Trojan infection and running services
Centurio Nixalsverdrus
09-16-2008, 01:50
Hi,
unfortunately my computer got infected by a Trojan lately. I'm not sure if I got entirely rid of it yet. To my knowledge, the viciousness of most Trojans lies in the fact that they get into your registry to get restarted with every Windows start.
Do you know the following services that get started every time Windows starts? I suspect them to be created by the Trojan.
prun.exe / prunnet. Resided in username/Lokale Einstellungen/Temp/prun.exe
P17Helper. Command from Registry: Rundll32 P17.dll, P17Helper. It's still in the recycle bin because I'm not entirely sure; I think it might be a little program of Creative Soundblaster.
BM215d2bec. Command: Rundll32.exe "C:\windows\system32\ojpfkatv.dll", s
226e1870. Command: Rundll32.exe "C:\windows\system32\dheikmmn.dll", b
Also, I suspect a process called CTSVCCDA.exe. It's in system32 and I'm not sure about it...
I encountered these in the registry. Unfortunately I did not write down the name of each infected file, but no. 4 was definitely detected as infected. I noticed this "prun" thing in the manager and I have never seen it before.
Of course there is always a danger in deleting entries from the registry. The ones left now I definitely know. What do you think? Anything else I should / should not delete?
Thank you very much for your help.
PS: My PC showed definitely very erratic behaviour. Killing these entries stopped it, but now my RTW won't start, and I'm afraid that it's not entirely deleted or that I deleted too much. Thx.
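The four entries above are all Run-key autostarts, so the defender's check is to list those keys and flag the patterns the post describes: a rundll32 loader pulling a DLL out of system32, an executable living under a Temp directory, or a file that is missing or unsigned. This is an added example, not from the thread; it uses only standard PowerShell cmdlets and the Run/RunOnce key paths, and a flag is a prompt to look the file up, not proof of infection.

```powershell
# Autostart keys the poster was editing by hand (added example, not thread code)
$runKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutostartPath {
  param([string]$Command)
  # Resolve the file that actually gets loaded. For rundll32 entries the
  # payload is the DLL argument (e.g. "C:\windows\system32\x.dll", b),
  # not rundll32.exe itself.
  $cmd = [Environment]::ExpandEnvironmentVariables($Command)
  if ($cmd -match '(?i)rundll32(\.exe)?\s+"?([^",]+\.dll)') { return $Matches[2].Trim() }
  if ($cmd -match '^"([^"]+)"') { return $Matches[1] }
  return ($cmd -split '\s+')[0]
}

foreach ($key in $runKeys) {
  if (-not (Test-Path $key)) { continue }
  $props = Get-ItemProperty -Path $key
  foreach ($p in $props.PSObject.Properties) {
    if ($p.Name -like 'PS*') { continue }   # skip the provider's own PSPath etc.
    $cmd   = [string]$p.Value
    $path  = Get-AutostartPath $cmd
    $flags = @()
    if ($cmd  -match '(?i)rundll32') { $flags += 'rundll32 loader' }
    if ($path -match '(?i)\\Temp\\') { $flags += 'runs from Temp' }
    if (Test-Path $path) {
      # Vendor binaries (Creative's P17Helper, for instance) are usually signed;
      # a randomly named, unsigned DLL in system32 deserves a second look.
      $sig = Get-AuthenticodeSignature -FilePath $path
      if ($sig.Status -ne 'Valid') { $flags += "unsigned ($($sig.Status))" }
    } else {
      $flags += 'file missing (orphaned entry)'
    }
    [pscustomobject]@{
      Key = $key; Name = $p.Name; Command = $cmd; Flags = ($flags -join ', ')
    }
  }
}
```

Run it from an elevated prompt before and after cleanup: an entry that survives with "file missing" is the leftover registry reference the poster worried about, and one with "unsigned" plus "rundll32 loader" is the one to submit to a scanner rather than delete by hand.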
CrossLOPER
09-16-2008, 03:03
prun.exe / prunnet. Resided in username/Lokale Einstellungen/Temp/prun.exe
Probable trojan.
P17Helper. Command from Registry: Rundll32 P17.dll, P17Helper It's still in the recycle bin, because
I'm not entirely sure, I think it might be a little program of Creative Soundblaster
Sound related.
BM215d2bec. Command: Rundll32.exe "C:\windows\system32\ojpfkatv.dll", s
Probable critical process.
226e1870. Command: Rundll32.exe "C:\windows\system32\dheikmmn.dll", b
Probable critical process.
Also, I suspect a process called CTSVCCDA.exe. It's in system32 and I'm not sure about it...
Sound related.
What did you delete???
What protection are you using? Never mind. Download and use the following: Ad-Aware (http://lavasoft.com/single/trialpay.php), AVG (http://free.avg.com/ww.download?prd=afe), and Spybot S+D (http://www.safer-networking.org/index2.html). I recommend getting your country's version, but whatever.
Depending on what you deleted, you may have screwed up your registry. It would help to know what it was.
Centurio Nixalsverdrus
09-16-2008, 04:02
So I couldn't start another game and it said "something with sound". So I restored that P17 thing (not in the registry though). Game worked then, but so far I didn't try RTW.
I have nothing to restore now anymore. I know that "dheikmmn.dll" was detected as Trojan. I'm quite sure "ojpfkatv.dll" was too.
I have deleted these four entries in the registry. I wrote the command down so I might restore it. But I have searched my harddrive and deleted those files. But it told me they were Trojan! ~:0
Couple of things. You need a quality virus scanner. Symantec corporate is what I use, but that's probably not available to the average Joe. I've heard good things about the free version of AVG, might give that a go. After you get several clean runs from a virus scanner, you'll want to install all of Microsoft Defender (antispyware), Adaware, and Spybot, run each until they show clean. If your system is still unstable, then you'll need to consider backing up your critical files and reinstalling/reimaging. The problem with modern virii is that quite a few of them are based on rootkits, which are damn near impossible to dislodge without the right tools and expertise. I am an IT security professional, my mantra is once a system's been hit with a rootkit, it gets wiped out and reinstalled after it's been cleaned and backed up.
What he said. Also, download the latest definitions for all of these, disconnect your computer from the interweb, reboot into safe mode, and then run the scans.
Aemilius Paulus
09-17-2008, 04:19
I use Avast! and it's pretty good. I am not sure how AVG compares to Avast, though. Haven't used both of them. If you wish for a better general anti-virus program you might consider buying Kaspersky, which I have read about and heard from my fellow computer geeks/nerds that it is very good. Nevertheless, Spybot Search & Destroy is a must-have for ANY computer. It has detected and removed more infections than any other anti-virus program I had ever had. Also I would recommend getting Windows Defender as well as Ad-Aware. All of the above-mentioned programs are free and can be downloaded off the Internet. I have my own computer and I can say with certainty that it is virus, worm and Trojan free. However, I am not so sure about spyware, since it is often harder to detect and does not usually do direct harm to your OS.
EDIT: for any unfamiliar process, you might want to go to the ProcessLibrary which identifies most of the normal processes, here:
http://www.processlibrary.com/directory/files/
PRUN.EXE:
"If you have a program called prun.exe running on your pc, your computer has potentially been infected with a trojan known as 'irc.critical'.
prun.exe is considered to be a security risk, not only because antivirus programs flag irc.critical trojan as a trojan, but also because other sites consider it a Trojan as well.
irc.critical trojan is likely a Trojan and as such, presents a serious vulnerability which should be fixed immediately! Delaying the removal of prun.exe may cause serious harm to your system and will likely cause a number of problems, loss of data, loss of control or leaking private information."
CTSVCCDA.EXE:
"ctsvccda.exe: this process was authored by Creative Labs, and is usually installed alongside Soundblaster card drivers or some Creative Labs applications. It assists Windows in managing the CD-ROM on Windows 9x and Me systems; however, it has no use on faster CD-ROM drives."
Centurio Nixalsverdrus
09-21-2008, 20:52
Sorry for not posting some days! I installed Spybot and Windows Defender. The processes that I suspected were all created by this Virtumonde trojan, except for P17 Helper which is from Creative. Thank god you get really really professional help on the Spybot forums! And that for free. With their help I (hope I) have already wiped the darn thing out.
Thank you very much for your help guys. :2thumbsup: