New User? Need help? Click here to register for free! Registering removes the advertisements.

Computer Cops
image image image image image image image image
Donations
If you found this site helpful, please donate to help keep it online
Don't want to use PayPal? Try our physical address
image
Prime Choice
· Head Lines
· Advisories (All)
· Dnld of the Week!
· CCSP News Ltrs
· Find a Cure!

· Ian T's (AR 23)
· Marcia's (CO8)
· Bill G's (CO11)
· Paul's (AR 5)
· Robin's (AR 2)

· Ian T's Archive
· Marcia's Archive
· Bill G's Archive
· Paul's Archive
· Robin's Archive
image
Security Central
· Home
· Wireless
· Bookmarks
· CLSID
· Columbia
· Community
· Downloads
· Encyclopedia
· Feedback (send)
· Forums
· Gallery
· Giveaways
· HijackThis
· Journal
· Members List
· My Downloads
· PremChat
· Premium
· Private Messages
· Proxomitron
· Quizz
· RegChat
· Reviews
· Google Search
· Sections
· Software
· Statistics
· Stories Archive
· Submit News
· Surveys
· Top
· Topics
· Web Links
· Your Account
image
CCSP Toolkit
· Email Virus Scan
· UDP Port Scanner
· TCP Port Scanner
· Trojan TCP Scan
· Reveal Your IP
· Algorithms
· Whois
· nmap port scanner
· IPs Banned [?]
image
Survey
How much can you give to keep Computer Cops online?

$10 up to $25 per year?
$25 up to $50 per year?
$10 up to $25 per month?
$25 up to $50 per month?
More than $50 per year?
More than $50 per month?
One time only?
Other (please comment)



Results
Polls

Votes: 1048
Comments: 21
image
Translate
English German French
Italian Portuguese Spanish
Chinese Greek Russian
image
 Forum FAQForum FAQ   SearchSearch   UsergroupsUsergroups   ProfileProfile   Login to check your private messagesLogin to check your private messages   LoginLogin 

http://www.680180.net/ popups!! PLEASE HELP!

 
Post new topic   Reply to topic       Computer Cops Forum Index -> Hijackthis - Spyware, Viruses, Worms, Trojans Oh My!
View previous topic :: View next topic  
Author Message
mystupidcomputer

Cadet
Cadet



Joined: May 29, 2004
Posts: 3
Location: USA

PostPosted: Sat May 29, 2004 4:14 pm    Post subject: http://www.680180.net/ popups!! PLEASE HELP!
Reply with quote

Everytime I surf the net, a popup overtakes my screen. I cannot go one minute without an ad from the website http://www.680180.net/ popping up. This is a problem I encountered recently, and I am at a lost as to how to stop these really annoying popups! Please help if you can. I ran a HijackThis Scan, and this is what I got:

Logfile of HijackThis v1.97.7
Scan saved at 1:11:36 PM, on 5/29/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
C:\WINDOWS\System32\fxredir.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\AOL Companion\companion.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\Program Files\NavNT\VPC32.EXE
C:\WINDOWS\System32\MsgSys.EXE
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Norton Personal Firewall\ATRACK.EXE
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\Documents and Settings\helen\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hkcu
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hklm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0B90AA1B-F649-44C3-9FD3-736C332CBBCF} - C:\WINDOWS\System32\IEENHA~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [monitr32] C:\Program Files\Canon\MultiPASS4\monitr32.exe
O4 - HKLM\..\Run: [fxredir] C:\WINDOWS\System32\fxredir.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Antivirus] C:\WINDOWS\b.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\Adstartup.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BED220-FBC7-4392-93A2-3A50B056F78E} - http://down.plaxo.com/down/release/instub.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shoc...tor/sw.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/clas...,3,2,20802
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/C...9171296296
O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc...wflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.c..._0_2_7.cab

I've already downloaded and ran Ad-ware 6.0, CW Shredder, and SpyBot, but they havent solved the problem. Any help would be greatly appreciated! Thanks, Sarah
Back to top
View users profile Send private message
bluedog

Security Expert
Security Expert



Joined: Dec 22, 2003
Posts: 360
Location: Australia

PostPosted: Sat May 29, 2004 6:58 pm    Post subject:
Reply with quote

Hi Sarah,

Move HijackThis.exe , into its own folder..... eg:
C:\Documents and Settings\helen\Desktop\HijackThis\HijackThis.exe

Try CWShredder in Safe Mode.( check the Update button, to be sure of latest version).
It should remove some of the below entries.

Close ALL browser Windows, only have HijackThis running.
Use HiJackThis to Check the boxes beside the below entries, then click on "Fix checked" .

