Jump to content


Photo

How To Remove 680180.net Popup


  • Please log in to reply
13 replies to this topic

#1 Skier55d

Skier55d

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 29 July 2004 - 02:07 PM

680180.net/Zamingo Removal
-----------------------------------
Symptoms:
- After IE load, every 30 seconds or so a 680180.net popup will appear followed by a popup ad.
- Some normal sites will cause IE to crash to the desktop, one example, www.csnation.net

Removal works for Windows XP Home/Professional and Windows 2K. Windows ME and 98 not tested.

After encountering the adware myself and scanning through various posts concerning this bug, I think I've figured it out. In order to identify and remove the bug you will need HijackThis. Then follow these instructions...

1. Run HijackThis and scan.
2. Look for an object that looks like one of the following:

O2 - BHO: SDWin32 Class - {YYYYYYYY-YYYY-YYYY-YYYY-YYYYYYYYYYYY} - C:\WINDOWS\System32\XXXXX.dll
O2 - BHO: (no name) - {YYYYYYYY-YYYY-YYYY-YYYY-YYYYYYYYYYYY} - C:\WINDOWS\System32\XXXXX.dll
O2 - BHO: (no name) - {YYYYYYYY-YYYY-YYYY-YYYY-YYYYYYYYYYYY} - C:\WINDOWS\System32\SWin32.dll


The XXXXX will be 5 random characters. The YYYY will be random letters and numbers.

3. Check the object that looks similar to the one above and click fix.
4. Browse to your C:\Windows\System32\ folder.
5. Look for 7 files as listed below:
- XXXXXa.xml
- XXXXXb.xml
- XXXXXc.exe
- XXXXXd.exe
- XXXXXe.xml
- XXXXXf.exe
- XXXXX.dll

(Extensions may not be the same)

The XXXXX will be the same random 5 characters from step two.
6. Delete all these files.
7. Restart your computer.

That should fix it, let me know if it doesnt work.

Edited by Skier55d, 31 July 2004 - 12:22 AM.


#2 jhj1966

jhj1966

    Member

  • Full Member
  • Pip
  • 5 posts

Posted 29 July 2004 - 11:10 PM

Does this apply only to WinXP or has anyone tried this on Win2000 or Win98se?

#3 Skier55d

Skier55d

    Member

  • Full Member
  • Pip
  • 10 posts

Posted 30 July 2004 - 09:28 PM

This works for Windows XP Home/Professional and Windows 2K. Not tested with Me or 98. Method is probably the same with system path changes (f.e. winnt instead of WINDOWS). Let me know if it doesn't work for those operating systems.

Edited by Skier55d, 31 July 2004 - 12:22 AM.


#4 Subratam

Subratam

    Silent Assasinator

  • Retired Staff
  • PipPipPipPip
  • 284 posts

Posted 30 July 2004 - 09:50 PM

Zamingo, also known as 680180.net, is an adware that displays popup ads every now and then when you are using Internet Explorer. The adware records urls visited and keywords typed and contacts to its controlling server ( Zamingo.com or 680180.net ) to retrieve related advertisements to display them as popup ads which is very annoying.

ADStartUP.exe AdUpdater.exe Swin32.dll AutoMove.exe adupdmanager.xml data.xml IEEnhancer.dll Trans.exe <-- these are the files to be named related to this crap of which IEEnhancer.dll is one common.

Regards
http://blog.emsisoft.com
www.Emsisoft.com

#5 f3llah1n

f3llah1n

    Member

  • New Member
  • Pip
  • 1 posts

Posted 31 July 2004 - 07:07 AM

well ive tried this on WinME and i have found and removed adstartup.exe, swin32.dll, adupdmanager.xml and trans.exe all in the C:\Windows\System folder and not C:\Windows|System32 as thats only for Win2k and XP I believe :unsure:

Also adupdmanager.xml was in the C:\ folder as well as C:\System

As far as I can tell its now 680180 free as it has been for about 1 hour 30 mins now and after 2 restarts

Edited by f3llah1n, 31 July 2004 - 07:40 AM.


#6 chivers

chivers

    Member

  • New Member
  • Pip
  • 1 posts

Posted 31 July 2004 - 08:02 PM

I just tried this after my virus checker and adaware and spybot and spyware blaster and spywareguard and pest patrol all failed to stop this pest.

