Don't know why) from last night.

    Once again, thanks and I am taking Thursday off to reinstall everything back on my PC.

Thanks a Million for your Herculean efforts,
    Rick
     

    Attached Files:

  12. evilfantasy

    evilfantasy Malware Fighter

