Search Engine Redirect virus

December 13, 2009 at 10:34:34
Specs: Windows XP
been hit with the search engine redirect virus and can't get my hands around it. Here is my hijackthis log.

thanks for any help you could provide.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:30:01 PM, on 12/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ngvpnmgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Connected\AgentSrv.EXE
C:\WINDOWS\etlisrv.exe
C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\Mil Incorporated\Mil Shield\ShieldService.exe
C:\WINDOWS\System32\svchost.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Microsoft Office Communicator\Communicator.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mil Incorporated\Mil Shield\ShieldWorker.exe
C:\Program Files\ACNielsen HADS\9986592\Program\ACN-HADS.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Connected\CBSysTray.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\etlitr50.exe
C:\Program Files\AT&T\Communication Manager\ATTCM.exe
C:\Program Files\AT&T\Communication Manager\SwiApiMux.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ngmonitor.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?Lin...
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = file:///Documents and Settings\mark.a.johnson.S3\Application Data\Aventail\Unilever Remote Access.pac
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RoboForm - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [installerkey] regedit /s c:\windows\installerkey.reg
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
O4 - HKCU\..\Run: [COMMUNICATOR] "C:\Program Files\Microsoft Office Communicator\Communicator.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MilShieldSlave] "C:\Program Files\Mil Incorporated\Mil Shield\ShieldWorker.exe" -logon
O4 - HKUS\S-1-5-19\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Communicator] "C:\Program Files\Microsoft Office Communicator\Communicator.exe" (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - Global Startup: ACNielsen HADS.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: Connected TaskBar Icon.LNK = C:\Program Files\Connected\CBSysTray.exe
O4 - Global Startup: Entrust.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://one.unilever.com
O15 - Trusted Zone: *.unilever.com
O15 - Trusted Zone: *.unilever.com (HKLM)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/get...
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = s3.ms.unilever.com
O17 - HKLM\Software\..\Telephony: DomainName = s3.ms.unilever.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{87040A53-560C-4ACA-AF62-061AB73B1EB2}: Domain = s3.ms.unilever.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{87040A53-560C-4ACA-AF62-061AB73B1EB2}: NameServer = 162.87.6.21 162.85.128.2
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = s3.ms.unilever.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = s3.ms.unilever.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = s3.ms.unilever.com
O18 - Protocol: bwfile-9986592 - {C0D60742-AA20-4A6A-85A7-6AF539E6C798} - C:\Program Files\ACNielsen HADS\9986592\Program\GAPlugProtocol-9986592.dll
O20 - AppInit_DLLs: C:\WINDOWS\system32\curslib.dll
O20 - Winlogon Notify: xxop81 - C:\WINDOWS\SYSTEM32\xxop81.dll
O23 - Service: Connected Agent Service (AgentSrv) - Connected Corporation - C:\Program Files\Connected\AgentSrv.EXE
O23 - Service: Entrust Login Interface (ELIService) - Entrust(R) - C:\WINDOWS\etlisrv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPassConnectEngine - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPassPeriodicUpdateApp - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateApp.exe
O23 - Service: iPassPeriodicUpdateService - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPassPeriodicUpdateService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
O23 - Service: MilShieldCleaner - Unknown owner - C:\Program Files\Mil Incorporated\Mil Shield\ShieldService.exe
O23 - Service: Aventail VPN Client (NgVpnMgr) - Aventail Corporation - C:\WINDOWS\system32\ngvpnmgr.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\bin\ONRSD.EXE

--
End of file - 9040 bytes


See More: Search Engine Redirect virus

Report •


#1
December 13, 2009 at 12:36:54
Sorry, but it is against forum rules to post a Hijack This log without being requested to by a helper. The moderator will most likely delete this post so it would be a waste of time to begin the clean up procedure. Maybe if you start a new thread the moderator will be kind enough to only delete this one.

Report •
Related Solutions


Ask Question