
Infected - prunnet.exe among others - Please Help



#1 300ZX_Fan


Posted 22 December 2008 - 04:38 AM

I was surfing the net tonight and picked up something bad. I was using Firefox and noticed that there were a lot of IE explorer screens open. Firefox informed me that the site was a known malware site and I pressed the "get me out of here" button and I also shut down IE using the task manager. I immediately disconnected the ENET cable from my PC. I don't remember the site name, but I remember it said something about Virus Alert, AntiVirus or something like that. There were about 4-5 IE explorer pop-ups open.

My first experience with malware came a couple of years ago when I picked up a nasty Vundo something trojan/rootkit. I ended up re-installing Windows after I got a false charge on one of my credit cards. I thought I would ask for help this time before I resort to reloading the OS again. In attempting to rid my computer of my 1st infection, I became familiar with utilities like HiJack This, Autoruns etc.

History:
1) I was logged on to an administrator account when I was infected. Since I rebooted, I have only logged onto Windows using one of my limited access accounts I had already set up on the PC.
2) When the OS loads on the limited access account, I get an "error opening service manager" notification. Also, I have a cable modem and something is trying to "phone home" because I am getting a "Work Offline, no internet connection available..." dialog box.
3) I am running Windows XP Pro, SP2.
4) I ran HiJack this and Autoruns and I noticed a few entries that are not good:

O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\vtUomjIX.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O20 - Winlogon Notify: vtUomjIX - C:\WINDOWS\SYSTEM32\vtUomjIX.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll (Maybe legit, MS Genuine Advantage?)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll

5) I had MS Windows Messenger disabled, so I'm not sure if those messenger entries are legit.


I wasn't sure where to go or what to do to get help. I wanted to run SDFix and Malwarebytes' Anti-Malware, but I didn't because I don't want to log in as Administrator and allow the trojan/virus to create additional problems. I have not run any antispyware/malware software yet. If someone can help, please let me know how I should proceed.

Thanks in Advance,
300ZX_Fan
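
Added example, not part of either post: a small Python triage pass over HijackThis entries copied from the log excerpt above. It groups load points by file and reports files registered in more than one section and entries whose target is missing; these are prompts for a closer look, not verdicts. The function names are made up for this example.

```python
import re
from collections import defaultdict

# Entries copied from the HijackThis excerpt in the post above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\vtUomjIX.dll
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - Winlogon Notify: vtUomjIX - C:\WINDOWS\SYSTEM32\vtUomjIX.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
"""

# "O<n> - <kind>: <rest>"; the kind never contains a colon.
ENTRY_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
# A drive-letter or %variable% path ending in .exe or .dll.
PATH_RE = re.compile(r'(?:[A-Za-z]:|%\w+%)\\[^"]*?\.(?:exe|dll)', re.I)

def parse_log(text):
    """Return one dict per recognised entry: section, kind, path, missing."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, kind, rest = m.groups()
        p = PATH_RE.search(rest)
        entries.append({
            "section": section,
            "kind": kind,
            "path": p.group(0).lower() if p else None,  # Windows paths ignore case
            "missing": rest.rstrip().endswith("(file missing)"),
        })
    return entries

def triage(entries):
    """Group load points by file; report multi-section files and missing targets."""
    by_path = defaultdict(set)
    for e in entries:
        if e["path"]:
            by_path[e["path"]].add(e["section"])
    multi = {p: sorted(s) for p, s in by_path.items() if len(s) > 1}
    missing = sorted({e["path"] for e in entries if e["missing"] and e["path"]})
    return multi, missing

if __name__ == "__main__":
    multi, missing = triage(parse_log(SAMPLE_LOG))
    for path, sections in multi.items():
        print(f"{path} is loaded from {', '.join(sections)}")
    for path in missing:
        print(f"{path} is referenced but missing")
```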


 


#2 rigel


Posted 22 December 2008 - 04:52 PM

Well, the first thing recommended would be malware scans using the tools you mentioned. If you would like more advanced help using HJT, we need to refer you to the HJT forums.

Please follow this guide completing as many steps as you can and then post an HJT log to the HJT forum. A helper will be with you as soon as possible, but they are currently backed up. If you want to continue here I will be glad to help.

Edited by rigel, 22 December 2008 - 05:43 PM.

"In a world where you can be anything, be yourself." ~ unknown

"Fall in love with someone who deserves your heart. Not someone who plays with it. Will Smith




