Trojan Horse Dialer.BOM - HELP TRIED EVERYTHING

Discussion in 'Malware Help (A Specialist Will Reply)' started by faith4jesus, Mar 23, 2006.

  1. faith4jesus

    faith4jesus Private E-2

    I really need some help! I have tried everything I can think of for the past 3 days! I have run all kinds of spyware programs, posted on Hijack This, run online virus scans & so on but no luck whatsoever!

    I have followed the instructions found on the READ & RUN ME FIRST Before Asking for Support - MajorGeeks Support Forums page. I followed them as best I could without the help of my husband. lol I didn't feel safe doing a boot in safe mode on my own so I didn't do that when I did all the scans. I have saved the logs that I was told to save.

    I am not sure if I should just cut & paste the logs or attach them. I will attach them hoping that is the correct thing to do.

    A quick detail of the problems I am having:

    About 3 days ago I started having the Winfixer error and that seems to be fixed, and starting 2 days ago I would have a warning from my AVG virus program saying I have the Trojan Horse Dialer.BOM. I have clicked HEAL over and over again plus the move to vault. I have done a full scan with AVG too and no luck removing the virus/spyware. I've run all the spyware programs I could find and no luck. I even ran Spyware Dr the full version and IT WON'T REMOVE it either! I don't want to spend money on Spysweeper and have it not work either. This virus warning pops up again & again about every 10 mins or so. It only pops up when I am online & Explorer is open.

    Hope you can help me.
    Ashley
     


  2. faith4jesus

    faith4jesus Private E-2

    Oops, I forgot to add my HijackThis log. Here it is.
    Ashley
     


  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks Ashley!

    It is very important that you follow the directions exactly as written. Failure to do so will make problems difficult to impossible to remove. Not booting in safe mode to run the tools is a big mistake. Many problems can only be removed in safe mode. You do not need to redo the steps but you need to learn (if you do not know) how to boot in safe mode and you MUST do it when we have it in our instructions.

    Please also go back to step 7 of the READ ME and click the link for downloading and installing HijackThis. You did not follow the directions and as a result, you installed HijackThis exactly where we specify not to install it. You have it here:
    C:\Documents and Settings\Ashley\My Documents\hijack this\hijackthis\HijackThis.exe

    Get HJT installed correctly before you continue to the next steps.

    I also see some signs of Symantec antivirus still installed and you are using AVG. Only one must be installed. Double check in Add/Remove programs for Norton/Symantec and make sure all of it is uninstalled. If it does not appear there or will not uninstall, you must tell me. We will remove it manually at some point.

    Is there a reason you did not run Windows Defender?

    How many full antispyware applications did you purchase? I see Spy Catcher, Spyware Doctor, and Spy Sweeper. Are any of these trial/free versions? You should only have installed one of these as a long term solution.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs show left over signs from SpyFalcon and from Virtumonde. To be safe we really need to run the steps below to see if they find any other hidden items from these infections. Even if some parts of the steps seem to not apply (like maybe you do not find the files mentioned or the programs in Add/Remove programs) just continue through all the steps and attach the requested logs. Note: You MUST boot in safe mode as instructed.

    SpyFalcon Removal Procedure
    Virtumonde aka Trojan Vundo Removal


    After attaching these two logs, we will be able to complete fixing your remaining problems.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    To keep you moving along, follow these instructions AFTER completing those in message numbers 3 & 4.


    Let's download two tools we will need:

    - Process Explorer

    - Pocket KillBox

    Extract them to their own folder somewhere that you will be able to locate them later.

    IMPORTANT: You should print or save the below locally, so you can refer to them while offline. You must exit all browsers before running the below steps and it would be best if you actually physically unplug your cable to the internet, reboot, and do not run anything but what I give you to do. Also it would be good to exit all processes and items in your System tray.

    Do the above before continuing! Okay unplug your cable now.

    Make sure you have rebooted in Normal Mode (do not open any other processes).

    - Run Process Explorer

    In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

    Once you see this screen click on each instance of winbfi32.dll once and then click the kill button. After you have killed all of the winbfi32.dll under winlogon click ok. (If you do not find the dll, just continue on.)

    Next double click on explorer.exe and again click once on each instance of winbfi32.dll and kill it.

    Now just exit Process Explorer.

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    O3 - Toolbar: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
    O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.18.27/ttinst.cab
    O20 - Winlogon Notify: winbfi32 - C:\WINDOWS\SYSTEM32\winbfi32.dll

    Copy the bold text below to notepad. Save it as fixme.reg to your desktop.
    Be sure the "Save as" type is set to "all files"
    Once you have saved it double click it and allow it to merge with the registry.
    Now run Pocket Killbox:
    Choose Tools > Delete Temp Files and click OK.

    Run Killbox.exe. Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.
    C:\WINDOWS\Downloaded Program Files\CONFLICT.1\YazzleActiveX.ocx
    C:\WINDOWS\Downloaded Program Files\YazzleActiveX.ocx

    C:\WINDOWS\SYSTEM32\winbfi32.dll
    C:\WINDOWS\system32\1024\ld32DB.tmp
    C:\WINDOWS\system32\ldC459.tmp
    C:\WINDOWS\SYSTEM32\dfrgsrv.exe
    C:\WINDOWS\system32\awvts.dll
    C:\WINDOWS\system32\gebcd.dll
    C:\WINDOWS\system32\interf.tlb
    C:\WINDOWS\system32\jkhhe.dll
    C:\WINDOWS\system32\mljgf.dll
    C:\WINDOWS\system32\vtsts.dll

    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.

    After reboot don't run anything else until you do the below.

    Locate the below with Windows Explorer and delete them (most/all of them should already be gone but we need to double check)
    C:\WINDOWS\SYSTEM32\winbfi32.dll
    C:\WINDOWS\system32\1024\ld32DB.tmp
    C:\WINDOWS\system32\ldC459.tmp
    C:\WINDOWS\SYSTEM32\dfrgsrv.exe
    C:\WINDOWS\system32\awvts.dll
    C:\WINDOWS\system32\gebcd.dll
    C:\WINDOWS\system32\interf.tlb
    C:\WINDOWS\system32\jkhhe.dll
    C:\WINDOWS\system32\mljgf.dll
    C:\WINDOWS\system32\vtsts.dll


    Now attach a new HJT log here in your next message and tell me how the steps went.

    Also make sure you tell me how things are working now!
     
  6. faith4jesus

    faith4jesus Private E-2

    Thank you for the reply & help. I am turning this over to my husband and hopefully the problem will be solved. I just noticed it seems another virus somehow loaded itself on my computer. I am now having something in the task bar pop up saying I am infected. This is a virus too I know. I had it a few days ago.

    As for the spyware programs, the only full version is Spy Doctor.

    I did run the Windows Defender last night. Took forever, but it didn't find anything at all. I was shocked.

    Ashley
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's Spyware Doctor!

    Then uninstall SpySweeper and SpyCatcher because they will not help you in the long run because they are trials and they will slow your system down having too many programs like this. Also uninstall Windows Defender since you have Spyware Doctor. I did not see Windows Defender in your log. I only saw MS Antispyware. Are you sure you ran Windows Defender? You should uninstall MS Antispyware too.
     
  8. faith4jesus

    faith4jesus Private E-2

    It seems things are fixed now. THANK YOU so much for your help. I printed out what you said do and gave it to my husband to follow since I didn't trust myself doing it. I did another Hijack This scan and here it is for you to look at.

    I am positive that I ran the Windows Defender.

    About the other spyware programs. I thought that it was recommended to have more than one since some programs find some things and others don't. I've had one program show I have no problems then another show I do. Which ones would you suggest I keep? I have found the Microsoft one is good & also Spyware Doctor is good I've heard.

    Thanks again for your help here. I hope the Hijack This shows things are ok on my computer now. :)

    Ashley
     


  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes and no! It depends on the type of program! Having too many full function antispyware applications like MS Antispyware, MS Windows Defender (which is the replacement for MS Antispyware), Spy Sweeper, Ewido, Spyware Doctor, CounterSpy (to name just a few) can cause problems with over use of system resources because they all need quite a bit. And because they can also conflict with each other. They can block things that the others are trying to fix/change because it looks like malware. Using multiple programs like this would be OK for a temporary fix up like right now when trying to resolve major malware issues where you need to try a bunch of tools to fix something. But we always wind up having people remove them to avoid the resource crunch which will slow your PC down and because they can make it impossible to fix the malware problems since our manual changes are viewed as malware actions.

    The layered tools you want are:
    • One Antivirus application
    • SpywareBlaster (uses no resources)
    • Spybot with SDHelper (and use the Immunize feature) requires very little resource and you still can use the scanner for on demand scanning and fixing
    • Ad-Aware SE for on demand scanning
    • One full blown antispyware blocker, scanner, removal tool (like the one previously mentioned in bold print above)
    • One firewall
    This should be sufficient especially when you also follow all the tips in:

    How to Protect yourself from malware!

    Did you uninstall Spy Sweeper? It seems to have left something hanging around:
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll

    This could be due to, as I mentioned above, the conflicts from multiple antispyware apps all running. For another example, the below two lines still need to be fixed. The applications you had before and still have now are more than likely blocking the changes to the R0 line and you are not telling them to go ahead and make the change. But even if you do, with multiple tools running, your change will probably get blocked. Fix the two below lines with HJT:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    O20 - Winlogon Notify: winbfi32 - winbfi32.dll (file missing)

    You will notice I already had you fix them before but here they are again. All because of what I'm telling you. Also if you do not exit browsers before fixing, many lines cannot be fixed because the registry keys are in use by the browsers.

    Right now you still have MS Antispyware (not supported anymore) and Spyware Doctor which you bought.

    The best tool on the market right now (my opinion and a few other people here agree) is Spy Sweeper. But since you already bought Spyware Doctor, stick with it.
     
    Last edited: Mar 24, 2006
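As an added illustration (not code from this thread, from HijackThis or from MajorGeeks), here is a small Python parser for the HijackThis line types chaslang has Ashley fix in messages 5 and 9 (R0, O16 and O20). It flags the patterns he explains: a Winlogon Notify DLL that gets loaded into winlogon.exe, the orphaned "(file missing)" entry left after the DLL is deleted, and an ActiveX control pulled from an outside host. The sample lines are constructed from the posts above; the "reason" text is this example's own heuristic, not a HijackThis feature.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample: the HijackThis lines quoted in posts 5 and 9 of this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O20 - Winlogon Notify: winbfi32 - C:\WINDOWS\SYSTEM32\winbfi32.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O20 - Winlogon Notify: winbfi32 - winbfi32.dll (file missing)
"""

ENTRY_RE = re.compile(r"^([RFO]\d{1,2}) - (.+)$")            # "O20 - <body>"
R_RE = re.compile(r"^(HK\w+\\.+?),([\w ]+?) = (.*)$")        # key,value = data
O16_RE = re.compile(r"^DPF: (\{[0-9A-F-]+\}) \(([^)]*)\) - (\S+)$")
O20_RE = re.compile(r"^Winlogon Notify: (\S+) - (.+?)( \(file missing\))?$")

@dataclass
class Finding:
    code: str      # HJT line type (R0, O16, O20 ...)
    subject: str   # registry value, control name or Notify subkey
    target: str    # data / URL / DLL path the entry points at
    reason: str    # why a reviewer should look at it

def review_hjt(text: str) -> list[Finding]:
    """Parse HJT lines and flag the patterns discussed in the thread."""
    findings = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        code, body = m.groups()
        if code == "O20" and (o := O20_RE.match(body)):
            name, dll, missing = o.groups()
            why = ("orphaned Notify entry: DLL already deleted but registry key remains"
                   if missing else "DLL loaded into winlogon.exe at every logon; verify publisher")
            findings.append(Finding(code, name, dll, why))
        elif code == "O16" and (o := O16_RE.match(body)):
            clsid, desc, url = o.groups()
            findings.append(Finding(code, desc, url, f"ActiveX control downloaded from {urlsplit(url).hostname}"))
        elif code in ("R0", "R1") and (o := R_RE.match(body)):
            key, value, data = o.groups()
            findings.append(Finding(code, f"{key},{value}", data, "IE page setting changed from default"))
    return findings

if __name__ == "__main__":
    for f in review_hjt(SAMPLE_LOG):
        print(f"{f.code:4} {f.subject:<45} {f.reason}")
```

Feed it a saved HijackThis log instead of SAMPLE_LOG to get the same triage list for a real machine; any other line types (O4, O23 and so on) are simply skipped.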
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work through the below link:

    How to Protect yourself from malware!
     
  11. faith4jesus

    faith4jesus Private E-2

    Thank you again for your help. I will turn this over again to my husband to help me follow what you said needs to be done. I trust myself to do it. :confused:
    Thank you again for sharing your God given talent freely with others.

    Ashley
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Surf safely!
     
