Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Exhausted all my options so far for Windows Police Removal

  • This topic is locked This topic is locked
8 replies to this topic

#1 8eight


  • Members
  • 38 posts
  • Local time:01:14 PM

Posted 30 September 2009 - 01:58 PM

Exhausted all my options so far hope you guys can help.

There is a thread with a similar situation but the users desktop seems intact still


So last night I got the "Windows Police Pro" pop up telling me my system is infected and that I "need" to purchase the software. I thought nothing of it exited out the windows only to have it pop up again. I went ahead and ran CCleaner cleaning out my windows file and checking app registry. I then went ahead a tried to perform a full scan with malewarebyte's and it's been downhill since then. The system froze during the scan and I had to reboot, upon restarting the desktop icons/start menu weren't loading and I noticed explorer.exe was not in my task manager. I went on my other computer and searched for removal guides, and unfortunately for me in one it said "do not run a full scan with malwarebyte's as it will cause your computer to crash" ...d'oh.

What I've done since is to download the recommended software again on a clean computer (malwarebytes, SpyNoMore, etc) and tried following the guides to end the related .exe tasks and cleaning out my programs and documents folders. So now theres no more pop up but no more desktop either. I've tried Safe Mode, and my desktop doesn't load there either. After spending time with a microsoft tech, going through my registry they suggested I reinstall windows which I'm hoping to avoid if possible.

Current Status:

When login to Admin profile, Desktop doesn't load and further I am now locked out of Task Manager and can't even try manual cleaning.

For the time being I can still access my alternate profile and safe mode but again no desktop.

I've run Symantec which seems to work but its not succeeding in removing some of the objects found and I can't find them directly.

I have since been able to run CCleaner but doesn't solve the problem
Malewarebytes unfortunately crashes a few seconds into the scan as does SpyNoMore.

please I just want to get rid of this junk. Thanks

BC AdBot (Login to Remove)


#2 syler


  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:06:14 PM

Posted 30 September 2009 - 02:46 PM

Hi 88888888 :(

Can you tell me the name of the infected items Symantec is finding?

Boot up in to Safe mode with networking to do the Gmer scan.

We need to scan for Rootkits with GMER
  • Please download GMER from one of the following locations, and save it to your desktop:
    • Main Mirror
      This version will download a randomly named file (Recommended)
    • Zip Mirror
      This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs, as this process may crash your computer.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Double click on Gmer to run it.
  • Allow the gmer.sys driver to load if asked.
  • You may see a rootkit warning window, If you do, click No.
  • Click on Posted Image and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push Posted Image and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.



#3 8eight

  • Topic Starter

  • Members
  • 38 posts
  • Local time:01:14 PM

Posted 30 September 2009 - 04:32 PM

Hey Syler thanks for replying.

I haven't been able to run symantec, but I tried SpyNoMore again and it scanned for 30 seconds or so before it was shutdown. However it did find 1 "trojan" in the registry along the lines of "HKEY_Local Machine\Software\Microsoft\Windows NT\Current Version\Winlogon, useint

Also bear with me, as I said I've been locked out of Desktop/start menu/task manager on my admin profile so I can only access my secondary profile and safe mode and even then its only through task manager and manually running everything. Also in safe mode the screen resolution is at the wrong setting and I can't actually see the "save" button so I ended up just copying and saving it on notepad to post here. Anyways heres the log from GMER

GMER - http://www.gmer.net
Rootkit scan 2009-09-30 16:59:46
Windows 5.1.2600 Service Pack 3
Running: l0k1im5r.exe; Driver: C:\DOCUME~1\ADMINI~1.001\LOCALS~1\Temp\fwtcapob.sys

---- System - GMER 1.0.15 ----

Code 842ACB28 ZwEnumerateKey
Code 842B6260 ZwFlushInstructionCache
Code 842B09DE ZwSaveKey
Code 842ACB5E ZwSaveKeyEx
Code 8430059E IofCallDriver
Code 842E512E IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IofCallDriver 804E37C5 5 Bytes JMP 843005A3
.text ntoskrnl.exe!IofCompleteRequest 804E3BF6 5 Bytes JMP 842E5133
PAGE ntoskrnl.exe!ZwEnumerateKey 80570D64 5 Bytes JMP 842ACB2C
PAGE ntoskrnl.exe!ZwFlushInstructionCache 80577693 5 Bytes JMP 842B6264
PAGE ntoskrnl.exe!ZwSaveKey 8064ED72 5 Bytes JMP 842B09E2
PAGE ntoskrnl.exe!ZwSaveKeyEx 8064EE5D 5 Bytes JMP 842ACB62
? win32k.sys:1 The system cannot find the file specified. !
? win32k.sys:2 The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[864] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\5D64D006.x86.dll
.text C:\WINDOWS\system32\svchost.exe[864] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\5D64D006.x86.dll
.text C:\WINDOWS\system32\svchost.exe[864] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\5D64D006.x86.dll
.text C:\WINDOWS\system32\svchost.exe[984] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\5D64D006.x86.dll
.text C:\WINDOWS\system32\svchost.exe[984] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\5D64D006.x86.dll
.text C:\WINDOWS\system32\svchost.exe[984] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\5D64D006.x86.dll
.text C:\WINDOWS\System32\svchost.exe[1080] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\5D64D006.x86.dll
.text C:\WINDOWS\System32\svchost.exe[1080] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\5D64D006.x86.dll
.text C:\WINDOWS\System32\svchost.exe[1080] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\5D64D006.x86.dll

