
stolen.data infection


2 replies to this topic

#1 beatit

  • Members
  • 5 posts

Posted 04 October 2013 - 02:42 AM

After updating FoxIt Reader, all of a sudden a page appeared telling me I was fined 100 euros by the Maltese Police for probably downloading forbidden material, and that the computer would be unlocked after payment. CTRL+ALT+CANC did still work; I selected Task Manager but it didn't work. Tried again, selected Disconnect and this worked. Entered as a Guest, no problem, but the network was not enabled. Rebooted the PC, entered with my account Franz, same problem (with Guest no problem instead). If I disconnected the internet, the page would still appear (and the machine was blocked) but remain blank.

Using the Guest account and running programs as administrator, I discovered a service BECKVB pointing to a non-existing file c:\users\franz\appdata\local\temp\beckvb.exe. Removed all its references in the registry with RegEdit. Compressed all files in c:\users\franz\appdata\local\temp into an archive, rebooted the machine, but the problem was still there.

Rebooted the machine with Puppy Linux, downloaded Malwarebytes' Anti-Malware from the internet, rebooted with Windows, accessed as Guest and installed it. As the internet didn't work, I couldn't update and kept the April 2013 definitions. A scan found Stolen.data malware, the file being c:\users\franz\appdata\roaming\data.dat. I successfully removed it, rebooted the machine and now the problem was gone. As the internet was now working, I updated the MBAM definitions. Scanned again, and it found (I think in the same file) Trojan.Ransom. Deleted this too, rebooted, scanned again, and this time there was nothing. I launched Malwarebytes' Anti-Rootkit; it found nothing. The system seems to work fine. Do you think it's really clean?

Many thanks in advance

DDS log follows:

DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 8.0.7601.17514
Run by Franz at 9:35:25 on 2013-10-04
Microsoft Windows 7 Starter 6.1.7601.1.1252.39.1040.18.1013.137 [GMT 2:00]
.
SP: Windows Defender *Enabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Windows\system32\taskhost.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Windows\Explorer.EXE
C:\Program Files\FSP\FspUip.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\explorer.exe
C:\Windows\explorer.exe
C:\Programmi\Java\jre6\bin\javaw.exe
C:\Progs\Internet\FTrader\FTrader.exe
C:\Windows\system32\notepad.exe
C:\Program Files\Opera\Opera.exe
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\System32\svchost.exe -k secsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = about:blank
uDefault_Page_URL = hxxp://nmd.msn.com
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre6\bin\ssv.dll
BHO: Guida per l'accesso a Windows Live: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: DVDVideoSoft WebPageAdjuster Class: {EE932B49-D5C0-4D19-A3DA-CE0849258DE6} - c:\program files\common files\dvdvideosoft\bin\IEDownloadMenuAndBtns.dll
mRun: [fspuip] c:\program files\fsp\fspuip.exe
uPolicies-Explorer: NoDriveTypeAutoRun = dword:221
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: Free YouTube Download - c:\program files\common files\dvdvideosoft\plugins\freeytvdownloader.htm
IE: Free YouTube to MP3 Converter - c:\program files\common files\dvdvideosoft\plugins\freeytmp3downloader.htm
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {EE932B49-D5C0-4D19-A3DA-CE0849258DE6} - {EE932B49-D5C0-4D19-A3DA-CE0849258DE6} - c:\program files\common files\dvdvideosoft\bin\IEDownloadMenuAndBtns.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_45-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0045-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_45-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_45-windows-i586.cab
TCP: NameServer = 212.56.128.132 192.168.1.1
TCP: Interfaces\{FFA0EBCF-9D5C-4999-BF42-0074E21DBE6C} : DHCPNameServer = 212.56.128.132 192.168.1.1
TCP: Interfaces\{FFA0EBCF-9D5C-4999-BF42-0074E21DBE6C}\143707961676027457563747 : DHCPNameServer = 152.1.8.4 152.1.8.12
TCP: Interfaces\{FFA0EBCF-9D5C-4999-BF42-0074E21DBE6C}\2454E46554E4554594023584F4050594E4744554E4 : DHCPNameServer = 192.168.1.1 151.99.125.2 151.99.0.100
TCP: Interfaces\{FFA0EBCF-9D5C-4999-BF42-0074E21DBE6C}\75966496049407562736964797 : DHCPNameServer = 8.8.8.8 4.2.2.2
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll
Notify: igfxcui - igfxdev.dll
SSODL: WebCheck - <orphaned>
.
============= SERVICES / DRIVERS ===============
.
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2013-10-4 418376]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2013-10-4 701512]
R3 Cam3820;Cam3820 PC Camera Driver;c:\windows\system32\drivers\cam3820a.sys [2010-2-10 308480]
R3 fspad_wlh32;Finger Sensing Pad Driver for Windows 2000/XP/Vista/Win7_wlh32;c:\windows\system32\drivers\fspad_wlh32.sys [2010-7-20 44032]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-10-4 22856]
R3 rtl8192se;Realtek Wireless LAN 802.11n PCI-E NIC NT Driver;c:\windows\system32\drivers\rtl8192se.sys [2013-6-6 1118312]
S2 gafwload;D-Link DSL-200 USB ADSL Loader;c:\windows\system32\drivers\gafwload.sys [2012-11-11 26987]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-14 229888]
S3 Brndis;External USB Cable Modem;c:\windows\system32\drivers\Brndis.sys [2013-8-1 16512]
S3 fssfltr;fssfltr;c:\windows\system32\drivers\fssfltr.sys [2010-8-16 54632]
S3 fsssvc;Servizio Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2010-4-28 704872]
S3 JMCR;JMCR;c:\windows\system32\drivers\jmcr.sys [2010-7-20 126064]
S3 JME;JMicron Ethernet Adapter NDIS6.20 Driver;c:\windows\system32\drivers\JME.sys [2010-7-20 92272]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2012-1-9 137600]
S3 PowerBiosServer;PowerBiosServer;c:\program files\hotkey\PowerBiosServer.exe [2010-3-3 32256]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2012-11-30 14848]
S3 SIVDRIVER;SIV Kernel Driver;c:\windows\system32\drivers\SIVX32.sys [2013-7-2 65600]
S3 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-6-21 162408]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2012-11-30 49664]
S3 WiseBootAssistant;Wise Boot Assistant;c:\program files\wise\wise care 365\BootTime.exe [2013-4-18 580232]
.
=============== Created Last 30 ================
.
2013-10-04 04:39:09 -------- d-----w- c:\programdata\Malwarebytes' Anti-Malware (portable)
2013-10-04 04:04:55 22856 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-10-04 04:04:55 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-10-04 04:04:37 -------- d-----w- c:\users\franz\appdata\local\Programs
2013-10-04 03:34:27 4425448 ----a-w- C:\avg_free_stb_all_2014_4116_cnet.exe
2013-10-04 03:33:08 131918888 ----a-w- C:\avast_free_antivirus_setup.exe
2013-10-04 03:31:36 80456 ----a-w- C:\mbam-clean-1.60.2.0003.exe
2013-10-04 03:29:51 65232 ----a-w- C:\regassassin-setup-1.03.exe
2013-10-04 03:29:19 204496 ----a-w- C:\startuplite-setup-1.07.exe
2013-10-04 03:28:56 12907592 ----a-w- C:\mbar-1.07.0.1005.exe
2013-10-04 03:27:15 10285040 ----a-w- C:\mbam-setup-1.75.0.1300.exe
2013-10-04 03:25:15 131606136 ----a-w- C:\cureit.exe
2013-10-04 01:36:38 216064 ----a-w- c:\windows\system32\gcapi_dll.dll
2013-10-04 01:36:17 -------- d-----w- c:\program files\Foxit Software
2013-10-01 14:13:42 7328304 ----a-w- c:\programdata\microsoft\windows defender\definition updates\{77c24e77-27c7-4b38-a240-0cda5fe4a5d3}\mpengine.dll
2013-09-11 15:39:22 2348544 ----a-w- c:\windows\system32\win32k.sys
.
==================== Find3M ====================
.
2013-08-07 02:22:04 238872 ------w- c:\windows\system32\MpSigStub.exe
2013-08-05 01:56:47 133056 ----a-w- c:\windows\system32\drivers\ataport.sys
2013-08-02 01:50:36 169984 ----a-w- c:\windows\system32\winsrv.dll
2013-08-02 01:49:19 293376 ----a-w- c:\windows\system32\KernelBase.dll
2013-08-02 00:52:57 271360 ----a-w- c:\windows\system32\conhost.exe
2013-08-02 00:43:05 6144 ---ha-w- c:\windows\system32\api-ms-win-security-base-l1-1-0.dll
2013-08-02 00:43:05 4608 ---ha-w- c:\windows\system32\api-ms-win-core-threadpool-l1-1-0.dll
2013-08-02 00:43:05 3584 ---ha-w- c:\windows\system32\api-ms-win-core-xstate-l1-1-0.dll
2013-08-02 00:43:05 3072 ---ha-w- c:\windows\system32\api-ms-win-core-util-l1-1-0.dll
2013-08-01 08:40:17 981504 ----a-w- c:\windows\system32\wininet.dll
2013-08-01 07:50:07 1638912 ----a-w- c:\windows\system32\mshtml.tlb
2013-07-25 08:57:27 1620992 ----a-w- c:\windows\system32\WMVDECOD.DLL
2013-07-19 01:41:01 2048 ----a-w- c:\windows\system32\tzres.dll
2013-07-09 05:03:34 3968960 ----a-w- c:\windows\system32\ntkrnlpa.exe
2013-07-09 05:03:34 3913664 ----a-w- c:\windows\system32\ntoskrnl.exe
2013-07-09 04:53:46 1289096 ----a-w- c:\windows\system32\ntdll.dll
2013-07-09 04:52:10 175104 ----a-w- c:\windows\system32\wintrust.dll
2013-07-09 04:50:42 652800 ----a-w- c:\windows\system32\rpcrt4.dll
2013-07-09 04:46:31 140288 ----a-w- c:\windows\system32\cryptsvc.dll
2013-07-09 04:46:31 1166848 ----a-w- c:\windows\system32\crypt32.dll
2013-07-09 04:46:31 103936 ----a-w- c:\windows\system32\cryptnet.dll
.
============= FINISH: 9:36:24,07 ===============

Edited by beatit, 04 October 2013 - 02:45 AM.
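The poster found the BECKVB service by hand: a service registration whose ImagePath pointed at a file under the user's Temp folder that no longer existed. The script below automates that check over every entry under HKLM\SYSTEM\CurrentControlSet\Services. It is an added example, not code from this thread or from DDS/Malwarebytes, and it assumes Windows with PowerShell 3 or later, run from an elevated prompt. The only identifiers taken from the post are the service name BECKVB and the c:\users\franz\appdata\local\temp path; the function names and the output fields are this example's own.

```powershell
# Added example (not part of the original post): list service entries whose
# binary is missing on disk or lives under a user profile / Temp directory.
# Assumes Windows, PowerShell 3+, elevated prompt.

function Resolve-ServiceBinary {
    # Turn a raw ImagePath value into a plain file path.
    # Handles: quoted paths with arguments, unquoted paths with arguments,
    # %SystemRoot%-style variables, and the kernel-style prefixes that
    # driver entries use ("\??\C:\...", "\SystemRoot\system32\...",
    # bare "system32\drivers\x.sys").
    param([Parameter(Mandatory)][string]$ImagePath)

    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())
    if ($p.StartsWith('"')) {
        $p = $p.Substring(1, $p.IndexOf('"', 1) - 1)
    } else {
        # Unquoted: cut at the first .exe/.sys/.dll token followed by a space or end.
        $m = [regex]::Match($p, '^(.*?\.(exe|sys|dll))(\s|$)', 'IgnoreCase')
        if ($m.Success) { $p = $m.Groups[1].Value }
    }
    if ($p -like '\??\*')         { $p = $p.Substring(4) }
    if ($p -like '\SystemRoot\*') { $p = Join-Path $env:SystemRoot $p.Substring(12) }
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Find-SuspiciousServices {
    # Walk every service/driver key and report the two patterns from the thread.
    $profilesRoot = Split-Path $env:USERPROFILE -Parent   # e.g. C:\Users

    foreach ($key in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services') {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $props -or -not $props.ImagePath) { continue }

        $bin = Resolve-ServiceBinary $props.ImagePath

        # svchost-hosted services: the real code is the DLL named in
        # Parameters\ServiceDll, not svchost.exe itself, so check that instead.
        if ($bin -match '\\svchost\.exe$') {
            $dll = (Get-ItemProperty -Path (Join-Path $key.PSPath 'Parameters') `
                        -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
            if ($dll) { $bin = Resolve-ServiceBinary $dll }
        }

        $reasons = @()
        if (-not (Test-Path -LiteralPath $bin)) { $reasons += 'binary missing on disk' }
        if ($bin -like "$profilesRoot\*")       { $reasons += 'runs from a user profile directory' }
        if ($bin -match '\\Temp\\')             { $reasons += 'runs from a Temp folder' }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Service = $key.PSChildName
                Start   = $props.Start        # 0-1 boot/system, 2 auto, 3 manual, 4 disabled
                Binary  = $bin
                Reason  = ($reasons -join '; ')
            }
        }
    }
}

# Example run. On the poster's machine this would have listed something like
#   BECKVB  2  C:\users\franz\appdata\local\temp\beckvb.exe  binary missing on disk; runs from a user profile directory; runs from a Temp folder
Find-SuspiciousServices | Sort-Object Service | Format-Table -AutoSize
```

A hit is a lead, not a verdict: some OEM driver entries point at files that were never installed, and a 32-bit PowerShell on 64-bit Windows sees a redirected System32, so confirm each reported path from an elevated 64-bit prompt and compare against the SERVICES / DRIVERS section of a DDS log like the one above. The script does not cover the Run/RunOnce keys or scheduled tasks, which are the other common places a lockscreen ransomware of this kind registers itself.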


#2 nasdaq

  • Malware Response Team
  • 39,955 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 04 October 2013 - 12:52 PM

Since you are being helped at Malwarebytes this topic will be closed.

http://forums.malwarebytes.org/index.php?showtopic=134367

#3 nasdaq

  • Malware Response Team
  • 39,955 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 04 October 2013 - 12:52 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
