Irritated with dialers, how to remove for good??

Discussion in 'Malware Help (A Specialist Will Reply)' started by spamdango, Mar 21, 2005.

  1. spamdango

    spamdango Private E-2

    I got a dialer program on my machine, and it's bugging the hell out of me, not to mention it might end up costing me a BUNDLE of money, because it dials without me knowing to god knows where, and pulls up some website called adslim. I have installed SpywareBlaster and it still pops up, so I'm not doing something right. (Some webmaster I am.) Anyway, I have a HJT log file ready to post whenever asked. Thanks geeks!
     
  2. PhilliePhan

    PhilliePhan Guest

    Hi Spamdango,

    Please start with the Cleanup Tutorial HERE:

    READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan and Virus Removal

    There are only a few of us Volunteers who regularly offer advice in this forum. Running through the above Tutorial will remove a lot of stuff that would otherwise clog a HijackThis Log and will save us valuable time.

    Please let us know the steps that you are able to complete and the ones that give you problems. Note that you need to be in Safe Mode with System Restore OFF (if you have it) and have the Viewing of Hidden Files ENABLED as per the instructions in the link. Make sure to do the Online Scans.

    Post back and let us know how you fared. Also, send us a HijackThis Log. Please be sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.99.1) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis ! Should you need a Fresh Download of HJT, get it HERE: HijackThis v1.99.1

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    Somebody will review your log as time permits!

    PP :)
     
  3. spamdango

    spamdango Private E-2

    Okay, thanks PhilliePhan! System Restore is off, and has been since before the dialer became installed. I never liked System Restore, and on most of the machines I work on I turn that off right away.

    Enclosed is my HijackThis log.

    I cannot get this machine online, as it has no network card and if I try to get on the modem, it will only disconnect from my ISP and try to connect to the porn site again, and cost me more money, so I have not completed the online scan at Trend Micro's Free Online Virus Scan or the online scan at Symantec Security Check.

    I have, however, done the SpywareBlaster thing and the Ad-Aware scan, and cleaned up all the temp files... is there still hope?
     
  4. PhilliePhan

    PhilliePhan Guest

    Hi Spamdango,

    Your XP is way out of date! AFTER your machine is clean, you must go to Windows Updates and get updated!

    It looks like you have a TROJ_SPYWAD.A problem!

    I have some work I need to finish, but will try to post first steps of a fix as soon as I get some free time!

    Hang in there :)
    PP
     
  5. PhilliePhan

    PhilliePhan Guest

    Hi Spamdango,

    Some notes before we start:
    In addition to your XP being out of date, it looks like you have no AV app or Firewall. I suggest you read this and try one of the AV and Firewall products mentioned in the below link. They are FREE, so no excuse not to run them!!

    How to Protect yourself from malware!

    I have never heard of this - Yumgo's Homepage Protector V1. Suggest you Uninstall it and use the Free Tools in Read Me Tutorial and the link I just gave you instead!

    Also, do you know what this is --> Lexar SG20 ??


    Anyhoo, on to the problem at hand . . . .

    Please download this tool Pocket KillBox and have it handy.

    Please print out these instructions so that you can operate with All Browser Windows CLOSED.
    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them:

    Sof.exe
    YumgoHomepageProtector.exe


    Now scan with HijackThis and Check the Boxes for the following:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank

    O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
    O2 - BHO: (no name) - {8F72F1A6-2244-4C25-ABFF-0E12DDCC85F4} - C:\WINDOWS\System32\hnjefda.dll (file missing)
    O4 - HKLM\..\Run: [Geo] C:\WINDOWS\System32\Orm.exe
    O4 - HKLM\..\Run: [Orh] C:\WINDOWS\System32\Sof.exe
    O4 - HKLM\..\Run: [Ljh] C:\WINDOWS\Kiq.exe
    O4 - HKLM\..\Run: [Vrn] C:\WINDOWS\Nop.exe
    O4 - HKLM\..\Run: [Mor] C:\WINDOWS\System32\Vcu.exe
    O4 - HKLM\..\Run: [Qcs] C:\WINDOWS\Drk.exe
    O4 - HKLM\..\Run: [Bsv] C:\WINDOWS\System32\Dne.exe
    O4 - HKLM\..\Run: [Sno] C:\WINDOWS\Reg.exe
    O4 - HKLM\..\Run: [Htm] C:\WINDOWS\Ihl.exe
    O4 - HKLM\..\Run: [Mot] C:\WINDOWS\System32\Kja.exe
    O4 - HKLM\..\Run: [Bvp] C:\WINDOWS\System32\Tns.exe
    O4 - HKLM\..\Run: [Rcg] C:\WINDOWS\Jdh.exe
    O4 - HKLM\..\Run: [Ubs] C:\WINDOWS\System32\Ghr.exe
    O4 - HKLM\..\Run: [Kvn] C:\WINDOWS\Kbu.exe
    O4 - HKCU\..\Run: [Yumgo's Homepage Protector V1] YumgoHomepageProtector.exe
    O4 - HKCU\..\Run: [Geo] C:\WINDOWS\System32\Orm.exe
    O4 - HKCU\..\Run: [Orh] C:\WINDOWS\System32\Sof.exe
    O4 - HKCU\..\Run: [Ljh] C:\WINDOWS\Kiq.exe
    O4 - HKCU\..\Run: [Vrn] C:\WINDOWS\Nop.exe
    O4 - HKCU\..\Run: [Mor] C:\WINDOWS\System32\Vcu.exe
    O4 - HKCU\..\Run: [Qcs] C:\WINDOWS\Drk.exe
    O4 - HKCU\..\Run: [Bsv] C:\WINDOWS\System32\Dne.exe
    O4 - HKCU\..\Run: [Sno] C:\WINDOWS\Reg.exe
    O4 - HKCU\..\Run: [Htm] C:\WINDOWS\Ihl.exe
    O4 - HKCU\..\Run: [Mot] C:\WINDOWS\System32\Kja.exe
    O4 - HKCU\..\Run: [Bvp] C:\WINDOWS\System32\Tns.exe
    O4 - HKCU\..\Run: [Rcg] C:\WINDOWS\Jdh.exe
    O4 - HKCU\..\Run: [Ubs] C:\WINDOWS\System32\Ghr.exe
    O4 - HKCU\..\Run: [Kvn] C:\WINDOWS\Kbu.exe

    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted Zone: *.windupdates.com (HKLM)
    O15 - Trusted IP range: 66.197.161.149

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files Enabled and Please run Pocket Killbox that you downloaded earlier.
    Select the option to DELETE on Reboot.

    Now, Enter or Copy and Paste C:\WINDOWS\System32\Orm.exe into the box and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, do the same for the following. Enter or Copy and Paste each of the following into the box, making sure Delete on Reboot is Checked for each entry. Click the Red X to Delete each one, but DO NOT Allow your machine to Reboot until the last item has been entered:

    C:\WINDOWS\System32\hnjefda.dll (file missing)
    C:\WINDOWS\System32\Orm.exe
    C:\WINDOWS\System32\Sof.exe
    C:\WINDOWS\Kiq.exe
    C:\WINDOWS\Nop.exe
    C:\WINDOWS\System32\Vcu.exe
    C:\WINDOWS\Drk.exe
    C:\WINDOWS\System32\Dne.exe
    C:\WINDOWS\Reg.exe
    C:\WINDOWS\Ihl.exe
    C:\WINDOWS\System32\Kja.exe
    C:\WINDOWS\System32\Tns.exe
    C:\WINDOWS\Jdh.exe
    C:\WINDOWS\System32\Ghr.exe
    C:\WINDOWS\Kbu.exe

    When the last item has been entered and you are prompted to reboot, allow Pocket KillBox to Reboot your computer.

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Scan with HijackThis and attach that log.
    Let me know of any problems you may have encountered with the above instructions and how your computer is running now. I will try to check back when time permits - Likely Tuesday night.

    Best luck :)
    PP
     
    Last edited by a moderator: Mar 22, 2005
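    The fix above is built by reading the HijackThis log by hand: search pages reset to about:blank, an unnamed BHO pointing at a missing DLL, a batch of three-letter executables dropped straight into C:\WINDOWS and System32 and registered under both the HKLM and HKCU Run keys, and wildcard Trusted Zone entries. The script below is an added example (not from the thread, not a MajorGeeks tool) that applies those same triage rules to HijackThis-format lines so the pattern can be spotted automatically; the log lines embedded in it are a constructed sample modelled on the ones in this thread plus two benign entries for contrast, and the "three-letter name in a Windows directory" rule is a heuristic, which is why the path and not just the filename is checked.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis v1.99 log format: lines shaped like the
# ones in this thread, plus a SOUNDMAN and a ctfmon entry that should NOT be flagged.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: (no name) - {8F72F1A6-2244-4C25-ABFF-0E12DDCC85F4} - C:\WINDOWS\System32\hnjefda.dll (file missing)
O4 - HKLM\..\Run: [Geo] C:\WINDOWS\System32\Orm.exe
O4 - HKLM\..\Run: [Orh] C:\WINDOWS\System32\Sof.exe
O4 - HKCU\..\Run: [Geo] C:\WINDOWS\System32\Orm.exe
O4 - HKCU\..\Run: [Orh] C:\WINDOWS\System32\Sof.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted IP range: 66.197.161.149
"""

# Line shapes used by HijackThis for the sections this thread relies on.
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
O2_RE = re.compile(r"^O2 - BHO: (.*?) - \{([0-9A-Fa-f-]+)\} - (.*)$")
O15_RE = re.compile(r"^O15 - Trusted (Zone|IP range): (.*)$")
R_RE = re.compile(r"^R[01] - (.*) = (.*)$")

# Legitimate startup items rarely live directly in these two directories
# under a random three-letter name. The path is checked as well as the name,
# because a real reg.exe exists in System32 while C:\WINDOWS\Reg.exe does not.
WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system32"}
RANDOM_NAME_RE = re.compile(r"[a-z]{3}\.exe")


def split_command(cmd):
    """Return (directory, basename) of the executable in an O4 command string."""
    m = re.match(r'^"?([^"]+?\.exe)', cmd.strip(), re.IGNORECASE)
    exe = m.group(1) if m else cmd.strip()
    directory, _, base = exe.rpartition("\\")
    return directory, base


def analyze(log_text):
    """Return a list of (log line, reason) pairs for entries worth a closer look."""
    findings = []
    run_entries = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if R_RE.match(line) and line.endswith("about:blank"):
            findings.append((line, "search/start page reset to about:blank (hijack residue)"))
        elif (m := O2_RE.match(line)):
            name, _guid, path = m.groups()
            if name == "(no name)" or "(file missing)" in path:
                findings.append((line, "BHO with no name or a missing file"))
        elif (m := O15_RE.match(line)):
            findings.append((line, f"Trusted {m.group(1)} entry added: {m.group(2)}"))
        elif (m := O4_RE.match(line)):
            hive, name, cmd = m.groups()
            run_entries.append((line, hive, name, cmd))

    # Second pass over Run entries: the same [name] and command registered
    # under both HKLM and HKCU is a persistence pattern, not normal installer behaviour.
    hives_by_key = defaultdict(set)
    for _line, hive, name, cmd in run_entries:
        hives_by_key[(name, cmd)].add(hive)

    for line, hive, name, cmd in run_entries:
        directory, base = split_command(cmd)
        reasons = []
        if directory.lower() in WINDOWS_DIRS and RANDOM_NAME_RE.fullmatch(base.lower()):
            reasons.append("random-looking 3-letter executable dropped in a Windows directory")
        if hives_by_key[(name, cmd)] == {"HKLM", "HKCU"}:
            reasons.append("identical entry in both HKLM and HKCU Run keys")
        if reasons:
            findings.append((line, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for line, reason in analyze(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Run it as-is to see the sample triaged, or feed `analyze()` the text of a saved HJT log. The output is a shortlist to review, not a fix list: every flagged path still has to be confirmed against the running process list and known-good system files before anything is deleted, which is exactly why the thread asks for the log first.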
  6. spamdango

    spamdango Private E-2

    Yumgo Homepage Protector didn't work. It was a pseudo homepage anchor that was supposed to keep my homepage from being hijacked, and it didn't work; I wouldn't suggest using that program to anyone.
    And the Lexar SG20 is my jump drive. :)

    Thanks a lot PhilliePhan, I will download these programs tonight and follow your instructions and let you know. Hopefully my lappy will get better, because he's really sick right now. :(
     
  7. PhilliePhan

    PhilliePhan Guest

    AllRightyThen!

    Make sure to get a good AV and Firewall up and running! One each from the link I gave you!


    PP :)
     