8 replies to this topic

[masher]

I've been trying to clean up my PC so that I cn get SP2 on but nothing can get rid of ALTNET and HUNTBAR. When I try to delete the registry entries I get teh message that an error occurred and while deleteing. Following is the hijackthis log I just ran, maybe you can help me. Thank you.

Logfile of HijackThis v1.99.1
Scan saved at 10:48:49 AM, on 19/01/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\hijackthis\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mysask.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SaskTel
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;http://localhost;<local>
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [ ]
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: palstart.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.mysask.com
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory....sharingctrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab27571.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.c...ebio5_1_6_0.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab27571.cab
O20 - Winlogon Notify: ddccd - ddccd.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

[Piatan]

Hi masher,

Please, use only one real time Anti-Virus and one Firewall. Uninstall all others in Add/Remove Programs.

If you need an AV,
Here is a link for a free AVG ANTI-VIRUS:http://free.grisoft....1/lng/us/tpl/v5

And here is a link for a free firewall.
Below you will find a link to Zone Alarm, which has a good free firewall for personal use, another for kerio and a link to sygate. Note that it is not recommended to run two firewalls simultaneously, not even along with the new Microsoft firewall.
http://www.zonelabs....sku_list_za.jsp
http://www.kerio.com/us/kpf_home.html
http://smb.sygate.co...cts/spf_pro.htm


I do not see any entries for ALTNET or Huntbar in your Hijack This log. Could these have been previously removed ?

Reboot into Safe Mode: please see here if you are not sure how to do this.

Then go to Control Panel-->Add/Remove Programs and Uninstall/Remove......
ALTNET
Huntbar or any variants.

Then, please reboot into Normal Mode.

Please download VundoFix.exe to your desktop.[list]
[*]Double-click VundoFix.exe to run it.
[*]Click the Scan for Vundo button.
[*]Once it's done scanning, click the Remove Vundo button.
[*]You will receive a prompt asking if you want to remove the files, click YES
[*]Once you click yes, your desktop will go blank as it starts removing Vundo.
[*]When completed, it will prompt that it will shutdown your computer, click OK.
[*]Turn your computer back on.



Please download, install, update and scan your system with the free version of Ewido trojan scanner:[list=1]
[*]When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
[*]When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
[*]From the main ewido screen, click on update in the left menu, then click the Start update button.
[*]After the update finishes (the status bar at the bottom will display "Update successful"), click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run, so time to go get a drink and a snack....
[*]If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
[*]When the scan finishes, click on "Save Report". This will create a text file.
Please save the Ewido report, to be posted here later.

If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates

The trial version of Ewido works like a full featured version for 14 days, after that the only features that will not work are, autoupdate and realtime protection. It will still be able to be used to scan and remove undesirables.

We need to disable your Microsoft AntiSpyware Real-time Protection as it may interfere with the fixes that we need to make.

Open Microsoft AntiSpyware.
Click on Tools, Settings.
In the left pane, click on Real-time Protection.
Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).
After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.
After all of the fixes are complete it is very important that you enable Real-time Protection again.

Next:

Please set your system to show all files; please see here if you're unsure how to do this.

Close all Windows and browsers, leaving only HijackThis running.
Place a check against each of the following.:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - Global Startup: palstart.exe
O20 - Winlogon Notify: ddccd - ddccd.dll (file missing)

The following are OPTIONAL fixes:
If you know and trust the following, then keep them.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mysask.com

O14 - IERESET.INF: START_PAGE_URL=http://www.mysask.com

Click on Fix Checked when finished.

Reboot into Safe Mode: please see here if you are not sure how to do this.

Using Windows Explorer, locate the following files/folders shown DARK and delete them:

palstart.exe


Reboot , enable hidden files and post a fresh Hijack This log in this topic, along with the Ewido report and the contents of C:\vundofix.txt .

Please advise if there are any unresolved issues.[/b]

Please use the Post Reply feature to reply, so I will be notified.

Note: Please do not edit the new HJT log. We need to see the entire log, without revisions.

Edited by Piatan, 30 January 2006 - 03:25 PM.

[masher]

Thank you very much for responding, your help is really appreciated. I've done what you instructed me to do.
Altnet and HuntBar/Btiein does not have anything in the programs to be removed anywhere, these things are in the registry and cannot be deleted, (unable to delete using regedit). As you can see from the Ewido log he was unable to get rid of these as well.
No Vundofix text file has been included since one was not produced. When I ran Vundofix he came back saying that no files were infected.
The Ewido log and the new Hijachthis log you requested both follow.

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 9:00:43 AM, 31/01/2006
+ Report-Checksum: 834D2950

+ Scan result:

HKLM\SOFTWARE\Altnet -> Spyware.Altnet : Error during cleaning
HKLM\SOFTWARE\Altnet\Dashboard -> Spyware.Altnet : Error during cleaning
HKLM\SOFTWARE\Altnet\Dashboard\Messages -> Spyware.Altnet : Error during cleaning
HKLM\SOFTWARE\Altnet\Dashboard\Settings -> Spyware.Altnet : Error during cleaning
HKLM\SOFTWARE\BTIEIN -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\BTIEIN\BTIEIN -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\BTIEIN\BTIEIN\taskcache -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\WToolsB.ResProtocol -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} -> Spyware.ISTBar : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Al\Application Data\Mozilla\Firefox\Profiles\n7nmwkkg.default\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Al\Application Data\Mozilla\Firefox\Profiles\n7nmwkkg.default\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Al\Application Data\Mozilla\Firefox\Profiles\n7nmwkkg.default\cookies.txt -> Spyware.Cookie.Adbrite : Cleaned with backup
:mozilla.45:C:\Documents and Settings\Al\Application Data\Mozilla\Firefox\Profiles\n7nmwkkg.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.46:C:\Documents and Settings\Al\Application Data\Mozilla\Firefox\Profiles\n7nmwkkg.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Al\Application Data\Mozilla\Firefox\Profiles\n7nmwkkg.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.49:C:\Documents and Settings\Al\Application Data\Mozilla\Firefox\Profiles\n7nmwkkg.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.53:C:\Documents and Settings\Al\Application Data\Mozilla\Firefox\Profiles\n7nmwkkg.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.63:C:\Documents and Settings\Al\Application Data\Mozilla\Firefox\Profiles\n7nmwkkg.default\cookies.txt -> Spyware.Cookie.Targetnet : Cleaned with backup
:mozilla.71:C:\Documents and Settings\Al\Application Data\Mozilla\Firefox\Profiles\n7nmwkkg.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.73:C:\Documents and Settings\Al\Application Data\Mozilla\Firefox\Profiles\n7nmwkkg.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.74:C:\Documents and Settings\Al\Application Data\Mozilla\Firefox\Profiles\n7nmwkkg.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Al\Cookies\al@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Al\Cookies\al@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Al\Cookies\al@adopt.euroclick[2].txt -> Spyware.Cookie.Euroclick : Cleaned with backup
C:\Documents and Settings\Al\Cookies\al@ads1.revenue[1].txt -> Spyware.Cookie.Revenue : Cleaned with backup
C:\Documents and Settings\Al\Cookies\al@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Al\Cookies\al@casalemedia[2].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Al\Cookies\al@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Al\Cookies\al@data1.perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Al\Cookies\al@edge.ru4[2].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Al\Cookies\al@excite[1].txt -> Spyware.Cookie.Excite : Cleaned with backup
C:\Documents and Settings\Al\Cookies\al@fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Al\Cookies\al@marthastewart.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Al\Cookies\al@paypopup[1].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Documents and Settings\Al\Cookies\al@perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Al\Cookies\al@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Al\Cookies\al@revenue[1].txt -> Spyware.Cookie.Revenue : Cleaned with backup
