Hi, my mother's computer is infected and she is freaking out without her internet. I have:
1. run Spybot S&D and Ad-Aware in both regular and safe mode (updated and immunized).
2. run Avast AV in regular mode and at boot time.
3. run SUPERAntiSpyware.
HJT LOG
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:51:44 PM, on 10/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\winshow.exe
C:\Program Files\WordPerfect Office 11\Programs\CorUpd.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Trend Micro\HijackThis\hjakThsscanner.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {01abded4-b194-4401-bead-e526f65a49e5} - C:\WINDOWS\system32\dvgpwht.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: (no name) - {2DA54036-41EA-48F5-8745-96F6B948D7BD} - C:\Program Files\Windows Media Player\holesuguqC:\WINDOWS\SYSTEM32\cap1\dode83122.exe.dll (file missing)
O2 - BHO: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\RealBar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\system32\qbsbglmq.dll (file missing)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\rhwgbbjt.dll
O2 - BHO: (no name) - {BACEB7AF-8D88-456E-82D0-7BEB9A4410FE} - C:\WINDOWS\system32\xxyaxut.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: REALBAR - {4E7BD74F-2B8D-469E-C0FF-FD60B590A87D} - C:\PROGRA~1\COMMON~1\Real\Toolbar\RealBar.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\rhwgbbjt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow.exe"
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\bfloxhyn.dll",sitypnow
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [C:_Program Files_WordPerfe3a] C:\Program Files\WordPerfect Office 11\Programs\CorUpd.exe /Watch
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.5\webbuying.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O10 - Unknown file in Winsock LSP: osmim.dll
O10 - Unknown file in Winsock LSP: osmim.dll
O10 - Unknown file in Winsock LSP: osmim.dll
O10 - Unknown file in Winsock LSP: osmim.dll
O10 - Unknown file in Winsock LSP: osmim.dll
O10 - Unknown file in Winsock LSP: osmim.dll
O16 - DPF: YExplorer1_8US.CAB - http://photos.groups.yahoo.com/ocx/u...lorer1_8us.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/sh...6/mcinsctl.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/sh...19/mcgdmgr.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: rhwgbbjt - C:\WINDOWS\SYSTEM32\rhwgbbjt.dll
O20 - Winlogon Notify: xxyaxut - C:\WINDOWS\SYSTEM32\xxyaxut.dll
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O24 - Desktop Component 0: (no name) - http://www.harvardsquarelibrary.org/...background.gif
O24 - Desktop Component 1: (no name) - http://http.earthcache.net/SSVC00518.../chudleigh.jpg
O24 - Desktop Component 2: (no name) - http://www.si.umich.edu/Space/browse...pi/jupiter.gif
O24 - Desktop Component 3: (no name) - http://www.physicsclassroom.com/images/banner_right.gif
--
End of file - 8099 bytes
SUPERANTISPYWARE LOG
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 10/18/2007 at 12:53 PM
Application Version : 3.9.1008
Core Rules Database Version : 3259
Trace Rules Database Version: 1270
Scan type : Complete Scan
Total Scan Time : 00:34:02
Memory items scanned : 374
Memory threats detected : 2
Registry items scanned : 4633
Registry threats detected : 17
File items scanned : 36704
File threats detected : 37
Trojan.WinFixer
C:\WINDOWS\SYSTEM32\GEEBY.DLL
C:\WINDOWS\SYSTEM32\GEEBY.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1A5D6559-94B5-4A8C-B050-309573ED9E37}
HKCR\CLSID\{1A5D6559-94B5-4A8C-B050-309573ED9E37}
HKCR\CLSID\{1A5D6559-94B5-4A8C-B050-309573ED9E37}\InprocServer32
HKCR\CLSID\{1A5D6559-94B5-4A8C-B050-309573ED9E37}\InprocServer32#ThreadingModel
Trojan.Downloader-NewJuan/VM
C:\WINDOWS\SYSTEM32\QBSBGLMQ.DLL
C:\WINDOWS\SYSTEM32\QBSBGLMQ.DLL
Adware.Tracking Cookie
C:\Documents and Settings\jill\cookies\jill@partner2profit[1].txt
C:\Documents and Settings\jill\cookies\jill@2o7[2].txt
C:\Documents and Settings\jill\cookies\jill@advertstream[2].txt
C:\Documents and Settings\jill\cookies\jill@atdmt[2].txt
C:\Documents and Settings\jill\cookies\jill@adbrite[1].txt
C:\Documents and Settings\jill\cookies\jill@anad.tacoda[1].txt
