Windows Police Plus trojan - help!

twl845 · #1 October 17th, 2009, 03:30 PM

I have a computer that has contracted this trojan "Windows Police Plus" and has taken it over. This happened once before and I went to a web page that had the instructions to remove it. The problem is I can't remember the name of the page. I think it started Gee... or Bee.. Does anyone recall a site that has the instructions for removal? The last time I was hit I followed the instructions and used MalwareBytes, and got rid of it. Now when I boot up, I have no sys tray icons, and I can't access anything. Thanks in advance.

lifetweaker · #2 October 17th, 2009, 03:41 PM

You can try the following: http://www.tech21century.com/remove-...o-permanently/

http://www.spywarevoid.com/remove-wi...oval-help.html

LockBox · #3 October 17th, 2009, 03:49 PM

This won't help you now, but getting hit with something like this make many realize the importance of light virtualization, imaging and other things that would have you back up and running in minutes. Just something to think about once you get this cleaned up. Maybe time for a fresh install and then a "perfect image" of that tweaked system and next time it goes from a disaster to a minor annoyance.

Just what you wanted to be doing this weekend I'm sure. (Ugh.) Good luck to you!

lifetweaker · #4 October 17th, 2009, 04:15 PM

+1 LockBox...

JRViejo · #5 October 17th, 2009, 04:19 PM

twl845, perhaps this is the page: Remove Windows Police Pro (Removal Guide), from bleepingcomputer.com?

Franklin · #6 October 17th, 2009, 05:01 PM

Another Link that may be of help in removing this rogue.

twl845 · #7 October 17th, 2009, 06:15 PM

Quote:

Originally Posted by LockBox

This won't help you now, but getting hit with something like this make many realize the importance of light virtualization, imaging and other things that would have you back up and running in minutes. Just something to think about once you get this cleaned up. Maybe time for a fresh install and then a "perfect image" of that tweaked system and next time it goes from a disaster to a minor annoyance.

Just what you wanted to be doing this weekend I'm sure. (Ugh.) Good luck to you!

This is my Daughters computer. After she got hit the first time, I instructed her to run Returnil every time she and the grandchildren went on line. Then if they got hit all they would have to do is shut down, and it would clear the infection. It was running virtual under Returnil when it hit, and it's still there.

twl845 · #8 October 17th, 2009, 06:37 PM

Quote:

Originally Posted by JRViejo

twl845, perhaps this is the page: Remove Windows Police Pro (Removal Guide), from bleepingcomputer.com?

JRViego - YES that's the site I'm looking for. Thank you big time.

twl845 · #9 October 17th, 2009, 06:44 PM

Lifetweaker and Franklin - Thank you for your help. I will keep your sites to use also.

JRViejo · #10 October 17th, 2009, 06:51 PM

Quote:

Originally Posted by twl845

JRViego - YES that's the site I'm looking for. Thank you big time.

twl845, you're welcome big time! Take care.

Franklin · #11 October 17th, 2009, 10:04 PM

Quote:

Originally Posted by twl845

It was running virtual under Returnil when it hit, and it's still there.

XP VM and installed the latest version of Windows Police Pro with Returnil active with not a byte around after a reboot to normal mode.

MBAB wouldn't run while the rogue was active but at reboot ran no probs and didn't find a thing?

PC_protect.exe - Result: 13/40

Name: WARN.JPG
Views: 317
Size: 78.1 KB

twl845 · #12 October 17th, 2009, 10:13 PM

Quote:

Originally Posted by Franklin

XP VM and installed the latest version of Windows Police Pro with Returnil active with not a byte around after a reboot to normal mode.

MBAB wouldn't run while the rogue was active but at reboot ran no probs and didn't find a thing?

PC_protect.exe - Result: 13/40

Attachment 213105

My Daughter mustn't be telling me the whole story.

prairie dog · #13 October 17th, 2009, 10:15 PM

There is also this from the MBAM forums

EDIT: just saw that Franklin already posted this link. Sorry bout that

BlueZannetti · #14 October 17th, 2009, 10:26 PM

Quote:

Originally Posted by twl845

This is my Daughters computer. After she got hit the first time, I instructed her to run Returnil every time she and the grandchildren went on line. Then if they got hit all they would have to do is shut down, and it would clear the infection. It was running virtual under Returnil when it hit, and it's still there.

Since users can always surprise....., I assume this infection would either have not occurred or been contained within the confines of the infected user's account under LUA and readily handled even if RVS was not active. From prior comments I noticed you used RVS 2008 - I used that version for some time under LUA/SuRun with no issue at all.

