Trojan.Win32.Dialer

Discussion in 'Malware Help (A Specialist Will Reply)' started by BillRat9, Apr 24, 2006.

  1. BillRat9

    BillRat9 Private E-2

    I have been battling the Trojan.Win32.Dialer for a few days now with no success. It simply continues to re-install itself every time I try to delete it.

    I am running W2k SP4.

    I've tried following the "Read Before Posting" Rules and I apologize if I'm making newbie boo-boos.

    Any help would be greatly appreciated.
     

    Attached Files:

  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Majorgeeks!

    I do not see MS Windows Defender installed or the CounterSpy substitute for Windows Defender if it could not be run for some reason. Also the CounterSpy log would have to be attached.

    Also you did not complete the instructions in step 6 of the READ ME. You must run both online scanners and attach the logs. This must be done before using HijackThis.
     
  3. BillRat9

    BillRat9 Private E-2

    My apologies. I had only read the brief "READ ME" before my first post.

    I have followed the instructions and in doing so, ran across the following.

    The S&D problems found were (and have been):
    CoolWWWSearch.BadZoneMap
    Settings
    ...flingstone.com\*!=W=4
    CoolWWWSearch.WinRes
    Trusted Sites
    ...offshoreclicks.com\*!=W=4
    However, CWShredder did not find Cool Web on the system. These may be false positives, but I'm not sure.

    Also, when opening in Safe Mode, I continuously get the error
    "svchost.exe has generated errors and will be closed by Windows...."
    This also happened when I tried to open browsers in Safe Mode, so I ran BitDefender and Panda in regular boot mode.

    Also, I was unable to open Windows Defender Services in Safe Mode and got the error:
    "Application failed to initialize: 0x800106ba. A problem caused Windows Defender Services to stop....." I rebooted and ran it in normal boot mode and it ran fine.

    As I am typing this reply, the Trojan.Win32.Dialer has tried (or succeeded in) re-installing itself three times. I have Shield Anti-Virus and it is set to delete the files, but they keep trying to re-install.

    I am on Intel Pentium 4 CPU 1.60 GHz 512 MB RAM VGA, running W2k SP4.

    Hopefully, I have managed this correctly this time and I really thank you in advance for any assistance.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You need to run the below and then attach the smitfiles.txt log:

    SpywareQuake Removal Procedure

    Also, You forgot to empty your Norton Nprotect folder as step 0 indicates. Do this and then continue to the below.

    Goto Add/Remove programs and uninstall the below:
    Viewpoint Manager

    Download - Pocket KillBox

    Extract it to its own folder somewhere that you will be able to locate it later to run it.
    Run Pocket Killbox by double-clicking on killbox.exe
    Choose Tools > Delete Temp Files and click OK.

    Paste the below filenames into KILL BOX one at a time. Check mark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask you to confirm the file for deletion…say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot. Note some of the files listed below may not exist but we need to check for them anyway.
    c:\winnt\system32\ld70D8.tmp
    c:\winnt\system32\1024
    C:\WINNT\SYSTEM32\winbjv32.dll

    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself. However BOOT INTO SAFE MODE during this reboot and do not run anything but what I request. DO NOT open any browsers!

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = prosearching.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = prosearching.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com
    O15 - Trusted Zone: http://www.cdcovers.cc
    O20 - Winlogon Notify: winbjv32 - C:\WINNT\SYSTEM32\winbjv32.dll

    Now exit HJT
    Run Windows Explorer and double check to make sure the below files are all deleted (we already deleted them with killbox but we are double checking):
    C:\WINNT\SYSTEM32\winbjv32.dll
    c:\winnt\system32\ld70D8.tmp
    c:\winnt\system32\1024

    Now reboot into normal mode and after reboot double check the same HJT entries I had you fix above and if any still remain, fix them again a second time.

    Now attach a new HJT log

    Also tell me how things are working!
     
    Last edited: Apr 26, 2006
  5. BillRat9

    BillRat9 Private E-2

    I am not currently at the machine that is infected. I will perform the steps outlined in the morning. But first I wanted to ask about the Norton quarantine files.

    I removed Norton Internet Security from my machine several months ago. I had the problem of being asked for my registration key every time I rebooted until I was told that my trial version had expired (even though I had paid for it long before). Their fix didn't solve the problem nor did several hours on the phone with them....so I got rid of it. I followed the instructions from Symantec support on how to "completely" remove NIS from my system and thought that this would remove the quarantine file as well. Apparently it didn't. Still I looked for the quarantine folder while following the "READ & RUN" directions and I couldn't find it. Symantec's guide calls for running Norton in order to empty the quarantine, but I couldn't run it since it was "removed."

    Can you tell me where the folder is on my system or how to empty it without being able to run Norton?

    Thanks SO MUCH for all of your help. You guys are amazing!
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Well first, you still have all the Symantec software installed.
    And what I was referring to for your case was the Norton Nprotect feature (not the Quarantine). Norton Nprotect is a feature to protect/backup the Recycle Bin (dumb feature - that winds up being a spyware collection bin). It must be emptied separately from the Recycle Bin. I gave a link to instructions on doing this.

    Let's check what is still installed (at least what your PC thinks is still installed)!

    Get an installed programs list from HijackThis!
    • Run HijackThis, click Open the Misc Tools section
    • Click Open Uninstall Manager
    • Click Save List (generates uninstall_list.txt)
    • Click Save, to save it to a file where you can find it.
    • Attach the uninstall_list.txt file to your next message.
     
  7. BillRat9

    BillRat9 Private E-2

    Alrightey then...

    I went ahead and emptied the Norton Nprotect folder as outlined in the support article and began the steps outlined in your earlier post.

    I was unable to run Add/Remove Programs in Safe Mode so I rebooted into normal mode and Spyware Quake did not appear. Looking in the System32 folder, none of the drivers listed were there. Also, none of the files or folders listed near the end of the Quake Removal page were there. I took this as a good thing.

    I had already removed Viewpoint Manager earlier.

    I followed your instructions re: KillBox and all went well.

    I fixed the entries in HijackThis, although three of them had apparently been fixed in earlier procedures.

    Things seem to be going well...so far.

    I am attaching the requested files.

    Thanks Again!
     

    Attached Files:

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It is still showing in your HJT logs. That was why I said uninstall it. We will have to fix it manually.

    Please note that you never installed the proper version of Ad-Aware SE. You are still using the very old Ad-aware 6 Personal. As the READ ME indicates, you must always click the links to see what we have in them for download to make sure you have the correct versions. Both software version numbers & reference files (detection databases) must be current. Uninstall this old version and download, install, update and run the new version.

    The same problem is true for Spybot! Your version is more than a year out of date!

    And to top it off, you still never followed the directions in step 7 of the READ & RUN ME to install HJT properly. You installed it exactly where the directions indicate not to install it.

    So in essence, you have never actually followed and completed the READ & RUN ME properly.

    By the way, you have Morpheus 1.9 installed which comes bundled with malware. You should uninstall this.

    Okay.....onto the removal of Symantec and Viewpoint!

    Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'. On the page that opens, scroll down to Symantec Core LC... then right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

    Next, run HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config' button, and then the 'Misc tools' button ... select 'Delete an NT Service' ... copy/paste the following into the box that opens, and press 'OK':

    Symantec Core LC

    If you get any error messages while performing the above steps, just ignore them and continue.

    Now exit HJT but do not reboot when it tells you it needs to. We will do that further down after running HJT again to fix some other items.


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe <--- this should already be gone after running the above fixes.

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete:
    C:\Program Files\Viewpoint <-- the whole folder
    C:\Program Files\Common Files\Symantec Shared <-- the whole folder

    Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.
    Now run Ccleaner (installed while running the READ ME FIRST).

    Now reboot in normal mode and post a new HJT log.

    Make sure you tell me how things are working now.

    Reminder Note: Once we have determined you are malware free you will need to disable System Restore, reboot, and re-enable System Restore per step 1 of the READ & RUN ME. This only applies if using WinXP or WinMe.
     
    Last edited: Apr 26, 2006
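As an added illustration (not part of the thread, and not HijackThis's own code) of how the R0/R1, O20 and O23 entries fixed in posts 4 and 8 can be read mechanically: this Python script parses HJT-style log lines from a constructed sample and reports the hijack pattern above, one unexpected host set as several Internet Explorer start/search values, along with the Winlogon Notify DLL and service entries. The regexes and the sample log are assumptions modelled on the lines quoted in the thread.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the entries quoted in the thread (not a real log).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = prosearching.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O20 - Winlogon Notify: winbjv32 - C:\WINNT\SYSTEM32\winbjv32.dll
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
"""

# R0/R1: hive \ key , value name = data   (data may be empty)
R_LINE = re.compile(r"^R[01] - (HK\w+)\\(.+?),(.+?) =\s*(.*)$")
# O20: subkey name under Winlogon\Notify and the DLL it loads at every logon
O20_LINE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+)$")
# O23: service display name, vendor string, binary path
O23_LINE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")


def parse_ie_settings(log):
    """Return (hive, value_name, data) for every R0/R1 line in the log."""
    out = []
    for line in log.splitlines():
        m = R_LINE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(3).strip(), m.group(4).strip()))
    return out


def hijack_hosts(log, min_hits=2):
    """Hosts that at least min_hits IE start/search values point at.
    about:blank and empty values are the normal defaults, so they are ignored."""
    hits = defaultdict(list)
    for hive, name, data in parse_ie_settings(log):
        if data and data.lower() != "about:blank":
            hits[data.lower()].append(f"{hive}:{name}")
    return {host: refs for host, refs in hits.items() if len(refs) >= min_hits}


def winlogon_notify_dlls(log):
    """(subkey, dll path) for each O20 entry; these DLLs run inside winlogon."""
    return [m.groups() for m in map(O20_LINE.match, log.splitlines()) if m]


def services(log):
    """(display name, vendor, binary path) for each O23 entry."""
    return [m.groups() for m in map(O23_LINE.match, log.splitlines()) if m]
```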
  9. BillRat9

    BillRat9 Private E-2

    I just meant to say that i had already tried to remove Viewpoint Mgr. in Add/Remove. Obviously that didn't completely uninstall it.

    I have installed new versions of AdAware and Spybot and run them. I am also running HJT through C:/Program Files/HJT.

    I have tried several times in the past to uninstall Morpheus but nothing happens in Add/Remove.

    The Viewpoint folder was not there when I rebooted into Safe Mode.

    Also, during this process my Google Toolbar has been removed from my browser window. Is it unsafe?

    I hope I'm getting this stuff right now. Sorry for being such a pain.

    Thanks.
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Use HijackThis to uninstall a program!
    • Run HijackThis, click Open the Misc Tools section
    • Click Open Uninstall Manager
    • Choose the program you wish to uninstall by selecting it in the window.
    • Now Click Delete this entry
    Did that help?

    No it is not safe! If you need it, perhaps you will need to reinstall it. It still shows in your HijackThis log but it was never installed properly. It should not be running from the Downloaded Program Files folder. But this is not a topic for this forum. My opinion of toolbars is to uninstall them to avoid wasting system resources.


    Your log is clean. If you are not having any other malware problems, it is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points. Then reboot and enable System Restore to create a new clean Restore Point.

    After that, you should work thru the below link:

    How to Protect yourself from malware!
     
  11. BillRat9

    BillRat9 Private E-2

    Thank You SO much for your help!! I know I've been less than the ideal patient but it is wonderful that you folks are willing to take the time to help.

    It is greatly appreciated.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome! Can I assume that you were able to remove Morpheus with those steps?
     
  13. BillRat9

    BillRat9 Private E-2

    I'm not at that computer tonight, but I will try to remove it tomorrow. I haven't used that program in over a year so, hopefully, any malware that came bundled with it has been removed. But I'll let you know. Thanks.
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay let me know the results.
     
  15. BillRat9

    BillRat9 Private E-2

    Worked like a charm.
     
  16. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Great! Then I assume we are all done! :)
     