
Hijacker? help!

OK, so in a night of poor judgement, quite possibly induced by alcohol, I visited some questionable websites on my work laptop (hey...it was a long week!). At any rate, I now cannot access the internet because IE gives me a Trojan Virus Warning. In addition, I cannot load my VPN; the computer hangs often when starting up, shutting down, or opening a program; and when I enable my internet connection, it attempts to direct me immediately to a webpage (it has also replaced my designated homepage, and continues to do so even when I reset it). I have run Ad-aware and my Norton Anti-Virus (no comments about how crappy this may be, it's what the company selected). Norton continuously "finds" and "deletes" the two following "Trojan Start Pages": SHLPUI.exe and sehlp.dll. However, these are back again upon start-up. Here is the log of my HijackThis scan; can anyone help? I'd prefer to not lose my job over this...

Logfile of HijackThis v1.99.1
Scan saved at 8:59:25 AM, on 2/26/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\Program Files\ThinkPad\Utilities\TpKmapMn.exe
C:\WINNT\system32\rpcss_pl.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\AGRSMMSG.exe
C:\WINNT\system32\perfcl.exe
C:\WINNT\system32\CSRSSU.EXE
C:\WINNT\system32\CTFMON32.EXE
C:\Program Files\Microsoft Office 97\Office\OSA.EXE
C:\Program Files\CMS Peripherals\ABSplus Backup\ABSLauncher.exe
C:\WINNT\system32\wuactl2.exe
C:\WINNT\system32\LVComsX.exe
C:\Documents and Settings\reasth\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mysearchpage.biz/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://mysearchpage.biz/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchpage.biz/searchassistant.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://mysearchpage.biz/customizesearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://mysearchpage.biz/local.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://mysearchpage.biz/local.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = chfirewall-01.nike.com:9119
O2 - BHO: {1E1B286C-88FF-11D2-8D96-D7ACAC95951F} - {0E234239-88FF-11D2-8446-D7234234421F} - C:\WINNT\system32\msasmsn5.dll
O2 - BHO: SEDP Class - {3BA765C2-08DB-4fe2-9279-311CA10D582A} - C:\WINNT\sehlp.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [DUNProxy] Regedit /S C:\WINNT\Options\CU\DunProxyCorp.reg
O4 - HKLM\..\Run: [Netmeeting] Regedit /S C:\Winnt\Options\CU\Netmeeting.reg
O4 - HKLM\..\Run: [VPNLogon] WScript.exe C:\WINNT\VPNLogon.vbs
O4 - HKLM\..\Run: [SecureSaver] regedit.exe /s C:\WINNT\Options\CU\SSaver.reg
O4 - HKLM\..\Run: [AcrobatRdr6] regedit.exe /s C:\WINNT\Options\CU\ArobatRdr6.reg
O4 - HKLM\..\Run: [PerformCl] C:\WINNT\system32\perfcl.exe
O4 - HKCU\..\Run: [CSRSSU] C:\WINNT\system32\CSRSSU.EXE
O4 - HKCU\..\Run: [CTFMON32] C:\WINNT\system32\CTFMON32.EXE
O4 - Startup: ABSplus Launcher.lnk = C:\Program Files\CMS Peripherals\ABSplus Backup\ABSLauncher.exe
O4 - Global Startup: ColeHaan VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office 97\Office\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {0a454840-7232-11d5-b63d-00c04faedb18} - http://yarmouth-svr-02/jinitiator/jinit11814.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = AD.NIKE.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = AD.NIKE.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = nike.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = AD.NIKE.COM
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = nike.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = nike.com
O20 - Winlogon Notify: EFS - C:\WINNT\SYSTEM32\sclgntfy.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: RPC+ Service Provider (RPCSS+) - Unknown owner - C:\WINNT\system32\rpcss_pl.exe

Comments

  • Buckeye_Sam Columbus, Ohio
    edited February 2005
    Please download CWShredder but don't run it yet.
    http://cwshredder.net/bin/CWSInstall.exe


    Download Ad-aware SE from: http://www.majorgeeks.com/download506.html

    Install the program and launch it. First, in the main window, look in the bottom right corner and click on Check for updates now and download the latest reference files. Exit Adaware for now.


    Make sure that you can view all hidden files. Instructions on how to do this can be found here:

    How to see hidden files in Windows

    Run HijackThis again, click Scan, and put a checkmark next to each of these. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mysearchpage.biz/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://mysearchpage.biz/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://mysearchpage.biz/searchassistant.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://mysearchpage.biz/customizesearch.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://mysearchpage.biz/local.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://mysearchpage.biz/local.html
    O2 - BHO: {1E1B286C-88FF-11D2-8D96-D7ACAC95951F} - {0E234239-88FF-11D2-8446-D7234234421F} - C:\WINNT\system32\msasmsn5.dll
    O2 - BHO: SEDP Class - {3BA765C2-08DB-4fe2-9279-311CA10D582A} - C:\WINNT\sehlp.dll
    O4 - HKLM\..\Run: [PerformCl] C:\WINNT\system32\perfcl.exe
    O4 - HKCU\..\Run: [CSRSSU] C:\WINNT\system32\CSRSSU.EXE


    Reboot your computer into Safe Mode


    Now run CWShredder, making sure to click "Fix".


    Then delete these files or directories (Do not be concerned if they do not exist)

    C:\WINNT\system32\perfcl.exe
    C:\WINNT\system32\CSRSSU.EXE
    C:\WINNT\sehlp.dll
    C:\WINNT\system32\msasmsn5.dll


    Run a full scan with Adaware.

    Reboot your computer to go back to normal mode and post a new log.
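The reply above picks its "fix checked" entries out of the log by eye: IE start and search pages redirected to one unfamiliar domain, BHO DLLs dropped straight into the Windows directory, and Run entries whose file names imitate core Windows processes (CSRSSU.EXE next to the real csrss.exe, CTFMON32.EXE next to ctfmon.exe). The script below is an added example, not code from this thread or from HijackThis, that parses the log format shown above and applies those three patterns as mechanical checks. The TRUSTED_PAGE_HOSTS allow-list is a placeholder assumption, the "BHO in the Windows directory" rule is a heuristic rather than a proof of infection, and the sample log is constructed from lines that appear on this page.

```python
"""Triage helper for HijackThis-style logs (added example; not part of the
thread or of HijackThis). Flags the three patterns the reply singles out."""
import re
from urllib.parse import urlsplit

# ASSUMPTION: hosts an administrator expects IE home/search pages to use.
TRUSTED_PAGE_HOSTS = {"www.microsoft.com", "www.google.com", "intranet.example.com"}

# Genuine Windows core process names; a Run entry whose file name merely
# extends one of these (csrssu, ctfmon32) is a classic look-alike.
CORE_PROCESS_NAMES = ("smss", "csrss", "winlogon", "services", "lsass",
                      "svchost", "spoolsv", "explorer", "ctfmon")

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")

# Constructed sample: entries copied from the log format in this thread,
# including several the reply did NOT flag, so the checks have to discriminate.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://mysearchpage.biz/search.html
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = chfirewall-01.nike.com:9119
O2 - BHO: {1E1B286C-88FF-11D2-8D96-D7ACAC95951F} - {0E234239-88FF-11D2-8446-D7234234421F} - C:\WINNT\system32\msasmsn5.dll
O2 - BHO: SEDP Class - {3BA765C2-08DB-4fe2-9279-311CA10D582A} - C:\WINNT\sehlp.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PerformCl] C:\WINNT\system32\perfcl.exe
O4 - HKCU\..\Run: [CSRSSU] C:\WINNT\system32\CSRSSU.EXE
O4 - HKCU\..\Run: [CTFMON32] C:\WINNT\system32\CTFMON32.EXE
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = AD.NIKE.COM
"""


def parse_log(text):
    """Yield (section, body, raw_line) for every 'Xn - ...' entry."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body"), raw.strip()))
    return entries


def first_token(cmd):
    """Executable part of a Run command line (quoted path or first word)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def basename_no_ext(path):
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0].lower()


def check_page_hijack(section, body):
    """R0/R1: a home/search/local page URL on a host outside the allow-list."""
    if section not in ("R0", "R1") or " = " not in body:
        return None
    key, value = body.split(" = ", 1)
    if not value.lower().startswith("http"):
        return None  # e.g. ProxyServer entries are not URLs
    host = urlsplit(value).hostname or ""
    if host and host not in TRUSTED_PAGE_HOSTS:
        return f"IE setting '{key.rsplit(',', 1)[-1]}' points at untrusted host {host}"
    return None


def check_bho_location(section, body):
    """O2: BHO DLL sitting directly in the Windows dir or system32, or a BHO
    registered under a bare GUID instead of a readable name (heuristics)."""
    if section != "O2":
        return None
    m = O2_RE.match(body)
    if not m:
        return None
    parent = m.group("path").lower().replace("/", "\\").rsplit("\\", 1)[0]
    if parent.endswith(("\\winnt", "\\windows", "\\system32")):
        return f"BHO '{m.group('name')}' loads {m.group('path')} from the Windows directory"
    if re.fullmatch(r"\{[0-9A-Fa-f-]+\}", m.group("name")):
        return f"BHO {m.group('path')} is registered without a readable name"
    return None


def check_run_lookalike(section, body):
    """O4: Run entry whose executable name imitates a core Windows process."""
    if section != "O4":
        return None
    m = O4_RE.match(body)
    if not m:
        return None  # Startup-folder O4 lines use a different layout
    exe = basename_no_ext(first_token(m.group("cmd")))
    for core in CORE_PROCESS_NAMES:
        if exe != core and exe.startswith(core):
            return f"Run entry [{m.group('name')}] runs {exe}.exe, a look-alike of {core}.exe"
    return None


CHECKS = (check_page_hijack, check_bho_location, check_run_lookalike)


def triage(text):
    """Return (original line, reason) for every entry that trips a check."""
    findings = []
    for section, body, raw in parse_log(text):
        for check in CHECKS:
            reason = check(section, body)
            if reason:
                findings.append((raw, reason))
                break
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Running it on the constructed sample flags the search-page redirect, both BHOs and the CSRSSU/CTFMON32 Run entries, and leaves the corporate proxy, the Radio toolbar, AGRSMMSG and the O17 domain lines alone. Note what it misses: perfcl.exe has an unremarkable name in a normal location, so no name-based heuristic catches it, which is exactly why the reply pairs the log review with an updated Ad-aware scan and CWShredder rather than relying on the log alone.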