Log from:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:34: VIRUS ALERT!, on 2008-9-21
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\360Safebox\SafeBoxTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\StormII\stormliv.exe
C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
C:\WINDOWS\system32\WatchData\Watchdata CCB CSP v3.2\WDKeyMonitorCCB.exe
F:\cl\HiJackThis.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Maxthon2\Maxthon.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Internet Explorer\iexplore.exe
O2 - BHO: Thunder AtOnce - {01443AEC-0FD1-40fd-9C87-E93D1494C233} - C:\Program Files\Thunder Network\Thunder\ComDlls\TDAtOnce_Now.dll
O2 - BHO: ThunderBHO - {889D2FEB-5411-4565-8998-1DD2C5261283} - C:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll
O2 - BHO: QXK Olive - {8B93A89B-7332-4B4B-830C-72EB6323D0DB} - C:\WINDOWS\vmgspntbvlw.dll
O3 - Toolbar: fqbewlna - {32678B97-2C98-4D22-A8F6-55C35572E946} - C:\WINDOWS\fqbewlna.dll
O4 - HKLM\..\Run: [kav] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe"
O4 - HKLM\..\Run: [360Safebox] "C:\Program Files\360Safebox\SafeBoxTray.exe" /r
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: 使用迅雷下载 - C:\Program Files\Thunder Network\Thunder\Program\geturl.htm
O8 - Extra context menu item: 使用迅雷下载全部链接 - C:\Program Files\Thunder Network\Thunder\Program\getallurl.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{F80BF475-FC52-4DEC-AEA2-DBD6C485A9E6}: NameServer = 210.22.70.3
O18 - Protocol: ipp - (no CLSID) - (no file)
O18 - Protocol: msdaipp - (no CLSID) - (no file)
O21 - SSODL: mgxfebsq - {CCE60A1B-EB41-4F37-B207-6704E2BEBB05} - C:\WINDOWS\mgxfebsq.dll
O21 - SSODL: dtseqrxk - {E8391A92-FEE7-4DF4-BD7F-D39A31D37AAC} - C:\WINDOWS\dtseqrxk.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: 卡巴斯基反病毒软件6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Contrl Center of Storm Media (ccosm) - 北京暴风网际科技有限公司 - C:\Program Files\StormII\stormliv.exe
O23 - Service: Protexis Licensing V2 (PSI_SVC_2) - Protexis Inc. - C:\Program Files\Common Files\Protexis\License Service\PsiService_2.exe
O23 - Service: WatchData ccb V3.2 (WDMonitorCCB) - Beijing WatchData System Co., Ltd. - C:\WINDOWS\system32\WatchData\Watchdata CCB CSP v3.2\WDKeyMonitorCCB.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
--
End of file - 3521 bytes
Log from:-
Malwarebytes' Anti-Malware 1.28Database version: 1134
Windows 5.1.2600 Service Pack 2
2008-9-21 14:31:41
mbam-log-2008-09-21 (14-31-36).txt
Scan type: Full Scan (C:\|D:\|E:\|F:\|)
Objects scanned: 102991
Time elapsed: 15 minute(s), 59 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 18
Registry Values Infected: 4
Registry Data Items Infected: 16
Folders Infected: 3
Files Infected: 31
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\dtseqrxk.dll (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\mgxfebsq.dll (Trojan.FakeAlert) -> No action taken.
Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{e8391a92-fee7-4df4-bd7f-d39a31d37aac} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\TypeLib\{1602adb5-58df-43bd-a3e4-3947a9be174d} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{a86c8f0e-1e00-48d0-b7ba-0167a7b7e003} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{32678b97-2c98-4d22-a8f6-55c35572e946} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{288a8d1d-6cec-4064-ad78-04d31d5b6213} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{b68e00cc-072b-40d5-95a4-b6dff98ab3c2} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{cce60a1b-eb41-4f37-b207-6704e2bebb05} (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\webvideo (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\TypeLib\{cb367c75-6190-4ce0-a255-7c1199f0358e} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{2f9b1a90-1e69-41eb-ad33-6202aad9a554} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{3a412635-30fd-42d0-a704-c9493be88b9c} (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{8b93a89b-7332-4b4b-830c-72eb6323d0db} (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8b93a89b-7332-4b4b-830c-72eb6323d0db} (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VSPlugin (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\fqbewlna.bemv (Trojan.FakeAlert) -> No action taken.
