Infected computer


Stacey-B
05-17-2008, 10:50 AM
I hope my computer can be helped. I followed the instructions at the top for the Superantispyware and malware remover. The pictures really helped to understand what to do. I had it remove everything it found, restarted my computer and this is my HJT log. I can understand basic instructions about my computer but nothing too technical. Thank you to anyone that is willing to help me. Stacey

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:46:32 AM, on 5/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\sstray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Digital Media Reader\shwiconem.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\NewDotNet\nnrun.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\NewDotNet\nnrun.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\mrofinu.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ycomp/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/bin/set?home=ca.yahoo.com&prop=Yahoo!+Canada
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: MSEvents Object - {8DBF02DA-4360-4A7E-BEA1-347B87816327} - C:\WINDOWS\system32\gebyx.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunKistEM] C:\Program Files\Digital Media Reader\shwiconem.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [MNI.UWFX5_0001_MNI] "C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\4ZW3K5MT\WinFixer2005ScannerInstall[2].exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu11.exe 61A847B5BBF72813338B2B27128065E9C084320161C4661227A755E9C2933154389A284662E901F3D2933202228B284662E901F3D2933202228B284661A64DB7C8F0287E55E246220D9E728F9FC17D446BC57D5773E744AB97
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Registry Cleaner] "C:\Program Files\Registry Cleaner Trial\regclean.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [POSTRBT] C:\Program Files\Norton AntiVirus\Navw32.exe /REMEDIATE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [POSTRBT] C:\Program Files\Norton AntiVirus\Navw32.exe /REMEDIATE (User 'Default user')
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: TONKA™ Construction 2 Registration.lnk = E:\Construction2.exe
O4 - Startup: TONKA™ Power Tools Registration.lnk = E:\PowerTools.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.comcastsupport.com/sdcxuser/asp/tgctlsr.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/tgctlcm.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/MyFunCardsFWBInitialSetup1.0.0.15.cab
O16 - DPF: {2871FC9B-5E34-4AAE-9E9C-EBD1652D5C92} (Rhapsody Player Engine) - http://forms.real.com/real/player/download.html?f=windows/mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast.go.com/v3/setup/activex/DIGHardwareControl.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {528BF874-2681-4CE3-8C62-AA0D3BC0A719} (McciSysSCM Class) - http://supportcenter.verizon.net/euserv/jsp/VOLAWeb.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase370.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://ak.imgag.com/imgag/cp/install/Crusher.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://aolsvc.aol.com/onlinegames/free-trial-yahtzee/zylomplayer.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.0/installer.exe
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://real.gamehouse.com/real/games/SproutLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) - file://E:\games\WebDriverFullInstall.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{E161EB27-1021-4CF1-9EAE-F4FA0CBFA621}: NameServer = 4.2.2.2,4.2.2.6
O20 - Winlogon Notify: gebyx - C:\WINDOWS\system32\gebyx.dll (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NNServ - New.net, Inc. - C:\Program Files\NewDotNet\nnrun.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
--
End of file - 10194 bytes

jcampi
05-17-2008, 11:09 AM
:eek: What antivirus and antispyware programs are you using? I'd remove whatever you are currently using and download and install the evaluation version of Nod32 (good for 30 days) and the free version of Superantispyware (SAS). I would run Nod32 first and then run SAS. Then, it's up to you what AV or Spyware software you want to use. However, after years and years of using other software, Nod32 at about $25 (for one year on newegg.com) and about $20 for SAS is super-cheap for the value and protection you'll get. Plus, no more headaches with viruses or spyware.

dale@fcg
05-17-2008, 12:36 PM
Stacey,
Are you having a specific problem with your pc or are you just looking to improve your computing experience?

One suggestion I'd have is to remove all the toolbars from Internet Explorer - I noticed you have several. They also go under the category of BHO (Browser Helper Object). These toolbars and BHOs tend to open the door for malware to get in.

Also, make sure nothing is running at startup except what you know you really need to have running constantly. All you need to have running in most cases is your antivirus and antispyware and perhaps a few other utilities that you know you want running. All other items in startup should be disabled, as you can open them when you need them. This is accomplished by clicking on Start/Run then typing "msconfig" without the quotes and hitting Enter. In the System Configuration Utility that opens, on the far right is a tab labeled Startup. Click on that tab and disable all items except what you know you need. Restart your pc and put a check mark in the warning message that appears, telling the computer not to warn you anymore or run it at startup.
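The HijackThis log in the first post and dale@fcg's advice about startup items both come down to reading the same thing: which registry and startup entries point at something that should not be there. The script below is an added example, not part of this thread and not a HijackThis or forum tool; it parses HJT-style lines (section code, " - ", entry text) and applies a few defender-side review rules: entries whose file no longer exists, O4 autostarts launched from a temporary folder, O4 autostarts that pass a long opaque hex argument, and O20 Winlogon Notify DLLs, which load at logon and deserve a look. It also pulls the DNS servers out of O17 so they can be checked against what the ISP actually assigns. The sample lines are copied from the log posted above (one benign NVIDIA entry is included so a clean entry can be seen passing); the rule names and thresholds are my own assumptions, not HijackThis's.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a handful of lines from the HijackThis log posted in
# this thread, plus the header and footer lines so the parser has to skip them.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: MSEvents Object - {8DBF02DA-4360-4A7E-BEA1-347B87816327} - C:\WINDOWS\system32\gebyx.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MNI.UWFX5_0001_MNI] "C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\4ZW3K5MT\WinFixer2005ScannerInstall[2].exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu11.exe 61A847B5BBF72813338B2B27128065E9C084320161C4661227A755E9C2933154389A284662E901F3D2933202228B284662E901F3D2933202228B284661A64DB7C8F0287E55E246220D9E728F9FC17D446BC57D5773E744AB97
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{E161EB27-1021-4CF1-9EAE-F4FA0CBFA621}: NameServer = 4.2.2.2,4.2.2.6
O20 - Winlogon Notify: gebyx - C:\WINDOWS\system32\gebyx.dll (file missing)
O23 - Service: NNServ - New.net, Inc. - C:\Program Files\NewDotNet\nnrun.exe
--
End of file - 10194 bytes
"""

# An HJT entry is "<section code> - <entry text>", e.g. "O4 - HKLM\..\Run: ...".
ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")

# Folders no legitimate autostart should be launched from (assumed rule list).
TEMP_DIRS = ("temporary internet files", "\\local settings\\temp\\", "\\windows\\temp\\")

# Assumed threshold: a trailing run of 64+ hex characters is treated as opaque.
HEX_ARG_RE = re.compile(r"\s[0-9A-F]{64,}\s*$", re.IGNORECASE)


def parse_hjt(text: str) -> List[Tuple[str, str]]:
    """Return (section, entry) pairs, skipping header/footer lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def classify(section: str, entry: str) -> List[str]:
    """Apply the review rules to one entry; an empty list means nothing stood out."""
    reasons = []
    low = entry.lower()
    if "(file missing)" in low or "(no file)" in low:
        reasons.append("orphaned entry: registry points at a file that no longer exists")
    if section == "O4" and any(t in low for t in TEMP_DIRS):
        reasons.append("autostart runs from a temporary folder")
    if section == "O4" and HEX_ARG_RE.search(entry):
        reasons.append("autostart passes a long opaque hex argument")
    if section == "O20":
        reasons.append("Winlogon Notify DLL loads at every logon; review it")
    return reasons


def review(text: str) -> List[Dict[str, object]]:
    """Parse a log and return only the entries that triggered at least one rule."""
    findings = []
    for section, entry in parse_hjt(text):
        reasons = classify(section, entry)
        if reasons:
            findings.append({"section": section, "entry": entry, "reasons": reasons})
    return findings


def nameservers(text: str) -> List[str]:
    """Collect the DNS servers from O17 lines so they can be checked by hand."""
    servers = []
    for section, entry in parse_hjt(text):
        if section == "O17":
            _, _, value = entry.partition("NameServer = ")
            servers.extend(s.strip() for s in value.split(",") if s.strip())
    return servers


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"[{f['section']}] {f['entry'][:80]}")
        for r in f["reasons"]:
            print(f"    - {r}")
    print("DNS servers to verify:", ", ".join(nameservers(SAMPLE_LOG)))
```

Run it against a full log by replacing `SAMPLE_LOG` with the file contents; the point of the rules is to narrow a 100-line log down to the handful of entries a helper would ask about, not to decide on their own what is malicious, so every finding still needs a human (or a reputable scanner) to confirm before anything is fixed.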

Scotty
05-17-2008, 01:53 PM
Do this instead of any of the above

Download Lspfix (http://www.cexx.org/lspfix.zip). Extract (unzip) it to its own folder.
DO NOT RUN THIS YET!

If you already have Combofix, please delete that copy and download it again as it's being updated regularly.

There is a tutorial on the basic use of Combofix here:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix


Please download Combofix from Bleeping Computer (http://download.bleepingcomputer.com/sUBs/ComboFix.exe).

If you can't download it from there, please try these 2 alternative sites:

Forospyware (http://www.forospyware.com/sUBs/ComboFix.exe)
Geeks to Go (http://subs.geekstogo.com/ComboFix.exe)


Save it to your Desktop.
Disconnect from the Internet.
Click on this LINK (http://www.bleepingcomputer.com/forums/topic114351.html) to see how to disable your security programs.
Click Start>Run copy/paste or type "%userprofile%\desktop\combofix.exe" /killall into the Run box and click OK.
When finished, it shall produce a log for you. Post that log in your next reply with a new HijackThis log.

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

If you still can't connect to the internet after rebooting please do the following things:
First disconnect the cable from the internet, and close all browser windows.
Double-click LSPFix.
Click Finish. Don't use the "X" in the upper right hand corner to close the window, or the program won't execute.
Reboot Windows normally.


In your next reply post:
ComboFix.txt
New HijackThis log taken after the above scan has run

Stacey-B
05-17-2008, 05:49 PM
Scotty, Thank you for your assistance. I am having a problem understanding what you mean with this line. Click Start>Run copy/paste or type "%userprofile%\desktop\combofix.exe" /killall into the Run box and click OK. It just doesn't make any sense to me at all. I have a pretty limited knowledge when it is technical. I can't even find a typing box, is it missing? I have a lot of missing or inoperable things on my computer. I'm sorry, I read that no question is stupid or something like that. I hope you guys really mean that, I am feeling pretty stupid right now. :confused: Stacey

allheart55
05-17-2008, 06:43 PM
Stacey, when you click on the start button you should see "run" on the right, near the bottom of the menu.
http://i235.photobucket.com/albums/ee216/Tippy1955/computers/run.jpg
If you click on "run", a new little window will open up that looks like this.
http://i235.photobucket.com/albums/ee216/Tippy1955/computers/cmd.jpg

If you do not see the "run" at the bottom, you will have to enable it so that it shows on the start menu. I am assuming you do not see it. I have some more screen shots that will show you how to fix this. One moment, please.:)

Stacey-B
05-17-2008, 06:45 PM
yes I mean no, I don't see a run or that little box? Thank you very much.

sho-dan
05-17-2008, 06:49 PM
Hello Stacey

I'm sorry, I read that no question is stupid or something like that. I hope you guys really mean that, I am feeling pretty stupid right now. :confused: Stacey

I think you're very smart for asking these questions, it's the way we all learn..:) If you don't understand a step or method, please ask your questions, ok...:cool:

allheart55
05-17-2008, 07:09 PM
No problem, that's why we are here. You need to go to the bottom of your desktop and right click anywhere on the task bar. Select "properties".
http://i235.photobucket.com/albums/ee216/Tippy1955/computers/taskbar.jpg
Click on "start menu" at the top, and then "customize".

http://i235.photobucket.com/albums/ee216/Tippy1955/computers/step2.jpg

Click on the "advanced" tab.

http://i235.photobucket.com/albums/ee216/Tippy1955/computers/step3.jpg

Scroll almost all of the way down until you see Printers and Faxes and under that "run" command. Put a check in the box next to run command.

http://i235.photobucket.com/albums/ee216/Tippy1955/computers/step4.jpg


Click the "OK" button.


http://i235.photobucket.com/albums/ee216/Tippy1955/computers/apply.jpg
Then, in the same window you began with, click on "Apply" and "OK" at the bottom.

Now select start and then run and follow what Scotty told you to do. If you need help, just ask. We don't bite but if we do, it won't be painful! :D

Stacey-B
05-17-2008, 07:12 PM
Thank you all for not making me feel ridiculous. I will try the directions right now. Stacey

dale@fcg
05-17-2008, 09:56 PM
Stacey,
Take a deep breath and patiently work your way, one step at a time. Do not hesitate to ask for any step to be re-explained. And do not feel silly no matter how simple the question may seem.

Scotty
05-18-2008, 05:15 AM
Stacey, if you are having a problem, just disable Norton and double-click the Combofix icon.