View Full Version : Altnet



cowboy stu
15-07-2006, 03:29 PM
Is Altnet a problem? Spybot can't get rid of it as it is in use .. safe mode also.
Other progs have same result.
Computer boots to system32 window for whatever reason. Found a trojan lurking there but still persists to open here. Any help appreciated.

FrankS
15-07-2006, 03:49 PM
Suggest Google Altnet

cowboy stu
15-07-2006, 03:54 PM
done.. all free programs to rid want money once they tell you how bad it all is..
suspicious ???

Speedy Gonzales
15-07-2006, 04:10 PM
Use Spybot (http://www.spybot.info/en/download/index.html) to remove it.

Download it, download the latest detection updates, install both, then scan.

cowboy stu
15-07-2006, 04:51 PM
Ran Spybot again.. still doesn't like Altnet ??


SpywareBOT: Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-375612493-951796526-1614765859-1006\Software\SpywareBot

SpywareBOT: Program directory (Directory, fixed)
C:\Program Files\SpywareBot\

SpywareBOT: Program directory (Directory, fixed)
C:\Program Files\SpywareBot\Log\

SpywareBOT: Program directory (Directory, fixed)
C:\Program Files\SpywareBot\Quarantine\

SpywareBOT: Program directory (Directory, fixed)
C:\Program Files\SpywareBot\Registry Backups\

SpywareBOT: Program directory (Directory, fixed)
C:\Program Files\SpywareBot\Settings\

SpywareBOT: Data (File, fixed)
C:\Program Files\SpywareBot\DataBaseNew.ref

Vcodec.eMedia: Root class (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AVZipEnchancer.Chl

Vcodec.eMedia: Root class (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\VSEnchancer.Chl

Vcodec.eMedia: Uninstall settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ZipCodec

Vcodec.eMedia: Program directory (Directory, fixed)
C:\Program Files\ZipCodec\

Windows Security Center.FirewallOverride: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallOverride!=dword:0

Altnet: Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SOFTWARE\Altnet


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-07-15 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2006-02-06 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2006-02-20 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-07-14 Includes\Cookies.sbi (*)
2006-07-14 Includes\Dialer.sbi (*)
2006-07-14 Includes\Hijackers.sbi (*)
2006-07-14 Includes\Keyloggers.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2006-07-14 Includes\Malware.sbi (*)
2003-03-16 Includes\plugin-ignore.ini
2006-07-14 Includes\PUPS.sbi (*)
2006-07-14 Includes\Revision.sbi (*)
2006-07-14 Includes\Security.sbi (*)
2006-07-14 Includes\Spybots.sbi (*)
2003-03-16 Includes\Temporary.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-07-14 Includes\Trojans.sbi (*)

cowboy stu
15-07-2006, 09:11 PM
Spybot identifies a line in registry but can't delete it. Is it okay to go in and delete manually? It is in Hkey local_machine\ software\ altnet

Speedy Gonzales
16-07-2006, 09:12 AM
Run spybot in safe mode, with the latest detection updates, and do another scan. See if it removes it.

Also see if there's an Altnet entry in Add/remove programs. If there is, uninstall it.

cowboy stu
16-07-2006, 02:21 PM
Thanks Speedy. Done all that .. it found no issues. Same with CCleaner & AVG & Adaware all updated.
Everything seems okay except it boots to an open system32 window !!

Never used to do this.. any ideas Thanks

Speedy Gonzales
16-07-2006, 02:30 PM
Get CCleaner, run it, click on Tools/Startup.

Tell us what's here. It'll be in here somewhere. Take a snapshot of what's here and post it.

Or use msconfig.

FrankS
16-07-2006, 02:51 PM
Fishing around found following

http://www.viruslist.com/en/find?search_mode=full&words=Altnet&x=17&y=10

Suggest on completion of Speedy's run have a look in above for alternative names if necessary.

cowboy stu
16-07-2006, 04:21 PM
Had Trouble copy pasting from either of those ... here goes

HTpatch C;\windows\htpatch.exe
AVG7_cc C\:prog| grisoft etc
Coolswitch C:\windows\system32\taskswitch.exe ???
Fastuser ditto\fast.exe
Easyprint C:\ progs.. \canon etc
Ihug ultra ultrasetup.exe
Kernalfaultcheck %systemroot%\system32\dumprep 0 -k ??
MScongig C:\windows\pchealth\helpctr\binaries\mscongig.exe/auto
logitech setpoint ...setpoint.exe
tellique ... isat

hope that makes sense Thanks

Speedy Gonzales
16-07-2006, 06:34 PM
Take a snapshot and post a graphic of what's in startup and post it here (http://www.imagef1.net.nz/upload/)

cowboy stu
16-07-2006, 08:10 PM
done Speedy... any the wiser

Speedy Gonzales
16-07-2006, 08:18 PM
Ah you're meant to post the link it gives u, back in the forum. So, we can see it.

Jen
16-07-2006, 09:03 PM
"Ah you're meant to post the link it gives u, back in the forum. So, we can see it."

The image file is easy to find anyway, just view the uploaded files ...

cowboy stu's startup screenshot (http://www.imagef1.net.nz/files/pc.bmp)

cowboy stu
16-07-2006, 09:15 PM
Learning all the time !

I uploaded the file then what did I do wrong.. Obviously I pressed the wrong button somewhere

Jen
16-07-2006, 09:21 PM
"I uploaded the file then what did I do wrong.."

You would have seen a URL for your image given after you uploaded it which you then copy and post back into your post. Alternatively you can view your newly uploaded image and then copy and paste the URL from the address bar of your browser. :)

cowboy stu
16-07-2006, 09:26 PM
http://www.imagef1.net.nz/files/pc.bmp


like that! That's pretty easy when you know how :waughh:

Speedy Gonzales
16-07-2006, 09:35 PM
The pic looks ok, but u can remove the kernelfaultcheck entry.

I would also look in control panel / admin tools / event viewer.

Look under the system or application. See what entries show an X or an entry saying system. Double-click on it, highlight the text by pressing ctrl-c together, and paste what it says here.

I thought Ihug Ultra was dead?? What's it doing in your startup?

cowboy stu
16-07-2006, 09:49 PM
will follow those instructions thanks
When they changed us to bordernet the ultra setup was left on .. same internal card so I assume it is still required. I will experiment to see if it is essential .. something else to muck up .. standby

cowboy stu
16-07-2006, 10:00 PM
The Windows Image Acquisition (WIA) service terminated unexpectedly. It has done this 1 time(s).
Not sure if this is what you mean . It relates to Service control manager Red cross with error beside it .

Speedy Gonzales
16-07-2006, 10:02 PM
Hmm that sounds like a scanner or digital camera driver.

cowboy stu
16-07-2006, 10:04 PM
Would a hijack be of any use

Speedy Gonzales
16-07-2006, 10:06 PM
Yer u can post a HJT log if u want.

cowboy stu
16-07-2006, 10:23 PM
An unexpected error has occurred at procedure: modMain_CheckNetscapeMozilla()
Error #5 - Invalid procedure call or argument

Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.01.2600
MSIE version: 6.0.2900.2180
HijackThis version: 1.99.1

This message has been copied to your clipboard.
Click OK to continue the rest of the scan.

Logfile of HijackThis v1.99.1
Scan saved at 9:17:36 p.m., on 16/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\htpatch.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\isat\tc-recv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\isat\tc-recv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\gearsec.exe
C:\PROGRA~1\Borland\INTERB~1\Bin\IBGuard.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Fast.exe
C:\PROGRA~1\Borland\INTERB~1\Bin\ibserver.exe
C:\WINDOWS\system32\ntvdm.exe
C:\PROGRA~1\WinZip8\winzip32.exe
C:\DOCUME~1\Stuart\LOCALS~1\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bordernet.co.nz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.stuff.co.nz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.bordernet.co.nz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.stuff.co.nz
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:9202;https=localhost:9202;ftp=:0;gopher=:0;socks=localhost:9203
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5f4c3d09-b3b9-4f88-aa82-31332fee1c08} - (no file)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [FastUser] C:\WINDOWS\system32\fast.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [IHUG Ultra] C:\Program Files\ihug\ultra\UltraSetup.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: Tellique.lnk = C:\Program Files\isat\tc-recv.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {1E2941E3-8E63-11D4-9D5A-00902742D6E0} (iNotes Class) - https://extraweb-apac.ey.com/home/extraweb/iNotes.cab
O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://hlz1itcd.fonterra.com/Citrix/ICAWEB/en/ica32/ica32t.exe
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/064dac5f81262daaf305/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1093683677828
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5DE6BF69-7100-42A8-AF0E-EE45466EC807}: NameServer = 203.109.252.42 203.109.252.43
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: InterBaseGuardian - Inprise Corporation - C:\PROGRA~1\Borland\INTERB~1\Bin\IBGuard.EXE
O23 - Service: InterBaseServer - Inprise Corporation - C:\PROGRA~1\Borland\INTERB~1\Bin\ibserver.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

:thumbs: