WindowsPolicePRO & Resulting complications!

Discussion in 'Malware Help (A Specialist Will Reply)' started by hbnutz, Sep 26, 2009.

  1. hbnutz

    hbnutz Private E-2

    Hi all, first post (the post that hurts the most, eh?) here on the forums. I hope you all can help! It's a doozy for me.

    The problems started when I was told that something had gone wrong when my sister tried to access a document on her flash drive that she had previously used on a school computer earlier this week. After using her flash drive, things went wrong. I came to find Windows Police PRO on the computers, and after multiple tries to run anti-malware programs and online scans, booting into safe mode, etc., I found a removal guide at bleepingcomputer.com and followed its instructions. I have two infected computers, and this procedure seemed to have a good result on one, but not the other.

    The less fortunate PC failed to run Malwarebytes after installation; it would start the scan and then close after 2 seconds with no error given. None of the currently installed anti-malware programs were able to start. Then I found this site.

    I was running through the forum's required procedure for cleaning my PC. I ran SAS and it scanned successfully, cleaned some files, and required a reboot, which I did, expecting to be able to start SAS again to get the log afterwards. But, lucky me, on restart SAS wasn't able to start, giving this error (which is also the error I now get when I try to start MWB): "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item". (I am using an admin account, btw.) So no log from SAS.

    Tried uninstalling/reinstalling MWB, with the same aforementioned problem occurring. No scan, no log.

    Started ComboFix (dl'd from the link given here) as directed; everything was going well: it installed the recovery console business and started scanning. CF detects rootkit activity and requires a reboot. I do it, and it starts scanning, gives me the names of 6 files to take note of, and says it needs to reboot again. After I jot them down, I reboot, and CF starts up, but with a line at the top to the effect of this: "update-CF.cmd is not recognized as a valid internal or external command. update-CF.cmd not found". It then proceeds to scan again, and gives me the same rootkit detection, file names, and request to reboot. The files it lists are:

    C:\WINDOWS\system32\drivers\gasfkyrqrdktqw.sys
    C:\WINDOWS\system32\gasfkyveutowqe.dll
    C:\WINDOWS\system32\gasfkyvdpqjxme.dat
    C:\WINDOWS\system32\gasfkythoehtki.dll
    C:\WINDOWS\system32\gasfkyoywrgkcw.dat
    C:\WINDOWS\system32\gasfkyovnlnniq.dll

    I downloaded RootRepeal and MGtools to use afterwards, but now that I'm in this ComboFix rootkit loop, I don't know how to safely get out of it and move on. I'm hesitant to do anything drastic like manually powering off the computer.

    So, I'm reaching out to you for help! I started your protocol after trying to fix a previous issue, and I've hit a snag that I don't know how to get out of. I have no logs because I can't get them. All I know is that the PC was infected with Windows Police Pro and I tried to remove it as directed by bleepingcomputer.com, which didn't work very well.

    Any thoughts? I'll try to provide whatever info I can. The computer is currently sitting on with the ComboFix "Rootkit!!" alert window up, telling me it needs to reboot.
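    The six paths ComboFix reported above share one random-looking prefix ("gasfky") across .sys, .dll and .dat files in system32. The following is an added example, not code from the thread or from any of the tools named in it: a small Python heuristic that takes a file listing (for instance copied from a tool log) and flags clusters of long all-letter file names sharing a common prefix across several extensions. The sample listing is constructed from the six paths above plus a few ordinary system file names.

```python
"""Flag clusters of randomly named files that share one prefix (added example)."""
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample listing: the six paths from the post plus benign names.
SAMPLE_LISTING = [
    r"C:\WINDOWS\system32\drivers\gasfkyrqrdktqw.sys",
    r"C:\WINDOWS\system32\gasfkyveutowqe.dll",
    r"C:\WINDOWS\system32\gasfkyvdpqjxme.dat",
    r"C:\WINDOWS\system32\gasfkythoehtki.dll",
    r"C:\WINDOWS\system32\gasfkyoywrgkcw.dat",
    r"C:\WINDOWS\system32\gasfkyovnlnniq.dll",
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\WINDOWS\system32\ntdll.dll",
    r"C:\WINDOWS\system32\drivers\ntfs.sys",
    r"C:\WINDOWS\system32\eventlog.dll",
    r"C:\WINDOWS\system32\msvcrt.dll",
    r"C:\WINDOWS\system32\msvcp60.dll",
]


def prefix_clusters(paths, prefix_len=6, min_files=3, min_exts=2):
    """Group file names by the first `prefix_len` letters of their stem.

    Only long, purely alphabetic stems are considered, because genuine system
    files tend to be short or to contain digits (kernel32, msvcp60).  A prefix
    is returned when it covers at least `min_files` files spanning at least
    `min_exts` distinct extensions, which is the pattern seen in the post.
    Returns {prefix: sorted list of matching paths}.
    """
    groups = defaultdict(list)
    for p in paths:
        name = PureWindowsPath(p).name.lower()
        stem, _, ext = name.rpartition(".")
        # Require a stem clearly longer than the prefix so that the prefix is
        # only part of the name, and skip anything with digits/underscores.
        if len(stem) < prefix_len + 4 or not stem.isalpha():
            continue
        groups[stem[:prefix_len]].append((ext, p))

    flagged = {}
    for prefix, items in groups.items():
        exts = {e for e, _ in items}
        if len(items) >= min_files and len(exts) >= min_exts:
            flagged[prefix] = sorted(p for _, p in items)
    return flagged


if __name__ == "__main__":
    for prefix, files in prefix_clusters(SAMPLE_LISTING).items():
        print(f"prefix {prefix!r}: {len(files)} files across extensions")
        for f in files:
            print("   ", f)
```

    The thresholds are deliberately conservative; a listing of a whole system32 directory will need the same review a human would give any heuristic hit.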
     
  2. hbnutz

    hbnutz Private E-2

    After some reading, I learned that others with this problem had been told to just shut down to break the cycle. So I did, and ran RootRepeal and MGtools successfully; logs are attached.
     

    Attached Files:

  3. evilfantasy

    evilfantasy Malware Fighter

    Welcome to Major Geeks!

    Did ComboFix create a log? If so I need you to attach it on the next reply. There should be a copy in C:\combofix.txt

    Please try this.

    Download and save the below to your PC (save it anywhere you can find it; the Desktop is fine). Then double click on it to run it.

    AVPFind.bat

    It should take a couple of minutes to run. You will see a black command prompt window while it is running and it should close when it is finished. Once it finishes, attach the c:\avplog.txt file that it will hopefully create, as long as the malware does not block the batch file from running.

    Now download and Run exeHelper
    • Please download exeHelper to your desktop.
    • Double-click on exeHelper.com to run the fix.
    • A black window should pop up, press any key to close once the fix is completed.
    • Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).


    Also please try running the below online scan:

    http://www.superantispyware.com/onlinescan.html

    Reboot immediately after scanning if it finds and removes anything. Let me know if anything was found. See if you can save a log with it.


    Now run a new scan with MGtools: Using MGtools

    Attach the below logs when finished with all of the above:
    • C:\avplog.txt - from AVPfind
    • a log from online SAS scan if you could make one
    • log.txt - from exeHelper
    • C:\MGlogs.zip - from MGtools
    The C:\ assumes that drive C is your Windows boot drive. If you boot from another drive, then use the correct drive letter above.
     
  4. hbnutz

    hbnutz Private E-2

    Hi, and thank you so much for getting back to me, I know you all are very, very busy, and I genuinely appreciate it.

    First, no, ComboFix did not create a log. I got stuck in a rootkit detection & reboot loop that never let it complete any action and make a log.

    Anyway, I followed all your directions and everything went smoothly, no errors. I had to uninstall and reinstall MGtools as the one I had already downloaded (only about a week ago) had been blocked from use, and that worked fine too.

    Thanks again for the help, I'll wait for your reply before I explore how the computer is doing too much.
     

    Attached Files:

  5. evilfantasy

    evilfantasy Malware Fighter

  6. hbnutz

    hbnutz Private E-2

    Here's the Win32k log. It ran without a problem, though avast! found a few malware (rootkit, specifically) files while win32kdiag was running and moved them to its malware chest. Hope this helps with the healing process.
     

    Attached Files:

  7. evilfantasy

    evilfantasy Malware Fighter

    Download The Avenger by Swandog46 and save it to your desktop.

    * Extract avenger.exe from the Zip file and save it to your Desktop
    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Code box below, and paste it into the Input script here window:

    Code:
    Files to move:
    C:\MGtools\temp\XPSP3\eventlog.dll | C:\WINDOWS\SYSTEM32\eventlog.dll
    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the "Reboot now?" question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will pop-up for you to view when you login after reboot.

    * Save the Avenger log to attach in your next post.


    Next:

    • Download this Win32kDiag and save to C:\Win32kDiag.exe. You must save it here!!!!
    • Click on Start->Run, and copy-paste the following command (the below red text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop. Please attach this log in the next reply.
    C:\win32kdiag.exe -f -r



    Go to Add or Remove Programs and uninstall: (if found)

    • MarketResearch


    Now go here and follow the instructions for running MBAM. Save the log it creates to attach in your next reply. Using Malwarebytes Anti-Malware

    • Note: If you already have Malwarebytes installed be sure to update it before running the scan.


    Download ComboFix to your Desktop. http://download.bleepingcomputer.com/sUBs/ComboFix.exe

    To run ComboFix. Please carefully follow the instructions in the below link to most effectively run ComboFix. If you have any problems running ComboFix, skip it and continue on but explain your problems when you come back to attach your logs.


    Now download the current version of MGtools and save it to your root folder. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )


    In your reply attach the following logs:
    • C:\avenger.txt
    • win32kdiag.txt
    • Malwarebytes log
    • ComboFix.txt
    • C:\MGlogs.zip
     
  8. hbnutz

    hbnutz Private E-2

    Here's almost everything. No problems in the scans.
     

    Attached Files:

  9. hbnutz

    hbnutz Private E-2

    And the last one. Thanks again!
     

    Attached Files:

  10. evilfantasy

    evilfantasy Malware Fighter

    We need to use Avenger again.

    * Run avenger.exe by double-clicking on it.
    * Do not change any check box options!!
    * Copy everything in the Code box below, and paste it into the Input script here window:

    Code:
    Files to move:
    C:\MGtools\temp\XPSP3\eventlog.dllmg | C:\WINDOWS\SYSTEM32\eventlog.dll
    * Now click the Execute button.
    * Click Yes to the prompt to confirm you want to execute.
    * Click Yes to the "Reboot now?" question that will appear when Avenger finishes running.
    * Your PC should reboot, if not, reboot it yourself.
    * A log file from Avenger will be produced at C:\avenger.txt and it will pop-up for you to view when you login after reboot.

    * Save the Avenger log to attach in your next post.



    Now run a new scan with MGtools and attach the new log along with the Avenger log.
     
  11. hbnutz

    hbnutz Private E-2

    Here are the logs. Also an interesting new development: upon starting up, the computer notified me that the copy of Windows XP I'm running failed validation as a genuine Microsoft product, though it's been used on this computer for years.
     

    Attached Files:

  12. evilfantasy

    evilfantasy Malware Fighter

    Depending on what all the malware has done you might need to reactivate your Windows. Let's first make sure all of the malware is removed and then see how it is running.


    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click; use right click and select Run As Administrator). This is really HijackThis; select Do a system scan only and select the following lines, but DO NOT CLICK FIX until you exit all browser sessions, including the one you are reading in right now:

    • O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    • O3 - Toolbar: Foxit Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    • O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
    • O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -
    • O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.6.0_05) -
    • O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} (Java Plug-in 1.6.0_07) -
    • O16 - DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} (Java Plug-in 1.6.0_13) -
    After clicking Fix checked, exit HJT.



    Download Disable/Remove Windows Messenger to the desktop to remove Windows Messenger.

    Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Unzip the file on the desktop. Open the MessengerDisable.exe and choose the bottom box - Uninstall Windows Messenger and click Apply.

    Exit out of MessengerDisable then delete the two files that were put on the desktop.



    Delete these files/folders, as follows:

    1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
    It must be Notepad, not Wordpad.
    2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

    Code:
    KillAll::
    
    Folder::
    C:\Program Files\AskBarDis
    
    Registry::
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{3041d03e-fd4b-44e0-b742-2d9b88305f98}"=-
    
    [-HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    
    [-HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
    
    3. Go to the Notepad window and click Edit > Paste
    4. Then click File > Save
    5. Name the file CFScript.txt - Save the file to your Desktop
    6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

    http://i154.photobucket.com/albums/s258/evilfantasy69/CFScript-1.gif

    ComboFix will begin to execute, just follow the prompts.
    After reboot (in case it asks to reboot), it will produce a log for you.
    Post that log (Combofix.txt) in your next reply.

    Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to freeze.



    Do you know what this is?

    Suspicious files to scan

    Please go to VirSCAN.org FREE on-line scan service
    (If more than one file needs scanning, they must be done separately and logs posted for each one)

    1. Copy and paste the following file path into the Suspicious files to scan box on the top of the page.
    Code:
    C:\mb.exe
    2. At the upload site, click once inside the window next to Browse.
    3. Press Ctrl+V on the keyboard (both at the same time) to paste the file path into the window.
    4. Click on the Upload button.
    This will perform a scan across multiple different virus scanning engines.
    Your file will possibly be entered into a queue which normally takes less than a minute to clear.
    Important: Wait for all of the scanning engines to complete.
    5. Once the Scan is completed scroll down and click on the Copy to Clipboard button. This will copy the link of the report into the Clipboard.
    6. Paste the contents of the Clipboard in your next reply.

    Note: If using FireFox you will need to copy the link in the address bar and post it back here instead. The Copy to Clipboard feature will not work.

    Next post please attach:

    • ComboFix log
    • VirScan report
     
  13. hbnutz

    hbnutz Private E-2

    That C:\mb.exe is the Malwarebytes install file that I had downloaded to that location. I still scanned it for you though. ComboFix log attached.

    VirSCAN.org Scanned Report :
    Scanned time : 2009/10/08 10:53:25 (EDT)
    Scanner results: All Scanners reported not find malware!
    File Name : mb.exe
    File Size : 4045544 byte
    File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
    MD5 : 7e68c6f7e3f4e1fa363374301de0b15d
    SHA1 : 46d6a1cf6c116140f00cb27f44e8dc3aafda4053
    Online report : http://virscan.org/report/affad5f5337009cdc3bb4d895731bc87.html

    Scanner Engine Ver Sig Ver Sig Date Time Scan result
    a-squared 4.5.0.8 20091008223330 2009-10-08 8.81 -
    AhnLab V3 2009.10.08.05 2009.10.08 2009-10-08 2.24 -
    AntiVir 8.2.1.35 7.1.6.88 2009-10-08 0.21 -
    Antiy 2.0.18 20091008.2980424 2009-10-08 0.48 -
    Arcavir 2009 200910071309 2009-10-07 0.09 -
    Authentium 5.1.1 200910072307 2009-10-07 1.39 -
    AVAST! 4.7.4 091007-0 2009-10-07 1.26 -
    AVG 8.5.288 270.14.7/2422 2009-10-08 2.35 -
    BitDefender 7.81008.4324059 7.28167 2009-10-08 8.73 -
    CA (VET) 9.0.0.143 35.1.7056 2009-10-08 16.34 -
    ClamAV 0.95.2 9873 2009-10-08 0.93 -
    Comodo 3.12 2537 2009-10-08 0.89 -
    CP Secure 1.3.0.5 2009.10.08 2009-10-08 0.66 -
    Dr.Web 4.44.0.9170 2009.10.08 2009-10-08 10.26 -
    F-Prot 4.4.4.56 20091007 2009-10-07 3.50 -
    F-Secure 7.02.73807 2009.10.08.07 2009-10-08 0.52 -
    Fortinet 2.81-3.120 10.918 2009-10-08 0.42 -
    GData 19.8288/19.502 20091008 2009-10-08 6.39 -
    ViRobot 20091007 2009.10.07 2009-10-07 0.73 -
    Ikarus T3.1.01.72 2009.10.08.74004 2009-10-08 4.56 -
    JiangMin 11.0.800 2009.10.08 2009-10-08 14.37 -
    Kaspersky 5.5.10 2009.10.08 2009-10-08 0.07 -
    KingSoft 2009.2.5.15 2009.10.8.18 2009-10-08 1.08 -
    McAfee 5.3.00 5764 2009-10-07 4.84 -
    Microsoft 1.5101 2009.10.08 2009-10-08 7.55 -
    Norman 6.01.09 6.01.00 2009-10-08 2.00 -
    Panda 9.05.01 2009.10.07 2009-10-07 2.92 -
    Trend Micro 8.700-1004 6.519.00 2009-10-07 0.03 -
    Quick Heal 10.00 2009.10.08 2009-10-08 2.83 -
    Rising 20.0 21.49.22.00 2009-09-30 0.81 -
    Sophos 2.90.1 4.45 2009-10-08 3.82 -
    Sunbelt 5435 5435 2009-10-07 2.52 -
    Symantec 1.3.0.24 20091007.002 2009-10-07 0.24 -
    nProtect 20091008.02 5754855 2009-10-08 40.22 -
    The Hacker 6.5.0.2 v00033 2009-10-07 1.19 -
    VBA32 3.12.10.11 20091007.1940 2009-10-07 2.42 -
    VirusBuster 4.5.11.10 10.112.62/2570460 2009-10-08 3.55 -
     

    Attached Files:
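    The VirSCAN.org report pasted above is one line per engine, with "-" in the last column meaning that engine reported nothing, and engine names that may contain spaces ("CA (VET)", "Trend Micro"). The following is an added example, not code from the thread or from VirSCAN.org: a Python parser for that text layout that pulls out the file hashes and each engine's verdict, then summarises how many engines flagged the file. The sample report is a constructed excerpt of the report above, with one constructed detection line added so the summary path is exercised.

```python
"""Parse a VirSCAN.org-style multi-engine text report (added example)."""
import re
from dataclasses import dataclass

# Constructed excerpt in the layout shown in the post: a few real engine lines
# from the report above plus one constructed detection line (ExampleAV).
SAMPLE_REPORT = """\
VirSCAN.org Scanned Report :
Scanned time : 2009/10/08 10:53:25 (EDT)
File Name : mb.exe
MD5 : 7e68c6f7e3f4e1fa363374301de0b15d
SHA1 : 46d6a1cf6c116140f00cb27f44e8dc3aafda4053

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.5.0.8 20091008223330 2009-10-08 8.81 -
CA (VET) 9.0.0.143 35.1.7056 2009-10-08 16.34 -
Trend Micro 8.700-1004 6.519.00 2009-10-07 0.03 -
Kaspersky 5.5.10 2009.10.08 2009-10-08 0.07 -
ExampleAV 1.0 100 2009-10-08 0.50 Trojan.Constructed.Sample
"""

# Anchor on the ISO date and the seconds column so that a scanner name
# containing spaces is absorbed by the lazy leading group.
_ROW = re.compile(
    r"^(?P<scanner>.+?)\s+(?P<engine>\S+)\s+(?P<sig>\S+)\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2})\s+(?P<secs>\d+\.\d+)\s+(?P<result>.+?)\s*$"
)
_HASH = re.compile(r"^(MD5|SHA1)\s*:\s*([0-9a-fA-F]+)\s*$")


@dataclass
class ScanRow:
    scanner: str
    engine: str
    signature: str
    date: str
    seconds: float
    result: str  # "-" means the engine reported nothing

    @property
    def detected(self) -> bool:
        return self.result != "-"


def parse_report(text):
    """Return (list of ScanRow, {"MD5": ..., "SHA1": ...}) from report text."""
    rows, hashes = [], {}
    for line in text.splitlines():
        m = _HASH.match(line)
        if m:
            hashes[m.group(1)] = m.group(2).lower()
            continue
        m = _ROW.match(line)
        if m:  # header and metadata lines have no ISO date and are skipped
            rows.append(ScanRow(m["scanner"], m["engine"], m["sig"],
                                m["date"], float(m["secs"]), m["result"]))
    return rows, hashes


def summarize(text):
    """Count engines and detections; the detection names are what to read."""
    rows, hashes = parse_report(text)
    hits = [r for r in rows if r.detected]
    return {"engines": len(rows), "detections": len(hits),
            "names": sorted({r.result for r in hits}), "hashes": hashes}


if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
```

    A report with zero detections, as in the post, is only as reassuring as the hash match: compare the reported MD5/SHA1 against the file you actually ran, since the upload and the local copy can differ.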

  14. evilfantasy

    evilfantasy Malware Fighter

    Thank you.

    Let's do a full virus scan now to make sure nothing else is hiding.

    Scan your computer with the ESET FREE Online Virus Scan

    * Click the ESET Online Scanner button.

    * For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    * Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
    * Double click on the esetsmartinstaller_enu.exe icon on your desktop.
    * Place a check mark next to YES, I accept the Terms of Use.

    * Click the Start button.
    * Accept any security warnings from your browser.
    * Leave the check mark next to Remove found threats and place a check next to Scan archives.
    * Click the Start button.
    * ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
    * When the scan completes, click List of found threats.
    * Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
    * Click the <<Back button then click Finish.

    In your next reply please include the ESET Online Scan Log



    Also let me know how the computer is running now.
     
  15. hbnutz

    hbnutz Private E-2

    Thank you very much! ESET didn't find any threats, so there was no log to produce. The computer is running fine, and now that I know there's nothing sneaking around on it, I'll let my parents back on it so they can do their personal work. I really appreciate the help you've given!

    One last question: Another computer in my house was exposed to the same infected flash drive this one was, but it wasn't as crippled. It's running okay, a little slow, but that might be due to low RAM on it. Normal scans don't find any malware. It isn't used for private/personal information or transactions. I'm wondering if it would be wise to start a new thread for that computer when my current complaint is just sluggishness post-infection with no inhibition of anti-malware programs?

    Again, thank you very much for all your help, you do great work.
     
  16. evilfantasy

    evilfantasy Malware Fighter

    It could be infected but we can't tell without the logs from the READ ME. If you would like to run the scans and start a new topic we will have a look.

    You're welcome.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    3. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Note: the space between combofix" and the /u must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program, which will remove files and folders related to MGtools and some other items from our cleaning procedures.
    9. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore, which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work through the below link:
     
