Sorry..another smitfraud issue!

Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixsmit.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Double-click on the fixsmit.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to add to the registry say yes.

If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).
Look in Add/Remove Programs for the below and uninstall if found:
SecurityIGuard or Security IGuard

Please bring up Task Manager by hitting CTRL-ALT-DEL and click the Processes tab. Look for the below process(es) and if found, End them:
c:\wp.exe

Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
O4 - HKCU\..\Run: [WindowsFY] C:\wp.exe

Do you recognize the below? Is this something you use? If not, fix it to.
O4 - Startup: deflogon.bat


After clicking Fix, exit HJT.
Boot into safe mode and use Windows Explorer to delete:
c:\wp.exe
c:\wp.bmp


If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.

Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.

Now reboot in normal mode and post a new HJT log. And tell me how things are working.

 

You still have some problems. First you must pick which antivirus application you wish to have and uninstall the other. You have both AVG and Symantec. You must only use one.

There are a bunch of issues still related to smitfraud. I'll post a fix in a few minutes.

I just noticed that you never ran the READ ME FIRST sticky. You should do that.

 

Look in Add/Remove programs for PIB Toolbar and uninstall if found.


If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

Please run HijackThis and click on the "Open the Misc Tools Section" button on the open page. Then select "Open process manager" on the left-hand side. Look for the following process (or processes) and one at a time kill them by selecting it and then click "Kill process". Then click yes.
C:\WINDOWS\system32\shnlog.exe
C:\WINDOWS\system32\intmon.exe
C:\bsw.exe
C:\PROGRA~1\Toolbar\PIB.exe

After killing all the above processes, click "Back".

Then please click "Scan" and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.quicknavigate.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.quicknavigate.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.quicknavigate.com/search.php?qq=%1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.seekerbar.com/ie.aspx?tb_id=50154
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = res://C:\PROGRA~1\Toolbar\toolbar.dll/sa
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://qfind.net/bar/index.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.quicknavigate.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.quicknavigate.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.quicknavigate.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.quicknavigate.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.qfind.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - C:\PROGRA~1\Toolbar\toolbar.dll
F2 - REG:system.ini: Shell=explorer.exe, msmsgs.exe
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\system32\hpD167.tmp
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll (file missing)
O3 - Toolbar: (no name) - {D6223CBC-A263-4CB1-B35E-1AE40FEF3B3B} - (no file)
O3 - Toolbar: &Search Toolbar - {339BB23F-A864-48C0-A59F-29EA915965EC} - C:\PROGRA~1\Toolbar\toolbar.dll
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKCU\..\Run: [WindowsFY] c:\bsw.exe

Do you really want this below reminder to bug you all the time? If you don't want it, fix the next line too.
O4 - Startup: Registration The Political Machine.LNK = C:\Downloads\PolMachine\Ubisoft\RegistrationReminder.exe


O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\My Downloads\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\My Downloads\IEExtension.dll
O9 - Extra button: Microsoft AntiSpyware helper - {B955318B-1646-4983-87BF-4624F96BA40A} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {B955318B-1646-4983-87BF-4624F96BA40A} - (no file) (HKCU)
O15 - Trusted Zone: *.sony-europe.com
O15 - Trusted Zone: *.sonystyle-europe.com
O15 - Trusted Zone: *.vaio-link.com
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/gba1865.exe
O18 - Protocol: tpro - {FF76A5DA-6158-4439-99FF-EDC1B3FE100C} - C:\PROGRA~1\Toolbar\toolbar.dll


After clicking Fix, exit HJT.

Boot into safe mode and use Windows Explorer to delete (I'm repeating some from last time to double check):
C:\WINDOWS\system32\msmsgs.exe
C:\WINDOWS\system32\shnlog.exe
C:\WINDOWS\system32\intmon.exe
C:\Windows\System32\helper.exe
C:\Windows\System32\ole32vbs.exe
C:\Windows\system32\msole32.exe
C:\WINDOWS\system32\hpD167.tmp
C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Program Files\Toolbar <--- the whole folder

If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. If it is, uncheck it and try again. Other wise open Task Manager and kill the process if running then delete the file.


Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.

Now we need to Reset Web Settings:
1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.


Now reboot in normal mode and post a new HJT log. And tell us how things are working.

 

Did you find and delete all the files I asked you to delete? It is a lot easier for us if you provide some feedback on the steps. Just saying you still have problems afterwards makes us wonder if you did the steps properly. So it is better if you would tell us what happened along the way.

Re run the steps again, because the below still appears in your log. Run all of the steps over including the file deletion part (double check to make sure they are gone). Also this time do them while you are physically unplugged (disconnect cable) from the internet and make sure no browsers (including this one) are opened.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.quicknavigate.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.quicknavigate.com/bar.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.football365.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.club-vaio.sony-europe.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.quicknavigate.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.quicknavigate.com/search.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.quicknavigate.com/search.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.quicknavigate.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.btbroadbandstart.com/
O2 - BHO: (no name) - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFF} - C:\WINDOWS\system32\hpA6AF.tmp
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_5_7_0.dll (file missing)
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\My Downloads\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\My Downloads\IEExtension.dll

 

You should not be having problems uploading your log as an attachment. Did you try just renaming the file? I attached it for you this time.


We need to stop, disable and delete the below service:
O23 - Service: WebSeach Toolbar support NT service (TBPSSvc) - Unknown owner - C:\PROGRA~1\Toolbar\TBPSSvc.exe (file missing)

Click on Start, then Run ... type services.msc into the box that opens up, and press 'OK'.
On the page that opens, scroll down to WebSeach Toolbar support NT service or maybe it will just be called TBPSSvc ... right click the entry, select 'Properties' and press 'Stop Service'. When it shows that it is stopped, next please set the 'Start-up Type' to 'Disabled'. Press 'OK' until you get back to Windows.

Next, open up HJT, but instead of scanning, click on the "None of the above, just start the program" button at the bottom of the choices. At the lower right, click on the 'Config" button, and then the Misc tools' button ... select 'Delete an NT Service" ... copy/paste the following into the box that opens, and press "OK":

WebSeach Toolbar support NT service

or possible use the short name: TBPSSvc

After the above reboot your system into safe mode and make sure the below folder is deleted:
C:\Program Files\Toolbar

Then reboot in normal mode and check your HijackThis log to make sure the O23 Service entry is gone. Let me know how all this works.

 

If everything is working okay, we should be done with the cleaning. Now to help keep you clean, you should run the steps in the below thread:

How to Protect yourself from malware!

 

You're welcome! Surf Safely.