Zlob thing?.. pls help

You're welcome. Some answers below

-to begin with, what actually happened? is it mainly because of the Zlob? Virtumonde? was the kdvkp.exe only a part of the bigger problem?
Your problems may have started when you ran that XiliSoft video converter program.

-the xilisoft avi to dvd converter program, can i still use it? or do i have to completely uninstall it? 'cause i saw in one of the actions that the installer was infected and had to be deleted.
Looking at the name of the D:\wiL\downloads\installers\Xilisoft AVI To DVD Converter v3.0.34.Build.0124 Serial Incl folder we deleted, it seems you don't have a legal version installed. I ask you to remove the program.
-and i guess in the same breath, the mirc617.exe installer?
The Mirc finding is a false positive.

-and the last is which one of the two installers of comodo will i use? 32bit or 64bit?
32bit is the right version for your system :)
 
i didn't see you already replied..

figures it started like that.. got that from a friend.. anyway, since you asked, i will remove it then.. =)

and about the altnet registry? or is it okay to leave it?
 
Hi

Could you post Spybot findings regarding altnet so that we can try to remove it too?
 
at last, i thought this thread got erased. =) anyway..

is this it?

Altnet: [SBI $2F41B249] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Altnet

this one says nothing done because i already know here that spybot couldn't delete it, even when spybot does the fixing on startup.

i don't know what else to post. on spybot's definition, it's a tracker? or something that memorizes? logs? my habits.. something like that..
 
Hi

Yes, that's what I was after :)


Download ERUNT
Save it to your desktop. Run and install this program.

In the box that opens ONLY choose
System registry.

Then click OK.

Click save and then go to File > Exit.
This is so the registry can be restored to this point if we need it. It may take a minute. Just let it go until it's done.


Save text below as fix.reg on Notepad (save it as all files (*.*)) on the Desktop.

Code:
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Altnet]

It should look like this -> (screenshot: reg.gif)


Double-click fix.reg, press Yes and OK.

(In case you are unsure how to create a reg file, take a look here with screenshots.)

Reboot and run Spybot again.
 
still there..

is it a problem? or a potential big problem? this altnet thing?

spybot usually gives this message for it...


some problems couldn't be fixed; the reason could be that the associated files are still in use (in memory).
this could be fixed after a restart.
may spybot-s&d run on your next system startup?

[but it still can't, i tried again before replying]


Altnet: [SBI $2F41B249] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Altnet

Right Media: Tracking cookie (Internet Explorer: Admin) (Cookie, nothing done)

the second one, i've seen it before, several times actually but it does get fixed by spybot. [just thought i'd include it] =)

anyway, i don't really know what it is. so, i don't know what else to say.
btw, do firewalls like CFP take up bandwidth? my download speed slowed ever since i installed it.

Thanks for the help again! seems insufficient but.. all i can do is reiterate, i guess... =)
 
Hi

Try to run that fix.reg in safe mode. It's also recommended to install that mvps hosts file. It makes surfing safer and reduces the amount of cookies. A firewall shouldn't affect download speeds (not much at least) when it's configured right.
 
hi..

just to satisfy my curiosity? and naivety? =)

It's also recommended to install that mvps hosts file. It makes surfing safer and reduces the amount of cookies.

you've said before that it might cause my PC to slow down. how actually? 'cause i run on a very old system? or hardware? still a P3 733 MHz, 384 MB RAM. would love to upgrade it soon but money's hard to come by these days [according to my mom and our country's economic standing]. =)

A firewall shouldn't affect download speeds (not much at least) when it's configured right.

little advice on what configuration's right? please and thank you.. :clown::euro::laugh:
 
Hi

The mvps hosts file causes slowness only in rare cases. I'm using it on four machines myself and haven't noticed any side effects :)

For adjusting Comodo you can find tutorials here. If you have a question that the existing tutorials don't cover you can ask it on their forums.
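Editor's added example, not part of the post above and not the MVPS file's own code: a PowerShell check to run against a hosts file before and after installing one. It parses the file, counts blocking entries, lists any host names pointed at something other than a loopback or null address (a hosts file is also a classic place for malware to redirect antivirus and update sites, so such lines deserve a look), and flags a very large file, which is the case where the Windows 2000/XP DNS Client service caching the whole file is what makes the machine slow; MVPS's advice in that case is to disable that service. The default path and the 10,000-entry threshold are assumptions.

```powershell
# Editor's added example (not the MVPS file or any post's code).
# Assumptions: the default hosts path below, and 10,000 entries as "large".
function Test-HostsFile {
    param([string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts")
    $nullAddrs = @('0.0.0.0', '127.0.0.1', '::1')
    $entries = foreach ($line in Get-Content -Path $Path) {
        $code = ($line -split '#', 2)[0].Trim()       # strip comments
        if ($code -eq '') { continue }
        $parts = $code -split '\s+'
        if ($parts.Count -lt 2) { continue }           # address with no names: malformed, skip
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            if ($name -eq 'localhost') { continue }    # the stock entry, not a block
            [pscustomobject]@{ Address = $parts[0]; Host = $name.ToLower() }
        }
    }
    $entries    = @($entries)
    $blocked    = @($entries | Where-Object { $_.Address -in $nullAddrs })
    # A name pointed at a real address is a redirect, not a block. A blocking
    # list like MVPS has none; malware uses such lines to hijack vendor sites.
    $redirected = @($entries | Where-Object { $_.Address -notin $nullAddrs })
    [pscustomobject]@{
        Path         = $Path
        Entries      = $entries.Count
        BlockedHosts = $blocked.Count
        Redirects    = $redirected
        # On Windows 2000/XP the DNS Client service caches the whole file, the
        # usual cause of slowness with a big one. The threshold is an assumption.
        LargeFile    = ($entries.Count -gt 10000)
    }
}

$report = Test-HostsFile
$report | Format-List Path, Entries, BlockedHosts, LargeFile
$report.Redirects | Format-Table -AutoSize      # expected to be empty
```

Run it once before installing the MVPS file to see what the existing hosts file contains, and again afterwards: the Entries count should jump, Redirects should stay empty, and any line that appears under Redirects was not put there by MVPS.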
 
i'll do some reading on the mvp hosts file first then i'll definitely install it and try to see if there would be any slow down problems. and for the comodo firewall, i'll go read up on that too. thanks for pointing me to the right direction. =)

as for the altnet registry, i did the fix.reg on safe mode but when i check for problems again using spybot, it would still be there. i can see it on the recovery section of spybot, and my guess is that it gets fixed but just comes back again. just a guess.. =)

hmm.. what now? :banghead::trample::sad: [no crying smiley] =)
 
Hi

Do you think you could be able to follow this set of Altnet removal instructions?
 
i'm sorry, i'm not really sure how to follow it. on step 1, i found the folder but there weren't any files in it [hidden files are checked in folder options]. on step 2, no altnet process/es like the ones listed on the page. on step 3, i don't know if i did it right; i used the "Find" option in registry editor for the listed supposed entries and found nothing. on step 4, i'm a bit dumbfounded. hehe.. BUT i did find something in the registry..

and alas, i don't know how to attach an image.. doi.. when i click on the dropdown cap, it displays at the bottom, "error on page", sorry...

i have a snapshot of it but i don't know how to show it to you. so anyway, i found a folder containing some DLL's listed on step 4 including one having the word altnet in it. but i don't know what to do next.

hmm...
 
Hi

Please delete that altnet folder you found if you haven't done so already.

After that please download the Registry Search tool by clicking on the hard drive icon halfway down this page: http://www.billsway.com/vbspage/
Save it to the desktop and run it. If you get an alert from your antivirus about scripting, choose to allow the script to run. Search for altnet and click OK. Post the logfile from the tool here for me.
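Editor's added example, not the RegSrch.vbs tool the post links to: the same search done in PowerShell, so it can be rerun after every removal attempt without the antivirus script alert. It walks the given hives and reports keys whose name, value name or value data match the pattern, and it also lists keys it could not open, which matters in a case like this one because an ACL-locked key shows up as access denied rather than as a hit. Assumes an elevated prompt; the hives searched are my choice.

```powershell
# Editor's added example, not the RegSrch.vbs tool linked in the post.
# Assumptions: elevated prompt; the default roots searched are my choice.
function Search-Registry {
    param(
        [Parameter(Mandatory)][string]$Pattern,            # regex, case-insensitive
        [string[]]$Roots = @('HKLM:\SOFTWARE', 'HKU:\')    # HKU holds every loaded user hive, HKCU included
    )
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    foreach ($root in $Roots) {
        # Keys that cannot be opened are collected in $denied instead of aborting
        # the walk; an ACL-locked key turns up here, not as a hit.
        $denied = @()
        $keys = Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue -ErrorVariable +denied
        foreach ($key in @(Get-Item -Path $root -ErrorAction SilentlyContinue) + @($keys)) {
            if ($null -eq $key) { continue }
            if ($key.PSChildName -match $Pattern) {
                [pscustomobject]@{ Hit = 'KeyName'; Key = $key.Name; Name = ''; Data = '' }
            }
            foreach ($name in $key.GetValueNames()) {
                # Raw data, unexpanded, so %SystemRoot%-style strings are seen as stored.
                $raw  = $key.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
                $text = if ($raw -is [byte[]]) { [BitConverter]::ToString($raw) } else { "$raw" }
                if ($name -match $Pattern -or $text -match $Pattern) {
                    [pscustomobject]@{ Hit = 'Value'; Key = $key.Name; Name = $name; Data = $text }
                }
            }
        }
        foreach ($e in $denied) {
            [pscustomobject]@{ Hit = 'AccessDenied'; Key = "$($e.TargetObject)"; Name = ''; Data = "$($e.CategoryInfo.Category)" }
        }
    }
}

# Everything mentioning altnet, in the same spirit as the RegSrch log.
Search-Registry -Pattern 'altnet' | Format-Table -AutoSize
```

Expect hits under Search Assistant\ACMru and the ComDlg32 MRU keys whenever the string has been typed into a Windows search box or appears in a recently opened file name; those are Explorer's own history lists, not components of the program being removed, so they are not evidence that it is still installed.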
 
here it is...

--------------------------------------------------------------------------

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "altnet" 7/9/2008 11:34:13 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_LOCAL_MACHINE\SOFTWARE\Altnet]

[HKEY_LOCAL_MACHINE\SOFTWARE\Altnet\Dashboard]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\McAfeeToDel]
"c:\\program files\\Altnet"="TOCLEAN"

[HKEY_USERS\S-1-5-21-1644491937-706699826-1202660629-1007\Software\Microsoft\Search Assistant\ACMru\5603]
"001"="altnetuninstall.exe"

[HKEY_USERS\S-1-5-21-1644491937-706699826-1202660629-1007\Software\Microsoft\Search Assistant\ACMru\5603]
"013"="altnet"

[HKEY_USERS\S-1-5-21-1644491937-706699826-1202660629-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\*]
"h"="C:\\Documents and Settings\\Admin\\Desktop\\SUPPORT\\reports\\Altnet Altnet Removal Instructions.mht"

[HKEY_USERS\S-1-5-21-1644491937-706699826-1202660629-1007\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU\mht]
"a"="C:\\Documents and Settings\\Admin\\Desktop\\SUPPORT\\reports\\Altnet Altnet Removal Instructions.mht"

--------------------------------------------------------------------------

under the folder Software\Microsoft\Search Assistant\ACMru\5603 of HKEY_USERS is where i found the DLL's i was talking about. i'll try to give it here..

NAME        DATA
(Default)   (value not set)
000         adm25.dll
001         adm4.dll
002         admdata.dll
003         admdloader.dll
004         admfdi.dll
005         admprog.dll
006         atl.dll
007         altnet

all are TYPE = REG_SZ

--------------------------------------------------------------------------

hope that kinda helps...

=)
 
whoa.. wait..

they weren't like that when i first saw it... there were only 9 then.. now they're 15.. let me make some adjustments..

NAME        DATA
(Default)   (value not set)
000         ACMru
001         altnetuninstall.exe
002         adm.exe
003         adm4005.exe
004         asm.exe
005         asmend.exe
006         adm25.dll
007         adm4.dll
008         admdata.dll
009         admdloader.dll
010         admfdi.dll
011         admprog.dll
012         atl.dll
013         altnet

all still are type REG_SZ [i think you already know this, but i just don't want to leave anything out]..

anyway, i'll be searching "My Computer" again for ACMru.. i think i've seen that folder before in one of my Mom's.. under "Back ups"..

this is getting insane i think.. :clown::eek::laugh:
never thought it would be this complicated..

still.. havin' fun though.. as crazy as it may sound.. :D:
 
Hi

This indeed looks quite tricky.


Disable Spybot's TeaTimer
  • Run Spybot-S&D in Advanced Mode
  • If it is not already set to do this, go to the Mode menu and select Advanced Mode
  • On the left hand side, click on Tools
  • Then click on the Resident icon in the list
  • Uncheck Resident TeaTimer and OK any prompts.
  • Restart your computer


Turn McAfee off to make sure it won't prevent the following registry fix.


Save text below as fix.reg (overwrite previous one) on Notepad (save it as all files (*.*)) on the Desktop.

Code:
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Altnet]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\McAfeeToDel]
"c:\\program files\\Altnet"=-

[-HKEY_USERS\S-1-5-21-1644491937-706699826-1202660629-1007\Software\Microsoft\Search Assistant\ACMru\5603]

It should look like this -> (screenshot: reg.gif)


Double-click fix.reg, press Yes and OK.

(In case you are unsure how to create a reg file, take a look here with screenshots.)


Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
  • Please post contents of that file in your next reply.
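Editor's added example, not the fix.reg from the post above: the same removal driven from PowerShell. It shows the two REGEDIT4 deletion forms the post relies on ([-KEY] deletes a key with everything under it; "name"=- under a plain [KEY] header deletes one value) and the backslash escaping a value name needs, exports a backup of each target key that still exists, writes and imports the fix, then checks each key again, because a Spybot rescan alone cannot tell whether the key survived the import or was recreated afterwards. Assumes an elevated prompt; the SID is the one from the RegSrch log earlier in the thread, and the Desktop paths are my choice.

```powershell
# Editor's added example, not the fix.reg from the post. Assumes an elevated
# prompt; the SID is the one from the RegSrch log in this thread and the
# Desktop paths are my choice.
$sid = 'S-1-5-21-1644491937-706699826-1202660629-1007'
$keysToDelete = @(
    'HKEY_LOCAL_MACHINE\SOFTWARE\Altnet',
    "HKEY_USERS\$sid\Software\Microsoft\Search Assistant\ACMru\5603"
)
$valuesToDelete = @(
    @{ Key  = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\McAfeeToDel'
       Name = 'c:\program files\Altnet' }
)

function New-RegRemovalFile {
    param([string[]]$Keys, [hashtable[]]$Values, [string]$Path)
    $lines = @('REGEDIT4', '')
    # "[-KEY]" deletes the key and everything under it on import.
    foreach ($k in $Keys) { $lines += "[-$k]", '' }
    # "name"=- under a plain "[KEY]" header deletes one value. Backslashes and
    # double quotes inside a value name are written as \\ and \" in .reg syntax.
    foreach ($v in $Values) {
        $name = $v.Name.Replace('\', '\\').Replace('"', '\"')
        $lines += "[$($v.Key)]", "`"$name`"=-", ''
    }
    # REGEDIT4 is the ANSI format; regedit does not expect a Unicode BOM here.
    Set-Content -Path $Path -Value $lines -Encoding Ascii
}

function Invoke-RegRemoval {
    param([string[]]$Keys, [hashtable[]]$Values, [string]$FixFile, [string]$BackupDir)
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $targets = (@($Keys) + @($Values | ForEach-Object { $_.Key })) | Select-Object -Unique
    foreach ($k in $targets) {
        if (Test-Path ('Registry::' + $k)) {
            # Targeted backup: importing the exported .reg undoes this fix.
            $out = Join-Path $BackupDir (($k -replace '[\\: ]', '_') + '.reg')
            reg.exe export $k $out /y | Out-Null
        } else {
            Write-Warning "not present before the fix: $k"
        }
    }
    New-RegRemovalFile -Keys $Keys -Values $Values -Path $FixFile
    reg.exe import $FixFile
    # Check straight after the import: a key still here is either ACL-locked
    # (regedit then shows the same error) or recreated by a running component.
    foreach ($k in $Keys) {
        $state = if (Test-Path ('Registry::' + $k)) { 'STILL PRESENT' } else { 'removed' }
        "{0,-14} {1}" -f $state, $k
    }
}

Invoke-RegRemoval -Keys $keysToDelete -Values $valuesToDelete `
    -FixFile "$env:USERPROFILE\Desktop\fix.reg" -BackupDir "$env:USERPROFILE\Desktop\regbackup"
```

If a key reports STILL PRESENT immediately after the import, the .reg syntax is not the problem: either the key's ACL denies deletion, or something running recreates it, and in the second case stopping that process (the TeaTimer and antivirus steps above are exactly that) is the fix rather than re-running the file.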
 
is it supposed to be very quick? i've read in some threads it took them hours to do a full scan.. well, anyway, here it is..

--------------------------------------------------------------------------

Malwarebytes' Anti-Malware 1.20
Database version: 935
Windows 5.1.2600 Service Pack 2

9:04:27 AM 7/10/2008
mbam-log-7-10-2008 (09-04-27).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|F:\|)
Objects scanned: 113595
Time elapsed: 18 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
D:\flor\Backups\ActiveWallpaper\23663.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\msupdte.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\SETUP.EXE (Rogue.Installer) -> Quarantined and deleted successfully.

--------------------------------------------------------------------------

btw, i had to remove comodo. it was interfering with the update of mbam even though i already exited the application in my quick launch bar. just thought i'd say it.

and also i took the liberty of searching the registry again for the word altnet, and it showed the first two from before again.. namely,

[HKEY_LOCAL_MACHINE\SOFTWARE\Altnet]

[HKEY_LOCAL_MACHINE\SOFTWARE\Altnet\Dashboard]

there were four others but they were just files i recently created with altnet in the file name. but the folder Software\Microsoft\Search Assistant\ACMru\5603 of HKEY_USERS is no longer there.

hmm.. while replying here (literally), something happened. an error appeared, something to do with system32, i can't remember all the words, then my desktop and taskbar suddenly changed into an old classic view of windows like in 98 or something, but it changed back to normal again almost instantaneously. well, again.. just thought i'd say it..
 
Hi

Let's try to remove the key manually.

Click Start then Run
Type in regedit
Click Ok.

In left pane of registry editor, Navigate to:

HKEY_LOCAL_MACHINE\SOFTWARE\Altnet
If Altnet exists then right click on it and choose Delete from the menu.

If you have trouble deleting a key, click once on the key name to highlight it and click on the Permission menu option under Edit. Uncheck Allow inheritable permissions and press Copy. Click on Everyone and put a checkmark in Full Control, press Apply and OK and attempt to delete the key again.
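Editor's added example, not from the post above: the same deletion done from PowerShell for a key whose ACL stops regedit. The ordering is the point. Take ownership first, which Administrators can do through SeTakeOwnershipPrivilege even when the key's DACL grants them nothing at all; then write a DACL that grants full control with inheritance from the parent switched back on; then export a backup and delete. Removing "inherit from parent" without copying the inherited entries leaves a key with an empty DACL, which is why the permissions dialog then refuses even to display them; taking ownership first recovers from that state too. Assumes an elevated prompt; the backup location is my choice.

```powershell
# Editor's added example, not code from the thread. Assumes an elevated
# PowerShell prompt; the backup directory is my choice.
function Remove-LockedRegistryKey {
    param(
        [Parameter(Mandatory)][ValidateSet('HKLM', 'HKU', 'HKCU')][string]$Hive,
        [Parameter(Mandatory)][string]$SubKey,
        [string]$BackupDir = $env:TEMP
    )
    $hiveKey  = @{ HKLM = [Microsoft.Win32.Registry]::LocalMachine
                   HKU  = [Microsoft.Win32.Registry]::Users
                   HKCU = [Microsoft.Win32.Registry]::CurrentUser }[$Hive]
    $longName = @{ HKLM = 'HKEY_LOCAL_MACHINE'; HKU = 'HKEY_USERS'; HKCU = 'HKEY_CURRENT_USER' }[$Hive]
    $admins   = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-544'   # BUILTIN\Administrators

    # 1. Open asking only for TakeOwnership (WRITE_OWNER). That access comes from
    #    the privilege, not from the key's DACL, so it works on a key regedit
    #    reports as "Cannot open ... Error while opening key".
    $key = $hiveKey.OpenSubKey($SubKey,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
        [System.Security.AccessControl.RegistryRights]::TakeOwnership)
    if ($null -eq $key) { throw "key not found: $longName\$SubKey" }
    $owner = New-Object System.Security.AccessControl.RegistrySecurity
    $owner.SetOwner($admins)
    $key.SetAccessControl($owner)
    $key.Close()

    # 2. The owner always holds WRITE_DAC: replace the DACL with one that grants
    #    Administrators FullControl, inherited by subkeys, and turn inheritance
    #    from the parent back on (the step the regedit dialog makes easy to skip).
    $key = $hiveKey.OpenSubKey($SubKey,
        [Microsoft.Win32.RegistryKeyPermissionCheck]::ReadWriteSubTree,
        [System.Security.AccessControl.RegistryRights]::ChangePermissions)
    $acl  = New-Object System.Security.AccessControl.RegistrySecurity
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
        $admins,
        [System.Security.AccessControl.RegistryRights]::FullControl,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.SetAccessRule($rule)
    $acl.SetAccessRuleProtection($false, $true)
    $key.SetAccessControl($acl)
    $key.Close()

    # 3. Back up with reg export, delete the whole tree, report whether it is gone.
    $backup = Join-Path $BackupDir (($SubKey -replace '[\\ ]', '_') + '.reg')
    reg.exe export "$longName\$SubKey" $backup /y | Out-Null
    $hiveKey.DeleteSubKeyTree($SubKey, $false)
    return (-not (Test-Path "Registry::$longName\$SubKey"))
}

Remove-LockedRegistryKey -Hive HKLM -SubKey 'SOFTWARE\Altnet'    # $true once the key is gone
```

The new DACL is inherited only by subkeys that are not themselves protected; if the tree delete still fails, run the function on the offending subkey (here that would be SOFTWARE\Altnet\Dashboard) first, then on the parent. A key that comes back after a successful delete is being recreated by something still running, which no permission change will fix.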
 
hi..

sorry for the late reply, i've been having problems with my network connection lately. anyway, how can i restore the backup registry made by ERUNT from before? i think i did something wrong, because every time i click on the Altnet folder, it displays this error message "Cannot Open Altnet: Error while opening key." and when i click again on Permissions, it just says "You do not have permission to view the current permission settings for Altnet, but you can make permission changes."

because i couldn't find this..

Uncheck Allow inheritable permissions and press Copy.

i clicked on the advanced settings found below when i clicked on Permissions, and unchecked "Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here." after which the errors i mentioned first began.

btw, off topic.. what does "Generic Host Process for Win32 Services" usually mean? that was the error message i mentioned before with the whole desktop and taskbar changing into classic view or something.

thanks!
 