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\svchost.exe[864] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\5D64D006.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[864] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\5D64D006.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[984] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\5D64D006.x86.dll
IAT C:\WINDOWS\system32\svchost.exe[984] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\5D64D006.x86.dll
IAT C:\WINDOWS\System32\svchost.exe[1080] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\5D64D006.x86.dll
IAT C:\WINDOWS\System32\svchost.exe[1080] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\5D64D006.x86.dll

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

Device \FileSystem\Fastfat \Fat F6E1DD20
---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\__max++>\5D64D006.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [864] 0x35670000
Library \\?\globalroot\Device\__max++>\5D64D006.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [984] 0x35670000
Library \\?\globalroot\Device\__max++>\5D64D006.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1080] 0x35670000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\rotscxuxoprqyh.sys (*** hidden *** ) [SYSTEM] rotscxyvljwjtp <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\rotscxyvljwjtp (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\rotscxyvljwjtp@start 1
Reg HKLM\SYSTEM\ControlSet001\Services\rotscxyvljwjtp@type 1
Reg HKLM\SYSTEM\ControlSet001\Services\rotscxyvljwjtp@group file system
Reg HKLM\SYSTEM\ControlSet001\Services\rotscxyvljwjtp@imagepath \systemroot\system32\drivers\rotscxuxoprqyh.sys
Reg HKLM\SYSTEM\ControlSet001\Services\rotscxyvljwjtp\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\rotscxyvljwjtp\main@aid 10002
Reg HKLM\SYSTEM\ControlSet001\Services\rotscxyvljwjtp\main@sid 1
Reg HKLM\SYSTEM\ControlSet001\Services\rotscxyvljwjtp\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet001\Services\rotscxyvljwjtp\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\rotscxyvljwjtp\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\rotscxyvljwjtp\main\injector@* rotscxwsp8.dll
Reg HKLM\SYSTEM\ControlSet001\Services\rotscxyvljwjtp\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\rotscxyvljwjtp\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\rotscxyvljwjtp\modules@rotscxrk.sys \systemroot\system32\drivers\rotscxuxoprqyh.sys
Reg HKLM\SYSTEM\ControlSet001\Services\rotscxyvljwjtp\modules@rotscxcmd.dll \systemroot\system32\rotscxmihraewb.dll
Reg HKLM\SYSTEM\ControlSet001\Services\rotscxyvljwjtp\modules@rotscxlog.dat \systemroot\system32\rotscxqmcegeis.dat
Reg HKLM\SYSTEM\ControlSet001\Services\rotscxyvljwjtp\modules@rotscxwsp.dll \systemroot\system32\rotscxaqbvtiww.dll
Reg HKLM\SYSTEM\ControlSet001\Services\rotscxyvljwjtp\modules@rotscx.dat \systemroot\system32\rotscxkfxhklyx.dat
Reg HKLM\SYSTEM\ControlSet001\Services\rotscxyvljwjtp\modules@rotscxwsp8.dll \systemroot\system32\rotscxmyxirfvk.dll
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxyvljwjtp (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxyvljwjtp@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxyvljwjtp@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxyvljwjtp@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxyvljwjtp@imagepath \systemroot\system32\drivers\rotscxuxoprqyh.sys
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxyvljwjtp\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxyvljwjtp\main@aid 10002
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxyvljwjtp\main@sid 1
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxyvljwjtp\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxyvljwjtp\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxyvljwjtp\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxyvljwjtp\main\injector@* rotscxwsp8.dll
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxyvljwjtp\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxyvljwjtp\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxyvljwjtp\modules@rotscxrk.sys \systemroot\system32\drivers\rotscxuxoprqyh.sys
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxyvljwjtp\modules@rotscxcmd.dll \systemroot\system32\rotscxmihraewb.dll
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxyvljwjtp\modules@rotscxlog.dat \systemroot\system32\rotscxqmcegeis.dat
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxyvljwjtp\modules@rotscxwsp.dll \systemroot\system32\rotscxaqbvtiww.dll
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxyvljwjtp\modules@rotscx.dat \systemroot\system32\rotscxkfxhklyx.dat
Reg HKLM\SYSTEM\ControlSet002\Services\rotscxyvljwjtp\modules@rotscxwsp8.dll \systemroot\system32\rotscxmyxirfvk.dll
Reg HKLM\SYSTEM\ControlSet003\Services\rotscxyvljwjtp (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\rotscxyvljwjtp@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\rotscxyvljwjtp@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\rotscxyvljwjtp@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\rotscxyvljwjtp@imagepath \systemroot\system32\drivers\rotscxuxoprqyh.sys
