I can't remove 'AltnetBDE' (spyware/adware)



JSF_enthusiast
17-07-2005, 07:44 PM
I have this particular piece of spyware on my computer that I cannot remove. Ad-aware SE Personal tells me it's 'altnetBDE' and that it is located in the registry here: 'HKEY_LOCAL_MACHINE:SOFTWARE/ALtNET'.
When I attempt to delete it manually it comes up with: 'cannot delete Altnet: Error while deleting Key'.
Norton anti-virus, Spybot-search and destroy and ad-aware SE personal all know that it is there but they can't delete it. I can actually tell this program is slowing my computer down because when I go to download anything the rate is 1KB per second. On my dial-up connection it's usually around 5kb's (I connect at 53.2kb/s usually).
I have also tried the trend micro online scanner with little success.
Somebody help me!!!

tweak'e
17-07-2005, 08:03 PM
have you run it in safe mode?

also what vers of adaware and spybot are you running?

have you run through the forums spyware FAQ ?

Speedy Gonzales
17-07-2005, 08:06 PM
See if this http://www.simplysup.com/tremover/ removes it.

Download scan, and see if it detects and removes it.

It's in its database.

JSF_enthusiast
17-07-2005, 08:17 PM
I have run both spyware, ad aware and norton in safe mode. I have also allowed them to do a scan before windows starts, but altnet still survives. I searched the forum and I found nothing that was of assistance or that I haven't already tried.

I think altnet when it first put itself on the computer must have altered its permissions and set up a small support network so that if you delete one part of it, the rest of it can rebuild the deleted part.

I am running norton anti-virus 2004, last updates to come through were on the 15/7/2005, when I run live update it says that all of my norton products are up to date.
I am running spybot-search and destroy, version 1.4 with the latest updates according to update on spybot. Ad aware personal, I am running with definitions file 'SE1R54 14.07.2005', its update stuff says no updated components available. The installed core application is '1.06r1`'

Murray P
17-07-2005, 08:21 PM
You may not have permission to alter the registry, what are you logged in as, user? Admin? As Tweak'e says, try safe mode.

Try a reg clean in safe mode. There may be other bits and pieces to get rid of other than in the registry.

a2 would be my choice for removing trojans.

Speedy Gonzales
17-07-2005, 08:27 PM
Is Kazaa installed??

If so remove / uninstall it.

It's full of spyware, and it may have been how altnet got on your system.

Either try trojan remover from my previous post. Or see if these files/folders are on your system.

http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453074383

JSF_enthusiast
17-07-2005, 08:27 PM
I am using windows XP, and I am the only administrator on the computer. I have made changes to the computer's registry before (fixing up programs which when I uninstall them don't remove some of their rubbish, mainly Rise of Nations).
All programs say that altnet is only in the registry...

Kazaa was on my computer over a year back, altnet has come in the last few weeks.

Renmoo
17-07-2005, 08:38 PM
... I can actually tell this program is slowing my computer down because when I go to download anything the rate is 1KB per second. On my dial-up connection it's usually around 5kb's (I connect at 53.2kb/s usually)....
If this program is slowing down the speed of your Internet connection, I assumed this is because it is allowed to connect to the Internet, right? If so, configure your firewall to prohibit it from connecting to the Internet. I hope this helps.

Cheers :)

JSF_enthusiast
17-07-2005, 08:45 PM
It does not appear in program control in zone alarm. Should I try another firewall?

tweak'e
17-07-2005, 08:51 PM
clean out the temp files. it may have a parent which is locking or reloading it. quite common for them to hide in system temp folders (ccleaner is handy for this).

check what programs you have listed in ZA. also some spyware will slow your connection IF you block them, they simply try to connect so much your pc slows down.

otherwise try hijackthis and post a log here.

Murray P
17-07-2005, 08:52 PM
Possibly, I use Kero myself, but ZA should be fine. Does it have registry protection settings?

Do you have Spybot set to Advanced mode? Are you running the TeaTimer module (which prevents registry changes and creates a backup)? Check the TeaTimer logs.

Speedy Gonzales
17-07-2005, 08:55 PM
It might not have to go thru the net to slow u down.

The entries in the registry would be enough to slow u down.

Or as I've said, get trojan remover, or go to that site I posted, and see if those files, are on your system. If AltnetBDE, is the same as Altnet.

JSF_enthusiast
17-07-2005, 08:58 PM
this what you wanted

Logfile of HijackThis v1.99.1
Scan saved at 6:45:22 p.m., on 7/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-nz\msnappau.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\Alex.OWNER-5Z4BJ30KX\Local Settings\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {45AD732C-2CE2-4666-B366-B2214AD57A49} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-nz\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {e6bb7ac5-0e3c-4ae6-92bd-af1d243fffc1} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {49c015d0-bedb-4275-ae4b-b4cf3788ab51} - (no file)
O3 - Toolbar: xtramsn - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-nz\msntb.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-nz\msnappau.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\RunOnce: [MessengerPlusUninstall] C:\WINDOWS\system32\cmd.exe /C "C:\DOCUME~1\ALEX~1.OWN\LOCALS~1\Temp\MsgPlusUninst .bat"
O4 - HKCU\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Subscribe in Desktop Sidebar - {09FE188B-6E85-479e-9411-51FB2220DF80} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .swf: C:\Program Files\Internet Explorer\PLUGINS\NPSWF32.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1121566921687
O17 - HKLM\System\CCS\Services\Tcpip\..\{44349A4C-D51C-4F31-AD1D-BBA5CB52974A}: NameServer = 202.27.158.40 202.27.156.72
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Unknown owner - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Speedy Gonzales
17-07-2005, 09:04 PM
Go here and paste your log into it and click on analyse.

There's a few files it picks up as nasty.

Some may be valid. You'll have to decide on whether to tick them.

http://www.hijackthis.de/index.php

I would still get trojan remover, which isn't hijackthis. See if it detects / removes anything.

That unknown one

O4 - HKLM\..\RunOnce: [MessengerPlusUninstall] C:\WINDOWS\system32\cmd.exe /C "C:\DOCUME~1\ALEX~1.OWN\LOCALS~1\Temp\MsgPlusUninst .bat"

Looks suss.

JSF_enthusiast
17-07-2005, 09:23 PM
I have tried the hijackthis method that you have suggested and trojan remover. Neither actually found altnet in the registry, but spybot, ad aware and norton still said they were there.

tweak'e
17-07-2005, 10:02 PM
get rid of ...

O2 - BHO: (no name) - {45AD732C-2CE2-4666-B366-B2214AD57A49} - (no file)
O2 - BHO: (no name) - {e6bb7ac5-0e3c-4ae6-92bd-af1d243fffc1} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {49c015d0-bedb-4275-ae4b-b4cf3788ab51} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{44349A4C-D51C-4F31-AD1D-BBA5CB52974A}: NameServer = 202.27.158.40 202.27.156.72

are you running norton's firewall in the security centre?
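
The by-eye triage of the posted HijackThis log done in the replies above can be scripted. This is an added example, not part of any post in the thread; the sample lines are copied from the log above, and the three rules (orphaned "(no file)" / "(file missing)" entries, O4 autoruns launched from a Temp folder, O17 DNS settings to verify) are assumptions chosen for illustration, not HijackThis's own logic.

```python
import re

# Constructed sample: a handful of lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {45AD732C-2CE2-4666-B366-B2214AD57A49} - (no file)
O3 - Toolbar: (no name) - {49c015d0-bedb-4275-ae4b-b4cf3788ab51} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [MessengerPlusUninstall] C:\WINDOWS\system32\cmd.exe /C "C:\DOCUME~1\ALEX~1.OWN\LOCALS~1\Temp\MsgPlusUninst .bat"
O17 - HKLM\System\CCS\Services\Tcpip\..\{44349A4C-D51C-4F31-AD1D-BBA5CB52974A}: NameServer = 202.27.158.40 202.27.156.72
O23 - Service: PACSPTISVR - Unknown owner - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\PACSPT~1.EXE (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
"""

# A HijackThis entry line: section code (R0, O4, O23, ...) then " - " then the body.
ENTRY = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")
# Registry reference whose target file is no longer on disk.
ORPHAN = re.compile(r"\((?:no file|file missing)\)\s*$")
# Temp directories, including the 8.3 short name of "Local Settings".
TEMP_DIR = re.compile(r"\\(?:temp|tmp|locals~1)\\", re.IGNORECASE)


def triage(log_text):
    """Return (section, tag, body) for every entry worth a manual look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header lines, process list, blank lines
        section, body = m.groups()
        if ORPHAN.search(body):
            findings.append((section, "orphaned", body))
        elif section == "O4" and TEMP_DIR.search(body):
            findings.append((section, "autorun-from-temp", body))
        elif section == "O17" and "NameServer" in body:
            # Not a verdict: compare the addresses with the ISP's resolvers.
            findings.append((section, "dns-setting", body))
    return findings


if __name__ == "__main__":
    for section, tag, body in triage(SAMPLE_LOG):
        print(f"{section:<4} {tag:<18} {body}")
```

A tag only marks a line for review; a leftover uninstaller or the ISP's own name servers will be flagged the same way as something unwanted.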

Speedy Gonzales
17-07-2005, 10:19 PM
See if this symantec site helps. See if the folders are on your system.

http://securityresponse.symantec.com/avcenter/venc/data/adware.topsearch.html

I think this has something to do with it.

That's if these folders exist on your PC.

JSF_enthusiast
17-07-2005, 11:57 PM
I do not have norton firewall on my computer, norton anti virus is my only norton product on this computer.
tweak'e I deleted all of those files and entries listed in your last post.
I don't see any of the files that I saw in the link you provided Speedy Gonzales.
trojan remover didn't see any altnet whatsoever.
I might just give up because it appears dealing with it is a bit out of my league in terms of computing skill.

Renmoo
18-07-2005, 01:12 AM
It might not have to go thru the net to slow u down.

The entries in the registry would be enough to slow u down.
How do the nasty registry entries manage to slow down the connection without connecting to the Internet? I am dead curious.

Cheers :)

Speedy Gonzales
18-07-2005, 12:50 PM
What I meant was, it'll affect u once u connect, but it doesn't mean you'll be able to block access to whatever it is that's slowing u down.

Until u scan for spyware/adware and manage to remove it.

And depending on what it is u have, it can make the CPU go to 99/100%

And the only way you'll go faster, is to terminate the process that's doing this (if it shows in task manager).

So whatever program u load will work properly without freezing.