Author Topic: [Resolved] Cmd,Regedit don't work AND Internet Explorer redirected  (Read 14829 times)

Offline Hoov

  • Malware Removal Mentors
  • Administrator
  • Diamond Member
  • Posts: 27147
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Re: [In Progress] Cmd,Regedit don't work AND Internet Explorer redirected
« Reply #15 on: April 09, 2009, 01:10:48 PM »
Do you know how to use Regedit? If you do, you can check to see if any one of these three entries is there.

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\prunnet<System>\prunnet.exe

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\prunnet<System>\prunnet.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet

If none of them are there, then I wouldn't worry about it. Spybot does a good job of removing malware. If it can't uninstall something, it will tell you.

Former Consumer Security MVP
2011-2014

If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!

Offline adf1962

  • Bronze Member
  • Posts: 67
Re: [In Progress] Cmd,Regedit don't work AND Internet Explorer redirected
« Reply #16 on: April 09, 2009, 08:17:42 PM »
I found

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\prunnet<System>\prunnet.exe

Do I just remove it?  Can I still run SP3?

ADF

Offline Hoov

Re: [In Progress] Cmd,Regedit don't work AND Internet Explorer redirected
« Reply #17 on: April 09, 2009, 08:52:18 PM »
Delete it, and go ahead and do the update.


Offline adf1962

Re: [In Progress] Cmd,Regedit don't work AND Internet Explorer redirected
« Reply #18 on: April 09, 2009, 10:44:09 PM »
Almost there.

I ran the SP3 update as well as the one for the Genuine Authentication.  Went well.

I ran Spybot a few times but the prunnet still hangs around.  If I run it in Safe Mode, it deletes it fine.  No registry entries whatsoever . . BUT when I go back to Normal Mode, it still shows up.

It's the only problem left.  Thanks to ComboFix, everything else is pretty much back to normal.

If possible, I'd really like some advice on getting rid of prunnet since I hear it can be pretty nasty.

ADF

Offline Hoov

Re: [In Progress] Cmd,Regedit don't work AND Internet Explorer redirected
« Reply #19 on: April 10, 2009, 10:00:33 AM »
Do you have TeaTimer running? If so, try the following instructions.

To reset TeaTimer so that it does not remember any previous entries:

   1. Edit the entries that TeaTimer uses to automatically "Allow" or "Deny" changes that were based on the use of "Remember this decision" as follows:

          * Right click on the TeaTimer system tray icon and select Settings. This will bring up TeaTimer's "White & Black List". There are four (4) Buttons across the top of the "White & Black List":
                o Allowed processes
                o Blocked processes
                o Allowed registry changes
                o Blocked registry changes

                  Note: If you don't see all four buttons, try expanding the window to the right.

          * The entries that you should review are in "Allowed registry changes" and "Blocked registry changes". You can delete entries by clicking on the scripted black "X" to the right of the entry that you want to delete and then clicking the "OK" button when you're done. This will in effect make TeaTimer forget what you told it to remember, so that during future changes to these items TeaTimer will issue a pop-up dialog rather than just a notification pop-up.

   2. Reset TeaTimer's snapshot files:

          * TeaTimer takes snapshots of Registry entries and compares these with the Registry at startup. Until these snapshots are updated you are likely to get pop-ups (at startup) of changes you made in the past. In other words, TeaTimer attempts to return the Registry to the state it was in when the snapshot was taken. This happens primarily when you reboot the system. To refresh TeaTimer's snapshot files:
                o Right click Spybot's TeaTimer System Tray Icon > click Exit Spybot-S&D Resident.
                      + TeaTimer closes.
                      + TeaTimer's snapshot files are refreshed at this time.
                o Restart TeaTimer:
                      + Using Windows Explorer, navigate to C:\Program Files\Spybot - Search & Destroy.
                      + Double click TeaTimer.exe to start it.

Before you restart TeaTimer, run a full scan with Spybot and remove the infections. Then restart TeaTimer. After that, reboot Windows and then run a full scan again. See if the prunnet entry comes back.


Offline adf1962

Re: [In Progress] Cmd,Regedit don't work AND Internet Explorer redirected
« Reply #20 on: April 10, 2009, 10:40:01 AM »
I do have TeaTimer.

In the Allow Registry Changes I have MRT.exe.

In the Block Registry Changes I have the following:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\prunnet=
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\prunnet=

I'm assuming you don't want me to click the "X" for the Blocked Registry Changes since you do want them blocked.  Correct?

I will disable TeaTimer and run a full scan.

ADF

Offline Hoov

Re: [In Progress] Cmd,Regedit don't work AND Internet Explorer redirected
« Reply #21 on: April 10, 2009, 10:41:27 AM »
You are correct. It is restoring the registry entries after you delete them.


Offline adf1962

Re: [In Progress] Cmd,Regedit don't work AND Internet Explorer redirected
« Reply #22 on: April 10, 2009, 11:27:49 AM »
Didn't work.

The copy of prunnet giving us problems is in

HKEY_USERS\S-1-5-21-3860373334-2885350956-181780697-1006\Software\Microsoft\Windows\CurrentVersion\Run

Even after I've deleted it from the registry, it comes back.

How can I add this to TeaTimer?

ADF

Offline Hoov

Re: [In Progress] Cmd,Regedit don't work AND Internet Explorer redirected
« Reply #23 on: April 10, 2009, 03:34:07 PM »
Do a search on your entire hard drive for prunnet with no extension. Delete anything named prunnet that is found. Then turn off your computer, not just reboot it. Then start it back up again and run a full scan with Malwarebytes' Anti-Malware after updating it, and then with Spybot. Post the log from Malwarebytes' Anti-Malware and let me know how Spybot ran. Then reboot and see if the registry entry comes back.


Offline adf1962

Re: [In Progress] Cmd,Regedit don't work AND Internet Explorer redirected
« Reply #24 on: April 10, 2009, 07:08:21 PM »
I know exactly where the prun.exe is located. In a Temp folder under Local Settings. This is according to the Registry as well as Spybot.

However, when I go looking for it, it's not there. My folders say to show hidden files but that doesn't help.

Whether I go in through Safe Mode or Safe Mode with Prompt, nothing can see this file.

Should I be running MBAM and Spybot in Safe Mode? Do I need to disable Symantec when these are running?

Anything else I should try?

Here is the log from Malwarebytes.

Malwarebytes' Anti-Malware 1.36
Database version: 1963
Windows 5.1.2600 Service Pack 3

4/10/2009 8:33:15 PM
mbam-log-2009-04-10 (20-33-08).txt

Scan type: Full Scan (C:\|F:\|H:\|)
Objects scanned: 242383
Time elapsed: 1 hour(s), 8 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Software\ErrorNukerInstaller.exe (Rogue.Installer) -> No action taken.
F:\Software\ErrorNukerInstaller.exe (Rogue.Installer) -> No action taken.
H:\ErrorNukerInstaller.exe (Rogue.Installer) -> No action taken.

ADF
« Last Edit: April 10, 2009, 07:11:49 PM by adf1962 »

Offline Hoov

Re: [In Progress] Cmd,Regedit don't work AND Internet Explorer redirected
« Reply #25 on: April 10, 2009, 07:59:55 PM »
Go ahead and reboot to safe mode and try running both scans.

Also I have a question, ErrorNukerInstaller.exe? Can I ask why you didn't uninstall this? The company that wrote it has a less than stellar reputation.


Offline adf1962

Re: [In Progress] Cmd,Regedit don't work AND Internet Explorer redirected
« Reply #26 on: April 11, 2009, 01:07:43 AM »
Almost.

It looked promising. I shut down completely and rebooted in Safe Mode. Did an MBAM and Spybot scan, which cleaned prun.exe.

I rebooted in Normal Mode and Spybot started automatically.  It said I was clean.

Shut down and rebooted again and it showed up again.

Will repeat again tomorrow.

ErrorNukerInstaller.exe? Yeah, that was a mistake. Knew nothing of the company but was desperate for a solution. Fortunately, I uninstalled it just as soon as I had installed it. The downloaded exe files were sitting around in a few places though.

Anything else I should try?

ADF

Offline Hoov

Re: [In Progress] Cmd,Regedit don't work AND Internet Explorer redirected
« Reply #27 on: April 11, 2009, 05:43:06 PM »
After you run both scans again, then run CCleaner.

Download and scan with CCleaner
1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation. IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free or Slim versions instead of the Standard Build.
2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"
3. Then select the items you wish to clean up.
In the Windows Tab:
  • Clean all entries in the "Internet Explorer" section except Cookies if you want to keep those.
  • Clean all the entries in the "Windows Explorer" section.
  • Clean all entries in the "System" section.
  • Clean all entries in the "Advanced" section.
  • Clean any others that you choose.
In the Applications Tab:
  • Clean all except cookies in the Firefox/Mozilla section if you use it.
  • Clean all in the Opera section if you use it.
  • Clean Sun Java in the Internet Section.
  • Clean any others that you choose.
4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

Then do the same thing as before. If it comes back then

Please download RunScanner
  • Save it to a folder you create such as C:\Runscanner (this assumes Windows is installed on your C: drive).
  • Launch Runscanner by double-clicking runscanner.exe within the C:\Runscanner folder.
  • Vista users must also click Continue to open Runscanner when prompted by User Account Control (UAC)
  • Check Beginner Mode
  • Click Scan computer
  • You will see a "Runscanner scan in progress" window displayed while Runscanner scans your system.
  • At the conclusion of the scan, save the run file called runscanner.run to your documents folder or directly to the Runscanner folder. This is the file you will need to upload.
  • A runscanner.log file will automatically open in Notepad. Just close the Notepad window, because it is ONLY the runscanner.run file that we are interested in.
  • Next, zip up the runscanner.run file that you just saved.
  • I want you to upload the zipped runscanner.run file as an attachment in your next reply
  • To do that choose "Additional Options" under "Post Reply"
  • Browse to the zipped RUN file location and then click the "Post" button to attach the file.
  • I will review the run file, and then upload it back to you with items marked for deletion.
  • Please await my directions and the returned RUN file, and do not delete anything in the interim


Offline adf1962

Re: [In Progress] Cmd,Regedit don't work AND Internet Explorer redirected
« Reply #28 on: April 12, 2009, 12:15:17 AM »
IRC.crt still infecting.

In Safe Mode

1. Ran CCleaner.  No change.

2. Ran Spybot twice.  Second time confirmed clean.

3. Downloaded and ran CCleaner again.

4.  Logged in Normal Mode. Ran Spybot, confirmed clean.

5.  Checked Registry.  Prun.exe is back.

6. Ran Spybot. prun.exe confirmed back.

7.  Downloaded and ran Runscanner.  See attached zipped file for runscanner.run as requested.
Offline Hoov

Re: [In Progress] Cmd,Regedit don't work AND Internet Explorer redirected
« Reply #29 on: April 12, 2009, 10:31:49 AM »
OK, from that file it is apparent that the file no longer exists; it's just the registry entry. From your HijackThis log you are using Symantec. I need you to disable it from starting. Then run the instructions below. Reboot and see if the registry entry comes back. If it doesn't, set Symantec to start, and reboot and see if the registry entry is back. Let me know what happens.

Now, I want you to fix some autostart items by using the RUN file that I have attached with items marked for deletion:
  • Please download and extract the attached Zip file called runscanner<user name>.zip to your Runscanner folder
  • Open Runscanner in Expert Mode by double-clicking runscanner.exe, checking "Expert" and clicking OK.
  • Click the "Open Run File" button
  • Browse to "runscanner<user name>.run" (the run file you just unzipped) located in the Runscanner folder, and click Open
  • The screen will refresh after the run file loads
  • Click the "Item Fixer" button
  • The items selected to be fixed will be displayed and checked for removal
  • Click "Fix Selected items"
  • Confirm that you want to fix these items by clicking OK in the confirmation dialog box.
  • You will receive a "Done fixing items" message when removal is complete.
  • Reboot
  • Launch Runscanner again, save another .RUN File called runscanner<user name2>.run
  • Zip up runscanner<user name2>.run and attach it to your next reply please.

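The registry checks that run through this thread (the three Run entries Hoov lists in Reply #15, the per-user key under HKEY_USERS\S-1-5-21-... that adf1962 finds in Reply #22, the drive-wide search for prunnet in Reply #23, and the observation in Reply #29 that the file is gone and only the registry value survives) can be done in one pass from PowerShell. The script below is an added example; it is not from the thread and is not part of Spybot, RunScanner or any other tool named here. The function names are my own, and it assumes Windows PowerShell 3.0 or later run from an elevated prompt. It goes a little beyond the thread by also snapshotting the Run entries, so that after you delete a value and reboot you can see exactly which values were re-created.

```powershell
# Added example, not from the thread. Enumerates Run/RunOnce autostart values
# under HKLM, HKCU and every profile loaded under HKEY_USERS, resolves the
# executable each value points to, and flags values whose file is missing on
# disk. Assumes Windows PowerShell 3.0 or later; run it elevated so all hives
# are readable. Function names are mine, not Spybot or RunScanner commands.

# HKEY_USERS has no default PSDrive, so map one (per-user Run keys live there,
# including S-1-5-21-... keys like the one mentioned in the thread).
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

$script:RunSubKeys = @(
    'Software\Microsoft\Windows\CurrentVersion\Run',
    'Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Resolve-CommandPath {
    param([string]$Command)
    # A Run value is a command line: either "quoted path" [args] or path [args].
    # Unquoted paths containing spaces are ambiguous; the first token is used.
    if ($Command -match '^\s*"([^"]+)"') { $path = $Matches[1] }
    else { $path = ($Command.Trim() -split '\s+')[0] }
    if (-not $path) { return $null }
    return [Environment]::ExpandEnvironmentVariables($path)
}

function Get-AutorunEntries {
    # One object per value in each Run/RunOnce key of each hive root.
    $roots = @('HKLM:', 'HKCU:') +
             (Get-ChildItem 'HKU:' | ForEach-Object { "HKU:\$($_.PSChildName)" })
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($root in $roots) {
        foreach ($sub in $script:RunSubKeys) {
            $key = Join-Path $root $sub
            if (-not (Test-Path -LiteralPath $key)) { continue }
            $props = Get-ItemProperty -LiteralPath $key
            foreach ($p in $props.PSObject.Properties) {
                if ($p.Name -in $meta) { continue }   # provider metadata, not registry values
                $cmd = [string]$p.Value
                $exe = Resolve-CommandPath $cmd
                [pscustomobject]@{
                    Key        = $key
                    Name       = $p.Name
                    Command    = $cmd
                    Executable = $exe
                    FileExists = [bool]($exe -and (Test-Path -LiteralPath $exe))
                }
            }
        }
    }
}

function Save-AutorunBaseline {
    param([string]$Path)
    # Snapshot the current entries so a post-reboot run can show what was re-created.
    Get-AutorunEntries | Export-Csv -LiteralPath $Path -NoTypeInformation
}

function Compare-AutorunBaseline {
    param([string]$Path)
    # Entries present now that were not in the baseline. A value that reappears
    # after you deleted it and rebooted means something else is still writing it.
    $seen = Import-Csv -LiteralPath $Path | ForEach-Object { "$($_.Key)|$($_.Name)" }
    Get-AutorunEntries | Where-Object { "$($_.Key)|$($_.Name)" -notin $seen }
}

function Find-FileByName {
    param([string]$Name, [string[]]$Roots = @('C:\'))
    # -Force includes hidden and system files; Explorer's "show hidden files"
    # setting alone does not reveal files marked as protected OS files.
    Get-ChildItem -LiteralPath $Roots -Recurse -Force -Filter "$Name*" -ErrorAction SilentlyContinue
}

# Usage:
# Values whose target file no longer exists on disk (the Reply #29 situation):
Get-AutorunEntries | Where-Object { -not $_.FileExists } | Format-Table Key, Name, Command -AutoSize
# Any value in any hive that mentions prunnet:
Get-AutorunEntries | Where-Object { $_.Name -like '*prunnet*' -or $_.Command -like '*prunnet*' }
# Save-AutorunBaseline -Path "$env:USERPROFILE\autorun-baseline.csv"   # then delete the value and reboot
# Compare-AutorunBaseline -Path "$env:USERPROFILE\autorun-baseline.csv"
# Find-FileByName -Name 'prunnet' -Roots 'C:\' | Select-Object FullName
```

The baseline/compare pair is the part worth keeping around: a Run value that is deleted, survives a scan that reports clean, and is present again after the next reboot is being written by something that still executes at startup or shutdown, which is exactly the symptom adf1962 describes. Listing which hive the value comes back in (HKLM, HKCU, or a specific SID under HKEY_USERS) narrows down whether the writer runs as the system or as the logged-in user.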