Altnet annoying spyware!

Discussion in 'Malware Help (A Specialist Will Reply)' started by Trenten, Feb 23, 2006.

  1. Trenten

    Trenten Private E-2

    OK... so I have Windows Defender Beta 2 and this is the only spyware program I've used that detects this pesky thing... but when I hit Remove in the window it gives me an error saying the file could not be deleted and that one or more actions could not be successfully completed... if you need the error #,
    it's 0X0501001


    The file locations are as follows:

    file:
    c:\windows\system32\config\systemprofile\local settings\temp\asmfiles.cab->altinst1.dll

    file:
    c:\windows\system32\config\systemprofile\local settings\temp\asmfiles.cab->altinst2.dll

    Any advice on how to get rid of this? It's classified as a trojan... and this is the only error on my computer, and it seems to keep it running horribly slow. I have no viruses and no other malware. Please, someone shine some light on my problem :(
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Welcome to MajorGeeks.com, please follow the steps below:

    Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

    • Make sure you check version numbers and get all updates.
    Very Important: Make sure you tell us the results from running the tutorial... was anything found? Were you unable to complete any of the scans?... Were you unable to download any of the tools?... Did you do the on-line scans as suggested? etc.

    After doing ALL of the above and you still have a problem, make sure you have booted to normal mode and run the steps in the below thread to properly use HijackThis and attach the log:

    Downloading, Installing, and Running HijackThis

    When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too (these scans are covered in steps 6 & 7 of the READ & RUN ME sticky)
    • Bitdefender
    • Panda Scan
    • HijackThis
     
    Last edited: Feb 25, 2006
  3. Trenten

    Trenten Private E-2

    OK, I did all that I was entitled to do. For some reason I couldn't upload the HTML file from BitDefender, and when I saved it as text it just gave the width and fonts etc. of the box the writing was in when the scan was complete... I couldn't select File > Save because you had to exit the virus scanner to control the previous page it was on. But I have my Panda scan and HJT log.

    Also, I noticed

    ADINTELLIGENCE.APROPOSTOOLBAR
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    obj[0]=Process : C:\WINDOWS\System32\uspsbase.dll
    obj[1]=Process : C:\WINDOWS\System32\uspsbase.dll
    obj[2]=Process : C:\WINDOWS\System32\uspsbase.dll
    obj[3]=Process : C:\WINDOWS\System32\uspsbase.dll
    obj[4]=Process : C:\WINDOWS\System32\uspsbase.dll
    obj[5]=Process : C:\WINDOWS\System32\uspsbase.dll
    obj[6]=Process : C:\WINDOWS\System32\uspsbase.dll
    obj[7]=Process : C:\WINDOWS\System32\uspsbase.dll
    obj[8]=Process : C:\WINDOWS\System32\uspsbase.dll
    obj[9]=Process : C:\WINDOWS\System32\uspsbase.dll
    obj[10]=Process : C:\WINDOWS\System32\uspsbase.dll
    obj[11]=Process : C:\WINDOWS\System32\uspsbase.dll
    obj[12]=Process : C:\WINDOWS\System32\uspsbase.dll
    obj[13]=Process : C:\WINDOWS\System32\uspsbase.dll
    obj[14]=Process : C:\WINDOWS\System32\uspsbase.dll
    obj[15]=Process : C:\WINDOWS\System32\uspsbase.dll
    obj[16]=Process : C:\WINDOWS\System32\uspsbase.dll

    POSSIBLE BROWSER HIJACK ATTEMPT
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    obj[17]=Regkey : SOFTWARE\Microsoft\Code Store Database\Distribution Units\{B8E71371-F7F7-11D2-A2CE-0060B0FB9D0D}
    obj[18]=RegValue : SOFTWARE\Microsoft\Code Store Database\Distribution Units\{B8E71371-F7F7-11D2-A2CE-0060B0FB9D0D} "Installer"

    ADINTELLIGENCE.APROPOSTOOLBAR
    »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    obj[2]=File : C:\Program Files\Supoftex\data.bin



    I dunno what this is in my Ad-Aware SE but it looks nasty. It's currently in my quarantine list... should I get rid of this? And also... I still wasn't able to delete that Altnet even in Safe Mode.

    Spybot discovered a Windows Security anti-virus override; I cleaned that. But when I ran BitDefender all it seemed to find was that annoying Altnet spyware once again... but it couldn't get rid of it. But hope this helps and hope you can help me :)
     


  4. Trenten

    Trenten Private E-2

    Alright, I was able to get my BitDefender to upload. Guess this is it? Thanks in advance.
     


  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  6. Trenten

    Trenten Private E-2

    OK, some good news and some bad news :D

    Good news is I ran Ewido and it found a few things no other scanner did and got rid of them...

    Bad news is the only way to delete Altnet is to delete the whole archive, which I dunno is safe or not... that's why I'm back here :(

    The archive is C:\windows\system32\config\systemprofile\local settings\temp\asmfiles.cab

    C:\windows\system32\config\systemprofile\local settings\temp\asmfiles.cab\asm.exe is the Altnet location, but it can't be deleted without deleting the whole archive... is that safe? But yeah, here is my attachment from the scans.


    So is it safe to delete the archive? Or would it burn my CPU?
     


  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  8. Trenten

    Trenten Private E-2

    OK, done... but should I delete that archive I told you about in my last post? Or are you going to get to that later :confused:

    Here are my log files for my new HJT and WinPFind.
     


  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox
    • Save it to your desktop or a place easy to find.
    • Do not run it yet
    Please look in Add/Remove Programs for the following and uninstall them if found:

    Ewido

    AVG AntiVirus or Norton AntiVirus

    ( Pick ONE and uninstall the other )

    Please make sure the Viewing of Hidden Files & Folders is enabled per the READ ME.

    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see any of them, try to END them:


    regscan.exe

    Now scan with HijackThis and check the boxes for the following entries:
    ( Make sure ALL browser windows are closed when you click FIX )

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS10
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS10
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/su/*http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

    O4 - HKCU\..\Run: [duser] C:\WINDOWS\System32\duser.exe
    O4 - HKCU\..\Run: [196_150_ni] C:\WINDOWS\System32\196_150_ni.exe
    O4 - HKCU\..\Run: [197_150_ni_7] C:\WINDOWS\System32\197_150_ni_7.exe
    O4 - HKCU\..\Run: [Regscan] C:\WINDOWS\System32\regscan.exe
    O4 - HKCU\..\Run: [kbdinben] "C:\WINDOWS\system32\kbdinben.exe"
    O4 - HKCU\..\Run: [vga] "C:\WINDOWS\system32\vga.exe"
    O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe

    O21 - SSODL: EzAnxu - {6C44B701-C6EE-1DAB-DD62-20D27FB85E52} - C:\WINDOWS\System32\eziqx.dll (file missing)

    O23 - Service: filemgmt - Unknown owner - C:\WINDOWS\System32\filemgmt.exe (file missing)
    O23 - Service: schedsvc - Unknown owner - C:\WINDOWS\System32\schedsvc.exe (file missing)

    Again, make sure ALL browser windows are closed when you click FIX.

    Next please follow the below instructions.

    Click Start > Run > type in the below pressing ENTER after each one.

    sc delete filemgmt

    sc delete schedsvc


    Next, run CCleaner to clean up cookies and temp files.

    Next, copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.

    Locate PocketKillbox
    (Proceed with this step even if they do not show in blue)

    Next, you will be entering items into Pocket KillBox. Please select the “Delete on Reboot” Option. Copy&Paste each of the file names listed below into the box one by one, making sure Delete on Reboot is Checked for each entry. Click the Red X for each entry, but DO NOT Allow your machine to be rebooted until the last item has been entered:

    ** Note: For any of the .dll files, check the Unregister .dll Before Deleting box as well. If this option is not enabled, don't worry about it.

    • If you get an error message about Pending Operations, just reboot your computer manually.

    After you complete the above please follow the below instructions...

    Finally, I would like you to flush your System Restore points. Please follow the instructions in the below:


    • Disable and Re-enable System Restore

    • Turn OFF System Restore to flush any bad Restore Points.

    • Then, follow the instructions at the bottom of the linked page to Re-enable the Restore Utility which will create a fresh restore point.
    After you complete the above reboot once more and then scan with HijackThis and attach the new log.

    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.
     
    Last edited: Feb 26, 2006
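The fix list in the post above was triaged by hand from a HijackThis log. As an added example (not code from the thread, from MajorGeeks or from HijackThis itself), the script below applies the criteria visible in that list to raw log lines: entries whose target no longer exists ("(file missing)" / "(no file)"), O23 services with no recorded vendor ("Unknown owner"), and O4 Run entries launched straight out of System32. The third rule is this example's own assumption and only marks entries for review. The O23 to `sc delete` mapping mirrors the Start > Run step the expert gave after the HijackThis fix; the sample log is constructed from seven lines of the fix list plus three benign-looking entries (SynTPEnh, updsvc, Ati HotKey Poller) invented here to show which heuristics stay quiet.

```python
"""Triage of HijackThis-style log lines (added example, not the thread's or
HijackThis's own code). Heuristics below are this example's assumptions."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: seven lines copied from the fix list above plus three
# entries invented here (SynTPEnh, updsvc, Ati HotKey Poller).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKCU\..\Run: [196_150_ni] C:\WINDOWS\System32\196_150_ni.exe
O4 - HKCU\..\Run: [vga] "C:\WINDOWS\system32\vga.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O21 - SSODL: EzAnxu - {6C44B701-C6EE-1DAB-DD62-20D27FB85E52} - C:\WINDOWS\System32\eziqx.dll (file missing)
O23 - Service: filemgmt - Unknown owner - C:\WINDOWS\System32\filemgmt.exe (file missing)
O23 - Service: schedsvc - Unknown owner - C:\WINDOWS\System32\schedsvc.exe (file missing)
O23 - Service: updsvc - Unknown owner - C:\Program Files\Example\updsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
"""

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
# O4 body: HKCU\..\Run: [name] path   (path may be quoted)
RUN_RE = re.compile(r'^HK\w+\\\.\.\\Run: \[[^\]]*\] "?(?P<path>.+?)"?$')
# O23 body: Service: name - owner - path
SERVICE_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
SYSTEM32 = "c:\\windows\\system32\\"


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str  # "orphaned" | "unknown-owner" | "system32-startup"
    raw: str


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per log line that matches a removal/review rule."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        m = LINE_RE.match(raw)
        if not m:
            continue  # blank line or not a HijackThis entry
        section, body = m["section"], m["body"]
        if "(file missing)" in body or "(no file)" in body:
            # Registry entry whose target is gone: nothing is served by keeping it.
            findings.append(Finding(section, "orphaned", raw))
        elif section == "O23" and (s := SERVICE_RE.match(body)) and s["owner"] == "Unknown owner":
            # Service with no vendor string; needs a look even if the binary exists.
            findings.append(Finding(section, "unknown-owner", raw))
        elif section == "O4" and (r := RUN_RE.match(body)) and r["path"].lower().startswith(SYSTEM32):
            # Assumption: vendor startup items normally live under Program Files,
            # so a Run entry pointing straight into System32 is worth reviewing.
            findings.append(Finding(section, "system32-startup", raw))
    return findings


def sc_delete_commands(findings: list[Finding]) -> list[str]:
    """The "Start > Run > sc delete <service>" step for orphaned O23 entries.

    Assumption: the name HijackThis printed is the service's registry key name,
    which is what sc expects; if a log shows "Display Name (KeyName)", use the
    part in parentheses instead."""
    cmds: list[str] = []
    for f in findings:
        if f.section != "O23" or f.reason != "orphaned":
            continue
        name = SERVICE_RE.match(LINE_RE.match(f.raw)["body"])["name"]
        cmds.append(f'sc delete "{name}"' if " " in name else f"sc delete {name}")
    return cmds


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.reason:17} {f.raw}")
    print("\n".join(sc_delete_commands(found)))
```

Run it as-is to see the seven flagged lines and the two `sc delete` commands; point `triage()` at a real log's text to get the same breakdown. Entries marked `system32-startup` are a prompt to look at the file, not a verdict; the orphaned ones are safe to fix in HijackThis because there is no file left for them to launch.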
  10. Trenten

    Trenten Private E-2

    Things seem to be running GREAT! Thank you soooooo much for your help :D

    But here's my HJT log file.

    I dunno how I would have fixed all that without you :) Thank you.

    Y'all have donations on this site?
     


  11. Trenten

    Trenten Private E-2

    Errr, for some reason... I still have that Altnet on my computer... just ran BitDefender and it discovered it again :/
     
  12. Trenten

    Trenten Private E-2

    Sorry, I meant Windows Defender. There's no edit tool?
     
  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Majorgeeks doesn't accept donations; however, donations can be accepted from individual members.
     
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Can you tell me exactly what's being detected? File or registry entry?
     
  15. Trenten

    Trenten Private E-2

    Those files up there are the 2 being detected, which are Altnet files. When I ran Ewido it said I would have to delete the whole archive to get rid of it. I had asked if I should do that, but maybe you overlooked it. But that's it :)
     
  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Navigate to that directory and delete everything in the folder.

    C:\WINDOWS\system32\config\systemprofile\local settings\temp
     
  17. Trenten

    Trenten Private E-2

    Everything??? There's quite a bit of stuff in there, probably well over 500, and a few folders in there also :eek: Should I just forget about getting rid of Altnet? I don't wanna delete something I'm going to regret.
     
  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    It's temp junk, it needs to be cleaned out. It shouldn't even be there to be honest.
     
  19. Trenten

    Trenten Private E-2

    Correction, there are 7125 files total in there. :eek:


    Do you want me to also delete the folders in there, such as the Temporary Internet Files folder? There's an HP Photosmart folder and such also. Or do you just want me to delete everything besides the folders? Or just dump it all?
     
  20. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Just delete all of the files and see if the detection remains.
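The "delete all of the files, leave the folders" step above, as an added example in script form (not code from the thread or from MajorGeeks). The one failure mode worth handling is a file held open by a running process: on Windows that surfaces as PermissionError, the same situation behind the "file could not be deleted" error Windows Defender gave at the top of the thread. Such paths are collected rather than retried, because the working answer in the thread is to remove them after a reboot (KillBox's "Delete on Reboot"). The systemprofile path is quoted from the thread only as a default name; the sample tree the script builds under a tempfile directory is constructed for the demonstration.

```python
"""Delete the files (not the subfolders) under a temp directory and report
what could not be removed. Added example; assumptions are marked."""
from __future__ import annotations

import tempfile
from pathlib import Path

# The folder named in the thread. Assumption: you pass your own path to
# clean_temp_files(); this example never touches this one.
SYSTEMPROFILE_TEMP = Path(r"C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp")


def clean_temp_files(root: Path, dry_run: bool = True) -> dict[str, list[str]]:
    """Delete every regular file directly under root; skip subdirectories.

    Returns {"files": names deleted (or that would be, when dry_run),
             "dirs": subfolders left in place,
             "locked": files that raised PermissionError}.
    A member of an archive such as asmfiles.cab cannot be removed on its
    own; the .cab is one file here and goes as a whole, which is what the
    scanners in the thread were asking for.
    """
    report: dict[str, list[str]] = {"files": [], "dirs": [], "locked": []}
    for entry in sorted(root.iterdir()):
        if entry.is_dir():
            report["dirs"].append(entry.name)
            continue
        try:
            if not dry_run:
                entry.unlink()
            report["files"].append(entry.name)
        except PermissionError:
            # In use by a running process (or ACL-protected): note it for a
            # delete-on-reboot pass instead of failing the whole cleanup.
            report["locked"].append(entry.name)
    return report


def build_sample_temp() -> Path:
    """Constructed stand-in for the systemprofile temp folder: a few loose
    files, the .cab from the thread, and one subfolder that must survive."""
    root = Path(tempfile.mkdtemp(prefix="systemprofile-temp-"))
    (root / "asmfiles.cab").write_bytes(b"MSCF" + b"\x00" * 32)  # CAB magic, constructed
    (root / "~DF1234.tmp").write_bytes(b"\x00" * 16)
    (root / "hpqtra08.log").write_text("constructed log line\n")
    sub = root / "Temporary Internet Files"
    sub.mkdir()
    (sub / "index.dat").write_bytes(b"\x00" * 8)
    return root


if __name__ == "__main__":
    root = build_sample_temp()
    print("dry run:", clean_temp_files(root, dry_run=True))
    print("for real:", clean_temp_files(root, dry_run=False))
```

Always take the dry run first: with 7125 files in the folder you want the list of what is about to go, and anything that lands in "locked" is exactly the set to hand to a delete-on-reboot tool.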
     
  21. Trenten

    Trenten Private E-2

    Nope, deleted it all, problem is gone ^^ Thanks.


    Only problem is a virus I got in my C:\System Volume Information... the folder is inaccessible, so dunno how serious that is :C Trojan Virus generic.QNV

    But thanks for all your help up to this point :D I really appreciate it.
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    BJ,

    Will not be around for a while. Following the below should help you to clean up junk in System Restore.

    It is time to go back to step 1 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.

    Then run whatever scanner you are using to locate the virus in System Restore and make sure it gets deleted or is not detected. Manually delete the file(s) if necessary.

    Then reboot and enable System Restore to create a new clean Restore Point.

    After that, if you are not having any other malware problems, you should work thru the below link:

    How to Protect yourself from malware!
     
