ie browser hijacked and email I think?

Hi Deckard, Thanks for replying.

Here's the new log. The email seems to working againg. Not sure why?? The browser problem still exists.

Cheers

Logfile of HijackThis v1.99.1
Scan saved at 5:07:50 PM, on 16/01/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\csrss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\brsvc01a.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\System32\brss01a.exe
E:\WINDOWS\system32\acs.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
E:\WINDOWS\system32\Brmfrmps.exe
E:\WINDOWS\System32\CTsvcCDA.EXE
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\System32\wdfmgr.exe
E:\WINDOWS\system32\ZoneLabs\vsmon.exe
E:\Program Files\Canon\CAL\CALMAIN.exe
E:\WINDOWS\Explorer.EXE
E:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
E:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
E:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
E:\Program Files\QuickTime\qttask.exe
E:\Program Files\iTunes\iTunesHelper.exe
E:\WINDOWS\SOUNDMAN.EXE
E:\WINDOWS\ALCWZRD.EXE
E:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
E:\Program Files\Sonique\sqstart.exe
E:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.2480\GoogleToolbarNotifier.exe
E:\Program Files\iPod\bin\iPodService.exe
E:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
E:\Program Files\Webshots\webshots.scr
E:\WINDOWS\System32\wuauclt.exe
E:\Program Files\Opera\Opera.exe
E:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

C:\WINDOWS\System32\blank.htm
R3 - URLSearchHook: ClickBank Product News Toolbar -

{5437803f-513d-4ae3-a88d-0cdeafaa9a63} - E:\Program

Files\ClickBank_Product_News\tbClic.dll
O2 - BHO: ClickBank Product News Toolbar - {5437803f-513d-4ae3-a88d-0cdeafaa9a63} -

E:\Program Files\ClickBank_Product_News\tbClic.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} -

e:\program files\google\googletoolbar3.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper -

{AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat

7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program

Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} -

E:\WINDOWS\System32\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program

files\google\googletoolbar3.dll
O3 - Toolbar: ClickBank Product News Toolbar - {5437803f-513d-4ae3-a88d-0cdeafaa9a63} -

E:\Program Files\ClickBank_Product_News\tbClic.dll
O4 - HKLM\..\Run: [Zone Labs Client] E:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SSBkgdUpdate] "E:\Program Files\Common Files\Scansoft

Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] E:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] E:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] E:\Program Files\Brother\ControlCenter2\brctrcen.exe

/autorun
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
O4 - HKLM\..\Run: [QuickTime Task] "E:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "E:\Program Files\Adobe\Acrobat

7.0\Distillr\Acrotray.exe"
O4 - HKCU\..\Run: [SoniqueQuickStart] e:\Program Files\Sonique\sqstart.exe -nostick
O4 - HKCU\..\Run: [updateMgr] "E:\Program Files\Adobe\Acrobat

7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_8 -reboot 1
O4 - HKCU\..\Run: [swg] E:\Program

Files\Google\GoogleToolbarNotifier\1.2.1128.2480\GoogleToolbarNotifier.exe
O4 - Startup: ERUNT AutoBackup.lnk = ERUNT\AUTOBACK.EXE
O4 - Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Startup: Webshots.lnk = E:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = E:\Program Files\Common

Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NETGEAR WG311T Wireless Assistant.lnk = E:\Program

Files\NETGEAR\WG311T\wlancfg5.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Clean Traces - E:\Program Files\DAP\Privacy

Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - E:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Search -

http://bar.mywebsearch.com/menusearch.html?p=ZUxdm080YYAU
O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Program

Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Program

Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Program

Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Program

Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Program

Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Program

Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Program Files\Adobe\Acrobat

7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://E:\Program Files\Adobe\Acrobat

7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download &all with DAP - E:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://D:\PROGRA~2\MICROS~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Translate Page with Worldlingo.com -

http://www.worldlingo.com/UP60581/P5001/l/scripts/btool.js?btool=s&uname=btool29&pword=li

ngowinsite
O8 - Extra context menu item: Translate Selection with Worldlingo.com -

http://www.worldlingo.com/UP60581/P5001/l/scripts/btool.js?btool=s&uname=btool29&pword=li

ngowinsite
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program

Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Casino-on-Net - {3015DB92-158E-4b77-9020-85C8E311FBB5} -

E:\PROGRA~1\CASINO~1\Casino.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -

http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?11529

62722068
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -

http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1153

475461061
O17 - HKLM\System\CCS\Services\Tcpip\..\{C7DFCE39-A84F-4E65-8C06-772AAEB3D8D5}:

NameServer = 85.255.115.102,85.255.112.120
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.102

85.255.112.120
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.102

85.255.112.120
O20 - Winlogon Notify: WgaLogon - E:\WINDOWS\
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner -

E:\WINDOWS\system32\acs.exe
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe

Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. -

E:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. -

E:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. -

E:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown

owner - E:\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd -

E:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - E:\Program

Files\Canon\CAL\CALMAIN.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd -

E:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: iPod Service - Apple Computer, Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - E:\Program Files\Common

Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. -

E:\WINDOWS\system32\ZoneLabs\vsmon.exe

Hello gnosis123, welcome to TSF and thanks for your patience.


Turn off Word Wrap
Please turn off Word Wrap in Notepad, which you can do under the Tools menu, as your logs are difficult to read with it turned on. Thanks.


Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions. If there is anything you don't understand, please ask BEFORE proceeding with the fixes. Please do these steps in order and do not skip any.


