Can't remove all win32:dialer-1026 after boot-time scan

Thanks very much for this. It is gone and could not be found, but I will still watch for it.

Monday, dang, I feel for ya, you could have built a new computer and rebuilt the NY twin towers by now… Monday, let me give it a try.

Scan this file at Virus Total

C:\xuwffoua.bat

If it scans clean open it in notepad and post the contents.

If it's not clean, don't open it, but post the Virus Total results.

OK, after using Avenger and rebooting the PC, this file tried to change the registry, and I denied the change when Spybot warned me. Then I tried to look at this file, but I can't find it on the C drive. Even after unhiding all files, including protected Windows system files, I still can't find it. What should we do?

Fix this line in HJT

O4 - HKLM\..\Run: [cnbfayqp] C:\xuwffoua.bat

Reboot to safemode and look for the file. If found rename it xuwffoua.old, then reboot to normal mode and see if you can do the Virus Total scan. Then post the results of the scan or the contents of the file as appropriate.

EDIT: While you're looking at the root of C: in safemode, see if there are any other unusual files.

TeaTimer may hinder your ability to fix that line in HJT but I don’t want to disable it right now since it seems to be preventing some unwanted registry changes.
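Added example, not part of the original thread or any poster's code: a small Python triage of HijackThis O4 registry Run entries that flags the kind of line the helper asks to fix above (a script file launched straight from the root of a drive). The two heuristics and the names `triage` and `target_path` are assumptions made for illustration; the sample lines are copied from the logs in this thread, some with the `\..\` that the forum software dropped restored.

```python
import re
from ntpath import dirname, splitext  # Windows path rules, works on any OS

# "O4 - HKLM\..\Run: [value name] command". Forum software often eats the
# first backslash, so the mangled "HKLM..\Run" spelling is accepted too.
O4_RUN = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\?\.\.\\(?P<key>[^:]+): '
    r'\[(?P<name>[^\]]*)\] (?P<cmd>.+)$'
)

# Unquoted commands may contain spaces, so cut at the first executable-looking
# extension that is followed by whitespace or the end of the line.
TARGET = re.compile(r'^(.+?\.(?:exe|com|bat|cmd|vbs|js|scr|pif))(?=\s|$)', re.I)

# Assumption for this example: script types that rarely belong in a Run key.
SCRIPT_EXT = {'.bat', '.cmd', '.vbs', '.js', '.pif', '.scr'}


def target_path(cmd):
    """Return the program path from a Run-key command line, without arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = TARGET.match(cmd)
    return m.group(1) if m else cmd.split()[0]


def triage(log_text):
    """Return one finding per O4 Run entry that trips a heuristic."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if not m:
            continue  # not a registry Run entry (e.g. "O4 - Startup:")
        path = target_path(m['cmd'])
        reasons = []
        if splitext(path)[1].lower() in SCRIPT_EXT:
            reasons.append('script file started from a Run key')
        if re.fullmatch(r'[A-Za-z]:\\', dirname(path)):
            reasons.append('target sits in the root of a drive')
        if reasons:
            findings.append({
                'hive': m['hive'], 'key': m['key'], 'name': m['name'],
                'path': path, 'reasons': reasons,
            })
    return findings


# Sample input: O4 lines taken from the HijackThis logs posted in this thread.
SAMPLE = r'''O4 - HKLM..\Run: [cnbfayqp] C:\xuwffoua.bat
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
'''

if __name__ == '__main__':
    for f in triage(SAMPLE):
        print(f"{f['hive']}\\..\\{f['key']} [{f['name']}] {f['path']}")
        for reason in f['reasons']:
            print('   -', reason)
```

A flagged entry is only a lead for manual review; the file itself still has to be found and scanned, as the post above asks.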

Sorry, did not see that.

My experience tells me that the damage and holes caused by the infection are going to be big and wide and HKLM\soft\MS\winnt\CV\winlogon\notify and all the other places that viruses and spyware try to write to, need to be “read only”.
Too many holes, even from an OS that has not been infected yet. After they have had their way with the OS, it is even worse.
All viruses, spyware, malware have one thing in common, they all want to “live” every time the computer starts up.
Making parts of the reg and folders and other places, “read only”, well, obviously, this is hard to do and Windows Updates and good - new software that he may wish to install would have a problem with “read only”, right?
I made a cure… Kind of like Vista’s UAC but safer and less restrictive and NOT annoying… Safer because you need a password to unlock, he gets the password, and I made mine before Vista was even a wet dream :smiley:
It works on XP too.
I will do a clean and manually look at the reg, services, other areas like plug ins, start up folders, do some tricks to make his computer boot up twice as fast, run a little faster than it does now everywhere else, then lock it down with my program. Just get r done ;D
Now saying all these things, having him try to do them, just adds more frustration and wasted time… The remote software we use is made by http://www.gidsoftware.com/remotehelpdesk.htm and I can end this guy's frustration, 14 pages of it, I feel sorry for him. I also have not run across some of these infections and I want to make sure my stuff protects him and my other clients from them. The remote helpdesk is easy, just a few clicks from him and it goes through the internet to me.

Oh ya, because I am doing this one pro bono, and it is a real bad case, if he does get reinfected, I am not going to count him as a re-infect case. I have had 9 in the last few years and I want to keep my stats down. :stuck_out_tongue:

Hey, my kids are at the circus so if you wanted me to fix it now, http://www.virusswat.com/help/default.asp?2339 and follow instructions.

Yes, TeaTimer warned me, then I denied the change to the registry. WinPatrol also does the same job, but it keeps warning me, so I am forced to make the change or I can't do my work all day. After school I will search for these files.

dewild1, I can't extract the file to the PC; it gives an error. Sorry about that.

Oh my god. Does your program have signs of a trojan?? I got this as the result:

AhnLab-V3 2007.9.22.0 2007.09.21 -
AntiVir 7.6.0.15 2007.09.23 -
Authentium 4.93.8 2007.09.23 -
Avast 4.7.1043.0 2007.09.24 -
AVG 7.5.0.485 2007.09.23 -
BitDefender 7.2 2007.09.24 -
CAT-QuickHeal 9.00 2007.09.21 -
ClamAV 0.91.2 2007.09.24 -
DrWeb 4.33 2007.09.23 -
eSafe 7.0.15.0 2007.09.23 suspicious Trojan/Worm
eTrust-Vet 31.2.5154 2007.09.21 -
Ewido 4.0 2007.09.20 -
FileAdvisor 1 2007.09.24 -
Fortinet 3.11.0.0 2007.09.23 -
F-Prot 4.3.2.48 2007.09.23 -
F-Secure 6.70.13030.0 2007.09.24 -
Ikarus T3.1.1.12 2007.09.24 -
Kaspersky 4.0.2.24 2007.09.24 -
McAfee 5125 2007.09.21 -
Microsoft 1.2803 2007.09.24 -
NOD32v2 2545 2007.09.23 -
Norman 5.80.02 2007.09.21 -
Panda 9.0.0.4 2007.09.23 -
Prevx1 V2 2007.09.24 -
Rising 19.42.00.00 2007.09.24 -
Sophos 4.21.0 2007.09.23 -
Sunbelt 2.2.907.0 2007.09.22 -
Symantec 10 2007.09.24 -
TheHacker 6.2.5.066 2007.09.22 -
VBA32 3.12.2.4 2007.09.23 -
VirusBuster 4.3.26:9 2007.09.23 -
Webwasher-Gateway 6.0.1 2007.09.23 -
Additional information
File size: 640687 bytes
MD5: fb38eca86920ebe5329bfacbfb9606a0
SHA1: ce63d05e0eb91c77aab6583f7387c5edb1fcd66f
packers: UPX
packers: UPX
packers: UPX

I somehow doubt it with only one hit on virustotal and that one (suspicious Trojan/Worm) is most likely from a heuristics detection.

That only happens if you run it twice. Try running help.exe just once, wait 5 sec then you should get a box that says “Connect”
Don't worry, I am a nice, honest, good guy, normally it is not good to run things off the internet, but if you are worried, watch these TV spots about me.
http://cbs13.com/video/?id=6560@kovr.dayport.com

http://www.cbs13.com/video/?id=15413@kovr.dayport.com

http://www.cbs13.com/video/?id=15410@kovr.dayport.com

I just read your posts about “trojan”… Oh heck no… No, but it is packed with UPX. That is what Autohotkey.com uses
Here is the script that is compiled with UPX. It just helps reconnect and connect people that do not click on connect, (Old people, ::)you can spend hours trying to help them do the very simplest thing!)

SetTitleMatchMode, 2
#WinActivateForce
#NoTrayIcon

;Prep
FileCreateDir, %A_ProgramFiles%\911 pc fix . com\utils1
FileCreateDir, %A_ProgramFiles%\911 pc fix . com\utils\

;remhelp
FileInstall, remhelp.exe, %A_ProgramFiles%\911 pc fix . com\utils1\remhelp.exe, 1
;remhelp
run, %A_ProgramFiles%\911 pc fix . com\utils1\remhelp.exe
sleep, 1000
WinWait, Remote Helpdesk, 5
Ifwinexist, Remote Helpdesk
IfWinNotActive, Remote Helpdesk, WinActivate, Remote Helpdesk
WinRestore, Remote Helpdesk
; recon

Sleep, 320000

Ifwinexist, Remote Helpdesk
IfWinNotActive, Remote Helpdesk, WinActivate, Remote Helpdesk
WinRestore, Remote Helpdesk
WinWait, Remote Helpdesk, 5
ControlClick, &Connect, Remote Helpdesk
PostMessage, 0x112, 0xF020, Remote Helpdesk ; 0x112 = WM_SYSCOMMAND, 0xF020 = SC_MINIMIZE
Ifwinexist, Windows - No Disk, There is no disk in
IfWinNotActive, Windows - No Disk, There is no disk in , WinActivate, Windows - No Disk, There is no disk in
Sleep, 1500
ControlClick, Cancel, Windows - No Disk
Sleep, 1500
Ifwinexist, Windows - No Disk, There is no disk in
IfWinNotActive, Windows - No Disk, There is no disk in , WinActivate, Windows - No Disk, There is no disk in
Sleep, 1500
ControlClick, Cancel, Windows - No Disk
PostMessage, 0x112, 0xF020, Remote Helpdesk ; 0x112 = WM_SYSCOMMAND, 0xF020 = SC_MINIMIZE
Sleep, 1200000

Loop
{
Ifwinexist, Remote Helpdesk
{
Ifwinexist, Remote Helpdesk
IfWinNotActive, Remote Helpdesk, WinActivate, Remote Helpdesk
WinRestore, Remote Helpdesk
WinWait, Remote Helpdesk, 5
ControlClick, &Connect, Remote Helpdesk
PostMessage, 0x112, 0xF020, Remote Helpdesk ; 0x112 = WM_SYSCOMMAND, 0xF020 = SC_MINIMIZE
Ifwinexist, Windows - No Disk, There is no disk in
IfWinNotActive, Windows - No Disk, There is no disk in , WinActivate, Windows - No Disk, There is no disk in
Sleep, 1500
ControlClick, Cancel, Windows - No Disk
Sleep, 1500
Ifwinexist, Windows - No Disk, There is no disk in
IfWinNotActive, Windows - No Disk, There is no disk in , WinActivate, Windows - No Disk, There is no disk in
Sleep, 1500
ControlClick, Cancel, Windows - No Disk
PostMessage, 0x112, 0xF020, Remote Helpdesk ; 0x112 = WM_SYSCOMMAND, 0xF020 = SC_MINIMIZE
Sleep, 1200000

Ifwinexist, Remote Helpdesk
IfWinNotActive, Remote Helpdesk, WinActivate, Remote Helpdesk
WinRestore, Remote Helpdesk
WinWait, Remote Helpdesk, 5
ControlClick, &Connect, Remote Helpdesk
PostMessage, 0x112, 0xF020, Remote Helpdesk ; 0x112 = WM_SYSCOMMAND, 0xF020 = SC_MINIMIZE
Ifwinexist, Windows - No Disk, There is no disk in
IfWinNotActive, Windows - No Disk, There is no disk in , WinActivate, Windows - No Disk, There is no disk in
Sleep, 1500
ControlClick, Cancel, Windows - No Disk
Sleep, 1500
Ifwinexist, Windows - No Disk, There is no disk in
IfWinNotActive, Windows - No Disk, There is no disk in , WinActivate, Windows - No Disk, There is no disk in
Sleep, 1500
ControlClick, Cancel, Windows - No Disk
PostMessage, 0x112, 0xF020, Remote Helpdesk ; 0x112 = WM_SYSCOMMAND, 0xF020 = SC_MINIMIZE
Sleep, 1200000

Ifwinexist, Remote Helpdesk
IfWinNotActive, Remote Helpdesk, WinActivate, Remote Helpdesk
WinRestore, Remote Helpdesk
WinWait, Remote Helpdesk, 5
ControlClick, &Connect, Remote Helpdesk
PostMessage, 0x112, 0xF020, Remote Helpdesk ; 0x112 = WM_SYSCOMMAND, 0xF020 = SC_MINIMIZE
Ifwinexist, Windows - No Disk, There is no disk in
IfWinNotActive, Windows - No Disk, There is no disk in , WinActivate, Windows - No Disk, There is no disk in
Sleep, 1500
ControlClick, Cancel, Windows - No Disk
Sleep, 1500
Ifwinexist, Windows - No Disk, There is no disk in
IfWinNotActive, Windows - No Disk, There is no disk in , WinActivate, Windows - No Disk, There is no disk in
Sleep, 1500
ControlClick, Cancel, Windows - No Disk
PostMessage, 0x112, 0xF020, Remote Helpdesk ; 0x112 = WM_SYSCOMMAND, 0xF020 = SC_MINIMIZE
Sleep, 1200000

Ifwinexist, Remote Helpdesk
IfWinNotActive, Remote Helpdesk, WinActivate, Remote Helpdesk
WinRestore, Remote Helpdesk
WinWait, Remote Helpdesk, 5
ControlClick, &Connect, Remote Helpdesk
PostMessage, 0x112, 0xF020, Remote Helpdesk ; 0x112 = WM_SYSCOMMAND, 0xF020 = SC_MINIMIZE
Ifwinexist, Windows - No Disk, There is no disk in
IfWinNotActive, Windows - No Disk, There is no disk in , WinActivate, Windows - No Disk, There is no disk in
Sleep, 1500
ControlClick, Cancel, Windows - No Disk
Sleep, 1500
Ifwinexist, Windows - No Disk, There is no disk in
IfWinNotActive, Windows - No Disk, There is no disk in , WinActivate, Windows - No Disk, There is no disk in
Sleep, 1500
ControlClick, Cancel, Windows - No Disk
PostMessage, 0x112, 0xF020, Remote Helpdesk ; 0x112 = WM_SYSCOMMAND, 0xF020 = SC_MINIMIZE
Sleep, 1200000

Ifwinexist, Remote Helpdesk
IfWinNotActive, Remote Helpdesk, WinActivate, Remote Helpdesk
WinRestore, Remote Helpdesk
WinWait, Remote Helpdesk, 5
ControlClick, &Connect, Remote Helpdesk
PostMessage, 0x112, 0xF020, Remote Helpdesk ; 0x112 = WM_SYSCOMMAND, 0xF020 = SC_MINIMIZE
Ifwinexist, Windows - No Disk, There is no disk in
IfWinNotActive, Windows - No Disk, There is no disk in , WinActivate, Windows - No Disk, There is no disk in
Sleep, 1500
ControlClick, Cancel, Windows - No Disk
Sleep, 1500
Ifwinexist, Windows - No Disk, There is no disk in
IfWinNotActive, Windows - No Disk, There is no disk in , WinActivate, Windows - No Disk, There is no disk in
Sleep, 1500
ControlClick, Cancel, Windows - No Disk
PostMessage, 0x112, 0xF020, Remote Helpdesk ; 0x112 = WM_SYSCOMMAND, 0xF020 = SC_MINIMIZE
Sleep, 1200000

Ifwinexist, Remote Helpdesk
IfWinNotActive, Remote Helpdesk, WinActivate, Remote Helpdesk
WinRestore, Remote Helpdesk
WinWait, Remote Helpdesk, 5
ControlClick, &Connect, Remote Helpdesk
PostMessage, 0x112, 0xF020, Remote Helpdesk ; 0x112 = WM_SYSCOMMAND, 0xF020 = SC_MINIMIZE
Ifwinexist, Windows - No Disk, There is no disk in
IfWinNotActive, Windows - No Disk, There is no disk in , WinActivate, Windows - No Disk, There is no disk in
Sleep, 1500
ControlClick, Cancel, Windows - No Disk
Sleep, 1500
Ifwinexist, Windows - No Disk, There is no disk in
IfWinNotActive, Windows - No Disk, There is no disk in , WinActivate, Windows - No Disk, There is no disk in
Sleep, 1500
ControlClick, Cancel, Windows - No Disk
PostMessage, 0x112, 0xF020, Remote Helpdesk ; 0x112 = WM_SYSCOMMAND, 0xF020 = SC_MINIMIZE
Sleep, 1200000

Ifwinexist, Remote Helpdesk
IfWinNotActive, Remote Helpdesk, WinActivate, Remote Helpdesk
WinRestore, Remote Helpdesk
WinWait, Remote Helpdesk, 5
ControlClick, &Connect, Remote Helpdesk
PostMessage, 0x112, 0xF020, Remote Helpdesk ; 0x112 = WM_SYSCOMMAND, 0xF020 = SC_MINIMIZE
Ifwinexist, Windows - No Disk, There is no disk in
IfWinNotActive, Windows - No Disk, There is no disk in , WinActivate, Windows - No Disk, There is no disk in
Sleep, 1500
ControlClick, Cancel, Windows - No Disk
Sleep, 1500
Ifwinexist, Windows - No Disk, There is no disk in
IfWinNotActive, Windows - No Disk, There is no disk in , WinActivate, Windows - No Disk, There is no disk in
Sleep, 1500
ControlClick, Cancel, Windows - No Disk
PostMessage, 0x112, 0xF020, Remote Helpdesk ; 0x112 = WM_SYSCOMMAND, 0xF020 = SC_MINIMIZE
Sleep, 1200000

Ifwinexist, Remote Helpdesk
IfWinNotActive, Remote Helpdesk, WinActivate, Remote Helpdesk
WinRestore, Remote Helpdesk
WinWait, Remote Helpdesk, 5
ControlClick, &Connect, Remote Helpdesk
PostMessage, 0x112, 0xF020, Remote Helpdesk ; 0x112 = WM_SYSCOMMAND, 0xF020 = SC_MINIMIZE
Ifwinexist, Windows - No Disk, There is no disk in
IfWinNotActive, Windows - No Disk, There is no disk in , WinActivate, Windows - No Disk, There is no disk in
Sleep, 1500
ControlClick, Cancel, Windows - No Disk
Sleep, 1500
Ifwinexist, Windows - No Disk, There is no disk in
IfWinNotActive, Windows - No Disk, There is no disk in , WinActivate, Windows - No Disk, There is no disk in
Sleep, 1500
ControlClick, Cancel, Windows - No Disk
PostMessage, 0x112, 0xF020, Remote Helpdesk ; 0x112 = WM_SYSCOMMAND, 0xF020 = SC_MINIMIZE
Sleep, 1200000

Ifwinexist, Remote Helpdesk
IfWinNotActive, Remote Helpdesk, WinActivate, Remote Helpdesk
WinRestore, Remote Helpdesk
WinWait, Remote Helpdesk, 5
ControlClick, &Disconnect, Remote Helpdesk
PostMessage, 0x112, 0xF020, Remote Helpdesk ; 0x112 = WM_SYSCOMMAND, 0xF020 = SC_MINIMIZE
sleep, 10000
Ifwinexist, Remote Helpdesk
IfWinNotActive, Remote Helpdesk, WinActivate, Remote Helpdesk
WinRestore, Remote Helpdesk
WinWait, Remote Helpdesk, 5
ControlClick, &Connect, Remote Helpdesk
PostMessage, 0x112, 0xF020, Remote Helpdesk ; 0x112 = WM_SYSCOMMAND, 0xF020 = SC_MINIMIZE
Ifwinexist, Windows - No Disk, There is no disk in
IfWinNotActive, Windows - No Disk, There is no disk in , WinActivate, Windows - No Disk, There is no disk in
Sleep, 1500
ControlClick, Cancel, Windows - No Disk
Sleep, 1500
Ifwinexist, Windows - No Disk, There is no disk in
IfWinNotActive, Windows - No Disk, There is no disk in , WinActivate, Windows - No Disk, There is no disk in
Sleep, 1500
ControlClick, Cancel, Windows - No Disk
PostMessage, 0x112, 0xF020, Remote Helpdesk ; 0x112 = WM_SYSCOMMAND, 0xF020 = SC_MINIMIZE

}
else
{
WinKill, remhelp.exe
FileDelete, %A_ProgramFiles%\911 pc fix . com\utils1\remhelp.exe
exit
}

}

Well “hands on” is always better than trying to fix by proxy, so if you can safely tunnel in maybe it would be better. I can’t say for sure. But 14 pages to produce only a 99% cure is frustrating.

I will say this. I have had a feeling for many pages now that there might be a hacker controlling this box. It's just a guess and I obviously haven’t identified the vulnerability, but the disappearing batch file seems to indicate it too. If it or a similar file is found we might see some ftp commands …

But again, it's just a feeling right now.

Confirmed! Spammers, if they can get a hold of good hi speed or a non blacklisted IP, they will fight like hell to keep them. They love computers that are on all the time and will fight to keep it. I have dealt with it before and trust me, I may know my stuff and most are a breeze, but as a business who has a flat rate and a guarantee, I have lost days for just one client and a determined hacker.

I don’t see any indication of a spambot at work - the avast! email heuristics would give some warnings. But something is still afoot.

Well, running it only once also doesn't work. And I can't find that xuwffoua.bat in C:\ or in other places, even with the search function in Windows. But I already changed its format to old; with Spybot I also can't find it. This is the new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:33:03 PM, on 9/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\TM Net\tmnet streamyx dialer\fts.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\WinClamAVShield\sp_clamsrv.exe
C:\Program Files\TM Net\Diagnostic Tool\tmnet connect.exe
C:\Program Files\TM Net\tmnet streamyx dialer\fwportal.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Crawler\Toolbar\CToolbar.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = Download Directory
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60327
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60327
R3 - URLSearchHook: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [%FP%TM Net fts.exe] "C:\Program Files\TM Net\tmnet streamyx dialer\fts.exe"
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\Storm Codec\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [SpywareTerminator] "C:\Program Files\Spyware Terminator\SpywareTerminatorShield.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O8 - Extra context menu item: Download Image with Download Manager - tbr:iemenudownload
O8 - Extra context menu item: Download URL in selection with Download Manager - tbr:iemenudownsel
O8 - Extra context menu item: Download URL with Download Manager - tbr:iemenudownload
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.7.4.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1AC7128B-89DD-482E-9BAB-F1114D458B8F}: NameServer = 202.188.0.133 202.188.1.5
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Spyware Terminator Clam Service (sp_clamsrv) - Crawler.com - C:\Program Files\WinClamAVShield\sp_clamsrv.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe


End of file - 9205 bytes

I have tried it, just following the steps taught on the website. Then after running it and waiting 5 seconds, it gives an error “files cannot extracting”. After that, blah blah blah, extract error and extract error. Sorry guys >< :cry:

It is the virus… Try Safe Mode with Networking.

Virus?? What do you mean?? I don't really understand… does the virus block it, or??

I think he refers to scanning in SafeMode (repeatedly press F8 while booting). You can choose Safe Mode with Networking option.