HKEY_CLASSES_ROOT\fqbewlna.toolbar.1 (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{889d2feb-5411-4565-8998-1dd2c5261283} (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{889d2feb-5411-4565-8998-1dd2c5261283} (Trojan.BHO) -> No action taken.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0\source (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\dtseqrxk (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{32678b97-2c98-4d22-a8f6-55c35572e946} (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\mgxfebsq (Trojan.FakeAlert) -> No action taken.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.Homepage) -> Bad: (http://softwarereferral.com/jump.php?wm ... Ojg5&lid=2) Good: (http://www.google.com/) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId (Trojan.FakeAlert) -> Bad: (VIRUS ALERT!) Good: (55661-640-3033732-23029) -> No action taken.
HKEY_CURRENT_USER\Control Panel\International\sTimeFormat (Trojan.FakeAlert) -> Bad: (HH:mm: VIRUS ALERT!) Good: (H:mm:ss) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMorePrograms (Hijack.StartMenu) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives (Hijack.Drives) -> Bad: (12) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize (Hijack.Explorer) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders (Hijack.Explorer) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> No action taken.
Folders Infected:
C:\WINDOWS\privacy_danger (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\privacy_danger\images (Trojan.FakeAlert) -> No action taken.
C:\Program Files\PCHealthCenter (Trojan.Fakealert) -> No action taken.
Files Infected:
C:\Program Files\360safe\修复工具.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\privacy_danger\index.htm (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\privacy_danger\images\capt.gif (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\privacy_danger\images\danger.jpg (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\privacy_danger\images\down.gif (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\privacy_danger\images\spacer.gif (Trojan.FakeAlert) -> No action taken.
C:\Program Files\PCHealthCenter\0.exe (Trojan.Fakealert) -> No action taken.
C:\Program Files\PCHealthCenter\1.exe (Trojan.Fakealert) -> No action taken.
C:\Program Files\PCHealthCenter\2.exe (Trojan.Fakealert) -> No action taken.
C:\Program Files\PCHealthCenter\3.exe (Trojan.Fakealert) -> No action taken.
C:\Program Files\PCHealthCenter\4.exe (Trojan.Fakealert) -> No action taken.
C:\Program Files\PCHealthCenter\5.exe (Trojan.Fakealert) -> No action taken.
C:\Program Files\PCHealthCenter\7.exe (Trojan.Fakealert) -> No action taken.
C:\Program Files\PCHealthCenter\0.gif (Trojan.Fakealert) -> No action taken.
C:\Program Files\PCHealthCenter\1.gif (Trojan.Fakealert) -> No action taken.
C:\Program Files\PCHealthCenter\2.gif (Trojan.Fakealert) -> No action taken.
C:\Program Files\PCHealthCenter\3.gif (Trojan.Fakealert) -> No action taken.
C:\Program Files\PCHealthCenter\sc.html (Trojan.Fakealert) -> No action taken.
C:\Program Files\PCHealthCenter\1.ico (Trojan.Fakealert) -> No action taken.
C:\Program Files\PCHealthCenter\2.ico (Trojan.Fakealert) -> No action taken.
C:\WINDOWS\system32\Dt2hlKaf.exe.a_a (Trojan.Agent) -> No action taken.
C:\WINDOWS\dtseqrxk.dll (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\fqbewlna.dll (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\mgxfebsq.dll (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\mqgldfvo.exe (Trojan.FakeAlert) -> No action taken.
C:\WINDOWS\vmgspntbvlw.dll (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\new\Local Settings\Temp\lwpwer.exe (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\new\桌面\Spyware&Malware Protection.url (Rogue.Link) -> No action taken.
C:\Documents and Settings\new\桌面\Privacy Protector.url (Rogue.Link) -> No action taken.
C:\Documents and Settings\new\桌面\Error Cleaner.url (Rogue.Link) -> No action taken.
C:\Program Files\Thunder Network\Thunder\ComDlls\xunleiBHO_Now.dll (Trojan.BHO) -> No actio