Unhide Files
Go to My Computer > Tools > Folder Options > View tab and select "Show hidden files and folders". Uncheck the "Hide protected operating system files (Recommended)" option. Also make sure there is no checkmark beside "Hide file extensions for known file types". Click OK.


Download CleanUp!
Download and install CleanUp! but do not run it yet. (alternate link if main link isn't working: http://www.greyknight17.com/spy/CleanUp.exe)

WARNING: CleanUp! deletes EVERYTHING out of temporary folders and does not make backups. If you have any documents or programs that are saved in any temporary folders, please make a backup of these before running CleanUp!

WARNING: Do not run cleanup under Windows XP x64 Edition. If you're not sure if you have the 64-bit version of Windows then you probably do not; however, you can check by using IE to download the whichcpu tool and then running it.


Download AVG Anti-Spyware
Please download, install, and update AVG Anti-Spyware.

1. Load AVG Anti-Spyware and then click the Shield tab at the top
   • Click on the word active to change it to inactive.
2. Click the Update tab at the top:
   • Under Manual update, click Start update. After the update finishes, the status bar at the bottom will display "Update successful". If you are having trouble updating, you can also download and run the manual updater.
   • Under Automatic update, change the Update interval to something more reasonable like 12 or 24 hours.
3. Click the Scanner tab at the top and then the Settings sub-tab:
   • Under How to act?, click Recommended actions and select Quarantine.
   • Under Reports, select Automatically generate report after every scan
4. Close AVG Anti-Spyware. Do not run a scan with it yet.

Download FixWareout
Please download FixWareout from one of these sites and save it to your Desktop:

1. http://downloads.subratam.org/Fixwareout.exe
2. http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Now double-click on Fixwareout.exe to run it.

• Click Next, then Install. Make sure Run fixit is checked and click Finish.
• The fix will begin. Please follow the prompts.
• You will be asked to reboot your computer. Please do so.
• Your system may take longer than usual to load. This is normal.

Once the desktop loads, a text file will open (report.txt). You can close it -- the file has already been saved. However, please include the contents of that report with your next post.


Reboot
Reboot your system to Safe Mode by repeatedly tapping the F8 key until the menu appears and choosing Safe Mode from the list. On some systems, this may be the F5 key so try that if F8 doesn't work. Login on with your usual account. Make sure to close any open windows.


HijackThis Fixes
Open HijackThis and click on 'Do a System Scan Only'. Check the following entries if they still exist (make sure you do not miss any):
Please remember to close all other windows, including browsers then click Fix checked. Close HijackThis.


Run CleanUp!
Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:

• Click "Options..."
• Move the arrow down to "Custom CleanUp!"
• Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
  • Click on the "Temporary Files" and make sure the box for "Scan drives for file matching" is unchecked.
  Click OK.
• Press the CleanUp! button to start the program.

Once it's finished CleanUp! will ask you to logoff/reboot. Please select NO as we will do this later.


Run AVG Anti-Spyware

• Run AVG Anti-Spyware and click on the Scanner tab at the top and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
• AVG Anti-Spyware will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action.
  
• If Set all elements to is not set to Quarantine (1), please click Recommended Action and choose Quarantine from the popup menu (2).
• At the bottom of the window, click on the Apply all actions button (3).
• When it has finished, click the Save Scan Report button (4), then click Save Report As and save the report it to your desktop.
• Close AVG Anti-Spyware.

Reboot
Reboot your system to Normal Mode.


Online Scan
Perform an online scan using Internet Explorer with Kaspersky WebScanner. Click on Launch Kaspersky Anti-Virus Web Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

• The program will launch and then begin downloading the latest definition files.
• Once the files have been downloaded, click on NEXT.
• Now click on Scan Settings
• In the scan settings make that the following are selected:
  • Scan using the following Anti-Virus database: extended
  • Scan Options: Scan Archives and Scan Mail Bases
• Click OK
• Turn off the real time scanner of any existing antivirus program before performing the online scan. You can turn it back on after the scan is done.
• Now under select a target to scan, select My Computer
• The program will start and scan your system.
• The scan will take a while so be patient and let it run all the way.
• Once the scan is complete it will display if your system has been infected.
• Click on the Save as Text button and save the file to your desktop.
• Copy and paste that information in your next post.

Take note the names and locations of any file it detects but fails to clean.


Unpatched Operating System
It is very important that you get all of the critical updates for your Operating System and Internet Explorer. Keeping your OS and browser up to date will help make you less susceptible to attacks by Trojans and viruses. This is IMPORTANT! Before we can proceed any further, please visit the Microsoft's Windows Update Page and install ALL Critical Updates for your system except Service Pack 2 (SP2). SP2 should only be installed on a fully disinfected system. At the minimum install at least Service Pack 1a for both XP and IE6. Without these updates your system is wide open to re-infection and we are both wasting our efforts to clean your system. After we have completed your clean-up, we will have you return to the Windows Update page and install SP2. We will also then advise you on how to better protect yourself online.


Download Autoruns

• Please download Autoruns and AutoCmd.
• Extract the contents of Autoruns into a new folder.
• Now extract the contents of AutoCmd into the same folder as Autoruns. This is important!
• Double-click on AutoCmd.cmd & select option '1'.
• Please be patient, as the process may take upwards of 10 minutes.
• It will produce a log called autoruns_X_Y.txt (where X and Y are the date and time respectively). Please attach the log in your next reply.

With Your Next Post...
Please paste the following with your next reply (in this order please):

1. The contents of report.txt (from FixWareout),
2. AVG Anti-Spyware scan report,
3. Kaspersky scan report,
4. your Autoruns log, and
5. a new HiJackThis log taken after Kaspersky finishes.