Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

HJT -spiderman_jab


  • Please log in to reply
13 replies to this topic

#1 spiderman_jab

spiderman_jab

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:00 AM

Posted 14 June 2005 - 03:54 PM

Hello, this is my first post. Everytime i would run my Mcaffe Antispyware program it would detect something called Altnet. I would remove it, but it would always keep coming back. Last night I contacted Mcafee and paid a fee for the remote assistance removal of it. They found it and said it was in the registry at the h key local machine software altnet, and tried to delete the key. They were unable so we went into safemode and tried, still no luck. Then, they said we would have to change the permissions to do it, but it would not let us, even though i was logged in as the administrator. So, being unable to remove it they installed the Ad Aware Se and the Hijack This and helped me run them and recommended i come here and post a fresh log. I am about to pull my hair out over this and do not want to Reformat my computer. Any help would be greatly appreciated and i will follow any of your suggestions.

Logfile of HijackThis v1.99.1
Scan saved at 3:43:01 PM, on 6/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\WINDOWS\system32\ctfmon.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 1 for hijackthis_199.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.scifi.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9C024426-7859-4B2D-AB4C-B1E370AE7549} - http://us.mcafee.com/Apps/WSC/en-us/WscWlanScannerCtrl.cab
O16 - DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - http://mediaplayer.walmart.com/installer/install.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee AntiSpyware Real-Time Scanner (McAfeeAntiSpyware) - McAfee, Inc. - c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe

BC AdBot (Login to Remove)

 


#2 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:07:00 AM

Posted 14 June 2005 - 11:56 PM

Hello spiderman_jab and welcome to the BC forums. There is currently no reference to altnet in the log file. If it is on the machine or being picked up by yur anti-virus can you give me the exact messagethat you are receiving? Altnet usually is installed by some P2P file-sharing application. What Kazaa or some other P2P program installed on this machine (or still installed on theis machine)?

We will have to do some digging to find this if it is actually there. Better yet, can you give me the specific registry keys you found that pertain to altnet? that might give us a starting point in finding out what direction we have to take from here.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#3 spiderman_jab

spiderman_jab
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:00 AM

Posted 15 June 2005 - 12:14 AM

Hello, thank you for the reply. I did have Kazaa and Limewire installed on my computer, but uninstalled them a few weeks ago. Everytime i run Spybot Search and Destroy, Ad Aware Se, and Mcafee Antispyware it picks up a program called Altnet. When i look at the details it says its loacted at hkey_local_machine\software\altnet. There is a folder there named Altnet if you click on the plus sign to the left of it, it drops down with a folder called dashboard, and if you click it again has a folder that says messages. The previous programs give you the option to get rid of it, but even if you do then run another scan it finds it again and doesnt get rid of the key in regedit.

#4 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:07:00 AM

Posted 15 June 2005 - 10:58 AM

Hi spiderman_jab. Yeah, we use Kazaa and Limewire to purposely infect machines to test removal methods. Once you have them on your machine they are very difficult to remove.

Let's try the following:

Step #1

WinXP Show Hidden files/delete files

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Find the following files/folders and delete them (don't worry if they are already gone):C:\Program Files\KaZaA\topsearch.dll (may be installed at other locations.)
C:\Program Files\Altnet\Download Manager\asm.exe
C:\Program Files\Altnet\Download Manager\asmps.dll
C:\Program Files\Altnet\Download Manager\altinst1.dll
C:\Program Files\Altnet\Download Manager\altinst2.dll
C:\Program Files\Altnet\My Altnet Shares\ (may contain a number of files)
C:\Program Files\Altnet\DBBackup\Sigfiles.db
C:\Program Files\Altnet\Points Manager\Local Pages (may contain a number of .gif and .html files)
C:\Program Files\Altnet\Points Manager\Skin (may contain a number of .bmp files)
C:\Program Files\Altnet\Points Manager\Temp Internet Shares (may contain a number of files)
C:\Program Files\Altnet\Points Manager\points manager.exe
C:\Program Files\Altnet\Points Manager\Points Manager.exe.Manifest
C:\Program Files\Altnet\Points Manager\settings.cab
C:\Program Files\Altnet\Points Manager\setup.cab
C:\Program Files\Altnet\Points Manager\sysdetect.dll
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\smdat32a.sys
C:\WINDOWS\Fonts\acrsec.fon
C:\WINDOWS\Fonts\acrsecI.fon
C:\WINDOWS\Fonts\acrsecB.fon
C:\WINDOWS\TopSearch.dll

Now perform a search for these files and delete all instances. Windows XP's search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that Search system folders, Search hidden files and folders, and Search subfolders are checked.TopSearch.dll
Note: If you receive any error messages while trying to delete any of the above files/folders then reboot into Safe Mode and try to delete them again. See the instructions below on how to boot into Safe Mode.
  • Restart the computer.
  • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #2

Launch Notepad, and copy/paste the text in the quotebox below into the new document. Save it to your desktop as regfix.reg :

REGEDIT4

[-HKEY_CLASSES_ROOT\CLSID\{3646C2BD-3554-49CA-8125-44DEEFB881DE}]
[-HKEY_CLASSES_ROOT\AppID\{8B0FEF15-54DC-49F5-8377-8172DE975F75}]
[-HKEY_CLASSES_ROOT\CLSID\{3f4d4f88-0198-4921-b630-957f3eb814e0}]
[-HKEY_CLASSES_ROOT\CLSID\{9BBCF06C-DCD7-495D-80DF-CDD5399D0FF8}]
[-HKEY_CLASSES_ROOT\CLSID\{E813099D-5529-47F4-9B37-4AFAFCB00A43}]
[-HKEY_CLASSES_ROOT\Interface\{AD5BC1F0-72D8-44B3-8E3D-8E8FECCE43FB}]
[-HKEY_CLASSES_ROOT\Interface\{E813099D-5529-47F4-9B37-4AFAFCB00A43}]
[-HKEY_CLASSES_ROOT\AppID\Altnet Signing Module.EXE]
[-HKEY_CLASSES_ROOT\SigningModule.SigningModule]
[-HKEY_CLASSES_ROOT\SigningModule.SigningModule.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\AltnetDM]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AltnetDM]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Altnet]


Locate regfix.reg on your Desktop and double-click on it. You will receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer Yes and wait for a message to appear similar to Merged Successfully.

Restart your computer.

Step #3

Download and install ewido security suite. Update the program and then click on the Scanner button. On the Scanner page click on My Computer and then click the Start button to begin the scan. Let it run to completion and fix anything that it finds.

Step #4

Ok, reboot your computer normally and run whatever scans you were running before and see what they turn up.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#5 spiderman_jab

spiderman_jab
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:00 AM

Posted 15 June 2005 - 11:00 PM

Hello, thank you for your reply. I followed the instructions very carefully. After i ran the regfix.reg, i rebooted then i ran the Ewido. It found 9 files fixed them then i rebooted again. I ran the antispyware software and they all still found the Altnet. It says its located at the hkey_local_machine\software\altnet.
The one thing i did notice was, when i went back into the regedit the altnet key was still there. When i was troubleshooting with Mcaffe over this they had me to try to change the name of the Altnet key to the word bad. However, whenever i tried to delete it says can not delete error while deleting and when i tried to change the name it said can not change name error while renaming. When i go to regedit now there is a folder named bad a couple down from the Altnet. It has a plus when you click on it, it drops down a folder called dashboard, it's just like the Altnet key. It will allow me to delete the key named bad, but still wont let me delete the Altnet key. After i deleted the bad key, i rebooted and clicked on the regfix.reg and merged it with the registry again, then i rebooted. When i went back to the regedit the key named bad was back again.
I do not know if this is supposed to be here now or if im supposed to delete, so i left it there. I hope some of this makes since. Please dont give up on me, i would really like to get rid of this Altnet without having to wipe my hard drive out. Anymore suggestions would be greatly appreciated.

#6 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:07:00 AM

Posted 16 June 2005 - 12:29 AM

Hey spiderman_jab. Ok, let's try tis.

Download and install Registrar Lite
  • Start RegLite
  • Navigate to the hkey_local_machine\software\altnet registry key.
  • Try deleting the key.
Note: If you have trouble deleting the key. Click once on the key name to highlight it and click on the Security menu option and then the Edit Permissions item. Then Uncheck Allow inheritible permissions, click on Everyone in the uppder box and put a checkmark in Full control in the lower box. Click the Apply button and then the Ok button and attempt to delete the key again.

Repeat this for the backup key you mentioned if it is still present also.

Let me know what happened and post a new Hijackthis log file back here.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#7 spiderman_jab

spiderman_jab
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:00 AM

Posted 16 June 2005 - 02:14 AM

Hello. i started the reglite and went to the altnet key and clicked on it to highlight it then clicked on delete. it came up and said access denied. with altnet still highlighted i went to the top and clicked on security then on edit permissions. a window came up with one tab at the top that said security. under that was a white box that had the name everyone in it and it was highlighted blue below that were three boxes i clicked on full control then apply and ok. tried deleting altnet and got access denied. so i went back to edit permissions there was no box that had allow inheritable permissions but it did have a advance button so i clicked on it. there were three tabs at the top permissions, auditing, and owner. on the permissions tab it had an empty white box below that was a box with a green check mark and it said inherit from parent the permission entries that apply to chlid objects. include these with entries explicitly defined here. if i clicked on the check mark it brings up a warning then if you click ok it fills the white box with a list of adminstators, creator owner, system and users. then if you go back and try to delete the key it still says error access denied. Did i do this right?

Logfile of HijackThis v1.99.1
Scan saved at 2:12:46 AM, on 6/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\system32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\WINDOWS\system32\ctfmon.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Registrar Lite\rl.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Temporary Directory 3 for hijackthis_199.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.scifi.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9C024426-7859-4B2D-AB4C-B1E370AE7549} - http://us.mcafee.com/Apps/WSC/en-us/WscWlanScannerCtrl.cab
O16 - DPF: {D1ACD2D8-7312-4D06-BECD-90EB094D2277} - http://mediaplayer.walmart.com/installer/install.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee AntiSpyware Real-Time Scanner (McAfeeAntiSpyware) - McAfee, Inc. - c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe

#8 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:07:00 AM

Posted 16 June 2005 - 02:53 AM

Hi spiderman_jab. Ok, I've got one more trick up my sleeve.

Download the attached zip file (altnet.zip) and extract the contents to its own folder. Double-click on the altnmet.bat file and then reboot your machine and try a scan again and see if the warning comes up again.

Cheers.

OT

Oh, I should have mentioned, you must be logged on with Administrator rights to run this file.

Attached Files


Edited by OldTimer, 16 June 2005 - 02:55 AM.

I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#9 spiderman_jab

spiderman_jab
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:00 AM

Posted 16 June 2005 - 03:13 AM

Hello, i ran it then rebooted. antispyware still picked it up. so i tried to use regedit and reglite to delete the altnet key and it still would not let me. also i went to start, the search, and did a search for altnet. it found altnet.zip, altnet1.zip, and altnet2.zip at c:\docucments and settings\all users\application data\spybot search and destroy\recovery. do i need to delete these and run that file you told me to again? also did i change the permissions correctly a while ago?

