
Author Topic: Windows Police Pro removal attempt caused computer not to boot in normal mode  (Read 9967 times)


pkarsh

  • Guest
I had previously posted this problem in the Windows XP forum as "Can't boot XP in normal mode after running SuperAntiSpyware scan." Someone in that forum strongly suggested I post in this forum.

In brief, here is what has happened. The "Windows Police Pro" malware program window showed up on my computer (while I was looking at Craigslist). I did a Google search and found some advice about files to remove to get rid of it. I did some of that, specifically the Windows Police Pro.exe in a Windows Police Pro folder in Program Files. I also removed some registry entries that said "Windows Police Pro".

At this point I started consulting Computer Hope and started to execute the procedure described in the Malware Removal Guide. I ran CCleaner. I got the install for SuperAntiSpyware and tried to run it. The Wise Installer progress bar would flash briefly and then nothing else happened. I noticed that in a post in this forum entitled "Windows Police Pro is bugging" someone had run into a similar problem. The poster was advised to download and run avpfind.bat and exehelp and then run the online version of SuperAntiSpyware. I carried out these steps. Please note that avpfind.bat never actually got to the point of appearing to complete, but it appears to have gotten the information it was after. I ended it by closing the command window. exehelp appeared to run to completion. When SuperAntiSpyware restarted the computer it would not come up in normal mode and would only fall back to Safe mode. The boot would proceed to the point where the graphic with the Windows logo and the progress bar was displayed, with the progress bar running. After a while, I get a blue screen of death flashing briefly and then the system boots back up in Safe mode. I cannot get it to hold the blue screen display long enough that I can actually see what it says.

Among other things, I am wondering how to proceed. Should I try to continue the virus removal procedure by running Malwarebytes and HijackThis in Safe mode, or should I try to get the system to boot normally first?

I am attaching the logs from avpfind, exehelp, and SuperAntiSpyware.  Thanks in advance for the help.

Paul Karsh


[Saving space, attachment deleted by admin]

harry 48

http://www.computerhope.com/forum/index.php/topic,46313.0.html

Go to the above and complete it, post the other 2 logs here and an expert will be looking for them.

pkarsh

  • Guest
Here are the logs you requested.

Because the procedure says to copy and paste the contents of the mbam log into the reply I am doing so below.

I was not able to update Java. As my machine is in a compromised state I want to reduce my network exposure as much as possible so I downloaded the Java update install for offline installation. When I tried to run it I got a message that said "The administrator has set policies to block this." I don't understand that as I am an administrator on this machine. The currently installed version of Java is 6.0.110.3 and appears to be dated 7/2/09.

Hope this helps. Thanks for your help.

Paul Karsh

-----------------------------------------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.41
Database version: 2991
Windows 5.1.2600 Service Pack 3 (Safe Mode)

10/21/2009 1:51:26 PM
mbam-log-2009-10-21 (13-51-26).txt

Scan type: Quick Scan
Objects scanned: 161947
Time elapsed: 8 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 3
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\kukolare.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{392f7b53-8576-4256-98a6-278b91bab301} (Trojan.Vundo.H) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wofanifip (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{392f7b53-8576-4256-98a6-278b91bab301} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\najirehot (Trojan.Vundo.H) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\kukolare.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\kukolare.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\kukolare.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\RECYCLER\NPROTECT\00369017.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\RECYCLER\NPROTECT\00369019.EXE (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\RECYCLER\NPROTECT\00369020.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\RECYCLER\NPROTECT\00370324.exe (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\RECYCLER\NPROTECT\00370374.DLL (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pubegadi.exe (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bincd32.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nuar.old (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\skynet.dat (Malware.Trace) -> Quarantined and deleted successfully.


[Saving space, attachment deleted by admin]
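As an added example (not from the thread, and not Malwarebytes' own code), here is a small Python parser for the MBAM 1.41 log format pasted above. It groups each detection by the autostart location it lives in, so a defender can see how Trojan.Vundo.H re-arms itself at boot (Run key, ShellServiceObjectDelayLoad, AppInit_DLLs) and which entries MBAM could only schedule for deletion at the next reboot. The sample log is constructed from the entries above; the mechanism labels are my own.

```python
import re
from collections import Counter

# Constructed sample in Malwarebytes 1.41 log format, abbreviated from the
# log pasted above (same kinds of detections, fewer lines).
SAMPLE_LOG = r"""Memory Modules Infected:
c:\WINDOWS\system32\kukolare.dll (Trojan.Vundo.H) -> Delete on reboot.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wofanifip (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\najirehot (Trojan.Vundo.H) -> Delete on reboot.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\kukolare.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Files Infected:
C:\RECYCLER\NPROTECT\00369019.EXE (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
"""

# One detection line: "<item> (<family>) -> [Data: <value> ->] <action>"
DETECTION = re.compile(r"^(?P<item>.+?) \((?P<family>[\w.\-]+)\) -> (?P<rest>.+)$")

# Autostart locations Windows consults at boot/logon (matched case-insensitively):
# this is where Vundo re-arms itself; anything else is a plain file/module hit.
PERSISTENCE = {"\\currentversion\\run\\": "Run key",
               "\\sharedtaskscheduler\\": "SharedTaskScheduler",
               "\\shellserviceobjectdelayload\\": "ShellServiceObjectDelayLoad",
               "\\appinit_dlls": "AppInit_DLLs",
               "\\security center\\": "Security Center tampering"}

def classify(item):
    return next((l for n, l in PERSISTENCE.items() if n in item.lower()), "file/module")

def parse_mbam_log(text):
    """One dict per detection line; section headers and blank lines are skipped."""
    found = []
    for line in text.splitlines():
        m = DETECTION.match(line.strip())
        if not m:
            continue
        parts = [p.strip() for p in m["rest"].split("->")]
        data = parts[0][5:].strip() if parts[0].startswith("Data:") else None
        found.append({"item": m["item"], "family": m["family"], "data": data,
                      "action": parts[-1], "mechanism": classify(m["item"])})
    return found

def summarize(detections):
    """Count hits per mechanism; list reboot-pending items and AppInit-injected DLLs."""
    return {"by_mechanism": dict(Counter(d["mechanism"] for d in detections)),
            "pending_reboot": [d["item"] for d in detections if d["action"] == "Delete on reboot."],
            "appinit_dlls": [d["data"] for d in detections if d["mechanism"] == "AppInit_DLLs" and d["data"]]}
```

Running `summarize(parse_mbam_log(SAMPLE_LOG))` shows the same DLL both in memory and named in AppInit_DLLs, which is why it can only be removed at reboot.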

harry 48

OK, read this and see if you can post it.

You're running Hijackthis from Safe Mode, which means all processes that may be running in Normal mode will not be displayed in this log. Unless you're unable to boot into Normal mode we suggest running Hijackthis from there to get a full listing of programs running on the computer.

You have a number of errors and threats.

You will have to delete your Java and d/load from a safe PC to re-install, as you said.

==============================================================

Step 5: Update Your Java (JRE)

Old versions of Java have vulnerabilities that malware can use to infect your system.

First, verify your Java version.

If there are any other version(s) installed then update now.

Get the new version (if needed)

If your version is out of date, install the newest version of the Sun Java Runtime Environment.

Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Be sure to close ALL open web browsers before starting the installation.

Remove any old version

1. Download JavaRa and unzip the file to your Desktop.
2. Open JavaRa.exe and choose Remove Older Versions.
3. Once complete, exit JavaRa.
4. Run CCleaner.

Additional Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.

pkarsh

  • Guest
At the moment I can't boot into Normal mode. See my post in Windows XP forum "Can't boot Windows XP in Normal mode after running SuperAntiSpyWare" for more details.

I will try again to upgrade the Java.

harry 48

OK, do what you can and wait for an expert. harry

Edit: you were given help by someone who may not be an expert, do not take it.

pkarsh

  • Guest
I tried again to update my Java. I downloaded the offline install onto a USB memory stick on another computer and then tried to run the install on my computer. I got the same error. I enquired and saw that one can set software installation policies under Security settings under Administrative functions. I looked there and saw that there were no restrictions set for software installations. I looked further in the Registry. Under HKLM\Software\JavaSoft there was a key for Installed JRE Version that said 1.6.0_11 and a key for New JRE Version that said 1.6.0_15.003. It also said Last Update Finished on 13 Oct. 2009.

I looked in Services and saw that Windows Installer service was not started. I tried to start it and it said that it cannot be started in Safe mode.

It kind of looks like I have to be able to get my computer to boot in Normal mode to proceed. How should I proceed?

pkarsh

  • Guest
I have managed to view the contents of the blue screen of death that comes up when I try to boot normally. Unfortunately, it doesn't help much. The screen reads:

A problem has been detected and Windows has been shut down to prevent damage to your computer. Run a system diagnostic utility supplied by your hardware manufacturer. In particular, run a memory check, and check for faulty or mismatched memory. Try changing video adapters.

...

Disable or remove any newly-installed hardware and drivers. Disable or remove any newly-installed software ...

(at this point the message describes booting in Safe mode)

Technical Information:

STOP:  0x0000007F(0x8, 0x80042000, 0x0)

------------------------------------------------------------------------------------------------------

Among the "newly-installed software" is the Windows Police Pro malware, which I am in the process of trying to remove. Any other advice on repairing XP and/or being able to do a successful system restore would be appreciated. I have tried to do system restores. The process runs to completion but when the machine restarts a screen that says something like "System restore was not successful. System was not changed." appears. This message appears regardless of which restore point I use.

evilfantasy

  • Malware Removal Specialist
  • Moderator

Download Win32kDiag.exe

Be sure to save the Win32kDiag file to your desktop.

Click on Start->Run, copy-paste the following command into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop.

"%userprofile%\desktop\win32kdiag.exe" -f -r

Post that log please.

pkarsh

  • Guest
When I click on the link to Win32kdiag.exe I get an error that basically says "forbidden".

I am trying to download it on a "safe" PC and then copy it onto my messed-up machine.

evilfantasy

Try this please.

Download ComboFix from one of the below links. You must rename it before saving it!

Important! You MUST save ComboFix to your desktop.

Link 1
Link 2

Rename ComboFix to Combo-Fix before saving it to the desktop.

Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click on Combo-Fix.exe & follow the prompts.

Vista users: right-click on Combo-Fix.exe and select Run as administrator (you will receive a UAC prompt, please allow it).

Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

When the scan completes it will open a text window.

Post the contents of that log in your next reply.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

pkarsh

  • Guest
The error I got when trying to download Win32kdiag.exe was:

Error 403!

/chaslang/files/Win32kDiag.exe

Forbidden

I assume I was trying to access a directory to which I did not have access rights.

Should I run ComboFix in place of Win32kDiag, or before it, or after it?

Can I download ComboFix to another machine and then copy it to my messed-up machine (MUM) or do I have to download it directly to my machine? I am able to boot in Safe Mode with Networking so I think I can download it directly if necessary but I want to minimize the network exposure of that machine, given its compromised state.

Thanks for your help.

Paul K.

evilfantasy

Quote
but I want to minimize the network exposure of that machine, given its compromised state.

You're already infected, so it can't get much worse.

Try Safe Mode With Networking. If that doesn't work then you can try transferring ComboFix over.

You are on an account with Administrator privileges right?

pkarsh

  • Guest
I downloaded and renamed ComboFix as you instructed. I have Norton Internet Security installed but, partly because I'm running in Safe mode and partly, I think, because of the virus attack, I think it is compromised. When I click on it in my Start menu all I get is a window asking if I would like to run a full system scan. I said No. I looked in my Service Manager and noticed that there were a couple of services associated with NIS that were supposed to start automatically but were not running.

When I started the Combo-Fix.exe (renamed as you instructed) I got a message saying that NIS was running. I had a chat session with Norton and they said it could not start in Safe mode. I also had an issue where Combo-Fix wanted to download the Microsoft Recovery Console and then reported an error that c:\boot.ini was not correctly formatted. The error is valid because c:\boot.ini is an empty file. At this point I elected to stop the process because I wasn't sure about the Norton situation.

Here are my questions:
Should I ignore the Norton issue or is there some process I can shut down so ComboFix doesn't think Norton is running? I have attached a screen shot of my task manager showing my running processes.
Is the boot.ini error a real problem or should I proceed regardless? ComboFix offered me the choice of proceeding or quitting. I had decided to quit as explained above.

One last question - Can I run ComboFix disconnected from the network?
You may notice that I am deliberately erring on the side of being fastidious and cautious. If you find this irksome I apologize. Thanks for your help.
Paul K.


[Saving space, attachment deleted by admin]

evilfantasy

You don't have to install the Microsoft Recovery Console and you can ignore Norton and just keep going with ComboFix.

Quote
One last question - Can I run ComboFix disconnected from the network?

Yes.  ;)