Kill Topotun (very difficult)
- 1. Use your firewall program to block IP Address: 69.50.184.50
- These are the offending URLs
- www.topotun.com
- www.web-cams-chat.com
- www.free-spy-cam.net
- www.hcworld.com
- free.hcworld.com
- terra.hcworld.com
- 2. Use Regedit to remove all references to Topotun
- The most important entries are in HKEY_CURRENT_USER
- HKEY_CURRENT_USER
- Software
- Microsoft
- Internet Explorer
- Main
- Default_Search_URL
- Local Page
- Search Bar
- Search Page
- SearchAssistant
- Start Page <= especially this one
- There are also entries in Search
& SearchURL which will be found with a "find"
- 3. Delete the unwanted bookmarks from your favorites directory (in
C:\"Documents and Settings"\your username\favorites).
- 4. You must turn off your system restore option in
the "control panel".
- Open Control Panel
- Open "system"
- Select the "system restore" tab
- Check the box which says "turn off system restore on
all drives"
- Click "apply"
- Click "OK"
- Close Control Panel
- You can uncheck the box later after the parasite is gone.
- Obviously, you must reboot & make sure this thing is
gone.
- 5. The persistence is due to a program running in the following directory:
- C:\"Documents and Settings"
- 6. This program will very likely have a random string of
letters for its name. On my machine it was
called "zYpBGti.exe" and will be found
in the above Temp directory. Use Regedit to
navigate to the following location:
- 7. You will see a long list of programs listed under the
"Run" key. You want to search for ANY program which
is running out of "Documents and Settings" - AND
DELETE IT (THEM). Record the names for later use.
- 8. Now search the registry for ALL occurrences of those names AND
DELETE THEM. I found an occurrence in the following location
(which you may want to check):
- 9. You must reboot to verify that it is gone - which can
be done by checking your favorites to see that the garbage is
absent.
- 10. It has taken me a
full week to kill this damn thing. A further suggestion is to
remove cookies and all local content before you shut down your machine
each day.
Kill regsvrac32.dll (very difficult)
- 1. The persistence is due to an entry in the Registry under
Windows/Current Version/Runonce
- 2. Use your firewall program to block IP Addresses: 81.211.105.0 - 81.211.105.255
- These are the offending URLs
- bjvvhk.t.muxa.cc
- margo.cafreedom.com
- 3. This parasite seems to be a problem on Internet Explorer
5 not Internet Explorer 6. Try to install IE 6 and see if
that makes it go away.
- 4. This parasite may not be a problem on XP but it is on
Windows ME. Here is what it does:
- It inserts an entry into the Registry under
Windows/Current Version/Runonce
- This entry is a random string of letters & numbers +
".exe"
- This program is loaded into C:\Windows\system32\
- The program starts on machine startup and runs always.
- The problem for me was that it HUNG my machine and I had to
kill it to get out of startup.
- 5. Use Regedit to remove all entries under Runonce (find "Runonce",
fix, repeat) which consist of a random sequence
of letters & digits followed by ".exe"
- 6. First solution - Install Windows XP if you
can (I couldn't due to HP software) and IE 6.
- 7. Second solution
- Download and install Mozilla (it's FREE)
from http://www.mozilla.org/
or Netscape
- Remove Internet Explorer from your system.
- Use Regedit to remove all entries under
Microsoft/Internet Explorer/
- Use Windows Explorer to search for and delete any file or
directory called Internet Explorer.
- Run with Mozilla or Netscape instead of Internet Explorer.
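The two autostart checks described above (Topotun step 7: anything under "Run" that runs out of "Documents and Settings"; regsvrac32.dll step 5: random letters and digits followed by ".exe" under Runonce) can be written as one filter. This is an added example, not part of the original page; the function names, the randomness heuristic and the sample entries are assumptions made for illustration.

```python
import ntpath
import re

def exe_path(command):
    """Pull the executable path out of a Run/RunOnce command line."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    # Unquoted paths may contain spaces, so cut at the first ".exe".
    m = re.match(r"(?i)(.*?\.exe)(\s|$)", command)
    return m.group(1) if m else command.split(" ", 1)[0]

def looks_random(stem):
    """Heuristic (an assumption, not the page's rule): letters/digits only,
    with repeated lower->upper or letter<->digit switches."""
    if not re.fullmatch(r"[A-Za-z0-9]+", stem):
        return False
    case_switches = len(re.findall(r"[a-z][A-Z]", stem))
    digit_switches = len(re.findall(r"[A-Za-z][0-9]|[0-9][A-Za-z]", stem))
    return case_switches >= 2 or digit_switches >= 2

def flag_autostart(entries):
    """entries: {value name: command line}. Returns {name: [reasons]}."""
    flagged = {}
    for name, command in entries.items():
        path = exe_path(command)
        reasons = []
        if "\\documents and settings\\" in path.lower():
            reasons.append("runs from Documents and Settings")
        stem, ext = ntpath.splitext(ntpath.basename(path))
        if ext.lower() == ".exe" and looks_random(stem):
            reasons.append("random-looking name")
        if reasons:
            flagged[name] = reasons
    return flagged

# Constructed sample. "zYpBGti.exe" is the name quoted on the page; every
# other name, the user name and the directory layout are made up.
SAMPLE_RUN = {
    "ctfmon": r"C:\WINDOWS\system32\ctfmon.exe",
    "Updater": r'"C:\Program Files\Example\updater.exe" /background',
    "zYpBGti": r"C:\Documents and Settings\alice\Local Settings\Temp\zYpBGti.exe",
    "a7k2q9x1": r"C:\Windows\system32\a7k2q9x1.exe",
}

if __name__ == "__main__":
    print(flag_autostart(SAMPLE_RUN))
```

The name heuristic only produces candidates for a manual look; the path check is the page's own criterion.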
Kill Lycos Sidesearch:
- 1. Use your firewall program to block IP Addresses: 216.74.27.20 - 216.74.27.24
- 2. Delete the Lycos Sidesearch icon from your desktop
- 3. Go to C:\program files\Lycos\Sidesearch\
and run the Uninstall program.
- 4. Go to C:\Windows\System32\
and delete the following files:
- biN.exe
- im64.dll
- in10b6s.dll
- Lycos.dll
- msbb321.dll
- msbb.exe
- ncase.ini
- sahagent1019.exe
- setup_incred_1.exe
- ss_msi1_setup.exe
- 5. Use Regedit to remove all references to Lycos or
Sidesearch or ncase
- 6. Use Windows Explorer to search for and delete any file or
directory which is called Lycos or Sidesearch.
Kill Incredifind - nasty annoying search program
- 1. Use your firewall program to block IP Address: 12.129.205.105
- 2. Go to C:\program files\Incredifind\ and delete it.
- 3. Use Regedit to remove all references to Incredifind
- 4. Use Windows Explorer to search for and delete any file or
directory which is called Incredifind.
Stop your Explorer home page from being changed to Porn
How is this done to you? Somebody has changed some settings in your Internet Explorer registry.
How do I fix this? Obviously you must delete the trash from your registry. Here is how to do it:
1. Click Start button (bottom left corner of screen)
2. Select "Run"
3. Type in "Regedit" and OK.
4. Select the following levels:
- HKEY_CURRENT_USER
- Software
- Microsoft
- Internet Explorer
- Main
- Default_Search_URL
- Local Page
- Search Bar
- Search Page
- SearchAssistant
- Start Page <= especially this one
5. Make sure all of the 6 labels have "good"
values such as http://www.google.com/
or about:blank but NO garbage links - especially ones filled with %
signs. The % signs are simply a way to HIDE what the
hijacker has put in place of your good stuff. The % is an
escape character: the two hex digits that follow it give the ASCII code
of the character. For example:
- %2E = "."
- %5C = "\"
- %41 = "A"
- %61 = "a"
6. Repeat for HKEY_LOCAL_MACHINE
- HKEY_LOCAL_MACHINE
- Software
- Microsoft
- Internet Explorer
- Main
- Default_Search_URL
- Local Page
- Search Bar
- Search Page
- SearchAssistant
- Start Page <= especially this one
7. Fix these values - which is done by
right-clicking, selecting Modify and entering the new desired value.
I suggest that you find a good string
and do a "copy" then go to the bad one and "paste"
over it. Save your changes.
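The check in step 5, written out as an added example (not part of the original page): it undoes the % escapes in the six values and reports any that were encoded or that point somewhere other than the "good" values the page names. The function names, the allow-list and the sample values are assumptions; the sample uses the reserved host www.example.invalid.

```python
from urllib.parse import unquote, urlsplit

# The six value names the page lists under ...\Internet Explorer\Main
WATCHED = ["Default_Search_URL", "Local Page", "Search Bar",
           "Search Page", "SearchAssistant", "Start Page"]

# Assumption: what counts as "good"; taken from the page's two examples.
ALLOWED_HOSTS = {"www.google.com"}
ALLOWED_LITERALS = {"about:blank"}

def decode_percent(value, max_rounds=5):
    """Undo %XX escapes, repeating in case the value was encoded twice."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def audit_main_values(values):
    """Return {name: (decoded value, [reasons])} for each suspicious entry."""
    findings = {}
    for name in WATCHED:
        raw = values.get(name)
        if raw is None:
            continue
        decoded = decode_percent(raw)
        reasons = []
        if decoded != raw:
            reasons.append("percent-encoded")
        host = (urlsplit(decoded).hostname or "").lower()
        if decoded.lower() not in ALLOWED_LITERALS and host not in ALLOWED_HOSTS:
            reasons.append("host not allowed: " + (host or "<none>"))
        if reasons:
            findings[name] = (decoded, reasons)
    return findings

# Constructed sample data, standing in for values read off in Regedit.
SAMPLE = {
    "Start Page": "http://%77%77%77%2E%65%78%61%6D%70%6C%65%2E%69%6E%76%61%6C%69%64/",
    "Search Page": "http://www.google.com/",
    "Search Bar": "about:blank",
}

if __name__ == "__main__":
    for name, (decoded, reasons) in audit_main_values(SAMPLE).items():
        print(f"{name}: {decoded}  [{', '.join(reasons)}]")
```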
What I do to protect my computer
1. Anti-Virus program - McAfee VirusScan. This
is obviously a must for everybody or your machine will be
destroyed someday.
2. Firewall - Very Important - McAfee Firewall. This
program protects against unauthorized entry from the
outside. You would be stunned if you knew how many programs
are running around just trying to find unprotected machines.
This is the only way I have found to block the Lycos Sidesearch program
and the Incredifind program which are extremely hard to stop. Here
is how to do it:
Attack them on two fronts:
First: Block the key programs from accessing the internet by adding them to the list of programs blocked by your Firewall. Block all .exe & .dll programs in the list above (#4 in Lycos Sidesearch section). They are usually found in C:\windows\system32\
Second: Block the IP addresses from which the parasites are being downloaded. To wit - add the following IP addresses to your list of IP addresses to block:
- www.f1organizer.com at IP address: 207.182.241.228
- www.lycos.com at IP address: 209.202.216.27
- www.incredifind.com at IP address: 12.129.205.105
- www.180solutions.com at IP address: 216.74.27.20
- IP address: 216.74.27.21
- IP address: 216.74.27.22
- IP address: 216.74.27.23
- bis.180solutions.com at IP address: 216.74.27.24
- www.topotun.com at IP address: 69.50.184.50
- bjvvhk.t.muxa.cc at IP address: 81.211.105.0 - 81.211.105.255
You can look up any URL using this FREE service.
3. Anti-Spam - Very Important - McAfee SpamKiller. Scans
incoming email and kills most of the spam. Allows you to define
your own filters - I have about 1000. Only problem is that it
doesn't automatically throw away the killed messages. You still
have to remove them, but it only takes a few minutes a day to delete
1000 killed messages.
4. Popup Blocker - I now use AdsGone 2004 - very nice Popup
blocker. Their website is
http://www.adsgone.com/
5. Task monitor - WinTask Pro. Gives you
documentation on most of the processes running on your machine so you
can decide which ones to kill. Allows you to block automatic
startup of those programs which are eating up your CPU time and
memory space. The worst one is "wsbb.exe". It gets put into your auto-start list and
runs actively ALL THE TIME. If you delete it with WinTask, it will re-insert itself in your
auto-start list (until it is blocked by #2 above).
http://www.liutilities.com/products/wintaskspro/
6. Anti - Adware program NoAdware. Scans
your machine for Adware and then removes it for you. You will be amazed
at how much adware gets on your machine. It found 150 items the
first time it scanned. And that was on my machine
which is pretty well protected! After #2 above, I have NO adware.
http://www.noadware.net/
7. Anti - Adware program SpySweeper. Scans
your machine for Spyware and then removes it for you. You will be amazed
at how much spyware gets on your machine. This program even finds
"traces" of stuff. When I ran it, it found like 20 files
& 2000 traces.
http://www.spysweeper.com/
8. Internet Explorer - This is the source of MOST of the
trouble.
- Open Internet Explorer
- Select Tools
- Select Internet Options
- Select Security tab
- Select Custom level
- Disable nearly everything especially scripts
- You may leave Java at high security level.
- You may allow file download (enable)
General Information: crwillis@androidworld.com