
stolen.data 17/12-17/01


Raoul_


I would like to refer to this topic: http://forums.malwar...howtopic=115288

My problem really looks like this.

I didn't know I had a virus before yesterday. Because I couldn't get the " on the e like ë with the correct keyboard settings, I searched for a solution. Soon I saw a few responses to a topic from another one with the same problems; it was probably a keylogger. Of course no one likes keyloggers, so I didn't :)

So I scanned my PC with the always helpful MBAM and got the following log:


Geheugenprocessen gedetecteerd: 1
C:\Users\Raoul\AppData\Local\Temp\svchost.exe (Trojan.Agent.Gen) -> 4200 -> Zal worden verwijderd tijdens het herstarten.
Geheugenmodulen gedetecteerd: 0
(Geen kwaadaardige objecten gedetecteerd)
Registersleutels gedetecteerd: 1
HKCU\Software\DC3_FEXEC (Malware.Trace) -> Succesvol in quarantaine geplaatst en verwijderd.
Registerwaarden gedetecteerd: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Java.exe (Trojan.Agent) -> Data: C:\Users\Raoul\AppData\Roaming\Java.exe -> Succesvol in quarantaine geplaatst en verwijderd.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|WinDefender (Trojan.Agent) -> Data: C:\Users\Raoul\AppData\Local\Temp\WinDefender.Exe -> Succesvol in quarantaine geplaatst en verwijderd.
Registerdata gedetecteerd: 0
(Geen kwaadaardige objecten gedetecteerd)
Mappen gedetecteerd: 2
C:\Users\Raoul\AppData\Roaming\dclogs (Stolen.Data) -> Succesvol in quarantaine geplaatst en verwijderd.
C:\Users\Raoul\AppData\Roaming\WinDefender (Rogue.WinDefender) -> Succesvol in quarantaine geplaatst en verwijderd.
Bestanden gedetecteerd: 28
C:\Users\Raoul\AppData\Roaming\Java.exe (Trojan.Agent) -> Succesvol in quarantaine geplaatst en verwijderd.
C:\Users\Raoul\AppData\Local\Temp\WinDefender.Exe (Trojan.Agent) -> Succesvol in quarantaine geplaatst en verwijderd.
C:\Users\Raoul\AppData\Roaming\dclogs\2012-12-17-2.dc (Stolen.Data) -> Succesvol in quarantaine geplaatst en verwijderd.
C:\Users\Raoul\AppData\Roaming\dclogs\2012-12-18-3.dc (Stolen.Data) -> Succesvol in quarantaine geplaatst en verwijderd.
C:\Users\Raoul\AppData\Roaming\dclogs\2012-12-19-4.dc (Stolen.Data) -> Succesvol in quarantaine geplaatst en verwijderd.
C:\Users\Raoul\AppData\Roaming\dclogs\2012-12-20-5.dc (Stolen.Data) -> Succesvol in quarantaine geplaatst en verwijderd.
C:\Users\Raoul\AppData\Roaming\dclogs\2012-12-21-6.dc (Stolen.Data) -> Succesvol in quarantaine geplaatst en verwijderd.
C:\Users\Raoul\AppData\Roaming\dclogs\2012-12-22-7.dc (Stolen.Data) -> Succesvol in quarantaine geplaatst en verwijderd.
C:\Users\Raoul\AppData\Roaming\dclogs\2012-12-23-1.dc (Stolen.Data) -> Succesvol in quarantaine geplaatst en verwijderd.
C:\Users\Raoul\AppData\Roaming\dclogs\2012-12-24-2.dc (Stolen.Data) -> Succesvol in quarantaine geplaatst en verwijderd.
C:\Users\Raoul\AppData\Roaming\dclogs\2012-12-25-3.dc (Stolen.Data) -> Succesvol in quarantaine geplaatst en verwijderd.
C:\Users\Raoul\AppData\Roaming\dclogs\2012-12-26-4.dc (Stolen.Data) -> Succesvol in quarantaine geplaatst en verwijderd.
C:\Users\Raoul\AppData\Roaming\dclogs\2013-01-01-3.dc (Stolen.Data) -> Succesvol in quarantaine geplaatst en verwijderd.
C:\Users\Raoul\AppData\Roaming\dclogs\2013-01-04-6.dc (Stolen.Data) -> Succesvol in quarantaine geplaatst en verwijderd.
C:\Users\Raoul\AppData\Roaming\dclogs\2013-01-05-7.dc (Stolen.Data) -> Succesvol in quarantaine geplaatst en verwijderd.
C:\Users\Raoul\AppData\Roaming\dclogs\2013-01-06-1.dc (Stolen.Data) -> Succesvol in quarantaine geplaatst en verwijderd.
C:\Users\Raoul\AppData\Roaming\dclogs\2013-01-07-2.dc (Stolen.Data) -> Succesvol in quarantaine geplaatst en verwijderd.
C:\Users\Raoul\AppData\Roaming\dclogs\2013-01-08-3.dc (Stolen.Data) -> Succesvol in quarantaine geplaatst en verwijderd.
C:\Users\Raoul\AppData\Roaming\dclogs\2013-01-09-4.dc (Stolen.Data) -> Succesvol in quarantaine geplaatst en verwijderd.
C:\Users\Raoul\AppData\Roaming\dclogs\2013-01-10-5.dc (Stolen.Data) -> Succesvol in quarantaine geplaatst en verwijderd.
C:\Users\Raoul\AppData\Roaming\dclogs\2013-01-11-6.dc (Stolen.Data) -> Succesvol in quarantaine geplaatst en verwijderd.
C:\Users\Raoul\AppData\Roaming\dclogs\2013-01-12-7.dc (Stolen.Data) -> Succesvol in quarantaine geplaatst en verwijderd.
C:\Users\Raoul\AppData\Roaming\dclogs\2013-01-13-1.dc (Stolen.Data) -> Succesvol in quarantaine geplaatst en verwijderd.
C:\Users\Raoul\AppData\Roaming\dclogs\2013-01-14-2.dc (Stolen.Data) -> Succesvol in quarantaine geplaatst en verwijderd.
C:\Users\Raoul\AppData\Roaming\dclogs\2013-01-15-3.dc (Stolen.Data) -> Succesvol in quarantaine geplaatst en verwijderd.
C:\Users\Raoul\AppData\Roaming\dclogs\2013-01-16-4.dc (Stolen.Data) -> Succesvol in quarantaine geplaatst en verwijderd.
C:\Users\Raoul\AppData\Roaming\dclogs\2013-01-17-5.dc (Stolen.Data) -> Succesvol in quarantaine geplaatst en verwijderd.
C:\Users\Raoul\AppData\Local\Temp\svchost.exe (Trojan.Agent.Gen) -> Zal worden verwijderd tijdens het herstarten.

So I guess the numbers are the days (17 December till 17 January).

I noticed I lost some PayPal money in this period, so it really was a keylogger.

As my problem looks like the one I linked to, I've completed all the steps Maurice Naggar said to do.

The ESET online scanner only found some infected Visual Basic projects. All of them were "a variant of MSIL/PSW.Agent.NFX trojan".

I can't find the MS Safety Scanner log, but it found like 50 threats. Could someone tell me where I can find this log?

This is the log from the security checker:


Results of screen317's Security Check version 0.99.57
Windows 7 x64 (UAC is enabled)
[url=http://windows.microsoft.com/en-US/windows7/install-windows-7-service-pack-1][color=red][b]Out of date service pack!![/color][/url][/b]
Internet Explorer 9
[b][u]``````````````Antivirus/Firewall Check:``````````````[/b][/u]
McAfee Anti-Virus and Anti-Spyware
[size=1]WMI entry may not exist for antivirus; attempting automatic update.[/size]
[b][u]`````````Anti-malware/Other Utilities Check:`````````[/b][/u]
Malwarebytes Anti-Malware versie 1.70.0.1100
Java 7 Update 9
[color=red][b]Java version out of Date![/b][/color]
Adobe Reader 9 [color=red][b]Adobe Reader out of Date![/b][/color]
Google Chrome 23.0.1271.97
Google Chrome 24.0.1312.52
[b][u]````````Process Check: objlist.exe by Laurent````````[/b][/u]
Malwarebytes Anti-Malware mbamservice.exe
Malwarebytes Anti-Malware mbamgui.exe
Malwarebytes' Anti-Malware mbamscheduler.exe
[b][u]`````````````````System Health check`````````````````[/b][/u]
Total Fragmentation on Drive C: 5%
[b][u]````````````````````End of Log``````````````````````[/b][/u]

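The MBAM log above is the most useful artefact in the thread: the dated files under dclogs show on which days the keylogger was active, and the two Run-key values show how it survived reboots. As an added example (not code from the post or from Malwarebytes), here is a small Python triage script that parses that log format, counts detections per category, derives the keylogging window from the dclogs file names, and flags Run-key persistence pointing into user-writable folders. The sample input is a subset of the detection lines quoted in the post; the path list USER_WRITABLE is my own choice of folders worth alerting on.

```python
"""Triage helper for a Malwarebytes (MBAM) detection log.

Added example, not code from the forum post or from Malwarebytes. It parses
the Dutch-language MBAM output quoted above, groups detections by category,
derives the keylogger's active window from the dated dclogs file names, and
flags Run-key persistence that points into user-writable folders.
"""
import re
from collections import Counter
from datetime import date

# Sample input: a subset of the detection lines copied from the post above.
# Section headers are kept as they appear there; only a few of the 28 file
# lines are included, so the header counts do not match this subset.
SAMPLE_LOG = r"""
Geheugenprocessen gedetecteerd: 1
C:\Users\Raoul\AppData\Local\Temp\svchost.exe (Trojan.Agent.Gen) -> 4200 -> Zal worden verwijderd tijdens het herstarten.
Registersleutels gedetecteerd: 1
HKCU\Software\DC3_FEXEC (Malware.Trace) -> Succesvol in quarantaine geplaatst en verwijderd.
Registerwaarden gedetecteerd: 2
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Java.exe (Trojan.Agent) -> Data: C:\Users\Raoul\AppData\Roaming\Java.exe -> Succesvol in quarantaine geplaatst en verwijderd.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|WinDefender (Trojan.Agent) -> Data: C:\Users\Raoul\AppData\Local\Temp\WinDefender.Exe -> Succesvol in quarantaine geplaatst en verwijderd.
Mappen gedetecteerd: 2
C:\Users\Raoul\AppData\Roaming\dclogs (Stolen.Data) -> Succesvol in quarantaine geplaatst en verwijderd.
Bestanden gedetecteerd: 28
C:\Users\Raoul\AppData\Roaming\Java.exe (Trojan.Agent) -> Succesvol in quarantaine geplaatst en verwijderd.
C:\Users\Raoul\AppData\Roaming\dclogs\2012-12-17-2.dc (Stolen.Data) -> Succesvol in quarantaine geplaatst en verwijderd.
C:\Users\Raoul\AppData\Roaming\dclogs\2012-12-26-4.dc (Stolen.Data) -> Succesvol in quarantaine geplaatst en verwijderd.
C:\Users\Raoul\AppData\Roaming\dclogs\2013-01-01-3.dc (Stolen.Data) -> Succesvol in quarantaine geplaatst en verwijderd.
C:\Users\Raoul\AppData\Roaming\dclogs\2013-01-17-5.dc (Stolen.Data) -> Succesvol in quarantaine geplaatst en verwijderd.
"""

# A detection line is "<file path or registry key> (<category>) -> <rest>".
DETECTION_RE = re.compile(
    r"^(?P<item>[A-Z]:\\.+?|HK[A-Z_]+\\.+?) \((?P<category>[A-Za-z.]+)\) -> (?P<rest>.*)$"
)
# Registry-value lines carry the value's target as "Data: <path> ->".
DATA_RE = re.compile(r"Data: (?P<data>.+?) ->")
# The keylogger's daily files are named YYYY-MM-DD-<n>.dc inside dclogs.
DCLOG_RE = re.compile(r"\\dclogs\\(?P<date>\d{4}-\d{2}-\d{2})-\d+\.dc$")
# Folders any process in the user's session can write to (my own list).
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\users\\public\\")


def parse_mbam_log(text):
    """Return one dict per detection line; section headers and blanks are skipped."""
    detections = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if not m:
            continue  # e.g. "Mappen gedetecteerd: 2" or an empty line
        d = DATA_RE.search(m.group("rest"))
        detections.append({
            "item": m.group("item"),
            "category": m.group("category"),
            "data": d.group("data") if d else None,
        })
    return detections


def category_counts(detections):
    """How many detections fall under each MBAM category name."""
    return Counter(d["category"] for d in detections)


def keylog_window(detections):
    """(first day, last day, number of days with a log) from the dated dclogs files,
    or None if no such file was detected. Gaps between days are periods with no
    captured keystrokes, not days the machine was clean."""
    days = set()
    for d in detections:
        m = DCLOG_RE.search(d["item"])
        if m:
            days.add(date.fromisoformat(m.group("date")))
    if not days:
        return None
    return min(days), max(days), len(days)


def autoruns_in_user_writable_paths(detections):
    """Run-key values whose target lives in a folder the user can write to.
    Legitimate software rarely persists from Temp or Roaming, so this is the
    pattern worth alerting on; returns (value name, target path) pairs."""
    hits = []
    for d in detections:
        if r"\CurrentVersion\Run|" in d["item"] and d["data"]:
            target = d["data"].lower()
            if any(p in target for p in USER_WRITABLE):
                hits.append((d["item"].split("|", 1)[1], d["data"]))
    return hits


if __name__ == "__main__":
    dets = parse_mbam_log(SAMPLE_LOG)
    print("detections by category:", dict(category_counts(dets)))
    print("keylogging window (first, last, days with logs):", keylog_window(dets))
    for name, target in autoruns_in_user_writable_paths(dets):
        print(f"persistence: Run\\{name} -> {target}")
```

Run it on a full copy of the log to get the exposure window (here 2012-12-17 to 2013-01-17); that window is what matters when deciding which passwords and accounts to treat as exposed, which is exactly what the helper's backdoor warning below asks for.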

Hello Raoul_ and :welcome:! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

  • If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  • I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  • Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  • Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  • Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.
  • Do not perform any kind of scanning and fixing without my instructions. If you want to proceed on your own, please let me know.

BACKDOOR WARNING

One or more of the identified infections is known to use a backdoor.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advise you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

Help: I Got Hacked. Now What Do I Do?

Help: I Got Hacked. Now What Do I Do? Part II

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do. If you decide to go through with the cleanup, please let me know.


I just bumped this topic at the same time you typed this.

First of all, thanks for your help so far.

I am not yet paying for MBAM, but because it works so well, I'm gonna pay for it, just not today. It's a single payment for 1 PC for $25, right? Is it possible to just install it on another PC and delete it from the old one (for example by reinstalling Windows)?

I want to be 100% sure to get rid of this virus, so if reinstalling the whole OS is the best way to do so, I will do it that way, if you could give me instructions for that.

Thanks

Raoul
