Locked Out by Windows Police Pro!

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by 8eight, Sep 29, 2009.

  1. 8eight

    8eight Private E-2

    Exhausted all my options so far hope you guys can help.

    So last night I got the "Windows Police Pro" pop-up telling me my system is infected and that I "need" to purchase the software. I thought nothing of it and exited out of the windows, only to have it pop up again. I went ahead and ran CCleaner, cleaning out my Windows files and checking the app registry. I then went ahead and tried to perform a full scan with Malwarebytes, and it's been downhill since then. The system froze during the scan and I had to reboot; upon restarting, the desktop icons/start menu weren't loading and I noticed explorer.exe was not in my Task Manager. I went on my other computer and searched for removal guides, and unfortunately for me one of them said "do not run a full scan with Malwarebytes as it will cause your computer to crash" ...d'oh.

    What I've done since is to download the recommended software again on a clean computer (Malwarebytes, SpyNoMore, etc.) and try following the guides to end the related .exe tasks and clean out my Programs and Documents folders. So now there's no more pop-up, but no more desktop either. I've tried Safe Mode, and my desktop doesn't load there either. After spending time with a Microsoft tech going through my registry, they suggested I reinstall Windows, which I'm hoping to avoid if possible.

    Current Status:

    When I log in to the Admin profile, the desktop doesn't load, and further, I am now locked out of Task Manager and can't even try manual cleaning.

    For the time being I can still access my alternate profile and Safe Mode, but again, no desktop.

    I've run Symantec, which seems to work, but it's not succeeding in removing some of the objects found, and I can't find them directly.

    I have since been able to run CCleaner, but it doesn't solve the problem.
    Malwarebytes unfortunately crashes a few seconds into the scan, as does SpyNoMore.

    Hoping the MajorGeeks forum can help; please, I just want to get rid of this junk. Thanks
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    Let's see if we can get some info so that we can determine which system file has been corrupted. That way we can try to replace it.

    Download and save the below to your PC (save it anywhere you can find it. The Desktop is fine). Then double-click on it to run it.

    AVPFind.bat

    It should take a couple of minutes to run. You will see a black command prompt window while it is running, and it should close when it is finished. Once it finishes, attach the C:\avplog.txt file that it will hopefully create, as long as the malware does not block the batch file from running.


    Now download and Run exeHelper
    • Please download exeHelper to your desktop.
    • Double-click on exeHelper.com to run the fix.
    • A black window should pop up, press any key to close once the fix is completed.
    • Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
    Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).


    Also please try running the below online scan:

    http://www.superantispyware.com/onlinescan.html

    Reboot immediately after scanning if it finds and removes anything. Let me know if anything was found. See if you can save a log with it.


    Then try running these instructions: Using MGtools

    Attach the below logs when finished with all of the above:
    • C:\avplog.txt - from AVPfind
    • a log from online SAS scan if you could make one
    • log.txt - from exeHelper
    • C:\MGlogs.zip - from MGtools
    The C:\ assumes that drive C is your Windows boot drive. If you boot from another drive, then use the correct drive letter above.
     
  3. 8eight

    8eight Private E-2

    Hey Chaslang,

    I downloaded those files you gave me and burned them onto a CD to run on the infected computer, as I've disconnected that desktop from the internet. When I booted up the first time, things were as they were before: my admin profile is essentially useless, as the desktop/start menu doesn't load and I get an error message when I try to access Task Manager. I started in Safe Mode with Networking and tried launching AVPfind.bat from Task Manager. At that point Task Manager crashed and closed, and I could not access that either. I tried rebooting to Safe Mode, and now when it begins to load, the computer turns off and begins to loop the start-up process of getting to the load screen and turning off.

    Below is a post from another forum of a log obtained with GMER. I don't know if this helps. Although at this point, if I can't boot in Safe Mode, regrettably reinstalling Windows seems to be my only option.



    " I haven't been able to run Symantec, but I tried SpyNoMore again and it scanned for 30 seconds or so before it was shut down. However, it did find 1 "trojan" in the registry along the lines of "HKEY_Local Machine\Software\Microsoft\Windows NT\Current Version\Winlogon, useint "



    GMER 1.0.15.15087 - http://www.gmer.net
    Rootkit scan 2009-09-30 16:59:46
    Windows 5.1.2600 Service Pack 3
    Running: l0k1im5r.exe; Driver: C:\DOCUME~1\ADMINI~1.001\LOCALS~1\Temp\fwtcapob.sys


    ---- System - GMER 1.0.15 ----

    Code 842ACB28 ZwEnumerateKey
    Code 842B6260 ZwFlushInstructionCache
    Code 842B09DE ZwSaveKey
    Code 842ACB5E ZwSaveKeyEx
    Code 8430059E IofCallDriver
    Code 842E512E IofCompleteRequest

    ---- Kernel code sections - GMER 1.0.15 ----

    .text ntoskrnl.exe!IofCallDriver 804E37C5 5 Bytes JMP 843005A3
    .text ntoskrnl.exe!IofCompleteRequest 804E3BF6 5 Bytes JMP 842E5133
    PAGE ntoskrnl.exe!ZwEnumerateKey 80570D64 5 Bytes JMP 842ACB2C
    PAGE ntoskrnl.exe!ZwFlushInstructionCache 80577693 5 Bytes JMP 842B6264
    PAGE ntoskrnl.exe!ZwSaveKey 8064ED72 5 Bytes JMP 842B09E2
    PAGE ntoskrnl.exe!ZwSaveKeyEx 8064EE5D 5 Bytes JMP 842ACB62
    ? win32k.sys:1 The system cannot find the file specified. !
    ? win32k.sys:2 The system cannot find the file specified. !

    ---- User code sections - GMER 1.0.15 ----

    .text C:\WINDOWS\system32\svchost.exe[864] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\5D64D006.x86.dll
    .text C:\WINDOWS\system32\svchost.exe[864] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\5D64D006.x86.dll
    .text C:\WINDOWS\system32\svchost.exe[864] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\5D64D006.x86.dll
    .text C:\WINDOWS\system32\svchost.exe[984] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\5D64D006.x86.dll
    .text C:\WINDOWS\system32\svchost.exe[984] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\5D64D006.x86.dll
    .text C:\WINDOWS\system32\svchost.exe[984] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\5D64D006.x86.dll
    .text C:\WINDOWS\System32\svchost.exe[1080] USER32.dll!CallNextHookEx + 4A 7E42B410 7 Bytes CALL 35672D96 \\?\globalroot\Device\__max++>\5D64D006.x86.dll
    .text C:\WINDOWS\System32\svchost.exe[1080] GDI32.dll!GetHFONT + 51 77F17EA7 7 Bytes CALL 35672DC2 \\?\globalroot\Device\__max++>\5D64D006.x86.dll
    .text C:\WINDOWS\System32\svchost.exe[1080] GDI32.dll!GetTextExtentPoint32W + E4 77F18081 7 Bytes CALL 35672DDE \\?\globalroot\Device\__max++>\5D64D006.x86.dll

    ---- User IAT/EAT - GMER 1.0.15 ----

    IAT C:\WINDOWS\system32\svchost.exe[864] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\5D64D006.x86.dll
    IAT C:\WINDOWS\system32\svchost.exe[864] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\5D64D006.x86.dll
    IAT C:\WINDOWS\system32\svchost.exe[984] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\5D64D006.x86.dll
    IAT C:\WINDOWS\system32\svchost.exe[984] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\5D64D006.x86.dll
    IAT C:\WINDOWS\System32\svchost.exe[1080] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672A94] \\?\globalroot\Device\__max++>\5D64D006.x86.dll
    IAT C:\WINDOWS\System32\svchost.exe[1080] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A1E] \\?\globalroot\Device\__max++>\5D64D006.x86.dll

    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    Device \FileSystem\Fastfat \Fat F6E1DD20
    ---- Processes - GMER 1.0.15 ----

    Library \\?\globalroot\Device\__max++>\5D64D006.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [864] 0x35670000
    Library \\?\globalroot\Device\__max++>\5D64D006.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [984] 0x35670000
    Library \\?\globalroot\Device\__max++>\5D64D006.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1080] 0x35670000

    ---- Services - GMER 1.0.15 ----

    Service C:\WINDOWS\system32\drivers\rotscxuxoprqyh.sys (*** hidden *** ) [SYSTEM] rotscxyvljwjtp <-- ROOTKIT !!!

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\ControlSet001\Services\rotscxyvljwjtp (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet001\Services\rotscxyvljwjtp@start 1
    Reg HKLM\SYSTEM\ControlSet001\Services\rotscxyvljwjtp@type 1
    Reg HKLM\SYSTEM\ControlSet001\Services\rotscxyvljwjtp@group file system
    Reg HKLM\SYSTEM\ControlSet001\Services\rotscxyvljwjtp@imagepath \systemroot\system32\drivers\rotscxuxoprqyh.sys
    Reg HKLM\SYSTEM\ControlSet001\Services\rotscxyvljwjtp\main (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet001\Services\rotscxyvljwjtp\main@aid 10002
    Reg HKLM\SYSTEM\ControlSet001\Services\rotscxyvljwjtp\main@sid 1
    Reg HKLM\SYSTEM\ControlSet001\Services\rotscxyvljwjtp\main@cmddelay 14400
    Reg HKLM\SYSTEM\ControlSet001\Services\rotscxyvljwjtp\main\delete (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet001\Services\rotscxyvljwjtp\main\injector (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet001\Services\rotscxyvljwjtp\main\injector@* rotscxwsp8.dll
    Reg HKLM\SYSTEM\ControlSet001\Services\rotscxyvljwjtp\main\tasks (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet001\Services\rotscxyvljwjtp\modules (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet001\Services\rotscxyvljwjtp\modules@rotscxrk.sys \systemroot\system32\drivers\rotscxuxoprqyh.sys
    Reg HKLM\SYSTEM\ControlSet001\Services\rotscxyvljwjtp\modules@rotscxcmd.dll \systemroot\system32\rotscxmihraewb.dll
    Reg HKLM\SYSTEM\ControlSet001\Services\rotscxyvljwjtp\modules@rotscxlog.dat \systemroot\system32\rotscxqmcegeis.dat
    Reg HKLM\SYSTEM\ControlSet001\Services\rotscxyvljwjtp\modules@rotscxwsp.dll \systemroot\system32\rotscxaqbvtiww.dll
    Reg HKLM\SYSTEM\ControlSet001\Services\rotscxyvljwjtp\modules@rotscx.dat \systemroot\system32\rotscxkfxhklyx.dat
    Reg HKLM\SYSTEM\ControlSet001\Services\rotscxyvljwjtp\modules@rotscxwsp8.dll \systemroot\system32\rotscxmyxirfvk.dll
    Reg HKLM\SYSTEM\ControlSet002\Services\rotscxyvljwjtp (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\rotscxyvljwjtp@start 1
    Reg HKLM\SYSTEM\ControlSet002\Services\rotscxyvljwjtp@type 1
    Reg HKLM\SYSTEM\ControlSet002\Services\rotscxyvljwjtp@group file system
    Reg HKLM\SYSTEM\ControlSet002\Services\rotscxyvljwjtp@imagepath \systemroot\system32\drivers\rotscxuxoprqyh.sys
    Reg HKLM\SYSTEM\ControlSet002\Services\rotscxyvljwjtp\main (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\rotscxyvljwjtp\main@aid 10002
    Reg HKLM\SYSTEM\ControlSet002\Services\rotscxyvljwjtp\main@sid 1
    Reg HKLM\SYSTEM\ControlSet002\Services\rotscxyvljwjtp\main@cmddelay 14400
    Reg HKLM\SYSTEM\ControlSet002\Services\rotscxyvljwjtp\main\delete (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\rotscxyvljwjtp\main\injector (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\rotscxyvljwjtp\main\injector@* rotscxwsp8.dll
    Reg HKLM\SYSTEM\ControlSet002\Services\rotscxyvljwjtp\main\tasks (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\rotscxyvljwjtp\modules (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet002\Services\rotscxyvljwjtp\modules@rotscxrk.sys \systemroot\system32\drivers\rotscxuxoprqyh.sys
    Reg HKLM\SYSTEM\ControlSet002\Services\rotscxyvljwjtp\modules@rotscxcmd.dll \systemroot\system32\rotscxmihraewb.dll
    Reg HKLM\SYSTEM\ControlSet002\Services\rotscxyvljwjtp\modules@rotscxlog.dat \systemroot\system32\rotscxqmcegeis.dat
    Reg HKLM\SYSTEM\ControlSet002\Services\rotscxyvljwjtp\modules@rotscxwsp.dll \systemroot\system32\rotscxaqbvtiww.dll
    Reg HKLM\SYSTEM\ControlSet002\Services\rotscxyvljwjtp\modules@rotscx.dat \systemroot\system32\rotscxkfxhklyx.dat
    Reg HKLM\SYSTEM\ControlSet002\Services\rotscxyvljwjtp\modules@rotscxwsp8.dll \systemroot\system32\rotscxmyxirfvk.dll
    Reg HKLM\SYSTEM\ControlSet003\Services\rotscxyvljwjtp (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\rotscxyvljwjtp@start 1
    Reg HKLM\SYSTEM\ControlSet003\Services\rotscxyvljwjtp@type 1
    Reg HKLM\SYSTEM\ControlSet003\Services\rotscxyvljwjtp@group file system
    Reg HKLM\SYSTEM\ControlSet003\Services\rotscxyvljwjtp@imagepath \systemroot\system32\drivers\rotscxuxoprqyh.sys
    Reg HKLM\SYSTEM\ControlSet003\Services\rotscxyvljwjtp\main (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\rotscxyvljwjtp\main@aid 10002
    Reg HKLM\SYSTEM\ControlSet003\Services\rotscxyvljwjtp\main@sid 1
    Reg HKLM\SYSTEM\ControlSet003\Services\rotscxyvljwjtp\main@cmddelay 14400
    Reg HKLM\SYSTEM\ControlSet003\Services\rotscxyvljwjtp\main\delete (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\rotscxyvljwjtp\main\injector (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\rotscxyvljwjtp\main\injector@* rotscxwsp8.dll
    Reg HKLM\SYSTEM\ControlSet003\Services\rotscxyvljwjtp\main\tasks (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\rotscxyvljwjtp\modules (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet003\Services\rotscxyvljwjtp\modules@rotscxrk.sys \systemroot\system32\drivers\rotscxuxoprqyh.sys
    Reg HKLM\SYSTEM\ControlSet003\Services\rotscxyvljwjtp\modules@rotscxcmd.dll \systemroot\system32\rotscxmihraewb.dll
    Reg HKLM\SYSTEM\ControlSet003\Services\rotscxyvljwjtp\modules@rotscxlog.dat \systemroot\system32\rotscxqmcegeis.dat
    Reg HKLM\SYSTEM\ControlSet003\Services\rotscxyvljwjtp\modules@rotscxwsp.dll \systemroot\system32\rotscxaqbvtiww.dll
    Reg HKLM\SYSTEM\ControlSet003\Services\rotscxyvljwjtp\modules@rotscx.dat \systemroot\system32\rotscxkfxhklyx.dat
    Reg HKLM\SYSTEM\ControlSet003\Services\rotscxyvljwjtp\modules@rotscxwsp8.dll \systemroot\system32\rotscxmyxirfvk.dll
    Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxyvljwjtp
    Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxyvljwjtp@start 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxyvljwjtp@type 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxyvljwjtp@group file system
    Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxyvljwjtp@imagepath \systemroot\system32\drivers\rotscxuxoprqyh.sys
    Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxyvljwjtp\main
    Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxyvljwjtp\main@aid 10002
    Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxyvljwjtp\main@sid 1
    Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxyvljwjtp\main@cmddelay 14400
    Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxyvljwjtp\main\delete
    Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxyvljwjtp\main\injector
    Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxyvljwjtp\main\injector@* rotscxwsp8.dll
    Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxyvljwjtp\main\tasks
    Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxyvljwjtp\modules
    Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxyvljwjtp\modules@rotscxrk.sys \systemroot\system32\drivers\rotscxuxoprqyh.sys
    Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxyvljwjtp\modules@rotscxcmd.dll \systemroot\system32\rotscxmihraewb.dll
    Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxyvljwjtp\modules@rotscxlog.dat \systemroot\system32\rotscxqmcegeis.dat
    Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxyvljwjtp\modules@rotscxwsp.dll \systemroot\system32\rotscxaqbvtiww.dll
    Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxyvljwjtp\modules@rotscx.dat \systemroot\system32\rotscxkfxhklyx.dat
    Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxyvljwjtp\modules@rotscxwsp8.dll \systemroot\system32\rotscxmyxirfvk.dll
    Reg HKLM\SYSTEM\ControlSet005\Services\rotscxyvljwjtp (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet005\Services\rotscxyvljwjtp@start 1
    Reg HKLM\SYSTEM\ControlSet005\Services\rotscxyvljwjtp@type 1
    Reg HKLM\SYSTEM\ControlSet005\Services\rotscxyvljwjtp@group file system
    Reg HKLM\SYSTEM\ControlSet005\Services\rotscxyvljwjtp@imagepath \systemroot\system32\drivers\rotscxuxoprqyh.sys
    Reg HKLM\SYSTEM\ControlSet005\Services\rotscxyvljwjtp\main (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet005\Services\rotscxyvljwjtp\main@aid 10002
    Reg HKLM\SYSTEM\ControlSet005\Services\rotscxyvljwjtp\main@sid 1
    Reg HKLM\SYSTEM\ControlSet005\Services\rotscxyvljwjtp\main@cmddelay 14400
    Reg HKLM\SYSTEM\ControlSet005\Services\rotscxyvljwjtp\main\delete (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet005\Services\rotscxyvljwjtp\main\injector (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet005\Services\rotscxyvljwjtp\main\injector@* rotscxwsp8.dll
    Reg HKLM\SYSTEM\ControlSet005\Services\rotscxyvljwjtp\main\tasks (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet005\Services\rotscxyvljwjtp\modules (not active ControlSet)
    Reg HKLM\SYSTEM\ControlSet005\Services\rotscxyvljwjtp\modules@rotscxrk.sys \systemroot\system32\drivers\rotscxuxoprqyh.sys
    Reg HKLM\SYSTEM\ControlSet005\Services\rotscxyvljwjtp\modules@rotscxcmd.dll \systemroot\system32\rotscxmihraewb.dll
    Reg HKLM\SYSTEM\ControlSet005\Services\rotscxyvljwjtp\modules@rotscxlog.dat \systemroot\system32\rotscxqmcegeis.dat
    Reg HKLM\SYSTEM\ControlSet005\Services\rotscxyvljwjtp\modules@rotscxwsp.dll \systemroot\system32\rotscxaqbvtiww.dll
    Reg HKLM\SYSTEM\ControlSet005\Services\rotscxyvljwjtp\modules@rotscx.dat \systemroot\system32\rotscxkfxhklyx.dat
    Reg HKLM\SYSTEM\ControlSet005\Services\rotscxyvljwjtp\modules@rotscxwsp8.dll \systemroot\system32\rotscxmyxirfvk.dll

    ---- Files - GMER 1.0.15 ----

    File C:\congrat.bmz 5758 bytes
    File C:\hpfinst.dll 270336 bytes executable
    File C:\hpsetup.ini 976 bytes
    File C:\inline.bmz 7496 bytes
    File C:\intro.bmz 5844 bytes
    File C:\license.bmz 4725 bytes
    File C:\makedisk.bmz 5720 bytes
    File C:\nt4 0 bytes
    File C:\oval.bmp 16438 bytes
    File C:\port.bmz 5443 bytes
    File C:\printer.bmp 223758 bytes
    File C:\prnmask.bmp 223758 bytes
    File C:\restart.bmz 3211 bytes
    File C:\setup.exe 12608 bytes
    File C:\status.bmz 4352 bytes
    File C:\unstall.bmz 2429 bytes
    File C:\usb.bmz 3542 bytes
    File C:\wowdemo.bmz 5758 bytes

    ---- EOF - GMER 1.0.15 ----
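A way to pull the actionable indicators out of a GMER log like the one above, as an added example that is not part of the original post or of GMER itself: it walks the log by section and collects the hooked kernel exports, the hidden DLL and the PIDs it was injected into, the hidden service, and every file path the service's registry key references (the list you would remove or restore from an offline boot). The embedded log excerpt is a constructed subset of the lines posted above; the section names and line formats are taken from that log and are assumed to hold for other GMER 1.0.15 logs.

```python
import re

# Constructed excerpt of the GMER log posted above (representative lines only).
SAMPLE_LOG = r"""
---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IofCallDriver 804E37C5 5 Bytes JMP 843005A3
PAGE ntoskrnl.exe!ZwEnumerateKey 80570D64 5 Bytes JMP 842ACB2C

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\__max++>\5D64D006.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [864] 0x35670000
Library \\?\globalroot\Device\__max++>\5D64D006.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [984] 0x35670000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\rotscxuxoprqyh.sys (*** hidden *** ) [SYSTEM] rotscxyvljwjtp <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxyvljwjtp@imagepath \systemroot\system32\drivers\rotscxuxoprqyh.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxyvljwjtp\modules@rotscxcmd.dll \systemroot\system32\rotscxmihraewb.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\rotscxyvljwjtp\modules@rotscxwsp8.dll \systemroot\system32\rotscxmyxirfvk.dll
"""

# Line formats as they appear in the log above (assumed stable for GMER 1.0.15).
SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
HOOK_RE = re.compile(r"^(?:\.text|PAGE)\s+(\S+)!(\w+)\s+[0-9A-F]+\s+\d+ Bytes\s+JMP\s+([0-9A-F]+)$")
HIDDEN_LIB_RE = re.compile(r"^Library\s+(.+?)\s+\(\*\*\* hidden \*\*\* \)\s+@\s+(\S+)\s+\[(\d+)\]")
HIDDEN_SVC_RE = re.compile(r"^Service\s+(\S+)\s+\(\*\*\* hidden \*\*\* \)\s+\[(\w+)\]\s+(\S+)")
REG_RE = re.compile(r"^Reg\s+(\S+?)@(\S+)\s+(\S+)$")


def triage(log_text):
    """Collect from a GMER log: inline-hooked kernel exports, hidden DLLs with
    the PIDs they were found in, hidden services with their driver path, and
    every file path referenced under a service's registry key."""
    result = {
        "hooks": [],            # (module, export, jmp_target)
        "hidden_libs": {},      # dll path -> sorted PIDs it was injected into
        "hidden_services": {},  # service name -> driver image path
        "service_files": {},    # service name -> sorted list of referenced paths
    }
    section = None
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section == "Kernel code sections":
            m = HOOK_RE.match(line)
            if m:
                result["hooks"].append(m.groups())
        elif section == "Processes":
            m = HIDDEN_LIB_RE.match(line)
            if m:
                result["hidden_libs"].setdefault(m.group(1), set()).add(int(m.group(3)))
        elif section == "Services":
            m = HIDDEN_SVC_RE.match(line)
            if m:
                result["hidden_services"][m.group(3)] = m.group(1)
        elif section == "Registry":
            m = REG_RE.match(line)
            # Only values whose data is a file path under \systemroot matter here.
            if m and m.group(3).lower().startswith("\\systemroot\\"):
                parts = m.group(1).split("\\")  # HKLM\SYSTEM\<set>\Services\<name>[\sub]
                if "Services" in parts:
                    name = parts[parts.index("Services") + 1]
                    result["service_files"].setdefault(name, set()).add(m.group(3))
    result["hidden_libs"] = {k: sorted(v) for k, v in result["hidden_libs"].items()}
    result["service_files"] = {k: sorted(v) for k, v in result["service_files"].items()}
    return result


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

The registry section is the useful part for cleanup: GMER lists the service's modules for each ControlSet, so the same key names recur; collecting the paths into a set gives one de-duplicated list of files to delete or restore once you can write to the volume offline.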
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Do you have your Windows XP boot CD so that you can boot to the Recovery Console?

    If you are already actively working on another forum, you should not be posting here. You should only be working on one forum.

    Your GMER log only tells us what we already know..... that you have one of the many forms of a Windows Police Pro infection; however, it is not showing the infected system file which is the source of your problems. One of the below files is infected:

    C:\Windows\System32\scecli.dll
    C:\Windows\System32\netlogon.dll
    C:\Windows\System32\eventlog.dll

    AVPFind.bat would have shown us which one if it ran. If you can boot to the Recovery Console, you can still determine which one is infected and replace it with a backup that the infection will create. The infection will create one of the below backups based on which one of the original 3 files it infects. Notice the play on the names:

    C:\Windows\System32\sceclt.dll
    C:\Windows\System32\ntelogon.dll
    C:\Windows\System32\logevent.dll
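The check described in this post, as an added example (not the AVPFind.bat script or any MajorGeeks tool): for each of the three candidate system files it looks for the renamed backup next to it, hashes both, and restores the original from the backup when they differ. The file names and pairings come from the post above; the sample System32 directory is constructed in a temp folder with dummy PE-like contents, and the restore step is only meant to be run against an offline volume (Recovery Console or boot CD), not the live infected Windows.

```python
import hashlib
import os
import shutil
import tempfile

# Pairings from the post: the infection patches one original and leaves a
# renamed copy of the clean file beside it.
BACKUP_PAIRS = {
    "scecli.dll": "sceclt.dll",
    "netlogon.dll": "ntelogon.dll",
    "eventlog.dll": "logevent.dll",
}


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def has_mz_header(path):
    # Cheap sanity check that the backup is at least a PE image, not junk.
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"


def find_patched_files(system32):
    """One finding per original whose renamed backup exists in system32."""
    findings = []
    for original, backup in BACKUP_PAIRS.items():
        orig_path = os.path.join(system32, original)
        bak_path = os.path.join(system32, backup)
        if not os.path.isfile(bak_path):
            continue
        present = os.path.isfile(orig_path)
        findings.append({
            "original": orig_path,
            "backup": bak_path,
            "original_present": present,
            # Differing hashes mean the original is still the patched copy.
            "differs": (not present) or sha256_of(orig_path) != sha256_of(bak_path),
            "backup_is_pe": has_mz_header(bak_path),
        })
    return findings


def restore_from_backup(finding):
    """Overwrite the patched original with the backup and confirm by hash.
    Run this against an offline volume (Recovery Console / boot CD); on the
    live system the DLL is loaded and the rootkit is still active."""
    if not finding["backup_is_pe"]:
        raise ValueError("backup is not a PE image: " + finding["backup"])
    shutil.copy2(finding["backup"], finding["original"])
    return sha256_of(finding["original"]) == sha256_of(finding["backup"])


def demo():
    """Constructed System32 layout: patched scecli.dll next to its clean copy
    sceclt.dll, plus an untouched netlogon.dll with no backup twin."""
    pe_stub = b"MZ" + b"\x00" * 62
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "sceclt.dll"), "wb") as f:
            f.write(pe_stub + b"clean scecli body")
        with open(os.path.join(d, "scecli.dll"), "wb") as f:
            f.write(pe_stub + b"patched scecli body")
        with open(os.path.join(d, "netlogon.dll"), "wb") as f:
            f.write(pe_stub + b"clean netlogon body")
        before = find_patched_files(d)
        restored = all(restore_from_backup(x) for x in before)
        after = find_patched_files(d)
        return {
            "targets": [os.path.basename(x["original"]) for x in before],
            "differs_before": [x["differs"] for x in before],
            "restored": restored,
            "differs_after": [x["differs"] for x in after],
        }


if __name__ == "__main__":
    print(demo())
```

The presence of the renamed twin is the tell; the hash comparison only confirms the original has not already been swapped back. On the real box the same two steps are what the Recovery Console copy would do, with the volume not in use.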
     
