Solved "Detekt" found "Ghost"_ MWB removed Babylon from Unlocker

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 11.01.2015
Scan Time: 14:00:27
Logfile: MWBytes_2015_01_11_14h.txt
Administrator: No

Version: 2.00.4.1028
Malware Database: v2015.01.11.05
Rootkit Database: v2015.01.07.01
License: Trial
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows XP Service Pack 3
CPU: x86
File System: NTFS
User: P

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 208424
Time Elapsed: 41 min, 10 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 1
Trojan.Carberp.ED, C:\WINDOWS\Installer\3e28a.msi, Delete-on-Reboot, [1a07956184051521c16e688b778a8f71],

Physical Sectors: 0
(No malicious items detected)


(end)
 
Could be a false positive.
Next time MBAM finds it do NOT delete it but instead....

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

64-bit users go HERE
  • Double-click SystemLook.exe to run it.
  • Vista users: Right-click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following box and paste it into the main textfield:
Code:
:file
C:\WINDOWS\Installer\3e28a.msi
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
 
SystemLook 30.07.11 by jpshortstuff
Log created at 00:40 on 12/01/2015 by Admin
Administrator - Elevation successful

========== file ==========

C:\WINDOWS\Installer\3e28a.msi - File found and opened.
MD5: B0F110D9A7DEE085C3EE1111C41AE666
Created at 05:06 on 25/06/2013
Modified at 05:06 on 25/06/2013
Size: 496640 bytes
Attributes: --a--c-
No version information available.

-= EOF =-
 
By the way: MBAM was running not from Admin but from my other (internet) user when it found the second trojan. In case that matters.
 
Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 12.01.2015
Scan Time: 00:43:57
Logfile: MBAM2015_01_12.txt
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2015.01.11.11
Rootkit Database: v2015.01.07.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows XP Service Pack 3
CPU: x86
File System: NTFS
User: Admin

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 383027
Time Elapsed: 49 min, 7 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)
 
Did you mean: upload THIS file to virustotal?
C:\WINDOWS\Installer\3e28a.msi
In that case, I can't, it's not visible to me. I can't choose a file on virustotal that is not displayed.
I tried to make system files visible but all I see are file names that start with $NtUninstall....
 
Press the F5 key to refresh the Windows Explorer view and then you should see the "Installer" folder.
I have a number of those alphanumeric "msi" files in that folder and your file is two years old, so I strongly suspect it's a false positive.
 
Are you looking for the "Installer" folder through Windows Explorer or through the "Browse" button at VirusTotal?
 
The last time I ran MBAM (Jan. 12th) it didn't find anything, as I posted somewhere up here. Before (Jan. 11th), it found the same Trojan twice.
 
You're very welcome