TechSpot

Need Help

By Biklar
Dec 31, 2008
  1. OK, I am not sure what's going on with my system but in the last day both IE and Firefox have been bombarded by constant and intermittent popups that contain the address Sagipsul.com. I am a Firefox user by the way.

    -I've noticed that I can no longer go to an earlier restore point

    -I am not able to visit some websites through Google searches as the websites turn up blank

    -My McAfee won't "fix" properly or update itself when it is prompted to do so

    -I now notice that in text online, random words are highlighted and underlined and when I hover over them, they reveal floater popups for advertisements related to that word.

    -I've done a lot of searching around online for any possible NAME to what this virus or infection might be and I don't think I have Vundo because I've searched for the related virus files and nothing shows up. Also tried Vundofix. So it must be something else which prompts this sagipsul.com popup and the other stuff that is going on.

    -I've downloaded Hijackthis, I have Spybot - Search & Destroy, I am currently running a manual scan from my McAfee security center (one without any current updated definitions due to what I mentioned above) and a scan from Malwarebytes.

    Last night, I had to restart my computer several times because it kept crashing at the Windows user login screen. Finally it rebooted and this is what's been going on since then. Before all of this, something tried to download itself earlier last night from rapidshare and then I saw a popup for a virus remover which I was careful to not click on by removing the popup through task manager. But the problems I mentioned above began anyway after this happened.

    What I am curious about is what exactly it is that's infecting my computer this way? I've tried to find a name to put this by doing my own research online but haven't come up with anything that seems to fit yet. However I am noticing a lot of complaints from people in the last couple of days on various forums I've visited pertaining to this issue so it must be some virus that was released recently.

    I am not able to follow the 8 steps completely because some things I am blocked from doing. I've updated Java, gotten and run HijackThis, Malwarebytes and cleaner however. I've also disabled third party cookies.

    I would very much appreciate if anyone has a clue about what's going on and what I can do to solve this maddening problem.

    I'll attach a .txt file as I am having problems copying and pasting my log here due to character limitations and misreading certain log info as links

    Log attached

    Well I seem to have found a name for this virus I have: Prunnet.exe

    it installs various .dll files and just deleting the .exe file and all of its .dlls won't get rid of it. It reinstalls itself. I also found some odd programs located in my add/remove list...first one spotted was "Advertisement Services".

    I am looking at ways I can completely remove this problem off of my computer.
     
  2. BlkHeartWolf

    BlkHeartWolf TS Rookie Posts: 160

    You have it bad, I am checking the log

    Right Click on MyComputer icon and go to properties
    Turn Off system restore
    open IE and go to TOOLS OPTIONS delete temporary internet files and cookies
    do a disk cleanup in your Start/accessories/system tools/ Menu

    After the reboot
    download malwarebytes and install
    run hijackthis and malwarebytes at the same time
    select / CHECK any files and/or keys I posted in hijackthis
    but on both malwarebytes and hijackthis click fix / repair at the same time.
    then reboot immediately.
    if you forget to turn off system restore it will return no matter

    reboot once complete, run hijack this and post your log here again


    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Documents and Settings\Allyson Nicole Jason\Local Settings\Application Data\Google\Update\GoogleUpdate.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3070822
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3070822

    O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\geBtUoOI.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
    O2 - BHO: (no name) - {c6c58a5c-c5fd-43ce-a75d-665cad4518a8} - C:\WINDOWS\system32\botabedu.dll
    O2 - BHO: {de2c7b8e-e9fc-8e2a-e224-7c20caf79f6c} - {c6f97fac-02c7-422e-a2e8-cf9ee8b7c2ed} - C:\WINDOWS\system32\vtgrga.dll
    O2 - BHO: (no name) - {E4EB51B4-8E1F-449C-ADDB-AB17D10BA180} - C:\WINDOWS\system32\opnlJdbc.dll

    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll

    O4 - HKLM\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
    O4 - HKLM\..\Run: [Dwitupij] rundll32.exe "C:\WINDOWS\Czoxuwa.dll",e
    O4 - HKLM\..\Run: [mituvukezo] Rundll32.exe "C:\WINDOWS\system32\bimedufo.dll",s
    O4 - HKLM\..\Run: [7c6aa1a7] rundll32.exe "C:\WINDOWS\system32\kazuvuye.dll",b
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Allyson Nicole Jason\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
    O4 - HKUS\S-1-5-20\..\Run: [mituvukezo] Rundll32.exe "C:\WINDOWS\system32\bimedufo.dll",s (User 'NETWORK SERVICE')

    O8 - Extra context menu item: Copy to Semagic - C:\Program Files\Semagic\copy.htm
    O8 - Extra context menu item: Semagic - C:\Program Files\Semagic\link.htm

    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL vtgrga.dll,C:\WINDOWS\system32\gejiwuvu.dll
    O20 - Winlogon Notify: geBtUoOI - C:\WINDOWS\SYSTEM32\geBtUoOI.dll

    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
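
The HijackThis entries listed in the post above can be pre-sorted for manual review with a few rules. This is an added example, not part of the original post or of HijackThis itself; the rules (unnamed BHOs in the Windows directory, `rundll32` autoruns, any O20 hook, a Run value repeated across hives) are assumed triage hints, not verdicts, and the sample log is constructed from lines in this thread.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of entries copied from the log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\geBtUoOI.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
O4 - HKLM\..\Run: [Dwitupij] rundll32.exe "C:\WINDOWS\Czoxuwa.dll",e
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [prunnet] "C:\WINDOWS\system32\prunnet.exe"
O20 - Winlogon Notify: geBtUoOI - C:\WINDOWS\SYSTEM32\geBtUoOI.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
"""

ENTRY = re.compile(r"^\s*([A-Z]\d+)\s+-\s+(.*)$")            # "O4 - <rest>"
SYS_DLL = re.compile(r'c:\\windows\\(system32\\)?[^\\"]+\.dll', re.I)
RUN = re.compile(r"^(HK\S*)\\\.\.\\Run: \[([^\]]+)\]")       # hive and value name

def triage(log_text):
    """Return (section, reason, detail) tuples for entries worth a closer look."""
    findings, hives = [], defaultdict(set)
    for raw in log_text.splitlines():
        m = ENTRY.match(raw)
        if not m:
            continue
        section, body = m.group(1), m.group(2)
        low = body.lower()
        unnamed = "(no name)" in low or low.startswith("bho: {")
        if section == "O2" and unnamed and SYS_DLL.search(body):
            findings.append((section, "unnamed BHO in Windows directory", raw.strip()))
        elif section == "O4":
            run = RUN.match(body)
            if run:
                hives[run.group(2)].add(run.group(1))
            if "rundll32" in low and SYS_DLL.search(body):
                findings.append((section, "rundll32 autorun of a Windows-dir DLL", raw.strip()))
        elif section == "O20":  # AppInit_DLLs / Winlogon Notify load into many processes
            findings.append((section, "DLL hooked via AppInit/Winlogon", raw.strip()))
    for name, seen in hives.items():
        if len(seen) > 1:  # same autorun name registered under several hives
            findings.append(("O4", "Run value in multiple hives", f"{name} in {', '.join(sorted(seen))}"))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```
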
     
  3. Biklar

    Biklar TS Rookie Topic Starter

    Yesterday was a very long day...but I think the virus/trojan is gone. No more popups, and I had to run Malwarebytes several times. One scan took around 10 hours at first because what turned out to be Vundo slowed down my computer immensely.

    I am curious about one file that McAfee keeps on identifying as a trojan. It is under System Volume Information and the file extension is A0000032.exe. I don't want to restore this file if it's actually a trojan. Sometimes I am not sure about what McAfee labels because a week ago during an update with new virus definitions, the program incorrectly labeled all of my Big Fish Games as trojans and quarantined them as a result. They were inoperable until I restored them. However there is one Big Fish Game that is now connected to that A0000032.exe file I mentioned above, which is weird.

    Is this a legit system restore file or a trojan trying to get back onto my computer and install itself?

    Also thanks for your suggestions earlier. They definitely helped a great deal.
     
  4. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    -> No action taken on MBAM scan, for found issues
    Please re-run Malwarebytes
    Confirm updated (third tab)
    Then do the above quoted message, but this time "Remove all found issues"

    By the way, you will need to then restart, and run (and attach) a new HJT log
     
  5. Biklar

    Biklar TS Rookie Topic Starter

    I'd like to mention if it helps that Malwarebytes has defined some of my Popcap game files as spyware. I left those notifications unchecked and did not remove them because I knew what the files were for.

    I will be running Mbam again and attaching a new log later today. It should take awhile for the scan to complete.
     
  6. kimsland

    kimsland Ex-TechSpotter Posts: 18,353

    Biklar remove all found malicious software, or we cannot help you
    There is no good, or needed malware to keep ever.
     
  7. Biklar

    Biklar TS Rookie Topic Starter

    New logs are attached
     
Topic Status:
Not open for further replies.

