Nasty virus

[kviez]

Hello,

I have a Dell laptop with Windows XP, media center edition, version 2002, service pack 3 with 1G of ram.  I use AVG Free 8.5 for virus protection. I have SuperAntispyware free edition.  Also, I have Malwarebytes.  I also scan with Ad-Aware. I have Online Armor for a firewall. If that is not enough info on my system please let me know.

With all of that I am still in serious trouble.  Two days ago I started getting what I assumed were phony security alert messages.  I rebooted in safe mode and tried to run scans.  AVG scanned and showed that trojans and other harmful programs were removed, but my other scans were shut down before completion.  When I rebooted the problem was still there.  I tried safe mode again and again and occasionally my computer would open other times it would freeze.  I have the log from the AVG scan if that would help - it has been a few days and additional problems have come up.  As I searched your site for self help answers on my desktop I continued to try safe mode and new scans on my laptop.  I can not get online on my laptop and all scans shut down before completion.  I now have a new program installed called Window Police Pro and I am unable to open almost all programs.  I cannot open Add/Remove Programs or even Windows Explorer. I get this error message - C:\WINDOWS\explorer.exe.  My laptop will not shutdown unless I hold the power button for a few seconds.

Is this enough information to get started?

[Karnac]

You'll have to go here....

http://www.computerhope.com/forum/index.php/topic,46313.0.html

If you've lost your connection, download the programs to a USB stick on a good PC and transfer them to your PC.
If you have difficulty, you may have to run them in safe mode, tap F8 at start, .
If you have difficulty, you may have to rename the programs when you save them.
If you get stuck on a step, proceed to the next .

Post the logs for step 3,4 and 6.

[kviez]

Thank you for the help so far.

I saved superantispyware, MBAM, CCleaner slim, and HJT to a memory stick.  I then opened my laptop in safe mode.  Black boxes with blue bars across the top came up and then went away.  The first read “C:\WINDOWS\system32\NTVDM.exe” in the blue bar.  The body of the box was empty.  The second read “C:\WINDOWS\system32\desote.exe.

I noticed a new icon on my desktop titled “R140747.exe” I tried to remove this in Add/Remove Programs. When I tried to open “Add/Remove Programs” I got an error message titled: C:\WINDOWS\system32\rundll.exe.

I tried to open superantispyware and a box came up with a blue bar across the top that read “C:\WINDOWS\system32\desote.exe. Another box came up over the top of the last one and it read: 16 bit MS-DOS subsystem in the top blue bar.  The internal message bar read: C:\WINDOWS\system32\desote.exe. With an error message of “The NTVDM CPU has encountered an illegal instruction

CS:0de 8 1D OP: ff ff ff ff ff chose ‘close’ to terminate the application.  Below the message were two options to click ‘Close’ and ‘ignore’.

I received the same message when I tried to open MBAM, HJT, and CCleaner.

I rebooted in normal mode, tried to run the programs and received an error message each time. That looked like this: F:\ccsetup223_slim.exe

At one point in normal mode a box appeared with the blue bar reading “svchose.exe” and the message “svdhost.exe has encountered a problem and needs to close.  I renamed the files, but kept getting the same error message the only thing different was file name.

While in normal mode “Windows Police Pro” kept automatically starting up. At one point I counted seven sessions along the bottom bar.

I re-booted in safe mode and tried to open the files with changed names. This time a black box with a blue bar across the top would pop up, but disappear before I could read it.

I am not sure if this will help, but about two months ago I backed up my whole system to an external hard drive.

I hope the info that I provided above is useful. Thanks for taking the time to help me. I really am a novice here and I appreciate any help that you have to offer.

[SuperDave]

Hello Kviez. Welcome to Computer Hope Forum. Sorry for the mixup and delay in getting to your post. My name is Superdave but you can just call me SD. I will be helping you out with your particular problem on your computer. I'm working under the guidance of one of the Malware experts on this forum so it may take a bit longer to fix your problem but not too long.

Use the following instructions to remove Windows Police Pro (Uninstall instructions)

1. Remove Windows Police Pro main components.
Please download OTM by OldTimer from here to your desktop.
Note: If you are running on Vista, right-click on OTM.exe and choose Run As Administrator.
* Save it to your Desktop.
* Double-click OTM.exe to run it.
* Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

Code: [Select]

:Processes
explorer.exe
svchasts.exe
windows Police Pro.exe

:services
AntipPro2009_100

:reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{76DC0B63-1533-4ba9-8BE8-D59EB676FA02}]

:files
%windir%\system32\desote.exe
%windir%\system32\dddesot.dll
%windir%\svchasts.exe
%ProgramFiles%\Windows Police Pro

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

Return OTM. right-click in the “Paste Instructions for Items to be Moved” window (under the yellow bar): and choose paste.

Click the red Moveit! button.

* Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTM

Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.

2. Repair running .exe files.
Click Start, Run. Type command and press Enter. Type notepad and press Enter.
Notepad opens. Copy all the text below into Notepad.

Code: [Select]

Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
Save this as fix.reg to your Desktop (remember to select Save as file type: All files in Notepad.)
Double Click fix.reg and click YES for confirm.
Reboot your computer.