Blue

Meriadoc · #15 October 18th, 2009, 09:11 AM

Windows Police Plus is a strange beast, so much to stop any program from running yet very easy to terminate it via tm.

twl845 · #16 October 18th, 2009, 10:01 AM

Quote:

Originally Posted by twl845

My Daughter mustn't be telling me the whole story.

I haven't gone to my Daughters house to clear this up yet, but speaking to her further, it seems she panicked when the Police Plus window appeared, and did a hard shut down. Why? Got me! I think that although returnil was running, shutting down the wrong way caused Returnil to not do its job. Do you agree?

twl845 · #17 October 18th, 2009, 12:55 PM

Update: I booted my Daughters computer, and clicked her account to access it, and it took about 10 minutes to get the desktop. Clicking the IE icon wouldn't access IE and no other icons worked either. I shut down and rebooted to last good configuration. I was able to access IE, but as soon as I typed in the www.bleepingcomputer url, the virus popped up saying I couldn't access IE, and the only way I had to get out was to do a hard shut down because the Police Plus window was on top and I couldn't get rid of it. Then I tried to boot to safe mode, and when I clicked enter, I got a BSOD saying my system was corrupt and I should do a check disk. How can I do a check disk if I can't boot up? Does anyone have a solution? Thanks in advance.

Fly · #18 October 18th, 2009, 04:28 PM

Quote:

Originally Posted by twl845

Update: I booted my Daughters computer, and clicked her account to access it, and it took about 10 minutes to get the desktop. Clicking the IE icon wouldn't access IE and no other icons worked either. I shut down and rebooted to last good configuration. I was able to access IE, but as soon as I typed in the www.bleepingcomputer url, the virus popped up saying I couldn't access IE, and the only way I had to get out was to do a hard shut down because the Police Plus window was on top and I couldn't get rid of it. Then I tried to boot to safe mode, and when I clicked enter, I got a BSOD saying my system was corrupt and I should do a check disk. How can I do a check disk if I can't boot up? Does anyone have a solution? Thanks in advance.

I'm not exactly an expert, so this may not be helpful.

I'd think that if your system is corrupt a check disk (chkdsk ?) alone won't do much good.

About repairing system files: http://www.wilderssecurity.com/showthread.php?t=255099

BartPE may be useful, but I know little about it.

I'm not sure if the OS is corrupt.
Regardless, I think it would be a good idea to scan the computer with a bootable CD, for example an Avira Rescue CD or DR WEB LiveCD. Make sure (check BIOS) that during the bootup sequence the CD is scanned/read first.

twl845 · #19 October 18th, 2009, 05:05 PM

Quote:

Originally Posted by Fly

I'm not exactly an expert, so this may not be helpful.

I'd think that if your system is corrupt a check disk (chkdsk ?) alone won't do much good.

About repairing system files: http://www.wilderssecurity.com/showthread.php?t=255099

BartPE may be useful, but I know little about it.

I'm not sure if the OS is corrupt.
Regardless, I think it would be a good idea to scan the computer with a bootable CD, for example an Avira Rescue CD or DR WEB LiveCD. Make sure (check BIOS) that during the bootup sequence the CD is scanned/read first.

Thanks for the suggestions, but if I can get a desktop, I can't access the internet, not to mention apps.
If anyone can help I would appreciate it. Thanks

Franklin · #20 October 18th, 2009, 07:00 PM

Quote:

Originally Posted by twl845

How can I do a check disk if I can't boot up? Does anyone have a solution? Thanks in advance.

All I can suggest is to slave the drive to another machine and run scans such as MBAM and chkdsk from there but to be honest with the hard reboot it may be be too far gone with a save data, format reinstall being the best solution maybe?

twl845 · #21 October 19th, 2009, 03:47 PM

Quote:

Originally Posted by Franklin

All I can suggest is to slave the drive to another machine and run scans such as MBAM and chkdsk from there but to be honest with the hard reboot it may be be too far gone with a save data, format reinstall being the best solution maybe?

Thanks for the response Franklin. I played with it a little longer and then saving the data, am having someone do a re-install for me.

Fly · #22 October 19th, 2009, 04:29 PM

Quote:

Originally Posted by twl845

Thanks for the suggestions, but if I can get a desktop, I can't access the internet, not to mention apps.
If anyone can help I would appreciate it. Thanks

I'm not sure I understand.

Can't you use a different computer to download and burn the bootable CDs ?

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search