BradBenstin

  1. Okay, I've settled it. I made a System33 folder on several other machines and ran Malwarebytes and they all gave this false-positive. I guess it's something Malwarebytes may look into correcting? Although I imagine most people wouldn't have this folder. Thanks for the help, screen. I didn't even consider it as something Malwarebytes just didn't like.
  2. I'm not sure what you mean by "C:\windows\system33 is a folder that malware has used". It didn't detect the System34 or winsxx I created just to test the theory of whether it was a "what the heck is that folder name doing there?" concept. I made the folder and just kept some personal stuff in there - images, word documents and the such. Just private stuff I didn't want easily accessed via My Documents and the like. None of the files were from the internet, nothing illegal, just private. Most people that use my computer wouldn't know the difference between System32 and System33, and since they'd have no business being in the Windows folder in the first place, it seemed like a decent place to hide it.
  3. http://forums.malwarebytes.org/index.php?showtopic=86928 I forgot to upload the attachments, and I can't seem to find an edit button. I made a new topic with the attachments, sorry!
  4. I scanned my computer this morning with Malwarebytes, database version 6826. It reported that a folder I have hidden in my Windows folder was infected with Trojan.Banker. This folder, and all of its contents (C:\Windows\System33) were considered infected. If you move that infected folder anywhere else and scan it, it reports that it is not infected. I deleted System33 and made a new System33 folder with new contents in it, it scanned as infected. I tried creating a System34 folder and putting files into it as well as renaming the infected System33 folder to System332 to see if they'd be infected, they return not infected.

     What prompted me to do this scan was because this morning my Gmail account was hijacked and a spam e-mail sent out to anyone I've ever e-mailed. I changed my password about 15 minutes after this occurred. It appears the person logged in twice as far as I can tell from Gmail's account activity logger:

     POP3 China (115.49.37.228) Jun 9 ~8:45 pm (16 hours ago)
     Browser China (222.142.181.195) Jun 10 9:45 am (3 hours ago)

     I haven't done a Malwarebytes scan for a long time (several months I'd say), I keep AVG Free 2011 running in the background always. I also noticed a few files keep updating every few hours in the System32 folder, pictured below:

     I did some searching on the internet about these, and I came up with mixed results about viruses and whatnot. perfh009.dat and perfc009.dat both have a bunch of random information in them and are typed strangely, like so - "3 T h e S y s t e m p e r f o r m a n c e ...".

     Does anyone think this might just be a false positive, or is it more likely that someone has targeted my C:\Windows\System33 folder directly to obtain the information I had hidden there? If it's the latter, the issue is still present and I don't know how to fix it.

     ------

     Completed "I'm infected - What do I do now?" Results: DDS.txt

     The other two files are attached. The only issue I may have had was disabling any script blockers. I did a bit of searching, and as far as I could tell, they were disabled. I run Firefox only, but have IE and Google Chrome installed on my computer (I assume the script blockers relate to my browser?).

     Attach.zip
  5. Thank you, I have completed the steps and have posted them in the proper section. http://forums.malwarebytes.org/index.php?showtopic=86916
  6. I scanned my computer this morning with Malwarebytes, database version 6826. It reported that a folder I have hidden in my Windows folder was infected with Trojan.Banker. This folder, and all of its contents (C:\Windows\System33) were considered infected. If you move that infected folder anywhere else and scan it, it reports that it is not infected. I deleted System33 and made a new System33 folder with new contents in it, it scanned as infected. I tried creating a System34 folder and putting files into it as well as renaming the infected System33 folder to System332 to see if they'd be infected, they return not infected.

     What prompted me to do this scan was because this morning my Gmail account was hijacked and a spam e-mail sent out to anyone I've ever e-mailed. I changed my password about 15 minutes after this occurred. It appears the person logged in twice as far as I can tell from Gmail's account activity logger:

     POP3 China (115.49.37.228) Jun 9 ~8:45 pm (16 hours ago)
     Browser China (222.142.181.195) Jun 10 9:45 am (3 hours ago)

     I haven't done a Malwarebytes scan for a long time (several months I'd say), I keep AVG Free 2011 running in the background always. I also noticed a few files keep updating every few hours in the System32 folder, pictured below:

     I did some searching on the internet about these, and I came up with mixed results about viruses and whatnot. perfh009.dat and perfc009.dat both have a bunch of random information in them and are typed strangely, like so - "3 T h e S y s t e m p e r f o r m a n c e ...".

     Does anyone think this might just be a false positive, or is it more likely that someone has targeted my C:\Windows\System33 folder directly to obtain the information I had hidden there? If it's the latter, the issue is still present and I don't know how to fix it.

     ------

     Completed "I'm infected - What do I do now?" Results: DDS.txt

     The other two files are attached. The only issue I may have had was disabling any script blockers. I did a bit of searching, and as far as I could tell, they were disabled. I run Firefox only, but have IE and Google Chrome installed on my computer (I assume the script blockers relate to my browser?).
  7. I scanned my computer this morning with Malwarebytes, database version 6826. It reported that a folder I have hidden in my Windows folder was infected with Trojan.Banker. This folder, and all of its contents (C:\Windows\System33) were considered infected. If you move that infected folder anywhere else and scan it, it reports that it is not infected. I deleted System33 and made a new System33 folder with new contents in it, it scanned as infected. I tried creating a System34 folder and putting files into it as well as renaming the infected System33 folder to System332 to see if they'd be infected, they return not infected.

     What prompted me to do this scan was because this morning my Gmail account was hijacked and a spam e-mail sent out to anyone I've ever e-mailed. I changed my password about 15 minutes after this occurred. It appears the person logged in twice as far as I can tell from Gmail's account activity logger:

     POP3 China (115.49.37.228) Jun 9 ~8:45 pm (16 hours ago)
     Browser China (222.142.181.195) Jun 10 9:45 am (3 hours ago)

     I haven't done a Malwarebytes scan for a long time (several months I'd say), I keep AVG Free 2011 running in the background always.

     Does anyone think this might just be a false positive, or is it more likely that someone has targeted my C:\Windows\System33 folder directly to obtain the information I had hidden there? If it's the latter, the issue is still present and I don't know how to fix it.