Common Hijacker 66.197.100.83

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

perezfp

Thread Starter
Joined
Sep 30, 2003
Messages
2
I'm a non-techie user needing help. Where do I start? I have a Compaq PIII Armada using Windows 2000 on NT architecture. I mainly use the machine at work hooked up to the server. However, I also have a dialup ISP for when I use the machine at home to surf the net. Last weekend I noticed that the machine was extremely sluggish. When I enter any info in any dialog box, such as in eBay, I have to wait 30-60 seconds for the word I typed to show up. So, I ran both Ad-aware and Spybot. Got the usual 10-12 spyware. Spybot also found this: "common Highjacker redirected host auto.search.msn.com=66.197.100.83". I had Spybot delete it, but it keeps showing up daily. I also noticed that while I wait the usual minute for a typed word to show up, if I move the mouse after waiting 40 secs the typed words suddenly appear.

I did find a previous person on this forum that had a similar problem. I too went ahead and ran HijackThis and received a log of the problem areas. My one big fear, however, is that if I take action and clean up the problems, will I screw up any of the software involved with my company server, possibly preventing me from accessing my company email and work? Here is the log; can anyone help and let me know that it is safe to fix these problems? Anything else I need to do?

Logfile of HijackThis v1.97.2
Scan saved at 12:59:23 PM, on 9/30/2003
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\System32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\ati2evxx.exe
C:\WINNT\MS\SMS\CORE\BIN\CLISVCL.EXE
C:\Program Files\MYECM\Installer\EcmComSocketListenerService\EcmComSocketListenerService.exe
C:\Program Files\Navnt\defwatch.exe
C:\WINNT\system32\cba\pds.exe
C:\Program Files\Navnt\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\MS\SMS\CLICOMP\RemCtrl\Wuser32.exe
C:\WINNT\system32\cba\xfr.exe
C:\WINNT\System32\MsgSys.EXE
C:\WINNT\MS\SMS\clicomp\apa\Bin\smsapm32.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Navnt\vptray.exe
C:\WINNT\System32\Atiptaxx.exe
C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
C:\Program Files\Omniquad MyPrivacy\MyPrivacy.exe
C:\WINNT\MS\SMS\CLICOMP\SWDist32\bin\smsmon32.exe
C:\Program Files\Tiger Technologies\DeskFlag\deskflag.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Common Files\System\MAPI\1033\nt\MAPISP32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\WinZip\WINZIP32.EXE
C:\DOCUME~1\perezfp2\LOCALS~1\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie-search.com/srchasst.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie-search.com/srchasst.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie-search.com/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie-search.com/srchasst.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie-search.com/srchasst.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie-search.com/srchasst.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ConocoPhillips or its affiliates
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy-houston.conoco.net/autoproxy.pac
O1 - Hosts: 66.197.100.83 sitefinder.verisign.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] C:\Program Files\Navnt\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell.dll /c /set -- by windows setup --
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [SMS Application Launcher] C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
O4 - HKLM\..\Run: [MyPrivacy] C:\Program Files\Omniquad MyPrivacy\MyPrivacy.exe
O4 - Startup: DeskFlag.lnk = C:\Program Files\Tiger Technologies\DeskFlag\deskflag.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Web Search - c:\winnt\ex.htm
O9 - Extra button: Omniquad MyPrivacy (HKLM)
O9 - Extra 'Tools' menuitem: Omniquad MyPrivacy (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O16 - DPF: {0006F063-0000-0000-C000-000000000046} (Microsoft Outlook View Control) - http://hoap01/tfcontrols/outlctlx.CAB
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.nilacharal.com/wfplayer/tdserver.cab
O16 - DPF: {1786454A-B4A0-11D2-97C7-000000000000} (Microsoft Outlook 2000 Permissions Control) - http://hoap01/tfcontrols/olTFACL.cab
O16 - DPF: {62CEC9E0-3811-4C36-A94E-4F7565DCD23F} (DDSC Class) - http://hoap2/dashboard/msddsc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/0fb5e03023def1/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://carpoint.msn.com/Components/Ocx/SurVid/MSSurVid.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://carpoint.msn.com/Components/Ocx/Exterior/Outside.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DC765522-D5BE-49C9-AF5F-8C715A44BA28} (MS Investor Ticker) - http://fdl.msn.com/public/investor/v9/ticker.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = conoco.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = conoco.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = conoco.net,ppco.com,ak.ppco.com,tosco.com,conocophillips.net,abz.conoco.com,sns.conoco.com,tht.conoco.com,gulf.ca
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = conoco.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = conoco.net,ppco.com,ak.ppco.com,tosco.com,conocophillips.net,abz.conoco.com,sns.conoco.com,tht.conoco.com,gulf.ca
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = conoco.net,ppco.com,ak.ppco.com,tosco.com,conocophillips.net,abz.conoco.com,sns.conoco.com,tht.conoco.com,gulf.ca
O19 - User stylesheet: c:\winnt\system.css

Thanks in advance!!
 
Joined
Mar 9, 2003
Messages
4,699
OK, let's see what we can do to get your PC cleaned up and back up to speed. Also, to put your mind at ease, any items that are fixed by using HJT are only removed from starting up every time you start your PC.

It will take about 20 minutes to go through your log. In the meantime you can download and run CWShredder to remove CoolWebSearch and related components.
http://www.spychecker.com/program/cwshredder.html
 
Joined
Mar 9, 2003
Messages
4,699
In HijackThis, check ALL of the following items. Double check so as to be sure not to miss a single one.
Next, close all browser windows, and have HJT fix all checked.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie-search.com/srchasst.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie-search.com/srchasst.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie-search.com/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie-search.com/srchasst.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://ie-search.com/srchasst.html (obfuscated)
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie-search.com/srchasst.html (obfuscated)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ConocoPhillips or its affiliates

O1 - Hosts: 66.197.100.83 sitefinder.verisign.com

O4 - Startup: PowerReg Scheduler V3.exe

O19 - User stylesheet: c:\winnt\system.css


Although this one is not bad, because of its animation it could slow things down a little. Was it on your PC before all the slowdown started, or about the same time?

O4 - Startup: DeskFlag.lnk = C:\Program Files\Tiger Technologies\DeskFlag\deskflag.exe

Reboot into normal mode


Now download Spybot - Search & Destroy (if you haven't got the program installed already)

After installing, first press Online, and search for, put a check mark at, and install all updates.

Next, close all Internet Explorer windows, hit 'Check for Problems', and have SpyBot remove/fix all it finds that are in RED

Reboot

Last, run HJT again and post your log again to see if anything was missed.

Thanks
 

perezfp

Thread Starter
Joined
Sep 30, 2003
Messages
2
Nitehawk--

Thanks for the help.

I followed your instructions. For the life of me, I keep getting the "common highjacker redirected host auto.search.msn.com 66.197.100.83" showing up in Spybot. I get rid of it, I go back to doing my work, then when I check later in the day, it's back. After I deleted the log items, the log looked clean after a reboot and second scan. Then, when I scanned with HijackThis later in the day, I got the below log. It seems that certain lines you asked me to remove keep coming back. I also ran CWShredder as you suggested. I use Startup in order to get into the start commands since msconfig does not work with Windows 2000. Do I need to uncheck anything? Hope you can help me permanently get rid of this stuff. Here's the log:

Logfile of HijackThis v1.97.2
Scan saved at 6:47:56 PM, on 10/1/2003
Platform: Windows 2000 SP2 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\System32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\WINNT\System32\ati2evxx.exe
C:\Program Files\MYECM\Installer\EcmComSocketListenerService\EcmComSocketListenerService.exe
C:\Program Files\Navnt\defwatch.exe
C:\WINNT\system32\cba\pds.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\MS\SMS\CLICOMP\RemCtrl\Wuser32.exe
C:\WINNT\system32\cba\xfr.exe
C:\WINNT\System32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\Navnt\vptray.exe
C:\WINNT\System32\Atiptaxx.exe
C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
C:\Program Files\Omniquad MyPrivacy\MyPrivacy.exe
C:\Program Files\Webshots\WebshotsTray.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\WINNT\System32\MDM.EXE
C:\Program Files\WinZip\WINZIP32.EXE
C:\DOCUME~1\perezfp2\LOCALS~1\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie-search.com/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie-search.com/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://estream.conocophillips.net/home/default.asp
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by ConocoPhillips or its affiliates
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy-houston.conoco.net/autoproxy.pac
O1 - Hosts: 66.197.100.83 sitefinder.verisign.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [vptray] C:\Program Files\Navnt\vptray.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell.dll /c /set -- by windows setup --
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\NeroCheck.exe
O4 - HKLM\..\Run: [SMS Application Launcher] C:\WINNT\MS\SMS\CORE\BIN\LAUNCH32.EXE
O4 - HKLM\..\Run: [MyPrivacy] C:\Program Files\Omniquad MyPrivacy\MyPrivacy.exe
O4 - HKLM\..\RunOnce: [MigrateMMDrivers] rundll32.exe mmsys.cpl,mmseRunOnce
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\WebshotsTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Web Search - c:\winnt\ex.htm
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Omniquad MyPrivacy (HKLM)
O9 - Extra 'Tools' menuitem: Omniquad MyPrivacy (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O14 - IERESET.INF: START_PAGE_URL=http://estream.conocophillips.net/home/default.asp
O16 - DPF: {0006F063-0000-0000-C000-000000000046} (Microsoft Outlook View Control) - http://hoap01/tfcontrols/outlctlx.CAB
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.nilacharal.com/wfplayer/tdserver.cab
O16 - DPF: {1786454A-B4A0-11D2-97C7-000000000000} (Microsoft Outlook 2000 Permissions Control) - http://hoap01/tfcontrols/olTFACL.cab
O16 - DPF: {62CEC9E0-3811-4C36-A94E-4F7565DCD23F} (DDSC Class) - http://hoap2/dashboard/msddsc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/0fb5e03023def1/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {928626A3-6B98-11CF-90B4-00AA00A4011F} (SurroundVideoCtrl Object) - http://carpoint.msn.com/Components/Ocx/SurVid/MSSurVid.cab
O16 - DPF: {BB47CA33-8B4D-11D0-9511-00C04FD9152D} (ExteriorSurround Object) - http://carpoint.msn.com/Components/Ocx/Exterior/Outside.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DC765522-D5BE-49C9-AF5F-8C715A44BA28} (MS Investor Ticker) - http://fdl.msn.com/public/investor/v9/ticker.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} (Microsoft Office Tools on the Web Control) - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = conoco.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = conoco.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = conoco.net,ppco.com,ak.ppco.com,tosco.com,conocophillips.net,abz.conoco.com,sns.conoco.com,tht.conoco.com,gulf.ca
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = conoco.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = conoco.net,ppco.com,ak.ppco.com,tosco.com,conocophillips.net,abz.conoco.com,sns.conoco.com,tht.conoco.com,gulf.ca
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = conoco.net,ppco.com,ak.ppco.com,tosco.com,conocophillips.net,abz.conoco.com,sns.conoco.com,tht.conoco.com,gulf.ca
O19 - User stylesheet: c:\winnt\system.css (file missing)

Thanks, Nitehawk.
 
Joined
Mar 9, 2003
Messages
4,699
As you no doubt know by now, 66.197.100.83 is Verisign.com, or more precisely, sitefinder.verisign.com. To learn more about how Verisign, that once highly regarded pillar of Internet and download security, fell from grace and became a common web page hijacker for the sake of greed, read this link.

http://forums.techguy.org/t168731/s.html
 

dvk01

Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
First Name
Derek
I think that the problem is O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell.dll /c /set -- by windows setup --


I have seen it a few times in the last couple of days and I suspect it might be a new variant of CWS.

When it has been fixed in other logs it seems to have "cured" the problem.
 

dvk01

Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
First Name
Derek
The
O1 - Hosts: 66.197.100.83 sitefinder.verisign.com is also a CWS variant hijacker so needs fixing along with
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie-search.com/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie-search.com/srchasst.html (obfuscated)
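The entries Nitehawk and dvk01 single out above (the R0/R1 search settings pointing at ie-search.com, the O1 hosts-file line mapping sitefinder.verisign.com to 66.197.100.83, and the "Windows Shell Library Loader" O4 Run entry) can be picked out of a HijackThis log mechanically. The following is an added example, not code from the thread, from HijackThis, or from Spybot: it parses HijackThis-style R/O lines and a Windows hosts file, flagging only the indicators this thread names. The indicator sets, the sample log (assembled from lines quoted in the thread) and the sample hosts file are constructed for the example; the functions `parse_hjt`, `flag_entry`, `flagged_entries` and `check_hosts` are the example's own names.

```python
import re
from urllib.parse import urlparse

# Indicators taken from this thread only: the hijacked search URL host, the
# hosts-file redirect target, and the Run entry dvk01 suspects is a CWS variant.
# This is not a general signature database.
HIJACK_URL_HOSTS = {"ie-search.com"}
HOSTS_REDIRECT_IPS = {"66.197.100.83"}
SUSPECT_RUN_NAMES = {"windows shell library loader"}

# HijackThis item lines look like "R1 - <body>" or "O4 - <body>".
LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")

# Constructed sample: a handful of lines quoted from the second log in the thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.2
Running processes:
C:\WINNT\Explorer.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie-search.com/srchasst.html (obfuscated)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://estream.conocophillips.net/home/default.asp
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy-houston.conoco.net/autoproxy.pac
O1 - Hosts: 66.197.100.83 sitefinder.verisign.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\Navnt\vptray.exe
O4 - HKLM\..\Run: [Windows Shell Library Loader] load shell.dll /c /set -- by windows setup --
O19 - User stylesheet: c:\winnt\system.css (file missing)
"""

# Constructed hosts file modelled on the Spybot finding the thread starter quotes.
HOSTS_SAMPLE = """\
# constructed hosts file for the example
127.0.0.1       localhost
66.197.100.83   auto.search.msn.com   # Spybot: "Common hijacker" redirected host
66.197.100.83   sitefinder.verisign.com
"""


def parse_hjt(log_text):
    """Return (section, body) pairs for item lines; header and process lines are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def flag_entry(section, body):
    """Return a reason string if the entry matches one of the thread's indicators, else None."""
    if section in ("R0", "R1"):
        # body: 'HKCU\...\Main,Search Bar = http://host/path (obfuscated)'
        _, _, value = body.partition(" = ")
        host = urlparse(value.split(" ")[0]).hostname or ""
        if host in HIJACK_URL_HOSTS:
            return f"IE search setting points at hijack host {host}"
    elif section == "O1":
        # body: 'Hosts: <ip> <hostname>'
        parts = body.split()
        if len(parts) >= 3 and parts[0] == "Hosts:" and parts[1] in HOSTS_REDIRECT_IPS:
            return f"hosts file redirects {parts[2]} to {parts[1]}"
    elif section == "O4":
        # body: 'HKLM\..\Run: [Entry Name] command line'
        m = re.search(r"\[(?P<name>[^\]]+)\]", body)
        if m and m.group("name").lower() in SUSPECT_RUN_NAMES:
            return f"suspect Run entry '{m.group('name')}'"
    return None


def flagged_entries(log_text):
    """All (section, body, reason) triples from a log that match an indicator."""
    return [(sec, body, reason) for sec, body in parse_hjt(log_text)
            if (reason := flag_entry(sec, body))]


def check_hosts(hosts_text):
    """Return (hostname, ip) pairs whose target IP is a known redirect; comments are ignored."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        if ip in HOSTS_REDIRECT_IPS:
            hits.extend((name, ip) for name in names)
    return hits


if __name__ == "__main__":
    for sec, body, reason in flagged_entries(SAMPLE_LOG):
        print(f"{sec}: {reason}")
    for name, ip in check_hosts(HOSTS_SAMPLE):
        print(f"hosts: {name} -> {ip}")
```

Because the entries in this thread kept reappearing after being fixed, a check like this is most useful run again after a reboot: an empty result from both functions is the "log looked clean" state the thread starter describes, and a non-empty one shows which item came back.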
 