Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Cant remove altnet spyware!

Started by Luke1988 , Jun 07 2005 10:32 AM

  • Please log in to reply

#1
Luke1988
Posted 07 June 2005 - 10:32 AM

Luke1988

    Member

  • Member
  • PipPip
  • 37 posts
Hey, i wondered if someone could help me. i cant seem to remove altnet spyware from my computers registry. i have used spybot search and destroy which knows its there but cant delete it! i have also tried to remove it by going into safe mode and just hitting delete but that doesnt work either. so i give up! :tazz:

i have also just removed two viruses, one was that anti virus gold desktop hijack and the other was a very untastefull internet explorer home page hijack. could you please check my hi jack this log incase anything still remains.

thankyou in advance for your great work!! ;) keep it up!!

Logfile of HijackThis v1.99.1
Scan saved at 17:17:35, on 07/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Peter\Desktop\Antivirus & Anti spyware & Anti adware\Hi-jack This\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aldi.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://quickmetasear...said=acc0000_ho
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\system32\hookdump.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Documents and Settings\Peter\Desktop\APPS\ADC.4\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Documents and Settings\Peter\Desktop\APPS\ADC.4\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Documents and Settings\Peter\Desktop\APPS\ADC.4\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Documents and Settings\Peter\Desktop\APPS\ADC.4\dlpage.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\DOCUME~1\Peter\Desktop\APPS\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
  • 0

Advertisements

#2
Metallica
Posted 07 June 2005 - 01:21 PM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Copy the part in bold below into notepad and save it as AVGoldfix.reg
Set Filetype to All Files and save it somewhere easy to find. We will use it later.

REGEDIT4

[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Intel system tool"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\AntivirusGold]

*Click Here to download Killbox by Option^Explicit.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*Copy the file names below to the clipboard by highlighting them and pressing Control-C:
C:\Windows\System32\hookdump.exe
C:\Windows\System32\winnook.exe
C:\Windows\desktop.html
C:\Windows\screen.html
*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt if you get one.
*If the computer does not reboot by itself, do it manually.

While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Doubleclick the AVGoldfix.reg we made earlier.
And (still in safe mode) use the DiskCleanup Tool to empty all your Temp folders.

Delete the entire folder C:\Program Files\AntiVirusGold

In the Control Panel click Display > Desktop > Customize desktop > Website > Uncheck "Security Info"

Then boot back to normal, run HijackThis again and post a new log.
  • 0

#3
Luke1988
Posted 10 June 2005 - 01:57 PM

Luke1988

    Member

  • Topic Starter
  • Member
  • PipPip
  • 37 posts
hi again. sorry for the late reply but i have been away from my computer for a while! i followed the instructions u gave and encountered a few problems along the way. firstly, and i think this is my fault!, i followed the kill box instruction and rebooted my computer...but not in safe mode! (this might take a while to explain!) ever since then i have been getting those error messages saying 'windows explorer has encountered a problem and needs to restart. sorry for the inconvenience' you know the ones where you can ither click send an error message to microsoft or dont send. well i always click dont send and they usually go away, this one however had other ideas and just wont go away, in fact it comes up every 5 seconds and when you click dont send the desktop goes blank for about 2 seconds and then comes back on. the strange part is you can still do things while the error message is up...as long as you start what you want to do before it comes up. for example i am typing this with the error message on the screen but i had to start internet explorer before it came up. anyway it does the same in safe mode but i have still managed to follow all your instructions...apart from the one that said uncheck the security information box in the customise desktop bit because it wasnt there! i have booted my comp back to normal hoping that the error message wouldnt come up....just my luck it did!!

hope you have understood me!! if you have any ideas what the problem is i would appreciate any help you could give!

Thanks again. (new hi jack this log below)
  • 0

#4
Luke1988
Posted 10 June 2005 - 02:07 PM

Luke1988

    Member

  • Topic Starter
  • Member
  • PipPip
  • 37 posts
heres my new log!

Logfile of HijackThis v1.99.1
Scan saved at 21:00:19, on 10/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Peter\Desktop\Antivirus & Anti spyware & Anti adware\Hi-jack This\HijackThis.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\imapi.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aldi.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://quickmetasear...said=acc0000_ho
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Documents and Settings\Peter\Desktop\APPS\ADC.4\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Documents and Settings\Peter\Desktop\APPS\ADC.4\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Documents and Settings\Peter\Desktop\APPS\ADC.4\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Documents and Settings\Peter\Desktop\APPS\ADC.4\dlpage.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\DOCUME~1\Peter\Desktop\APPS\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://84.92.84.127/...sCamControl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O20 - Winlogon Notify: style2 - C:\WINDOWS\q7295140_disk.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
  • 0

#5
Metallica
Posted 11 June 2005 - 02:15 AM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Run Killbox and choose the "Replace on Reboot option"

Put a checkmark in the "Use Dummy" option.
Paste this in the full path to file to delete box:
C:\WINDOWS\q7295140_disk.dll

Then use the Delete File button.

After the reboot can you try and find:
C:\WINDOWS\winstyle2.dll
I'd like a copy if it exists: pieter(AT)wilderssecurity(DOT)org

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://quickmetasear...said=acc0000_ho
R3 - Default URLSearchHook is missing

O20 - Winlogon Notify: style2 - C:\WINDOWS\q7295140_disk.dll

Then reboot once more and post a new HijackThis log.

Regards,
  • 0

#6
Luke1988
Posted 11 June 2005 - 12:57 PM

Luke1988

    Member

  • Topic Starter
  • Member
  • PipPip
  • 37 posts
Thankyou very much...problem seems to be fixed. sorry but i couldnt find the file C:\windows\winstyle2.dll because it wasnt there. just as a reference what acctually was the problem?

new hi jack this log...

Logfile of HijackThis v1.99.1
Scan saved at 19:53:46, on 11/06/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Peter\Desktop\Antivirus & Anti spyware & Anti adware\Hi-jack This\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aldi.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Download all by Free Download Manager - file://C:\Documents and Settings\Peter\Desktop\APPS\ADC.4\dlall.htm
O8 - Extra context menu item: Download by Free Download Manager - file://C:\Documents and Settings\Peter\Desktop\APPS\ADC.4\dllink.htm
O8 - Extra context menu item: Download selected by Free Download Manager - file://C:\Documents and Settings\Peter\Desktop\APPS\ADC.4\dlselected.htm
O8 - Extra context menu item: Download web site by Free Download Manager - file://C:\Documents and Settings\Peter\Desktop\APPS\ADC.4\dlpage.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\DOCUME~1\Peter\Desktop\APPS\MICROS~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.aldi.com
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://84.92.84.127/...sCamControl.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
  • 0

#7
Metallica
Posted 11 June 2005 - 02:19 PM

Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
No problem. I got a copy of winstyle2.dll in the meantime.

Your log looks good now. ;)

The file we deleted is a badly written piece of spyware that tries to download and install winstyle2.dll
It only succeeds in rare cases, so we were very curious what it was supposed to do.

Turns out to be another browser hijacker for searchmeup.com and coolwebsearch.com :tazz:

Please do have a look at my site about removing and preventing spyware.

Regards,
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP