My father's laptop has been infected. He needs assistance.
The HJT log is too long to put into one post, so I will have to use duplicate posts, sorry. I know that this may affect the alert system, but this is the only way I have found to post the log.
HJT LOG:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:28:46 PM, on 10/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Intel\Wireless\Bin\OProtSvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\uyivakexuni.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\WebSite\WebSite.exe
C:\Program Files\Esearch\Esearch.exe
C:\Program Files\idisk\qtask.exe
C:\Program Files\EditPlus\epie.exe
C:\Program Files\OverHelptSite\ovsite.exe
C:\Program Files\MediaCenter\bin\soundct.exe
C:\Program Files\APlus\aplus.exe
C:\Program Files\OverHelpSite\osites.exe
C:\Program Files\PExtService\ppext.exe
C:\WINDOWS\system32\ProtMng.exe
C:\Program Files\grapati\bin\cliati.exe
C:\Program Files\clean-url\sendaq.exe
C:\Documents and Settings\Chang Kim\Local Settings\Temp\keskas.exe
C:\Program Files\Common Files\runvaccine.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Dpoint\bin\agent.exe
C:\DOCUME~1\CHANGK~1\LOCALS~1\Temp\7montmp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\webprotect\IHuk.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\artvision\explorer.exe
C:\Program Files\MWGuide\MWGuide.exe
C:\Program Files\Common Files\Microsoft Shared\Livesvc.exe
C:\Program Files\Internet Explorer\PLUGINS\Starmon.exe
C:\Program Files\Internet Explorer\PLUGINS\Starmon.exe
C:\WINDOWS\pchealth\helpctr\fri.exe
C:\WINDOWS\system32\cdme.exe
C:\WINDOWS\system32\MsDtc\Trace\jsn.exe
C:\WINDOWS\1053\fj.exe
C:\WINDOWS\sbsi\per\eg.exe
C:\WINDOWS\system32\inetsrv\fdp.exe
C:\WINDOWS\system32\MsDtc\Trace\dl.exe
C:\WINDOWS\security\templates\qpq.exe
C:\WINDOWS\system32\DirectX\ppi.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R3 - URLSearchHook: ÆE¾÷Aº ¾ßEA! Aø¹U·I A÷´UCI¼¼¿a. - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {8E488DDC-C9AE-4FBD-AF98-1AFD874B0D71} - (no file)
O2 - BHO: urldoumi - {ABCABD24-FDCA-3478-CAFF-27AB12D357CD} - c:\program files\urldoumi\urldoumi.dll
O2 - BHO: ppext - {CE52C857-01EB-4FA2-996E-52C8D6879632} - C:\PROGRA~1\PEXTSE~1\ppext.dll
O2 - BHO: CleanUrlX Class - {E05EEB29-DEE4-4AFC-AAE8-1D60423F6BA6} - C:\Program Files\clean-url\cleanurl.dll
O3 - Toolbar: urldoumi - {ABCABD24-FDCA-3478-CAFF-27AB12D357CD} - c:\program files\urldoumi\urldoumi.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [EOUApp] C:\Program Files\Intel\Wireless\Bin\EOUWiz.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Xweb] "C:\Program Files\SoftForum\XecureWeb\ActiveX\Xecureweb.exe"
O4 - HKLM\..\Run: [vacpro] C:\Program Files\vacpro\vaccineprogram.exe 1
O4 - HKLM\..\Run: [asro] C:\WINDOWS\asrotray.exe
O4 - HKLM\..\Run: [ati2evxx] "C:\Program Files\ATI Technologies\ATI HYDRAVISION\ati2evxx.exe"
O4 - HKLM\..\Run: [WebSite.exe] C:\Program Files\WebSite\WebSite.exe
O4 - HKLM\..\Run: [PPService] c:\program files\pextservice\ppextup.exe start
O4 - HKLM\..\Run: [Esearch.exe] C:\Program Files\Esearch\Esearch.exe
O4 - HKLM\..\Run: [windows Webvia] C:\Program Files\Webvia\webviaupt.exe
O4 - HKLM\..\Run: [qtask] "C:\Program Files\idisk\qtask.exe"
O4 - HKLM\..\Run: [epie] "C:\Program Files\EditPlus\epie.exe"
O4 - HKLM\..\Run: [APlus] C:\Program Files\APlus\apinit.exe
O4 - HKLM\..\Run: [clean-url] C:\Program Files\clean-url\cuup.exe
O4 - HKLM\..\Run: [DoctorCode] C:\Program Files\DoctorCode\DoctorCode.exe Icon
O4 - HKLM\..\Run: [OVSiteHelp] C:\Program Files\OverHelptSite\ovsite.exe
O4 - HKLM\..\Run: [soundct] c:\Program Files\MediaCenter\bin\soundct.exe
O4 - HKLM\..\Run: [volumebar] c:\Program Files\Daum\ShareDLL\bin\volumebar.exe
O4 - HKLM\..\Run: [textools] C:\Program Files\textools\textools.exe
O4 - HKLM\..\Run: [searchmanager] "C:\Program Files\searchmanager\searchmanager.exe" /start
O4 - HKLM\..\Run: [pointmanager] "C:\Program Files\pointmanager\pointmanager.exe" /start
O4 - HKLM\..\Run: [total] C:\WINDOWS\system32\total.exe
O4 - HKLM\..\Run: [neouop] C:\WINDOWS\system32\neouop.exe
O4 - HKLM\..\Run: [OSiteHelp] C:\Program Files\OverHelpSite\osites.exe
O4 - HKLM\..\Run: [ivvcc] C:\WINDOWS\system32\ivvcc.exe
O4 - HKLM\..\Run: [vspy] C:\Program Files\Internet Explorer\Custom\vspy.exe
O4 - HKLM\..\Run: [msdtcc] C:\WINDOWS\system32\msdtcc.exe
O4 - HKLM\..\Run: [WebSite] C:\Program Files\WebSite\WebSite.exe
O4 - HKLM\..\Run: [fj1p1ctvs] C:\WINDOWS\system32\wbem\Repository\tjmsmv1ms\fj1p1ctvs.exe
O4 - HKLM\..\Run: [8xtt8xnt] C:\WINDOWS\system32\wbem\Repository\qjtstxnt\8xtt8xnt.exe
O4 - HKLM\..\Run: [x6aax6ba] C:\WINDOWS\system32\wbem\Repository\stava6ba\x6aax6ba.exe
O4 - HKLM\..\Run: [oentn] C:\WINDOWS\system32\1041\onttk\oentn.exe
O4 - HKLM\..\Run: [1uc9r3r] C:\WINDOWS\system32\Setup\19cc932\1uc9r3r.exe
O4 - HKLM\..\Run: [r3pn3] C:\WINDOWS\system32\oobe\html\oemcust\v3mv8\r3pn3.exe
O4 - HKLM\..\Run: [6z3ab] C:\WINDOWS\system32\oobe\html\sconnect\q66z3\6z3ab.exe
O4 - HKLM\..\Run: [WebProtect] C:\WINDOWS\system32\ProtMng.exe
O4 - HKLM\..\Run: [IHUK] C:\Program Files\webprotect\IHUpd.exe -update
O4 - HKLM\..\Run: [UpdateAdImageware] C:\Program Files\AdImageware\UpdateAdImageware.exe