C:\Documents and Settings\jill\cookies\jill@media.adrevolver[2].txt
C:\Documents and Settings\jill\cookies\jill@clicksor[1].txt
C:\Documents and Settings\jill\cookies\jill@sexbuddies[2].txt
C:\Documents and Settings\jill\cookies\jill@xiti[1].txt
C:\Documents and Settings\jill\cookies\jill@adrevolver[1].txt
C:\Documents and Settings\jill\cookies\jill@tacoda[2].txt
C:\Documents and Settings\jill\cookies\jill@trafficmp[1].txt
C:\Documents and Settings\jill\cookies\jill@adsrevenue[2].txt
C:\Documents and Settings\jill\cookies\jill@advertising[1].txt
C:\Documents and Settings\jill\cookies\jill@realmedia[2].txt
C:\Documents and Settings\jill\cookies\jill@adopt.specificclick[1].txt
C:\Documents and Settings\jill\cookies\jill@stats2.reliablestats[2].txt
C:\Documents and Settings\jill\cookies\jill@ads.pointroll[2].txt
C:\Documents and Settings\jill\cookies\jill@zedo[2].txt
C:\Documents and Settings\jill\cookies\jill@atwola[1].txt
C:\Documents and Settings\jill\cookies\jill@revsci[2].txt
C:\Documents and Settings\jill\cookies\jill@ads.adbrite[2].txt
C:\Documents and Settings\jill\cookies\jill@toplist[1].txt
C:\Documents and Settings\jill\cookies\jill@statsgod[2].txt
C:\Documents and Settings\jill\cookies\jill@fastclick[1].txt
C:\Documents and Settings\jill\cookies\jill@serving-sys[2].txt
C:\Documents and Settings\jill\cookies\jill@doubleclick[1].txt
C:\Documents and Settings\jill\cookies\jill@ar.atwola[1].txt
C:\Documents and Settings\jill\cookies\jill@edge.ru4[1].txt
C:\Documents and Settings\jill\cookies\jill@bs.serving-sys[1].txt
C:\Documents and Settings\jill\cookies\jill@precisionclick[1].txt
Trojan.Spyware Stormer
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{205FF73B-CA67-11D5-99DD-444553540000}
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{205FF73B-CA67-11D5-99DD-444553540000}#SystemComponent
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{205FF73B-CA67-11D5-99DD-444553540000}#Installer
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{205FF73B-CA67-11D5-99DD-444553540000}\Contains
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{205FF73B-CA67-11D5-99DD-444553540000}\Contains\Files
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{205FF73B-CA67-11D5-99DD-444553540000}\Contains\Files#C:\WINDOWS\Downloaded Program Files\Install.dll
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{205FF73B-CA67-11D5-99DD-444553540000}\DownloadInformation
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{205FF73B-CA67-11D5-99DD-444553540000}\DownloadInformation#CODEBASE
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{205FF73B-CA67-11D5-99DD-444553540000}\DownloadInformation#INF
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{205FF73B-CA67-11D5-99DD-444553540000}\InstalledVersion
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{205FF73B-CA67-11D5-99DD-444553540000}\InstalledVersion#LastModified
Adware.Web Buying
HKU\S-1-5-21-19272783-1081834574-1454861426-1007\Software\WebBuying
Trojan.Downloader-Gen/RetAd
HKLM\Software\Microsoft\Windows\CurrentVersion\Run #runner1 [ C:\WINDOWS\tsitra1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310 ]
Adware.ClickSpring/Yazzle
C:\DOCUMENTS AND SETTINGS\JILL\LOCAL SETTINGS\TEMP\YAZZLEBUNDLE-1549.EXE
C:\WINDOWS\PREFETCH\YAZZLE1549OINADMIN.EXE-0C086C08.PF
C:\WINDOWS\PREFETCH\YAZZLEBUNDLE-1549.EXE-25D96D24.PF
Thanks,
~Mike~
Also, I'm flopping the logs with a memory stick to my laptop as I do not want to hook mom's PC up to my network and compromise my own security.
All scanners are updated as of 2 days ago, with the exception of SAS, which I downloaded last night but have not updated.
I have also enabled hidden files and extensions as well as disabling system restore.
I have not run any online scans, but Avast has been pretty good to me in the past.
I had intended to put ZoneAlarm on mom's PC as soon as it is clean; ZA runs on all my computers even though people tell me I don't need it with a router.
* I posted this log on Bleeping Computer as well, but those guys seem to take days to respond. I got quick help last time I was here but had forgotten my login info. My mother is over here every couple of hours to see if I got her up and running.