Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Cleaning up after Prunnet.exe


  • This topic is locked This topic is locked
1 reply to this topic

#1 IT newb

IT newb

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:10:41 AM

Posted 05 December 2008 - 12:57 AM

I Googled up the keyword "prunnet.exe" and learned from this community (and one other) that MalwareBytes takes care of this problem pretty efficiently.

So I ran MalwareBytes a few times between rebooting in safe mode. It reports me as being clean.
I also ran AVG and SpyBot a until nothing shows up.

I don't have any unwanted windows appearing out of the blue with links that don't work (I think I have to thank AVG and/or spybot, or maybe the links were just broken). Does malware become active only when I'm online? I would assume it would try to open the browser even if I'm phyiscally DISconnected.

I just want to confirm that my computer is indeed clean.

Unfortunately RSIT doesn't want to run on the (previously?) infected computer... it works on my not infected Vista... so maybe something still broken on it.

The error message is:

AutoIt Error
Line-1:

Error: Error parsing function call.

I downloaded HJT from download.com and compared it to the partial log RSIT created. RSIT still provides more information... but only a few lines more.

Perhaps it would be better if I did a Kaspersky Online Scan? I will post the incomplete RSIT log for now and do the scan when I return from work tomorrow. I apologize in advance if the log ends up being useless. I also thank you in advance for spending your time with my troubles.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, December 5, 2008
Operating System: Microsoft Windows XP Professional x64 Edition Service Pack 2 (build 3790)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, December 05, 2008 17:18:49
Records in database: 1438933
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
F:\

Scan statistics:
Files scanned: 144311
Threat name: 2
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 01:43:31


File name / Threat name / Threats count
C:\System Volume Information\_restore{7AC48389-AB1F-4DCE-8CD9-57A5DDBE432C}\RP278\A0030572.exe Infected: Trojan.Win32.Agent.asmf 1
D:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03880000.VBN Infected: Trojan.Win32.Agent.asus 1
D:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\054C0000.VBN Infected: Trojan.Win32.Agent.asus 1

The selected area was scanned.



Logfile of random's system information tool 1.04 (written by random/random)
Run by Administrator at 2008-12-05 00:39:11
Microsoft® Windows® XP Professional x64 Edition
System drive C: has 196 GB (46%) free of 427 GB
Total RAM: 4094 MB (73% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:39:19 AM, on 12/5/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\Common Files\Portrait Displays\Plugins\AM\dtsslsrv.exe
C:\PROGRA~2\AVG\AVG8\avgwdsvc.exe
C:\Program Files (x86)\Common Files\Portrait Displays\Shared\dtsrvc.exe
C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
C:\Program Files (x86)\Common Files\Portrait Displays\Drivers\pdisrvc.exe
C:\PROGRA~2\AVG\AVG8\avgemc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\SysWOW64\ctfmon.exe
C:\WINDOWS\SysWOW64\rundll32.exe
C:\Program Files (x86)\Portrait Displays\Pivot Software\wpctrl.exe
C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files (x86)\iTunes\iTunesHelper.exe
C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files (x86)\Portrait Displays\Pivot Software\floater.exe
C:\Program Files (x86)\iPod\bin\iPodService.exe
C:\Program Files\Logitech\SetPoint\x86\SetPoint32.exe
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Administrator\Desktop\RSIT.exe
C:\Program Files (x86)\trend micro\HijackThis\Administrator.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files (x86)\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files (x86)\Portrait Displays\Pivot Software\wpctrl.exe"
O4 - HKLM\..\Run: [DT GWY] "C:\Program Files (x86)\Common Files\Portrait Displays\Shared\DT_startup.exe" -GWY
O4 - HKLM\..\Run: [WMI Helper] "C:\Program Files (x86)\Common Files\Portrait Displays\Plugins\AM\dtWMIHelper.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME (x86)\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\SysWow64\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\SysWow64\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~2\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files (x86)\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Name of App] C:\Program Files (x86)\SAMSUNG\FW LiveUpdate\FWManager.exe r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files (x86)\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Bar] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\xcsnewramo.tmp
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~2\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - ESC Trusted Zone: http://runonce.msn.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1205452258444
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1205452906000
O17 - HKLM\System\CCS\Services\Tcpip\..\{D4DACBA2-6059-4159-B7F3-9298E355FD49}: NameServer = 68.87.73.242,68.87.71.226,68.87.64.196
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files (x86)\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: nnnljgDV - nnnljgDV.dll (file missing)
O23 - Service: Asset Management Daemon - Unknown owner - C:\Program Files (x86)\Common Files\Portrait Displays\Plugins\AM\dtsslsrv.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~2\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~2\AVG\AVG8\avgwdsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe (file missing)
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files (x86)\Common Files\Portrait Displays\Shared\dtsrvc.exe
O23 - Service: Event Log (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: HTTP SSL (HTTPFilter) - Unknown owner - C:\WINDOWS\System32\lsass.exe (file missing)
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files (x86)\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Distributed Transaction Coordinator (MSDTC) - Unknown owner - C:\WINDOWS\system32\msdtc.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files (x86)\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Net Logon (Netlogon) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files (x86)\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NT LM Security Support Provider (NtLmSsp) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\WINDOWS\system32\nvsvc64.exe (file missing)
O23 - Service: Portrait Displays SDK Service (PdiService) - Portrait Displays, Inc. - C:\Program Files (x86)\Common Files\Portrait Displays\Drivers\pdisrvc.exe
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe (file missing)
O23 - Service: IPSEC Services (PolicyAgent) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Protected Storage (ProtectedStorage) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe (file missing)
O23 - Service: Security Accounts Manager (SamSs) - Unknown owner - C:\WINDOWS\system32\lsass.exe (file missing)
O23 - Service: Virtual Disk Service (vds) - Unknown owner - C:\WINDOWS\System32\vds.exe (file missing)
O23 - Service: Volume Shadow Copy (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe (file missing)
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe (file missing)

--
End of file - 8634 bytes

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}]
AVG Safe Search - C:\Program Files (x86)\AVG\AVG8\avgssie.dll [2008-08-30 455960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"=C:\Program Files (x86)\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]
"PivotSoftware"=C:\Program Files (x86)\Portrait Displays\Pivot Software\wpctrl.exe [2007-02-09 694008]
"DT GWY"=C:\Program Files (x86)\Common Files\Portrait Displays\Shared\DT_startup.exe [2008-06-25 81920]
"WMI Helper"=C:\Program Files (x86)\Common Files\Portrait Displays\Plugins\AM\dtWMIHelper.exe [2008-06-25 176128]
"IMJPMIG8.1"=C:\WINDOWS\IME (x86)\imjp8_1\IMJPMIG.EXE [2007-02-18 107520]
"PHIME2002ASync"=C:\WINDOWS\SysWow64\IME\TINTLGNT\TINTSETP.EXE [2007-02-18 455168]
"PHIME2002A"=C:\WINDOWS\SysWow64\IME\TINTLGNT\TINTSETP.EXE [2007-02-18 455168]
"AVG8_TRAY"=C:\PROGRA~2\AVG\AVG8\avgtray.exe [2008-11-27 1261336]
"iTunesHelper"=C:\Program Files (x86)\iTunes\iTunesHelper.exe [2008-03-30 267048]
"Name of App"=C:\Program Files (x86)\SAMSUNG\FW LiveUpdate\FWManager.exe [2008-07-07 675935]
"QuickTime Task"=C:\Program Files (x86)\QuickTime\qttask.exe [2008-03-28 413696]
"Bar"=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\xcsnewramo.tmp []

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"=C:\Program Files (x86)\Common Files\Ahead\Lib\NMBgMonitor.exe [2007-06-01 153136]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2007-02-18 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\nnnljgDV]
nnnljgDV.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\EFS]
C:\WINDOWS\system32\sclgntfy.dll [2007-02-18 19968]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Edited by IT newb, 05 December 2008 - 08:15 PM.


BC AdBot (Login to Remove)

 


#2 sundavis

sundavis

  • Malware Response Team
  • 2,708 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Local time:10:41 AM

Posted 15 December 2008 - 11:28 PM

Hi,

Welcome to BleepingComputer HijackThis Logs and Malware Removal, IT newb. :thumbsup:
My name is sundavis, I will be helping you to deal with your Malware problems today.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times. and we are trying our best to keep up.
If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, then please do the following.
The log you presented had been a few days away. It may not show what it is. In the meantime, please refrain from making any changes to your computer. and please do in the following:
You should delete the old RSIT version and download a new one since it updates quickly. Before running RSIT, please delete the folder C:\rsit. Thanks.
  • Download random's system information tool (RSIT) by random/random from here and save it to your desktop.
  • Double click on RSIT.exe to run RSIT.
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)
If no joy whatsoever, please try this instead:

Please go to Here and Download System Repair Engine by smallfrogs
  • Extract it to Desktop & double click SREng.exe to run it
  • Select 'Smart Scan' & tick "Verify the digital signature of process modules"
  • Click on the Scan button
  • Before scanning the computer, Close all browsers and other programs except SREng.
  • When finished, click on the Save Reports button & save the log to Desktop
You can refer to this thread for your reference.


In your next reply, please post back

1.RSIT log.txt and info.txt. Thanks.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users