Windows Police Plus trojan - help!

Discussion in 'malware problems & news' started by twl845, Oct 17, 2009.

Thread Status:
Not open for further replies.
  1. twl845

    twl845 Registered Member

    Joined:
    Apr 12, 2005
    Posts:
    4,186
    Location:
    USA
    I have a computer that has contracted this trojan "Windows Police Plus" and has taken it over. This happened once before and I went to a web page that had the instructions to remove it. The problem is I can't remember the name of the page. I think it started Gee... or Bee.. Does anyone recall a site that has the instructions for removal? The last time I was hit I followed the instructions and used MalwareBytes, and got rid of it. Now when I boot up, I have no sys tray icons, and I can't access anything. Thanks in advance.
     
  2. lifetweaker

    lifetweaker Registered Member

    Joined:
    Jun 24, 2009
    Posts:
    63
    Location:
    127.0.0.1
  3. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    This won't help you now, but getting hit with something like this make many realize the importance of light virtualization, imaging and other things that would have you back up and running in minutes. Just something to think about once you get this cleaned up. Maybe time for a fresh install and then a "perfect image" of that tweaked system and next time it goes from a disaster to a minor annoyance.

    Just what you wanted to be doing this weekend I'm sure. (Ugh.) Good luck to you!
     
  4. lifetweaker

    lifetweaker Registered Member

    Joined:
    Jun 24, 2009
    Posts:
    63
    Location:
    127.0.0.1
    +1 LockBox...
     
  5. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,966
    Location:
    U.S.A.
  6. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Another Link that may be of help in removing this rogue.
     
  7. twl845

    twl845 Registered Member

    Joined:
    Apr 12, 2005
    Posts:
    4,186
    Location:
    USA
This is my daughter's computer. After she got hit the first time, I instructed her to run Returnil every time she and the grandchildren went online. Then if they got hit, all they would have to do is shut down, and it would clear the infection. It was running virtual under Returnil when it hit, and it's still there.
     
  8. twl845

    twl845 Registered Member

    Joined:
    Apr 12, 2005
    Posts:
    4,186
    Location:
    USA
JRViejo - YES, that's the site I'm looking for. Thank you big time. :D
     
  9. twl845

    twl845 Registered Member

    Joined:
    Apr 12, 2005
    Posts:
    4,186
    Location:
    USA
    Lifetweaker and Franklin - Thank you for your help. I will keep your sites to use also. :D
     
  10. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,966
    Location:
    U.S.A.
    twl845, you're welcome big time! Take care.
     
  11. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
XP VM and installed the latest version of Windows Police Pro with Returnil active, with not a byte around after a reboot to normal mode.

    MBAM wouldn't run while the rogue was active, but at reboot ran no probs and didn't find a thing?

    PC_protect.exe - Result: 13/40

[attached image: WARN.JPG]
     
  12. twl845

    twl845 Registered Member

    Joined:
    Apr 12, 2005
    Posts:
    4,186
    Location:
    USA
My daughter mustn't be telling me the whole story.
     
  13. prairie dog

    prairie dog Registered Member

    Joined:
    Jun 9, 2009
    Posts:
    129
There is also this from the MBAM forums :thumb:


EDIT: just saw that Franklin already posted this link. Sorry about that.
     
  14. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
Since users can always surprise..., I assume this infection would either have not occurred or been contained within the confines of the infected user's account under LUA and readily handled even if RVS was not active. From prior comments I noticed you used RVS 2008 - I used that version for some time under LUA/SuRun with no issue at all.

    Blue
     
  15. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
Windows Police Plus is a strange beast: so much to stop any program from running, yet very easy to terminate it via TM.
     
  16. twl845

    twl845 Registered Member

    Joined:
    Apr 12, 2005
    Posts:
    4,186
    Location:
    USA
I haven't gone to my daughter's house to clear this up yet, but speaking to her further, it seems she panicked when the Police Plus window appeared and did a hard shut down. Why? Got me! I think that although Returnil was running, shutting down the wrong way caused Returnil to not do its job. Do you agree?
     
  17. twl845

    twl845 Registered Member

    Joined:
    Apr 12, 2005
    Posts:
    4,186
    Location:
    USA
Update: I booted my daughter's computer and clicked her account to access it, and it took about 10 minutes to get the desktop. Clicking the IE icon wouldn't access IE, and no other icons worked either. I shut down and rebooted to last good configuration. I was able to access IE, but as soon as I typed in the www.bleepingcomputer url, the virus popped up saying I couldn't access IE, and the only way I had to get out was to do a hard shut down because the Police Plus window was on top and I couldn't get rid of it. Then I tried to boot to safe mode, and when I clicked enter, I got a BSOD saying my system was corrupt and I should do a check disk. How can I do a check disk if I can't boot up? Does anyone have a solution? Thanks in advance.
     
  18. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    I'm not exactly an expert, so this may not be helpful.

I'd think that if your system is corrupt a check disk (chkdsk?) alone won't do much good.

    About repairing system files: https://www.wilderssecurity.com/showthread.php?t=255099

    BartPE may be useful, but I know little about it.

    I'm not sure if the OS is corrupt.
Regardless, I think it would be a good idea to scan the computer with a bootable CD, for example an Avira Rescue CD or Dr.Web LiveCD. Make sure (check BIOS) that during the bootup sequence the CD is scanned/read first.
     
  19. twl845

    twl845 Registered Member

    Joined:
    Apr 12, 2005
    Posts:
    4,186
    Location:
    USA
Thanks for the suggestions, but even if I can get a desktop, I can't access the internet, not to mention apps.
    If anyone can help I would appreciate it. Thanks.
     
    Last edited: Oct 18, 2009
  20. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
All I can suggest is to slave the drive to another machine and run scans such as MBAM and chkdsk from there, but to be honest, with the hard reboot it may be too far gone, with a save-data, format and reinstall being the best solution maybe?
     
  21. twl845

    twl845 Registered Member

    Joined:
    Apr 12, 2005
    Posts:
    4,186
    Location:
    USA
Thanks for the response, Franklin. I played with it a little longer, and then, after saving the data, I am having someone do a re-install for me.
     
  22. Fly

    Fly Registered Member

    Joined:
    Nov 1, 2007
    Posts:
    2,069
    I'm not sure I understand.

Can't you use a different computer to download and burn the bootable CDs?
     