Recurring virus problem


  • This topic is locked
6 replies to this topic

#1 biorox

biorox

  • Members
  • 8 posts
  • OFFLINE
  • Local time:03:38 AM

Posted 12 May 2011 - 06:14 PM

Had an earlier problem which was seemingly resolved here:
http://www.bleepingcomputer.com/forums/topic394978.html/page__p__2229964__hl__%22problem+with+viruses%22__fromsearch__1#entry2229964

Now when I scan with Hitman Pro it again starts telling me that the file "plustabp.dll" is infected (I cannot find this file anywhere on my computer) and identifies it as "Trojan.Win32.Priminay!IK". It is not able to remove it upon reboot and it keeps reappearing.

Malwarebytes did not detect this, it instead found 9 viruses which I had no idea how they got there. Here is the log I saved before it removed them, just in case.

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6563

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

12/05/2011 8:57:26 AM
mbamlog

Scan type: Quick scan
Objects scanned: 251723
Time elapsed: 13 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\GHWAUC6NNZ (Trojan.FakeAlert.SA) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\ICS5R7Y0OS (Trojan.FakeAlert.SA) -> No action taken.

Registry Values Infected:
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GHWAUC6NNZ (Trojan.FakeAlert.SA) -> Value: GHWAUC6NNZ -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Mike.VANCOUVER-11\Local Settings\Application Data\ykh.exe" -a "iexplore.exe) Good: (iexplore.exe) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\Tasks\{810401e2-dde0-454e-b0e2-aa89c9e5967c}.job (Trojan.FraudPack) -> No action taken.
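The log above has a regular structure (summary counts, then one section per category, each item as `path (Detection) -> ... -> action`). As an added example, not part of the original post or of Malwarebytes itself, the following Python parser reads that format and answers the questions a helper asks first: were the items actually removed (the trailing `No action taken.`), do the declared counts match the listed items, which registry data was compared against a known-good value (`Bad:`/`Good:`), and which entries are relaunch mechanisms (file-type hijack, `Run` key, scheduled task) that explain why an infection keeps coming back after a reboot. The sample text is copied from the first post's log; the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the summary and item lines from the Malwarebytes log
# posted in the first message of this thread (paths and detections as shown there).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6563

Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 4
Folders Infected: 0
Files Infected: 1

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\GHWAUC6NNZ (Trojan.FakeAlert.SA) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\ICS5R7Y0OS (Trojan.FakeAlert.SA) -> No action taken.

Registry Values Infected:
HKEY_CLASSES_ROOT\.exe\shell\open\command\(default) (Hijack.ExeFile) -> Value: (default) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GHWAUC6NNZ (Trojan.FakeAlert.SA) -> Value: GHWAUC6NNZ -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Mike.VANCOUVER-11\Local Settings\Application Data\ykh.exe" -a "iexplore.exe) Good: (iexplore.exe) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (PUM.Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\Tasks\{810401e2-dde0-454e-b0e2-aa89c9e5967c}.job (Trojan.FraudPack) -> No action taken.
"""

COUNT_RE = re.compile(r"^(?P<name>[A-Za-z ]+Infected): (?P<n>\d+)$")
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+Infected):$")
# path, then the first " (Detection) -> ", then whatever follows (value, Bad/Good, action)
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<rest>.+)$")
BADGOOD_RE = re.compile(r"^Bad: \((?P<bad>.*)\) Good: \((?P<good>.*)\) -> ")


def parse_mbam_log(text):
    """Return {'counts': declared per-section counts, 'items': section -> list of entries}."""
    counts, items, section = {}, defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            section = None          # a blank line closes the current section
            continue
        m = COUNT_RE.match(line)
        if m:
            counts[m["name"]] = int(m["n"])
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m["name"]
            continue
        if section is None or line.startswith("(No malicious"):
            continue
        m = ITEM_RE.match(line)
        if not m:
            continue                # tolerate lines we do not recognise
        rest = m["rest"]
        entry = {"section": section, "path": m["path"], "detection": m["detection"],
                 "action": rest.rsplit(" -> ", 1)[-1]}   # last arrow segment is the action
        bg = BADGOOD_RE.match(rest)
        if bg:
            entry["bad"], entry["good"] = bg["bad"], bg["good"]
        items[section].append(entry)
    return {"counts": counts, "items": dict(items)}


def pending_items(report):
    """Entries still marked 'No action taken.' (a log saved before 'Remove Selected')."""
    return [e for sec in report["items"].values() for e in sec if e["action"] == "No action taken."]


def count_mismatches(report):
    """Sections whose declared count differs from the number of items listed."""
    found = {name: len(lst) for name, lst in report["items"].items()}
    return {name: (n, found.get(name, 0)) for name, n in report["counts"].items()
            if n != found.get(name, 0)}


def baseline_deviations(report):
    """(path, bad, good) for registry data the scanner compared with a known-good value."""
    return [(e["path"], e["bad"], e["good"]) for sec in report["items"].values() for e in sec if "bad" in e]


def persistence_items(report):
    """Relaunch mechanisms: file-type/browser hijacks, Run keys and scheduled tasks."""
    out = []
    for sec in report["items"].values():
        for e in sec:
            p = e["path"].lower()
            if e["detection"].startswith("Hijack.") or "\\run\\" in p or "\\tasks\\" in p:
                out.append(e["path"])
    return out


if __name__ == "__main__":
    rep = parse_mbam_log(SAMPLE_LOG)
    print(len(pending_items(rep)), "items still pending removal")
    for path in persistence_items(rep):
        print("persistence:", path)
```

Run against the posted log this reports nine pending items (the "9 viruses" of the first post), no count mismatches, and four persistence entries. The `.exe\shell\open\command` hijack is the one to watch: every program launch goes through that value, so until it is restored the rogue reinstalls itself on the next start, which matches the "keeps reappearing" symptom.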

#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,176 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:04:38 AM

Posted 12 May 2011 - 08:53 PM

Hello, Did you save the log before selecting "Remove Selected", as this is in the log? No action taken.

Common Path: C:\Windows\System32\dllcache\plustab.dll


Let's run these now and see how it is after.

Run TFC by OT (Temp File Cleaner)
Please download TFC by Old Timer and save it to your desktop.
alternate download link

Save any unsaved work. TFC will close ALL open programs including your browser!
Double-click on TFC.exe to run it. If you are using Vista, right-click on the file and choose Run As Administrator.
Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.


I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Under scan settings, check Posted Image and check Remove found threats
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image



Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates, when done
click Scanner tab, select Quick scan and scan (normal mode).
After scan click Remove Selected, post new scan log and reboot into normal mode.

Please ask any needed questions, post logs and let us know how the PC is running now.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 biorox

biorox
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:03:38 AM

Posted 14 May 2011 - 07:30 PM

Yes, I did remove the viruses after I made the log.

The file that Hitman Pro was detecting was "plustabp.dll" not "plustab.dll".

I already had ESET Scan on my computer, so I didn't need to install it.
Here's the ESET log:

C:\Documents and Settings\Mike.VANCOUVER-11\My Documents\Downloads\cdbxp_setup_4.3.8.2523.exe Win32/OpenCandy application deleted - quarantined

(Wow pretty small)
MBAM log:

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6580

Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.2180

14/05/2011 10:20:44 AM
mbam-log-2011-05-14 (10-20-44).txt

Scan type: Quick scan
Objects scanned: 251553
Time elapsed: 5 minute(s), 26 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


I scanned again in Hitman Pro. This time it detected "plustabp.dll" not as a trojan but as malware, and when I expanded it said

Gen:Variant.Vundo.13 (Engine-A)
High Risk Cloaked Malware
Trojan.Win32.Pirminay!IK

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,176 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:04:38 AM

Posted 14 May 2011 - 08:49 PM

I scanned again in Hitman Pro. This time it detected "plustabp.dll" not as a trojan but as malware, and when I expanded it said

Gen:Variant.Vundo.13 (Engine-A)
High Risk Cloaked Malware
Trojan.Win32.Pirminay!IK

It doesn't tell you where it is?? Like the others
C:\Documents and Settings\Mike.VANCOUVER-11\My Documents\Downloads\cdbxp_setup_4.3.8.2523.exe Win32/OpenCandy application deleted
I think it's a false positive and if we can find it we can double check it.

ESET would call this a variant of Win32/Kryptik.NDC
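The reply above asks where the reported file actually lives so it can be checked independently. As an added example, not code from the original thread or from any of the tools it mentions, this Python script searches given roots for a file name case-insensitively and records each hit's size and SHA-256, which is what you would submit to a vendor or look up to settle a false-positive question. The file name and directory layout in `build_demo_tree` are a constructed fixture (a plain-text placeholder, not a DLL) so the script runs offline; on a real machine you would pass `["C:\\"]` or the `dllcache` directory named earlier in the thread.

```python
import hashlib
import os
import tempfile


def sha256_of(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_file(name, roots):
    """Case-insensitive search for files called `name` under each root.

    Returns a list of dicts with path, size and sha256. Directories that cannot
    be read are skipped rather than aborting the walk; a file that disappears or
    cannot be opened is still reported, with size/sha256 set to None.
    """
    wanted = name.lower()
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root, onerror=lambda err: None):
            for fn in files:
                if fn.lower() != wanted:
                    continue
                p = os.path.join(dirpath, fn)
                try:
                    hits.append({"path": p, "size": os.path.getsize(p), "sha256": sha256_of(p)})
                except OSError:
                    hits.append({"path": p, "size": None, "sha256": None})
    return hits


def build_demo_tree():
    """Constructed fixture: a throwaway directory holding a decoy file with the
    reported name (mixed case, plain text, not a real DLL) plus an unrelated file.
    Returns (root, expected sha256, expected size)."""
    root = tempfile.mkdtemp(prefix="find_demo_")
    cache = os.path.join(root, "WINDOWS", "system32", "dllcache")
    os.makedirs(cache)
    content = b"constructed placeholder for the example, not a real DLL\n"
    with open(os.path.join(cache, "PlusTabP.DLL"), "wb") as f:
        f.write(content)
    with open(os.path.join(root, "WINDOWS", "other.txt"), "wb") as f:
        f.write(b"unrelated\n")
    return root, hashlib.sha256(content).hexdigest(), len(content)


if __name__ == "__main__":
    demo_root, _, _ = build_demo_tree()
    for hit in find_file("plustabp.dll", [demo_root]):
        print(hit["path"], hit["size"], hit["sha256"])
```

A walk like this runs in user mode, so it only sees what the operating system shows it; if a scanner labels the file "cloaked", a rootkit may be hiding it from exactly this kind of listing, which is why the next step in the thread is a deeper look with DDS and GMER rather than more searching.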

#5 biorox

biorox
  • Topic Starter

  • Members
  • 8 posts
  • OFFLINE
  • Local time:03:38 AM

Posted 15 May 2011 - 12:53 AM

No it doesn't tell me where it is, but it keeps reappearing every time and it isn't able to delete it on reboot.

I also think the one found in ESET was a false positive, that was the installer for a cd burning program, I don't think that was a virus.

I'm not noticing that anything in particular is happening to my computer, except that it was acting slightly erratically several days ago and I'm also getting a slightly increased number of viruses.

#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,176 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:04:38 AM

Posted 15 May 2011 - 12:12 PM

Hmmm, I think we should get a deeper look as there may be a protected malware here.

Please go here....
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If Gmer won't run, skip it and move on.
Let me know if that went well.

#7 hamluis

hamluis

    Moderator


  • Moderator
  • 55,726 posts
  • OFFLINE
  • Gender:Male
  • Location:Killeen, TX
  • Local time:03:38 AM

Posted 19 May 2011 - 10:31 AM

Closed, new topic created at http://www.bleepingcomputer.com/forums/topic398212.html/page__p__2254083#entry2254083 .

Louis