C:\Documents and Settings\Al\Cookies\al@rotator.adjuggler[2].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\Al\Cookies\al@server.iad.liveperson[1].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Al\Cookies\al@serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Al\Cookies\al@statcounter[2].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Al\Cookies\al@tradedoubler[1].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\Al\Cookies\al@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Al\Cookies\al@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Al\Cookies\al@www.adtrak[1].txt -> Spyware.Cookie.Adtrak : Cleaned with backup
C:\Documents and Settings\Al\Cookies\al@www.burstbeacon[2].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Al\Cookies\al@www.myaffiliateprogram[2].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
C:\Program Files\AdwareAlert\Quarantine\14-1-2006-15-26-32\ 10000.qit -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Program Files\AdwareAlert\Quarantine\14-1-2006-15-26-32\ 10006.qit -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Program Files\AdwareAlert\Quarantine\14-1-2006-15-26-32\ 10010.qit -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Program Files\AdwareAlert\Quarantine\14-1-2006-15-26-32\ 10014.qit -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Program Files\AdwareAlert\Quarantine\14-1-2006-15-26-32\ 10015.qit -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Program Files\AdwareAlert\Quarantine\14-1-2006-15-26-32\ 10016.qit -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Program Files\AdwareAlert\Quarantine\14-1-2006-15-26-32\ 10018.qit -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Program Files\AdwareAlert\Quarantine\18-1-2006-6-39-5\ 10003.qit -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Program Files\AdwareAlert\Quarantine\18-1-2006-6-39-5\ 10005.qit -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Program Files\AdwareAlert\Quarantine\18-1-2006-6-39-5\ 10006.qit -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Program Files\AdwareAlert\Quarantine\18-1-2006-6-39-5\ 10007.qit -> Spyware.Cookie.Excite : Cleaned with backup
C:\Program Files\AdwareAlert\Quarantine\18-1-2006-6-39-5\ 10008.qit -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Program Files\AdwareAlert\Quarantine\18-1-2006-6-39-5\ 10009.qit -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Program Files\AdwareAlert\Quarantine\18-1-2006-6-39-5\ 10010.qit -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Program Files\AdwareAlert\Quarantine\18-1-2006-6-39-5\ 10012.qit -> Spyware.Cookie.Overture : Cleaned with backup
C:\Program Files\AdwareAlert\Quarantine\18-1-2006-6-39-5\ 10013.qit -> Spyware.Cookie.Overture : Cleaned with backup
C:\Program Files\AdwareAlert\Quarantine\18-1-2006-6-39-5\ 10014.qit -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Program Files\AdwareAlert\Quarantine\18-1-2006-6-39-5\ 10016.qit -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Program Files\AdwareAlert\Quarantine\18-1-2006-6-39-5\ 10017.qit -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Program Files\AdwareAlert\Quarantine\18-1-2006-9-7-0\ 10003.qit -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Program Files\AdwareAlert\Quarantine\19-1-2006-9-0-39\ 10001.qit -> Spyware.Cookie.Excite : Cleaned with backup
C:\Program Files\AdwareAlert\Quarantine\19-1-2006-9-0-39\ 10002.qit -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Program Files\AdwareAlert\Quarantine\19-1-2006-9-0-39\ 10005.qit -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\WINDOWS\SYSTEM32\atiupdate5.exe -> Spyware.Adtomi : Cleaned with backup
C:\WINDOWS\SYSTEM32\bH.dll -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\SYSTEM32\BO2802040113.dll -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\SYSTEM32\msbb321.dll -> Spyware.BargainBuddy : Cleaned with backup


