Several stolen.data entries


Recommended Posts

Hi,

Been a longtime MalwareBytes user and love the program. As far as I know my spyware and antivirus programs are up-to-date and working fine.

Recently I've noticed several Stolen.Data entries in my log but no actual malware found:

Malwarebytes' Anti-Malware 1.51.2.1300

www.malwarebytes.org

Database version: 8097

Windows 6.1.7601 Service Pack 1

Internet Explorer 9.0.8112.16421

11/6/2011 10:52:39 AM

mbam-log-2011-11-06 (10-52-35).txt

Scan type: Full scan (C:\|E:\|)

Objects scanned: 565106

Time elapsed: 37 minute(s), 35 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 5

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

c:\Users\***\AppData\Roaming\43da908 (Stolen.Data) -> No action taken.

c:\Users\***\AppData\Roaming\6186b83 (Stolen.Data) -> No action taken.

c:\Users\***\AppData\Roaming\7807c14 (Stolen.Data) -> No action taken.

c:\Users\***\AppData\Roaming\83b6588 (Stolen.Data) -> No action taken.

c:\Users\***\AppData\Roaming\875ba80 (Stolen.Data) -> No action taken.

I've attached the DDS and Attach files from DDS.

I'm usually quite careful about what I install so I'm a bit mystified about what the problem is.

Thanks for any help,

Joe

DDS.txt

Attach.txt


  • Staff

Hi and welcome to Malwarebytes.

Stolen.Data detections mean sensitive data may have been stolen.

Please update MBAM, run a Quick Scan, and post its log.

Next, please visit this webpage for instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new DDS log so we may continue cleaning the system.

-screen317


  • Staff

Hi,

Again please do not attach any logs. Just copy and paste them into your reply.

Please delete your copy of ComboFix, download the latest version from here, and save it to your Desktop. Do not run it yet.

Next, please open Notepad - don't use any other text editor than notepad or the script will fail.

Copy/paste the text in the box below into Notepad:

Driver::
MEMSWEEP2
File::
c:\windows\system32\B5A5.tmp
c:\windows\system32\6C26.tmp
c:\windows\system32\3F52.tmp
c:\windows\system32\8527.tmp
c:\windows\system32\250C.tmp

Save this as CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScriptB-4.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new DDS log.

  • Download the file TDSSKiller.zip and extract it into a folder on the infected PC.
  • Execute the file TDSSKiller.exe by double-clicking on it.
  • Wait for the scan and disinfection process to be over.
  • When its work is over, the utility prompts for a reboot to complete the disinfection.

By default, the utility outputs runtime log into the system disk root directory (the disk where the operating system is installed, C:\ as a rule).

The log is like UtilityName.Version_Date_Time_log.txt.

For example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt.

Please post that log here.

-screen317


Hi Screen,

Again thanks for the help.

I apologize for attaching the logs formerly. I didn't understand your instructions.

I fully intend to follow your suggestions above. However, I noticed this thread:

http://forums.malwarebytes.org/index.php?showtopic=94488

It never got resolved because the user dropped out of the thread... but this is the exact same problem I am experiencing.

I actually restored one of the files that MBAM said was stolen to have a look, and it is a file generated by Boilsoft's apps. For some weird reason, each time you run the program it saves a file in the C:\Users\xxx\AppData\Roaming folder with a randomly generated name. As far as I can tell it doesn't ever clean up these files.

My guess is that the encoded hex is showing up as something that it isn't to MBAM. Maybe I'm wrong.

Here is an example of the text of one of the files that MBAM thought was stolen:

[trprofile_r]
appid = 9a31f3ba-add0-4d60-ae4a-7be28c20ab9c,49f7ed894486834818e4e73ecf4f362dcedfd30ac39d4b9219406b68216c0840f6b8a7ae3dd1084d85bcf4a46c7368fd815fb6d470d813a08685d7b91f542977d4cc68f63d65e8dae1e9ec10748e7eedfebe85415a13acf41888eace3e1ebaf2e5b041092f2082776d3a3349b7d488f0f4e0d72e157c84159188cb6702dfb212
logo = Boilsoft,50cafad4926394aac8ffe2ef416d8eddfc8651114a4831a41a71fce9a7faeca27d8baacb50bdeab8a097ea3ff3b3c39c288e08e695b2d9e921834f48772759e1e32709bfd02c68b960bf0d7ce01fccbd89c517519baab4c4657b5adf7f8a6d720528b4764ce0adb6fee7c175659d4f9ec0f7179f70d08b9749965c5c0b742de6
app = Boilsoft Video Splitter,a1988489b6d5140eaf2d38bff29b0d005c9fe56f10ca281c93f575712b1234c52702f15c68ead357aff810e2c13d8e5e736f7496e404f84d4d1a8c64d85b8204bf5512f96a42b375d489c6b8e8e022189d296fed2cf7b8388261d5b42a2afa9cf2dc62eecee8307646a08d8dce92253a6e2fa121e716d8fa3dcbeb3bc628dec5
url = http://www.boilsoft.com,9281bd18b3f37ed530587848a4a248cabb33b37ba845e8563cb53b9fa33404f5c097ed97e5eb8b099b5e93fb33e84ab85c67181ba270fcef9e534dfcc86cab58c7f1406872b5f67de617f45118b98402d91c979cf1cfd87bf7e4e878a85d79304fb23f7897562b47ed4eb4761ffd85a76995dca43bc679b2ff751f0e2976e18b
buyurl = http://www.boilsoft.com/buy.html,a7e17f1c17d724494e4e63847ae49757a7bfbb5a40ae6c98bde005088e86f00e78d19a42d2b45598c8b7074bbbf53075cdc32f908a85dfc58e4c22fc090199c83f5f5a0c26d3e86fa1c3c0d27a46778783cadf00e3390ae75617eb6ff8532ebdc0e14605221a0d31df5bc9bcece2500687ade8e912aab10f832ce11922376e3a
support_email = support@boilsoft.com,aab18e6b1b2ad6618bfe203be44e807964dbd9c02e18df1c801f0d81d5e3788ca0b7c72b1a2dc193660215cf4e68a44cef290ddf0c92051385bb7d5428bc51949f781ccf2ec4148e5433ee8c5567cbfebb3567662f37b06265a88b179ac4cba4ab1f00a18e0521511f1cf58356b1c3d46ba6dd3d0069d25db54370892df0bdc9
company=Boilsoft,50cafad4926394aac8ffe2ef416d8eddfc8651114a4831a41a71fce9a7faeca27d8baacb50bdeab8a097ea3ff3b3c39c288e08e695b2d9e921834f48772759e1e32709bfd02c68b960bf0d7ce01fccbd89c517519baab4c4657b5adf7f8a6d720528b4764ce0adb6fee7c175659d4f9ec0f7179f70d08b9749965c5c0b742de6
#keyfeature = 3gp|mp4,a3a07ff39eceee3ac2624fd92e94cf873529550aace67d30e2bdb52369458c4dc2cd417c501cd9288719cc6e549c669f75daa401017ba269b1f329fb37e2cab5330c1c816a213a06f051f970712e478583cd2b81339ff7f1e82725d6337e97371ec8d6a044e8eb74ca22ddea98e25c92d74d719679b42ba974e7ead7bbb073ea

Before I go doing more ComboFixing to my system, I just wanted to confirm that this isn't a false positive.

Thanks Again.

Joe
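One way to triage these detections before deleting anything, as an added example that is not from the thread, from Malwarebytes or from Boilsoft: it parses the [trprofile_r] layout Joe posted (each value a plain label, a comma, then a hex blob) and marks randomly named Roaming files that match it as probable Boilsoft residue for review. The sample text, the short hex blobs and the seven-hex-character file-name pattern are assumptions constructed for the example.

```python
# Added example (not Malwarebytes' or Boilsoft's code): triage the Stolen.Data
# hits from this thread by checking whether a flagged Roaming file has the
# [trprofile_r] layout Joe posted. Sample text and name pattern are constructed.
import re
from pathlib import Path

HEX_RE = re.compile(r"^[0-9a-f]+$")
RANDOM_NAME_RE = re.compile(r"^[0-9a-f]{7}$")   # e.g. 43da908, 6186b83 (names from the log)
SECTION = "[trprofile_r]"
EXPECTED_KEYS = {"appid", "logo", "app", "url", "buyurl", "support_email", "company"}
SAMPLE_PROFILE = """[trprofile_r]
appid = 9a31f3ba-add0-4d60-ae4a-7be28c20ab9c,0a1b2c3d4e5f
logo = Boilsoft,00ff00ff
app = Boilsoft Video Splitter,deadbeef
url = http://www.boilsoft.com,c0ffee00
buyurl = http://www.boilsoft.com/buy.html,0badf00d
support_email = support@boilsoft.com,facefeed
company=Boilsoft,00ff00ff
#keyfeature = 3gp|mp4,cafebabe
"""  # constructed stand-in with shortened hex blobs

def parse_profile(text: str) -> dict:
    """Map key -> (label, hex_blob); '#' comment lines and section headers are skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#[":
            continue
        key, sep, value = line.partition("=")
        label, comma, blob = value.rpartition(",")   # label may contain spaces, never a comma
        if sep and comma:
            entries[key.strip()] = (label.strip(), blob.strip().lower())
    return entries

def looks_like_boilsoft_profile(text: str) -> bool:
    """True only if the section header, every expected key and hex-only blobs are present."""
    if SECTION not in text:
        return False
    entries = parse_profile(text)
    if not EXPECTED_KEYS.issubset(entries):
        return False
    return all(HEX_RE.match(blob) and len(blob) % 2 == 0 for _, blob in entries.values())

def triage(roaming: Path) -> dict:   # verdict per randomly named file in a Roaming folder
    verdicts = {}
    for p in roaming.iterdir():
        if p.is_file() and RANDOM_NAME_RE.match(p.name):
            body = p.read_text(errors="replace")
            verdicts[p.name] = "boilsoft-profile" if looks_like_boilsoft_profile(body) else "review-manually"
    return verdicts
```

Run `triage(Path.home() / "AppData" / "Roaming")` on the affected user profile; a "boilsoft-profile" verdict says the file has the same shape as the one Joe recovered, and anything else still needs a manual look.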

  • Staff

Glad we could help. :)

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
