eros dialer

Discussion in 'adware, spyware & hijack cleaning' started by deliriumtremens, Mar 20, 2004.

Thread Status:
Not open for further replies.
  1. I got the eros dialer! I can't remove it! I have tried Spybot, Hijack This!, CWShredder, Spyware Blaster and Spyware Guard, but nothing worked.

    I got the eros dialer at Mad Thumbs. The url for that adult site (if you are a minor, don't go there) is:

    h**p://www.madthumbs.com/archive/cartoons.shtml

    Are your softwares intended to save users from dialers too?




    disabled potentially dangerous link- snowbound
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    Hi deliriumtremens,

    Could you post your HijackThis log?
    We may be able to spot something you missed. 20.000 eyes see morethen 2 ;)

    Regards,

    Pieter
     
  3. Logfile of HijackThis v1.97.6
    Scan saved at 03:16:51, on 21/3/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v5.50 (5.50.4134.0100)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\ARQUIVOS DE PROGRAMAS\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\SYSTEM\MDM.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SCVHOST.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\ARQUIVOS DE PROGRAMAS\GRISOFT\AVG6\AVGCC32.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\RUNDLL32.EXE
    C:\WINDOWS\SYSTEM\ICSMGR.EXE
    C:\WINDOWS\SM56HLPR.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAMAS\SPYWAREGUARD\SGMAIN.EXE
    C:\PROGRAMAS\SPYWAREGUARD\SGBHP.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\ARQUIVOS DE PROGRAMAS\INTERNET EXPLORER\IEXPLORE.EXE
    C:\PROGRAMAS\HIJACK THIS!\HIJACKTHIS.EXE

    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = ,
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ARQUIVOS DE PROGRAMAS\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHELPER.DLL
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAMAS\SPYWAREGUARD\DLPROTECT.DLL
    O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\GBIEH.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1046,&Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [AVG_CC] C:\ARQUIV~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [SiSAudio] C:\WINDOWS\SYSTEM\MP_S3.exe
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [ICSMGR] ICSMGR.EXE
    O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [MSStartOptimizer] C:\WINDOWS\SYSTEM\SCVHOST.EXE
    O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
    O4 - HKLM\..\Run: [RegCompres] C:\WINDOWS\SYSTEM\REGCPM32.EXE
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\ARQUIV~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon
    O4 - HKLM\..\RunServices: [MSStartOptimizer] C:\WINDOWS\SYSTEM\SCVHOST.EXE
    O4 - HKLM\..\RunServices: [RegCompres] C:\WINDOWS\SYSTEM\REGCPM32.EXE
    O4 - Startup: SpywareGuard.lnk = C:\Programas\SpywareGuard\sgmain.exe
    O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Programas\MRU-Blaster\mrublaster.exe
    O8 - Extra context menu item: Download with GetRight - C:\Programas\GetRight\GRdownload.htm
    O8 - Extra context menu item: Open with GetRight Browser - C:\Programas\GetRight\GRbrowse.htm
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: ICQ Pro (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ (HKLM)
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?1068806402120
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab
     
  4. My cousin succesfully removed eros.exe from my computer once, but then I visited the site where I got it from again (because I didn't know where I had gotten it from) and then I want to learn how to remove it. I know this dialer has got something to do with regcpm32.exe because when my cousin fixed my computer it would show an error trying to run regcpm (I am not sure if it was .exe, it might have been .dll) and when I searched Google for regcpm, there were so many sites saying it was a dialer. I used msconfig, but even though I unchecked regcpm32.exe on the list, it still loaded on start-up and when I checked msconfig to see what was going on, to see if was regcpm32.exe remained unchecked, IT DID NOT!!! How come? What an annoying dialer...
     
  5. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    Hi deliriumtremens,

    Welcome to Wilders.

    Some of the items are from viruses. I would strongly suggest you do an online virus scan and run a resident AV scanner if you are not already. It appears you have AVG. Be sure you keep it updated and running resident at all times. Some good online scans can be found here.

    Check the following items in HijackThis. Note that some of these may disappear after doing the on-line virus scan.
    Close all windows except HijackThis and click Fix checked:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = ,

    O4 - HKLM\..\Run: [MSStartOptimizer] C:\WINDOWS\SYSTEM\SCVHOST.EXE

    O4 - HKLM\..\Run: [RegCompres] C:\WINDOWS\SYSTEM\REGCPM32.EXE

    O4 - HKLM\..\RunServices: [MSStartOptimizer] C:\WINDOWS\SYSTEM\SCVHOST.EXE
    O4 - HKLM\..\RunServices: [RegCompres] C:\WINDOWS\SYSTEM\REGCPM32.EXE

    Then reboot in Safe Mode and delete the following:

    C:\WINDOWS\SYSTEM\SCVHOST.EXE
    C:\WINDOWS\SYSTEM\REGCPM32.EXE

    Reboot and then post a fresh HijackThis log.

    Regards,
    Kent
     
  6. hi Kent,
    I based the solution to the eros dialer on your comments. Thank you so much!

    I rebooted in safe mode, then I deleted the exe files you told me, then I scanned, then I unchecked the O4s, then I went back to normal mode and deleted eros.exe

    Regards,
    Pedro
     
  7. Correcting errors in the last message. I fixed (not deleted as I said) only the O4s kent told me to fix, not all O4s and by O4, I mean a string of the Hijack This! log starting with O4. By the way, why isn't there an option to edit messages? o_O
     
  8. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,332
    Location:
    Netherlands
    There is. But it is only available for logged in members.

    Regards,

    Pieter
     
Thread Status:
Not open for further replies.