Bitcoin Forum
Author Topic: Be careful about Viruses!  (Read 2508 times)
badam
Hero Member
Activity: 770
Merit: 500
July 16, 2015, 01:49:39 PM
#21

So i did a scan too and i have none of your infections, so you should be more than sure that your infection has nothing to do with shrooms wallet. You got infected by something else.

Code:
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 1
Trojan.MSIL.Dropper, C:\Users\x\Downloads\papercoin-qt.rar, , [6f04657dcebc61d56d45655a3ac730d0],

Physical Sectors: 0
(No malicious items detected)


(end)

I am having an infected wallet but i know about that lol, i was just lazy to delete it
8-bit-Party
Legendary
Activity: 1036
Merit: 1000
8b 16b DEMOSCENE FTW
July 16, 2015, 01:57:40 PM
#22


First of all you should make sure you have the same versions of the wallet. Second, comparing scans proves nothing since the malware might not be activated yet.
Third, even if your PC is infected it does not mean that the infection has been made by the mentioned wallet nor that the mentioned wallet contains malware nor that the mentioned wallet did not make your coins disappear. Like I said, stealing coins from a running wallet is pretty easy if the user is not a smart one and there's no way to detect it using a non-cryptocurrency-aware antivirus.



8-BIT PARTY 16-BIT PARTY DEMOSCENE FTW
trader19 (OP)
Legendary
Activity: 1232
Merit: 1001
July 16, 2015, 02:02:07 PM
#23


Quote from: 8-bit-Party on July 16, 2015, 01:57:40 PM
First of all you should make sure you have the same versions of the wallet. Second, comparing scans proves nothing since the malware might not be activated yet.
Third, even if your PC is infected it does not mean that the infection has been made by the mentioned wallet nor that the mentioned wallet contains malware nor that the mentioned wallet did not make your coins disappear. Like I said, stealing coins from a running wallet is pretty easy if the user is not a smart one and there's no way to detect it using a non-cryptocurrency-aware antivirus.



thanks, still trying to find the source but it is not easy as i already deleted the infection.

Join the Elastic revolution!  Elastic - The Decentralized Supercomputer
ELASTIC WEBSITE | NEW ANNOUNCEMENT THREAD | ELASTIC SLACK | ELASTIC FORUM
8-bit-Party
Legendary
Activity: 1036
Merit: 1000
8b 16b DEMOSCENE FTW
July 16, 2015, 02:11:35 PM
#24

If you still have the original suspected binary, run it within a virtual environment (I don't think a sandbox will give enough safety), get Process Explorer, find the wallet process, go to its properties, find "Strings/Memory" and publish it.

8-BIT PARTY 16-BIT PARTY DEMOSCENE FTW
jc12345
Legendary
Activity: 1638
Merit: 1013
July 16, 2015, 02:16:33 PM
#25

I compared the binary at release and the one now and they have the same hashes. Can you post the hashes of the binary that you installed?
bathrobehero
Legendary
Activity: 2002
Merit: 1051
ICO? Not even once.
July 16, 2015, 02:19:58 PM
#26

You can track what (file/registry) changes a wallet does with Sandboxie using SandboxDiff. To avoid a wallet link switcheroo which seems to be usual, if you send me your downloaded wallet in pm I can post a log tomorrow as I have to run now.

Not your keys, not your coins!
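The before/after comparison bathrobehero describes (run the wallet, then diff the file system state) as an added Python example; this is not code from the thread or from Sandboxie/SandboxDiff, and the directory layout, file names and the `AppData/Roaming/WALLET` data directory are constructed for the demo.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file under root (relative, '/'-separated) to its SHA-256."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            state[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return state


def diff_snapshots(before, after):
    """Return sorted (added, removed, modified) path lists, like a SandboxDiff report."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(p for p in before.keys() & after.keys() if before[p] != after[p])
    return added, removed, modified


def outside_data_dir(added, data_dir):
    """Added files outside the program's expected data dir: what deserves a closer look."""
    prefix = data_dir.rstrip("/") + "/"
    return [p for p in added if not p.startswith(prefix)]


def demo():
    """Constructed scenario: a wallet creates its data dir, appends to a config, drops an .exe."""
    with tempfile.TemporaryDirectory() as root:
        roaming = os.path.join(root, "AppData", "Roaming")
        os.makedirs(roaming)
        with open(os.path.join(roaming, "existing.ini"), "w") as fh:
            fh.write("a=1\n")
        before = snapshot(root)
        wallet = os.path.join(roaming, "WALLET")      # simulate the program running
        os.makedirs(wallet)
        for name in ("wallet.dat", "peers.dat", "debug.log"):
            open(os.path.join(wallet, name), "wb").close()
        with open(os.path.join(roaming, "existing.ini"), "a") as fh:
            fh.write("b=2\n")
        with open(os.path.join(roaming, "unexpected.exe"), "wb") as fh:
            fh.write(b"MZ")
        added, removed, modified = diff_snapshots(before, snapshot(root))
        return added, removed, modified, outside_data_dir(added, "AppData/Roaming/WALLET")
```

Calling `demo()` returns the four lists; in a real run you would take the two snapshots around the suspect binary instead of the simulated writes.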
badam
Hero Member
Activity: 770
Merit: 500
July 16, 2015, 03:18:20 PM
#27

Don't you have EA wallet installed? It was just confirmed that it has wallet stealer virus
trader19 (OP)
Legendary
Activity: 1232
Merit: 1001
July 16, 2015, 04:37:17 PM
#28

looks like i had RAT spyware installed long before yesterday. from logs i find it's refog keylogger, don't ask me how av didn't block it. idk
https://www.raymond.cc/blog/how-to-uninstall-refog-keylogger-without-knowing-master-password/
still investigating, so be paranoid about new wallets.

Join the Elastic revolution!  Elastic - The Decentralized Supercomputer
ELASTIC WEBSITE | NEW ANNOUNCEMENT THREAD | ELASTIC SLACK | ELASTIC FORUM
trader19 (OP)
Legendary
Activity: 1232
Merit: 1001
July 16, 2015, 04:41:09 PM
#29

Quote from: badam on July 16, 2015, 03:18:20 PM
Don't you have EA wallet installed? It was just confirmed that it has wallet stealer virus
EA? no i don't think so. i have a bunch of wallet installed, hard to say which one installed spyware.

Join the Elastic revolution!  Elastic - The Decentralized Supercomputer
ELASTIC WEBSITE | NEW ANNOUNCEMENT THREAD | ELASTIC SLACK | ELASTIC FORUM
Woody20285
Legendary
Activity: 1218
Merit: 1002
Supporting DMD, ERC & PIO
July 16, 2015, 11:55:11 PM
#30

dclog in roaming is a keylogger
you need - an anti-keylogger

Key scrambler was created specifically to counter
crypto wallet unlocks. Very cheap.

Vegas has a theft and approached this security company to create it
(he has no interest) but, did post on another coin after finding a keylogger on
his system that was unsuccessful due to KeyScrambler.
andyatcrux
Legendary
Activity: 938
Merit: 1000
July 17, 2015, 12:28:58 AM
#31

Quote from: Woody20285 on July 16, 2015, 11:55:11 PM
dclog in roaming is a keylogger
you need - an anti-keylogger

Key scrambler was created specifically to counter
crypto wallet unlocks. Very cheap.

Vegas has a theft and approached this security company to create it
(he has no interest) but, did post on another coin after finding a keylogger on
his system that was unsuccessful due to KeyScrambler.

Piriform's free anti-logger is good too. Everyone should at least be using that lightweight client.
powerfull
Sr. Member
Activity: 249
Merit: 250
July 17, 2015, 09:26:08 AM
#32

today i got all my Crave stolen and M1 too. yesterday i downloaded two wallets, NOC (Nocturna) and SHRM (SHROOMS); i scanned both at Virustotal but it looks like the infected wallet is fully undetected by antiviruses. so be careful with these new coins.
After posting in SHROOMS thread about it my post got deleted so i assume SHROOMS wallet is infected.

Code:
Registrierungsschlüssel: 3
Backdoor.Agent.MSC, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WIN32.EXE, , [1e532fb3e2a879bd8d1105416f947f81],
Backdoor.Agent.MSC, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WIN32.EXE, , [1e532fb3e2a879bd8d1105416f947f81],
Malware.Trace, HKU\S-1-5-21-3263657515-926084177-3591563880-1001\SOFTWARE\DC3_FEXEC, , [71000bd72169f83e79f88b62877c47b9],

Registrierungswerte: 1
PUP.Vulnerable.DellSystemDetect, HKU\S-1-5-21-3263657515-926084177-3591563880-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|DellSystemDetect, C:\Users\0\AppData\Local\Apps\2.0\CWDABVX1.PTA\JEY57068.PLT\dell..tion_e30b47f5d4a30e9e_0005.000d_4ab2a66cfade09be\DellSystemDetect.exe, , [3041ffe311798da93956bf48778c15eb]

Registrierungsdaten: 0
(keine bösartigen Elemente erkannt)

Ordner: 6
Stolen.Data, C:\Users\0\AppData\Roaming\dclogs, , [f978ba284d3d5fd79a3c47d431d3d22e],
Refog.Keylogger, C:\ProgramData\MPK, , [adc40fd34a403cfa34f2744fba4852ae],
Refog.Keylogger, C:\Windows\SysWOW64\MPK, , [fe73dc061f6b84b2e09c329bca38dc24],
Refog.Keylogger, C:\Windows\SysWOW64\MPK\Help, , [fe73dc061f6b84b2e09c329bca38dc24],
Refog.Keylogger, C:\Windows\SysWOW64\MPK\Help\German, , [fe73dc061f6b84b2e09c329bca38dc24],
Refog.Keylogger, C:\Windows\SysWOW64\MPK\Images, , [fe73dc061f6b84b2e09c329bca38dc24],

Dateien: 41
Backdoor.Bot, C:\ProgramData\Nimoru\GizmoSE, , [d29fe4fe701a4bebf24e165c6b9760a0],
Backdoor.Bot, C:\ProgramData\Nimoru\LicenseSE, , [6b06c51dc4c637ffe1607cf6689a17e9],
Trojan.BitcoinMiner, C:\Users\0\Downloads\CHC-cpuminer.zip, , [0d6405dd9af04fe7508127f4738eb54b],
Misused.Legit.AI, C:\Users\0\FJQIH\Autoit3132605.exe, , [bbb603dfe6a42b0bdecae33415ec53ad],
Misused.Legit.AI, C:\Users\0\FPLXT\AutoIt3-477747.exe, , [93de875b2e5ce55100a8ee29c041f60a],
Misused.Legit.AI, C:\Users\0\GBHHS\423830.exe, , [2a47736f5e2c73c3f2b633e4778ad729],
Misused.Legit.AI, C:\Users\0\IXXER\Autoit3361205.exe, , [f081677b5436ad891c8c6fa82ed302fe],
Misused.Legit.AI, C:\Users\0\PJFOQ\AutoIt3-317477.exe, , [18594999d1b994a24365090e68994cb4],
Misused.Legit.AI, C:\Users\0\PJYSH\AutoIt3-476488.exe, , [5c1531b14e3c8caa4a5ef225eb163ac6],
Misused.Legit.AI, C:\Users\0\PLNYL\AutoIt3-674095.exe, , [3b369a48fd8da78f08a06cab48b9cd33],
Misused.Legit.AI, C:\Users\0\QFBWN\AutoIt3-980556.exe, , [b6bbf6ec0387c0768d1b01165aa72ed2],
Misused.Legit.AI, C:\Users\0\RQABW\AutoIt3-305714.exe, , [ea8701e19ceecb6b9216bf58ac55659b],
Misused.Legit.AI, C:\Users\0\RWTPS\Autoit3799481.exe, , [4e23746e4b3f68ce93150d0afb065ba5],
Misused.Legit.AI, C:\Users\0\SARQB\Autoit3632787.exe, , [cca53ea497f3d2648721cd4aa75a45bb],
Misused.Legit.AI, C:\Users\0\SYMIW\Autoit3346420.exe, , [0a674f93b9d11f1744643ed9a65bd32d],
Misused.Legit.AI, C:\Users\0\SZCXS\70252.exe, , [462b3ea4c1c9ae881197d641ba47e917],
Misused.Legit.AI, C:\Users\0\UNQRL\Autoit3823165.exe, , [a5ccb9291d6d62d47b2dc3548d741ee2],
Misused.Legit.AI, C:\Users\0\UVZMS\Autoit3356564.exe, , [4d24875b2367a3931593be5940c1f10f],
Misused.Legit.AI, C:\Users\0\VFAIT\AutoIt3-233913.exe, , [343d9b4773170e288d1b59be48b9ba46],
Misused.Legit.AI, C:\Users\0\VNZZZ\Autoit3.214789.exe, , [71003aa88efcd561f9af1afd49b89e62],
Misused.Legit.AI, C:\Users\0\WEELT\Autoit3931513.exe, , [fc75657d7614dd594f5914034db4916f],
Misused.Legit.AI, C:\Users\0\WUZEP\AutoIt3-727504.exe, , [056c6c76404a0b2b099f63b4ce3320e0],
Misused.Legit.AI, C:\Users\0\YAHBI\Autoit3.432573.exe, , [7ff2ebf7e8a24de9505844d310f12dd3],
Misused.Legit.AI, C:\Users\0\YATOB\AutoIt3-72795.exe, , [d0a17270503ade58a404a275ef128080],
Misused.Legit.AI, C:\Users\0\ZKONP\AutoIt3-297516.exe, , [b1c0c61ca2e8dd591c8c5dba31d027d9],
Misused.Legit.AI, C:\Users\0\ZOQJQ\Autoit3862269.exe, , [76fb4b972d5d54e2565225f2c93858a8],
Misused.Legit.AI, C:\Users\0\NVWPL\Autoit333863.exe, , [beb35989ff8b63d300a8eb2c2cd56f91],
Misused.Legit.AI, C:\Users\0\NYMDT\Autoit3120957.exe, , [8ee3c41ea4e641f5e8c0ff185aa7ee12],
Misused.Legit.AI, C:\Users\0\OTCOG\AutoIt3-466746.exe, , [d0a180628703082e466250c789789967],
Misused.Legit.AI, C:\Users\0\JDHDW\Autoit3441978.exe, , [d29f4999ccbe1d190a9ec354e31e7c84],
Misused.Legit.AI, C:\Users\0\JSUGS\AutoIt3-306080.exe, , [343d1ac8e8a2f442990f0116c14047b9],
Misused.Legit.AI, C:\Users\0\KDYGY\AutoIt3-927653.exe, , [650cc61c4b3f3cfa4068c84fbd447c84],
Misused.Legit.AI, C:\Users\0\KMWRG\AutoIt3-993025.exe, , [620fc41e8505d165adfb1601ce3342be],
Misused.Legit.AI, C:\Users\0\KNLWO\AutoIt3-895236.exe, , [cca5d01289013204e2c693844fb28c74],
Misused.Legit.AI, C:\Users\0\KSVTO\AutoIt3-166262.exe, , [1e53f8ea9af0a195d8d0dd3ad22fd22e],
Misused.Legit.AI, C:\Users\0\LXVTT\AutoIt3-444060.exe, , [91e0b929cac066d0693f080fde23639d],
Misused.Legit.AI, C:\Users\0\BPVJQ\AutoIt3-60029.exe, , [f77a687af89238fea0082cebde233ac6],
Misused.Legit.AI, C:\Users\0\DCJRG\AutoIt3-791889.exe, , [066be7fb9feb61d523850b0cd42d4fb1],
Misused.Legit.AI, C:\Users\0\DINIH\Autoit3750382.exe, , [e190647e3e4c082eadfb72a5fd047789],
Backdoor.Agent.MSC, C:\Windows\SysWOW64\Windows Services\win32.exe, , [1e532fb3e2a879bd8d1105416f947f81],
Stolen.Data, C:\Users\0\AppData\Roaming\dclogs\2013-12-19-5.dc, , [f978ba284d3d5fd79a3c47d431d3d22e],

Physische Sektoren: 0
(keine bösartigen Elemente erkannt)


(end)


thank you for warning.
bathrobehero
Legendary
Activity: 2002
Merit: 1051
ICO? Not even once.
July 17, 2015, 04:36:49 PM
#33

https://mega.co.nz/#!sUIQhCrZ!ZpHNYTqjkg7hzehHiWaNzAXZky6Acb6xUev19AWoYYk

File changes:
Quote
> <sandbox>\user\all\boost_interprocess\SHROOMSURI
3122a3124,3136
> <sandbox>\user\current\AppData\Roaming\SHROOMS\.lock
> <sandbox>\user\current\AppData\Roaming\SHROOMS\blk0001.dat
> <sandbox>\user\current\AppData\Roaming\SHROOMS\db.log
> <sandbox>\user\current\AppData\Roaming\SHROOMS\debug.log
> <sandbox>\user\current\AppData\Roaming\SHROOMS\peers.dat
> <sandbox>\user\current\AppData\Roaming\SHROOMS\wallet.dat
> <sandbox>\user\current\AppData\Roaming\SHROOMS\database\log.0000000001
> <sandbox>\user\current\AppData\Roaming\SHROOMS\txleveldb\000004.log
> <sandbox>\user\current\AppData\Roaming\SHROOMS\txleveldb\000005.sst
> <sandbox>\user\current\AppData\Roaming\SHROOMS\txleveldb\CURRENT
> <sandbox>\user\current\AppData\Roaming\SHROOMS\txleveldb\LOCK
> <sandbox>\user\current\AppData\Roaming\SHROOMS\txleveldb\LOG
> <sandbox>\user\current\AppData\Roaming\SHROOMS\txleveldb\MANIFEST-000002

Registry changes:

Quote
Windows Registry Editor Version 5.00

[user\current\software\SHROOMS]

[user\current\software\SHROOMS\SHROOMS-Qt]

[user\current\software\SHROOMS\SHROOMS-Qt\settings]
"rootpath"="<path>"
"port"="5566"
"username"="admin"
"password"="qt"
"anonymous"="false"
"readonly"="false"
"oneip"="false"

[user\current_classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"<path>\shroom.exe"="SHROOMS-Qt (OSS GUI client for SHROOMS)"


Not sure what the username/password part is about but these were all the changes the wallet created.

Edit: Looks like those reg keys are for an FTP server? https://code.google.com/p/qt-ftp-server/source/browse/mainwindow.cpp#120

Not your keys, not your coins!
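An added example (not from the thread or from SandboxDiff) of what to do with a registry diff like the one above: parse the `Windows Registry Editor Version 5.00` export and flag any key that pairs a `port` with credentials or access toggles, which is how the embedded FTP-server settings with `admin`/`qt` stand out. The sample export is constructed from the values posted above with sandbox-relative hive names; the function names are mine.

```python
import re

# Constructed sample in Windows Registry Editor 5.00 export format, modelled on
# the sandbox registry diff posted in this thread (sandbox-relative hive names).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[user\current\software\SHROOMS\SHROOMS-Qt\settings]
"rootpath"="<path>"
"port"="5566"
"username"="admin"
"password"="qt"
"anonymous"="false"
"readonly"="false"

[user\current_classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"<path>\shroom.exe"="SHROOMS-Qt (OSS GUI client for SHROOMS)"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"="string"  or  "name"=dword:xxxxxxxx  (hex(...) multi-line values are skipped)
VALUE_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, string, dword = m.groups()
            keys[current][name] = string if string is not None else int(dword, 16)
    return keys


def find_service_settings(keys):
    """Flag keys that look like a network service config: a port alongside
    credentials or access toggles. Returns (key_path, port, username, password)."""
    hits = []
    for path, values in keys.items():
        lower = {n.lower(): v for n, v in values.items()}
        if "port" in lower and lower.keys() & {"password", "username", "anonymous"}:
            hits.append((path, lower["port"], lower.get("username"), lower.get("password")))
    return hits
```

Run `find_service_settings(parse_reg(SAMPLE_REG))` against a real diff exported with `reg export`; the MuiCache entry is parsed but not flagged, since it carries no port or credential.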
trader19 (OP)
Legendary
Activity: 1232
Merit: 1001
July 18, 2015, 04:30:55 PM
Last edit: July 18, 2015, 05:29:41 PM by trader19
#34

Quote from: bathrobehero on July 17, 2015, 04:36:49 PM
ty for looking into it, looks like i was infected for some time now so the wallets look clean. i am closing this case, don't be naive like i am and download any shit wallet just because everybody is mining and hyping. thanks for your time.

Join the Elastic revolution!  Elastic - The Decentralized Supercomputer
ELASTIC WEBSITE | NEW ANNOUNCEMENT THREAD | ELASTIC SLACK | ELASTIC FORUM