
PROBLEMS with BHO(Browser Helper Objects) aka Zamingo aka 680180.net


Dekwan (Technical User), Nov 1, 2004, GB
Can anyone provide assistance with annoying popups from 680180.net? I unfortunately cannot find anywhere how to eradicate this problem. I cannot access any Hotmail accounts as the window disappears when the account details are entered, and I cannot access any other sites that have popups that I need to access their sites.

I have run Ad-aware, PestPatrol, TDS-3 but apparently this is not a virus or adware so it cannot be located in the scans.

Can anyone provide any workable solutions as I have looked at so many webpages and even though people have tried different methods, the problems persist.
 
Sounds like malware to me ...

I can't visit the site right now to see what's going on with it as I'm using IE, but in the meantime, have you tried Hijackthis?


Yeah, I'd say it is malware. As I mentioned above, try Hijackthis and also try Spybot. Also, what OS are you running with which Service Pack?

----------------------------
"Security is like an onion" - Unknown
 
Very interesting. The source code for 680180.net is:

Code:
<html>
	<head>
	<title>-</title>
		<script language="javascript">
//			document.write("<IFRAME SRC='http://www.waytofind.com/realtraffic/?tsreal=9' WIDTH='0' HIEGHT='0' FRAMEBORDER='0'></IFRAME>");
			
//disable right mouse click
			function clickIE4(){
				if (event.button==2){
					return false;
				}
			}
			function clickNS4(e){
				if (document.layers||document.getElementById&&!document.all){
					if (e.which==2||e.which==3){
						return false;
					}
				}
			}
			if (document.layers){
				document.captureEvents(Event.MOUSEDOWN);
				document.onmousedown=clickNS4;
			}
			else if (document.all&&!document.getElementById){
				document.onmousedown=clickIE4;
			}
			document.oncontextmenu=new Function("return false")
		</script>
	</head>
	
	<body>
		<script language="javascript">
			self.moveTo( 10000, 10000 );  

		</script>
		<script language="javascript" src="http://server.trafficaces.com/display.php?pub=146&type=9"></script>

	
	</body>
</html>

takes you to this source code:
Code:
w = window.open("http://server.trafficaces.com/show_pop.php?media_id=201","poppy","width=800,height=600,top=10000,left=10000"); w.blur(); window.focus(); setTimeout( "w.close()", 25000 );

and goes to which in turn loads a page with dynamic "search results."

----------------------------
"Security is like an onion" - Unknown
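The pop-under trick quoted in the post above can be flagged statically. This is an added example, not code from the thread or from any of the sites it names: it scans page source for the indicators those two snippets show (a window moved thousands of pixels off-screen, a window.open with off-screen top/left, context-menu suppression, a timed close, and a script pulled from a third-party host). The sample page, the 5000-pixel threshold and the page's own hostname are assumptions.

```python
import re

# Constructed sample: the essential parts of the 680180.net page and of the script
# it pulls in, as quoted in the thread (not the full page).
SAMPLE_HTML = """<html><head><script language="javascript">
document.oncontextmenu=new Function("return false")
</script></head><body>
<script language="javascript">self.moveTo( 10000, 10000 );</script>
<script language="javascript" src="http://server.trafficaces.com/display.php?pub=146&type=9"></script>
<script>w = window.open("http://server.trafficaces.com/show_pop.php?media_id=201","poppy",
"width=800,height=600,top=10000,left=10000"); w.blur(); window.focus(); setTimeout( "w.close()", 25000 );
</script></body></html>"""

OFFSCREEN = 5000  # assumption: no real display reaches this far, so such coordinates mean "hide me"

def scan_page(html: str, own_host: str) -> list:
    """Return a list of pop-under indicators found in the page source."""
    findings = []
    # 1. The page moves its own window far off-screen (self.moveTo in the quoted source).
    for x, y in re.findall(r"\bmoveTo\s*\(\s*(\d+)\s*,\s*(\d+)\s*\)", html):
        if int(x) >= OFFSCREEN or int(y) >= OFFSCREEN:
            findings.append(f"window moved off-screen: moveTo({x}, {y})")
    # 2. window.open with off-screen top/left features, i.e. a hidden pop-under.
    for args in re.findall(r"window\.open\(([^)]*)\)", html):
        coords = {k: int(v) for k, v in re.findall(r"\b(top|left)=(\d+)", args)}
        if any(v >= OFFSCREEN for v in coords.values()):
            url = re.search(r"['\"]([^'\"]+)['\"]", args)
            findings.append(f"hidden pop-under: {url.group(1) if url else '?'} at {coords}")
    # 3. Context-menu suppression keeps the user from inspecting the page.
    if re.search(r"oncontextmenu\s*=.*return false", html):
        findings.append("context menu disabled")
    # 4. Timed close of the opened window, so the pop-under vanishes on its own.
    t = re.search(r"setTimeout\(\s*['\"][^'\"]*\.close\(\)['\"]\s*,\s*(\d+)", html)
    if t:
        findings.append(f"pop-under auto-closed after {t.group(1)} ms")
    # 5. Scripts pulled from hosts other than the page's own (the ad network in the thread).
    for src, host in re.findall(r"<script[^>]+src=['\"](https?://([^/'\"]+)[^'\"]*)['\"]", html):
        if host.lower() != own_host.lower():
            findings.append(f"third-party script from {host}: {src}")
    return findings
```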
 
Thank you TM for such a detailed response.

I am using XP Home edition SP2.

I haven't used Hijackthis as I have seen that quite a few people have been warned on their use of it and others seem to say that their problems still persist.

Could you perhaps provide some assistance on how to use HijackThis correctly?

Would it work if I got exactly the same pc, but clean, and copied the registry from it and opened it in the infected system as a registry backup and reinstalled IE??

p.s. Does 680180.net stop popups from other sites displaying?
 
You are welcome and I'd be happy to give you assistance on using Hijackthis. :) The thing to remember about Hijackthis is that like anything else, it won't necessarily get you completely clean, but it does help. I'm curious how you found out it was Zamingo, because I couldn't find anything about it until I searched for Zamingo. :(

As for cleaning it up and putting it on the other pc's, it might work, couldn't hurt to try, but don't hold your breath.

As for 680180.net, somewhere along the line, I guess an ActiveX control was installed, so it is possible.

provides some removal instructions as well. :)

----------------------------
"Security is like an onion" - Unknown
 
TM, I've finally run HijackThis and here is the log. I have my suspicions about a few of them but unsure.

Anything that should definitely not be on here???


Logfile of HijackThis v1.98.2
Scan saved at 22:39:27, on 03/11/2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\BT Digital Access USB\vstartx.exe
C:\Program Files\BT Digital Access USB\gisdnlog.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
c:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
c:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\BT Digital Access USB\gsyno.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\Grisoft\AVG6\AVGCC32.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 64.91.255.87
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: adlog Class - {22B9A67D-E689-44B6-B775-0E8FE84B4F9B} - C:\WINDOWS\system32\hriwegc.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: SDWin32 Class - {E237BAE8-05CD-4A13-8318-4D2694A3BB69} - C:\WINDOWS\System32\wqsee.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [GazelDisplay] "C:\Program Files\BT Digital Access USB\gsyno.exe" -h
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [PP8 Reminder] "C:\Program Files\Scansoft\PaperPort\WebEreg\NAVBrowser.exe" -r "C:\Program Files\Scansoft\PaperPort\WebEreg\navLoad.ini"
O4 - HKLM\..\Run: [OneTouch Monitor] "C:\Program Files\Xerox One Touch\OneTouchMon.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab -
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) -
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) -
O16 - DPF: {3F2705D0-C9D8-4020-A15C-E495A0050EC6} (Easywebinstaller Control) -
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{5107E724-9E4B-4830-BC10-F5EBA3A9CBF8}: NameServer = 213.1.119.97 213.1.119.98
O17 - HKLM\System\CCS\Services\Tcpip\..\{AC68C384-F99C-4CD0-9CB6-F08C473246EC}: NameServer = 213.1.119.100 213.1.119.99
 
Hi there,

after reading your HiJackThis Log, I noticed the following, which could cause or are the Problems:


O1 - Hosts: 64.91.255.87 --- this should be either deleted or changed to IP address 127.0.0.1, deleting would remove it from your Host file, whereas changing the IP address would render future contact to said webpage straight to your PC, in other words no outside contact possible (this is only if you protect the HOST file against changes afterwards)....

the following can be deleted:

O2 - BHO: adlog Class - {22B9A67D-E689-44B6-B775-0E8FE84B4F9B} - C:\WINDOWS\system32\hriwegc.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: SDWin32 Class - {E237BAE8-05CD-4A13-8318-4D2694A3BB69} - C:\WINDOWS\System32\wqsee.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)

then I would also check your AutoStart progies, as to what is loading at BOOT... you can use HiJackThis as well to do this...

PS - suggestions from others are welcome, as well as to your LOG and to my Fixes...



Ben

If it works don't fix it! If it doesn't use a sledgehammer...
 
This appears to be part of Zamingo:

O2 - BHO: adlog Class - {22B9A67D-E689-44B6-B775-0E8FE84B4F9B} - C:\WINDOWS\system32\hriwegc.dll
O2 - BHO: SDWin32 Class - {E237BAE8-05CD-4A13-8318-4D2694A3BB69} - C:\WINDOWS\System32\wqsee.dll
------------------------
Definitely remove:

O16 - DPF: {3F2705D0-C9D8-4020-A15C-E495A0050EC6} (Easywebinstaller Control) -
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
------------------------
I don't see anything else that immediately jumps out at me, but I'm not sure about the following.

------------
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
-------------------------------------
Now, the reason I say I'm not sure about these is either because the files are missing, or I'm not sure if you purposely installed them (ie, set these pages in IE)

----------------------------
"Security is like an onion" - Unknown
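Ben's and TechieMichael's reading of the log above can be written down as rules. This is an added example, not code from the thread or from HijackThis itself: it parses the O1/O2/O9/O16 line formats shown in the log and gives each entry a verdict along the lines the two of them used (dead registrations go, unnamed or system32-resident BHOs are the Zamingo suspects, the hosts redirect and the downloaded ActiveX control need a closer look). The hostname and download URL in the sample are placeholders, since the quoted log lost them, and the system32 heuristic is an assumption.

```python
import re

# Constructed sample built from the entries the thread discusses; the O1 hostname and
# the O16 download URL were stripped from the quoted log, so they are placeholders.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.2
O1 - Hosts: 64.91.255.87 placeholder-host.invalid
O2 - BHO: (no name) - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: adlog Class - {22B9A67D-E689-44B6-B775-0E8FE84B4F9B} - C:\WINDOWS\system32\hriwegc.dll
O2 - BHO: SDWin32 Class - {E237BAE8-05CD-4A13-8318-4D2694A3BB69} - C:\WINDOWS\System32\wqsee.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O16 - DPF: {3F2705D0-C9D8-4020-A15C-E495A0050EC6} (Easywebinstaller Control) - http://placeholder.invalid/control.cab
"""

ENTRY = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
BHO = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
HOSTS = re.compile(r"^Hosts: (?P<ip>\d+\.\d+\.\d+\.\d+)")
DPF = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\} \((?P<name>[^)]*)\)")

def triage(log: str) -> list:
    """Give every HijackThis entry a verdict: remove, suspect, review or ok, with a reason."""
    out = []
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header lines and the running-process list are not entries
        sec, body = m.group("sec"), m.group("body")
        verdict, why = "ok", ""
        if sec == "O2" and (b := BHO.match(body)):
            if b["path"] == "(no file)":
                verdict, why = "remove", "orphaned BHO registration; its DLL no longer exists"
            elif b["name"] == "(no name)" or re.search(r"\\windows\\system32\\", b["path"], re.I):
                # Heuristic (assumption): vendor BHOs live under their own Program Files directory.
                verdict, why = "suspect", "unnamed or system32-resident BHO, pattern of adware such as Zamingo"
        elif sec == "O9" and body.endswith("(file missing)"):
            verdict, why = "remove", "button or menu item points at a file that is gone"
        elif sec == "O1" and (h := HOSTS.match(body)):
            if h["ip"] not in ("127.0.0.1", "0.0.0.0"):
                verdict, why = "review", f"hosts entry sends a name to {h['ip']}; confirm it was added on purpose"
        elif sec == "O16":
            d = DPF.match(body)
            verdict, why = "review", f"downloaded ActiveX control '{d['name'] if d else body}'; keep only if the publisher is known"
        out.append({"section": sec, "entry": body, "verdict": verdict, "reason": why})
    return out

def entries_to_remove(log: str) -> list:
    return [v["entry"] for v in triage(log) if v["verdict"] == "remove"]
```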
 
BigBadBen: I did some research, and O1 - Hosts: 64.91.255.87 is perfectly fine. Go to that IP address, it takes you to the correct website. I'm guessing their DNS hasn't gone through correctly yet or something.

----------------------------
"Security is like an onion" - Unknown
 
@TechieMichael - it shouldn't be in the HOST file though... if I enter the IP address I get to DiamondCS's ( website,I guess that it is a redirection... on my browser (FireFox) gets blocked (either due to the SpyBot or IESpyAd Hostfile/Registry entries) it comes up as (landing.domainsponsor.com) and I get no entry... this is why I mentioned it... but thanx nevertheless...



Ben

If it works don't fix it! If it doesn't use a sledgehammer...
 
Sorry, my fault. I was referring to the software that the person installed (from that company, an anti-trojan scanner), and that software made the change. At least that is what the google groups discussions seem to point to. :) I agree though, it shouldn't have been added to the hosts file.

----------------------------
"Security is like an onion" - Unknown
 