Jump to content


Photo

topotun hijacker (still)


  • Please log in to reply
6 replies to this topic

#1 chiefjames

chiefjames

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 02 June 2004 - 10:22 PM

I actually posted about this before the site moved, and was getting some assistance, but never quite got a resolution.

My browser home page has been hijacked to go to topotun.com. It resets to that homepage several times an hour, not just when I reboot or anything...in addition it does add links to my favorites menu. I've also noticed that whenever I access the internet options panel, my computer really stalls for a while whenever I try to delete the history and when I click "OK."

I've tried Ad-Aware, SpyBot, and CWShredder with no success. SpywareGuard does prevent my homepage from being hijacked, but it gives me an annoying window to click on every few minutes to restore my old homepage. If it helps as a "clue," that message that my homepage has been hijacked always pops ups immediately when I've accessed Internet Options.

I'm showing my log from HijackThis with SpywareGuard turned off, otherwise the homepages would read correctly.

Logfile of HijackThis v1.97.7
Scan saved at 10:18:50 PM, on 6/2/04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\WINMODEM.101\wmexe.exe
C:\PROGRAM FILES\ENCOMPASS\ENCMONTR.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\AHEAD\INCD\INCD.EXE
C:\WINDOWS\SYSTEM\MSWHEEL.EXE
C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE
C:\PROGRAM FILES\AIM95\AIM.EXE
C:\WINDOWS\CVCHOST.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\WINDOWS MEDIA COMPONENTS\ENCODER\WMENCAGT.EXE
C:\PROGRAM FILES\WINZIP\WZQKPICK.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGMAIN.EXE
C:\PROGRAM FILES\SPYWAREGUARD\SGBHP.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACRORD32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\MY DOCUMENTS\ICONS\JUNK FOLDER\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://topotun.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://topotun.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://topotun.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://topotun.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://topotun.com/index.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy.samford.edu:8080
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [POINTER] C:\PROGRA~1\MSHARD~1\point32.exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [VsEcomrEXE] C:\Program Files\Network Associates\McAfee VirusScan\vsecomr.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPPS2.EXE"
O4 - HKLM\..\Run: [WebScan] C:\PROGRAM FILES\ACCELERATION SOFTWARE\ANTI-VIRUS\DEFSCANGUI.EXE -k
O4 - HKLM\..\RunServices: [winmodem] WINMODEM.101\wmexe.exe
O4 - HKLM\..\RunServices: [Encompass_ENCMONTR] C:\Program Files\Encompass\ENCMONTR.EXE
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [McAfeeWebScanX] C:\PROGRAM FILES\NETWORK ASSOCIATES\MCAFEE VIRUSSCAN\WebScanX.Exe /RUNSERVICES
O4 - HKCU\..\Run: [AIM] C:\PROGRAM FILES\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [cvchost] c:\windows\cvchost.exe
O4 - HKCU\..\Run: [dllhelp] c:\windows
O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Startup: Encoder Agent.lnk = C:\Program Files\Windows Media Components\Encoder\WMENCAGT.EXE
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: AIM (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.micr...922/wmv9VCM.CAB
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupd...8118.3495138889


Thanks again for your time and any assistance you could lend.

-James

#2 chiefjames

chiefjames

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 02 June 2004 - 10:28 PM

If this helps speed assistance along, before I was instructed to download a PV zip file, and run a little .bat file that does something to track dll's.

My logfiles when I run "runme9x.bat" (I'm using Window's '98), option 2 for Internet Explorer dll's tells me that "Not matching processes are found" and gives me a blank notepad as the logfile.

Option 1 for Explorer dll's gives the the following logfile: (I know I'm already giving alot to sift through, I'm sorry)


Module information for 'EXPLORER.EXE'
MODULE BASE SIZE PATH
CRYPTEXT.DLL 7ed10000 57344 C:\WINDOWS\SYSTEM\CRYPTEXT.DLL 5.131.1877.3 Crypto Shell Extensions
CRYPTUI.DLL 7ec80000 475136 C:\WINDOWS\SYSTEM\CRYPTUI.DLL 5.131.1877.4 Microsoft Trust UI Provider
DOCPROP.DLL 7dae0000 77824 C:\WINDOWS\SYSTEM\DOCPROP.DLL 5.00.1897.1 OLE DocFile Property Page
SYNCUI.DLL 77630000 167936 C:\WINDOWS\SYSTEM\SYNCUI.DLL 4.10.1998 Windows Briefcase
WZSHLSTB.DLL 16200000 24576 C:\PROGRAM FILES\WINZIP\WZSHLSTB.DLL 4.1 (32-bit) WinZip Shell Extension DLL
INETCPLC.DLL 71950000 118784 C:\WINDOWS\SYSTEM\INETCPLC.DLL 6.00.2800.1106 Internet Control Panel
INETCPL.CPL 3d70000 319488 C:\WINDOWS\SYSTEM\INETCPL.CPL 6.00.2800.1106 Internet Control Panel
DISPEX.DLL 4050000 45056 C:\WINDOWS\SYSTEM\DISPEX.DLL 5.6.0.6626 Microsoft ® DispEx
ACTXPRXY.DLL 703d0000 110592 C:\WINDOWS\SYSTEM\ACTXPRXY.DLL 6.00.2800.1106 ActiveX Interface Marshaling Library
DXTMSFT.DLL 35cb0000 364544 C:\WINDOWS\SYSTEM\DXTMSFT.DLL 6.00.2800.1106 DirectX Media -- Image DirectX Transforms
DDRAWEX.DLL 65000000 36864 C:\WINDOWS\SYSTEM\DDRAWEX.DLL 4.87.00.0700 Microsoft DirectDrawEx
DDRAW.DLL baaa0000 380928 C:\WINDOWS\SYSTEM\DDRAW.DLL 4.07.00.0700 Microsoft DirectDraw
DXTRANS.DLL 35c50000 208896 C:\WINDOWS\SYSTEM\DXTRANS.DLL 6.00.2800.1106 DirectX Media -- DirectX Transform Core
ATL.DLL 5f3e0000 73728 C:\WINDOWS\SYSTEM\ATL.DLL 3.00.8449 ATL Module for Windows (ANSI)
IMGUTIL.DLL 70510000 40960 C:\WINDOWS\SYSTEM\IMGUTIL.DLL 6.00.2800.1106 IE plugin image decoder support DLL
WINTRUST.DLL 2d30000 57344 C:\WINDOWS\SYSTEM\WINTRUST.DLL 5.131.1877.5 Microsoft Trust Verification APIs
MSHTMLED.DLL 70f30000 450560 C:\WINDOWS\SYSTEM\MSHTMLED.DLL 6.00.2800.1106 Microsoft ® HTML Editing Component
IEPEERS.DLL 70fb0000 241664 C:\WINDOWS\SYSTEM\IEPEERS.DLL 6.00.2800.1106 Internet Explorer Peer Objects
DLPROTECT.DLL 11000000 192512 C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL 2.02 SpywareGuard Download Protection
SDHELPER.DLL 2c40000 733184 C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SDHELPER.DLL
OLEPRO32.DLL 5f300000 167936 C:\WINDOWS\SYSTEM\OLEPRO32.DLL 5.0.4518
ACROIEHELPER.DLL 1230000 45056 C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL 6.0.0.2003051500 Adobe Acrobat IE Helper Version 6.0 for ActivieX
RNR20.DLL 783c0000 61440 C:\WINDOWS\SYSTEM\RNR20.DLL 4.10.2222 Windows Socket2 NameSpace DLL
MSAFD.DLL 7b410000 45056 C:\WINDOWS\SYSTEM\MSAFD.DLL 4.10.1998 Microsoft Windows Sockets 2.0 Service Provider
MSONSEXT.DLL 79e60000 544768 C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WEB FOLDERS\MSONSEXT.DLL
BROWSELC.DLL 718e0000 73728 C:\WINDOWS\SYSTEM\BROWSELC.DLL 6.00.2800.1106 Shell Browser UI Library
MSI.DLL 3140000 2015232 C:\WINDOWS\SYSTEM\MSI.DLL 2.0.2600.2 Windows Installer
SPYWAREGUARD.DLL 22200000 126976 C:\PROGRAM FILES\SPYWAREGUARD\SPYWAREGUARD.DLL 2.02 SpywareGuard Protection
MSVBVM60.DLL 66000000 1388544 C:\WINDOWS\SYSTEM\MSVBVM60.DLL 6.00.8964 Visual Basic Virtual Machine
JSCRIPT.DLL 6b700000 589824 C:\WINDOWS\SYSTEM\JSCRIPT.DLL 5.6.0.8513 Microsoft ® JScript
IMM32.DLL bfe20000 16384 C:\WINDOWS\SYSTEM\IMM32.DLL 4.10.1998 Win32 IMM32 core component
