I got the AntivirusXP 2008 virus

8 replies to this topic

#1
growingcorn

A few days ago, my computer was infected with AntivirusXP 2008 while I was surfing the internet: its website popped up and I accidentally clicked on it. I downloaded the Malwarebytes program and followed the instructions for removing the virus. The AVG antivirus program I have on my computer did not detect the virus. Why's that?

Anyway, I use Chinese on my computer, and while the virus was on my computer the Chinese characters failed to display correctly; they showed up as boxes. The Chinese characters came back after the virus was removed.

Today, the Chinese characters failed again, but AntivirusXP 2008 didn't pop up. So I returned to Malwarebytes and came to this section of the forum to perform a more thorough check with Spybot, Malwarebytes, and Panda.

Would any moderators be so kind to assist me in reviewing my logs and thoroughly clean out all viruses and threats?

#2
AdvancedSetup

Hello growingcorn

Yes, please post the logs from the listed scans and someone will be happy to assist you. It is possible, though, that something was damaged on the system and that, even if your system is now clean, it could be impaired by the infection. We can try to assist you, but there is no guarantee that we can correct all damage done by infections.

So, please post the logs and someone will take a look.

#3
growingcorn

The following are my logs:

Malwarebytes log

Malwarebytes' Anti-Malware 1.28
Database version: 1155
Windows 5.1.2600 Service Pack 2

9/15/2008 11:59:09 AM
mbam-log-2008-09-15 (11-59-09).txt

Scan type: Quick Scan
Objects scanned: 79260
Time elapsed: 10 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Wyn.XXXX-QWKBJE5KB7\Local Settings\Temp\TDSSe2b4.tmp (Trojan.Multis) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tdssadw.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssl.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssserf.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssmain.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssinit.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdsslog.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tdssservers.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\drivers\tdssserv.sys (Trojan.Agent) -> Delete on reboot.

PandaActive Scan
;********************************************************************************
ANALYSIS: 2008-09-15 14:05:04
PROTECTIONS: 1
MALWARE: 32
SUSPECTS: 0
;********************************************************************************
PROTECTIONS
Description Version Active Updated
;================================================================================
AVG Anti-Virus Free 8.0 Yes Yes
;================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;================================================================================
00046160 adware/searchexe Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
00046160 adware/searchexe Adware No 0 Yes No HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Search Bar
00145345 Cookie/Uproar TrackingCookie No 0 Yes No C:\Documents and Settings\Wyn\Cookies\wyn@ads.uproar[1].txt
00145466 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Wyn\Cookies\wyn@servedby.advertising[1].txt
00149064 Cookie/Maxserving TrackingCookie No 0 Yes No C:\Documents and Settings\Wyn\Cookies\wyn@maxserving[1].txt
00152401 Cookie/Belnk TrackingCookie No 0 Yes No C:\Documents and Settings\Wyn\Cookies\wyn@belnk[1].txt
00159565 Cookie/Dyfuca TrackingCookie No 0 Yes No C:\Documents and Settings\Wyn\Cookies\wyn@0[4].txt
00162730 Cookie/Belnk TrackingCookie No 0 Yes No C:\Documents and Settings\Wyn\Cookies\wyn@dist.belnk[2].txt
00167642 Cookie/Com.com TrackingCookie No 0 Yes No C:\Documents and Settings\Wyn\Cookies\wyn@com[1].txt
00167690 Cookie/Rightmedia TrackingCookie No 0 Yes No C:\Documents and Settings\Wyn\Cookies\wyn@rightmedia[2].txt
00167733 Cookie/Adserver TrackingCookie No 0 Yes No C:\Documents and Settings\Wyn\Cookies\wyn@z1.adserver[1].txt
00167776 Cookie/Kount TrackingCookie No 0 Yes No C:\Documents and Settings\Wyn\Cookies\wyn@kount[1].txt
00167787 Cookie/Sandboxer TrackingCookie No 0 Yes No C:\Documents and Settings\Wyn\Cookies\wyn@0[2].txt
00168101 Cookie/Falkag TrackingCookie No 0 Yes No C:\Documents and Settings\Wyn\Cookies\wyn@as-us.falkag[2].txt
00168109 Cookie/Adtech TrackingCookie No 0 Yes No C:\Documents and Settings\Wyn.XXXX-QWKBJE5KB7\Cookies\wyn@adtech[1].txt
00168110 Cookie/Server.iad.Liveperson TrackingCookie No 0 Yes No C:\Documents and Settings\Wyn\Cookies\wyn@server.iad.liveperson[2].txt
00168114 Cookie/onestat.com TrackingCookie No 0 Yes No C:\Documents and Settings\Wyn.XXXX-QWKBJE5KB7\Cookies\wyn@stat.onestat[2].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Wyn.XXXX-QWKBJE5KB7\Cookies\wyn@advertising[1].txt
00169287 Cookie/Adrevolver TrackingCookie No 0 Yes No C:\Documents and Settings\Wyn\Cookies\wyn@adrevolver[1].txt
00170087 Cookie/Hbmediapro TrackingCookie No 0 Yes No C:\Documents and Settings\Wyn\Cookies\wyn@adopt.hbmediapro[2].txt
00191644 Cookie/adultfriendfinder TrackingCookie No 0 Yes No C:\Documents and Settings\Wyn.XXXX-QWKBJE5KB7\Cookies\wyn@adultfriendfinder[2].txt
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Wyn\Cookies\wyn@go[1].txt
00198936 Cookie/SAHAgent TrackingCookie No 0 Yes No C:\Documents and Settings\Wyn\Cookies\wyn@www.shopathomeselect[2].txt
00205915 Adware/404Search Adware No 0 Yes No C:\System Volume Information\_restore{CA3123FE-C74E-4DCD-B01A-7E0D3FC4716E}\RP256\A0024516.exe
00206953 Cookie/Sextracker TrackingCookie No 0 Yes No C:\Documents and Settings\Wyn\Cookies\wyn@counter14.sextracker[1].txt
00221182 adware/eshopper Adware No 0 Yes No c:\windows\system32\eshopcamp.xml
00221182 adware/eshopper Adware No 0 Yes No c:\windows\system32\eshopperuninstall.exe
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Wyn\Cookies\wyn@atwola[1].txt
00262020 Cookie/Atwola TrackingCookie No 0 Yes No C:\Documents and Settings\Wyn.XXXX-QWKBJE5KB7\Cookies\wyn@atwola[2].txt
00286739 Cookie/Hitbox TrackingCookie No 0 Yes No C:\Documents and Settings\Wyn\Cookies\wyn@ehg-dig.hitbox[1].txt
00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Documents and Settings\Wyn.XXXX-QWKBJE5KB7\Cookies\wyn@ads.addynamix[1].txt
00293517 Cookie/AdDynamix TrackingCookie No 0 Yes No C:\Documents and Settings\Wyn\Cookies\wyn@ads.addynamix[1].txt
01196325 Cookie/Enhance TrackingCookie No 0 Yes No C:\Documents and Settings\Wyn.XXXX-QWKBJE5KB7\Cookies\wyn@enhance[1].txt
01606636 Cookie/Adserver TrackingCookie No 0 Yes No C:\Documents and Settings\Wyn.XXXX-QWKBJE5KB7\Cookies\wyn@adserver.easyad[1].txt
02390696 Adware/Startpage.CTK Adware No 1 Yes No C:\WINDOWS\system32\fullsrbndl.exe
03139586 W32/Downframe.A Virus No 0 Yes No C:\Documents and Settings\Wyn\My Documents\DSLite 2.07.45\DSLite 2.07.45\dl_url.html
03139586 W32/Downframe.A Virus No 0 Yes No C:\Documents and Settings\Wyn\My Documents\DSLite 2.07.45\DSLite 2.07.45\dl_text.html
;================================================================================
SUSPECTS
Sent Location 
;================================================================================
;================================================================================
VULNERABILITIES
Id Severity Description 
;================================================================================
184380 MEDIUM MS08-002 
184379 MEDIUM MS08-001 
182048 HIGH MS07-069 
182046 HIGH MS07-067 
182043 HIGH MS07-064 
176382 HIGH MS07-057 
176383 HIGH MS07-058 
170906 HIGH MS07-045 
170904 HIGH MS07-043 
164913 HIGH MS07-033 
160623 HIGH MS07-027 
157262 HIGH MS07-022 
157260 HIGH MS07-020 
150253 HIGH MS07-016 
150249 HIGH MS07-013 
141033 MEDIUM MS06-075 
141030 HIGH MS06-072 
137568 HIGH MS06-067 
126083 HIGH MS06-042 
120815 HIGH MS06-022 
120814 HIGH MS06-021 
114666 HIGH MS06-015 
114664 HIGH MS06-013 
;================================================================================

HiJack This scan

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:17:37 PM, on 9/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {933E7167-F302-48C8-A4E9-19C4D4C15B3B} - C:\PROGRA~1\CIA\AFE.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O8 - Extra context menu item: &Download the file(s) in D.S.Code - C:\Documents and Settings\Wyn\My Documents\DSLite 2.07.45\DSLite 2.07.45\dl_text.html
O8 - Extra context menu item: &Download the file(s) in D.S.Code-File - C:\Documents and Settings\Wyn\My Documents\DSLite 2.07.45\DSLite 2.07.45\dl_url.html
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: 上傳到QQ網路硬碟 - C:\Program Files\Tencent\QQ2006\AddToNetDisk.htm
O8 - Extra context menu item: 下載編碼內容(S&martGet) - C:\Documents and Settings\Wyn\My Documents\SmartGet1.43.7\SmartGet1.43.7\dl_text.html
O8 - Extra context menu item: 使用S&martGet下載 - C:\Documents and Settings\Wyn\My Documents\SmartGet1.43.7\SmartGet1.43.7\dl_link.htm
O8 - Extra context menu item: 全部使用Smart&Get下載 - C:\Documents and Settings\Wyn\My Documents\SmartGet1.43.7\SmartGet1.43.7\dl_all.htm
O8 - Extra context menu item: 新增到QQ自定義面板 - C:\Program Files\Tencent\QQ2006\AddPanel.htm
O8 - Extra context menu item: 新增到QQ表情 - C:\Program Files\Tencent\QQ2006\AddEmotion.htm
O8 - Extra context menu item: 添加到QQ自定義面板 - C:\Program Files\Tencent\QQ2006\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ MMS傳送該圖片 - C:\Program Files\Tencent\QQ2006\SendMMS.htm
O8 - Extra context menu item: 用QQ彩信發送該圖片 - C:\Program Files\Tencent\QQ2006\SendMMS.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: D.S.Lite - {F8475519-8412-4D40-A46E-692D9D04DF7F} - C:\Documents and Settings\Wyn\My Documents\DSLite 2.07.45\DSLite 2.07.45\DSLite.exe
O9 - Extra 'Tools' menuitem: &D.S.Lite - {F8475519-8412-4D40-A46E-692D9D04DF7F} - C:\Documents and Settings\Wyn\My Documents\DSLite 2.07.45\DSLite 2.07.45\DSLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{001CD97A-F1BA-4E83-AD32-46D75595420D}: NameServer = 216.58.97.21 216.58.97.20
O17 - HKLM\System\CS3\Services\Tcpip\..\{001CD97A-F1BA-4E83-AD32-46D75595420D}: NameServer = 216.58.97.21 216.58.97.20
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 5974 bytes

#4
AdvancedSetup

Okay, please give me some time to review your logs. Have you rebooted as requested by the MB program?
If not please do reboot, then update MB again from the Update tab and do another quick scan.
Then when that is done please run a new HJT scan and post both logs.
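Added example (not from the original thread and not Malwarebytes code): a small parser for the MBAM 1.x log format posted above. It separates items that were quarantined from items marked "Delete on reboot", which are still on disk until the machine restarts; that is why a reboot and a second quick scan are asked for before the next log. The sample log is a constructed excerpt of the first log in this thread.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log (the format posted in
this thread) and report which detections are still pending a reboot.
Added example for this thread; not Malwarebytes code. SAMPLE_LOG is a
constructed excerpt of the first log above."""
import re
from collections import Counter

SAMPLE_LOG = """\
Malwarebytes' Anti-Malware 1.28
Database version: 1155
Windows 5.1.2600 Service Pack 2

Scan type: Quick Scan
Objects scanned: 79260
Registry Keys Infected: 2
Files Infected: 3

Registry Keys Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\\SOFTWARE\\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Files Infected:
C:\\Documents and Settings\\Wyn\\Local Settings\\Temp\\TDSSe2b4.tmp (Trojan.Multis) -> Quarantined and deleted successfully.
C:\\WINDOWS\\system32\\tdssadw.dll (Trojan.Agent) -> Delete on reboot.
C:\\WINDOWS\\system32\\drivers\\tdssserv.sys (Trojan.Agent) -> Delete on reboot.
"""

# Section header such as "Files Infected:" (the summary lines carry a count and do not match).
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# Detection line: "<item> (<threat>) -> <action>."
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return one dict per detection: section, item, threat, action."""
    records = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        if section is None or line.startswith("(No malicious"):
            continue
        m = DETECTION_RE.match(line)
        if m:
            records.append({"section": section, **m.groupdict()})
    return records


def pending_reboot(records):
    """Items MBAM could not remove while they were in use. Until the
    machine is rebooted these files are still present and a driver such
    as tdssserv.sys can still be loaded at boot, so a rescan before the
    reboot proves nothing."""
    return [r["item"] for r in records
            if r["action"].lower().startswith("delete on reboot")]


def summary(records):
    """Counts per (section, action) for a quick read of what happened."""
    return Counter((r["section"], r["action"]) for r in records)


if __name__ == "__main__":
    recs = parse_mbam_log(SAMPLE_LOG)
    for (sec, act), n in sorted(summary(recs).items()):
        print(f"{n:3d}  {sec:<25} {act}")
    for item in pending_reboot(recs):
        print("reboot required before rescan:", item)
```

If `pending_reboot` returns anything, the next log is only meaningful after a restart; the second MBAM log in this thread, taken before the reboot, still shows the TDSS temp file for that reason.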

#5
AdvancedSetup

Well, you or someone using your system is playing with cracked applications, which often have malware attached as part of the payload.


Please upload these files to JOTTI to have them scanned and post back the results: Jotti
C:\WINDOWS\system32\fullsrbndl.exe
C:\WINDOWS\system32\conime.exe
C:\PROGRA~1\CIA\AFE.dll



You should delete these files:
C:\Documents and Settings\Wyn\My Documents\DSLite 2.07.45\DSLite 2.07.45\dl_url.html
C:\Documents and Settings\Wyn\My Documents\DSLite 2.07.45\DSLite 2.07.45\dl_text.html


Are these the proper DNS Name Servers for your location? If you know them then they're okay, if not then you may want to verify what DNS Servers you're supposed to be using.
216.58.97.21
resolves to:
Name: dns2.igs.net
Address: 216.58.97.21

216.58.97.20
Name: dns1.igs.net
Address: 216.58.97.20




Update Java Runtime

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 7.
  • Go to http://java.sun.com/...loads/index.jsp

  • Go to Java Runtime Environment (JRE) 6 Update 7 and click on Download button.
  • In Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says "jre-6u7-windows-i586-p.exe" and save the downloaded file to your desktop.
  • Go to Start => Control Panel => Add or Remove Programs
  • Uninstall all old versions of Java (Java 3 Runtime Environment, JRE or JSE)
  • Install the new version by running the newly-downloaded file with the Java icon, which will be on your desktop or wherever you downloaded it to, and follow the on-screen instructions.
  • Reboot your computer



As in my previous post: update Malwarebytes and run another Quick Scan, and when it's done allow it to fix any issues found. Then reboot if required, run a new HJT scan, and post all the requested logs.
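Added example (not from the original thread, and not HijackThis or Malwarebytes code): the three checks made by hand in the post above, applied to HJT log lines. O17 NameServer entries are compared with the resolvers the ISP is known to hand out, O2 BHOs that register a CLSID with no file behind it or with no name are flagged, and JRE paths older than 6 Update 7 are reported. The excerpt is constructed from the log posted earlier in the thread; its second O17 line has been altered to include a made-up resolver so the check has something to flag, and EXPECTED_RESOLVERS and JAVA_BASELINE are assumptions.

```python
"""Triage a HijackThis 2.x log: O17 name servers against an allowlist,
O2 BHOs with no file or no name, and outdated Java plugins.
Added example for this thread; not HijackThis or Malwarebytes code.
SAMPLE_HJT is a constructed excerpt (second O17 line altered);
EXPECTED_RESOLVERS and JAVA_BASELINE are assumptions."""
import re
import ipaddress

SAMPLE_HJT = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {933E7167-F302-48C8-A4E9-19C4D4C15B3B} - C:\PROGRA~1\CIA\AFE.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{001CD97A-F1BA-4E83-AD32-46D75595420D}: NameServer = 216.58.97.21 216.58.97.20
O17 - HKLM\System\CS3\Services\Tcpip\..\{001CD97A-F1BA-4E83-AD32-46D75595420D}: NameServer = 216.58.97.21 1.2.3.4
O20 - AppInit_DLLs: avgrsstx.dll
"""

# Assumption: the resolvers the user's ISP hands out (dns1/dns2.igs.net in the thread).
EXPECTED_RESOLVERS = {"216.58.97.20", "216.58.97.21"}
# Assumption: oldest acceptable JRE at the time of the thread, 1.6.0 Update 7.
JAVA_BASELINE = (1, 6, 0, 7)

O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")
JRE_RE = re.compile(r"jre(?P<maj>\d+)\.(?P<min>\d+)\.(?P<mic>\d+)_(?P<upd>\d+)", re.I)


def check_nameservers(lines):
    """Return O17 resolver IPs not in EXPECTED_RESOLVERS. A changed
    NameServer keeps redirecting the victim after the dropper is gone,
    so it is checked on its own rather than inferred from the scan."""
    rogue = []
    for line in lines:
        m = O17_RE.match(line)
        if not m:
            continue
        for ip in m.group("servers").split():
            ipaddress.ip_address(ip)  # raise on garbage instead of silently passing it
            if ip not in EXPECTED_RESOLVERS:
                rogue.append(ip)
    return rogue


def check_bhos(lines):
    """Flag O2 BHOs whose CLSID has no file behind it (orphaned
    registration) or that register with no name at all."""
    flagged = []
    for line in lines:
        m = O2_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        if path == "(no file)":
            flagged.append((m.group("clsid"), "orphaned: no file"))
        elif m.group("name") == "(no name)":
            flagged.append((m.group("clsid"), f"unnamed BHO: {path}"))
    return flagged


def outdated_java(lines):
    """JRE versions referenced anywhere in the log that are older than JAVA_BASELINE."""
    old = set()
    for line in lines:
        for m in JRE_RE.finditer(line):
            ver = tuple(int(m.group(g)) for g in ("maj", "min", "mic", "upd"))
            if ver < JAVA_BASELINE:
                old.add(".".join(map(str, ver[:3])) + f"_{ver[3]:02d}")
    return sorted(old)


def triage(text):
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    return {
        "rogue_nameservers": check_nameservers(lines),
        "suspicious_bhos": check_bhos(lines),
        "outdated_java": outdated_java(lines),
    }


if __name__ == "__main__":
    for key, val in triage(SAMPLE_HJT).items():
        print(f"{key}: {val}")
```

An O17 entry that resolves to the ISP's own servers, as the ones in this thread did, is fine; the point of the allowlist is that the comparison is made against something known rather than against whatever looks plausible.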

#6
growingcorn

1) Firstly, I scanned the computer with Malwarebytes before carrying out the instructions from your last reply. Here's the resulting log:

Malwarebytes' Anti-Malware 1.28
Database version: 1155
Windows 5.1.2600 Service Pack 2

9/15/2008 12:18:09 PM
mbam-log-2008-09-15 (12-18-09).txt

Scan type: Quick Scan
Objects scanned: 79239
Time elapsed: 13 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Wyn.XXXX-QWKBJE5KB7\Local Settings\Temp\TDSSe2b4.tmp (Trojan.Multis) -> Quarantined and deleted successfully.

2) I restarted the computer. Next, I scanned the 3 files you requested in Jotti. Here's the log:

Log from Jotti

C:\WINDOWS\system32\fullsrbndl.exe
Scanner results
Scan taken on 16 Sep 2008 01:04:08 (GMT)

A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found Win32:Adware-gen
AVG Antivirus Found nothing
BitDefender Found Dropped:Trojan.Startpage.AGS
ClamAV Found nothing
CPsecure Found Troj.Downloader.W32.Small.axy
Dr.Web Found Trojan.Click.17167, Trojan.StartPage.20387, Adware.Eshop, Adware.SaveNow
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Trojan.Win32.StartPage.ags, Trojan.Win32.StartPage.ame, not-a-virus:WebToolbar.Win32.MyWebSearch.ak (6, 2, 615), not-a-virus:AdWare.Win32.EShoper.a (4, 1, 400), not-a-virus:AdWare.Win32.SaveNow.bw (4, 1, 400)

Ikarus Found not-a-virus:Client-IRC.Win32.mIRC.603
Kaspersky Anti-Virus Found Trojan.Win32.StartPage.ags, Trojan.Win32.StartPage.ame, not-a-virus:WebToolbar.Win32.MyWebSearch.ak, not-a-virus:AdWare.Win32.EShoper.a, not-a-virus:AdWare.Win32.SaveNow.bw

NOD32 Found nothing
Norman Virus Control Found Startpage.GIV
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

C:\WINDOWS\system32\conime.exe
Scanner results
Scan taken on 16 Sep 2008 01:11:31 (GMT)

A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

C:\PROGRA~1\CIA\AFE.dll
Scanner results
Scan taken on 16 Sep 2008 01:14:26 (GMT)

A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

3) I deleted these 2 files:

C:\Documents and Settings\Wyn\My Documents\DSLite 2.07.45\DSLite 2.07.45\dl_url.html
C:\Documents and Settings\Wyn\My Documents\DSLite 2.07.45\DSLite 2.07.45\dl_text.html

4) I checked my DNS servers and these two are indeed my servers.

216.58.97.21
resolves to:
Name: dns2.igs.net
Address: 216.58.97.21

216.58.97.20
Name: dns1.igs.net
Address: 216.58.97.20

5) I completed your instruction on Java removal and update.

6) I ran Malwarebytes again and here's the log:

Malwarebytes' Anti-Malware 1.28
Database version: 1159
Windows 5.1.2600 Service Pack 2

9/15/2008 9:51:44 PM
mbam-log-2008-09-15 (21-51-44).txt

Scan type: Quick Scan
Objects scanned: 79706
Time elapsed: 15 minute(s), 57 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#7
AdvancedSetup

Well, based on about 1/3 of the scanners finding something wrong with the file, I would either delete it or, if you're absolutely certain what the file is and YOU trust it, you could leave it; but based on the scans I would at least rename it and move it for now to some location out of the path.
C:\WINDOWS\system32\fullsrbndl.exe


Please run one more HJT scan so that I can see if there is anything else showing up.

Thanks.
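Added example (not from the original thread, and not Jotti or Malwarebytes code): parsing a Jotti-style multi-engine report into per-engine verdicts and turning the "about a third of the scanners" judgement above into an explicit, repeatable decision. Verdicts prefixed `not-a-virus:` are adware/PUA classifications and can be left out when deciding whether a file is malware rather than merely unwanted. The report text is a constructed excerpt of the results posted above; the thresholds are assumptions.

```python
"""Detection ratio and disposition from a multi-engine scan report in the
"<Engine> Found <result>" layout posted above. Added example for this
thread; not Jotti or Malwarebytes code. SAMPLE_REPORT is a constructed
excerpt of the posted results; remove_at is an assumed policy."""
import re

SAMPLE_REPORT = """\
C:\\WINDOWS\\system32\\fullsrbndl.exe
Scanner results
Scan taken on 16 Sep 2008 01:04:08 (GMT)

A-Squared Found nothing
AntiVir Found nothing
Avast Found Win32:Adware-gen
BitDefender Found Dropped:Trojan.Startpage.AGS
ClamAV Found nothing
Dr.Web Found Trojan.Click.17167, Trojan.StartPage.20387, Adware.Eshop, Adware.SaveNow
F-Secure Anti-Virus Found Trojan.Win32.StartPage.ags, not-a-virus:AdWare.Win32.SaveNow.bw

Ikarus Found not-a-virus:Client-IRC.Win32.mIRC.603
Kaspersky Anti-Virus Found Trojan.Win32.StartPage.ags, not-a-virus:AdWare.Win32.EShoper.a
NOD32 Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing

C:\\WINDOWS\\system32\\conime.exe
Scanner results
Scan taken on 16 Sep 2008 01:11:31 (GMT)

A-Squared Found nothing
Avast Found nothing
Kaspersky Anti-Virus Found nothing
"""

VERDICT_RE = re.compile(r"^(?P<engine>.+?) Found (?P<result>.+)$")
FILE_RE = re.compile(r"^[A-Za-z]:\\")   # a Windows path starts a new file section


def parse_report(text):
    """Map each scanned path to {engine: detection string or None}."""
    files, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if FILE_RE.match(line):
            current = line
            files[current] = {}
            continue
        m = VERDICT_RE.match(line)
        if m and current is not None:
            result = m.group("result")
            files[current][m.group("engine")] = None if result.lower() == "nothing" else result
    return files


def detection_ratio(verdicts, count_pua=True):
    """Fraction of engines with a detection. With count_pua=False an engine
    whose verdicts are all 'not-a-virus:' (adware/PUA) is not counted."""
    hits = 0
    for result in verdicts.values():
        if result is None:
            continue
        names = [n.strip() for n in result.split(",")]
        if count_pua or any(not n.lower().startswith("not-a-virus:") for n in names):
            hits += 1
    return hits / len(verdicts) if verdicts else 0.0


def disposition(verdicts, remove_at=1 / 3):
    """Assumed policy: at least remove_at of engines call it malware ->
    remove (or rename and move out of the path); any malware verdict
    below that -> hold for manual review; none -> keep."""
    ratio = detection_ratio(verdicts, count_pua=False)
    if ratio >= remove_at:
        return "remove"
    if ratio > 0:
        return "review"
    return "keep"


if __name__ == "__main__":
    for path, verdicts in parse_report(SAMPLE_REPORT).items():
        print(f"{path}: {detection_ratio(verdicts):.2f} -> {disposition(verdicts)}")
```

On the constructed excerpt, fullsrbndl.exe is flagged by half the engines, and still by five of twelve once PUA-only verdicts are dropped, so it lands on "remove"; conime.exe, clean across the board, stays. A file that is both unsigned and living in system32 under an unfamiliar name is exactly where a ratio like that should override a user's "it has always been there".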

#8
growingcorn

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:19:04 AM, on 9/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Documents and Settings\Wyn\My Documents\FreeGrab\FreeGrab.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {933E7167-F302-48C8-A4E9-19C4D4C15B3B} - C:\PROGRA~1\CIA\AFE.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O8 - Extra context menu item: &Download the file(s) in D.S.Code - C:\Documents and Settings\Wyn\My Documents\DSLite 2.07.45\DSLite 2.07.45\dl_text.html
O8 - Extra context menu item: &Download the file(s) in D.S.Code-File - C:\Documents and Settings\Wyn\My Documents\DSLite 2.07.45\DSLite 2.07.45\dl_url.html
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: 上傳到QQ網路硬碟 - C:\Program Files\Tencent\QQ2006\AddToNetDisk.htm
O8 - Extra context menu item: 下載編碼內容(S&martGet) - C:\Documents and Settings\Wyn\My Documents\SmartGet1.43.7\SmartGet1.43.7\dl_text.html
O8 - Extra context menu item: 使用S&martGet下載 - C:\Documents and Settings\Wyn\My Documents\SmartGet1.43.7\SmartGet1.43.7\dl_link.htm
O8 - Extra context menu item: 全部使用Smart&Get下載 - C:\Documents and Settings\Wyn\My Documents\SmartGet1.43.7\SmartGet1.43.7\dl_all.htm
O8 - Extra context menu item: 新增到QQ自定義面板 - C:\Program Files\Tencent\QQ2006\AddPanel.htm
O8 - Extra context menu item: 新增到QQ表情 - C:\Program Files\Tencent\QQ2006\AddEmotion.htm
O8 - Extra context menu item: 添加到QQ自定義面板 - C:\Program Files\Tencent\QQ2006\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\Tencent\QQ\AddEmotion.htm
O8 - Extra context menu item: 用QQ MMS傳送該圖片 - C:\Program Files\Tencent\QQ2006\SendMMS.htm
O8 - Extra context menu item: 用QQ彩信發送該圖片 - C:\Program Files\Tencent\QQ2006\SendMMS.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: D.S.Lite - {F8475519-8412-4D40-A46E-692D9D04DF7F} - C:\Documents and Settings\Wyn\My Documents\DSLite 2.07.45\DSLite 2.07.45\DSLite.exe (file missing)
O9 - Extra 'Tools' menuitem: &D.S.Lite - {F8475519-8412-4D40-A46E-692D9D04DF7F} - C:\Documents and Settings\Wyn\My Documents\DSLite 2.07.45\DSLite 2.07.45\DSLite.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{001CD97A-F1BA-4E83-AD32-46D75595420D}: NameServer = 216.58.97.21 216.58.97.20
O17 - HKLM\System\CS3\Services\Tcpip\..\{001CD97A-F1BA-4E83-AD32-46D75595420D}: NameServer = 216.58.97.21 216.58.97.20
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

--
End of file - 6433 bytes

#9
AdvancedSetup

At this time your system appears to be clean. Nothing else in the logs indicates that you are still infected.
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Then when ready start a NEW topic in the regular PC Help forum for the Chinese character issue.

Disable and Enable System Restore-WINDOWS XP
This is a good time to clear your existing system restore points and establish a new clean restore point:

Turn off System Restore
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
  • Reboot.
Turn ON System Restore
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check *Turn off System Restore*.
  • Click Apply, and then click OK.
This will remove all restore points except the new one you just created.

Here are some free programs I recommend that could help you improve your computer's security.

Spybot Search and Destroy
Download it from here. Just choose a mirror and off you go.
You can find the tutorial on how to use Spybot properly here

Install SpyWare Blaster.
Download it from here
You can find the tutorial on how to use Spyware Blaster here

Install WinPatrol
Download it from here
You can find information about how WinPatrol works here

Install FireTrust SiteHound
You can find information and download it from here

Install MVPS Hosts File from here
The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer.
You can find a tutorial here : http://www.mvps.org/...p2002/hosts.htm

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check if any updates are needed for your pc.
Secunia Software Inspector
F-secure Health Check

Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com
Note 1: You are running Windows XP SP2, you should upgrade to SP3.

The Windows firewall is not sufficient to protect your system. It doesn't monitor outgoing traffic, and this is a must. I recommend Online Armor Free

A little outdated but good reading on how to prevent Malware

Keep safe online and happy surfing.



Since this issue is resolved I will close this thread to prevent others from posting into it and we can continue in the regular PC Help forum for the Chinese character issues you're having. For all others, if you need assistance please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply them to your machine unless you fully understand how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you; just follow the Pre-HijackThis instructions found here before posting: Pre-HJT Post Instructions


Also don't forget that we offer FREE assistance with General PC questions and repair here PC Help
If you're pleased with the product Malwarebytes and the service provided you, please let your friends, family, and co-workers know. http://www.malwarebytes.org

Ron Lewis
Manager, Online Support
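Added example (not from the original thread, not the MVPS list and not Malwarebytes code): an audit of a Windows HOSTS file. Entries that send a name to 127.0.0.1 or 0.0.0.0 are blocks of the kind the MVPS list installs; entries that send a name anywhere else are redirects, and a redirect of an antivirus or Windows Update domain is a common leftover of an infection, since it stops the machine from fetching updates or reaching a help site. The sample file and SENSITIVE_SUFFIXES are constructed assumptions; the redirect target 192.0.2.10 is a documentation address, not a real host.

```python
"""Audit a Windows HOSTS file: count block entries (names sent to a
loopback/unspecified sink) and flag redirects, especially of AV and
Windows Update names. Added example for this thread; not the MVPS list
and not Malwarebytes code. SAMPLE_HOSTS and SENSITIVE_SUFFIXES are
constructed assumptions."""
import ipaddress

SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# [MVPS-style block entries: ad servers sent to loopback]
127.0.0.1  ads.uproar.com
127.0.0.1  servedby.advertising.com
0.0.0.0    www.shopathomeselect.com   # comment after entry
# [constructed hijack lines: the pattern a hosts-changer leaves behind]
192.0.2.10  update.microsoft.com
192.0.2.10  www.malwarebytes.org   free.avg.com
"""

# Sinks that make a name unreachable: these are blocks, not redirects.
BLOCK_SINKS = {ipaddress.ip_address(a) for a in ("127.0.0.1", "0.0.0.0", "::1")}
# Assumption: names whose redirection would cut the machine off from help.
SENSITIVE_SUFFIXES = ("microsoft.com", "windowsupdate.com", "malwarebytes.org", "avg.com")


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every mapping; comments and blanks are skipped."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                              # malformed line, not a mapping
        for name in parts[1:]:
            yield ip, name.lower(), no


def is_sensitive(name):
    """Exact or subdomain match so 'notmicrosoft.com' does not count."""
    return any(name == s or name.endswith("." + s) for s in SENSITIVE_SUFFIXES)


def audit_hosts(text):
    """Split the file into blocks and redirects; flag redirects of sensitive names."""
    report = {"blocks": 0, "redirects": [], "hijacked": []}
    for ip, name, no in parse_hosts(text):
        if name == "localhost":
            continue
        if ip in BLOCK_SINKS:
            report["blocks"] += 1
            continue
        entry = (no, name, str(ip))
        report["redirects"].append(entry)
        if is_sensitive(name):
            report["hijacked"].append(entry)
    return report


if __name__ == "__main__":
    r = audit_hosts(SAMPLE_HOSTS)
    print(f"{r['blocks']} block entries, {len(r['redirects'])} redirects")
    for no, name, ip in r["hijacked"]:
        print(f"line {no}: {name} -> {ip}  (sensitive name redirected off-box)")
```

On Windows XP the file lives at `C:\WINDOWS\system32\drivers\etc\hosts`; a legitimate MVPS install produces only block entries, so any redirect the audit reports is something to explain before trusting the machine.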
