680180.net pop up problem

yokmeister · 10-05-2005, 04:50 AM

hi guys....

would appreciate it if someone could offer some advise here...

i have a dell optiplex gx270 here, winxp pro, sp2, all updated, ive installed and run the microsoft beta spyware proggy which has cleaned a few bits of spyware up... i havnt really come across anything that the microsoft beta spyware prog cant remove until now... i get small pop ups constantly which are 680180.net pop ups... heres my log, nothing stands out at me, i hope some of you guys can offer some expert opinion :)

cheers if anyone can

Logfile of HijackThis v1.99.1
Scan saved at 11:39:38, on 05/12/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\PROGRA~1\NETSUP~1\client32.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Automatic Update\AutoUpdate.exe
C:\PROGRA~1\CA\ETRUST~1\realmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avaya\INDeX Taskbar\INDeXTaskBar.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/u...en/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://coop/connect/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://coop/CONNECT/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SDWin32 Class - {44158F2B-170F-4E85-91AB-A002ECD8A731} - C:\WINDOWS\System32\zetmn.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AutoUpdate] C:\Program Files\Automatic Update\AutoUpdate.exe
O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: INDeX Taskbar.lnk = C:\Program Files\Avaya\INDeX Taskbar\INDeXTaskBar.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://coop/CONNECT/
O15 - Trusted Zone: http://*.amadeuscruise.com (HKLM)
O16 - DPF: {051FE707-9706-11D5-A836-000102A7C938} (Amadeus Automatic Update) - http://gb.amadeuscruise.com/Automati...oUpdateATL.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1127896464921
O16 - DPF: {665C05C1-517D-11D3-BE4A-00008322ED5D} (MSIInspect.Inspector) - http://gb.amadeuscruise.com/common/cabs/MSIInspect.CAB
O16 - DPF: {9145A52A-9B22-4858-AEE7-74D6C7D3F366} (BrowserConfig Class) - https://go6d.wspan.com/secure/DLLs/WSBrowserConfig.cab
O16 - DPF: {9C067552-A98D-11D3-BE8E-0000832BD4E5} (CCCertInfo4 Class) - http://gb.amadeuscruise.com/common/c...ficateinfo.CAB
O16 - DPF: {CE7C3CF0-4B15-11D1-ABED-709549C10000} - https://go2d.wspan.com/secure/DLLs/IEHelper.cab
O16 - DPF: {E99BF99C-5D95-11D4-A0EC-00500489A32D} (WSFileIO Class) - https://go2d.wspan.com/secure/DLLs/WSFileIO.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AC1F47EC-1DE8-4779-9A4F-F7DC92849E53}: NameServer = 172.30.14.100,10.1.14.104
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Client32 - NetSupport Ltd - C:\PROGRA~1\NETSUP~1\client32.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe

sUBs · 10-05-2005, 03:42 PM

Uninstall this program, if present, using Add/Remove programs:

Automatic Update

Have HijackThis fix these entries:

O2 - BHO: SDWin32 Class - {44158F2B-170F-4E85-91AB-A002ECD8A731} - C:\WINDOWS\System32\zetmn.dll
O4 - HKLM\..\Run: [AutoUpdate] C:\Program Files\Automatic Update\AutoUpdate.exe

Delete this folder - C:\Program Files\Automatic Update

Start HiJackThis & go to Config>Misc.Tools> Delete a file on reboot...

In the popup box that appears, type in C:\WINDOWS\System32\zetmn.dll
Click the Open button.
Click YES when prompted to restart your computer.

After you have rebooted, Go to Start> Run - type cleanmgr (this starts Windows DiskCleanup)

Select Drive C: & click the 'OK' button
Select the following options:
- Temporary Internet Files
- Temporary Files
Click the 'OK' button

Perform an online scan with Internet Explorer with Panda ActiveScan

Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
Click Scan Now
Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls

Begin the scan by selecting My Computer

If it finds any malware, it will offer you a report.
Click on see report. Then click Save report

Post the contents of the report in your next reply along with a new HJT log

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan

yokmeister · 10-06-2005, 01:58 AM

many thanks for your quick response....

i did everything you suggested and it seems to be fine now, many thanks again for your quick response

kindest regards

yokmeister

sUBs · 10-06-2005, 02:08 AM

May I have a look at the Panda report & the new HJT log?

yokmeister · 10-06-2005, 03:05 AM

damn, sorry... i didnt think about doing that before i sent the pc back to the user, its currently on the way down the motorway im afraid... sorry, i'll make sure i do that next time :)

sUBs · 10-06-2005, 03:07 AM

It's alright. Just wanna make sure it's 100% okay

10-05-2005, 04:50 AM	#1 (permalink)
yokmeister Registered User Join Date: Oct 2005 Posts: 3 OS: multiple	680180.net pop up problem hi guys.... would appreciate it if someone could offer some advise here... i have a dell optiplex gx270 here, winxp pro, sp2, all updated, ive installed and run the microsoft beta spyware proggy which has cleaned a few bits of spyware up... i havnt really come across anything that the microsoft beta spyware prog cant remove until now... i get small pop ups constantly which are 680180.net pop ups... heres my log, nothing stands out at me, i hope some of you guys can offer some expert opinion :) cheers if anyone can Logfile of HijackThis v1.99.1 Scan saved at 11:39:38, on 05/12/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Intel\ASF Agent\ASFAgent.exe C:\PROGRA~1\NETSUP~1\client32.exe C:\Program Files\Dell\OpenManage\Client\Iap.exe C:\Program Files\CA\eTrust Antivirus\InoRpc.exe C:\Program Files\CA\eTrust Antivirus\InoRT.exe C:\Program Files\CA\eTrust Antivirus\InoTask.exe C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe C:\WINDOWS\system32\spoolsv.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\Explorer.EXE C:\Program Files\Automatic Update\AutoUpdate.exe C:\PROGRA~1\CA\ETRUST~1\realmon.exe C:\Program Files\Microsoft AntiSpyware\gcasServ.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Avaya\INDeX Taskbar\INDeXTaskBar.exe C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe C:\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/u...en/default.htm R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://coop/connect/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://coop/CONNECT/ O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx O2 - BHO: SDWin32 Class - {44158F2B-170F-4E85-91AB-A002ECD8A731} - C:\WINDOWS\System32\zetmn.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe O4 - HKLM\..\Run: [AutoUpdate] C:\Program Files\Automatic Update\AutoUpdate.exe O4 - HKLM\..\Run: [Realtime Monitor] C:\PROGRA~1\CA\ETRUST~1\realmon.exe -s O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - Global Startup: INDeX Taskbar.lnk = C:\Program Files\Avaya\INDeX Taskbar\INDeXTaskBar.exe O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O14 - IERESET.INF: START_PAGE_URL=http://coop/CONNECT/ O15 - Trusted Zone: http://*.amadeuscruise.com (HKLM) O16 - DPF: {051FE707-9706-11D5-A836-000102A7C938} (Amadeus Automatic Update) - http://gb.amadeuscruise.com/Automati...oUpdateATL.CAB O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1127896464921 O16 - DPF: {665C05C1-517D-11D3-BE4A-00008322ED5D} (MSIInspect.Inspector) - http://gb.amadeuscruise.com/common/cabs/MSIInspect.CAB O16 - DPF: {9145A52A-9B22-4858-AEE7-74D6C7D3F366} (BrowserConfig Class) - https://go6d.wspan.com/secure/DLLs/WSBrowserConfig.cab O16 - DPF: {9C067552-A98D-11D3-BE8E-0000832BD4E5} (CCCertInfo4 Class) - http://gb.amadeuscruise.com/common/c...ficateinfo.CAB O16 - DPF: {CE7C3CF0-4B15-11D1-ABED-709549C10000} - https://go2d.wspan.com/secure/DLLs/IEHelper.cab O16 - DPF: {E99BF99C-5D95-11D4-A0EC-00500489A32D} (WSFileIO Class) - https://go2d.wspan.com/secure/DLLs/WSFileIO.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{AC1F47EC-1DE8-4779-9A4F-F7DC92849E53}: NameServer = 172.30.14.100,10.1.14.104 O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe O23 - Service: Client32 - NetSupport Ltd - C:\PROGRA~1\NETSUP~1\client32.exe O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe

10-05-2005, 03:42 PM	#2 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,489 OS: N/A	Uninstall this program, if present, using Add/Remove programs: Automatic Update Have HijackThis fix these entries: O2 - BHO: SDWin32 Class - {44158F2B-170F-4E85-91AB-A002ECD8A731} - C:\WINDOWS\System32\zetmn.dll O4 - HKLM\..\Run: [AutoUpdate] C:\Program Files\Automatic Update\AutoUpdate.exe Delete this folder - C:\Program Files\Automatic Update Start HiJackThis & go to Config>Misc.Tools> Delete a file on reboot... In the popup box that appears, type in C:\WINDOWS\System32\zetmn.dll Click the Open button. Click YES when prompted to restart your computer. After you have rebooted, Go to Start> Run - type cleanmgr (this starts Windows DiskCleanup) Select Drive C: & click the 'OK' button Select the following options: Temporary Internet Files Recycle Bin Temporary Files Click the 'OK' button Perform an online scan with Internet Explorer with Panda ActiveScan Click Scan your PC & a 'pop up' window shall appear. ensure that your pop up blocker doesn't block it Click Scan Now* Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls Begin the scan by selecting My Computer If it finds any malware, it will offer you a report. Click on see report. Then click Save report Post the contents of the report in your next reply along with a new HJT log You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report. Turn off the real time scanner of any existing antivirus program while performing the online scan __________________ Question - what have you done for the community today?

10-06-2005, 02:08 AM	#4 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,489 OS: N/A	May I have a look at the Panda report & the new HJT log? __________________ Question - what have you done for the community today?

10-06-2005, 03:07 AM	#6 (permalink)
sUBs Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy Join Date: May 2005 Posts: 24,489 OS: N/A	It's alright. Just wanna make sure it's 100% okay __________________ Question - what have you done for the community today?

10-06-2005, 01:58 AM	#3 (permalink)
yokmeister Registered User Join Date: Oct 2005 Posts: 3 OS: multiple	many thanks for your quick response.... i did everything you suggested and it seems to be fine now, many thanks again for your quick response kindest regards yokmeister

10-06-2005, 03:05 AM	#5 (permalink)
yokmeister Registered User Join Date: Oct 2005 Posts: 3 OS: multiple	damn, sorry... i didnt think about doing that before i sent the pc back to the user, its currently on the way down the motorway im afraid... sorry, i'll make sure i do that next time :)