
View Full Version : Badly Infected PC



George_Bush
2007-06-27, 06:50
This is my girlfriend's PC that had everything on it when I sat down. I ran SpyBot and ComboFix ( found about 12 things ) on it and it's better but it still complains of WebBuying and it's pig slow. Take a look and tell me what you think.

Thankx in advance,
George

=============================================================================
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:44:08 AM, on 6/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Common Files\AOL\1181314488\ee\AOLSoftware.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Anti-SpyWare\HiJackThis_v2.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://search.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1D6AC231-5329-4BBD-80A7-6CE6256485A9} - C:\Program Files\Windows Media Player\nipyzafi.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {7c6cd7eb-ff5c-4ad3-8b9f-f1cf848c1d5b} - C:\WINDOWS\system32\tuvbdbv.dll
O2 - BHO: (no name) - {E7C6937C-3529-41BE-A90B-5F3893136254} - \
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1181314488\ee\AOLSoftware.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://205.159.125.199/central/02030106/cccabs/CleverContent.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Microsoft Office Groove Audit Service - Unknown owner - C:\Program Files\Microsoft Office\Office12\GrooveAuditService.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\MSN Gaming Zone\viko.html

--
End of file - 5040 bytes

=================================================================================
ComboFix 07-06-18.2 - C:\public\ComboFix.exe
"sarah" - 2007-06-27 0:23:22 - Service Pack 2 NTFS


((((((((((((((((((((((((( Files Created from 2007-05-27 to 2007-06-27 )))))))))))))))))))))))))))))))


2007-06-26 23:31 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-23 22:36 <DIR> d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2007-06-23 21:56 <DIR> d-------- C:\WINDOWS\VirtualEar
2007-06-23 00:03 <DIR> d-------- C:\Anti-SpyWare
2007-06-12 23:48 <DIR> d-------- C:\Program Files\Panicware
2007-06-12 22:38 <DIR> d-------- C:\Program Files\HP
2007-06-12 22:03 <DIR> d-------- C:\Temp\HP_WebRelease
2007-06-09 00:42 3,407,872 --a------ C:\DOCUME~1\sarah\ntuser.dat
2007-06-08 23:57 786,432 --ah----- C:\DOCUME~1\ADMINI~1\ntuser.dat
2007-06-08 23:57 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Jasc Software Inc
2007-06-08 22:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-08 22:24 46,592 --a------ C:\WINDOWS\lvboguq.exe
2007-06-08 22:24 172,544 --a------ C:\WINDOWS\system32\tuvbdbv.dll
2007-06-08 22:24 1,051,920 -r-hs---- C:\WINDOWS\lvboguqA.exe
2007-06-08 22:24 <DIR> d-------- C:\WINDOWS\system32\TQ0
2007-06-08 22:24 <DIR> d-------- C:\WINDOWS\system32\T1QaSQ
2007-06-08 22:24 <DIR> d-------- C:\Temp\x2b
2007-06-08 10:55 65,536 --a------ C:\WINDOWS\wanmpsvc.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-27 03:33:09 -------- d-----w C:\Program Files\MSN Gaming Zone
2007-06-24 02:35:22 -------- d-----w C:\Program Files\Common Files\AOL
2007-06-24 01:56:02 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-24 01:51:36 -------- d-----w C:\Program Files\Analog Devices
2007-06-24 01:47:56 -------- d-----w C:\Program Files\Common Files\Real
2007-06-13 01:38:06 -------- d-----w C:\DOCUME~1\sarah\APPLIC~1\AdobeUM
2007-06-09 04:43:14 -------- d-----w C:\Program Files\MUSICMATCH
2007-06-06 01:33:42 -------- d-----w C:\Program Files\Jasc Software Inc
2007-05-26 17:18:05 -------- d-----w C:\Program Files\Microsoft.NET
2007-05-23 22:43:54 -------- d-----w C:\Program Files\ahead
2007-05-23 22:43:43 106,496 ------w C:\WINDOWS\system32\TwnLib20.dll
2007-05-23 22:43:42 532,480 ------w C:\WINDOWS\system32\imagx5.dll
2007-05-23 22:43:42 507,904 ------w C:\WINDOWS\system32\imagr5.dll
2007-05-23 22:43:42 35,328 ------w C:\WINDOWS\system32\picn20.dll
2007-05-23 22:43:42 275,312 ------w C:\WINDOWS\system32\ImagXpr5.dll
2007-05-23 22:43:36 57,344 ------w C:\WINDOWS\system32\MultiSZ.dll
2007-05-23 22:43:36 155,648 ------w C:\WINDOWS\system32\NeroCheck.exe
2007-05-23 22:43:28 692,224 ------w C:\WINDOWS\UNNERO.exe
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-13 17:31:03 103,984 ----a-w C:\WINDOWS\system32\AOLDial.dll
2007-04-06 19:27:01 139,264 ----a-w C:\TTC.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-11-03 16:17]
{1D6AC231-5329-4BBD-80A7-6CE6256485A9}=C:\Program Files\Windows Media Player\nipyzafi.dll [2007-04-06 15:27]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{72853161-30C5-4D22-B7F9-0BBC1D38A37E}=C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL [2006-10-27 00:48]
{7c6cd7eb-ff5c-4ad3-8b9f-f1cf848c1d5b}=C:\WINDOWS\system32\tuvbdbv.dll [2007-06-08 22:24]
{E7C6937C-3529-41BE-A90B-5F3893136254}=\ [2007-06-27 00:24]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 22:42]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 19:48]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" []
"mmtask"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 10:50]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-02-05 02:06]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 08:50]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" []
"HostManager"="C:\Program Files\Common Files\AOL\1181314488\ee\AOLSoftware.exe" [2006-09-25 20:52]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]
"PopUpStopperFreeEdition"="C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe" [2003-02-06 11:30]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\MSN Gaming Zone\viko.html
FriendlyName=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"="C:\PROGRA~1\MICROS~4\Office12\GRA8E1~1.DLL" [2006-10-27 00:48]


**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-27 00:25:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-27 0:25:46
C:\ComboFix-quarantined-files.txt ... 2007-06-27 00:25
C:\ComboFix2.txt ... 2007-06-26 23:38

--- E O F ---

George_Bush
2007-06-27, 07:17
I forgot to insert the installed software listing from HJT.

=============================================================================
ACDSee
Adobe Acrobat - Reader 6.0.2 Update
Adobe Reader 6.0.1
AOL Coach Version 1.0(Build:20040229.1 en)
AOL Uninstaller (Choose which Products to Remove)
Conexant D850 56K V.9x DFVc Modem
Dell Driver Reset Tool
Dell Picture Studio v3.0
DellSupport
Digital Line Detect
EPSON Printer Software
HijackThis 2.0.0
Intel(R) Extreme Graphics 2 Driver
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet for Wired Connections
Internet Explorer Default Page
Java 2 Runtime Environment, SE v1.4.2_03
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Plus! Photo Story 2 LE
Modem Helper
MSXML 4.0 SP2 (KB927978)
Musicmatch® Jukebox
Nero - Burning Rom (Web installer)
Pop-Up Stopper Free Edition
Qualxserve Service Agreement
QuickTime
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Spybot - Search & Destroy 1.4
TurboTax Deluxe 2005
Viewpoint Media Player
WexTech AnswerWorks
WordPerfect Office 12



WexTech and MusicMatch are still in the installed list, but I deleted the directories.

I read the posting on posting and understand that whatever I do is on me.

WebBuying pops a window every 4 minutes.

Thankx in advance,
George

pskelley
2007-06-28, 15:17
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information. "BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Hello George, have a look at the instructions above which are also pinned to the top of the forum. Once you read those, you will see you have posted a lot of information we did request and that may or may not be needed, but sure has increased the size of this topic and has not made things easier.
Had you read this pinned link: http://forums.spybot.info/showthread.php?t=279
you would already know that your Java program is severely out of date and probably the reason you are infected.
C:\Program Files\Java\j2re1.4.2_03\ <<< out of date, download the newest version and uninstall all old versions in Add Remove programs.


Please read and follow these directions:

1) O24 Section
http://www.bleepingcomputer.com/tutorials/tutorial42.html#O24Diag

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: (no name) - {1D6AC231-5329-4BBD-80A7-6CE6256485A9} - C:\Program Files\Windows Media Player\nipyzafi.dll
O2 - BHO: (no name) - {7c6cd7eb-ff5c-4ad3-8b9f-f1cf848c1d5b} - C:\WINDOWS\system32\tuvbdbv.dll
O2 - BHO: (no name) - {E7C6937C-3529-41BE-A90B-5F3893136254} - \
O24 - Desktop Component 0: (no name) - C:\Program Files\MSN Gaming Zone\viko.html

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Post a new HJT log and give me a report on performance now.

Thanks

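A small triage script, added here and not part of this thread or of HijackThis, that applies the reasoning behind the selection in the post above to the log lines George posted: it parses the R3/O2/O24 entries and flags hooks and BHOs with no backing file, unnamed BHOs outside a small allowlist, and desktop components that point at a local HTML file. The allowlist and the rules are assumptions for illustration; the sample lines are copied from the log in this thread.

```python
import re

# Constructed sample: HijackThis lines copied from the log posted in this thread.
SAMPLE_LOG = [
    r"R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)",
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {1D6AC231-5329-4BBD-80A7-6CE6256485A9} - C:\Program Files\Windows Media Player\nipyzafi.dll",
    r"O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll",
    r"O2 - BHO: (no name) - {7c6cd7eb-ff5c-4ad3-8b9f-f1cf848c1d5b} - C:\WINDOWS\system32\tuvbdbv.dll",
    "O2 - BHO: (no name) - {E7C6937C-3529-41BE-A90B-5F3893136254} - \\",
    r"O24 - Desktop Component 0: (no name) - C:\Program Files\MSN Gaming Zone\viko.html",
]

# HJT line layout: "<section> - <kind>: <name> - [{CLSID} - ]<path>"
LINE_RE = re.compile(
    r"^(?P<section>[RO]\d+) - (?P<kind>[^:]+): (?P<name>.+?) - "
    r"(?:\{(?P<clsid>[^}]+)\} - )?(?P<path>.*)$"
)

# Assumed allowlist: the one "(no name)" BHO the helper left alone is Spybot's SDHelper.
ALLOWLISTED_BHO = {"sdhelper.dll"}


def parse_line(line):
    """Split one HJT line into section, kind, name, CLSID (if any) and path."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(lines):
    """Return [(line, reason)] for entries a reviewer would mark for 'Fix Checked'."""
    findings = []
    for line in lines:
        e = parse_line(line)
        if not e:
            continue
        path = e["path"].strip()
        basename = path.replace("\\", "/").rsplit("/", 1)[-1].lower()
        dangling = path in ("", "\\", "(no file)")
        if e["section"] == "R3" and dangling:
            findings.append((line, "URLSearchHook with no backing file"))
        elif e["section"] == "O2":
            if dangling:
                findings.append((line, "BHO with no backing file"))
            elif e["name"] == "(no name)" and basename not in ALLOWLISTED_BHO:
                findings.append((line, "unnamed BHO outside the allowlist"))
        elif e["section"] == "O24" and basename.endswith(".html"):
            findings.append((line, "desktop component pointing at a local HTML file"))
    return findings
```

Run against the full log it reproduces the five entries the helper asked to have fixed, while leaving the Adobe and Spybot BHOs alone.
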
pskelley
2007-07-10, 12:38
No response, topic is closed.

If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Anyone else with similar problems please start a new topic.

Thanks