608180.net problem - hijackthis logfile help req!

Discussion in 'Computer Support' started by Lord Retsudo, Aug 8, 2004.

  1. Lord Retsudo

    Lord Retsudo Guest

    A PC that I use at work has somehow got this horrible 608180.net thing
    on it, meaning constant pop-ups, windows closing down, etc.

    I've read several articles about removing it, but nothing has yet
    worked. I've also run both Ad-aware and Spybot, both of which find
    things (Seekseek, DSO Exploit and Virtual Bouncer mainly), but after
    I've fixed them, the problems just come back again.

    Below is the Hijackthis log for the PC - if someone could tell me
    whether any of this stuff needs deleting then that would be great as
    it's driving me mad!

    ---------------------------------
    Logfile of HijackThis v1.98.2
    Scan saved at 12:48:19, on 08/08/04
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v5.00 (5.00.2919.6304)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\COMMON FILES\EPSON\EBAPI\SAGENT2.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\RTVSCN95.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\DEFWATCH.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\LOGWAT95.EXE
    C:\PROGRAM FILES\NORTON ANTIVIRUS\VPTRAY.EXE
    C:\WINDOWS\SYSTEM\QTTASK.EXE
    C:\WINDOWS\WOVAX.EXE
    C:\WINDOWS\RunDLL.exe
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\HIJACK\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.invista.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = webproxy.eur.webdti.com:80
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.*.webdti.com;*.webdti.com;*.*.dupont.com;*.dupont.com;<local>
    R3 - URLSearchHook: URLSearch Class - {965A592F-8EFA-4250-8630-7960230792F1} - C:\WINDOWS\SYSTEM\CDSM32.DLL
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_17_0.DLL
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: SDWin32 Class - {4693BD20-E209-11D8-9A80-00B0D09A08A3} - C:\WINDOWS\SYSTEM\UHMRX.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRAM FILES\YAHOO!\COMPANION\INSTALLS\CPN\YCOMP5_3_17_0.DLL
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [TCASUTIEXE] TCAUDIAG.EXE -off
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [LogWatch] C:\WINDOWS\LogWat95.exe
    O4 - HKLM\..\Run: [InitSD] C:\SYSMGT\TNGSD\bin\initSD.exe
    O4 - HKLM\..\Run: [vptray] C:\Program Files\Norton AntiVirus\vptray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
    O4 - HKLM\..\Run: [MSN Manager] C:\WINDOWS\cvss.exe
    O4 - HKLM\..\Run: [wovax] C:\WINDOWS\wovax.exe
    O4 - HKLM\..\Run: [aqadcup] C:\WINDOWS\aqadcup.exe
    O4 - HKLM\..\Run: [uhmrxc] C:\WINDOWS\SYSTEM\uhmrxc.exe
    O4 - HKLM\..\RunServices: [AutoShutdown] C:\WINDOWS\pssvc.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SAgent2ExePath] C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O4 - HKLM\..\RunServices: [rtvscn95] C:\Program Files\Norton AntiVirus\rtvscn95.exe
    O4 - HKLM\..\RunServices: [defwatch] C:\Program Files\Norton AntiVirus\defwatch.exe
    O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\RunServices: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
    O4 - HKCU\..\RunServicesOnce: [washindex] C:\Program Files\Washer\washidx.exe
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: Dell Home - {76BD7EA0-1C3D-11D4-9A2E-00B0D0383BC0} - http://www.dellnet.com (file missing) (HKCU)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O12 - Plugin for .pdf&pt=&ac=&qs: C:\PROGRA~1\INTERN~1\PLUGINS\nppdf32.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www1.lvs.dupont.com/welcome/
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst0401.cab


    TIA, Tom
     
    Lord Retsudo, Aug 8, 2004
    #1

  2. Lord Retsudo

    nota chance Guest

    Waste R1, O2, O9 to start, re-boot, see if it helps. I would, as a general
    rule, waste only (noname) or weird web addresses if I were running it on
    mine.
     
    nota chance, Aug 8, 2004
    #2

  3. Lord Retsudo

    deez Guest

    (Lord Retsudo) wrote message
    news::

    > A PC that I use at work has somehow got this horrible
    > 608180.net thing on it, meaning constant pop-ups, windows
    > closing down, etc.
    >
    > I've read several articles about removing it, but nothing has
    > yet worked. I've also run both Ad-aware and Spybot, both of
    > which find things (Seekseek, DSO Exploit and Virtual Bouncer
    > mainly), but after I've fixed them, the problems just come
    > back again.
    >
    > Below is the Hijackthis log for the PC - if someone could tell
    > me whether any of this stuff needs deleting then that would be
    > great as it's driving me mad!
    >
    > ---------------------------------
    > Logfile of HijackThis v1.98.2
    > Scan saved at 12:48:19, on 08/08/04
    > Platform: Windows 98 SE (Win9x 4.10.2222A)
    > MSIE: Internet Explorer v5.00 (5.00.2919.6304)

    cut

    Post your log here
    http://forums.spywareinfo.com/

    Good luck
     
    deez, Aug 8, 2004
    #3
  4. Lord Retsudo

    nota chance Guest

    Another thing: try to update your IE browser to 6.01 at least; 5 is full of
    holes as well.
     
    nota chance, Aug 8, 2004
    #4
  5. Lord Retsudo

    °Mike° Guest

    Before you proceed, make sure that you have
    SpyBot S&D and Ad-Aware updated.

    Be sure to download and install the Ad-Aware
    VX2 cleaner plug-in
    http://www.lavasoftusa.com/software/plugins/vx2cleaner.shtml

    Download SpHjfix fix.
    http://www.trojaner-info.de/cgi-bin/download.cgi?file=sphjfix

    Download AboutBuster
    http://tools.zerosrealm.com/AboutBuster.zip

    Download CWShredder
    http://www.spywareinfo.com/~merijn/cwschronicles.html


    Boot into Safe Mode once that's done. As soon as you
    have booted into Safe Mode, empty your TEMP folder,
    your Temporary Internet Files (including Offline Content),
    and your IE History.

    Continued inline....


    On 8 Aug 2004 05:03:52 -0700, in
    <>
    Lord Retsudo scrawled:

    >A PC that I use at work has somehow got this horrible 608180.net thing
    >on it, meaning constant pop-ups, windows closing down, etc.
    >
    >I've read several articles about removing it, but nothing has yet
    >worked. I've also run both Ad-aware and Spybot, both of which find
    >things (Seekseek, DSO Exploit and Virtual Bouncer mainly), but after
    >I've fixed them, the problems just come back again.
    >
    >Below is the Hijackthis log for the PC - if someone could tell me
    >whether any of this stuff needs deleting then that would be great as
    >it's driving me mad!



    DO THIS IN SAFE MODE
    =================

    DISCONNECT FROM THE NET
    =====================

    CLOSE ALL OTHER APPLICATIONS EXCEPT HJT
    ==================================

    >---------------------------------
    >Logfile of HijackThis v1.98.2
    >Scan saved at 12:48:19, on 08/08/04
    >Platform: Windows 98 SE (Win9x 4.10.2222A)
    >MSIE: Internet Explorer v5.00 (5.00.2919.6304)
    >
    >Running processes:


    >C:\WINDOWS\WOVAX.EXE


    End task the above process (CTRL+ALT+DEL).


    >R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    >http://www.invista.com/


    Have HijackThis fix the above, unless it's your preferred start page.


    >R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
    >Settings,ProxyServer = webproxy.eur.webdti.com:80


    Have HijackThis fix the above.


    >R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet
    >Settings,ProxyOverride = *.*.webdti.com;*.webdti.com;*.*.dupont.com;*.dupont.com;<local>


    Have HijackThis fix the above.


    >R3 - URLSearchHook: URLSearch Class -
    >{965A592F-8EFA-4250-8630-7960230792F1} - C:\WINDOWS\SYSTEM\CDSM32.DLL


    Have HijackThis fix the above and delete the cdsm32.dll
    file. Empty the recycle bin.


    >O2 - BHO: SDWin32 Class - {4693BD20-E209-11D8-9A80-00B0D09A08A3} -
    >C:\WINDOWS\SYSTEM\UHMRX.DLL


    Have HijackThis fix the above and delete the uhmrx.dll
    file. Empty the recycle bin.


    >O4 - HKLM\..\Run: [wovax] C:\WINDOWS\wovax.exe


    Have HijackThis fix the above. Delete the wovax.exe
    file, and empty the recycle bin.


    >O4 - HKLM\..\Run: [aqadcup] C:\WINDOWS\aqadcup.exe


    Have HijackThis fix the above. Delete the aqadcup.exe
    file, and empty the recycle bin.


    >O4 - HKLM\..\Run: [uhmrxc] C:\WINDOWS\SYSTEM\uhmrxc.exe


    Have HijackThis fix the above. Delete the uhmrxc.exe
    file, and empty the recycle bin.


    >O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
    >- (no file)


    Have HijackThis fix the above.


    >O9 - Extra button: Dell Home - {76BD7EA0-1C3D-11D4-9A2E-00B0D0383BC0}
    >- http://www.dellnet.com (file missing) (HKCU)


    Have HijackThis fix the above.


    >O14 - IERESET.INF: START_PAGE_URL=http://www1.lvs.dupont.com/welcome/


    Have HijackThis fix the above. Delete the IERESET.INF file.
    Empty the recycle bin.



    Open your registry editor (Start / Run / Regedit) to:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
    If you see an entry named '__NS_Service_3' delete it.

    Still in the registry, navigate to:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root
    If you see an entry named 'LEGACY___NS_Service_3' delete it.

    Close your registry editor.

    Do NOT reconnect; do NOT reboot into normal mode, yet.

    Run SpyBot S&D (full scan)

    Run Ad-Aware (full scan)

    Run the Ad-Aware VX2 cleaner plug-in.

    Run the SpHjfix.

    Run CWShredder

    Run AboutBuster

    Re-run HijackThis and rescan.


    If SpyBot S&D and/or Ad-Aware do not run in Safe
    Mode, leave those steps until last and run them
    in normal mode, BEFORE YOU CONNECT.


    --
    Basic computer maintenance
    http://uk.geocities.com/personel44/maintenance.html
     
    °Mike°, Aug 9, 2004
    #5
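
The log in this thread arrives wrapped by the newsreader, and °Mike°'s reply ends the WOVAX.EXE process before fixing its Run entry. The following is an added example (not from any post in the thread and not HijackThis's own code) that re-joins wrapped entries, lists the entries HijackThis annotated with "(no name)", "(no file)" or "(file missing)", and matches O4 autoruns against the running-process list; the function names are this example's own and the sample is an excerpt of the log posted above.

```python
import re

# Excerpt of the log from the first post, kept in its newsreader-wrapped form.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\WOVAX.EXE
C:\HIJACK\HIJACKTHIS.EXE

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\Norton
AntiVirus\vptray.exe
O4 - HKLM\..\Run: [wovax] C:\WINDOWS\wovax.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
- (no file)
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")        # "O4 - ...", "R1 - ..."
AUTORUN = re.compile(r"^\S+: \[(.+?)\] (.*)$")        # "<key>: [name] command"
EXE = re.compile(r'([^\\"]+?\.exe)', re.IGNORECASE)   # first executable name
MARKERS = ("(no name)", "(no file)", "(file missing)")

def parse_log(text):
    """Return (running, entries); wrapped entry lines are re-joined."""
    running, entries, in_procs = [], [], False
    for line in (raw.strip() for raw in text.splitlines()):
        m = ENTRY.match(line)
        if line.lower().startswith("running processes"):
            in_procs = True
        elif m:
            in_procs = False
            entries.append([m.group(1), m.group(2)])
        elif line and in_procs:
            running.append(line)
        elif line and entries:
            entries[-1][1] += " " + line   # continuation of the previous entry
    return running, [tuple(e) for e in entries]

def marked_entries(entries):
    """Entries HijackThis itself annotated as nameless or pointing at no file."""
    return [(code, body) for code, body in entries
            if any(mark in body for mark in MARKERS)]

def live_autoruns(running, entries):
    """O4 value names whose executable is currently in the process list."""
    live = {path.rsplit("\\", 1)[-1].lower() for path in running}
    found = []
    for code, body in entries:
        auto = AUTORUN.match(body) if code == "O4" else None
        exe = EXE.search(auto.group(2)) if auto else None
        if exe and exe.group(1).strip().lower() in live:
            found.append((auto.group(1), exe.group(1).strip().lower()))
    return found
```

Both outputs are review cues, not verdicts: the sample's "(no name)" BHO sits in the Spybot folder and is not among the entries °Mike°'s reply has HijackThis fix, and TaskMonitor shows up as a live autorun alongside wovax.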