Altnet

  • Thread starter Clive Cowan (CCR)

Clive Cowan (CCR)

Hi,

This thread relates also to the one on 21/Jan/05 "Antispy
Freezes At Altnet".

On a client's machine running Windows XP (Home Edition)
SP2 and AntiSpy Beta, we discovered Altnet amongst other
spyware. We have been able to remove all reported files
and registry entries except HKLM\Software\Altnet and its
child directories.

If we attempt to remove it manually, even in safe mode
with all services and startup items disabled, it reports
it cannot be removed. There appears to be no corruption
of the registry.

When the computer connects to the internet, it very much
appears to then download the necessary install files
again.

This appears to be a new non-reported derivative behavior
for Altnet. Has anyone any experience of how to clean it
out? My guess is it is patching into the boot files
perhaps.

I believe this spyware and its associated bundle was
installed by KaZaA.

Many Thanks,


Clive
Principal
CCR Computer Systems
 
tgs

First of all, I don't understand most of what I see
posted on here! BUT, two of the postings caught my eye.
I run AntiSpyware Beta every day and it detects Altnet and
Hijacker Browser EVERY day! I click on Remove, it says
it does, it's there again the next day. Are other
Spyware programs also unable to take care of these two?
 
Ron Chamberlin

Hi Clive,

Boot into Safe Mode (F8) at startup;
Empty your temporary files AND your Temporary Internet Files (C:\Documents and Settings\Username\Local Settings\Temporary Internet Files folder);
Run the scan while in safe mode;
If you are running SP2, open IE--->Tools--->Manage Add-ons, and uncheck any BHOs that you don't recognize.

Ron Chamberlin
MS-MVP
 
Clive Cowan (CCR)

Hi Ron and 'TGS',

Thank you for your replies.

TGS - The behaviour you describe is the same as I am
enquiring about.

Ron - We have already done as you describe, additionally
disabling all Services and Start Up processes. However,
HKLM\Software\Altnet (& child directories) reappear. As
already mentioned, manual deletion from the registry
doesn't work either, as the Altnet directory will not
delete.

There are no unexpected BHOs showing in 'Manage Add-Ons'.

I suspect we may be dealing with a new variant of Altnet
here, as we have not ourselves seen this behaviour
before - previous infections on other machines we have
successfully eliminated.

Any other thoughts please?

Kind Regards,


Clive
CCR
 
Bill Sanderson

Check all the locations you can via the System Explorers. Try to satisfy
yourself about the bona fides of each item shown--especially any you find in
OS-related folders or temp folders, rather than locations of known
application software.

Also look over the drive, using a command prompt and the attrib
command--looking for executables or .dll files which are set as System,
Hidden, Read only.

You could grab a copy of HijackThis, and post your log to one of the spyware
forums--that's the standard way to handle something new and unexpected.
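
A present-day equivalent of the attribute check described in the post above, as an added example that is not part of the original thread. It assumes PowerShell 3.0 or later rather than the XP-era command prompt and `attrib`, and the scan root `C:\` is an assumption.

```powershell
# Added example (not from the thread). Assumes PowerShell 3.0 or later.
# Lists .exe/.dll files that carry System + Hidden + ReadOnly together,
# with location and signature details to help judge each file.
param(
    [string]$Root = 'C:\'   # assumed scan root; change as needed
)

$wanted = [System.IO.FileAttributes]'System, Hidden, ReadOnly'

# Folders the post singles out: OS-related folders and temp folders.
$osDir    = "$env:windir\"
$tempDirs = @($env:TEMP, (Join-Path $env:windir 'Temp')) |
    Where-Object { $_ } |
    ForEach-Object { $_.TrimEnd('\') + '\' }

Get-ChildItem -Path $Root -Recurse -Force -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    Where-Object { ($_.Attributes -band $wanted) -eq $wanted } |
    ForEach-Object {
        $path = $_.FullName
        $area = 'Other'
        if ($path.StartsWith($osDir, [StringComparison]::OrdinalIgnoreCase)) { $area = 'OS folder' }
        foreach ($t in $tempDirs) {
            if ($path.StartsWith($t, [StringComparison]::OrdinalIgnoreCase)) { $area = 'Temp folder' }
        }
        # Signature status is one input for judging a file, not a verdict.
        $sig = Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Path       = $path
            Area       = $area
            Attributes = $_.Attributes
            Modified   = $_.LastWriteTime
            Signature  = if ($sig) { $sig.Status } else { 'Unreadable' }
            Signer     = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    } |
    Sort-Object Area, Path |
    Format-Table -AutoSize -Wrap
```

Run it from an elevated session so that protected folders are not silently skipped; genuine Windows files can also appear in the output, so each hit still needs to be checked by hand.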
 
Guest

-----Original Message-----
Hi,

This thread relates also to the one on 21/Jan/05 "Antispy
Freezes At Altnet".

On a client's machine running Windows XP (Home Edition)
SP2 and AntiSpy Beta, we discovered Altnet amongst other
spyware. We have been able to remove all reported files
and registry entries except HKLM\Software\Altnet and its
child directories.

Hi Clive,

Can you tell me if this is a multi-user computer? I've been
researching the Altnet problem and it seems to work
differently on XP home with a multi-user setup.


Thanks
Ceegee
 
Clive Cowan (CCR)

Hi Ceegee,


Sorry for the delay in responding.

Yes, it is XP Home SP2, running two accounts - both with
administrator privileges (not ideal but that is what the
owner/user wants).

Good luck with your research - why do so many use Altnet
and cause themselves all this grief?!

Kind Regards,


Clive
 
Clive Cowan (CCR)

Thanks Bill!

-----Original Message-----
Check all the locations you can via the System Explorers. Try to satisfy
yourself about the bona fides of each item shown--especially any you find in
OS-related folders or temp folders, rather than locations of known
application software.

Also look over the drive, using a command prompt and the attrib
command--looking for executables or .dll files which are set as System,
Hidden, Read only.

You could grab a copy of HijackThis, and post your log to one of the spyware
forums--that's the standard way to handle something new and unexpected.
--
FAQ for Microsoft Antispyware:
http://www.geocities.com/marfer_mvp/FAQ_MSantispy.htm

 
ceegee

Hi Ceegee,


Sorry for the delay in responding.

Yes, it is XP Home SP2, running two accounts - both with
administrator privileges (not ideal but that is what the
owner/user wants).

Good luck with your research - why do so many use Altnet
and cause themselves all this grief?!

At one time, it was possible to delete the Altnet registry entries as
long as you went into the account from which they were installed or
from which Kazaa (in this and many other cases) was installed. Trying
to delete from within any other account was fruitless, at least on XP
Home.

On XP Pro, it was possible to change the permissions and delete from
within any account.

However, as you noted, Altnet and other spyware are continuously
adapting, and as soon as you figure out a way to defeat them, they
figure out a way around it, but this is at least worth a try.

Ceegee
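
The permissions point in the post above can be inspected before attempting any deletion. The following is an added example, not part of the original thread; it assumes PowerShell 3.0 or later in an elevated session and uses the `HKLM\Software\Altnet` key named earlier in the thread.

```powershell
# Added example (not from the thread). Assumes PowerShell 3.0 or later in an
# elevated session. Read-only: it changes no permissions and deletes nothing.
$root   = 'HKLM:\SOFTWARE\Altnet'   # key named in the thread
$delete = [System.Security.AccessControl.RegistryRights]::Delete

if (-not (Test-Path -Path $root)) {
    Write-Output "$root is not present on this machine."
} else {
    # The key itself plus every subkey that can be enumerated.
    $paths = @($root) + @(
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object { "Registry::$($_.Name)" }
    )

    $report = foreach ($p in $paths) {
        try {
            $acl = Get-Acl -Path $p -ErrorAction Stop
        } catch {
            # An ACL that an administrator cannot read is itself a finding.
            Write-Warning "Cannot read ACL on ${p}: $($_.Exception.Message)"
            continue
        }
        foreach ($rule in $acl.Access) {
            [pscustomobject]@{
                Key          = $p
                Owner        = $acl.Owner
                Identity     = $rule.IdentityReference
                Type         = $rule.AccessControlType   # Allow or Deny
                Rights       = $rule.RegistryRights
                CoversDelete = (($rule.RegistryRights -band $delete) -eq $delete)
                Inherited    = $rule.IsInherited
            }
        }
    }
    $report | Sort-Object Key, Type | Format-Table -AutoSize -Wrap
}
```

A `Deny` rule with `CoversDelete` set, or an owner other than the Administrators group, would account for deletion failing from one account but not another. Rules stored with generic access masks appear as raw numbers in the `Rights` column and have to be read by hand.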
 