Reg HKLM\SYSTEM\ControlSet003\Services\rotscxyvljwjtp\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\rotscxyvljwjtp\main@aid 10002
Reg HKLM\SYSTEM\ControlSet003\Services\rotscxyvljwjtp\main@sid 1
Reg HKLM\SYSTEM\ControlSet003\Services\rotscxyvljwjtp\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet003\Services\rotscxyvljwjtp\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\rotscxyvljwjtp\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\rotscxyvljwjtp\main\injector@* rotscxwsp8.dll
Reg HKLM\SYSTEM\ControlSet003\Services\rotscxyvljwjtp\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\rotscxyvljwjtp\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\rotscxyvljwjtp\modules@rotscxrk.sys \systemroot\system32\drivers\rotscxuxoprqyh.sys
Reg HKLM\SYSTEM\ControlSet003\Services\rotscxyvljwjtp\modules@rotscxcmd.dll \systemroot\system32\rotscxmihraewb.dll
Reg HKLM\SYSTEM\ControlSet003\Services\rotscxyvljwjtp\modules@rotscxlog.dat \systemroot\system32\rotscxqmcegeis.dat
Reg HKLM\SYSTEM\ControlSet003\Services\rotscxyvljwjtp\modules@rotscxwsp.dll \systemroot\system32\rotscxaqbvtiww.dll
Reg HKLM\SYSTEM\ControlSet003\Services\rotscxyvljwjtp\modules@rotscx.dat \systemroot\system32\rotscxkfxhklyx.dat
Reg HKLM\SYSTEM\ControlSet003\Services\rotscxyvljwjtp\modules@rotscxwsp8.dll \systemroot\system32\rotscxmyxirfvk.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxyvljwjtp
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxyvljwjtp@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxyvljwjtp@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxyvljwjtp@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxyvljwjtp@imagepath \systemroot\system32\drivers\rotscxuxoprqyh.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxyvljwjtp\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxyvljwjtp\main@aid 10002
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxyvljwjtp\main@sid 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxyvljwjtp\main@cmddelay 14400
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxyvljwjtp\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxyvljwjtp\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxyvljwjtp\main\injector@* rotscxwsp8.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxyvljwjtp\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxyvljwjtp\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxyvljwjtp\modules@rotscxrk.sys \systemroot\system32\drivers\rotscxuxoprqyh.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxyvljwjtp\modules@rotscxcmd.dll \systemroot\system32\rotscxmihraewb.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxyvljwjtp\modules@rotscxlog.dat \systemroot\system32\rotscxqmcegeis.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxyvljwjtp\modules@rotscxwsp.dll \systemroot\system32\rotscxaqbvtiww.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxyvljwjtp\modules@rotscx.dat \systemroot\system32\rotscxkfxhklyx.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxyvljwjtp\modules@rotscxwsp8.dll \systemroot\system32\rotscxmyxirfvk.dll
Reg HKLM\SYSTEM\ControlSet005\Services\rotscxyvljwjtp (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\rotscxyvljwjtp@start 1
Reg HKLM\SYSTEM\ControlSet005\Services\rotscxyvljwjtp@type 1
Reg HKLM\SYSTEM\ControlSet005\Services\rotscxyvljwjtp@group file system
Reg HKLM\SYSTEM\ControlSet005\Services\rotscxyvljwjtp@imagepath \systemroot\system32\drivers\rotscxuxoprqyh.sys
Reg HKLM\SYSTEM\ControlSet005\Services\rotscxyvljwjtp\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\rotscxyvljwjtp\main@aid 10002
Reg HKLM\SYSTEM\ControlSet005\Services\rotscxyvljwjtp\main@sid 1
Reg HKLM\SYSTEM\ControlSet005\Services\rotscxyvljwjtp\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet005\Services\rotscxyvljwjtp\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\rotscxyvljwjtp\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\rotscxyvljwjtp\main\injector@* rotscxwsp8.dll
Reg HKLM\SYSTEM\ControlSet005\Services\rotscxyvljwjtp\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\rotscxyvljwjtp\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\rotscxyvljwjtp\modules@rotscxrk.sys \systemroot\system32\drivers\rotscxuxoprqyh.sys
Reg HKLM\SYSTEM\ControlSet005\Services\rotscxyvljwjtp\modules@rotscxcmd.dll \systemroot\system32\rotscxmihraewb.dll
Reg HKLM\SYSTEM\ControlSet005\Services\rotscxyvljwjtp\modules@rotscxlog.dat \systemroot\system32\rotscxqmcegeis.dat
Reg HKLM\SYSTEM\ControlSet005\Services\rotscxyvljwjtp\modules@rotscxwsp.dll \systemroot\system32\rotscxaqbvtiww.dll
Reg HKLM\SYSTEM\ControlSet005\Services\rotscxyvljwjtp\modules@rotscx.dat \systemroot\system32\rotscxkfxhklyx.dat
Reg HKLM\SYSTEM\ControlSet005\Services\rotscxyvljwjtp\modules@rotscxwsp8.dll \systemroot\system32\rotscxmyxirfvk.dll

