Help! Insidious Spyware Problem

This may be a simple problem, but I’m at a loss and I need the help of the SDMB’s computer gurus. Computer level of expertise: Knows what a mouse is, would not like to be responsible for coding space shuttle software. Fiddling about with the registry makes me nervous, and something like partitioning a disk makes me very nervous. That sorta level.

A few months ago, I picked up the dreaded “PerfectNav” browser hijacker. I got this from a free java games site my son was using. It was a pain in the arse, but I was able to Google up “perfectnav spyware removal”, and one of the tech forums or antivirus sites had step by step removal instructions. I managed to get rid of it with ten minutes or so of fiddling about in the registry.

That was kid stuff compared to what I’ve got now - a thing called “Topotun”. It’s another browser hijacking piece of scumware, similar to PerfectNav. It hijacks the homepage to its own site which is a search engine that, naturally, specialises in such wholesome topics as hardcore porn, online gambling, webcams, cheap pharmaceuticals, how to spy on your neighbours, etc. Not sure where I got the spyware this time. The sleaziest site I go to is this one :smiley: , and my son hasn’t been downloading anything lately (I do get lots of spam though).

This. Bastard. Shitware. Is. Impossible. To. Get. Rid. Of.

I Googled it, and came up with the usual range of tech support forums and Symantec-type pages. I did what I could. I cleared my browser cache, cookies, history, etc. I deleted the four sleazy sites Topotun had added to my favourites, and attempted to reset the search button to the default option (it has taken over that as well).

Homepage, Search, and favourites still hijacked.

I opened regedit and deleted all the relevant registry keys I could find (this is a problem I’ll come back to in a minute).

Homepage, Search, and favourites still hijacked.

I had an up-to-date Norton’s, Adaware, and SpyBot Search and Destroy. I ran all three and cleaned out my system.

Homepage, Search, and favourites still hijacked.

I downloaded HiJackThis, CWShredder, and The Cleaner (a pay product with a thirty day fully operational evaluation - supposedly a Rolls Royce of a program according to the techies). I ran all three.

Homepage, Search, and favourites still hijacked.

I downloaded a freakin’ HUGE update file from Microsoft (recommended from the tech forums). I went to Jason’s somewhereorother site which has a series of browser security diagnostic tests. As a result of these, I have tightened up security a bit more (no cookies, etc). I have turned off the Windows Restore function at the suggestion of the techies.

Homepage, Search, and favourites still hijacked.

At various points throughout these procedures (as prompted by the various programs and tech forums), I have rebooted, closed my browser, and manually cleaned out my browser settings (probably five or six times yesterday). Then I ran Nortons again. I also manually deleted some other spyware called MyWebsearch and ABetterInternet, or somesuch.

10pm and homepage, Search, and favourites still hijacked. Keys reappearing in the registry. I gave up and had a beer.
Now then…

I’m running IE6 on Win XP on an HP Pavilion machine. The Topotun hijack of my homepage, search and favourites will reappear within one to five minutes of my deleting them, regardless of whether I subsequently close and reopen the browser or not. The registry keys similarly reappear.

The problem I alluded to before with the registry is this:
“olehelp”="%System%\olehelp.exe"
Judging by the importance placed on this by the tech sites, this seems to be the main offender, and its removal is of paramount importance. It is supposed to reside at: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Trouble is, it doesn’t. It wasn’t there even at the beginning. I can’t delete it if it doesn’t exist. I have run a registry search and a general windows search, and this bugger seems not to be on my machine at all. I wonder whether I have an ultra-recent version of this spyware.

Other symptoms: Win Min will not close properly on shutdown, and I can’t copy files to CD: (“E:/ Not Accessible!”) although I can read data from CD (this last problem might be unrelated).

Here is the HJT log file:
Logfile of HijackThis v1.97.7
Scan saved at 9:06:06 AM, on 28/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTSVCCDA.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINDOWS\System32\P2P Networking\P2P Networking.exe
C:\windows\temp\QebuqK.exe
C:\Program Files\Creative\ShareDLL\MediaDet.exe
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe
C:\Program Files\GetRight\getright.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Qualcomm\Eudora\Eudora.exe
C:\Downloads\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://topotun.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://topotun.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://topotun.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://topotun.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://topotun.com/index.htm
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O2 - BHO: (no name) - {2F2FBF0D-254F-11D5-B1E5-0050DAD7AF62} - C:\Program Files\ANONYMIZER\CORE\Anonymizer.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
O3 - Toolbar: Anonymizer Toolbar - {C14DC52F-B4D9-11D5-B1E6-0050DAD7AF62} - C:\Program Files\ANONYMIZER\TOOLBAR\AnonymizerBar.dll
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (file missing)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [IAI] c:\hp\bin\IcoSet /M
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: officejet 6100.lnk = ?
O4 - Global Startup: winlogin.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: ICQ (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictivetechnologies.net/DM0/cab/fr03tp.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/SmileyCentralInitialSetup1.0.0.8.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) - 
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38133.9101157407
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{19E9F611-63AB-4D01-B684-57788A3BAE95}: NameServer = 203.12.160.35 203.12.160.36
O17 - HKLM\System\CS1\Services\Tcpip\..\{19E9F611-63AB-4D01-B684-57788A3BAE95}: NameServer = 203.12.160.35 203.12.160.36
Am I missing something glaringly obvious here? Thanks in advance.

Thanks astro. Trouble is I’ve been there (and pretty much every page Google gave me - there are surprisingly few), and it tells me to delete ole.exe. This file doesn’t appear to exist on my machine, so I need to find some workaround as I think it is the thing responsible for restoring all the other subsidiary files Topotun has installed, every time I delete them. Other than removing ole.exe I’ve done all the other stuff, but that’s like trying to chop the heads off Hydra so long as ole.exe isn’t taken care of.

OK. Try this. Close Internet Explorer and run hijackthis again. Click on scan and put a check by the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://topotun.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://topotun.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://topotun.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://topotun.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://topotun.com/index.htm
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - (no file)
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL (file missing)
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (file missing)
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictivetechnologies.net/DM0/cab/fr03tp.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -

Click on “Fix checked” and delete the items.

Restart the computer and delete the following, if present:

MyWebSearch (entire folder)

See if that helps.

Good on you RC. Gotta say that your post timing is awful :smiley: , as I’m running out the door for work, and won’t be back for another twelve hours, but I’ll definitely do what you’ve mentioned upon my return. Yours are the sort of instructions aimed at the semi-moron which I was looking for. Thanks. You’re a champ. I’ll let you know how it goes.

For what it’s worth I’ve had this problem in the past and have beaten my head against my computer trying to solve it. Thankfully one of the recent updates for McAfee VirusScan now recognizes at least some of those spywares and will delete them for me. Have you tried updating your security programs?

Make sure you run AdAware in Safe Mode because I don’t think it can delete a currently running file. Make sure that you have the latest reference file because they update pretty often.
I would also check the Startup Files under MSCONFIG and disable the offending .exe if it is there. To get to MSCONFIG, go to Run > type MSCONFIG > click the Startup tab, and run through the files there to see if it is running on startup.
Google Search for Online Spyware Scans it might be worth a try. There are a few to choose from.

I think the file you need to delete is called **olehelp.exe**? According to Symantec …

Click Start, and then click Run. (The Run dialog box appears.)
Type regedit
Then click OK. (The Registry Editor opens.)
Navigate to the key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
In the right pane, delete the value:
“olehelp”="%System%\olehelp.exe"
Exit the Registry Editor.
Restart the computer.
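As an added example (not code from the thread, from HijackThis, or from Symantec), here is a small Python triage pass over log lines in the shape of the HijackThis log posted at the top of the thread. It does mechanically what RealityChuck did by eye when building the "Fix checked" list: flag R0/R1 browser settings that point at a host you did not choose, O2/O3 registrations whose file is already gone, O4 Run values and startup items that match a suspect name or launch from a temp directory, and O16 ActiveX downloads from untrusted hosts. The sample lines below are constructed from the log format (the `olehelp` Run value is included as the Symantec write-up describes it, not because the log above contains it); the trusted-host and suspect-name lists are assumptions the caller supplies, and the heuristics are a starting point for review, not a verdict.

```python
"""Triage helper for HijackThis-style log lines (added example, not the thread's own code)."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample in the shape of the thread's log; not a real scan.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://topotun.com/sp.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://topotun.com/index.htm
O2 - BHO: (no name) - {00000EF1-0786-4633-87C6-1AA7A44296DA} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: My &Web Search - {07B18EA9-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL (file missing)
O4 - HKLM\..\Run: [olehelp] C:\WINDOWS\System32\olehelp.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [QebuqK] C:\windows\temp\QebuqK.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: winlogin.exe
O16 - DPF: {00000EF1-0786-4633-87C6-1AA7A44296DA} - http://www.addictivetechnologies.net/DM0/cab/fr03tp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -
"""

# Assumed inputs: hosts the machine's owner actually chose, and names seen in the thread.
TRUSTED_HOSTS = {"download.macromedia.com"}
SUSPECT_NAMES = {"topotun", "mywebsearch", "myway", "olehelp"}


@dataclass
class Finding:
    section: str  # R0, R1, O2, O3, O4 or O16
    reason: str
    line: str


LINE_RE = re.compile(r"^(R\d|O\d{1,2}) - (.*)$")
URL_RE = re.compile(r"(https?://\S+)", re.IGNORECASE)
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")


def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def _mentions(text: str, names: set[str]) -> bool:
    low = text.lower()
    return any(n in low for n in names)


def triage(log_text: str, trusted_hosts: set[str], suspect_names: set[str]) -> list[Finding]:
    trusted = {h.lower() for h in trusted_hosts}
    names = {n.lower() for n in suspect_names}
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # header, process list and blank lines carry no R/O entry
        section, body = m.groups()
        if section in ("R0", "R1"):
            um = URL_RE.search(body)
            if um and _host(um.group(1)) not in trusted:
                findings.append(Finding(section, f"IE start/search setting points at untrusted host {_host(um.group(1))}", line))
        elif section in ("O2", "O3"):
            if body.endswith("(no file)") or body.endswith("(file missing)"):
                findings.append(Finding(section, "orphaned BHO/toolbar registration (file gone, key remains)", line))
            elif _mentions(body, names):
                findings.append(Finding(section, "BHO/toolbar matches a suspect name", line))
        elif section == "O4":
            rm = RUN_RE.match(body)
            if rm:
                name, cmd = rm.group(2), rm.group(3)
                if _mentions(name, names) or _mentions(cmd, names):
                    findings.append(Finding(section, f"Run value '{name}' matches a suspect name", line))
                elif re.search(r"\\temp\\", cmd, re.IGNORECASE):
                    findings.append(Finding(section, f"Run value '{name}' launches from a temp directory", line))
            elif body.startswith(("Startup:", "Global Startup:")):
                target = body.split(":", 1)[1].strip()
                if _mentions(target, names):
                    findings.append(Finding(section, "startup item matches a suspect name", line))
                elif ".lnk" not in target.lower():
                    findings.append(Finding(section, "startup item is a bare executable, not a shortcut; review it", line))
        elif section == "O16":
            um = URL_RE.search(body)
            if um and _host(um.group(1)) not in trusted:
                findings.append(Finding(section, f"ActiveX download (DPF) from untrusted host {_host(um.group(1))}", line))
            elif not um:
                findings.append(Finding(section, "ActiveX download with no source URL recorded", line))
    return findings


def lines_to_fix(findings: list[Finding]) -> list[str]:
    """The de-duplicated candidate list to tick under 'Fix checked' after a human review."""
    return sorted({f.line for f in findings})


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, TRUSTED_HOSTS, SUSPECT_NAMES):
        print(f"{f.section:<3} {f.reason}\n    {f.line}")
```

The point of keeping the trusted-host and suspect-name sets outside the code is that the same heuristics apply to any hijacker of this family; the log format is what stays constant, and an entry like the `(no file)` BHO is safe to fix regardless of what installed it because nothing is left on disk for it to load.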

Every so often I have to work on friends’ computers where crappy spyware has ended up on their systems (they never know why or how it happens. Except in one case, where they liked the funny smilies in Smiley Central).

Would removing any sign of such programs using Add/Remove in the Control Panel assist, or is this beastie purely a registry resident?

Some spyware has an uninstaller. And, in some cases, this actually works.

Usually, though, you need to use spyware cleaning software, or need to have someone analyze your hijackthis log.

To help prevent spyware, use Spyware Blaster

I have an extremely similar problem, without an easy solution – and I’ve done much of what The Loaded Dog did already – CWShredder, registry edits, etc.

My browser opens up to what claims itself to be the “about: blank” page – but displays a selection of search options which hoverage claims are javascript commands, and which open stuff at searchx.cc. Running McAfee’s free on-line checker resulted in the information that I had a virus whose name I do not recall but which purported to be a homepage hijacker, and that it was in a file named ODMB.HTA – but insofar as I can tell, there is no such file, either in the directory it stated (Win32) or anywhere else on the system.

Any bright ideas from experienced virus fighters?

Thanks, RealityChuck.

Congratulations! You probably have the infamous CoolWebSearch about:blank hijacker, which cannot be removed by standard means. :eek:

There is no cleaning tool yet, though there is a cleaning process (with tools to help out with it). Your best course of action is to download Hijackthis and post the log at http://www.spywareinfo.com. They will guide you through the process, which takes several iterations.

[hijack]

file:///C:/spad/start.html is kicking my ass. It keeps changing my homepage to some porn thing. I ran Hijack This, got rid of everything shady, I ran Ad-Aware, got rid of everything, ran Sweeper and Spybot, both found nothing. Sweeper’s homepage protector keeps coming up and I keep putting not to change homepage, but that does nothing. After I get rid of everything with Hijack This, it just comes back next time I click Scan, same thing with Ad-Aware, after I get rid of the stuff, it all comes back. Any help?

[/hijack]

This web site has downloads and instructions for removing cool web search.

Aaaarrgghhh.

When I got home from work, I noticed that MSIE was starting to act a bit screwy. The address bar had disappeared, and refused to come back despite being checked on the list. This morning, I opened MSIE and it crashed bigtime. It opened to a blank page and promptly froze. At the top of the screen, on the blue title bar, was the topotun address, so it was still trying to go there as a homepage.

This morning, I ran most of the suggestions given in this thread. RealityChuck, I ran another HJT scan, and some of the stuff you mentioned that was in yesterday’s was not in today’s. I removed what was there.

I ran MSCONFIG, but still no sign of that bloody olehelp.exe there or anywhere else.

I rebooted to Safe Mode and ran Adaware, but found nothing.

Current Status three days after first removal attempts made: MSIE completely trashed and unusable. Topotun scumware still apparently present on my system.

Wouldn’t I love to find out who wrote this filth code and smash their heads.

As for the rest of you, thanks for your efforts to help. It’s appreciated. I will keep trying.

TheLoadedDog
Did you see Astro’s link?

There’s quite a few steps to go through.

Oops…hit submit too quickly.
One more for you TheLoadedDog

Bottom of this page for you teemingONE. Hope it rids it for you.

Thanks Daizy. I appreciate your efforts, but I’d already been to both of those before I even started this thread. The problem with those two sites is the same as with the various others I’ve been to, and that is my situation doesn’t exactly (or sometimes even closely) match the ones they illustrate. Files they mention often aren’t on my machine. So far my efforts have been a bit of a mix and match affair, trying to glean what relevant info I can from each site, and somehow merge it all into something effective. Thanks though. :slight_smile: