Have tried everything

Please follow the steps below:

- Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

Make sure you check version numbers and get all updates.

- Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

Downloading, Installing, and Running HijackThis

.

 

I'm also assuming you meant PSGuard. So also follow the steps in the below:

Smitfraud and PSGuard Removal

 

Okay! Make sure you post the smitfiles.txt log as requested in that link.

 

As BJ just indicated and as I said before, attach the smitfiles.txt and HJT logs. Do not cut & paste them here.

 

Your OS and IE versions are way out of date and represent a major security risk. Once any current problems have been completely fixed you must get updated.

Okay SmitRem took care of most of your PSGuard and Smitfraud problems. You should notice they are gone now. One item from them still remains. You may or may not still have Virtumonde problems. We will see.


If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R3 - Default URLSearchHook is missing
O2 - BHO: HomepageBHO - {3bf1f86f-b1a8-489b-8d8b-43781d51411f} - C:\WINDOWS\System32\hp3690.tmp
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\System32\pmnoo.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: SecurityToolbar - {736b5468-bdad-41be-92d0-22ae2ddf7bcb} - C:\Program Files\Security Toolbar\Security Toolbar.dll
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: (no name) - {AFC3FA82-AD07-45cd-8B57-983435B9899E} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - Winlogon Notify: pmnoo - C:\WINDOWS\System32\pmnoo.dll (file missing)

After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
C:\Program Files\Security Toolbar <--- the whole folder
C:\WINDOWS\System32\hp3690.tmp

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.

Now reboot in normal mode and post a new HJT log. And tell us how things are working.

 

Please do not quote messages unless it is required for context! It only clutters up the thread.

Why did you post two messages with almost the same info?

The below item is still in your HJT log

O2 - BHO: HomepageBHO - {3bf1f86f-b1a8-489b-8d8b-43781d51411f} - C:\WINDOWS\System32\hp9E18.tmp

Did you fix it using HJT? Are you sure you had ALL BROWSERS closed before clicking fix?

 

Please explain what this means in more detail. We need a HijackThis log from normal boot mode. I'm not sure what you are trying to say about the file type was given you problems and would not attach. It should be no different than what you did in safe mode. Just save the log to a file name with a .log extension (which is the default and upload it). If you cannot upload it, post it inline (copy and paste).

Does the below files exist:

c:\windows\system32\taskmgr.exe

Did you install this: SpyCatcher 2006

 

Please delete this version of HJT and run the proper one like you did in your previous message.

Also please answer questions.

 

Could not open it using what?

Did you get an error message?

 

Then you did not name the file properly. You must just use the default file extension type which is .log

When HijackThis saves a file, the default name is always hijackthis.log

If you change the name to some other extension that is not allowed to be uploaded, you will get that error.

And you still have not answered previous questions.

 

The questions in messages 19 & 20. That you now answered! All but this question:

You also have not posted the proper HJT log yet.

 

Wrong version of HJT as indicated in the message!

Logfile of HijackThis v1.97.7

Your previous logs were from the correct, properly installed version.

 

We do not need a safe mode log! They are not helping.

I would recommend at this point that you uninstall Ewido (I still see a service for it running) and also uninstall SpyCatcher for now because they may actually be blocking fixes.

 

After uninstalling them:

- run SmitRem again and save and attach the log

- run only step 8 from this link: SpySheriff (aka SpywareNo) Removal This will add a patch to the registry.

Then reboot and post the smitfiles.txt log and new HJT log from normal boot mode (hopefully) and give me some status.

 

You need to uninstall those programs. And I would uninstall this too unless you use it: Viewpoint Manager (Only one person in thousands of have talked to even knew what it was but even he never used it.)

Then run the steps in message 32!

 

The same as you did last time in message # 15.