3. Remove Windows Police Pro associated malware.

Download MalwareBytes Anti-malware (MBAM) from here . Close all programs and Windows on your computer.

Double Click mbam-setup.exe to install the application. When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing, make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Select Perform Quick Scan, then click Scan, it will start scanning your computer for Windows Police Pro infection. This procedure can take some time, so please be patient.

When the scan is complete, click OK, then Show Results to view the results. You will see a list of infected items.

Make sure that everything is checked, and click Remove Selected to start Windows Police Pro removal process. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.
In your next post please include OTM results and MBAM log

[kviez]

SD,

You can call me Karen.  I really appreciate your help. 

Okay, I can not get online on my laptop. I downloaded OTM to my uninfected desktop and moved then moved it to a memory stick.  I powered up my laptop and tried to open OTB from my memory stick and received the following error message:

Error
“F:\OTM.exe” with an OK box to check.

A message box popped up along the bottom right– similar to the “you have lost your connection” or “Windows updates are ready to be installed” messages.  This stated: Running of application is impossible the file OTM.exe is infected.

 I then moved OTM to my desktop, tried to open it and received the following message:

Error
“C:\Documents and Settings\James Robinson\Desktop.OTM.exe”  with an OK box to click

Another error message came up and I am not sure what triggered it.

Error
“C:\WINDOWS\System32\regsvr32.exe”  /s C:\WINDOWS\Temp~19dll

I then tried to turn of my laptop – as everything was powering down windows police pro popped up and began its phony scan.  I had to hold down the power button in order to turn it off.

Next I rebooted in safe mode.  OTM.exe was no longer on my desktop.  I moved OTM.exe to my desktop once again from my memory stick.  When I tried to open it a black message box would appear and then go away very quickly.  In the blue space at the top of the box this was written:

C:\WINDOWS\System32\desote.exe

I could go no further with your instructions.  Let me know if there is a way for me to proceed.

Thanks again for your help!

Karen

[SuperDave]

Hi Karen. I sometimes have problems transferring programs with a memory stick. Can you try burning OTM to a CD-RW and see how that works?

[kviez]

SD,

I tied like you said from CD RW.  I had the same result.

Error
“C:\Documents and Settings\James Robinson\Desktop.OTM.exe”  with an OK box to click

[SuperDave]

Hi Karen, That is a nasty infection that you have and we'll have to try something else. First, try renaming OTM.exe to something else and see if it will run. If you still get an error go to this link to create a Rescue CD or to this site to create a Rescue USB. Carefully follow all the instructions for whichever method you choose.

[kviez]

SD,

Thank you for your patience and your help.  The BitDefender scan is complete and the message reads "No threats have been detected.

The top of the box reads:
BitDefener Antivirus scanner for Unices

I downloaded the file for windows: unetbootin-windows-372

How should I proceed?

[evilfantasy]

Can you try the Avira Rescue CD also. You can put it on the USB just like you did with BitDefender.

You did have it scan the C drive right?

[kviez]

Yes, I did have it on the C drive.  The scan ran fine on the infected computer - it just didn't find any threats.

Last night I tried the Avira Rescue CD, although I could not get it to load.  I moved on to the DrWeb rescue CD and had that scanning overnight.  I am not sure what happened - when I checked this morning the computer was on, but non responsive.  I powered down by holding the 'off' button and rebooted from the CD drive.  The DrWeb scan in currently running.  I will advise when the scan is complete.

Thanks for your help.

[kviez]

Okay, I re-started the DR.Web scanner about 7:30 this morning.  The scanner was running fine until 10:40 pacific time.  It has now been frozen for an hour.

Three items where identified by the scanner before it froze.

D:/Program Files/Dell/Launcher/files/3 Months Free NetZero.exe
Status: infected with Trojan.Click.1487

D:/System Volume Information/_restore{129201FA-BOAC-49B3-96B2-DEB8B91E727B}/RP475/A0040681.exe
Status: Infected with Trojan.PWS.Banker.orgin


D:/System Volume Information/_restore{129201FA-BOAC-49B3-96B2-DEB8B91E727B}/RP475/A0040932.exe
Status: archive WISE

The file being scanned when it froze, which still appears along the bottom is as follows:


D:/System Volume Information/_restore{129201FA-BOAC-49B3-96B2-DEB8B91E727B}/RP506/A00407062.exe


I do not know if the above information will help?  Please let me know.

Once again I really appreciate the help!

Karen

[evilfantasy]

Nothing there should be causing the problems you are having.

Has the scan finished and have you restarted the computer? How is it now?

[kviez]

The scan never finished. it was frozen for over an hour  - the computer was completely un-responsive.  I turned it off and re-booted from the CD drive and selected ' run scan in safe mode'.  That was at about noon pacific time and it is still scanning.

Many thanks for the support!

Karen

[evilfantasy]

Try this please.

Go to Start > Run > and type command.com then press Enter on the keyboard. Hopefully the Command window will open.

In the Command window type %systemdrive%\TSKLST.txt then press Enter on the keyboard.

See if a log pops up and post it for us please. You may need to put the notepad file on the flash drive and transfer it over to the good computer and post it from your good PC.