#10 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:07:00 AM

Posted 16 June 2005 - 03:54 AM

Ok, were those files you dound in the Spybot folder or the registry. If they wre in the folder those are the items that Spybot has removed and put in it's quarantine. To remove them atart Spybot, go to the Recovery option, select all items and then click the button to delete (or remove them). If that is where hey are then it isn't a problem because Spybot will not let any programs to touch them anyway.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#11 spiderman_jab

spiderman_jab
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:00 AM

Posted 16 June 2005 - 04:05 AM

Ok, i went to spybot then the recovery and deleted the files. i ran spybot again and it picked up the altnet again. i went back and looked and the altnet key is still there at hkey_local_machine\software\altnet. I really really need to delete the altnet key, i am getting desperate. i will try anything, please help!!!!!!!!!!

#12 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:07:00 AM

Posted 16 June 2005 - 02:04 PM

Alright, let's try this:

Open the registry (Start->Run->regedit) and select the keys

[HKEY_LOCAL_MACHINE\\Software\\Altnet]
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Altnet\\Dashboard]
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Management\\ARPCache\\AltnetDM]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs]
\"C:\WINDOWS\Temp\Altnet\msvcirt.dll\"=dword:00000001
[HKEY_USERS\S-1-5-21-14627781-1401277002-153983898-1006\Software\Microsoft\\Search Assistant\ACMru\5603]
\"000\"=\"altnet\"
[HKEY_USERS\S-1-5-21-14627781-1401277002-153983898-1006\Software\Microsoft\Windows\CurrentVersion\\Explorer\MenuOrder\\Start Menu2\Programs\Altnet]

Start with the top folder which is Altnet and work down and follow these instruction to change the permission for all folders.

Right click on Altnet then click on permission, click on add, click on advanced, click on find now, and look for your log on name and click on okay twice to get back to permissions for Altnet. Now, put a check mark in the boxes for allow after click on advanced, click on the tab for owner and highligt your log under \'change owner to\' and check the box that say\'s : \'Replace permission entries on all child objects with entries shown here that apply to child objects\\' and click on ok, click on apply and click ok. Continue the same for the rest of the folders listed.


OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image

#13 spiderman_jab

spiderman_jab
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:06:00 AM

Posted 16 June 2005 - 11:51 PM

thank you for all of your help, i feel i have learned a lot over the last couple of days. i was not changing the permissions correctly, that was why i could not delete it. after troubleshooting with mcafee they suggested i call microsoft so i did and they said they would have someone call me back. this mourning they did, and i thought i had changed the permissions but i did not. so he showed me what i did wrong, then i was able to delete the key. you gave very good advice and it should have worked, it was that i did not do it right. i greatly appreciate all of your help. i love this site because the people here are really patient especially with us begginers. i have recommend this site to all of my friends. so keep up the good work and once again thank you for helping me.

#14 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:North Carolina
  • Local time:07:00 AM

Posted 17 June 2005 - 01:08 AM

Hi spiderman_jab. Glad to hear that that problem has been taken care of. How are things running? Any other problems? If not, then let's finish things up.

We have a couple of last steps to perform and then you're all set.

First, let's reset your hidden/system files and folders. System files are hidden for a reason and we don't want to have them openly available and susceptible to accidental deletion.* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View tab.
* Under the Hidden files and folders heading UNSELECT Show hidden files and folders.
* CHECK the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
Next, let's clean your restore points and set a new one:

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)1. Turn off System Restore.On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Restart your computer.

3. Turn ON System Restore.On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
[/list]System Restore will now be active again.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:
  • SpywareBlaster to help prevent spyware from installing in the first place.
  • SpywareGuard to catch and block spyware before it can execute.
  • IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.
You should also have a good firewall and a good antivirus application like the ones you are currently using. It is critical to have both a firewall and antivirus to protect your system and to keep them updated.

To keep your operating system up to date visit monthly. And to keep your system clean run these free malware scanners
weekly, and be aware of what emails you open and websites you visit.

To learn more about how to protect yourself while on the internet read this article by Tony Klien: So how did I get infected in the first place?

Have a safe and happy computing day!

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

Posted Image




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users