Hello,
My computer is infected with the "Antivirus Soft" virus (see pics below). I run Malwarebytes' Anti-Malware and it seems to remove the infection, but then it returns.
I also noticed that sometimes the Java icon becomes visible in the system tray right before the virus becomes active again.


***
Logs:
SUPERAntiSpyware Scan Log
SUPERAntiSpyware.com
Generated 02/21/2010 at 05:08 PM
Application Version : 4.34.1000
Core Rules Database Version : 4605
Trace Rules Database Version: 2417
Scan type : Complete Scan
Total Scan Time : 00:40:16
Memory items scanned : 360
Memory threats detected : 0
Registry items scanned : 4123
Registry threats detected : 6
File items scanned : 26902
File threats detected : 13
Rogue.SmartProtector
C:\WINDOWS\system32\srcr.dat
Trojan.Agent/Gen-Alureon
HKU\.DEFAULT\Software\h8srt
HKU\S-1-5-19\Software\h8srt
HKU\S-1-5-20\Software\h8srt
HKU\S-1-5-21-1177238915-1958367476-839522115-1008\Software\h8srt
HKU\S-1-5-18\Software\h8srt
Rogue.AntivirusSoft
HKU\S-1-5-21-1177238915-1958367476-839522115-1008\Software\avsoft
C:\DOCUMENTS AND SETTINGS\COMPUTER\LOCAL SETTINGS\APPLICATION DATA\DHFAAO\GWCQSFTAV.EXE
C:\WINDOWS\Prefetch\GWCQSFTAV.EXE-0982425D.pf
Adware.Tracking Cookie
C:\Documents and Settings\Toad's Magic LilyPad\Cookies\toad's magic lilypad@a1.interclick[1].txt
C:\Documents and Settings\Toad's Magic LilyPad\Cookies\toad's magic lilypad@ads.ookla[2].txt
C:\Documents and Settings\Toad's Magic LilyPad\Cookies\toad's magic lilypad@ads.undertone[2].txt
C:\Documents and Settings\Toad's Magic LilyPad\Cookies\toad's magic lilypad@at.atwola[2].txt
C:\Documents and Settings\Toad's Magic LilyPad\Cookies\toad's magic lilypad@content.yieldmanager[1].txt
C:\Documents and Settings\Toad's Magic LilyPad\Cookies\toad's magic lilypad@eyewonder[1].txt
C:\Documents and Settings\Toad's Magic LilyPad\Cookies\toad's magic lilypad@interclick[2].txt
C:\Documents and Settings\Toad's Magic LilyPad\Cookies\toad's magic lilypad@yieldmanager[1].txt
Rogue.Agent/Gen-Nullo[DLL]
C:\WINDOWS\SYSTEM32\SRPBLKCOO.DLL
C:\WINDOWS\SYSTEM32\SRPIMMDATA.DLL
***
Malwarebytes' Anti-Malware 1.44
Database version: 3772
Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512
2/21/2010 5:43:01 PM
mbam-log-2010-02-21 (17-43-01).txt
Scan type: Quick Scan
Objects scanned: 128834
Time elapsed: 4 minute(s), 33 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
***
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:00:59 PM, on 2/21/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Program Files\K-Lite Codec Pack\Media Player Classic\mplayerc.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\HijackThis\sniper.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:5555
O1 - Hosts: 91.200.164.10 stomaid.ru
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\RunServicesOnce: [washindex] c:\Program Files\Washer\washidx.exe "Computer"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - http://ccfiles.creative.com/Web/soft...5106/CTPID.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
--
End of file - 3259 bytes
***
Any help with this problem would be greatly appreciated.
Thank you,
M