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hkcu

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://default-homepage-network.com/start.cgi?new-hklm

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://server224.smartbotpro.net/7search/?new-hklm


R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

O2 - BHO: (no name) - {0B90AA1B-F649-44C3-9FD3-736C332CBBCF} - C:\WINDOWS\System32\IEENHA~1.DLL

O4 - HKLM\..\Run: [Antivirus] C:\WINDOWS\b.exe

O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\Adstartup.exe

O16 - DPF: {AD7FAFB0-16D6-40C3-AF27-585D6E6453FD} -

Reboot into Safe Mode.....( tap F8 key during reboot, until the boot menu appears...use the arrow keys to choose "Safe Mode" from the menu......,then press the "Enter" key)

Make sure you can see Hidden files and Folders:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Then delete the below files and Folders:

C:\WINDOWS\b.exe <--- delete the file

C:\WINDOWS\System32\Adstartup.exe <--- delete the file

And look for and can you confirm if the below 4 files are present:

C:\WINDOWS\System32\AdUpdater.exe

C:\WINDOWS\System32\adupdmanager.xml

C:\WINDOWS\System32\data.xml

C:\WINDOWS\System32\IEEnhancer.dll

Right-click each file and choose "Properties"--"Version".
If they are all from the same maker, etc, as is "Adstartup.exe", it should be safe to move them out to a backup folder....and delete later.

Reboot computer and post back a new HJT log to this thread, please.

Run Adaware to finish cleaning up:
It is critical that you UPDATE Ad-aware, before scanning.
Ad-aware
and please read :
HOW TO PERFORM A FULL SYSTEM SCAN With ...Build 181

Remove all that Ad-aware finds.

Cheers.


So how did I get infected in the first place?
http://www.computercops.biz/postt7736.html

If you found this site helpful, please consider a small donation via Paypal link in top LH corner.


.
Back to top
View users profile Send private message
mystupidcomputer

Cadet
Cadet



Joined: May 29, 2004
Posts: 3
Location: USA

PostPosted: Mon May 31, 2004 1:15 am    Post subject: new hijack this log
Reply with quote

I have done as told, but I was unable to locate and delete b.exe and adstartup.exe. Here is my new hijackthis log:

Scan saved at 10:14:52 PM, on 5/30/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLACSD.EXE
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Norton Personal Firewall\NISSERV.EXE
C:\Program Files\Norton Personal Firewall\SymProxySvc.exe
C:\WINDOWS\System32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
C:\WINDOWS\System32\fxredir.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\AOL COMPANION\COMPANION.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
C:\Documents and Settings\helen\Desktop\HijackThis.exe
C:\WINDOWS\SYSTEM32\notepad.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Personal Firewall\IAMAPP.EXE
O4 - HKLM\..\Run: [monitr32] C:\Program Files\Canon\MultiPASS4\monitr32.exe
O4 - HKLM\..\Run: [fxredir] C:\WINDOWS\System32\fxredir.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ZingSpooler] C:\Program Files\Common Files\Zing\ZingSpooler.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar (HKLM)
O9 - Extra 'Tools' menuitem: AOL Toolbar (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shoc...tor/sw.cab
O16 - DPF: {5E943D9C-F8DC-4258-8E3F-A61BB3405A33} (ZingBatchAXDwnl Class) - http://www.imagestation.com/common/clas...,3,2,20802
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shoc...wflash.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.c..._0_2_7.cab

Thanks a bunch, Sarah
Back to top
View users profile Send private message
bluedog

Security Expert
Security Expert



Joined: Dec 22, 2003
Posts: 360
Location: Australia

PostPosted: Mon May 31, 2004 4:09 am    Post subject:
Reply with quote

Hi Sarah,

Only 1 to fix.
Close all windows, and have HJT FIX the below:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost

Reboot computer.

Do you still get 680180.net popups?

If b.exe and adstartup.exe are not there, OK.

Did you find any of the below files:

Quote:
And look for and can you confirm if the below 4 files are present:

C:\WINDOWS\System32\AdUpdater.exe

C:\WINDOWS\System32\adupdmanager.xml

C:\WINDOWS\System32\data.xml

C:\WINDOWS\System32\IEEnhancer.dll

Right-click each file and choose "Properties"--"Version".
If they are all from the same maker, etc, as is "Adstartup.exe", it should be safe to move them out to a backup folder....and delete later.


And it would be a good move to update to XP SP1 and IE6 SP1, as well as all the other Microsoft Critical updates from http://windowsupdate.microsoft.com.

