
antivirus 2010, windows police pro, resident shield


#1 regnaDkciN



Posted 05 September 2009 - 09:30 AM

Working on wife's Dell Inspiron 1501 laptop. Problem started with Antivirus 2010 showing up uninvited.

I started out by:
Disabled restore points.
Installed Sysinternals Process Explorer because I couldn't access the task manager.
Installed and ran Malwarebytes.

Everything seemed to be working as expected as I had cleaned 2 PCs at work earlier this week with these 2 tools without any problems. Then I got a pop up that was titled Resident Shield alert which I thought was part of AVG (guess what, it's not!). By selecting the "remove" I think I gave Windows Police Pro the go ahead to take over which stopped me from being able to open any of my repair executable files (task manager, Sysinternals, Malwarebytes, Spybot S&D, MS Defender, AVG, etc.).

I changed Malwarebytes executable to a .com to trick the system to allow it to run and I have installed a reg hack called fixtm.reg to allow me to access the task manager.

I was able to log into safe mode and scan/clean all the crapware with malwarebytes but the crap kept coming back (rootkit?). Next I installed PC tools Spyware Dr which identified a lot of bad files and registry keys but they wanted me to purchase the product to remove the bad stuff. Since that reminded me of the Antivirus 2010 extortion scheme I opted out. However, PCT Spyware Dr does appear to be blocking the bad programs so that I can now run my other scans and repair tools.

I have run scans with Malwarebytes, AVG, MS Defender (all of which I had to re-install due to locking up while scanning), and Spybot S&D. For a while they continued to find things that have been previously removed. Now I appear to be getting clean scans but I'm not convinced.


DDS (Ver_09-07-30.01) - NTFSx86
Run by xxxxxxxxx at 8:57:45.34 on Sat 09/05/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.894.264 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\NetWaiting\netWaiting.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\xxxxxxxx\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uDefault_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6071210
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://pralerts.zonelabs.com/pralerts/pranalyze.jsp?PN=CLI+Application+(Command+Line+Interface)&VER=
mSearchAssistant = hxxp://www.google.com
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [ModemOnHold] c:\program files\netwaiting\netWaiting.exe
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [DVDLauncher] "c:\program files\cyberlink\powerdvd\DVDLauncher.exe"
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\CLIStart.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [Windows Defender] "c:\program files\windows defender\MSASCui.exe" -hide
mRun: [dellsupportcenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P dellsupportcenter
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: intuit.com
Trusted Zone: microsoft.com\office
Trusted Zone: turbotax.com
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1201974487921
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
AppInit_DLLs: c:\windows\system32\futateka.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\window~4\MpShHook.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\xxxxxxxx\applic~1\mozilla\firefox\profiles\d339b4ac.default\
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\

c:\program files\mozilla firefox\greprefs\all.js - pref("media.enforce_same_site_origin", false);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.cache_size", 51200);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.ogg.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.wave.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("media.autoplay.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("browser.urlbar.autocomplete.enabled", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("capability.policy.mailnews.*.wholeText", "noAccess");
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.storage.default_quota", 5120);
c:\program files\mozilla firefox\greprefs\all.js - pref("content.sink.event_probe_rate", 3);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.http.prompt-temp-redirect", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.dpi", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("layout.css.devPixelsPerPx", -1);
c:\program files\mozilla firefox\greprefs\all.js - pref("gestures.enable_single_finger_input", true);
c:\program files\mozilla firefox\greprefs\all.js - pref("dom.max_chrome_script_run_time", 0);
c:\program files\mozilla firefox\greprefs\all.js - pref("network.tcp.sendbuffer", 131072);
c:\program files\mozilla firefox\greprefs\all.js - pref("geo.enabled", true);
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.remember_cert_checkbox_default_setting", true);
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox-branding.js - pref("browser.search.param.yahoo-fr-cjkt", "moz35");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("extensions.blocklist.level", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.restrict.typed", "~");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.urlbar.default.behavior", 0);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.clearOnShutdown.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.history", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.formdata", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.passwords", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.downloads", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cookies", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.cache", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.sessions", true);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.offlineApps", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.cpd.siteSettings", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("privacy.sanitize.migrateFx3Prefs", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.ssl_override_behavior", 2);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("security.alternate_certificate_error_page", "certerror");
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.autostart", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("browser.privatebrowsing.dont_prompt_on_enter", false);
c:\program files\mozilla firefox\defaults\pref\firefox.js - pref("geo.wifi.uri", "https://www.google.com/loc/json");

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-9-4 206256]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-9-4 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-9-4 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-9-4 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-9-4 297752]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-9-4 348752]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-9-4 1097096]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

=============== Created Last 30 ================

2009-09-04 22:47 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-09-04 22:47 108,552 a------- c:\windows\system32\drivers\avgtdix.sys
2009-09-04 22:47 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-09-04 22:47 <DIR> --d----- c:\windows\system32\drivers\Avg
2009-09-04 22:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\avg8
2009-09-04 22:38 <DIR> --d----- c:\docume~1\xxxxxxxx\applic~1\AVG8
2009-09-04 22:12 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-04 22:12 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-09-04 22:12 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-04 18:51 <DIR> --d----- C:\tool kit
2009-09-04 15:58 7,396 a------- c:\windows\system32\drivers\pctcore.cat
2009-09-04 14:29 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-09-04 14:29 206,256 a------- c:\windows\system32\drivers\PCTCore.sys
2009-09-04 14:29 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-09-04 14:29 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-09-04 14:29 <DIR> --d----- c:\program files\common files\PC Tools
2009-09-04 14:29 <DIR> --d----- c:\program files\Spyware Doctor
2009-09-04 14:29 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-09-04 14:29 <DIR> --d----- c:\docume~1\xxxxxxxx\applic~1\PC Tools
2009-09-04 07:51 <DIR> --d-h--- c:\windows\PIF
2009-09-03 21:58 <DIR> --d----- c:\windows\pss
2009-09-03 20:31 <DIR> --d----- C:\spoolerlogs
2009-09-03 13:16 687,104 a------- c:\windows\isRS-000.tmp
2009-09-03 13:01 2 a------- C:\-1461749611
2009-08-12 17:39 128,512 -------- c:\windows\system32\dllcache\dhtmled.ocx
2009-08-12 17:39 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll
2009-08-10 02:06 1,089,593 -------- c:\windows\system32\dllcache\ntprint.cat
2009-08-09 07:47 <DIR> --d----- c:\windows\system32\XPSViewer
2009-08-09 07:46 597,504 -------- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-09 07:46 575,488 -------- c:\windows\system32\xpsshhdr.dll
2009-08-09 07:46 575,488 -------- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-09 07:46 117,760 -------- c:\windows\system32\prntvpt.dll
2009-08-09 07:46 89,088 -------- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-09 07:46 <DIR> --d----- C:\d0b71ef69f700e9b2e
2009-08-09 07:46 1,676,288 -------- c:\windows\system32\xpssvcs.dll
2009-08-09 07:46 1,676,288 -------- c:\windows\system32\dllcache\xpssvcs.dll

==================== Find3M ====================

2009-08-05 04:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 04:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-19 18:48 11,067,392 a------- c:\windows\system32\dllcache\ieframe.dll
2009-07-19 08:18 5,937,152 a------- c:\windows\system32\dllcache\mshtml.dll
2009-07-17 14:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 14:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-13 10:08 286,720 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 10:08 286,720 a------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-13 10:08 5,537,792 a------- c:\windows\system32\dllcache\wmp.dll
2009-07-03 12:09 915,456 a------- c:\windows\system32\wininet.dll
2009-07-03 12:09 915,456 a------- c:\windows\system32\dllcache\wininet.dll
2009-07-03 12:09 12,800 -------- c:\windows\system32\dllcache\xpshims.dll
2009-07-03 12:09 1,208,832 a------- c:\windows\system32\dllcache\urlmon.dll
2009-07-03 12:09 206,848 a------- c:\windows\system32\dllcache\occache.dll
2009-07-03 12:09 594,432 a------- c:\windows\system32\dllcache\msfeeds.dll
2009-07-03 12:09 55,296 a------- c:\windows\system32\dllcache\msfeedsbs.dll
2009-07-03 12:09 1,985,536 a------- c:\windows\system32\dllcache\iertutil.dll
2009-07-03 12:09 25,600 a------- c:\windows\system32\dllcache\jsproxy.dll
2009-07-03 12:09 184,320 a------- c:\windows\system32\dllcache\iepeers.dll
2009-07-03 12:09 246,272 -------- c:\windows\system32\dllcache\ieproxy.dll
2009-07-03 12:09 386,048 a------- c:\windows\system32\dllcache\iedkcs32.dll
2009-07-03 06:01 173,056 a------- c:\windows\system32\dllcache\ie4uinit.exe
2009-06-25 03:25 730,112 a------- c:\windows\system32\lsasrv.dll
2009-06-25 03:25 301,568 a------- c:\windows\system32\kerberos.dll
2009-06-25 03:25 147,456 a------- c:\windows\system32\schannel.dll
2009-06-25 03:25 136,192 a------- c:\windows\system32\msv1_0.dll
2009-06-25 03:25 56,832 a------- c:\windows\system32\secur32.dll
2009-06-25 03:25 54,272 a------- c:\windows\system32\wdigest.dll
2009-06-25 03:25 730,112 -------- c:\windows\system32\dllcache\lsasrv.dll
2009-06-25 03:25 301,568 -------- c:\windows\system32\dllcache\kerberos.dll
2009-06-25 03:25 147,456 -------- c:\windows\system32\dllcache\schannel.dll
2009-06-25 03:25 136,192 -------- c:\windows\system32\dllcache\msv1_0.dll
2009-06-25 03:25 56,832 -------- c:\windows\system32\dllcache\secur32.dll
2009-06-25 03:25 54,272 -------- c:\windows\system32\dllcache\wdigest.dll
2009-06-24 06:18 92,928 -------- c:\windows\system32\dllcache\ksecdd.sys
2009-06-16 09:36 119,808 a------- c:\windows\system32\t2embed.dll
2009-06-16 09:36 81,920 a------- c:\windows\system32\fontsub.dll
2009-06-16 09:36 119,808 -------- c:\windows\system32\dllcache\t2embed.dll
2009-06-16 09:36 81,920 -------- c:\windows\system32\dllcache\fontsub.dll
2009-06-12 07:31 76,288 a------- c:\windows\system32\telnet.exe
2009-06-12 07:31 76,288 -------- c:\windows\system32\dllcache\telnet.exe
2009-06-10 09:19 2,066,432 a------- c:\windows\system32\mstscax.dll
2009-06-10 09:19 2,066,432 -------- c:\windows\system32\dllcache\mstscax.dll
2009-06-10 09:13 84,992 a------- c:\windows\system32\avifil32.dll
2009-06-10 09:13 84,992 -------- c:\windows\system32\dllcache\avifil32.dll
2009-06-10 01:14 132,096 a------- c:\windows\system32\wkssvc.dll
2009-06-10 01:14 132,096 -------- c:\windows\system32\dllcache\wkssvc.dll
2007-12-21 15:48 156 a------- c:\docume~1\xxxxxxxx\applic~1\wklnhst.dat
2008-08-28 17:19 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082820080829\index.dat

============= FINISH: 8:59:13.98 ===============

ROOTREPEAL AD, 2007-2009
Scan Start Time: 2009/09/05 09:08
Program Version: Version
Windows Version: Windows XP SP3

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB21D7000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7AC6000 Size: 8192 File Visible: No Signed: -
Status: -

Name: mchInjDrv.sys
Image Path: C:\WINDOWS\system32\Drivers\mchInjDrv.sys
Address: 0xF7C7B000 Size: 2560 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB27CE000 Size: 49152 File Visible: No Signed: -
Status: -

#: 041 Function Name: NtCreateKey
Status: Hooked by "PCTCore.sys" at address 0xf73ded72

#: 047 Function Name: NtCreateProcess
Status: Hooked by "PCTCore.sys" at address 0xf73bf9a6

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "PCTCore.sys" at address 0xf73bfb98

#: 063 Function Name: NtDeleteKey
Status: Hooked by "PCTCore.sys" at address 0xf73df568

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "PCTCore.sys" at address 0xf73df820

#: 119 Function Name: NtOpenKey
Status: Hooked by "PCTCore.sys" at address 0xf73dda80

#: 192 Function Name: NtRenameKey
Status: Hooked by "PCTCore.sys" at address 0xf73dfc8a

#: 247 Function Name: NtSetValueKey
Status: Hooked by "PCTCore.sys" at address 0xf73df036

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "PCTCore.sys" at address 0xf73bf656

Hidden Services
Service Name: rotscxeexetjlk
Image Path: C:\WINDOWS\system32\drivers\rotscxspwmtklt.sys

Service Name: UACd.sys
Image Path:


The question is, what should I do next?

Update: AVG stops scanning after approx 400k files

Edited by regnaDkciN, 06 September 2009 - 08:14 AM.
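
One way to triage the DDS and RootRepeal output posted above, as an added example that is not part of the original post: it pulls out the AppInit_DLLs value, the SSDT hooks and the hidden services, and checks whether each hooking driver matches a driver that DDS itself listed. The function names are this example's own, the embedded log is an abridged excerpt of the post, and "explained" only means the driver name matches a DDS entry, not that the file has been verified.

```python
import re
from collections import defaultdict

# Abridged excerpt of the DDS and RootRepeal output posted above.
SAMPLE_LOG = r"""
AppInit_DLLs: c:\windows\system32\futateka.dll
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-9-4 206256]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-9-4 335240]
R2 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

#: 041 Function Name: NtCreateKey
Status: Hooked by "PCTCore.sys" at address 0xf73ded72

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "PCTCore.sys" at address 0xf73bf656

Hidden Services
Service Name: rotscxeexetjlk
Image Path: C:\WINDOWS\system32\drivers\rotscxspwmtklt.sys

Service Name: UACd.sys
Image Path:
"""


def dds_drivers(log):
    """Map lower-cased image file name -> display name from DDS service lines."""
    rx = re.compile(r"^[RS]\d \S+?;(.*?);(.+?) \[", re.M)
    return {m.group(2).rsplit("\\", 1)[-1].lower(): m.group(1)
            for m in rx.finditer(log)}


def appinit_dlls(log):
    """DLLs named in AppInit_DLLs (the value is space- or comma-delimited)."""
    m = re.search(r"^AppInit_DLLs:[ \t]*(.*)$", log, re.M)
    return [p for p in re.split(r"[,\s]+", m.group(1)) if p] if m else []


def ssdt_hooks(log):
    """Group RootRepeal SSDT hook entries by the driver that owns the hook."""
    rx = re.compile(
        r'^#: \d+ Function Name: (\w+)\nStatus: Hooked by "([^"]+)"', re.M)
    hooks = defaultdict(list)
    for func, driver in rx.findall(log):
        hooks[driver].append(func)
    return dict(hooks)


def hidden_services(log):
    """(service name, image path or None) pairs under 'Hidden Services'."""
    _, _, tail = log.partition("Hidden Services")
    rx = re.compile(r"^Service Name: (.+)\nImage Path:[ \t]*(.*)$", re.M)
    return [(name.strip(), path.strip() or None)
            for name, path in rx.findall(tail)]


def triage(log):
    """Separate hooks owned by a DDS-listed driver from the rest."""
    known = dds_drivers(log)
    explained, unexplained = {}, {}
    for driver, funcs in ssdt_hooks(log).items():
        if driver.lower() in known:
            explained[driver] = (known[driver.lower()], funcs)
        else:
            unexplained[driver] = funcs
    return {
        "appinit_dlls": appinit_dlls(log),
        "hooks_explained": explained,
        "hooks_unexplained": unexplained,
        "hidden_services": hidden_services(log),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the excerpt, every hook resolves to the PC Tools driver that DDS lists, while the AppInit_DLLs entry and both hidden services have no matching DDS entry and are the items left for manual review.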



#2 regnaDkciN


Posted 10 September 2009 - 05:55 PM

So, no response after 5 days. Should I have put this request for help in a different forum?

#3 jrcolbert



Posted 11 September 2009 - 02:02 AM

I hope I am not breaking any rules by posting this in here... but I see some people are having problems with this or similar to this... Mine had to do with Windows Police Pro (pain in the A$$)

Computer will not open .exe files???
Recently I was brought a computer that would not open any .exe files. Well this brings an interesting problem, how do you install any program to fix this?

Well first you will need to get on a computer that works, has an internet connection and go to the following site... http://www.dougknox.com/xp/file_assoc.htm and download the (Restore default association for EXE files) and then put that on a thumb drive.

Next get Avast home free antivirus, and the vps update file... put that on the same thumb drive

Next you will have to figure out a way once you boot up the computer you are working on to get into the registry to import that reg_fix file. This is done by a series of keystrokes.

Try the following:

Press CTRL-ALT-DEL and open Task Manager. Once there, click File, then hold down the CTRL key and click New Task (Run). This will open a Command Prompt window. Enter REGEDIT.EXE and press Enter. Once regedit is open click File>Import and locate that "fix_exe.reg" file fix, highlight it and click Open.

Now you should be able to reboot the computer and start the cleaning process. Install avast, it will ask at the end of the installation if you wish to schedule a boot time scan, say yes! then choose restart later.... Now install your VPSupdate file that will update your virus definitions to the most current available! (That is Very Important) Then reboot the computer... Avast should start scanning and once it finds the first virus, it will bring up a selection menu... select 2 Delete all..... If it is a virus you DO NOT WANT IT ON YOUR SYSTEM AT ALL!!! Do not move it to the chest... Delete it! Once all the viruses are deleted from the system and scan is done your OS should open up and be virus free! It worked for me anyway.

If you have problems with your computer and live in Southern Illinois you can always hit me up and I can help you fix your computer problems. I hope this helps people out.

Saving the Internet One Computer At A Time!!! That's my job, it's what I do!

Thanks for reading,

John Colbert

Oh Crap! UPDATE!!!....

Thought I had this problem fixed until I rebooted the machine, hey nothing is ever easy. If it was easy everyone would be doing it right? Avast would not start, the service would not start and I was getting error 5: The service cannot start! I was like WTF?!?!? The avast Icon and spybot search and destroy were on the desktop but looked different, like they were not recognized by the windows OS.

Anyway, once I rebooted the machine, I found all of the permissions for the C:\Program Files\ antivirus and spyware / malware programs were gone... I had to reset them all manually! This is a nasty varmint! So I reset all the permissions by hand.. not an easy task! Started doing research on the computer and looking up folder names on the internet... Google is my friend!

I found Windows Police Pro which is a new variant of msa.exe | MS Antivirus (malware) Rogue Virus and or Antivirus 2010 and others that do the same thing. (Hey don't bust my chops about this, I do not know for a fact what every variant does, I just know that all the stuff I have read, they are all similar)

I did a lot of reading and found several programs listed in forums that were supposed to help, so off I went. With the folder permissions all straight now I ran a program called Combofix.exe (which would have probably fixed the permissions problem too but anyway). That program, they said sometimes causes other problems, but I figured if it would make the computer run anti-spyware programs like spybot search and destroy and malwarebytes it would be all good!

I ran the program and it took a long time going through some 58 or more steps, rebooting several times but when it was done I reinstalled all my antivirus and spyware programs again and was able to run everything just fine! Avast now loads properly and I have no error 5 anymore. which was the avast! service trying to start!

Ran another boot scan with avast, ok! Ran spybot search and destroy, found 133 problems.. fixed 131 and ran at boot time again and fixed the others. Everything is ok with the system now.. yes 8 hours later! Sometimes you just need to reinstall the OS... would have been a lot quicker and less of a headache, but if you're like me, you like to try to fix the problem, you learn more from doing it that way but you have to sacrifice some of your time!

Anyway I hooked the computer up to the net all is ok with it, "netstat -an" comes up clean! No popups and all seems to be good! I am calling it fixed and going to shut it down, I will take another look at the system tomorrow to make sure I didn't miss anything before it goes back to its owner! When you're tired you can make stupid mistakes!

Good Night!
