eros dialer

I got the eros dialer! I can't remove it! I have tried Spybot, Hijack This!, CWShredder, Spyware Blaster and Spyware Guard, but nothing worked.

I got the eros dialer at Mad Thumbs. The url for that adult site (if you are a minor, don't go there) is:

h**p://www.madthumbs.com/archive/cartoons.shtml

Are your softwares intended to save users from dialers too?




disabled potentially dangerous link- snowbound

 

Hi deliriumtremens,

Could you post your HijackThis log?
We may be able to spot something you missed. 20.000 eyes see morethen 2

Regards,

Pieter

 

Logfile of HijackThis v1.97.6
Scan saved at 03:16:51, on 21/3/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v5.50 (5.50.4134.0100)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\ARQUIVOS DE PROGRAMAS\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\MDM.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SCVHOST.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\ARQUIVOS DE PROGRAMAS\GRISOFT\AVG6\AVGCC32.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\WINDOWS\SYSTEM\ICSMGR.EXE
C:\WINDOWS\SM56HLPR.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAMAS\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAMAS\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\ARQUIVOS DE PROGRAMAS\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAMAS\HIJACK THIS!\HIJACKTHIS.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = ,
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\ARQUIVOS DE PROGRAMAS\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARQUIV~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAMAS\SPYWAREGUARD\DLPROTECT.DLL
O2 - BHO: G-Buster Browser Defense - {C41A1C0E-EA6C-11D4-B1B8-444553540000} - C:\WINDOWS\DOWNLOADED PROGRAM FILES\GBIEH.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1046,&Rádio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [AVG_CC] C:\ARQUIV~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [SiSAudio] C:\WINDOWS\SYSTEM\MP_S3.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [ICSMGR] ICSMGR.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [MSStartOptimizer] C:\WINDOWS\SYSTEM\SCVHOST.EXE
O4 - HKLM\..\Run: [MSConfigReminder] C:\WINDOWS\SYSTEM\msconfig.exe /reminder
O4 - HKLM\..\Run: [RegCompres] C:\WINDOWS\SYSTEM\REGCPM32.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\ARQUIV~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakLogon
O4 - HKLM\..\RunServices: [MSStartOptimizer] C:\WINDOWS\SYSTEM\SCVHOST.EXE
O4 - HKLM\..\RunServices: [RegCompres] C:\WINDOWS\SYSTEM\REGCPM32.EXE
O4 - Startup: SpywareGuard.lnk = C:\Programas\SpywareGuard\sgmain.exe
O4 - Startup: MRU-Blaster Silent Clean.lnk = C:\Programas\MRU-Blaster\mrublaster.exe
O8 - Extra context menu item: Download with GetRight - C:\Programas\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Programas\GetRight\GRbrowse.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?1068806402120
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
O16 - DPF: {E37CB5F0-51F5-4395-A808-5FA49E399F83} (GbPluginObj Class) - https://www14.bancobrasil.com.br/plugin/GbPluginBb.cab

 

My cousin succesfully removed eros.exe from my computer once, but then I visited the site where I got it from again (because I didn't know where I had gotten it from) and then I want to learn how to remove it. I know this dialer has got something to do with regcpm32.exe because when my cousin fixed my computer it would show an error trying to run regcpm (I am not sure if it was .exe, it might have been .dll) and when I searched Google for regcpm, there were so many sites saying it was a dialer. I used msconfig, but even though I unchecked regcpm32.exe on the list, it still loaded on start-up and when I checked msconfig to see what was going on, to see if was regcpm32.exe remained unchecked, IT DID NOT!!! How come? What an annoying dialer...

 

Hi deliriumtremens,

Welcome to Wilders.

Some of the items are from viruses. I would strongly suggest you do an online virus scan and run a resident AV scanner if you are not already. It appears you have AVG. Be sure you keep it updated and running resident at all times. Some good online scans can be found here.

Check the following items in HijackThis. Note that some of these may disappear after doing the on-line virus scan.
Close all windows except HijackThis and click Fix checked:

R1 - HKLM\Software\Microsoft\Internet Explorer\Search,(Default) = ,

O4 - HKLM\..\Run: [MSStartOptimizer] C:\WINDOWS\SYSTEM\SCVHOST.EXE

O4 - HKLM\..\Run: [RegCompres] C:\WINDOWS\SYSTEM\REGCPM32.EXE

O4 - HKLM\..\RunServices: [MSStartOptimizer] C:\WINDOWS\SYSTEM\SCVHOST.EXE
O4 - HKLM\..\RunServices: [RegCompres] C:\WINDOWS\SYSTEM\REGCPM32.EXE

Then reboot in Safe Mode and delete the following:

C:\WINDOWS\SYSTEM\SCVHOST.EXE
C:\WINDOWS\SYSTEM\REGCPM32.EXE

Reboot and then post a fresh HijackThis log.

Regards,
Kent

 

hi Kent,
I based the solution to the eros dialer on your comments. Thank you so much!

I rebooted in safe mode, then I deleted the exe files you told me, then I scanned, then I unchecked the O4s, then I went back to normal mode and deleted eros.exe

Regards,
Pedro

 

Correcting errors in the last message. I fixed (not deleted as I said) only the O4s kent told me to fix, not all O4s and by O4, I mean a string of the Hijack This! log starting with O4. By the way, why isn't there an option to edit messages?

 

There is. But it is only available for logged in members.

Regards,

Pieter