MSLS31.DLL 48080000 159744 C:\WINDOWS\SYSTEM\MSLS31.DLL 3.10.349.0 Microsoft Line Services library file
SHDOCLC.DLL 4060000 540672 C:\WINDOWS\SYSTEM\SHDOCLC.DLL 6.00.2800.1106 Shell Doc Object and Control Library
SETUPAPI.DLL 77ea0000 421888 C:\WINDOWS\SYSTEM\SETUPAPI.DLL 5.00.1671.1 Windows NT Setup API
WINSPOOL.DRV 7fe40000 36864 C:\WINDOWS\SYSTEM\WINSPOOL.DRV 4.10.1998 Win32 WINSPOOL core component
COMDLG32.DLL 7fe10000 184320 C:\WINDOWS\SYSTEM\COMDLG32.DLL 4.72.3510.2300 Common Dialogs DLL
LZ32.DLL bfe60000 24576 C:\WINDOWS\SYSTEM\LZ32.DLL 4.10.1998 Win32 LZ32 core component
WEBCHECK.DLL 70340000 266240 C:\WINDOWS\SYSTEM\WEBCHECK.DLL 6.00.2800.1106 Web Site Monitor
MYDOCS.DLL 792f0000 69632 C:\WINDOWS\SYSTEM\MYDOCS.DLL 4.72.3510.2300 My Documents Folder UI
LINKINFO.DLL 7fb80000 36864 C:\WINDOWS\SYSTEM\LINKINFO.DLL 4.10.1998 Windows Volume Tracking
MSSHRUI.DLL 7f920000 94208 C:\WINDOWS\SYSTEM\MSSHRUI.DLL 4.10.1998 Shell extensions for sharing
RASAPI32.DLL 7f880000 217088 C:\WINDOWS\SYSTEM\RASAPI32.DLL 4.10.2222 Dial-Up Networking Dynamic Linked Library
WSOCK32.DLL 75fa0000 40960 C:\WINDOWS\SYSTEM\WSOCK32.DLL 4.10.1998 BSD Socket API for Windows
MSWSOCK.DLL 794d0000 86016 C:\WINDOWS\SYSTEM\MSWSOCK.DLL 4.10.2222 Microsoft WinSock Extension APIs
WS2_32.DLL 76000000 73728 C:\WINDOWS\SYSTEM\WS2_32.DLL 4.10.2222 Windows Socket 2.0 32-Bit DLL
WS2HELP.DLL 75fe0000 24576 C:\WINDOWS\SYSTEM\WS2HELP.DLL 4.10.1998 Windows Socket 2.0 Helper for Windows 98
SECUR32.DLL 7f870000 40960 C:\WINDOWS\SYSTEM\SECUR32.DLL 4.10.2222 Microsoft Win32 Security Services
MSVCRT20.DLL 7fc30000 282624 C:\WINDOWS\SYSTEM\MSVCRT20.DLL 2.11.000 Microsoft® C Runtime Library
SVRAPI.DLL 7f950000 32768 C:\WINDOWS\SYSTEM\SVRAPI.DLL 4.10.1998 32-bit common Server API library
MSNET32.DLL 7f300000 77824 C:\WINDOWS\SYSTEM\MSNET32.DLL 4.10.2224 Microsoft 32-bit Network API Library
NWNET32.DLL 7f940000 40960 C:\WINDOWS\SYSTEM\NWNET32.DLL 4.10.1998 32-bit NW API library
MSPWL32.DLL 7fb40000 40960 C:\WINDOWS\SYSTEM\MSPWL32.DLL 4.10.1998 Password list management library
TAPI32.DLL 7f960000 122880 C:\WINDOWS\SYSTEM\TAPI32.DLL 4.10.2222 Microsoft® Windows™ Telephony API Client DLL
NETAPI32.DLL 7f990000 20480 C:\WINDOWS\SYSTEM\NETAPI32.DLL 4.10.1998 32-bit network API DLL
NETBIOS.DLL 7f840000 32768 C:\WINDOWS\SYSTEM\NETBIOS.DLL
MPR.DLL 7fbf0000 57344 C:\WINDOWS\SYSTEM\MPR.DLL 4.10.1998 WIN32 Network Interface DLL
SHFOLDER.DLL 71930000 32768 C:\WINDOWS\SYSTEM\SHFOLDER.DLL 6.00.2800.1106 Shell Folder Service
WININET.DLL 63000000 614400 C:\WINDOWS\SYSTEM\WININET.DLL 6.00.2800.1400 Internet Extensions for Win32
CRYPT32.DLL 5cf00000 385024 C:\WINDOWS\SYSTEM\CRYPT32.DLL 5.131.1878.12 Crypto API32
MSOSS.DLL 79e00000 151552 C:\WINDOWS\SYSTEM\MSOSS.DLL 5.131.1877.3 Microsoft Trust ASN APIs
OLEAUT32.DLL 65340000 634880 C:\WINDOWS\SYSTEM\OLEAUT32.DLL 2.40.4518
CFGMGR32.DLL 7f810000 45056 C:\WINDOWS\SYSTEM\CFGMGR32.DLL 4.10.1998 Configuration Manager Win32 Interface
NTDLL.DLL bfee0000 20480 C:\WINDOWS\SYSTEM\NTDLL.DLL 4.10.1998 Win32 NTDLL core component
MSHTML.DLL 63580000 2818048 C:\WINDOWS\SYSTEM\MSHTML.DLL 6.00.2800.1400 Microsoft ® HTML Viewer