Cheers.
Back to top
View users profile Send private message
mystupidcomputer

Cadet
Cadet



Joined: May 29, 2004
Posts: 3
Location: USA

PostPosted: Mon May 31, 2004 1:35 pm    Post subject: yay!
Reply with quote

I deleted
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost

C:\WINDOWS\System32\adupdmanager.xml

C:\WINDOWS\System32\data.xml

C:\WINDOWS\System32\IEEnhancer.dll

And the popups have stopped! Thank you SO VERY MUCH!! Web browsing is not so aggravating anymore!
Laughing Very Happy Razz
Back to top
View users profile Send private message
bluedog

Security Expert
Security Expert



Joined: Dec 22, 2003
Posts: 360
Location: Australia

PostPosted: Mon May 31, 2004 2:56 pm    Post subject:
Reply with quote

Thanks for the feedback, Smile

Thanks for shopping at Computer Cops Smile

Cheers
Back to top
View users profile Send private message
jella_webdiva_popqueen

Cadet
Cadet



Joined: Jun 09, 2004
Posts: 2
Location: USA

PostPosted: Wed Jun 09, 2004 9:11 pm    Post subject: HOW TO COMPLETELY DELETE www.680180.net IN YOUR SYSTEM
Reply with quote

Razz [b]CHEERS!!!!! [/b]i mined the internet for this solution for all you peeps out there having trouble with this nasty pop-up! here goes:

680180.net fix - Negafox on Wednesday, May 26 2004

For the victims of the 680180.net <A TITLE="Click for more information about <A TITLE="Click for more information about adware" STYLE="text-decoration: none; border-bottom: medium solid green;" HREF="http://messagebroadcaster.net/bannerfarm/link/sw/sw.htm">adware</A>" STYLE="text-decoration: none; border-bottom: medium solid green;" HREF="http://messagebroadcaster.net/bannerfarm/link/sw/sw.htm">adware</A>, there is information on what system changes were made in the setupapi.log in the Windows directory. Here are some of the files that need to be deleted to resolve the popup issues:

Click START & go to MY COMPUTER, right-click then click EXPLORE & click the WINDOWS folder then click SYSTEM 32 folder then find the following below & delete it. Just delete ADStartUP.exe, all the files names listed below(delete AdUpdater.exe, adupmanager.xml, data.xml, IEEnhancer.dll) & not the full links here. Also u might not be able to delete ADStartUP.exe right away but follow the instructions here below on the registry edit & u can go back & delete the ADStartUP.exe & the rest... it works coz my zamingo.com & 680180.net pop-ups disappeared. any questions send me a PM.

%Windir%\System32\ADStartUP.exe
%Windir%\System32\AdUpdater.exe
%Windir%\System32\adupdmanager.xml
%Windir%\System32\data.xml
%Windir%\System32\IEEnhancer.dll

After deleting these files from your system you will need to delete a registry entry:


Click the "Start" button on the taskbar

Click "Run..."

Type "regedit" and click the "OK" button

Click the "Start" button on the taskbar

Open the "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" registry key

Right-click "Adstartup" and click "Delete"


This should resolve the issue. Special thanks to Vincent Deneve for his contribution on the issue.



12.jpg
 Description:
 Filesize:  2.98 KB
 Viewed:  6047 Time(s)

12.jpg


Back to top
View users profile Send private message
GaryJ123

Cadet
Cadet



Joined: Jun 17, 2004
Posts: 1
Location: UK

PostPosted: Thu Jun 17, 2004 11:24 am    Post subject:
Reply with quote

Thanks jella_webdiva_popqueen your posted fix helped me remove this frustrating adware/spyware. However there was an additional file I needed to remove from my computer

%windir%\system32\retpdat32.xml

cheers
Gary
Back to top
View users profile Send private message
Jimi_Hendrix

Cadet
Cadet



Joined: Jun 16, 2004
Posts: 8
Location: UK

PostPosted: Thu Jun 17, 2004 2:09 pm    Post subject:
Reply with quote

i deleted another one too called "sp32.xml" from the same directory u listed above.


still having trouble with them - everytime i run regedit - it shows:

Adstartup
REG_SZ
c:\windows\system32\automove.exe

and i can't find that file in that folder anywhere - not even in safe mode with view all files turned on!! Sad

i delete it from the registry and it puts itself back when i open an IE window Sad

any help? thanks

my post here: http://computercops.us/postt50901.html
Back to top
View users profile Send private message
Jimi_Hendrix

Cadet
Cadet



Joined: Jun 16, 2004
Posts: 8
Location: UK

PostPosted: Thu Jun 17, 2004 3:19 pm    Post subject:
Reply with quote

nevermind - sorted it!

delete %windir\system32\swin32.dll

was the answer! Very Happy
Back to top
View users profile Send private message
Display posts from previous:   
Post new topic   Reply to topic       Computer Cops Forum Index -> Hijackthis - Spyware, Viruses, Worms, Trojans Oh My! All times are GMT - 5 Hours
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB 2.0.8a © 2001 phpBB Group

Version 2.0.6 of PHP-Nuke Port by Tom Nitzschner © 2002 www.toms-home.com
Version 2.2 by Paul Laudanski © 2003-2004 Computer Cops