
Common Hijacker 66.197.100.83

Discussion in 'Virus & Other Malware Removal' started by perezfp, Sep 30, 2003.

  1. perezfp

    perezfp Thread Starter

    Joined:
    Sep 30, 2003
    Messages:
    2
    I'm a non-techie user needing help. Where do I start? I have a Compaq PIII Armada using Windows 2000 on NT architecture. I mainly use the machine at work hooked up to the server. However, I also have a dialup ISP for when I use the machine at home to surf the net. Last weekend I noticed that the machine was extremely sluggish. When I enter any info in any dialog box, such as in eBay, I have to wait 30-60 seconds for the word I typed to show up. So, I ran both Ad-Aware and Spybot. Got the usual 10-12 spyware. Spybot also found this: "Common Hijacker redirected host auto.search.msn.com=66.197.100.83". I had Spybot delete it, but it keeps showing up daily. I also noticed that while I wait the usual minute for a typed word to show up, if I move the mouse after waiting 40 secs the typed words suddenly appear.

    I did find a previous person on this forum that had a similar problem. I too went ahead and ran HijackThis and received a log of the problem areas. My one big fear, however, is that if I take action and clean up the problems, will I screw up any of the software involved with my company server, possibly preventing me from accessing my company email and work? Here is the log; can anyone help and let me know that it is safe to fix these problems? Anything else I need to do?

    Logfile of HijackThis v1.97.2
    Scan saved at 12:59:23 PM, on 9/30/2003
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\System32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\LEXPPS.EXE
    C:\WINNT\System32\ati2evxx.exe
    C:\WINNT\MS\SMS\CORE\BIN\CLISVCL.EXE
    C:\Program Files\MYECM\Installer\EcmComSocketListenerService\EcmComSocketListenerService.exe
    C:\Program Files\Navnt\defwatch.exe
    C:\WINNT\system32\cba\pds.exe
    C:\Program Files\Navnt\rtvscan.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\MS\SMS\CLICOMP\RemCtrl\Wuser32.exe
    C:\WINNT\system32\cba\xfr.exe
    C:\WINNT\System32\MsgSys.EXE
    C:\WINNT\MS\SMS\clicomp\apa\Bin\smsapm32.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Navnt\vptray.exe
    C:\WINNT\System32\Atiptaxx.exe
    C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
    C:\Program Files\Omniquad MyPrivacy\MyPrivacy.exe
    C:\WINNT\MS\SMS\CLICOMP\SWDist32\bin\smsmon32.exe
    C:\Program Files\Tiger Technologies\DeskFlag\deskflag.exe
    C:\Program Files\Webshots\WebshotsTray.exe
    C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
    C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
    C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\WinZip\WINZIP32.EXE
    C:\DOCUME~1\perezfp2\LOCALS~1\Temp\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie-search.com/srchasst.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie-search.com/srchasst.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie-search.com/srchasst.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie-search.com/srchasst.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie-search.com/srchasst.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie-search.com/srchasst.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ConocoPhillips or its affiliates
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy-houston.conoco.net/autoproxy.pac
    O1 - Hosts: 66.197.100.83 sitefinder.verisign.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [vptray] C:\Program Files\Navnt\vptray.exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell.dll /c /set -- by windows setup --
    O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [SMS Application Launcher] C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
    O4 - HKLM\..\Run: [MyPrivacy] C:\Program Files\Omniquad MyPrivacy\MyPrivacy.exe
    O4 - Startup: DeskFlag.lnk = C:\Program Files\Tiger Technologies\DeskFlag\deskflag.exe
    O4 - Startup: PowerReg Scheduler V3.exe
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Web Search - c:\winnt\ex.htm
    O9 - Extra button: Omniquad MyPrivacy (HKLM)
    O9 - Extra 'Tools' menuitem: Omniquad MyPrivacy (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: {0006F063-0000-0000-C000-000000000046} (Microsoft Outlook View Control) - http://hoap01/tfcontrols/outlctlx.CAB
    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.nilacharal.com/wfplayer/tdserver.cab
    O16 - DPF: {1786454A-B4A0-11D2-97C7-000000000000} (Microsoft Outlook 2000 Permissions Control) - http://hoap01/tfcontrols/olTFACL.cab
    O16 - DPF: {62CEC9E0-3811-4C36-A94E-4F7565DCD23F} (DDSC Class) - http://hoap2/dashboard/msddsc.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/0fb5e03023def1/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://carpoint.msn.com/Components/Ocx/SurVid/MSSurVid.cab
    O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://carpoint.msn.com/Components/Ocx/Exterior/Outside.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DC765522-D5BE-49C9-AF5F-8C715A44BA28} (MS Investor Ticker) - http://fdl.msn.com/public/investor/v9/ticker.cab
    O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = conoco.net
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = conoco.net
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = conoco.net,ppco.com,ak.ppco.com,tosco.com,conocophillips.net,abz.conoco.com,sns.conoco.com,tht.conoco.com,gulf.ca
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = conoco.net
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = conoco.net,ppco.com,ak.ppco.com,tosco.com,conocophillips.net,abz.conoco.com,sns.conoco.com,tht.conoco.com,gulf.ca
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = conoco.net,ppco.com,ak.ppco.com,tosco.com,conocophillips.net,abz.conoco.com,sns.conoco.com,tht.conoco.com,gulf.ca
    O19 - User stylesheet: c:\winnt\system.css

    Thanks in advance!!
     
  2. NiteHawk

    NiteHawk

    Joined:
    Mar 9, 2003
    Messages:
    4,699
    OK, let's see what we can do to get your PC cleaned up and back up to speed. Also, to put your mind at ease, any items that are fixed by using HJT are only removed from starting up every time you start your PC.

    It will take about 20 minutes to go through your log. In the meantime you can download and run CWShredder to remove Cool Web Search and related components.
    http://www.spychecker.com/program/cwshredder.html
     
  3. NiteHawk

    NiteHawk

    Joined:
    Mar 9, 2003
    Messages:
    4,699
    In Hijack This, check ALL of the following items. Double check so as to be sure not to miss a single one.
    Next, close all browser Windows, and have HT fix all checked.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie-search.com/srchasst.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie-search.com/srchasst.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie-search.com/srchasst.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie-search.com/srchasst.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie-search.com/srchasst.html (obfuscated)
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie-search.com/srchasst.html (obfuscated)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ConocoPhillips or its affiliates

    O1 - Hosts: 66.197.100.83 sitefinder.verisign.com

    O4 - Startup: PowerReg Scheduler V3.exe

    O19 - User stylesheet: c:\winnt\system.css


    Although this one is not bad, because of its animation it could slow things down a little. Was it on your PC before all the slowdown started, or about the same time?

    O4 - Startup: DeskFlag.lnk = C:\Program Files\Tiger Technologies\DeskFlag\deskflag.exe

    Reboot into normal mode


    Now download Spybot - Search & Destroy (if you haven't got the program installed already)

    After installing, first press Online, and search for, put a check mark at, and install all updates.

    Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove/fix all it finds that are in RED

    Reboot

    Last, run HJT again and post your log again to see if anything was missed.

    Thanks
     
  4. perezfp

    perezfp Thread Starter

    Joined:
    Sep 30, 2003
    Messages:
    2
    Nitehawk--

    Thanks for the help.

    I followed your instructions. For the life of me, I keep getting the "Common Hijacker redirected host auto.search.msn.com 66.197.100.83" showing up in Spybot. I get rid of it, I go back to doing my work, then when I check later in the day, it's back. After I deleted the log items, the log looked clean after a reboot and second scan. Then, when I scanned with HijackThis later in the day, I got the below log. It seems that certain lines you asked me to remove keep coming back. I also ran CWShredder as you suggested. I use Startup in order to get into the start commands since msconfig does not work with 2000NT. Do I need to uncheck anything? Hope you can help me permanently get rid of this stuff. Here's the log:

    Logfile of HijackThis v1.97.2
    Scan saved at 6:47:56 PM, on 10/1/2003
    Platform: Windows 2000 SP2 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\System32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\System32\svchost.exe
    C:\WINNT\system32\LEXBCES.EXE
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\system32\LEXPPS.EXE
    C:\WINNT\System32\ati2evxx.exe
    C:\Program Files\MYECM\Installer\EcmComSocketListenerService\EcmComSocketListenerService.exe
    C:\Program Files\Navnt\defwatch.exe
    C:\WINNT\system32\cba\pds.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\MS\SMS\CLICOMP\RemCtrl\Wuser32.exe
    C:\WINNT\system32\cba\xfr.exe
    C:\WINNT\System32\MsgSys.EXE
    C:\WINNT\Explorer.EXE
    C:\Program Files\Navnt\vptray.exe
    C:\WINNT\System32\Atiptaxx.exe
    C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
    C:\Program Files\Omniquad MyPrivacy\MyPrivacy.exe
    C:\Program Files\Webshots\WebshotsTray.exe
    C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
    C:\WINNT\System32\MDM.EXE
    C:\Program Files\WinZip\WINZIP32.EXE
    C:\DOCUME~1\perezfp2\LOCALS~1\Temp\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie-search.com/srchasst.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie-search.com/srchasst.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://estream.conocophillips.net/home/default.asp
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ConocoPhillips or its affiliates
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy-houston.conoco.net/autoproxy.pac
    O1 - Hosts: 66.197.100.83 sitefinder.verisign.com
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
    O4 - HKLM\..\Run: [vptray] C:\Program Files\Navnt\vptray.exe
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell.dll /c /set -- by windows setup --
    O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
    O4 - HKLM\..\Run: [SMS Application Launcher] C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
    O4 - HKLM\..\Run: [MyPrivacy] C:\Program Files\Omniquad MyPrivacy\MyPrivacy.exe
    O4 - HKLM\..\RunOnce: [MigrateMMDrivers] rundll32.exe mmsys.cpl,mmseRunOnce
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: Web Search - c:\winnt\ex.htm
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Omniquad MyPrivacy (HKLM)
    O9 - Extra 'Tools' menuitem: Omniquad MyPrivacy (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O14 - IERESET.INF: START_PAGE_URL=http://estream.conocophillips.net/home/default.asp
    O16 - DPF: {0006F063-0000-0000-C000-000000000046} (Microsoft Outlook View Control) - http://hoap01/tfcontrols/outlctlx.CAB
    O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.nilacharal.com/wfplayer/tdserver.cab
    O16 - DPF: {1786454A-B4A0-11D2-97C7-000000000000} (Microsoft Outlook 2000 Permissions Control) - http://hoap01/tfcontrols/olTFACL.cab
    O16 - DPF: {62CEC9E0-3811-4C36-A94E-4F7565DCD23F} (DDSC Class) - http://hoap2/dashboard/msddsc.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/0fb5e03023def1/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://carpoint.msn.com/Components/Ocx/SurVid/MSSurVid.cab
    O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://carpoint.msn.com/Components/Ocx/Exterior/Outside.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {DC765522-D5BE-49C9-AF5F-8C715A44BA28} (MS Investor Ticker) - http://fdl.msn.com/public/investor/v9/ticker.cab
    O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = conoco.net
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = conoco.net
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = conoco.net,ppco.com,ak.ppco.com,tosco.com,conocophillips.net,abz.conoco.com,sns.conoco.com,tht.conoco.com,gulf.ca
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = conoco.net
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = conoco.net,ppco.com,ak.ppco.com,tosco.com,conocophillips.net,abz.conoco.com,sns.conoco.com,tht.conoco.com,gulf.ca
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = conoco.net,ppco.com,ak.ppco.com,tosco.com,conocophillips.net,abz.conoco.com,sns.conoco.com,tht.conoco.com,gulf.ca
    O19 - User stylesheet: c:\winnt\system.css (file missing)

    Thanks, Nitehawk.
     
  5. NiteHawk

    NiteHawk

    Joined:
    Mar 9, 2003
    Messages:
    4,699
    As you no doubt know by now, 66.197.100.83 is Verisign.com, or more precisely, sitefinder.verisign.com. To learn more about how Verisign, that once highly regarded pillar of Internet and download security, fell from grace and became a common web page hijacker for the sake of greed, read this link.

    http://forums.techguy.org/t168731/s.html
     
  6. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,196
    First Name:
    Derek
    I think that the problem is O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell.dll /c /set -- by windows setup --

    I have seen it a few times in the last couple of days and I suspect it might be a new variant of CWS.

    When it has been fixed in other logs it seems to have "cured" the problem.
     
  7. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,196
    First Name:
    Derek
    The
    O1 - Hosts: 66.197.100.83 sitefinder.verisign.com is also a CWS variant hijacker so needs fixing along with
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie-search.com/srchasst.html (obfuscated)
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie-search.com/srchasst.html (obfuscated)
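Added example, not code from this thread or from HijackThis: a small Python triage script that parses HijackThis 1.97-style log lines and flags the entry types the helpers above singled out (the O1 hosts redirect to 66.197.100.83, the "(obfuscated)" R0/R1 search values, the shell.dll Run entry, the PowerReg startup item and the user stylesheet). The sample lines are copied from the posted log; the indicator lists and the "non-loopback hosts entry" rule are assumptions drawn from this thread, not HijackThis's own logic.

```python
import re
from ipaddress import ip_address

# Constructed sample: entries copied from the HijackThis 1.97.2 log posted in
# this thread, plus two benign lines (the proxy PAC and vptray) for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie-search.com/srchasst.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie-search.com/srchasst.html (obfuscated)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy-houston.conoco.net/autoproxy.pac
O1 - Hosts: 66.197.100.83 sitefinder.verisign.com
O4 - HKLM\..\Run: [vptray] C:\Program Files\Navnt\vptray.exe
O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell.dll /c /set -- by windows setup --
O4 - Startup: PowerReg Scheduler V3.exe
O19 - User stylesheet: c:\winnt\system.css
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")

# Indicators taken from this thread (assumed lists; extend as variants appear).
HIJACK_SEARCH_HOSTS = {"ie-search.com"}
SUSPECT_RUN_FRAGMENTS = ("load shell.dll",)       # dvk01's suspected CWS variant
SUSPECT_STARTUP_NAMES = ("powerreg scheduler",)   # flagged by NiteHawk

def parse_entry(line):
    """Split one HijackThis line into its section code (R1, O4, ...) and body."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("kind"), m.group("body")) if m else None

def check_entry(kind, body):
    """Return a reason string if the entry matches a hijack indicator, else None."""
    low = body.lower()
    if kind in ("R0", "R1"):
        if body.endswith("(obfuscated)"):
            return "IE search/start value is stored obfuscated"
        url = re.search(r"https?://([^/\s]+)", body)
        if url and url.group(1).lower() in HIJACK_SEARCH_HOSTS:
            return "IE search value points at a known hijacker host"
    elif kind == "O1":
        m = re.match(r"Hosts:\s+(\S+)\s+(\S+)", body)
        try:
            if m and not ip_address(m.group(1)).is_loopback:
                return f"hosts file pins {m.group(2)} to {m.group(1)} (not loopback)"
        except ValueError:          # first field was not an IP address
            return "hosts entry with an unparsable address"
    elif kind == "O4":
        if any(frag in low for frag in SUSPECT_RUN_FRAGMENTS):
            return "Run entry loads shell.dll (suspected CWS variant per this thread)"
        if low.startswith("startup:") and any(n in low for n in SUSPECT_STARTUP_NAMES):
            return "Startup folder item matches a known unwanted program"
    elif kind == "O19":
        return "custom user stylesheet set (flagged for removal in this thread)"
    return None

def triage(log_text):
    """Run every parsable line through check_entry; return [(line, reason), ...]."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_entry(line)
        if parsed is not None and (reason := check_entry(*parsed)):
            hits.append((line.strip(), reason))
    return hits

if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"[!] {reason}\n    {line}")
```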
     
Short URL to this thread: https://techguy.org/168643