Jump to content


Photo

Recurrent Topotun hijack


  • Please log in to reply
7 replies to this topic

#1 alenar

alenar

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 25 May 2004 - 08:41 AM

Hi,

My IE browser starts now with topotun.com as the homepage, plus there are four unwanted addresses in my bookmarks. I ran Ad Aware (downloaded today) a couple of times, but it only detects a recurrent Bargain Buddy, which I am guessing it is unrelated to the browser hijack.

I ran Hijack This (downloaded today), and it detects 5 R0s or R1s wih topotun.com addresses, which I marked to fix. Then everything seems to work, but when I log in again after shutting down, the hijack appears anew. After reading the FAQ and the tutorial, I guess I might have to delete some 04 entries. I went to the Pacman's list to compare against my log, but I couldn't make much sense of it.

This is my Hijack This log. Any help would be welcome.

Logfile of HijackThis v1.97.7
Scan saved at 4:34:23 PM, on 5/25/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\Explorer.EXE
C:\WINNT\System32\Smtray.exe
C:\WINNT\System32\dpmw32.exe
C:\WINNT\System32\NWTRAY.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\System32\internat.exe
C:\Program Files\Internet Explorer\IEengine.exe
C:\winnt\dllhelp.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\physics\My Documents\Jsimon\HijackThis.exe
C:\Program Files\NetManage\APPS\X\CPANEL.EXE
C:\Program Files\NetManage\APPS\X\x.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://topotun.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://topotun.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://topotun.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://topotun.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://topotun.com/index.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www1.weizmann...l/CC/normal.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = fastproxy.weizmann.ac.il:8080
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [NDPS] C:\WINNT\System32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [StoreCleanup] RunDLL32 c:\PROGRA~1\NETMAN~1\common\nmconfig.dll,StoreCleanup
O4 - HKLM\..\Run: [NetManage LaunchNow Init] RunDLL32 c:\PROGRA~1\NETMAN~1\common\nmgoinn.dll,VerifyStartMenu
O4 - HKLM\..\Run: [NetManageImport] "C:\Program Files\NetManage\Setup\nmcpdata.exe" I
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [IEengine] C:\Program Files\Internet Explorer\IEengine.exe
O4 - HKCU\..\Run: [dllhelp] c:\winnt\dllhelp.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: winlogin.exe
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.micros...ontent/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7864.3408101852
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E1113B50-BB6B-4018-97AA-B4FF84152E35} (NetCobro Bבsico) - http://www.netcobro....etCobroBase.cab

#2 alenar

alenar

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 25 May 2004 - 12:59 PM

From reading posts similar to mine, I guessed that I should get rid of IEengine.exe and winlogin.exe . Using the task manager I killed the corresponding processes, and then marked them in Hijack This to fix them. However, the problem is still there.

A difference is that before eliminating these two files, if I tried to log out, the computer would complain that Win Min can't close, three times, while now it only complains once. At any rate, my latest Hijack This log is

Logfile of HijackThis v1.97.7
Scan saved at 8:42:58 PM, on 5/25/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\Explorer.EXE
C:\WINNT\System32\Smtray.exe
C:\WINNT\System32\dpmw32.exe
C:\WINNT\System32\NWTRAY.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\System32\internat.exe
C:\winnt\dllhelp.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\NetManage\APPS\X\CPANEL.EXE
C:\Program Files\NetManage\APPS\X\x.exe
C:\Documents and Settings\physics\My Documents\Jsimon\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://topotun.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://topotun.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://topotun.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://topotun.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://topotun.com/index.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www1.weizmann...l/CC/normal.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = fastproxy.weizmann.ac.il:8080
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [NDPS] C:\WINNT\System32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [StoreCleanup] RunDLL32 c:\PROGRA~1\NETMAN~1\common\nmconfig.dll,StoreCleanup
O4 - HKLM\..\Run: [NetManage LaunchNow Init] RunDLL32 c:\PROGRA~1\NETMAN~1\common\nmgoinn.dll,VerifyStartMenu
O4 - HKLM\..\Run: [NetManageImport] "C:\Program Files\NetManage\Setup\nmcpdata.exe" I
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [dllhelp] c:\winnt\dllhelp.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.micros...ontent/opuc.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7864.3408101852
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E1113B50-BB6B-4018-97AA-B4FF84152E35} (NetCobro Bבsico) - http://www.netcobro....etCobroBase.cab


Many thanks in advance for any help.

#3 alenar

alenar

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 26 May 2004 - 10:56 AM

In case this helps you figure out what is going on, I just ran CWShredder on
my computer, but it doesn't detect anything.

Any advice would be greatly appreciated.

#4 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • PipPipPipPipPip
  • 5,365 posts

Posted 26 May 2004 - 02:26 PM

Hi,
1) Restart in Safe Mode (see "How To:" below)
2) Enable Hidden Files (see "How To:" below)

Locate and delete the following:

C:\winnt\dllhelp.exe <--this file
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe
Note the spelling, this was from your 1st log
C:\Program Files\Internet Explorer\IEengine.exe <--this file

While still in Safe Mode:
Close all open windows, rescan with HijackThis and "Fix checked" the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://topotun.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://topotun.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://topotun.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://topotun.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://topotun.com/index.htm
O4 - HKCU\..\Run: [dllhelp] c:\winnt\dllhelp.exe


Restart normally and then ...