Suddenly 680180.net is gone and IE no longer shuts down when I try to access hotmail. :D

Congratulations and thank you. :D

#7 djbilo

djbilo

    Member

  • Full Member
  • Pip
  • 1 posts

Posted 26 August 2004 - 09:30 PM

I have just performed this procedure on a Windows ME system which was infested with 680180.net and it works exactly as documented even on ME, given that you can locate your own machine's Windows System folder.

My one suggestion, for those who understand the potential implications of doing this, would be to remove the Run- key in the system registry for the XXXXX.dll which HijackThis identifies. Locate that key and delete it so the system will not keep trying to run a DLL which is not present (an orphaned Registry entry - no real harm but not a great thing either). Showing you how to edit the registry in this post is beyond the scope.

I have not tested this next idea but it seems logical. I could not quite figure out why 680180.net was so maddenly persistent until I examined the registry and realized this thing had made an entry in the Run section (duh!). I presume that simply by locating and deleting this key, one also would stop the popups but it is much more desireable to remove not only the key but also the files.

THANK YOU for this procedure. I had begun to look at more radical repair options I really did not want to have to do.

#8 tracykwok

tracykwok

    Member

  • Full Member
  • Pip
  • 16 posts

Posted 28 August 2004 - 03:58 AM

on step 7 it says: Look for 7 files as listed below:
- XXXXXa.xml
- XXXXXb.xml
- XXXXXc.exe
- XXXXXd.exe
- XXXXXe.xml
- XXXXXf.exe
- XXXXX.dll

i only found one that said BPMNT.dll. Should i delete that? I can't find any of the other files in WINDOWS so do i just delete this one?

#9 tracykwok

tracykwok

    Member

  • Full Member
  • Pip
  • 16 posts

Posted 28 August 2004 - 04:06 AM

i just followed the steps and now the 680180.net pop up is gone.

Thanks sooo much and now i can check my email =p

#10 DawsonV5

DawsonV5

    The Lurvely

  • Retired Staff - Helper
  • PipPipPip
  • 230 posts

Posted 28 August 2004 - 05:00 AM

Hi Tracykwok,

I replied to your previous thread here: http://forums.spywar...t=0

I'm glad your problem has been resolved. You are missing several Critical Windows Updates. Get these as soon as possible. You can also post a new hijackthis log to make sure you got rid of everything.

Take care :wave:

Edited by DawsonV5, 28 August 2004 - 05:03 AM.


#11 kimota

kimota

    Member

  • New Member
  • Pip
  • 1 posts

Posted 04 September 2004 - 12:15 PM

I followed Skier55d instructions, but I must have missed something. HijackThis finds the BHO and then I can find the 7, System32, files, but I can’t get rid of ‘em – I delete them and they just re-appear. It’s as if the HijackThis ‘fix’ just backs-up the BHO file but doesn’t perform a ‘fix’. I’m new to this so maybe I committing a basic error. Any help would be welcome.
:ugh:

I take it all back. I got it to work (don't know what I did differently).
Thanks for this fix.
:D

Damn if it isn't back again! This time thefiles will not delete - they just keep re-apperaing and I can't find what's re-installing them.
:wtf:

Edited by kimota, 08 September 2004 - 01:40 PM.


#12 gcoach

gcoach

    Member

  • New Member
  • Pip
  • 1 posts

Posted 11 September 2004 - 10:58 AM

please help !

i followed the steps, found and deleted the SDWin32class file and the 7 files in the windows/system32 folder and they come back as fast as i delete them..

help...thanks

#13 Roady

Roady

    Member

  • New Member
  • Pip
  • 1 posts

Posted 11 September 2004 - 02:07 PM

cheers Skier55d i have just done what you said to do and so far so good cheers for your help m8y

#14 Gibbo

Gibbo

    Member

  • New Member
  • Pip
  • 1 posts

Posted 17 September 2004 - 05:54 AM

hey Skier55d,

Thanks for the help, i can now identify what is causing this pop up. In my case, the files are called zjwhm, and I can identify all 7 in system32 (xp os). When running hijack this I can see the string relating to this aswel.

However, everytime I restart the PC, the string is there again, as is the files in system32. I have scanne dthe registry and deleted anything associated with zjwhm, but everytime the pc is restarted, its back again!!!

Can you suggest anything else that I should be looking out for?

Your helps much appreicated,

Cheers,
Mark




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button