
I think I have more than malware...

#1 modestmouse736 (New Member, 1 posts)

One day I got home from work and the desktop of my computer was blue and said something along the lines of "IE has caused a fatal error and your system cannot operate normally". There was also a new program on my desktop called PCGuard. PCGuard opened when I got on my computer and said it had run a spyware scan and found all this spyware and that if I bought the program it could fix it all. I uninstalled PCGuard and did a system restore. To no avail; a few hours later I had the same problem with a different message for my background and a different program on my desktop. I tried a system restore one more time to an even earlier date and everything seemed fine. A few hours later I had a new message and a new program. This time I just uninstalled the program "SpySheriff", which was telling me I have all this spyware that it can fix if I buy the program. I ran a MS Spyware beta scan and it found some stuff, but nothing changed when I deleted it. Also it has affected my Norton; I cannot run a scan, it says "Norton could not access the scan engine, please check security settings". I have tried to change my background back to normal, but it has locked it and I cannot change it. This is my HJT log...

Logfile of HijackThis v1.99.1
Scan saved at 4:57:35 PM, on 6/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\windows\system32\wscntfy.exe
C:\windows\system32\Ati2evxx.exe
C:\windows\Explorer.EXE
C:\windows\SOUNDMAN.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Daily Weather Forecast\weather.exe
C:\windows\system32\Rgbzmz.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\program files\steam\steam.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\SpySheriff\SpySheriff.exe
C:\Documents and Settings\Clay Manwaring\Desktop\hijackthis\HijackThis.exe

R3 - Default URLSearchHook is missing
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe
O4 - HKLM\..\Run: [version] C:\windows\system32\Lhvkkm.exe
O4 - HKLM\..\Run: [qxsretif] C:\WINDOWS\qxsretif.exe
O4 - HKLM\..\Run: [secure] C:\windows\system32\Rgbzmz.exe
O4 - HKLM\..\Run: [DFFLn] C:\windows\stblpi.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\inetrepl.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1103247359795
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\windows\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe


Please help me if you can; I need my computer for work and this is really setting me back. I would appreciate it if you could e-mail me at [email protected] with a response ASAP.
Thanks,
Clay


#2 -=jonnyrotten=- (Member 2k, Retired Staff, 2,678 posts)

Hello, modestmouse736, let's get you cleaned up.

Please download CleanUp! and install it. Do not run it yet. We will do that later.

Please download "Del Domain" from here:

http://www.geekstogo...=download&id=40

Download it to your desktop or somewhere you will find it. Extract the .inf file from the .zip file you just downloaded. Do not do anything with this yet either.

You may wish to print out a copy of these instructions to follow while you complete this procedure.
Please save Hijack This in a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible. Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu). Be sure you're able to view hidden files.

Now open Hijack This (once in Safe Mode). Scan and when it finishes, put a check in the boxes next to the following items only, then click "Fix checked".

R3 - Default URLSearchHook is missing
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe
O4 - HKLM\..\Run: [version] C:\windows\system32\Lhvkkm.exe
O4 - HKLM\..\Run: [qxsretif] C:\WINDOWS\qxsretif.exe
O4 - HKLM\..\Run: [secure] C:\windows\system32\Rgbzmz.exe
O4 - HKLM\..\Run: [DFFLn] C:\windows\stblpi.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe

Now, using Windows Explorer, please locate and delete the following files/folders if found:

C:\Program Files\Viewpoint
C:\Program Files\Daily Weather Forecast
C:\windows\system32\Rgbzmz.exe
C:\Program Files\SpySheriff
C:\windows\system32\Lhvkkm.exe
C:\WINDOWS\qxsretif.exe
C:\windows\stblpi.exe
C:\winstall.exe

Now click "Start, All Programs, CleanUp!". Click the CleanUp! button and when it asks you to logoff to finish, click NO.

Now locate DelDomain on your desktop, which you downloaded earlier. Extract the .inf file from the .zip file you just downloaded. Now right click "Deldomains.inf" and click "Install". It will not appear to have done anything; that's ok. Next step.

Now reboot into normal mode and post a fresh Hijack This log.

-=jonnyrotten=- :tazz:

~listening to old skool Modest Mouse (Teeth like God's Shoeshine) while I do this ;)~
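The reply above reads the log by hand: it singles out the O4 Run entries whose binaries sit in C:\ or the Windows directory under random names, the rogue "SpySheriff", the adware bundles, and the dangling R3/O2 references, and leaves the vendor entries (ATI, Logitech, Symantec, Java) alone. The script below is an added example, not part of the thread and not HijackThis's own code, that applies the same reading mechanically to an excerpt of the posted log. The scoring weights in assess(), the vowel-ratio test in looks_random() and the THREAD_FIX_LIST of names are assumptions made for this example; the embedded SAMPLE_LOG is a constructed subset of the log in post #1.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis v1.99.1 log posted above,
# embedded so the script runs offline without the real log file.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [version] C:\windows\system32\Lhvkkm.exe
O4 - HKLM\..\Run: [qxsretif] C:\WINDOWS\qxsretif.exe
O4 - HKLM\..\Run: [secure] C:\windows\system32\Rgbzmz.exe
O4 - HKLM\..\Run: [DFFLn] C:\windows\stblpi.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
"""

# Names the reply lists for removal, plus the rogue the poster named. This is the
# thread's verdict for this one machine (an assumption here), not a reputation database.
THREAD_FIX_LIST = ("spysheriff", "viewpoint", "daily weather forecast", "pcguard")

# O4 registry lines look like: O4 - HKLM\..\Run: [label] command
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
# First executable-looking token of the command, quoted or not.
IMAGE_RE = re.compile(r'^"?(?P<path>[^"]*?\.(?:exe|dll|scr|com|bat|cmd))\b"?', re.IGNORECASE)


@dataclass
class RunEntry:
    hive: str
    key: str
    label: str
    command: str
    image: str  # path of the launched binary, "" if it could not be extracted


def parse_run_entries(log_text: str) -> list:
    """Extract the O4 HKLM/HKCU Run and RunOnce entries from a HijackThis log."""
    entries = []
    for line in log_text.strip().splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        cmd = m["cmd"].strip()
        im = IMAGE_RE.match(cmd)
        entries.append(RunEntry(m["hive"], m["key"], m["label"], cmd, im["path"] if im else ""))
    return entries


def orphaned_entries(log_text: str) -> list:
    """Lines that point at something HijackThis could not find on disk (R3/O2 here)."""
    return [l for l in log_text.strip().splitlines()
            if re.search(r"\(file missing\)|is missing$", l)]


def location_class(image: str) -> str:
    p = image.replace("/", "\\").lower()
    if "\\" not in p:
        return "bare"  # no directory: whatever is found first on the search path runs
    d = p.rsplit("\\", 1)[0]
    if re.fullmatch(r"[a-z]:", d):
        return "drive_root"
    if re.fullmatch(r"[a-z]:\\windows(\\system32)?", d):
        return "windows_dir"
    return "other"


def looks_random(stem: str) -> bool:
    """Assumed heuristic: a name with almost no vowels (Rgbzmz, Lhvkkm) was not picked by a vendor."""
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(letters) < 5:
        return False
    return sum(c in "aeiouy" for c in letters) / len(letters) <= 0.25


def assess(entry: RunEntry):
    """Return (score, reasons). The weights are this example's assumption, not HijackThis logic."""
    score, reasons = 0, []
    loc = location_class(entry.image)
    stem = entry.image.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if loc == "bare":
        score += 1
        reasons.append("no directory given; resolved through the search path at logon")
    if loc in ("drive_root", "windows_dir"):
        score += 1
        reasons.append(f"launched from {loc}, where installers rarely drop new binaries")
    if looks_random(stem):
        score += 1
        reasons.append("random-looking file name")
    if any(n in entry.image.lower() for n in THREAD_FIX_LIST):
        score += 2
        reasons.append("matches an item the thread identified as rogue/adware")
    return score, reasons


def suspicious_run_entries(entries, threshold: int = 2):
    """Entries worth checking by hand; a score, not a verdict."""
    flagged = []
    for e in entries:
        score, reasons = assess(e)
        if score >= threshold:
            flagged.append((e, reasons))
    return flagged


if __name__ == "__main__":
    for e, reasons in suspicious_run_entries(parse_run_entries(SAMPLE_LOG)):
        print(f"{e.hive}\\..\\{e.key} [{e.label}] -> {e.image}")
        for r in reasons:
            print("    -", r)
    print("orphaned references:", len(orphaned_entries(SAMPLE_LOG)))
```

Run against the excerpt, the script flags the same six Run entries the reply has you fix (Lhvkkm.exe, qxsretif.exe, Rgbzmz.exe, stblpi.exe, winstall.exe, SpySheriff.exe) and reports the two dangling references; it does not flag the Viewpoint and Daily Weather Forecast entries, which live under Program Files with ordinary names and were identified in the reply by reputation, not by appearance. Two things the score cannot tell you and the reply's procedure accounts for: "Fix checked" in HijackThis only removes the registry value, so the dropped files must be deleted separately (hence the Safe Mode file list), and a Run value holding a bare name such as SOUNDMAN.EXE is resolved through the search path, so the binary that actually runs depends on what is in the directories searched before it.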