Win32.bettlnet

kanso 2006-04-24 13:53:01 UTC #1

hi new to this but done a hijackthis scan on the computer as I cant get rid of this win32.bettlnet virus as I am running Zonealarm antivirus and its telling me there are 4 of these virus on my computer the log I got from hijackthis is

Logfile of HijackThis v1.99.1
Scan saved at 21:32:29, on 24/04/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Dan\My Documents\SET UPS\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O4 - HKLM..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM..\Run: [MimBoot] C:\Program Files\Musicmatch\Musicmatch Jukebox\mimboot.exe
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
anyone out there help me to get rid of this please

Arachne 2006-04-24 13:58:23 UTC #2

Sounds possibly like BetterInternet...try downloading Spybot S&D, update it, then run a spyware check.

kanso 2006-04-24 15:53:35 UTC #3

hi tryed spybot, virus's still there, any more help please

Arachne 2006-04-24 16:03:48 UTC #4

OK, it's a pain to remove manually, so I won't post that info unless you specifically ask for it.

Have you tried an online virus scan?

http://housecall.trendmicro.com/
http://www.bitdefender.com/scan8/ie.html

Above are two online virus scanners. Hope they help.

haveacigar 2006-04-24 16:09:45 UTC #5

Another thread;

http://club.cdfreaks.com/showthread.php?t=144100

Arachne 2006-04-24 16:19:21 UTC #6

I found that whilst Googling...good catch :bigsmile:

haveacigar 2006-04-24 16:46:55 UTC #7

i also found it by googling ^__^

kanso 2006-04-25 14:53:22 UTC #8

hi ARACHNE would it be possable to give me the slow way to remove this as I have tryed everythig with no joy

Arachne 2006-04-25 14:57:56 UTC #9

OK, it's very detailed, and involves dipping into the Registry...only try it if you are sure - a reinstall of Windows might be easier.

Here is the link to removal instructions: http://www.spywaredb.com/remove-abetterinternet/

Be warned (again)...only edit the Registry if you're sure of what you're doing...and make a backup first.

zebadee 2006-04-25 15:02:18 UTC #10

Hi
Have you tried this. + it's free.

kanso 2006-04-26 15:50:11 UTC #11

hi all still have this virus ,I now have tryed to reinstall xp but because there is a recovery partition on my hard drive the virus keeps coming back ,the computer is a Packard Bell and I dont know how to delete this as when you try to install xp its its only giving me the option to install on to the C drive and wont let me detete the recovery partition,there is nothing on this computer so there is no files I need so can anyone tell me how to restore this and delete the recovery file thanks

haveacigar 2006-04-26 16:00:57 UTC #12

have you formatted your hd? unless you do this the virus will stay. From what i have read on the net, it isnt a very common virus, but it is supposed to infect alot of files, meaning anything you leave on the disk is likely to continue the spread, so even backed up files of photos my contain mallicious script. The only way to do this is to start from scratch and format your hd, or try to find an anti virus that is able to sort out the problem.

Arachne 2006-04-26 16:12:32 UTC #13

Yeah...I'm sorry, kanso, I'd love to help you further, but my installation of Windows doesn't have a recovery partition (or recovery disc), so I have no experience of how to do things with those

kanso 2006-04-29 11:22:54 UTC #14

hi all found a program call (killdisk) this deleted my windows and reformatted the hard drive and so far it looks like this virus has been deleted thanks all