A Second Case of ssearch.biz redirect

Discussion in 'adware, spyware & hijack cleaning' started by Strick, Jul 19, 2004.

Thread Status:
Not open for further replies.
  1. Strick

    Strick, Registered Member (Joined: Jul 19, 2004; Posts: 2)
    As in the other case, my IE goes to my homepage OK, but is automatically redirected to http://ssearch.biz/?wmid=1010. It's also disabling my back and forward buttons to be consistent. I've tried the latest updates to Adaware, Spybot, and CWSShredder. Nasty fellow. If you notice backweb, it's OK. My employer uses it to support distributing updates and such.

    My HijackThis log:

    Logfile of HijackThis v1.97.7
    Scan saved at 4:46:19 PM, on 7/19/2004
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v5.51 SP2 (5.51.4807.2300)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\Ati2evxx.exe
    C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
    C:\Program Files\Navnt\DefWatch.exe
    C:\Program Files\Navnt\Rtvscan.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\System32\SCardSvr.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\system32\SecMaint.exe
    C:\WINNT\System32\snmp.exe
    C:\WINNT\System32\vnxserv.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\wltrysvc.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\System32\bcmwltry.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\NWTRAY.EXE
    C:\PROGRA~1\Navnt\vptray.exe
    C:\WINNT\system32\PRPCUI.exe
    D:\The Connection\8086459\Program\backweb-8086459.exe
    C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
    C:\WINNT\system32\ctfmon.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\vsclient\vsc32w.exe
    C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
    C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
    D:\Documents and Settings\sstrickland\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.metacrawler.com/index_power.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file://c:\progra~1\launch~1\launchpad.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://c:\progra~1\launch~1\launchpad.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by BearingPoint
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://kciins.us.kworld.kpmg.com/kci/kpmg_ie55.ins
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://kpmgproxy.com/kpmgproxy.pac:80
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = file://c:\progra~1\launch~1\launchpad.html
    O2 - BHO: (no name) - {275636E4-A535-4668-9FF1-86DC0C62D446} - C:\WINNT\msopt.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [TrackPointSrv] tp4mon.exe
    O4 - HKLM\..\Run: [KPMG Profile Manager] C:\Program Files\KPMG\Global Desktop\Utilities\kpmg profile manager.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
    O4 - HKLM\..\Run: [Live Update Check] C:\Program Files\NAVNT\vpdn_lu.exe /s
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Navnt\vptray.exe
    O4 - HKLM\..\Run: [PwrMgmSvc] c:\winnt\system32\PwrMngSvc.exe
    O4 - HKLM\..\Run: [outlook security tool] wscript.exe "c:\Program Files\BearingPoint\Global Desktop\Utilities\Outlook Security Tool.vbs"
    O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
    O4 - HKLM\..\Run: [PRPCMonitor] PRPCUI.exe
    O4 - HKLM\..\Run: [Npsman] C:\Winnt\System32\NpsMan.exe /Full
    O4 - HKLM\..\Run: [BearingPointTV] D:\The Connection\8086459\Program\backweb-8086459.exe -startup
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [WG511WLU] C:\Program Files\NETGEAR\WG511\Utility\WG511WLU.exe
    O4 - HKLM\..\Run: [rjpphoibia] C:\Program Files\Symantec\wddv07gssp.exe
    O4 - HKLM\..\Run: [WindUpdates] C:\Program Files\WindUpdates\WinUpdt.exe
    O4 - HKLM\..\Run: [NetLimiter] C:\Program Files\NetLimiter\NetLimiter.exe /s
    O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
    O4 - HKCU\..\Run: [NoAds] "C:\Program Files\NoAds\NoAds.exe"
    O4 - HKLM\..\RunOnce: [Register OCX] regsvr32.exe /s msdxm.ocx
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: The Connection.lnk = D:\The Connection\8086459\Program\backWeb-8086459.exe
    O4 - Global Startup: VPN Dialer (OnStartup).lnk = C:\Program Files\Cisco Systems\VPN Client\ipsecdialer.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O9 - Extra button: Microsoft® VBScript® Console (HKLM)
    O9 - Extra 'Tools' menuitem: VBScript Terminal (HKLM)
    O9 - Extra button: Microsoft® VBScript® Terminal (HKCU)
    O9 - Extra 'Tools' menuitem: VBScript Terminal (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=file://c:\progra~1\launch~1\launchpad.html
    O15 - Trusted Zone: http://*.corp.bearingpoint.com
    O15 - Trusted Zone: http://abcv.kworld.kpmg.com
    O15 - Trusted Zone: http://conf.kworld.kpmg.com
    O15 - Trusted Zone: http://cvsearch.kworld.kpmg.com
    O15 - Trusted Zone: http://maint.kworld.kpmg.com
    O15 - Trusted Zone: http://search.kworld.kpmg.com
    O15 - Trusted Zone: http://suggestions.kworld.kpmg.com
    O15 - Trusted Zone: http://training1.us.kworld.kpmg.com
    O15 - Trusted Zone: http://www.kworld.kpmg.com
    O15 - Trusted Zone: http://*.meomweb14
    O15 - Trusted Zone: http://kworld2.newsedge-web.com
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = clients.us.kworld.kpmg.com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = clients.us.kworld.kpmg.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = clients.us.kworld.kpmg.com
     
  2. Strick

    bump.
     