MLANG.DLL 70440000 585728 C:\WINDOWS\SYSTEM\MLANG.DLL 6.00.2800.1106 Multi Language Support DLL
URLMON.DLL 1a400000 499712 C:\WINDOWS\SYSTEM\URLMON.DLL 6.00.2800.1400 OLE32 Extensions for Win32
RPCRT4.DLL 7fb90000 335872 C:\WINDOWS\SYSTEM\RPCRT4.DLL 4.71.2900 Remote Procedure Call DLL
SHD401LC.DLL 11b0000 61440 C:\WINDOWS\SYSTEM\SHD401LC.DLL 5.50.4914.1400 Shell Doc Object and Control Library - IE 4.01 compat
IDLEMON.DLL 1c000000 24576 C:\PROGRAM FILES\AIM95\IDLEMON.DLL 5.5.3595 Idle Monitor DLL
MSH_ZWF.DLL d2d0000 61440 C:\PROGRAM FILES\MS HARDWARE\MOUSE\MSH_ZWF.DLL
VERSION.DLL bfe70000 24576 C:\WINDOWS\SYSTEM\VERSION.DLL 4.10.1998 Win32 VERSION core component
BROWSEUI.DLL 71500000 1036288 C:\WINDOWS\SYSTEM\BROWSEUI.DLL 6.00.2800.1400 Shell Browser UI Library
ENCMON.DLL 1740000 86016 C:\PROGRAM FILES\ENCOMPASS\ENCMON.DLL 1, 0, 0, 1 EncMon
DPHOOK32.DLL 10000000 65536 C:\PROGRAM FILES\PANICWARE\POP-UP STOPPER\DPHOOK32.DLL
PANIC32.DLL 1250000 49152 C:\WINDOWS\PANIC32.DLL
WINMM.DLL bfdf0000 65536 C:\WINDOWS\SYSTEM\WINMM.DLL 4.03.1998 System APIs for Multimedia
SHDOC401.DLL 50000000 503808 C:\WINDOWS\SYSTEM\SHDOC401.DLL 5.50.4914.1400 Shell Doc Object and Control Library - IE 4.01 compat
OLE32.DLL 7ff20000 790528 C:\WINDOWS\SYSTEM\OLE32.DLL 4.71.2900 Microsoft OLE for Windows and Windows NT
SHDOCVW.DLL 71700000 1347584 C:\WINDOWS\SYSTEM\SHDOCVW.DLL 6.00.2800.1400 Shell Doc Object and Control Library
SHELL32.DLL 66800000 1396736 C:\WINDOWS\SYSTEM\SHELL32.DLL 4.72.3812.600 Windows Shell Common Dll
EXPLORER.EXE 400000 180224 C:\WINDOWS\EXPLORER.EXE 4.72.3110.1 Windows Explorer
COMCTL32.DLL bfb70000 557056 C:\WINDOWS\SYSTEM\COMCTL32.DLL 5.81 Common Controls Library
SHLWAPI.DLL 70a70000 413696 C:\WINDOWS\SYSTEM\SHLWAPI.DLL 6.00.2800.1400 Shell Light-weight Utility Library
MSVCRT.DLL 78000000 286720 C:\WINDOWS\SYSTEM\MSVCRT.DLL 6.10.8637.0 Microsoft ® C Runtime Library
USER32.DLL bff50000 69632 C:\WINDOWS\SYSTEM\USER32.DLL 4.10.2222 Win32 USER32 core component
GDI32.DLL bff20000 155648 C:\WINDOWS\SYSTEM\GDI32.DLL 4.10.1998 Win32 GDI core component
ADVAPI32.DLL bfe80000 65536 C:\WINDOWS\SYSTEM\ADVAPI32.DLL 4.80.1675 Win32 ADVAPI32 core component
KERNEL32.DLL bff70000 471040 C:\WINDOWS\SYSTEM\KERNEL32.DLL 4.10.2222 Win32 Kernel core component


The site change happened, killing my log, before I could tell if this process was any aid whatsoever.

Thanks again,
James

#3 chiefjames

chiefjames

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 06 June 2004 - 08:39 PM

Bump

#4 chiefjames

chiefjames

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 08 June 2004 - 05:29 PM

Bump again...

#5 chiefjames

chiefjames

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 09 June 2004 - 10:51 PM

Well, I guess it's been about a week. No guesses?

#6 chiefjames

chiefjames

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 11 June 2004 - 09:42 PM

Any help at all, even wild guesses, would be appreciated, guys. I really don't want to have to just learn to live with this problem...

#7 chiefjames

chiefjames

    Member

  • Full Member
  • Pip
  • 7 posts

Posted 14 June 2004 - 11:39 AM

Bump




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button