So I've had quite a few problems with my computer recently, it started when random ads would pop up using iexplorer, even though I always use Firefox and never had iexplorer opened, when this was going on, iexplorer.exe would still run in my task manager even though I had closed all the windows, and would be running in the background on startup. Then my computer started freezing a lot, not restarting, not starting at all...etc
I also found 3 foreign .exe files in my task manager, one of which was prunnet.exe (can't remember the other 2) and found them in C:/WINDOWS/system32 and deleted all three, this seemed to stop the freezing but the pop ups still happened (along with random sound clips), I then found 'RON ads by agadoo' in my control panel and uninstalled that which stopped the ads.
This was all in the last week and ever since then my internet is extremely slow, and whenever I do a search on google or yahoo, when I click on a normal result link I always get redirected to random pages (and this happens for any link result, I could search for google and click on the link for google.com and end up on some church site...), this doesn't happen if I copy paste the URL from the search results and just go to the site. (Also if I do a search after just restarting my computer I can get to the correct page, but after a minute or two the redirecting starts)
One more thing is that ever since this started my spybot S&D will not run, if I click on it, it runs in my task manager but does nothing, and McAfee can't find anything else wrong.
I know this is a lot but if anyone has any ideas on how to fix my problems that would be greatly appreciated!!!
I had the same problem. Been searching forever for a solution. Apparently I found one and miraculously it worked. Refer to the link below for more info. Hope it helps.
http://forums.cnet.com/5208-10149_102-0.html?forumID=7&threadID=95901&messageID=1087631
I just got hit with this one. Fortunately I was able to completely remove it. First of all, I immediately stopped what I was doing when the very first pop up hit. I checked the task manager and noticed the prunnet.exe, along with several .tmp processes. A search revealed the exe file in system32, and I noticed the created date was within minutes. Just killing it won't work, as it starts right up again, even if you delete its entries in the "Run" key in the registry. I noticed several other things too, it installs itself in the add/remove programs list as "advertisement service". There is also an accompanying "gadcom.exe" in the users profile under either local settings or application data. Finally, it puts several dlls in the system32 folder. Here is the method I used to remove it.
I used a tool called BartPE to remove everything. You can find more info at http://www.nu2.nu/pebuilder/ It allows you to boot from a CD and access the file system.
First step: Start>Run and type regedit to get to the registry. Be very careful. You can do a lot of damage to your computer here. I recommend backing up the registry. Then, go to hkey_local_machine>software>microsoft>windows>current_version>run. Under this key delete the strings that contain prunnet, gadcom and any rundlls.
Second step: Search in explorer for prunnet. It should be in system32. There are several accompanying dlls, so sort by date created, and look for the ones created at the same time as prunnet. For me there were 6 of them with names consisting of completely random characters. Write these down. There was also a batch file associated with one of the dlls.
Third step: Restart and boot to the BartPE cd (I did a cold shutdown to make sure all the files I was going after were frozen.) Now I did several things.
1) Using the file manager, search for the dlls from before. Delete them all, along with any .bat files of the same name, if any.
2) Search for prunnet, and delete it.
3) Delete all of the contents in the folder c:\windows\prefetch
4) Go to the users profile in Documents and settings. Search for gadcom, and delete it.
5) In the users profile, delete all of the contents of Local Settings\Temp.
This should be enough to kill it. When you reboot, go back into the registry and search for prunnet, and gadcom, deleting any instances of them. Also in add/remove programs, remove advertising service if it is still there, and confirm that you want to remove it from the list. This was enough to completely remove it for me.
Jim: I just got hit as well by the Prunnet.exe virus, and found your post by searching Google. I'm having a problem following your solution using PE Builder, and here's why.
1. I live in the US and purchased my computer new in 2002 from Gateway. Windows XP came pre-installed, and I did not get the original Windows XP CD with the computer. Instead, they sent a Gateway CD that says "Operating System (Windows XP - Home Edition)". However, this apparently is not what PE Builder requires to create a bootable CD, since PE Builder says it finds 0 valid source locations, even though this Gateway CD is in the drive. When I insert this CD into a drive, however, it autoruns, and a window comes up that says Welcome to Microsoft Windows XP, with the following choices: 1) Install Windows XP, 2) Install Optional Windows Components, 3) Perform Additional Tasks, 4) Check System Compatibility. So, it SEEMS that it has Windows XP on it, but PE Builder is not recognizing it as a valid source.
2. Just for fun, I clicked on the Install Windows XP option on the Gateway CD, and I get a message that says "Setup cannot continue because the version of Windows on your computer is newer than the version on the CD". This is because I bought the computer 6 years ago, and several updates to the XP service packs have been done over the years. So, even if I were able to create a bootable CD with PE Builder, it would be an outdated version of what my computer is running right now.
Do you have any suggestions on how I can proceed, if at all, to get rid of this pain in the *ss virus? I have Avast Anti-Virus installed, and it was running when I picked up the virus, so I don't know why it didn't prevent it. I've also run a full Avast scan (as well as a full Ad-Aware scan) since getting it, and even though they find and "delete" the virus, I'm still finding prunnet.exe and the dll's running in my task manager.
Thank you.
Shawn Good
Vundo aka virtumonde... running windows xp sp3
I used a combination of Jim's info and some innovation. I had a BartPE cd handy, did what Jim said to do -- this killed the popups, but my auto updates (windows, symantec, etc) were still being blocked by the virus. I asked an IT guy from my company about it, and he said to download malwarebytes. I did so, but I installed it to a THUMBDRIVE, instead of my system (C) drive. This made all the difference in the world - I could run the anti-malware from the thumbdrive without the virus detecting my connection to definition updates and so on - it ran, found something like 64 infected files, and quarantined them. I rebooted and found that I COULD update my symantec antivirus software, and ran it and the anti-malware one more time to make sure.
Here's the logfile hoping it helps.
Malwarebytes' Anti-Malware 1.31
Database version: 1597
Windows 5.1.2600 Service Pack 3
1/2/2009 2:39:16 PM
mbam-log-2009-01-02 (14-39-14).txt
Scan type: Quick Scan
Objects scanned: 57214
Time elapsed: 3 minute(s), 10 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 42
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 20
I got prunnet.exe at work yesterday and spent the first hour investigating all the processes running in Task Manager while also running a full scan with Symantec Antivirus. I aborted that scan when I came upon this post and immediately downloaded Malwarebytes. In only one more hour and two quick scans with Malwarebytes 43 trojans were detected and removed.
Thank you SO MUCH, cnet community!
Chadwick ~avid Buzz Out Loud listener
Got prunnet.exe on 4 yr old Gateway Laptop (Win XP Home).
Classic symptoms. Bogus links in browser. Can't update Symantec AV. etc.
Postings here very helpful.
Currently running Malwarebytes on infected machine, though I'm running from C drive. Tic, tic, tic... running for 54 mins. Has found 23 infected objects already. Will later try to run from thumb drive as recommended on posts here.
We have two questions:
1. Can anyone tell us if between scans we can *safely* copy data files (MS-Word files we're most concerned about, though jpg and mp3 also would be nice) to a flash drive?
2. This is the first time we've ever been hit with this type of thing. We run Symantec and ZoneAlarm. Does anyone know how we might have gotten this thing? We only surf to professional sites, Netflix, and news sites for the most part, we don't open unknown e-mail attachments etc. How is this thing getting through?
You should have no problem making a backup, just as long as you manually copy. Do not use a backup utility because it will bring Prunnet with everything else.
You can save anything that you wish, just consider the flash drive infected until you do a scan on a machine that is not infected. Repeat the process as much as you like and fix the Gateway knowing your files are safe.
When you were infected with prunnet.exe, were you still able to visit any anti-viral sites such as Trend Micro or Symantec? It seems whenever I try to go to a site that contains any brand named anti-viral programs I am redirected somewhere else, either towards an ad site or simply the page doesn't load.
Can anyone help me with this? =/ I got the prunnet.exe like 3 hours ago.. and have been racking my brain over what to do.
I am sorry to say this but if you have had this issue for a few days already your system may already be too far gone for the regular pc user to fix. I would suggest going to a computer shop but they would more than likely just ghost your machine which would ultimately mean all or some of your work information on your computer would be lost. I took the other road and went to Cyber defender and for a nominal fee they remote accessed my machine and fixed the issue. I would strongly suggest this route because the longer you wait the more corrupt your machine will ultimately get until it no longer works and THEN you will need a whole new hard drive.
Actually, two days ago I downloaded and ran Malwarebytes as Vundokiller suggested. It found 27 trojans and viruses, quarantined and/or deleted most of them, then deleted the rest of them upon reboot, and everything seems to be fine. I've done 2 full scans since (with malwarebytes and Avast), each of which took more than 6 hours apiece, and no problems have been encountered. Seems to be cleared up.
Thanks !
I'm glad we can kill these things. I have had no issues since I ran the malwarebytes as well. Everything updates like normal. I know the trojan came from OKCupid as a drive-by infection they have had for a while. Thanks for reposting the result!
I just got rid of it, really annoying. I used Malwarebytes recommended on here (which was amazing as Norton internet security & antivirus didn't detect at all, even though it had the latest update) - last time I use NAV, gonna switch to just a firewall & malwarebytes.
I used a full system malwarebytes scan, cleaned everything, restarted - ran a second scan, there was quite a lot of stuff still existing as it reboots on start up - so I turned System Restore OFF then ran a scan again and malwarebytes said it would delete infected files on boot up as these files are meant to reboot themselves on start up - pretty nifty
and so far so good!
Also had it not been for Forum discussion like this I would have not resolved the problem - it's great that threads like this exist - Please contribute your experiences and help others
(I just created an account right now to post my experience, hope it helps)
I am working on this virus now, what a pain in my arse. I would like to offer that a lot of this can be done by booting into safe mode rather than using bartPE. Press F8 during boot up and select safe mode with networking. This lets you do web research while working on the issue. Also, I find the Sysinternals tool "autoruns" extremely valuable. The first thing to do is look for entries that have no publisher. Search any suspicious entries on the web (that's how I found this forum about prunnet). From autoruns you can either disable or delete entries. Prunnet showed up with 3 different entries in my various run locations. Thanks for the tip about malware. When I am all done with my current process I will spin that as well.
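The checks described in the posts above (files created within minutes of prunnet.exe in the same folder, Run entries that name them or rundll32, and entries with no publisher) can be scripted as a read-only listing. This PowerShell example is added here and is not from any poster in the thread; the parameter names, the five-minute window and the inclusion of the HKCU Run key are assumptions.

```powershell
# Added example: read-only triage; nothing is deleted or modified.
param(
    [Parameter(Mandatory = $true)][string]$KnownBad,  # path of the file already identified as bad
    [int]$WindowMinutes = 5                           # assumed window around its creation time
)

$ref    = Get-Item -LiteralPath $KnownBad -Force
$window = [TimeSpan]::FromMinutes($WindowMinutes)

# 1) Files in the same folder created within the window of the known-bad file,
#    with their Authenticode status (a rough stand-in for the "no publisher" check).
$siblings = @(Get-ChildItem -LiteralPath $ref.DirectoryName -File -Force |
    Where-Object { ($_.CreationTime - $ref.CreationTime).Duration() -le $window } |
    Sort-Object CreationTime |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Created = $_.CreationTime
            Name    = $_.Name
            Signed  = ($sig -and $sig.Status -eq 'Valid')
            Signer  = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    })

# 2) Run-key values whose data names one of those files or launches rundll32.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$names = @($siblings | ForEach-Object { $_.Name })

$runHits = foreach ($key in $runKeys) {
    $item = Get-Item -LiteralPath $key -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    foreach ($valueName in $item.GetValueNames()) {
        $data  = [string]$item.GetValue($valueName)
        # Plain substring match, so odd characters in file names are not treated as wildcards.
        $match = $names | Where-Object {
            $data.IndexOf($_, [StringComparison]::OrdinalIgnoreCase) -ge 0
        } | Select-Object -First 1
        if ($match -or $data -match 'rundll32') {
            [pscustomobject]@{ Key = $key; Value = $valueName; Data = $data; MatchedFile = $match }
        }
    }
}

# Review both listings by hand before removing anything.
$siblings | Format-Table -AutoSize
$runHits  | Format-List
```

The HKCU listing reflects the account that runs the script, so it should be run as the affected user.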