Zlob thing?.. pls help

This is the reason why you should always ask if you aren't sure of something.

Where did you save the registry you backed up with ERUNT earlier? You have to navigate to that location and run the ERDNT.exe file there to restore the backed-up registry.

Can't say for sure what that error you mentioned was related to.
 
:sad:

i know.. i know..
i was really having a problem with the net connection so i decided to just do it..
momentary lapse of judgement..
i'm really sorry..

anyway, should i run MBAM and Registry Search tool for the word Altnet again?
 
i'm really sorry again..

here they are..

mbam log..

--------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.20
Database version: 948
Windows 5.1.2600 Service Pack 2

10:14:04 AM 7/14/2008
mbam-log-7-14-2008 (10-14-04).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|F:\|)
Objects scanned: 122885
Time elapsed: 21 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

--------------------------------------------------------------------------

registry search for altnet

--------------------------------------------------------------------------

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "altnet" 7/14/2008 10:14:58 AM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Altnet]

[HKEY_LOCAL_MACHINE\SOFTWARE\Altnet\Dashboard]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\McAfeeToDel]
"c:\\program files\\Altnet"="TOCLEAN"

[HKEY_USERS\S-1-5-21-1644491937-706699826-1202660629-1007\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List]
"File2"="C:\\Documents and Settings\\Admin\\Desktop\\SUPPORT\\reports\\registry search altnet.txt"

[HKEY_USERS\S-1-5-21-1644491937-706699826-1202660629-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\mht]
"a"="C:\\Documents and Settings\\Admin\\Desktop\\SUPPORT\\reports\\Altnet Altnet Removal Instructions.mht"

[HKEY_USERS\S-1-5-21-1644491937-706699826-1202660629-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\txt]
"a"="C:\\Documents and Settings\\Admin\\Desktop\\SUPPORT\\reports\\registry search altnet.txt"

--------------------------------------------------------------------------

i don't know if it's important, but this folder wasn't there anymore...

[-HKEY_USERS\S-1-5-21-1644491937-706699826-1202660629-1007\Software\Microsoft\Search Assistant\ACMru\5603]

when as far as i can remember, i backed up my registry before running the fix for this one... or not... anyway, just a thought...

sorry again... thanks!
 
Hi

No need to worry about these:

[HKEY_USERS\S-1-5-21-1644491937-706699826-1202660629-1007\Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List]
"File2"="C:\\Documents and Settings\\Admin\\Desktop\\SUPPORT\\reports\\registry search altnet.txt"

[HKEY_USERS\S-1-5-21-1644491937-706699826-1202660629-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\mht]
"a"="C:\\Documents and Settings\\Admin\\Desktop\\SUPPORT\\reports\\Altnet Altnet Removal Instructions.mht"

[HKEY_USERS\S-1-5-21-1644491937-706699826-1202660629-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\txt]
"a"="C:\\Documents and Settings\\Admin\\Desktop\\SUPPORT\\reports\\registry search altnet.txt"


I've attached a registry fix (extract it from the zip to your desktop) that I want you to run in safe mode. After doing so, reboot into normal mode and do a registry search for altnet.

Attention: The following registry fix is meant to be used only in this case. Using it in some other case may cause system malfunction!
 
hmm... still there...


--------------------------------------------------------------------------

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "altnet" 7/15/2008 8:32:15 AM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Altnet]

[HKEY_LOCAL_MACHINE\SOFTWARE\Altnet\Dashboard]

[HKEY_USERS\S-1-5-21-1644491937-706699826-1202660629-1007\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit]
"LastKey"="My Computer\\HKEY_LOCAL_MACHINE\\SOFTWARE\\Altnet\\Dashboard"
 
  • Download The Avenger by Swandog46 from here.
  • Unzip/extract it to a folder on your desktop.
  • Double click on avenger.exe to run The Avenger.
  • Click OK.
  • Make sure that the box next to Scan for rootkits has a tick in it and that the box next to Automatically disable any rootkits found does not have a tick in it.
  • Copy all of the text in the below textbox to the clipboard by highlighting it and then pressing Ctrl+C.
    Code:
    Registry keys to delete:
    HKEY_LOCAL_MACHINE\SOFTWARE\Altnet
  • In the avenger window, click the Paste Script from Clipboard button.
  • Click the Execute button.
  • You will be asked Are you sure you want to execute the current script?.
  • Click Yes.
  • You will now be asked First step completed --- The Avenger has been successfully set up to run on next boot. Reboot now?.
  • Click Yes.
  • Your PC will now be rebooted.
  • Note: If the above script contains Drivers to delete: or Drivers to disable:, then The Avenger will require two reboots to complete its operation.
  • If that is the case, it will force a BSOD on the first reboot. This is normal & expected behaviour.
  • After your PC has completed the necessary reboots, a log should automatically open. If it does not automatically open, then the log can be found at %systemdrive%\avenger.txt (typically C:\avenger.txt).
  • Please post this log, along with a new HijackThis log in your next reply.
 
here they are... =) the Altnet folder's not there anymore... =)

but, if you don't mind, what's this one exactly? =)

THANKS! :D:

[HKEY_USERS\S-1-5-21-1644491937-706699826-1202660629-1007\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit]
"LastKey"="My Computer\\HKEY_LOCAL_MACHINE\\SOFTWARE\\Altnet\\Dashboard"


--------------------------------------------------------------------------

avenger

--------------------------------------------------------------------------

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Altnet" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


--------------------------------------------------------------------------

HiJackThis log

--------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:30:06 PM, on 7/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = https://login.yahoo.com/config/login_verify2?&.src=ym
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE

--
End of file - 4461 bytes

--------------------------------------------------------------------------
 
Hi

That registry value just shows what has been last viewed with regedit. That's not harmful :)

Now it's time to get rid of tools we used.

Please download OTMoveIt2 and save it to desktop.
  • Double-click OTMoveIt2.exe.
  • Click the CleanUp! button.
  • Select Yes when the
    Begin cleanup Process?
    prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes, if not delete it by yourself.

Note: If you receive a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet, please allow it to do so.
 
hi..

just have a few questions about the hosts file.. =)

-why is the "disabled" option for the DNS client recommended and not "manual"?
-and-
-do i need a hosts file manager like HostsMan or HostsXpert?

anyway, is it done? PCs clean now? =) =)
 
-why is the "disabled" option for the DNS client recommended and not "manual"?
"change the setting from automatic to manual" <- I don't think I mentioned disabled there ;)

-do i need a hosts file manager like HostsMan or HostsXpert?
Not necessarily. Mvps hosts file is enough (remember to update it occasionally though). :)

anyway, is it done? PCs clean now? =) =)
Yep. I think we're ready.
 
:laugh:

i meant from the page that i got the hosts file. it mentioned there that "disabled" option is recommended. of course i followed your instructions, but, was just wondering what's the diff. :D: :D:

anyway, please bear with me. just a few more questions and i'll be done. :D:

i can't seem to find the exact instructions on the FAQs of the page for the hosts file, so..

-how do i actually update it?
-if for one reason or another, i have/want to remove/disable the hosts file for a while. how do i do it?
-how do i "add" an address that i usually go to, to the list? it might not actually be recommendable, but just if i wanted to... :D:
-and last but not least, uhm.. which of the two would you be inclined to use more as firewall, COMODO or ZoneAlarm? in terms of user friendliness.. for the "technologically challenged" individual.. :D: :D: :laugh:
 
Hi

-how do i actually update it?
You have to visit the hosts site again for an update.

-if for one reason or another, i have/want to remove/disable the hosts file for a while. how do i do it?
You can get HostsXpert and use its 'Restore MS Hosts' feature to restore the hosts file to Microsoft's original hosts file that blocks nothing.
-how do i "add" an address that i usually go to, to the list? it might not actually be recommendable, but just if i wanted to...
That can be done with HostsXpert too. :) It can also be done manually by inserting a new line with the following format into the c:\windows\system32\drivers\etc\HOSTS file:
127.0.0.1 badSiteDomain

-and last but not least, uhm.. which of the two would you be inclined to use more as firewall, COMODO or ZoneAlarm? in terms of user friendliness.. for the "technologically challenged" individual..
I think both would do. I'd probably choose COMODO. Remember though to not install SafeSurf toolbar.
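The hosts-file answers above (updating the list, restoring a file that blocks nothing, adding your own "127.0.0.1 badSiteDomain" line) can be checked with a small parser. This is an added example, not from the thread or from HostsXpert; the sample file content is constructed, and the function names are my own.

```python
"""Hosts-file helper (added example). Parses "<ip> <hostname> [<hostname>...]"
lines with '#' comments, reports which names are blackholed, resolves a name
with first-match semantics, and adds a block entry without duplicating it."""
import ipaddress

BLACKHOLE_IPS = {"127.0.0.1", "0.0.0.0"}   # addresses blocklists point names at

# Constructed sample in the style of a Windows hosts file with a few blocklist lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# [Start of entries from a blocklist]  (constructed sample)
127.0.0.1  ads.example.net   # trailing comment
0.0.0.0    tracker.example.org  cdn.tracker.example.org
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs; blank, comment and malformed lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue                              # first token is not an address
        for host in parts[1:]:                    # one line may list several names
            yield ip, host.lower()                # hostname matching is case-insensitive


def blocked_domains(text):
    """Names the file sends to a blackhole address (localhost is not a block entry)."""
    return {h for ip, h in parse_hosts(text) if ip in BLACKHOLE_IPS and h != "localhost"}


def lookup(text, hostname):
    """Return the address the file maps hostname to (first match wins), or None."""
    for ip, h in parse_hosts(text):
        if h == hostname.lower():
            return ip
    return None


def add_block_entry(text, hostname, ip="127.0.0.1"):
    """Append '<ip> <hostname>' (the format described above) unless already mapped."""
    if lookup(text, hostname) is not None:
        return text                               # already present: leave the file alone
    if not text.endswith("\n"):
        text += "\n"
    return text + f"{ip} {hostname.lower()}\n"
```

Running `blocked_domains` over a freshly downloaded list and the installed file shows what an update changes; the original Microsoft file (a single `localhost` line) yields an empty set, which is what "blocks nothing" means.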
 
at last!!! :eek:

:yahoo: :beerbeerb:

you're the best! :bigthumb: :2thumb: :bow:

i don't know what else to say except for what has already been said.. :D:
[to avoid repetition of cheesiness, still can't believe i said it, but.. please refer to post 20 of this thread in page 2] :laugh:

seriously though, thanks for everything man! you've been a very big help!

i guess you can archive this now. :D:

take it easy! keep up the good work.. 'till next time? :D:
 
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.
 