---- Files - GMER 1.0.15 ----

File C:\congrat.bmz 5758 bytes
File C:\hpfinst.dll 270336 bytes executable
File C:\hpsetup.ini 976 bytes
File C:\inline.bmz 7496 bytes
File C:\intro.bmz 5844 bytes
File C:\license.bmz 4725 bytes
File C:\makedisk.bmz 5720 bytes
File C:\nt4 0 bytes
File C:\oval.bmp 16438 bytes
File C:\port.bmz 5443 bytes
File C:\printer.bmp 223758 bytes
File C:\prnmask.bmp 223758 bytes
File C:\restart.bmz 3211 bytes
File C:\setup.exe 12608 bytes
File C:\status.bmz 4352 bytes
File C:\unstall.bmz 2429 bytes
File C:\usb.bmz 3542 bytes
File C:\wowdemo.bmz 5758 bytes

---- EOF - GMER 1.0.15 ----

I did get the second warning of a root kit. Let me know what you think and what to do from here. Thanks

#4 syler


  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:06:14 PM

Posted 30 September 2009 - 04:43 PM

No need to run Symantec for now, I can see what you have on your system and it's not good, I will give you the format option although Im aware you
want to try and avoid it.

Their is no hurry I understand that you have the other issues.

One or more of the identified infections is a backdoor trojan/Rootkit.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you decide you want to proceed with trying to clean your machine please follow these next steps.

Download and run Win32kDiag:
  • Download Win32kDiag from any of the following locations and save it to your Desktop.
  • Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
  • Once it has finished, press any key to close the program.
  • It will create the file Win32kDiag.txt on your Desktop Copy and paste the contents in your next reply.


#5 8eight

  • Topic Starter

  • Members
  • 38 posts
  • Local time:01:14 PM

Posted 30 September 2009 - 05:13 PM

The issue with reinstalling the OS is that I'm not sure I ever got a backup disc for this computer, I have tried contacting hp about getting another copy but since I am out of warranty they said they could not provide another. I do have windows pro disc but it was distributed through dell would this be an option or would it be incompatible. Also in the event of a OS reboot, I know I would loose the software but what about my files (word docs, pictures, music) would they be lost if so whats the best method to back them up (I have some things backed up but not all). Depending on these factors we can see how to continue.

As for security, the computer that is infected is the desktop that the main connection for the wireless router, I also have another family computer and my desktop that run on the same network. Are they at risk? My laptop is more updated and I have been scanning with avg, malewarebytes, and ccleaner.


#6 syler


  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:06:14 PM

Posted 30 September 2009 - 05:26 PM

You can only use OEM OS disks with the machine they came with, so that is not an option. To backup files you want to keep you can either use a usb storage
device and copy them across or burn them to CD\DVD, which ever option you have.

If all your computers are networked then their is a chance that the infection can spread to the other machines, I would isolate all the other machines from the
known infected machine till you get it cleaned.


#7 8eight

  • Topic Starter

  • Members
  • 38 posts
  • Local time:01:14 PM

Posted 01 October 2009 - 11:21 AM

Alright I was able to get a copy of the disc to backup the computer so I'm going to pursue that solution. If you have any other tips or recommendations for that I'd appreciate it. Can I take out the HD and connect it with a converter usb cable and transfer my files to my laptop?

Other then that thank you for your help Syler, I appreciate it.

#8 syler


  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:06:14 PM

Posted 01 October 2009 - 12:19 PM

Can I take out the HD and connect it with a converter usb cable and transfer my files to my laptop?

I suppose you could do that although I would be very carefull what you copy across, and I would also suggest you disable the Autoplay feature,
on the machine that you are transferring too.

good luck with it :(


#9 syler


  • Malware Response Team
  • 8,150 posts
  • Gender:Male
  • Location:Warrington, UK
  • Local time:06:14 PM

Posted 02 October 2009 - 08:58 AM

Since this issue appears resolved ... this Topic is closed. Glad we could help.

If you need this topic reopened, please request this by sending me a PM
with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users