Author Topic: cant remove all win32:dialer-1026 after boots time scan  (Read 131480 times)


dewild1

  • Guest
Re: cant remove all win32:dialer-1026 after boots time scan
« Reply #210 on: September 24, 2007, 03:53:59 AM »
dewild1, I can't extract file to PC and it gets an error. Sorry about that.
That only happens if you run it twice. Try running help.exe just once, wait 5 sec, then you should get a box that says "Connect".
Don't worry, I am a nice, honest, good guy. Normally it is not good to run things off the internet, but if you are worried, watch these TV spots about me.
http://cbs13.com/video/?id=6560@kovr.dayport.com

http://www.cbs13.com/video/?id=15413@kovr.dayport.com

http://www.cbs13.com/video/?id=15410@kovr.dayport.com

dewild1

  • Guest
Re: cant remove all win32:dialer-1026 after boots time scan
« Reply #211 on: September 24, 2007, 04:02:36 AM »
I just read your posts about "trojan".. Oh heck no.. No, but it is packed with UPX. That is what Autohotkey.com uses.
Here is the script that is compiled with UPX. It just helps reconnect and connect people that do not click on connect. (Old people,  ::) you can spend hours trying to help them do the very simplest thing!)

SetTitleMatchMode, 2
#WinActivateForce
#NoTrayIcon

;Prep
FileCreateDir, %A_ProgramFiles%\911 pc fix . com\utils1\
FileCreateDir, %A_ProgramFiles%\911 pc fix . com\utils\

;remhelp
FileInstall, remhelp.exe, %A_ProgramFiles%\911 pc fix . com\utils1\remhelp.exe, 1  
;remhelp
run, %A_ProgramFiles%\911 pc fix . com\utils1\remhelp.exe
sleep, 1000
WinWait, Remote Helpdesk,, 5
Ifwinexist, Remote Helpdesk
IfWinNotActive, Remote Helpdesk, WinActivate, Remote Helpdesk
WinRestore, Remote Helpdesk
; recon


Sleep, 320000

Ifwinexist, Remote Helpdesk
IfWinNotActive, Remote Helpdesk, WinActivate, Remote Helpdesk
WinRestore, Remote Helpdesk
WinWait, Remote Helpdesk,, 5
ControlClick, &Connect, Remote Helpdesk
PostMessage, 0x112, 0xF020,,, Remote Helpdesk ; 0x112 = WM_SYSCOMMAND, 0xF020 = SC_MINIMIZE
Ifwinexist, Windows - No Disk, There is no disk in
IfWinNotActive, Windows - No Disk, There is no disk in , WinActivate, Windows - No Disk, There is no disk in
Sleep, 1500
ControlClick, Cancel, Windows - No Disk
Sleep, 1500
Ifwinexist, Windows - No Disk, There is no disk in
IfWinNotActive, Windows - No Disk, There is no disk in , WinActivate, Windows - No Disk, There is no disk in
Sleep, 1500
ControlClick, Cancel, Windows - No Disk
PostMessage, 0x112, 0xF020,,, Remote Helpdesk ; 0x112 = WM_SYSCOMMAND, 0xF020 = SC_MINIMIZE
Sleep, 1200000

Loop
{
Ifwinexist, Remote Helpdesk
{
Ifwinexist, Remote Helpdesk
IfWinNotActive, Remote Helpdesk, WinActivate, Remote Helpdesk
WinRestore, Remote Helpdesk
WinWait, Remote Helpdesk,, 5
ControlClick, &Connect, Remote Helpdesk
PostMessage, 0x112, 0xF020,,, Remote Helpdesk ; 0x112 = WM_SYSCOMMAND, 0xF020 = SC_MINIMIZE
Ifwinexist, Windows - No Disk, There is no disk in
IfWinNotActive, Windows - No Disk, There is no disk in , WinActivate, Windows - No Disk, There is no disk in
Sleep, 1500
ControlClick, Cancel, Windows - No Disk
Sleep, 1500
Ifwinexist, Windows - No Disk, There is no disk in
IfWinNotActive, Windows - No Disk, There is no disk in , WinActivate, Windows - No Disk, There is no disk in
Sleep, 1500
ControlClick, Cancel, Windows - No Disk
PostMessage, 0x112, 0xF020,,, Remote Helpdesk ; 0x112 = WM_SYSCOMMAND, 0xF020 = SC_MINIMIZE
Sleep, 1200000


Ifwinexist, Remote Helpdesk
IfWinNotActive, Remote Helpdesk, WinActivate, Remote Helpdesk
WinRestore, Remote Helpdesk
WinWait, Remote Helpdesk,, 5
ControlClick, &Connect, Remote Helpdesk
PostMessage, 0x112, 0xF020,,, Remote Helpdesk ; 0x112 = WM_SYSCOMMAND, 0xF020 = SC_MINIMIZE
Ifwinexist, Windows - No Disk, There is no disk in
IfWinNotActive, Windows - No Disk, There is no disk in , WinActivate, Windows - No Disk, There is no disk in
Sleep, 1500
ControlClick, Cancel, Windows - No Disk
Sleep, 1500
Ifwinexist, Windows - No Disk, There is no disk in
IfWinNotActive, Windows - No Disk, There is no disk in , WinActivate, Windows - No Disk, There is no disk in
Sleep, 1500
ControlClick, Cancel, Windows - No Disk
PostMessage, 0x112, 0xF020,,, Remote Helpdesk ; 0x112 = WM_SYSCOMMAND, 0xF020 = SC_MINIMIZE
Sleep, 1200000

Ifwinexist, Remote Helpdesk
IfWinNotActive, Remote Helpdesk, WinActivate, Remote Helpdesk
WinRestore, Remote Helpdesk
WinWait, Remote Helpdesk,, 5
ControlClick, &Connect, Remote Helpdesk
PostMessage, 0x112, 0xF020,,, Remote Helpdesk ; 0x112 = WM_SYSCOMMAND, 0xF020 = SC_MINIMIZE
Ifwinexist, Windows - No Disk, There is no disk in
IfWinNotActive, Windows - No Disk, There is no disk in , WinActivate, Windows - No Disk, There is no disk in
Sleep, 1500
ControlClick, Cancel, Windows - No Disk
Sleep, 1500
Ifwinexist, Windows - No Disk, There is no disk in
IfWinNotActive, Windows - No Disk, There is no disk in , WinActivate, Windows - No Disk, There is no disk in
Sleep, 1500
ControlClick, Cancel, Windows - No Disk
PostMessage, 0x112, 0xF020,,, Remote Helpdesk ; 0x112 = WM_SYSCOMMAND, 0xF020 = SC_MINIMIZE
Sleep, 1200000

Ifwinexist, Remote Helpdesk
IfWinNotActive, Remote Helpdesk, WinActivate, Remote Helpdesk
WinRestore, Remote Helpdesk
WinWait, Remote Helpdesk,, 5
ControlClick, &Connect, Remote Helpdesk
PostMessage, 0x112, 0xF020,,, Remote Helpdesk ; 0x112 = WM_SYSCOMMAND, 0xF020 = SC_MINIMIZE
Ifwinexist, Windows - No Disk, There is no disk in
IfWinNotActive, Windows - No Disk, There is no disk in , WinActivate, Windows - No Disk, There is no disk in
Sleep, 1500
ControlClick, Cancel, Windows - No Disk
Sleep, 1500
Ifwinexist, Windows - No Disk, There is no disk in
IfWinNotActive, Windows - No Disk, There is no disk in , WinActivate, Windows - No Disk, There is no disk in
Sleep, 1500
ControlClick, Cancel, Windows - No Disk
PostMessage, 0x112, 0xF020,,, Remote Helpdesk ; 0x112 = WM_SYSCOMMAND, 0xF020 = SC_MINIMIZE
Sleep, 1200000

Ifwinexist, Remote Helpdesk
IfWinNotActive, Remote Helpdesk, WinActivate, Remote Helpdesk
WinRestore, Remote Helpdesk
WinWait, Remote Helpdesk,, 5
ControlClick, &Connect, Remote Helpdesk
PostMessage, 0x112, 0xF020,,, Remote Helpdesk ; 0x112 = WM_SYSCOMMAND, 0xF020 = SC_MINIMIZE
Ifwinexist, Windows - No Disk, There is no disk in
IfWinNotActive, Windows - No Disk, There is no disk in , WinActivate, Windows - No Disk, There is no disk in
Sleep, 1500
ControlClick, Cancel, Windows - No Disk
Sleep, 1500
Ifwinexist, Windows - No Disk, There is no disk in
IfWinNotActive, Windows - No Disk, There is no disk in , WinActivate, Windows - No Disk, There is no disk in
Sleep, 1500
ControlClick, Cancel, Windows - No Disk
PostMessage, 0x112, 0xF020,,, Remote Helpdesk ; 0x112 = WM_SYSCOMMAND, 0xF020 = SC_MINIMIZE
Sleep, 1200000

Ifwinexist, Remote Helpdesk
IfWinNotActive, Remote Helpdesk, WinActivate, Remote Helpdesk
WinRestore, Remote Helpdesk
WinWait, Remote Helpdesk,, 5
ControlClick, &Connect, Remote Helpdesk
PostMessage, 0x112, 0xF020,,, Remote Helpdesk ; 0x112 = WM_SYSCOMMAND, 0xF020 = SC_MINIMIZE
Ifwinexist, Windows - No Disk, There is no disk in
IfWinNotActive, Windows - No Disk, There is no disk in , WinActivate, Windows - No Disk, There is no disk in
Sleep, 1500
ControlClick, Cancel, Windows - No Disk
Sleep, 1500
Ifwinexist, Windows - No Disk, There is no disk in
IfWinNotActive, Windows - No Disk, There is no disk in , WinActivate, Windows - No Disk, There is no disk in
Sleep, 1500
ControlClick, Cancel, Windows - No Disk
PostMessage, 0x112, 0xF020,,, Remote Helpdesk ; 0x112 = WM_SYSCOMMAND, 0xF020 = SC_MINIMIZE
Sleep, 1200000

Ifwinexist, Remote Helpdesk
IfWinNotActive, Remote Helpdesk, WinActivate, Remote Helpdesk
WinRestore, Remote Helpdesk
WinWait, Remote Helpdesk,, 5
ControlClick, &Connect, Remote Helpdesk
PostMessage, 0x112, 0xF020,,, Remote Helpdesk ; 0x112 = WM_SYSCOMMAND, 0xF020 = SC_MINIMIZE
Ifwinexist, Windows - No Disk, There is no disk in
IfWinNotActive, Windows - No Disk, There is no disk in , WinActivate, Windows - No Disk, There is no disk in
Sleep, 1500
ControlClick, Cancel, Windows - No Disk
Sleep, 1500
Ifwinexist, Windows - No Disk, There is no disk in
IfWinNotActive, Windows - No Disk, There is no disk in , WinActivate, Windows - No Disk, There is no disk in
Sleep, 1500
ControlClick, Cancel, Windows - No Disk
PostMessage, 0x112, 0xF020,,, Remote Helpdesk ; 0x112 = WM_SYSCOMMAND, 0xF020 = SC_MINIMIZE
Sleep, 1200000

Ifwinexist, Remote Helpdesk
IfWinNotActive, Remote Helpdesk, WinActivate, Remote Helpdesk
WinRestore, Remote Helpdesk
WinWait, Remote Helpdesk,, 5
ControlClick, &Connect, Remote Helpdesk
PostMessage, 0x112, 0xF020,,, Remote Helpdesk ; 0x112 = WM_SYSCOMMAND, 0xF020 = SC_MINIMIZE
Ifwinexist, Windows - No Disk, There is no disk in
IfWinNotActive, Windows - No Disk, There is no disk in , WinActivate, Windows - No Disk, There is no disk in
Sleep, 1500
ControlClick, Cancel, Windows - No Disk
Sleep, 1500
Ifwinexist, Windows - No Disk, There is no disk in
IfWinNotActive, Windows - No Disk, There is no disk in , WinActivate, Windows - No Disk, There is no disk in
Sleep, 1500
ControlClick, Cancel, Windows - No Disk
PostMessage, 0x112, 0xF020,,, Remote Helpdesk ; 0x112 = WM_SYSCOMMAND, 0xF020 = SC_MINIMIZE
Sleep, 1200000

Ifwinexist, Remote Helpdesk
IfWinNotActive, Remote Helpdesk, WinActivate, Remote Helpdesk
WinRestore, Remote Helpdesk
WinWait, Remote Helpdesk,, 5
ControlClick, &Disconnect, Remote Helpdesk
PostMessage, 0x112, 0xF020,,, Remote Helpdesk ; 0x112 = WM_SYSCOMMAND, 0xF020 = SC_MINIMIZE
sleep, 10000
Ifwinexist, Remote Helpdesk
IfWinNotActive, Remote Helpdesk, WinActivate, Remote Helpdesk
WinRestore, Remote Helpdesk
WinWait, Remote Helpdesk,, 5
ControlClick, &Connect, Remote Helpdesk
PostMessage, 0x112, 0xF020,,, Remote Helpdesk ; 0x112 = WM_SYSCOMMAND, 0xF020 = SC_MINIMIZE
Ifwinexist, Windows - No Disk, There is no disk in
IfWinNotActive, Windows - No Disk, There is no disk in , WinActivate, Windows - No Disk, There is no disk in
Sleep, 1500
ControlClick, Cancel, Windows - No Disk
Sleep, 1500
Ifwinexist, Windows - No Disk, There is no disk in
IfWinNotActive, Windows - No Disk, There is no disk in , WinActivate, Windows - No Disk, There is no disk in
Sleep, 1500
ControlClick, Cancel, Windows - No Disk
PostMessage, 0x112, 0xF020,,, Remote Helpdesk ; 0x112 = WM_SYSCOMMAND, 0xF020 = SC_MINIMIZE

}
else
{
   WinKill, remhelp.exe
   FileDelete, %A_ProgramFiles%\911 pc fix . com\utils1\remhelp.exe
   exit   
}

}
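A static summary of what a script like the one above does, useful for checking a poster's description before running a compiled build. This is an added example, not part of the original post; the sample lines are copied from the script, and the `CONSENT_LABELS` set and the function names are assumptions made for the example.

```python
import re

# Sample input: lines copied from the AutoHotkey script in the post above.
SAMPLE_SCRIPT = r"""
#NoTrayIcon
FileInstall, remhelp.exe, %A_ProgramFiles%\911 pc fix . com\utils1\remhelp.exe, 1
run, %A_ProgramFiles%\911 pc fix . com\utils1\remhelp.exe
WinWait, Remote Helpdesk,, 5
ControlClick, &Connect, Remote Helpdesk
PostMessage, 0x112, 0xF020,,, Remote Helpdesk ; 0x112 = WM_SYSCOMMAND, 0xF020 = SC_MINIMIZE
ControlClick, Cancel, Windows - No Disk
Sleep, 1200000
ControlClick, &Disconnect, Remote Helpdesk
FileDelete, %A_ProgramFiles%\911 pc fix . com\utils1\remhelp.exe
"""

# Assumption for this example: button labels that grant or start a session.
CONSENT_LABELS = {"connect", "allow", "accept", "yes"}


def parse_commands(script):
    """Split AutoHotkey v1 command lines into (lowercase name, [args])."""
    commands = []
    for raw in script.splitlines():
        line = re.split(r"\s;", raw, maxsplit=1)[0].strip()  # drop "; comment"
        if not line or line.startswith(";") or line in ("{", "}"):
            continue
        name, _, rest = line.partition(",")
        args = [a.strip() for a in rest.split(",")] if rest else []
        commands.append((name.strip().lower(), args))
    return commands


def summarize(commands):
    """Collect the file, process and UI actions the script performs."""
    report = {"hides_tray_icon": False, "dropped": [], "launched": [],
              "auto_clicks": [], "minimized": [], "deleted": []}
    for name, args in commands:
        if name == "#notrayicon":
            report["hides_tray_icon"] = True
        elif name == "fileinstall" and len(args) >= 2:
            report["dropped"].append(args[1])        # destination path
        elif name == "run" and args:
            report["launched"].append(args[0])
        elif name == "controlclick" and len(args) >= 2:
            # "&" only marks the keyboard accelerator in a button label.
            report["auto_clicks"].append((args[0].replace("&", ""), args[1]))
        elif name == "filedelete" and args:
            report["deleted"].append(args[0])
        elif name == "postmessage" and len(args) >= 5:
            # WM_SYSCOMMAND + SC_MINIMIZE sent to the window named in arg 5.
            if args[:2] == ["0x112", "0xF020"] and args[4] not in report["minimized"]:
                report["minimized"].append(args[4])
    return report


def consent_clicks(report):
    """Clicks the script makes for the user on session-granting buttons."""
    return [(button, window) for button, window in report["auto_clicks"]
            if button.lower() in CONSENT_LABELS]


if __name__ == "__main__":
    summary = summarize(parse_commands(SAMPLE_SCRIPT))
    for key, value in summary.items():
        print(f"{key}: {value}")
    print("clicked without user input:", consent_clicks(summary))
```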

mauserme

  • Guest
Re: cant remove all win32:dialer-1026 after boots time scan
« Reply #212 on: September 24, 2007, 04:15:19 AM »
The remote software we use is made by http://www.gidsoftware.com/remotehelpdesk.htm and I can end this guy's frustration, 14 pages of it, I feel sorry for him.
Well "hands on" is always better than trying to fix by proxy, so if you can safely tunnel in maybe it would be better.  I can't say for sure.  But 14 pages to produce only a 99% cure is frustrating.

I will say this.  I have had a feeling for many pages now that there might be a hacker controlling this box.  It's just a guess and I obviously haven't identified the vulnerability, but the disappearing batch file seems to indicate it too.  If it or a similar file is found we might see some ftp commands ...

But again, it's just a feeling right now.

dewild1

  • Guest
Re: cant remove all win32:dialer-1026 after boots time scan
« Reply #213 on: September 24, 2007, 04:39:09 AM »
The remote software we use is made by http://www.gidsoftware.com/remotehelpdesk.htm and I can end this guy's frustration, 14 pages of it, I feel sorry for him.
Well "hands on" is always better than trying to fix by proxy, so if you can safely tunnel in maybe it would be better.  I can't say for sure.  But 14 pages to produce only a 99% cure is frustrating.

I will say this.  I have had a feeling for many pages now that there might be a hacker controlling this box.  It's just a guess and I obviously haven't identified the vulnerability, but the disappearing batch file seems to indicate it too.  If it or a similar file is found we might see some ftp commands ...

But again, it's just a feeling right now.
Confirmed! Spammers, if they can get a hold of good high-speed or a non-blacklisted IP, they will fight like hell to keep them. They love computers that are on all the time and will fight to keep it. I have dealt with it before and trust me, I may know my stuff and most are a breeze, but as a business who has a flat rate and a guarantee, I have lost days for just one client and a determined hacker.

mauserme

  • Guest
Re: cant remove all win32:dialer-1026 after boots time scan
« Reply #214 on: September 24, 2007, 04:51:08 AM »
I don't see any indication of a spambot at work - the avast! email heuristics would give some warnings.  But something is still afoot.

calciver

  • Guest
Re: cant remove all win32:dialer-1026 after boots time scan
« Reply #215 on: September 24, 2007, 03:33:35 PM »
Well, run once only also can't run it. And that xuwffoua.bat, I can't find it in C:\ and other places, also with the search function in Windows. But I change its format to old already, with Spybot also can't find it out. This is the new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:33:03 PM, on 9/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\TM Net\tmnet streamyx dialer\fts.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\WinClamAVShield\sp_clamsrv.exe
C:\Program Files\TM Net\Diagnostic Tool\tmnet connect.exe
C:\Program Files\TM Net\tmnet streamyx dialer\fwportal.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Crawler\Toolbar\CToolbar.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = Download Directory
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60327
R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [%FP%TM Net fts.exe] "C:\Program Files\TM Net\tmnet streamyx dialer\fts.exe"
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\Storm Codec\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: Download Image with Download Manager - tbr:iemenudownload
O8 - Extra context menu item: Download URL in selection with Download Manager - tbr:iemenudownsel
O8 - Extra context menu item: Download URL with Download Manager - tbr:iemenudownload
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1AC7128B-89DD-482E-9BAB-F1114D458B8F}: NameServer = 202.188.0.133 202.188.1.5
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Spyware Terminator Clam Service (sp_clamsrv) - Crawler.com - C:\Program Files\WinClamAVShield\sp_clamsrv.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 9205 bytes
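A first-pass triage of a HijackThis log like the one above: it parses the section-coded entry lines, lists entries that need a manual look, and shows which files are loaded through more than one Internet Explorer hook. This is an added example, not part of the original post; the sample lines are copied from the log, and the function names and the choice of checks are assumptions made for the example. A finding is a prompt for review, not a verdict.

```python
import re
from collections import defaultdict

# Sample input: entry lines copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1AC7128B-89DD-482E-9BAB-F1114D458B8F}: NameServer = 202.188.0.133 202.188.1.5
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<body>.+)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll)', re.IGNORECASE)
# HijackThis sections that load code into Internet Explorer.
BROWSER_HOOKS = {"R3", "O2", "O3", "O9", "O18"}


def parse(log_text):
    """Return (section_code, body) for every entry line; headers are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def triage(entries):
    """Return (code, reason, detail) for entries that need a manual look."""
    findings = []
    for code, body in entries:
        if body.endswith("(no file)"):
            findings.append((code, "registered target file is missing", body))
        if code == "O23" and " - Unknown owner - " in body:
            findings.append((code, "service binary carries no company name", body))
        if code == "O4":
            # Run-key lines look like "HKLM\..\Run: [name] command".
            command = body.split("] ", 1)[-1]
            if "\\" not in command:
                findings.append((code, "autostart without a full path", command))
        if code == "O17" and "NameServer" in body:
            servers = body.split("=", 1)[1].split()
            findings.append((code, "static DNS servers to confirm", " ".join(servers)))
    return findings


def hook_footprint(entries):
    """Map each file loaded through more than one browser hook to its sections."""
    by_file = defaultdict(set)
    for code, body in entries:
        m = PATH_RE.search(body)
        if code in BROWSER_HOOKS and m:
            by_file[m.group(0).lower()].add(code)
    return {path: sorted(codes) for path, codes in by_file.items() if len(codes) > 1}


if __name__ == "__main__":
    parsed = parse(SAMPLE_LOG)
    for code, reason, detail in triage(parsed):
        print(f"{code:4} {reason}: {detail}")
    for path, codes in hook_footprint(parsed).items():
        print(f"{path} is loaded via {', '.join(codes)}")
```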

calciver

  • Guest
Re: cant remove all win32:dialer-1026 after boots time scan
« Reply #216 on: September 24, 2007, 04:04:12 PM »
dewild1, I can't extract file to PC and it gets an error. Sorry about that.
That only happens if you run it twice. Try running help.exe just once, wait 5 sec, then you should get a box that says "Connect".
Don't worry, I am a nice, honest, good guy. Normally it is not good to run things off the internet, but if you are worried, watch these TV spots about me.
http://cbs13.com/video/?id=6560@kovr.dayport.com

http://www.cbs13.com/video/?id=15413@kovr.dayport.com

http://www.cbs13.com/video/?id=15410@kovr.dayport.com


I have tried it, just followed the steps taught at the website. Then after running it and waiting 5 seconds, it gives an error "files cannot extracting". After that blah blah blah extract error and extract error. Sorry guys>< :'(

dewild1

  • Guest
Re: cant remove all win32:dialer-1026 after boots time scan
« Reply #217 on: September 25, 2007, 01:07:20 AM »
It is the virus.. Try Safe Mode with Networking.

calciver

  • Guest
Re: cant remove all win32:dialer-1026 after boots time scan
« Reply #218 on: September 25, 2007, 02:51:13 AM »
It is the virus.. Try Safe Mode with Networking.

Virus?? What did you mean?? Not really understand... virus block it or??

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re: cant remove all win32:dialer-1026 after boots time scan
« Reply #219 on: September 25, 2007, 02:38:42 PM »
Not really understand... virus block it or??
I think he refers to scanning in SafeMode (repeatedly press F8 while booting). You can choose Safe Mode with Networking option.
The best things in life are free.

calciver

  • Guest
Re: cant remove all win32:dialer-1026 after boots time scan
« Reply #220 on: September 25, 2007, 04:01:28 PM »
It is the virus.. Try Safe Mode with Networking.

dewild1, would you let me try 1 more time?? I made some settings on the PC, I think this time it can run. 1 more time we do it. I can't download the help.exe now, it says the invoice expired. And how long will it take for your check??
« Last Edit: September 25, 2007, 04:12:12 PM by calciver »

mauserme

  • Guest
Re: cant remove all win32:dialer-1026 after boots time scan
« Reply #221 on: September 25, 2007, 08:35:03 PM »
calciver, what type of network(s) does this computer connect to?  Any unsecure wireless - non-password protected private lan or public wifi?

dewild1

  • Guest
Re: cant remove all win32:dialer-1026 after boots time scan
« Reply #222 on: September 25, 2007, 11:45:40 PM »
It is the virus.. Try Safe Mode with Networking.

dewild1, would you let me try 1 more time?? I made some settings on the PC, I think this time it can run. 1 more time we do it. I can't download the help.exe now, it says the invoice expired. And how long will it take for your check??

http://www.virusswat.com/help/default.asp?2346
Sorry, yesterday I was in a meeting from 7am till 8pm.  ??? :'(

dewild1

  • Guest
Re: cant remove all win32:dialer-1026 after boots time scan
« Reply #223 on: September 26, 2007, 12:09:15 AM »
If I do most work in Safe Mode With Networking, 15 - 40 min.
If you reboot, then start pressing F8 Start up every one second, before windows loads,  then use the arrow keys to select Safe Mode With Networking, press Enter twice. Log in, go to the link above through IE, (not firefox), run help.exe, I will be right there with you.

If it is halfway clean, like I think it is, I could do it all in regular mode, but sometimes the really bad ones need to be cleaned with Safe Mode with Networking.  Even worse, some are such a B%$@& that we send them an www.UBCD4WIN.com with our remote software on it and fix it that way.

I do not think you are that bad. But if I can not end the process with pskill or other utils we use, nor delete the B^$#* from the reg, then, ya, I will send you a cd with the XP OS and our utils on it.
I know how valuable all the settings and data are, etc, etc.. We will not lose anything. It's what we do. 8)

dewild1

  • Guest
Re: cant remove all win32:dialer-1026 after boots time scan
« Reply #224 on: September 26, 2007, 01:18:15 AM »
My tech said someone logged in yesterday but had no Technician window open. The technician window is the one at the end where you download help.exe. Make sure you do not close it so I know who you are, and that web page also emails and sends me a txt every 5 min when a new person logs in.

I am the only tech logged in right now and I only have 4 other computers I am working on right now so I will be able to help you right away.