Reconfigure Ad-Aware for Full Scan:
Please update the reference file following the instructions here:
http://www.lavahelp....dref/index.html

Launch the program, and click on the Gear at the top of the start screen.

Click the "Scanning" button.
Under Drives & Folders, select "Scan within Archives".
Click "Click here to select Drives + folders" and select your installed hard drives.

Under Memory & Registry, select all options.
Click the "Advanced" button.
Under "Log-file detail", select all options.
Click the "Tweaks" button.

Under "Scanning Engine", select the following:
"Include additional Ad-aware settings in logfile" and
"Unload recognized processes during scanning."
Under "Cleaning Engine", select the following:
"Let Windows remove files in use after reboot."
Click on 'Proceed' to save these Preferences.
Please make sure that you activate IN-DEPTH scanning before you proceed.

After the above post a fresh log ...
Mike
Former Microsoft MVP Posted Image 1999-2012
"There's no place like 127.0.0.1"
Posted Image
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file

#5 alenar

alenar

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 27 May 2004 - 07:56 AM

Hi WinHelp2002, and many many thanks for your help. Actually in the meantime I learned that I should do most of what you recommend me to do. All my problems seem to be gone: no hijack for the startup page, no unwanted bookmarks and no problems with Win Min when I log off.

I ran AdAware twice in the way you described and it still finds the Bargain Buddy, again and again. It also finds a number of tracking cookies. Finally, the first time it found also a possible browser hijack attempt

obj[6]=File : c:\documents and settings\physics\favorites\imported bookmarks\search and directory\looksmart.url

although not the second time I ran it. Finally, here it is my latest HJT log. You guys do a great job. A donation is on the way.

Logfile of HijackThis v1.97.7
Scan saved at 2:38:55 PM, on 5/27/2004
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\Explorer.EXE
C:\WINNT\System32\Smtray.exe
C:\WINNT\System32\dpmw32.exe
C:\WINNT\System32\NWTRAY.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\System32\internat.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\NetManage\APPS\X\CPANEL.EXE
C:\Program Files\NetManage\APPS\X\x.exe
C:\Documents and Settings\physics\My Documents\Jsimon\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://il.arxiv.org/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www1.weizmann...l/CC/normal.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = fastproxy.weizmann.ac.il:8080
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat\Reader\ActiveX\AcroIEHelper.ocx
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Smapp] Smtray.exe
O4 - HKLM\..\Run: [NDPS] C:\WINNT\System32\dpmw32.exe
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe
O4 - HKLM\..\Run: [StoreCleanup] RunDLL32 c:\PROGRA~1\NETMAN~1\common\nmconfig.dll,StoreCleanup
O4 - HKLM\..\Run: [NetManage LaunchNow Init] RunDLL32 c:\PROGRA~1\NETMAN~1\common\nmgoinn.dll,VerifyStartMenu
O4 - HKLM\..\Run: [NetManageImport] "C:\Program Files\NetManage\Setup\nmcpdata.exe" I
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.micros...ontent/opuc.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://housecall.tre...all/Xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...7864.3408101852
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {E1113B50-BB6B-4018-97AA-B4FF84152E35} (NetCobro Bבsico) - http://www.netcobro....etCobroBase.cab

#6 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • PipPipPipPipPip
  • 5,365 posts

Posted 27 May 2004 - 08:54 AM

Hi,
Your log looks clean now ... good job!

and it still finds the Bargain Buddy, again and again

Where? (folder location)
Note: do not post the entire AWW log, but rather just paste the detection for "BarginBuddy".

It also finds a number of tracking cookies

Reset your Cookie options to "block" 3rd party Cookies.
[more info]
Blocking Unwanted Cookies with IE 6
http://www.mvps.org/...002/cookies.htm
Mike
Former Microsoft MVP Posted Image 1999-2012
"There's no place like 127.0.0.1"
Posted Image
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file

#7 alenar

alenar

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 27 May 2004 - 10:15 AM

Thanks for the quick answer!. This is the relevant portion of the AAW log. I did regedit to see the folder, and there are a bunch of files. One of them is called Bargains, but I am not sure if it is related, so I didn't touch anything.


BARGAINBUDDY
ŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻŻ
obj[0]=RegValue : SOFTWARE\Microsoft\Windows\CurrentVersion\Run

#8 WinHelp2002

WinHelp2002

    Taking back the Internet

  • Global Moderator
  • PipPipPipPipPip
  • 5,365 posts

Posted 27 May 2004 - 11:16 AM

Hi,
Are you having AWW remove that entry?
Remove = place a check in each detected item.

If you still have some lingering Registry entries, you can use the "manual" method in the below article to compare to yours. Remove any\all that still exist.
http://www.pestpatro...argainbuddy.asp
Mike
Former Microsoft MVP Posted Image 1999-2012
"There's no place like 127.0.0.1"
Posted Image
Blocking Malware, Parasites, Hijackers, Trojans, http://www.mvps.org/...p2002/hosts.htm with a HOSTS file




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button