
Spyware.Banker Detected in MBAM Scan




  #41  
Old 17th Apr 2009, 19:53
Member Group
 

Just updated to most recent version and the scan came back clean.
  #42  
Old 17th Apr 2009, 19:56
Moderator Group
 

OK wait 24 hours or so then run a new scan. I have no clue why those were found...again!

  #43  
Old 17th Apr 2009, 20:02
Member Group
 

Yeah I know, it's aggravating. I will post new results tomorrow.
  #44  
Old 18th Apr 2009, 13:00
Member Group
 

Malwarebytes' Anti-Malware 1.36
Database version: 1997
Windows 5.1.2600 Service Pack 3

4/18/2009 3:58:35 PM
mbam-log-2009-04-18 (15-58-35).txt

Scan type: Full Scan (C:\|)
Objects scanned: 194626
Time elapsed: 51 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
  #45  
Old 18th Apr 2009, 13:29
Moderator Group
 

Well hopefully that is the end of it!

  #46  
Old 20th Apr 2009, 12:01
Member Group
 

Oh...my...god. Why does this keep happening???

Malwarebytes' Anti-Malware 1.36
Database version: 1997
Windows 5.1.2600 Service Pack 3

4/20/2009 3:00:28 PM
mbam-log-2009-04-20 (15-00-28).txt

Scan type: Full Scan (C:\|)
Objects scanned: 195056
Time elapsed: 57 minute(s), 49 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brastia (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brastia (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\temp\wpv091240164358.exe (Trojan.Agent) -> Quarantined and deleted successfully.
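
Added example (not part of the original thread, and not code from Malwarebytes): a small parser for the detection sections of an MBAM 1.36 text log like the one above, which pulls out each detection and lists the Run-key autostart values among them. The function names are this example's own, and the sample input is constructed from the 20 Apr 2009 log in this post.

```python
import re

# Constructed sample: detection sections taken from the 20 Apr 2009 log in this thread.
SAMPLE_LOG = r"""Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brastia (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brastia (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\temp\wpv091240164358.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""

SECTION = re.compile(r"^(.+) Infected:\s*$")  # section header; summary lines end in a count
ENTRY = re.compile(r"^(?P<item>.+) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")
AUTORUN = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)

def parse_detections(log_text):
    """Return one dict per detection line, tagged with the section it was listed under."""
    section, found = None, []
    for line in log_text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            section = m.group(1)
            continue
        m = ENTRY.match(line)  # "(No malicious items detected)" does not match
        if section and m:
            found.append({"section": section, **m.groupdict()})
    return found

def autorun_values(detections):
    """Map registry hive -> Run/RunOnce value names found among the detections."""
    result = {}
    for d in detections:
        if d["section"].startswith("Registry") and AUTORUN.search(d["item"]):
            hive, _, rest = d["item"].partition("\\")
            result.setdefault(hive, []).append(rest.rsplit("\\", 1)[1])
    return result

if __name__ == "__main__":
    hits = parse_detections(SAMPLE_LOG)
    for d in hits:
        print(f'{d["section"]:<16} {d["name"]:<18} {d["item"]}')
    print("Autorun values:", autorun_values(hits))
```

Running it over each saved mbam-log file in turn shows whether the same Run value name and dropped file come back between scans.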
  #47  
Old 20th Apr 2009, 12:06
Moderator Group
 

Download the OTMoveIt3 by OldTimer

Note: If you are running on Vista, right-click on OTMoveIt3.exe and choose Run As Administrator.

* Save it to your Desktop.
* Double-click OTMoveIt3.exe to run it.
* Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy)

Code:
:Processes
explorer.exe

:services

:reg
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brastia]
[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brastia]

:files
C:\WINDOWS\temp\wpv091240164358.exe

:Commands
[purity]
[emptytemp]
[start explorer]
* Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
* Click the red Moveit! button.
* Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
* Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot your computer in order to finish the move process. If asked to reboot, choose Yes. If not, reboot anyway.

  #48  
Old 20th Apr 2009, 16:56
Member Group
 

Is there a way to access the results since I restarted? I can't find any sort of folder or anything.



Never mind just found it.

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brastia\\ not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brastia\\ not found.
========== FILES ==========
File/Folder C:\WINDOWS\temp\wpv091240164358.exe not found.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\KEVINY~1\LOCALS~1\Temp\hsperfdata_Kevin Young\1296 scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\KEVINY~1\LOCALS~1\Temp\etilqs_UveTIsZeRsxYeDe2C2GP scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\Kevin Young\Local Settings\Temporary Internet Files\Content.IE5\S9NVDXUV\google_com[4].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Kevin Young\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temp\Perflib_Perfdata_f18.dat scheduled to be deleted on reboot.
Network Service Temp folder emptied.
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_360.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Kevin Young\Local Settings\Application Data\Mozilla\Firefox\Profiles\mn4a3uh9.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Kevin Young\Local Settings\Application Data\Mozilla\Firefox\Profiles\mn4a3uh9.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Kevin Young\Local Settings\Application Data\Mozilla\Firefox\Profiles\mn4a3uh9.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Kevin Young\Local Settings\Application Data\Mozilla\Firefox\Profiles\mn4a3uh9.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Kevin Young\Local Settings\Application Data\Mozilla\Firefox\Profiles\mn4a3uh9.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Kevin Young\Local Settings\Application Data\Mozilla\Firefox\Profiles\mn4a3uh9.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 04202009_153306

Files moved on Reboot...
File C:\DOCUME~1\KEVINY~1\LOCALS~1\Temp\hsperfdata_Kevin Young\1296 not found!
File C:\DOCUME~1\KEVINY~1\LOCALS~1\Temp\etilqs_UveTIsZeRsxYeDe2C2GP not found!
C:\Documents and Settings\Kevin Young\Local Settings\Temporary Internet Files\Content.IE5\S9NVDXUV\google_com[4].htm moved successfully.
File C:\Documents and Settings\NetworkService\Local Settings\Temp\Perflib_Perfdata_f18.dat not found!
File C:\WINDOWS\temp\Perflib_Perfdata_360.dat not found!
C:\Documents and Settings\Kevin Young\Local Settings\Application Data\Mozilla\Firefox\Profiles\mn4a3uh9.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Kevin Young\Local Settings\Application Data\Mozilla\Firefox\Profiles\mn4a3uh9.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Kevin Young\Local Settings\Application Data\Mozilla\Firefox\Profiles\mn4a3uh9.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Kevin Young\Local Settings\Application Data\Mozilla\Firefox\Profiles\mn4a3uh9.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Kevin Young\Local Settings\Application Data\Mozilla\Firefox\Profiles\mn4a3uh9.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\Kevin Young\Local Settings\Application Data\Mozilla\Firefox\Profiles\mn4a3uh9.default\XUL.mfl moved successfully.
  #49  
Old 20th Apr 2009, 17:48
Moderator Group
 

Please download F-Secure Blacklight (fsbl.exe) and save to your C: drive.

  • Open a command window by going to Start > Run and typing: cmd
  • Copy/paste or type the following in the command window: C:fsbl.exe /expert
  • Hit "Enter" to start the program and then close the cmd box.
  • Accept the user agreement and click "Next".
  • Click "Scan".
  • After the scan is complete, click "Next", then "Exit".
  • BlackLight will create a log in C: drive named "fsbl-xxxxxxx.log" (the xxxxxxx will be the date and time of the scan).
  • The log will have a list of all items found. Do not choose to rename any yet!
    I want to see the log first because legitimate items can also be present...like "wbemtest.exe" and "tcptest.exe".
  • Exit Blacklight and post the contents of the log in your next reply.

  #50  
Old 20th Apr 2009, 18:26
Member Group
 

04/20/09 21:04:16 [Info]: BlackLight Engine 2.2.1092 initialized
04/20/09 21:04:16 [Info]: OS: 5.1 build 2600 (Service Pack 3)
04/20/09 21:04:16 [Note]: 7019 4
04/20/09 21:04:16 [Note]: 7005 0
04/20/09 21:04:23 [Note]: 7006 0
04/20/09 21:04:23 [Note]: 7011 516
04/20/09 21:04:23 [Note]: 7035 0
04/20/09 21:04:23 [Note]: 7026 0
04/20/09 21:04:23 [Note]: 7026 0
04/20/09 21:04:32 [Note]: FSRAW library version 1.7.1024
04/20/09 21:24:40 [Note]: 7007 0



I was unable to run the C:fsbl.exe /expert in CMD, I got the error that it was not recognized as a batch command. I just ran the scan from the normal program when I simply double clicked the icon.