
Author Topic: Windows Police Pro removal attempt caused computer not to boot in normal mode  (Read 10000 times)


pkarsh

  • Guest
I had previously posted this problem in the Windows XP forum as "Can't boot XP in normal mode after running SuperAntiSpyware scan." Someone in that forum strongly suggested I post in this forum.

In brief, here is what has happened. The "Windows Police Pro" malware program window showed up on my computer (while I was looking at Craigslist). I did a Google search and found some advice about files to remove to get rid of it. I did some of that, specifically the Windows Police Pro.exe in a Windows Police Pro folder in Program Files. I also removed some registry entries that said "Windows Police Pro".

At this point I started consulting Computer Hope and started to execute the procedure described in the Malware Removal Guide. I ran CCleaner. I got the install for SuperAntiSpyware and tried to run it. The Wise Installer progress bar would flash briefly and then nothing else happened. I noticed that in a post in this forum entitled "Windows Police Pro is bugging" that someone had run into a similar problem. The poster was advised to download and run avpfind.bat and exehelp and then run the online version of SuperAntiSpyware. I carried out these steps. Please note that avpfind.bat never actually got to the point of appearing to complete, but it appears to have gotten the information it was after. I ended it by closing the command window. exehelp appeared to run to completion. When SuperAntiSpyware restarted the computer it would not come up in normal mode and would only fall back to Safe mode. The boot would proceed to the point where the graphic with the Windows logo and the progress bar was displayed, with the progress bar running. After a while, I get a blue screen of death flashing briefly and then the system boots back up in Safe mode. I cannot get it to have the blue screen display such that I can actually see what it says.

Among other things, I am wondering how to proceed. Should I try to continue the virus removal procedure by running Malwarebytes and HijackThis in Safe mode or should I try to get the system to boot normally first?

I am attaching the logs from avpfind, exehelp, and SuperAntiSpyware.  Thanks in advance for the help.

Paul Karsh


[Saving space, attachment deleted by admin]

harry 48



    Egghead

  • lay back , relax and chill out
  • Thanked: 129
    • Yes
    • Yes
    • Yes
    • Dribbling Pensioner
  • Certifications: List
  • Experience: Familiar
  • OS: Windows 7
http://www.computerhope.com/forum/index.php/topic,46313.0.html

go to above and complete , post the other 2 logs here and expert will be looking for them

pkarsh

Here are the logs you requested.

Because the procedure says to copy and paste the contents of the mbam log into the reply I am doing so below.

I was not able to update Java. As my machine is in a compromised state I want to reduce my network exposure as much as possible so I downloaded the Java update install for offline installation. When I tried to run it I got a message that said "The administrator has set policies to block this." I don't understand that as I am an administrator on this machine. The currently installed version of Java is 6.0.110.3 and appears to be dated 7/2/09.

Hope this helps. Thanks for your help.

Paul Karsh

-----------------------------------------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.41
Database version: 2991
Windows 5.1.2600 Service Pack 3 (Safe Mode)

10/21/2009 1:51:26 PM
mbam-log-2009-10-21 (13-51-26).txt

Scan type: Quick Scan
Objects scanned: 161947
Time elapsed: 8 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 3
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\kukolare.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{392f7b53-8576-4256-98a6-278b91bab301} (Trojan.Vundo.H) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wofanifip (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{392f7b53-8576-4256-98a6-278b91bab301} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\najirehot (Trojan.Vundo.H) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: c:\windows\system32\kukolare.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Vundo.H) -> Data: system32\kukolare.dll -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\kukolare.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\RECYCLER\NPROTECT\00369017.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\RECYCLER\NPROTECT\00369019.EXE (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\RECYCLER\NPROTECT\00369020.exe (Rogue.Installer) -> Quarantined and deleted successfully.
C:\RECYCLER\NPROTECT\00370324.exe (Rogue.WindowsPolicePro) -> Quarantined and deleted successfully.
C:\RECYCLER\NPROTECT\00370374.DLL (Rogue.ASC-AntiSpyware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pubegadi.exe (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bincd32.dat (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nuar.old (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\skynet.dat (Malware.Trace) -> Quarantined and deleted successfully.


[Saving space, attachment deleted by admin]

harry 48

ok read this and see if you can post it

You're running Hijackthis from Safe Mode, which means all processes that may be running in Normal mode will not be displayed in this log. Unless you're unable to boot into Normal mode we suggest running Hijackthis from there to get a full listing of programs running on the computer.

you have a number of errors and threats

you will have to delete your java and d/load from a safe pc to re-install as you said

==============================================================

Step 5: Update Your Java (JRE)

Old versions of Java have vulnerabilities that malware can use to infect your system.

First Verify your Java Version

If there are any other version(s) installed then update now.

Get the new version (if needed)

If your version is out of date install the newest version of the Sun Java Runtime Environment

Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Be sure to close ALL open web browsers before starting the installation.

Remove any old version

1. Download JavaRa and unzip the file to your Desktop.
2. Open JavaRA.exe and choose Remove Older Versions
3. Once complete exit JavaRA.
4. Run CCleaner.

Additional Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.

pkarsh

At the moment I can't boot into Normal mode. See my post in Windows XP forum "Can't boot Windows XP in Normal mode after running SuperAntiSpyWare" for more details.

I will try again to upgrade the Java.

harry 48

ok do what you can and wait for an expert , harry

edit ; you were given help by someone who may not be an expert , do not take it

pkarsh

I tried again to update my Java. I downloaded the offline install onto a USB memory stick on another computer and then tried to run the install on my computer. I got the same error. I enquired and saw that one can set software installation policies under Security settings under Administrative functions. I looked there and saw that there were no restrictions set for software installations. I looked further in the Registry. Under HKLM\Software\JavaSoft there was a key for Installed JRE Version that said 1.6.0_11 and a key for New JRE Version that said 1.6.0_15.003. It also said Last Update Finished on 13 Oct. 2009.

I looked in Services and saw that Windows Installer service was not started. I tried to start it and it said that it cannot be started in Safe mode.

It kind of looks like I have to be able to get my computer to boot in Normal mode to proceed. How should I proceed?

pkarsh

I have managed to view the contents of the blue screen of death that comes up when I try to boot normally. Unfortunately, it doesn't help much. The screen reads:

A problem has been detected and Windows has been shut down to prevent damage to your computer. Run a system diagnostic utility supplied by your hardware manufacturer. In particular, run a memory check, and check for faulty or mismatched memory. Try changing video adapters.

...

Disable or remove any newly-installed hardware and drivers. Disable or remove any newly-installed software ...

(at this point the message describes booting in Safe mode)

Technical Information:

STOP:  0x0000007F(0x8, 0x80042000, 0x0)

------------------------------------------------------------------------------------------------------

Among the "newly-installed software" is the Windows Police Pro malware, which I am in the process of trying to remove. Any other advice on repairing XP and/or being able to do a successful system restore would be appreciated. I have tried to do system restores. The process runs to completion but when the machine restarts a screen that says something like "System restore was not successful. System was not changed." appears. This message appears regardless of which restore point I use.

evilfantasy

  • Malware Removal Specialist
  • Moderator


  • Genius
  • Calm like a bomb
  • Thanked: 493
  • Experience: Experienced
  • OS: Windows 11
Download Win32kDiag.exe

Be sure to save the Win32kDiag file to your desktop.

Click on Start->Run, and copy-paste the following command (the below red text) into the "Open" box, and click OK. When it's finished, there will be a log called Win32kDiag.txt on your desktop.

"%userprofile%\desktop\win32kdiag.exe" -f -r

Post that log please.

pkarsh

When I click on the link to Win32kdiag.exe I get an error that basically says "forbidden".

I am trying to download it on a "safe" PC and then copy it onto my messed-up machine.

evilfantasy

Try this please.

Download ComboFix from one of the below links. You must rename it before saving it!

Important! You MUST save ComboFix to your desktop.

Link 1
Link 2

Rename ComboFix to Combo-Fix before saving it to the desktop.

Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

Double click on Combo-Fix.exe & follow the prompts.

Vista users Right-Click on Combo-Fix.exe and select Run as administrator (you will receive a UAC prompt, please allow it)

Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

When the scan completes it will open a text window.
 
Post the contents of that log in your next reply.

Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

pkarsh

The error I got when trying to download Win32kdiag.exe was:

Error 403!

/chaslang/files/Win32kDiag.exe

Forbidden

I assume I was trying to access a directory to which I did not have access rights.

Should I run ComboFix in place of Win32kDiag, or before it, or after it?

Can I download ComboFix to another machine and then copy it to my messed-up machine (MUM) or do I have to download it directly to my machine? I am able to boot in Safe Mode with Networking so I think I can download it directly if necessary but I want to minimize the network exposure of that machine, given its compromised state.
 

Thanks for your help.

Paul K.

evilfantasy

Quote
but I want to minimize the network exposure of that machine, given its compromised state.

You're already infected so it can't get much worse.

Try Safe Mode With Networking. If that doesn't work then you can try transferring ComboFix over.

You are on an account with Administrator privileges right?

pkarsh

I downloaded and renamed ComboFix as you instructed. I have Norton Internet Security installed but partly because I'm running in Safe mode and partly, I think, because of the virus attack I think it is compromised. When I click on it in my Start menu all I get is a window asking if I would like to run a full system scan. I said No. I looked in my Service Manager and noticed that there were a couple of services associated with NIS that were supposed to start automatically but were not running.

When I started the Combo-Fix.exe (renamed as you instructed) I got a message saying that NIS was running. I had a chat session with Norton and they said it could not start in Safe mode. I also had an issue where Combo-Fix wanted to download the Microsoft Recovery Console and then reported an error that c:\boot.ini was not correctly formatted. The error is valid because c:\boot.ini is an empty file. At this point I elected to stop the process because I wasn't sure about the Norton situation.

Here are my questions:
Should I ignore the Norton issue or is there some process I can shut down so ComboFix doesn't think Norton is running? I have attached a screen shot of my task manager showing my running processes.
Is the boot.ini error a real problem or should I proceed regardless? ComboFix offered me the choice of proceeding or quitting. I had decided to quit as explained above.

One last question - Can I run ComboFix disconnected from the network?
You may notice that I am deliberately erring on the side of being fastidious and cautious. If you find this irksome I apologize. Thanks for your help.
Paul K.


[Saving space, attachment deleted by admin]

evilfantasy

You don't have to install the Microsoft Recovery Console and you can ignore Norton and just keep going with ComboFix.

Quote
One last question - Can I run ComboFix disconnected from the network?

Yes.  ;)

pkarsh

I ran Combo-Fix. I stepped away from the computer for a few minutes and when I came back it appeared to have rebooted in Normal mode! Progress! The bad news is that I didn't get the log. How should I proceed? Should I run Combo-Fix again to try to get the log? I see that when I logged in I got some messages about "bad boy" DLLs not found (e.g. kukolare.dll) so I know I'm not out of the woods yet by any means.

Also, would it be a good thing for me to create a boot.ini file? I have seen the text of a sample on the Web and it looks pretty straightforward.

Thanks for your help so far.

Paul K.
« Last Edit: October 22, 2009, 11:18:42 PM by pkarsh »

evilfantasy

Quote
Also, would it be a good thing for me to create a boot.ini file?

No! Please don't do anything until we get this sorted out.

Look in C:\Combofix.txt and see if the log is there.

If not, run Combo-Fix again. It should produce a log this time.

pkarsh

Here is the log!!

Keep in mind that as this is the 2nd execution of ComboFix you might not see some things you were expecting or hoping to see deleted. In particular I didn't see stuff being deleted from c:\windows\system32\schtml . In fact the reason I walked away from the computer last night was to go to another computer to find out what schtml was.

Thanks for your help and for bearing with me.


[Saving space, attachment deleted by admin]

evilfantasy

Delete Combo-Fix from your desktop and download a new copy. BUT do not rename it this time!

Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

Link #1
Link #2

**Note:  It is important that it is saved directly to your Desktop

DO NOT run it yet!

Note: the below instructions were created specifically for this user. If you are not this user, DO NOT follow these directions as they could damage the workings of your system

Delete these files/folders, as follows:

1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C

Code:
KillAll::

Folder::
c:\program files\AskBarDis

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"=-

[-HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]

[-HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]


3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze

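The following PowerShell script is an added example, not code from this thread nor from ComboFix or Malwarebytes: a read-only audit of the autostart locations the MBAM log earlier in the thread shows Vundo and the rogue using (AppInit_DLLs, Run, SharedTaskScheduler, ShellServiceObjectDelayLoad, the Security Center DisableNotify values) together with the Browser Helper Object and IE Toolbar CLSID entries the CFScript above targets, reporting entries whose file is missing or whose CLSID has no registered server. Key paths come from the log and the script; the resolution of bare file names against %SystemRoot% and system32 is an assumption of mine.

```powershell
# Added example, not code from the thread, ComboFix or Malwarebytes: a read-only
# audit of the autostart and Security Center locations the MBAM log and CFScript
# above show being abused. Reports only; assumes an elevated prompt, XP or later.
$findings = New-Object 'System.Collections.Generic.List[string]'
function Add-Finding([string]$Location, [string]$Name, [string]$Detail) {
    $findings.Add(('{0} | {1} | {2}' -f $Location, $Name, $Detail))
}

# Strip arguments from a Run-key command line, honouring a quoted executable.
function Get-CommandPath([string]$Cmd) {
    $c = $Cmd.Trim()
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 1) { return $c.Substring(1, $end - 1) }
    }
    return ($c -split '\s+', 2)[0]
}

# MISSING means an autostart still names a module whose file is gone: the cause of
# the "dll not found" messages at logon mentioned above. Bare names are resolved.
function Test-ReferencedFile([string]$Location, [string]$Name, [string]$Raw) {
    $path = [Environment]::ExpandEnvironmentVariables($Raw.Trim('"'))
    if (-not $path) { return }
    if (-not [IO.Path]::IsPathRooted($path)) {   # e.g. Vundo's "system32\kukolare.dll"
        $path = @("$env:SystemRoot\$path", "$env:SystemRoot\system32\$path") |
            Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
    }
    if ($path -and (Test-Path -LiteralPath $path)) { Add-Finding $Location $Name "loads $path" }
    else { Add-Finding $Location $Name "MISSING file $Raw" }
}

# Map a CLSID to the DLL registered as its in-process COM server.
function Resolve-Clsid([string]$Location, [string]$Clsid) {
    $srv = Get-Item -LiteralPath "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32" -ErrorAction SilentlyContinue
    $dll = if ($srv) { [string]$srv.GetValue('') } else { '' }
    if ($dll) { Test-ReferencedFile $Location $Clsid $dll }
    else { Add-Finding $Location $Clsid 'orphaned: no InprocServer32 registered' }
}
$cv = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion'
$nt = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

# 1. AppInit_DLLs is loaded into every process that maps user32.dll. It is empty
#    on a clean XP install; the log shows Vundo pointing it at kukolare.dll.
$k = Get-Item -LiteralPath "$nt\Windows" -ErrorAction SilentlyContinue
$appInit = if ($k) { [string]$k.GetValue('AppInit_DLLs') } else { '' }
foreach ($dll in ($appInit -split '[,\s]+' | Where-Object { $_ })) {
    Test-ReferencedFile 'AppInit_DLLs' $dll $dll
}

# 2. Run: one value per command line (the log's "wofanifip" entry lived here).
$k = Get-Item -LiteralPath "$cv\Run" -ErrorAction SilentlyContinue
if ($k) {
    foreach ($n in $k.GetValueNames()) {
        Test-ReferencedFile 'Run' $n (Get-CommandPath ([string]$k.GetValue($n)))
    }
}

# 3. CLSID-based autostarts. SharedTaskScheduler and the IE Toolbar key hold the
#    CLSID as value NAME, SSODL as value DATA, BHOs as one SUBKEY per CLSID.
foreach ($name in 'SharedTaskScheduler', 'ShellServiceObjectDelayLoad') {
    $k = Get-Item -LiteralPath "$cv\Explorer\$name" -ErrorAction SilentlyContinue
    if (-not $k) { continue }
    foreach ($n in $k.GetValueNames()) {
        $id = if ($n -match '^\{') { $n } else { [string]$k.GetValue($n) }
        if ($id -match '^\{') { Resolve-Clsid $name $id }
    }
}
$k = Get-Item -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar' -ErrorAction SilentlyContinue
if ($k) {
    foreach ($n in $k.GetValueNames()) { if ($n -match '^\{') { Resolve-Clsid 'IE Toolbar' $n } }
}
Get-ChildItem -LiteralPath "$cv\Explorer\Browser Helper Objects" -ErrorAction SilentlyContinue |
    ForEach-Object { Resolve-Clsid 'BHO' $_.PSChildName }

# 4. Security Center: a value of 1 silences the warning that AV, firewall or
#    updates are off, which is exactly what the log shows the rogue setting.
$sc = Get-Item -LiteralPath 'HKLM:\SOFTWARE\Microsoft\Security Center' -ErrorAction SilentlyContinue
foreach ($v in 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify') {
    if ($sc -and $sc.GetValue($v) -eq 1) { Add-Finding 'SecurityCenter' $v 'notifications SUPPRESSED' }
}
$findings   # one line per entry; review everything marked MISSING, orphaned or SUPPRESSED
```

Legitimate shell extensions (shell32.dll, browseui.dll and similar) will appear as "loads" lines; the entries worth attention are the MISSING, orphaned and SUPPRESSED ones. On 64-bit Windows the 32-bit view under Wow6432Node is not covered by this script.
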
pkarsh

Here is the log.


[Saving space, attachment deleted by admin]

evilfantasy

Ok we are looking good now.

Let's do some cleanup and a final scan to make sure nothing was missed.

* Click START then RUN - Vista users press the Windows Key and the R keys for the Run box.
* Now type Combofix /u in the runbox
* Make sure there's a space between Combofix and /u
* Then hit Enter

The above procedure will:
* Delete ComboFix and its associated files and folders.
* Reset the clock settings.
* Hide file extensions, if required.
* Hide System/Hidden files, if required.
* Set a new, clean Restore Point.

----------

Clean out your temporary internet files and temp files.

Download TFC by OldTimer to your desktop.

Double-click TFC.exe to run it.

Note: If you are running on Vista, right-click on the file and choose Run As Administrator

TFC will close all programs when run, so make sure you have saved all your work before you begin.

* Click the Start button to begin the cleaning process.
* Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. 
* Please let TFC run uninterrupted until it is finished.

Once TFC is finished it should restart your computer. If it does not, please manually restart the computer yourself to ensure a complete cleaning.

----------

ESET Online Scan

Scan your computer with the ESET FREE Online Virus Scan

* Click the ESET Online Scanner button.

* For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
* Click on the esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop
* Double click on the esetsmartinstaller_enu.exe icon on your desktop.
* Place a check mark next to YES, I accept the Terms of Use.

* Click the Start button.
* Accept any security warnings from your browser.
* Leave the check mark next to Remove found threats and place a check next to Scan archives.
* Click the Start button.
* ESET will then download updates, install, and begin scanning your computer. Please be patient as this can take some time.
* When the scan completes, click List of found threats.
* Next click Export to text file and save the file to your desktop using a name such as ESETScan. Include the contents of this report in your next reply.
* Click the <<Back button then click Finish.

In your next reply please include the ESET Online Scan Log

pkarsh

Here is the ESET scan log


[Saving space, attachment deleted by admin]

evilfantasy

Looks good. How is the computer running now?

pkarsh

It comes up in Normal mode OK and I don't think I'm getting any errors when I log in. I think my Norton Internet Security is seriously compromised as the icon is not in the startup tray or whatever that thing is called on the bottom right corner. When I select it from the menu or the desktop nothing happens. When I select Norton SystemWorks a box comes up that says something to the effect that the installation is corrupted and that I should uninstall it. I also notice that my screen saver isn't running, that is, my desktop is still showing after the computer has been sitting for several hours. I disconnected the network cable as soon as I was done with your instructions as I am concerned about not having a good antivirus installation (even though it didn't exactly come through in the clutch for me before).

I have been out since very early this morning and so I haven't looked at my computer today. I am thinking that I will try reconfiguring my screen saver to see if that makes it work. I will then try to uninstall my Norton SystemWorks as it says to do. I will then disconnect from the network if I am connected and uninstall my Norton Internet Security. I will then reinstall these products.

Does this sound reasonable? Also, is there a product you would recommend if someone wants to do a one-time scan for viruses and malware when they are not seeing any symptoms of infection?

Thank you very very much for your help. Is there something I could do like making a token donation or something?

Regards,
Paul Karsh


evilfantasy

Yes reinstall Norton. Any other computer problems (non-malware) will need to be addressed in the Windows forum.

Here are a few more suggestions.

Use the Secunia Software Inspector to check for out of date software.
  • Click Start Now
  • Check the box next to Enable thorough system inspection.
  • Click Start
  • Allow the scan to finish and scroll down to see if any updates are needed.
  • Update anything listed.
----------

Go to Microsoft Windows Update and get all critical updates.

----------

I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

SpywareBlaster - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* Using SpywareBlaster to protect your computer from Spyware and Malware
* If you don't know what ActiveX controls are, see here

Protect yourself against spyware using the Immunize feature in Spybot - Search & Destroy. Guide: Use Spybot's Immunize Feature to prevent spyware infection in real-time. Note: To ensure you have the latest Immunizations always update Spybot - Search & Destroy before Immunizing. Spybot - Search & Destroy FAQ

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.

pkarsh

OK. Thanks again for your help! I think I'm pretty much up-to-date on Windows updates (SP3+). I assume that after I reinstall Norton I'm good to go and can then work with the other products you suggested.

Paul K.