Trojan and who know what?


  • This topic is locked
16 replies to this topic

#1 tenno

tenno

  • Members
  • 32 posts
  • OFFLINE
  •  
  • Local time:05:47 PM

Posted 04 December 2008 - 02:00 AM

Here is what seems to be happening.

The modem is being overrun with hits from my desktop unit so my download speed is anywhere from 5-90 kbs. When I connect my laptop direct and unplug the desktop my download speed is in the 300+ range, what I'm paying for. When they are both plugged in they both run slow. I've even had Excessive Sessions Warnings about my desktop unit from my server.

I've been getting pop-ups on a regular basis and a lot of "____ has encountered a problem and needs to close".

I've run Spybot, Adaware, Regcure, Malwarebytes and my local server's virus protection many times with all the updates and get the odd hit.

Malwarebytes keeps finding Trojan.fakealert under "registry value ... HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\brastk"

Each time it removes it but it is there again if I rerun the scan.

Whatever it is it seems to start-up when I choose a user after a restart, the modem starts blazing away again. This is making it very hard to download help ideas from BC as in other people's posts.

I am posting on my laptop with the desktop unplugged just to make sure it goes through.

I'm running on XP home on both computers.

Where do I start?

#2 garmanma

garmanma

    Computer Masochist


  • Members
  • 27,809 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:09:47 PM

Posted 04 December 2008 - 08:26 PM

If you use a router, disconnect from the internet, reset the router, and give it a strong password.
If you use Spybot's Tea Timer, disable it for now
-----------------------------------

Please reboot your computer and update Malwarebytes. This time do a FULL scan and post the new log here
Mark
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

#3 tenno

Posted 04 December 2008 - 09:40 PM

Thanks for the contact.

Of course the modem is working OK right now but this is the first time in days, maybe any downloads won't take all night.

I'm not sure how to turn off Teatimer before I begin the scan, and I don't know how to set the password on the modem/router.

What do I do?

tim

#4 tenno

Posted 05 December 2008 - 11:36 PM

Sorry for the delay but I can't find how to add a log to my message, where do I look? Is there a tutorial?

tim

#5 garmanma

Posted 08 December 2008 - 07:46 PM

Open Mbam and click on the logs tab. If there isn't one, reboot and run another scan
Mark

#6 tenno

Posted 09 December 2008 - 11:43 PM

Being new to this blog and log business I'm a little slow understanding. I know where to find the logs after the scan but not how to add them to this fast reply so you can see them. I don't see any explanations on this site either.

Is there a tab that allows me to add a log or am I to use a different method to reply?

Confused?

#7 garmanma

Posted 10 December 2008 - 08:31 AM

Copy and paste
http://www.webmasternow.com/copyandpaste.html
Does this help?
Mark

#8 tenno

Posted 12 December 2008 - 09:34 PM

Hey Mark

Let's give this a try.

My scan on Dec 4th was as follows:

Malwarebytes' Anti-Malware 1.31
Database version: 1456
Windows 5.1.2600 Service Pack 3

04/12/2008 8:54:32 PM
mbam-log-2008-12-04 (20-54-32).txt

Scan type: Full Scan (C:\|G:\|)
Objects scanned: 201185
Time elapsed: 1 hour(s), 44 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\2.tmp (Trojan.Agent) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brastk (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\1.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\2.tmp (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

The latest one is as follows
Malwarebytes' Anti-Malware 1.31
Database version: 1475
Windows 5.1.2600 Service Pack 3

12/12/2008 6:02:09 PM
mbam-log-2008-12-12 (18-02-02).txt

Scan type: Full Scan (C:\|G:\|)
Objects scanned: 202992
Time elapsed: 1 hour(s), 46 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brastk (Trojan.FakeAlert) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\1.tmp (Trojan.Agent) -> No action taken.


Although it says that no action was taken I did the removal process at the end of the scan.

It seems the infections register during the Heuristics scan at the end of the full scan, not sure if this helps.

Let's do this!

#9 garmanma

Posted 12 December 2008 - 10:40 PM

One more time. Reboot, update mbam and do a full scan and post back with the log
Mark

#10 tenno

Posted 14 December 2008 - 03:22 AM

OK, latest scan

Malwarebytes' Anti-Malware 1.31
Database version: 1497
Windows 5.1.2600 Service Pack 3

13/12/2008 7:22:11 PM
mbam-log-2008-12-13 (19-22-11).txt

Scan type: Full Scan (C:\|G:\|)
Objects scanned: 203438
Time elapsed: 1 hour(s), 46 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brastk (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\1.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\A.tmp (Trojan.Agent) -> Delete on reboot.



These are the same things that keep coming up even if I rerun a scan.

#11 garmanma

Posted 14 December 2008 - 09:42 AM

Are you using XP?


http://www.bleepingcomputer.com/forums/t/131299/how-to-use-sdfix/


Please print out and follow these instructions: "How to use SDFix". <- for Windows 2000/XP ONLY.
When using this tool, you must use the Administrator's account or an account with "Administrative rights"
  • Disconnect from the Internet and temporarily disable your anti-virus, script blocking and any real time protection programs before performing a scan.
  • Please be patient as the scan may take up to 20 minutes to complete.
  • When the process is complete, the SDFix report log will open in Notepad and automatically be saved in the SDFix folder as Report.txt.
  • If SDFix is unable to run after rebooting from Safe Mode, run SDFix in either Mode, and type F, then press Enter for it to finish the final stage and produce the report.
  • The SDFix report log (Report.txt) will open in Notepad and automatically be saved in the SDFix folder.
  • Please copy and paste the contents of Report.txt in your next reply.
  • Be sure to re-enable your anti-virus and other security programs before connecting to the Internet.

Edited by garmanma, 14 December 2008 - 09:43 AM.

Mark

#12 tenno

Posted 15 December 2008 - 02:21 AM

SDFix: Version 1.240
Run by Administrator on Sun 12/14/2008 at 10:25 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\SYSTEM32\FTPUPD.EXE - Deleted





Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by

Gmer, http://www.gmer.net
Rootkit scan 2008-12-14 22:49:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedacces

s\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*

:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Kodak\\KODAK Software

Updater\\7288971\\Program\\Kodak Software Updater.exe"="C:\\Program

Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak

Software Updater.exe:*:Disabled:Kodak Software Updater"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program

Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program

Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Microsoft Games\\Age of Empires

III\\age3.exe"="C:\\Program Files\\Microsoft Games\\Age of Empires

III\\age3.exe:*:Enabled:Age of Empires 3"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program

Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\America's

Army\\System\\ArmyOps.exe"="C:\\Program Files\\America's

Army\\System\\ArmyOps.exe:*:Enabled:ArmyOps"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program

Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0

(Phone)"
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"="C:\\Program

Files\\Grisoft\\AVG Free\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"="C:\\Program

Files\\Grisoft\\AVG Free\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"="C:\\Program

Files\\Grisoft\\AVG Free\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network

Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire

swarmed installer"
"C:\\Documents and Settings\\Timothy\\My Documents\\My

Games\\LimeWire\\LimeWire.exe"="C:\\Documents and

Settings\\Timothy\\My Documents\\My

Games\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Documents and Settings\\Timothy\\My

Documents\\LimeWire\\LimeWire\\LimeWire.exe"="C:\\Documents and

Settings\\Timothy\\My

Documents\\LimeWire\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Electronic Arts\\The Battle for Middle-earth ™

II\\game.dat"="C:\\Program Files\\Electronic Arts\\The Battle for

Middle-earth ™ II\\game.dat:*:Enabled:The Battle for Middle-earth™

II"
"C:\\Program Files\\Microsoft Games\\Halo Trial\\halo.exe"="C:\\Program

Files\\Microsoft Games\\Halo Trial\\halo.exe:*:Enabled:Halo"
"C:\\Documents and Settings\\Timothy\\My Documents\\New

Folder\\LimeWire\\LimeWire.exe"="C:\\Documents and

Settings\\Timothy\\My Documents\\New

Folder\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Steam\\Steam.exe"="C:\\Program

Files\\Steam\\Steam.exe:*:Enabled:Steam"
"C:\\Program

Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"="C:\\Program

Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe:*:Enabled:LaunchPad"
"C:\\Program

Files\\Sony\\Station\\LaunchPad\\_aunchPad.exe"="C:\\Program

Files\\Sony\\Station\\LaunchPad\\_aunchPad.exe:*:Enabled:_aunchPad"
"C:\\Documents and Settings\\Timothy\\Local Settings\\Temporary

Internet

Files\\Content.IE5\\CYM165WO\\installer-22999-19-Counter-Strike-1-6-

English[1].exe"="C:\\Documents and Settings\\Timothy\\Local

Settings\\Temporary Internet

Files\\Content.IE5\\CYM165WO\\installer-22999-19-Counter-Strike-1-6-

English[1].exe:*:Enabled:installer-22999-19-Counter-Strike-1-6-English[1]"
"C:\\Program Files\\Nero\\Nero8\\Nero

Home\\NeroHome.exe"="C:\\Program Files\\Nero\\Nero8\\Nero

Home\\NeroHome.exe:*:Enabled:Nero Home"
"C:\\Program Files\\Nero\\Nero8\\Nero

ShowTime\\ShowTime.exe"="C:\\Program Files\\Nero\\Nero8\\Nero

ShowTime\\ShowTime.exe:*:Enabled:Nero ShowTime"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program

Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\THQ\\Dawn of War - Dark

Crusade\\DarkCrusade.exe"="C:\\Program Files\\THQ\\Dawn of War -

Dark Crusade\\DarkCrusade.exe:*:Enabled:DarkCrusade"
"C:\\Program Files\\CCP\\EVE\\bin\\ExeFile.exe"="C:\\Program

Files\\CCP\\EVE\\bin\\ExeFile.exe:*:Disabled:CCP ExeFile"
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"="C:\\Program

Files\\Veoh Networks\\Veoh\\VeohClient.exe:*:Enabled:Veoh Client"
"C:\\Program Files\\Microsoft Games\\Age of Empires

III\\age3y.exe"="C:\\Program Files\\Microsoft Games\\Age of Empires

III\\age3y.exe:*:Enabled:Age of Empires III - The Asian Dynasties"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program

Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger

8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program

Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1

(Phone)"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedacces

s\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*

:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program

Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0

(Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network

Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program

Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger

8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program

Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1

(Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Wed 22 Oct 2008 949,072 A.SHR --- "C:\Program Files\Spybot -

Search & Destroy\advcheck.dll"
Mon 7 Jul 2008 1,429,840 A.SHR --- "C:\Program Files\Spybot -

Search & Destroy\SDUpdate.exe"
Mon 7 Jul 2008 4,891,472 A.SHR --- "C:\Program Files\Spybot -

Search & Destroy\SpybotSD.exe"
Tue 16 Sep 2008 1,833,296 A.SHR --- "C:\Program Files\Spybot -

Search & Destroy\TeaTimer.exe"
Wed 22 Oct 2008 962,896 A.SHR --- "C:\Program Files\Spybot -

Search & Destroy\Tools.dll"
Fri 28 Nov 2008 373,248 A.SH. ---

"C:\WINDOWS\system32\32.tmp"
Sun 30 Jan 2005 4,348 A.SH. --- "C:\Documents and Settings\All

Users\DRM\DRMv1.bak"
Tue 23 Dec 2003 22,016 ...H. --- "C:\Documents and Settings\Ann\My

Documents\~WRL0001.tmp"
Fri 30 Apr 2004 24,576 ...H. --- "C:\Documents and Settings\Ann\My

Documents\~WRL0896.tmp"
Fri 30 Apr 2004 24,064 ...H. --- "C:\Documents and Settings\Ann\My

Documents\~WRL1875.tmp"
Mon 20 Oct 2003 20,480 ...H. --- "C:\Documents and Settings\Ann\My

Documents\~WRL3534.tmp"
Wed 23 Mar 2005 19,968 ...H. --- "C:\Documents and

Settings\Melissa\My Documents\~WRL3668.tmp"
Sat 6 Sep 2003 41,984 ...H. --- "C:\Documents and Settings\Tim\My

Documents\~WRL0003.tmp"
Thu 15 Jun 2006 188,416 ...H. --- "C:\Documents and Settings\Tim\My

Documents\~WRL0699.tmp"
Fri 30 Sep 2005 21,504 ...H. --- "C:\Documents and Settings\Tim\My

Documents\~WRL1153.tmp"
Sat 17 Sep 2005 21,504 ...H. --- "C:\Documents and Settings\Tim\My

Documents\~WRL1181.tmp"
Wed 31 May 2006 40,960 ...H. --- "C:\Documents and

Settings\Tim\My Documents\~WRL1746.tmp"
Fri 30 Sep 2005 21,504 ...H. --- "C:\Documents and Settings\Tim\My

Documents\~WRL2999.tmp"
Wed 13 Sep 2006 26,624 ...H. --- "C:\Documents and Settings\Tim\My

Documents\~WRL3682.tmp"
Fri 28 Apr 2006 28,160 ...H. --- "C:\Documents and Settings\Tim\My

Documents\~WRL3688.tmp"
Tue 4 Dec 2007 25,600 ...H. --- "C:\Documents and

Settings\Timothy\My Documents\~WRL0741.tmp"
Wed 5 Dec 2007 27,136 ...H. --- "C:\Documents and

Settings\Timothy\My Documents\~WRL0975.tmp"
Sun 11 Nov 2007 26,112 ...H. --- "C:\Documents and

Settings\Timothy\My Documents\~WRL0978.tmp"
Thu 26 May 2005 62,976 ...H. --- "C:\Documents and

Settings\Timothy\My Documents\~WRL1040.tmp"
Sat 18 Feb 2006 19,968 ...H. --- "C:\Documents and

Settings\Timothy\My Documents\~WRL1069.tmp"
Sun 11 Nov 2007 26,112 ...H. --- "C:\Documents and

Settings\Timothy\My Documents\~WRL1193.tmp"
Thu 26 May 2005 46,080 ...H. --- "C:\Documents and

Settings\Timothy\My Documents\~WRL1242.tmp"
Fri 27 May 2005 24,064 ...H. --- "C:\Documents and

Settings\Timothy\My Documents\~WRL1389.tmp"
Wed 5 Dec 2007 26,112 ...H. --- "C:\Documents and

Settings\Timothy\My Documents\~WRL1405.tmp"
Mon 23 May 2005 45,568 ...H. --- "C:\Documents and

Settings\Timothy\My Documents\~WRL1487.tmp"
Wed 5 Dec 2007 25,600 ...H. --- "C:\Documents and

Settings\Timothy\My Documents\~WRL1602.tmp"
Tue 4 Dec 2007 25,600 ...H. --- "C:\Documents and

Settings\Timothy\My Documents\~WRL1629.tmp"
Wed 5 Dec 2007 27,136 ...H. --- "C:\Documents and

Settings\Timothy\My Documents\~WRL1923.tmp"
Tue 4 Dec 2007 34,816 ...H. --- "C:\Documents and

Settings\Timothy\My Documents\~WRL2700.tmp"
Fri 17 Feb 2006 20,992 ...H. --- "C:\Documents and

Settings\Timothy\My Documents\~WRL3067.tmp"
Wed 5 Dec 2007 27,648 ...H. --- "C:\Documents and

Settings\Timothy\My Documents\~WRL3169.tmp"
Tue 4 Dec 2007 25,600 ...H. --- "C:\Documents and

Settings\Timothy\My Documents\~WRL3329.tmp"
Sun 11 Nov 2007 26,112 ...H. --- "C:\Documents and

Settings\Timothy\My Documents\~WRL3504.tmp"
Wed 8 Feb 2006 19,968 ...H. --- "C:\Documents and

Settings\Timothy\My Documents\~WRL3745.tmp"
Thu 26 May 2005 65,536 ...H. --- "C:\Documents and

Settings\Timothy\My Documents\~WRL3905.tmp"
Tue 4 Dec 2007 25,600 ...H. --- "C:\Documents and

Settings\Timothy\My Documents\~WRL3973.tmp"
Thu 26 May 2005 45,568 ...H. --- "C:\Documents and

Settings\Timothy\My Documents\~WRL3984.tmp"
Tue 4 Dec 2007 27,648 ...H. --- "C:\Documents and

Settings\Timothy\My Documents\~WRL4067.tmp"
Thu 8 Jun 2006 525 A..H. --- "C:\Program

Files\InterActual\InterActual Player\itiD.tmp"
Thu 22 May 2008 0 A.SH. --- "C:\Documents and Settings\All

Users\DRM\Cache\Indiv02.tmp"
Sun 21 Nov 2004 1,409 ...H. --- "C:\Documents and Settings\Ann\Local

Settings\Temp\FOR5.tmp"
Sun 21 Nov 2004 1,409 ...H. --- "C:\Documents and Settings\Ann\Local

Settings\Temp\FOR6.tmp"
Sun 21 Nov 2004 1,409 ...H. --- "C:\Documents and Settings\Ann\Local

Settings\Temp\FOR7.tmp"
Sun 21 Nov 2004 1,409 ...H. --- "C:\Documents and Settings\Ann\Local

Settings\Temp\FOR8.tmp"
Sun 21 Nov 2004 41,456 ...H. --- "C:\Documents and

Settings\Ann\Local Settings\Temp\ZTR4.tmp"
Sun 21 Nov 2004 40,644 ...H. --- "C:\Documents and

Settings\Ann\Local Settings\Temp\ZTR5.tmp"
Sun 21 Nov 2004 41,012 ...H. --- "C:\Documents and

Settings\Ann\Local Settings\Temp\ZTR6.tmp"
Sun 21 Nov 2004 42,816 ...H. --- "C:\Documents and

Settings\Ann\Local Settings\Temp\ZTR7.tmp"
Wed 14 Jun 2006 29,696 ...H. --- "C:\Documents and

Settings\Tim\Application Data\Microsoft\Templates\~WRL0370.tmp"
Mon 12 Jun 2006 31,232 ...H. --- "C:\Documents and

Settings\Tim\Application Data\Microsoft\Templates\~WRL2777.tmp"
Mon 3 Oct 2005 31,232 ...H. --- "C:\Documents and

Settings\Tim\Application Data\Microsoft\Templates\~WRL3206.tmp"
Sat 26 Mar 2005 29,696 ...H. --- "C:\Documents and

Settings\Tim\Application Data\Microsoft\Word\~WRL0003.tmp"
Mon 1 Nov 2004 0 ...H. --- "C:\Documents and

Settings\Tim\Application Data\Microsoft\Word\~WRL0005.tmp"
Wed 5 May 2004 0 ...H. --- "C:\Documents and

Settings\Tim\Application Data\Microsoft\Word\~WRL0707.tmp"
Fri 27 Apr 2007 0 ...H. --- "C:\Documents and

Settings\Tim\Application Data\Microsoft\Word\~WRL1344.tmp"
Tue 26 Apr 2005 29,696 ...H. --- "C:\Documents and

Settings\Tim\Application Data\Microsoft\Word\~WRL1422.tmp"
Fri 15 Jul 2005 29,696 ...H. --- "C:\Documents and

Settings\Tim\Application Data\Microsoft\Word\~WRL1706.tmp"
Fri 30 Sep 2005 29,696 ...H. --- "C:\Documents and

Settings\Tim\Application Data\Microsoft\Word\~WRL2205.tmp"
Fri 1 Apr 2005 29,696 ...H. --- "C:\Documents and

Settings\Tim\Application Data\Microsoft\Word\~WRL2780.tmp"
Sat 2 Apr 2005 29,696 ...H. --- "C:\Documents and

Settings\Tim\Application Data\Microsoft\Word\~WRL3104.tmp"
Wed 5 May 2004 0 ...H. --- "C:\Documents and

Settings\Tim\Application Data\Microsoft\Word\~WRL3637.tmp"
Mon 1 Nov 2004 0 ...H. --- "C:\Documents and

Settings\Tim\Application Data\Microsoft\Word\~WRL4054.tmp"

Finished!

#13 tenno

Posted 15 December 2008 - 12:29 PM

I reran mbam and still have this
Malwarebytes' Anti-Malware 1.31
Database version: 1497
Windows 5.1.2600 Service Pack 3

15/12/2008 9:25:36 AM
mbam-log-2008-12-15 (09-25-35).txt

Scan type: Full Scan (C:\|G:\|)
Objects scanned: 203851
Time elapsed: 1 hour(s), 52 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brastk (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#14 tenno

Posted 15 December 2008 - 03:28 PM

New run with update 1501



Malwarebytes' Anti-Malware 1.31
Database version: 1501
Windows 5.1.2600 Service Pack 3

15/12/2008 11:22:53 AM
mbam-log-2008-12-15 (11-22-53).txt

Scan type: Full Scan (C:\|G:\|)
Objects scanned: 205247
Time elapsed: 1 hour(s), 47 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brastk (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
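
Added example, not part of the original thread and not a Malwarebytes tool: the pattern tenno reports in posts #1 and #10, detections that come back after a scan says they were removed, can be extracted from a series of saved logs with a short Python script. The log excerpts are abbreviated from the logs posted above, and the function names `parse_log` and `reappearing` are this example's own.

```python
import re

# Abbreviated copies of three Malwarebytes' Anti-Malware 1.31 logs posted in this
# thread: headers, most counters and empty sections trimmed, detection lines verbatim.
LOGS = [
r"""mbam-log-2008-12-04 (20-54-32).txt
Memory Modules Infected:
C:\WINDOWS\system32\2.tmp (Trojan.Agent) -> Delete on reboot.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brastk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\1.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\2.tmp (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\4.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
""",
r"""mbam-log-2008-12-13 (19-22-11).txt
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brastk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Files Infected:
C:\WINDOWS\system32\1.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\A.tmp (Trojan.Agent) -> Delete on reboot.
""",
r"""mbam-log-2008-12-15 (11-22-53).txt
Registry Values Infected: 1
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\brastk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Files Infected:
(No malicious items detected)
""",
]

LOG_NAME = re.compile(r"^mbam-log-(\d{4}-\d{2}-\d{2}) \((\d{2}-\d{2}-\d{2})\)\.txt$")
SECTION = re.compile(r"^([A-Z][A-Za-z ]+ Infected):$")  # counters ("...: 1") do not match
DETECTION = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")
# Actions that mean the scanner reported (or scheduled) removal of the item.
REMOVED = ("quarantined and deleted successfully", "delete on reboot")


def parse_log(text):
    """Return (scan_id, [(section, item, threat, action), ...]) for one log."""
    scan_id, section, found = None, None, []
    for line in (raw.strip() for raw in text.splitlines()):
        if m := LOG_NAME.match(line):
            scan_id = f"{m.group(1)} {m.group(2)}"  # sorts chronologically
        elif m := SECTION.match(line):
            section = m.group(1)
        elif section and (m := DETECTION.match(line)):
            found.append((section, m["item"], m["threat"], m["action"]))
    if scan_id is None:
        raise ValueError("no 'mbam-log-<date> (<time>).txt' line found")
    return scan_id, found


def reappearing(logs):
    """Map item -> scans in which it was found again after a reported removal."""
    removed_earlier, display, result = set(), {}, {}
    for scan_id, found in sorted((parse_log(t) for t in logs), key=lambda p: p[0]):
        seen_now = {}
        for _section, item, _threat, action in found:
            key = item.lower()  # Windows paths and registry names ignore case
            display.setdefault(key, item)
            seen_now[key] = action.lower() in REMOVED
        for key, was_removed in seen_now.items():
            if key in removed_earlier:
                result.setdefault(key, []).append(scan_id)
            # "No action taken" clears the flag: the next hit is not a comeback.
            if was_removed:
                removed_earlier.add(key)
            else:
                removed_earlier.discard(key)
    return {display[k]: scans for k, scans in result.items()}


if __name__ == "__main__":
    for item, scans in reappearing(LOGS).items():
        print(f"{item}\n    found again after removal in: {', '.join(scans)}")
```

Each scan listed for an item is one where it was detected again although the previous scan that saw it reported removing it.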

#15 garmanma

Posted 15 December 2008 - 05:08 PM

I did my best to keep you out of HJT, but it seems that's the way to go
You pretty much did all of the preparation, but read through this:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
Then post a log in the proper forum here:
http://www.bleepingcomputer.com/forums/f/22/virus-trojan-spyware-and-malware-removal-logs/

Add a link to this thread so the HJT team member can see what you have done so far and good luck
Mark