::Report End



Logfile of HijackThis v1.99.1
Scan saved at 9:48:38 AM, on 31/01/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\PROGRA~1\Webshots\webshots.scr
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopOE.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\hijackthis\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SaskTel
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;http://localhost;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\en-ca\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [ ]
O4 - HKCU\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec....trl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec....trl/tgctlsr.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....rl/LSSupCtl.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg...v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory....sharingctrl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab27571.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....rl/SymAData.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.c...ebio5_1_6_0.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab27571.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe

[Piatan]

Hi masher,

The report from Vundofix was what we were looking for, so Vundo was removed.

Your Hijack This logfile is also clean.

Microsoft Anti-Spyware (Beta)

Please go here to download and follow all instructions.
http://www.microsoft...&displaylang=en


Next:
First, please update Ewido.

Then, Boot into Safe Mode:
Restart your computer and immediately begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear. Select the Safe Mode option and press Enter.

Then, start Ewido.

Click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run, so time to go get a drink and a snack....
[*]If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
[*]When the scan finishes, click on "Save Report". This will create a text file.
Please save the Ewido report, to be posted here later.

Then, please post the Ewido report into this topic.

Please use the Post Reply feature to post, so I will be notified.

Edited by Piatan, 31 January 2006 - 06:24 PM.

[masher]

Hi Piatan; I've searched out my PC to find that Vundofix report and found it, for you so I included it here. It did not find any infected files when I ran it that why I didn't bother looking for it to send it out but just in case you need that I am sending it now. VundoFix V4.2.16 Scan started at 7:02:46 AM 31/01/2006 Listing files found while scanning.... No infected files were found. Ok so I updated ewido again as you indicated and ran it in safe mode but he was unable to remove that altnet and Btiein even in safe mode. I have'nt been able to find anything to get rid of that from my registry. Here is the ewido report. Thanks again for your help. -------------------------------------------------------- ewido anti-malware - Scan report --------------------------------------------------------- + Created on: 7:11:53 PM, 01/02/2006 + Report-Checksum: D0BF41D5 + Scan result: HKLM\SOFTWARE\Altnet -> Spyware.Altnet : Error during cleaning HKLM\SOFTWARE\Altnet\Dashboard -> Spyware.Altnet : Error during cleaning HKLM\SOFTWARE\Altnet\Dashboard\Messages -> Spyware.Altnet : Error during cleaning HKLM\SOFTWARE\Altnet\Dashboard\Settings -> Spyware.Altnet : Error during cleaning HKLM\SOFTWARE\BTIEIN -> Spyware.WebSearch : Error during cleaning HKLM\SOFTWARE\BTIEIN\BTIEIN -> Spyware.WebSearch : Error during cleaning HKLM\SOFTWARE\BTIEIN\BTIEIN\taskcache -> Spyware.WebSearch : Error during cleaning HKLM\SOFTWARE\Classes\WToolsB.ResProtocol -> Spyware.WebSearch : Error during cleaning C:\Documents and Settings\Al\Cookies\al@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup C:\Documents and Settings\Al\Cookies\al@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup C:\Documents and Settings\Al\Cookies\al@excite[2].txt -> Spyware.Cookie.Excite : Cleaned with backup C:\Documents and Settings\Al\Cookies\al@revenue[1].txt -> Spyware.Cookie.Revenue : Cleaned with backup C:\Documents and Settings\Al\Cookies\al@statcounter[2].txt -> Spyware.Cookie.Statcounter : Cleaned with backup C:\Documents and Settings\Al\Cookies\al@trafficmp[1].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP777\A0076662.exe -> Spyware.Adtomi : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP777\A0076663.dll -> Spyware.BargainBuddy : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP777\A0076664.dll -> Spyware.BargainBuddy : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP777\A0076665.dll -> Spyware.BargainBuddy : Cleaned with backup ::Report End

[Piatan]

Hi masherp;

Sorry to be tardy, but this took some research.

You may want to copy and paste this text into a Notepad file and place it on your desktop, to review as you work.

Indeed, this is a bad one, but there are some solutions available.

This one, you should run twice. Sometimes only once is not successful. No guarantees for this variant though.

From Start -> Control Panel -> Add/Remove Programs, remove anything related to WinTools, Toolbar, or Search Toolbar. Do not reboot until the last application has been uninstalled.

After a reboot, run a full scan with Ad-Aware. If you already have Ad-Aware SE 1.06 installed, you can skip the installation steps. If you don't, please uninstall your old version and install the new one from the links below.

Full Ad-Aware Scan
Please download Ad-Aware SE from here:
http://www.majorgeek...ownload506.html
Install Ad-Aware and run it. In the bottom-right hand corner, click "Check for updates now". Click "Connect" to download the newest reference file.

Now we will configure Ad-Aware to perform a full scan. In the Ad-Aware main window, click on the gear icon at the top of the screen to open the preferences window. In the "General" window, make sure the following options are selected:

• Automatically save log-file
• Automatically quarantine objects prior to removal
• Safe Mode (always request confirmation)

Click the "Scanning" button on the left-hand side and make sure the following options are selected:

• Scan within archives
• Scan active processes
• Scan registry
• Deep scan registry
• Scan my IE Favorites for banned URLs
• Scan my Hosts file

Please also click on "Select drives & folders to scan" and select your hard drive(s). Then click the "Advanced" button on the left-hand side and make sure all the options under "Log-file Detail Level" are selected. Next, click the "Tweak" button on the left-hand side. Click on "Scanning Engine" and make sure the following options are selected:

• Unload recognized processes & modules during scanning
• Obtain command line of scanned processes
• Scan registry for all users instead of current user only

Click on "Cleaning Engine" and make sure the following options are selected:

• Always try to unload modules before deletion
• During removal, unload Explorer and IE if necessary
• Let Windows remove files in use at next reboot
• Delete quarantined objects after restoring

Finally, click on "Safety Settings" and make sure the following options are selected:

• Automatically select problematic objects in results lists
• Write-protect system files after repair (Hosts file, etc)

Click on "Proceed" to save the preferences. Then please click the "Start" button on the bottom right side to begin a scan. Select "Use custom scanning options" and then click "Next". Ad-Aware will then scan for malware. When it is finished, make sure any objects listed in RED are selected and click "Next" to remove the objects. Then please restart your computer.

Remember, do the above fix twice.

And here are a couple of links that claim success, if the above doesn't work, but the above is much easier.

http://www.kephyr.co...huntbar.btiein/

http://doxdesk.com/p...te/HuntBar.html


And here is a link for Altnet.

http://www.spywarere...moveAltnet.html

Scroll down the page until you see the "download". It is for Spyhunter.
Read the rest of the page for the manual removal method, if Spyhunter does not work.

Then run Ewido and post the results into this topic.

Please let me know how things turn out, what works and what doesn't.

[masher]

Hi Piatan; Thanks for answering as fast as you have. This last one did it. I tried the asd-aware and ran twice in safe mode but both time the same altnet and btiein stayed where they were. Next I tried the other one at kephyr.com and they talked about doing uninstalls and deleting registry entries so that didn't work since I have nothing for files or programs to uinstall and the registry entries they talked about I did not have so no delteing to be done. Next I went to sypwareremove.com and downloaded syphunter. I also read all instructions they had and they talked about permissions on ALTNET that had to be changed before you could delete it. I ran Syphunter and he found a couple fo things and I got those deleted, then I changed the permissions as they indicated in their instruction for altnet in the registry and then boom when I tried to delete the entry it went away. I figured that was great so I followed the same instruction for btiein and it worked for that too. I then ran ewido and there was still one other registry entry that was hanging around; HKLM\SOFTWARE\Classes\WToolsB.ResProtocol. Tried the same instructions as for altnet and after some messing around I got the permissions changed and boom it was gone too. So now I run ewido and he find nothing. This is so excellent. Looks like my PC is finally cleaned up. That last site you pointed me too is the only place I ever saw anything that had instructions on how to get in there and actually be able to get rid of a registry entry that kept coming up saying there was an error when trying to delete. I thank you so much for all your help. I learnt a lot form this and I know thet without your help I likely would never have found the way to remove this from my machine. Again thank you very much. -------------------------------------------------------- ewido anti-malware - Scan report --------------------------------------------------------- + Created on: 12:49:50 PM, 02/02/2006 + Report-Checksum: 7F021DE9 + Scan result: No infected objects found. ::Report End

[Piatan]

Hi masher, you're welcome and thank you very much for the detailed description of the removal process. I'm sure it will help others who see this topic and they will thank you too. We all learn from these topics. Safe surfing.

[Piatan]

Glad we could be of assistance. This topic is now closed. If you wish it reopened, please send us an email (Click for address) with a link to your thread.

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
Make sure you use proper prevention to keep from having problems occur to your computer in the future.

Coyote's Installed programs for prevention:

http://forums.tomcoy...showtopic=31418

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Visit the CoyoteStore http://TomCoyote.org/coyotestore.php