GMER anti-rootkit wrecked my Win XP install

Jun 7, 2010
  1. Hello all,

    My first post here. Found the site when searching for 'nettir32', a new virus I got hit by about a week ago.

    It is found in this thread, but I'm not allowed to post a reply there:

    I had gotten rid of the nettir32.exe file via Sophos anti-rootkit, but installation of a firewall revealed that the pc was constantly making connection atempts to suspect looking IP adresses, so I seemingly still had malware on it.

    Followed your 8-step guide and at first it went well. TFC, the program deleting temp files apparently stopped the flurry of connection attempts. Malwarebytes scan found and cured two infections, but this triggered the connection frenzy again. Ran TFC once more and again it stopped the connection attempts.

    Next updated Java & Adobe Reader.

    Then I ran GMER. It started scanning automatically and immediatedly reported a problem, asking if I wanted a complete scan. Clicked 'no', as per your instructions, and then started a scan.

    It listed a suspicious boot-related problem, called something like pwtlzn. Scan continued and I left the pc for a while. Came back to a BSOD. Rebooted and did another scan, this time unchecking 'Devices', again per your instructions.

    Came back after a while and found a blank screen and locked-up pc. Tried rebooting, but Windows wouldn't start. Tried all options of safe-mode and last-known-good, to no avail.

    Googling with another computer found this forum thread, where another poor chap has the exact same problem:

    Tried all the suggestions about repairing the boot.ini, but it didn't work for me either. Next tried a repair of the XP install, but like the poster in that thread, it didn't help me either; except for getting the boot process a little further - it now displays the Win XP start screen, but invariably ends with a BSOD. Have not tried the parallel installation that helps the poster, as I plan on trying to boot on another, old harddrive and then add the present one as secondary drive, hoping to save my data.

    Unless you have a miraculous suggestion, it seems I'm royally screwed with regards to saving my current installation.

    As I'm not the only one who's encountered this, I think a warning in your 8-step guide would be appropriate. You can of course argue that it has solved my malware problems, but it wasn't exactly the way I anticipated... :-(

    Erling G-P
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    And this 'warning' you think we need is what? Instead of referring to other users threads, I suggest you give us the logs from the programs you ran in the steps.

    As for this:
    Any help given on a malware thread- if given by the person who is the malware cleaning 'helper' is specific for that problem for that thread for that system. And the reason we're closing threads is so that others don't post their problem on someone else's thread.

    so- if you would like help checking your system for malware, please follow the steps and leave the logs for our review. Right now I have nothing from your system to work with.


    is a new threat (first found on 6/2/2010) so it is possible that fixes are still being worked out for it.

    But it's not GMER that "wrecked my Win XP install" but more likely the corruption caused by the malware itself and/or running other cleaning/scanning programs without supervision.
  3. EGP

    EGP TS Rookie Topic Starter

    Thanks for the reply.

    At the moment, I can't give you any logs, as I can't get my system running on the installation that's corrupted. I'm working on getting the computer running on an old harddrive I haven't used in years. Naturally, it's far behind with regards to Win updates etc and challenged on free space, as it's only 40Gb, with a 10Gb C: partition. Couldn't install SP3, due to lack of space, so will have to try and free some.

    If I succed and if I can acces files from the old installation once I try adding the corrupted drive as secondary, I may be able to give you something. Whether GMER produced a log before the pc froze remains to be seen.

    With regards to a warning; the pc did work a full week after the infection and only locked up in connection with the GMER scan. As others have had the same problem in connection with a scan with this program, I still believe a warning about a potential risk would be in order. The net result is that my pc isn't working anymore, whether the cause is GMER itself or the infection agressively defending itself against detection.

    Erling G-P
Topic Status:
Not open for further replies.

Similar Topics

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...