Hello,

I too had the joy of struggling with Virtumonde and Smitfraude, but those seem to have been taken care of by ComboFix. However, I still get many pop-up ads "courtesy of web buying" - some terribly persistent adware called "WebBuying Assistant," which SpyBot detects on every scan and seems to remove, but which obviously remains on my computer.

I'm also getting a Windows Script Host error:
Script: F:\Program Files\func.js
Line: 76
Char: 1
Error: Permission denied
Code: 800A0046
Source: Microsoft JScript runtime error

I don't know if these are related. Finally, I suspect I made the old Windows Firewall error on my first SpyBot scan. If I did delete those files, how can I restore them?

A lot of questions, I know. Sorry. Here's the HiJack This log:

Logfile of HijackThis v1.99.1
Scan saved at 1:59:41 PM, on 6/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Ahead\InCD\InCDsrv.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Ahead\InCD\InCD.exe
F:\PROGRA~1\Grisoft\AVG7\avgcc.exe
F:\WINDOWS\Mixer.exe
F:\Program Files\QuickTime\qttask.exe
F:\Program Files\iTunes\iTunesHelper.exe
F:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
F:\Program Files\Google\Google Updater\GoogleUpdater.exe
F:\Palm\HOTSYNC.EXE
F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
F:\Program Files\Common Files\LightScribe\LSSrvc.exe
F:\WINDOWS\system32\svchost.exe
F:\Program Files\iPod\bin\iPodService.exe
F:\Program Files\internet explorer\iexplore.exe
F:\WINDOWS\system32\wscript.exe
F:\Palm\palm.exe
F:\Program Files\WinRAR\WinRAR.exe
F:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\Rar$EX00.309\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {36343bc8-af76-4338-8ef0-c38b2f201add} - F:\WINDOWS\system32\bapngsx.dll
O2 - BHO: (no name) - {4B7CE606-D7B1-4A7E-815A-0FA3CEBD64DA} - F:\Program Files\MSN Gaming Zone\wofe83122.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - F:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {C7293330-85A7-8A55-D90E-8CADAEE023E6} - F:\WINDOWS\system32\kqvf.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [InCD] F:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [AVG7_CC] F:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Salestart] "F:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "F:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Urcc] "F:\DOCUME~1\MICHAE~1\APPLIC~1\SSTEM~1\rundll32.exe" -vt yazb
O4 - HKCU\..\Run: [Atata] "F:\Program Files\?racle\?ti2evxx.exe"
O4 - HKCU\..\Run: [swg] F:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Acrobat Assistant.lnk = F:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Google Updater.lnk = F:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HotSync Manager.lnk = F:\Palm\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - F:\Program Files\Yahoo!\common\yinsthelper.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - F:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Sony SPTI Service for DVE (ICDSPTSV) - Sony Corporation - F:\WINDOWS\system32\IcdSptSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - F:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - F:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - F:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - F:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - F:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MSCSPTISRV - Sony Corporation - F:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Unknown owner - F:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - F:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - F:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - F:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe

Thanks

Welcome to Safer Networking, I wish to be sure you have viewed and understand this information. "BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

MOMOM, if you still need help, you are still fairly badly infected. I can still see Vundo and PurityScan/OIN. If you want me to try to help, this is what I would like you to do.

1) You are running HJT from an unsafe TEMP folder:
F:\DOCUME~1\MICHAE~1\LOCALS~1\Temp\Rar$EX00.309\HijackThis.exe
Navigate to that HJT.exe and delete it.

2) Follow these instructions to download a newer version:
Download Trend Micro Hijack This™
http://hijack1.trend-braintree.com/hjt/eval/HijackThis.exe
Download it to your Program Files folder.
Doubleclick the HijackThis_V2.exe to start it.
Click "Do a System Scan and save a logfile"
This will create a HijackThislog.

3) Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP, Update for Windows XP and Windows XP Hotfix to shorten the list)

4) Delete any instance of combofix you have onboard and download it new and follow these instructions:

Thanks to sUBs and anyone else who helped with this fix.

Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Post that uninstall list, the combofix log and a new HJT log.

Thanks

No response in over ten days, topic is closed.

If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Anyone else with similar problems please start a new topic.

Thanks