STOLEN FILES folder on desktop

Well I had a rather unpleasant occurance half an hour ago. I was playing a game (in full screen) for about an hour. When I came back to my desktop, I had that STOLEN FILES folder (in capitals) appeared from nowhere! The folder contained a copy of contents of my default FireFox download folder which included some pics, Look'n'Stop trial version, GreenBorder trial (installations), RVM integrator, some XLS, and other pretty harmless stuff (no cracks and nothing illegal or of adult nature).
Now, as I use Outpost Firewall Pro and as I know that it has that entertainment mode in which it blocks "mostly all" traffic and processes by default when you are using application in full screen, my surprise is even bigger. Isn't Outpost supposed to stop that kind of actions? Or if not Outpost than at least SSM free which I alsp use. I don't scan my system for malware every day, but it so happened that last night I did, with SAS and with Avira (both free versions). SAS found some usual tracking cookies, but nothing more. This is so strange to me, cause I've NEVER been infected with any malware in 10 years of my internet experience. Or maybe just this whole mishappen doesn't have to do anything with security software or malware at all. The thing is, I just wanna know how the hack that happened?! I've seen nothing even remotely similar. The only thing I changed recently (in a few months) on my system is installing BitComet 0.84 (latest) torrent client yesterday. Maybe I am posting at the wrong forum as this may not even be a security issue, but I stumbled upon Wilders a couple of weeks ago, and I found plenty of answers here already without even having the need to post a thread, so I was thinking that maybe someone of you good people around here might have some logical answer. So ladies and gentlemen, anyone with any clue? Thanks in advance...

 

Hi Ron.

Thanks again for reply. As a matter of fact now that I'm reading that thread you sent me I remember that I somehow stumbled upon it a week or two ago (the Dror Shalev's name rings a bell). I remember that I read it very briefly so I might have missed the mention of stolen files (and I did). Anyhow, now that you cleared this up for me, my lesson is that if I start to read something that I should also finish reading it.
Nevertheless I'm still puzzled though, because I didn't even install greenborder, hell I didn't even touched the installlation file I downloaded; like I said in my previous post, the only new app on my system was BitComet. Hm...
BTW, that thread was relatively recent. Is GreenBorder still in beta? Doesn't say so on the site...

Cheers!

 

Hello again Ron.

Obviously BitComet is not the culprit, I've been using it for over a year now, and works flawles with me. As for that GreenBorder.com tests... strange stuff indeed. I didn't expect the test to write on my desktop. And it didn't at first, that stolen files folder appeared 15-20 mins after the test. Well I thought that I could just dl their sandbox app and play with it on my test box for a while. Which I think I'll do anyway. Thanks for help Ron, I will not bother you with this anymore. See ya...

 

The SEER:
- GreenBorder creates a STOLEN FILES folder on your desktop if you elect to have them scan your machine from their website, regardless of whether you install GreenBorder software. How long it takes depends on a number of things, not the least of which is how many files fit that category!
- I also seem to recall that the scan works only with IE, not with FireFox...

 

I can give the definitive answer to this question, as I submitted a ticket to Greenborder, regarding this matter and their reply (and I quote) "you can safely delete this file it is a copy of your my documents folder, and is created to show the files that can be read from your browser" Hope this helps.
Regards.
Slightlyoffcentre.

 

mshta.exe is a part of Microsoft Windows Operating System which is needed to execute .HTA files in much the same way as wscript.exe fires up .VBS files, both of which are easily opened up in notepad to review or set code/instructions. (including copying files/directory).

You could use Script Sentry to ALERT & BLOCK actions these attempt. At least it gives the end-user a fighting chance to see what's launching and why.

There are other script blockers too which might be suggested but this the one i used for years with no problems. Pro XP (SP1)

 

Out of curiosity I also ran this test - which requires you to download and then run the .hta file. I used my download manager to run it (GetRight) at which point SSM prompted advising that it was trying to start mshta.exe. If you just doubleclick the file (causing explorer.exe to run it) then you will probably have an SSM rule allowing this (see below).

SSM then prompted that mshta.exe was attempting network access (first to loopback, 127.0.0.1, then to my DNS server) which I chose to block (had I allowed this, Outpost should then have intervened - I have tightened its rules considerably from the default though). Outpost then gave an AntiLeak prompt for mshta attempting to run Opera (my default browser) which I blocked.

Net result - a STOLEN FILES folder on my desktop with nothing in it.

Mshta is not something that can be blocked completely since Control Panel's Add/Remove Programs option uses it and this also means having to allow Windows Explorer to run it. However you can limit its (ab)use by setting the "Check command line parameters" option in SSM for it as detailed here (Add/Remove Programs uses mshta with the res://sp3res.dll/default.hta on my system so allowing this only should suffice - with this set, doubleclicking on GreenBorder's .hta script or anyone else's will result in a new SSM prompt).

This test does highlight the obstacles that Microsoft seem to throw up in the way of those wishing to secure their systems (this problem stemming from their integration of Internet Explorer with the Windows shell and the subsequent desire to "HTML"-ise everything) and it also shows that mshta.exe needs to be treated with the same caution as the likes of rundll32, cmd, etc. My own settings for mshta were too lax in this regard so they have now been tightened.

 

I couldn't be happier after reading that review AND results, thanks Paranoid2000 for giving it attention.

Seems i ran into an issue once where the Mshta file was either corrupted or otherwise disabled and like a chain of events disabled those other features explorer usually opened like you just explained.

Scripts have always been just as powerful as applications from what i seen of them. I used to tinker quite a bit with .vbs files till at one point i had almost fully automated all kind of tasks AND ON A SCHEDULE strictly thru the use of windows scripting host. I found on XP you still can to a point.