trader19 (OP)
Legendary
Offline
Activity: 1232
Merit: 1001
July 16, 2015, 12:01:52 PM Last edit: July 16, 2015, 01:50:38 PM by trader19

today i got all my Crave stolen and M1 too, yesterday i downloaded two wallets NOC (Nocturna) and SHRM (SHROOMS), i scanned both at Virustotal but it looks like the infected wallet is fully undetected by antiviruses. so be careful with these new coins. After posting in the SHROOMS thread about it my post got deleted so i assume the SHROOMS wallet is infected.

Registrierungsschlüssel: 3
Backdoor.Agent.MSC, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WIN32.EXE, , [1e532fb3e2a879bd8d1105416f947f81],
Backdoor.Agent.MSC, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WIN32.EXE, , [1e532fb3e2a879bd8d1105416f947f81],
Malware.Trace, HKU\S-1-5-21-3263657515-926084177-3591563880-1001\SOFTWARE\DC3_FEXEC, , [71000bd72169f83e79f88b62877c47b9],

Registrierungswerte: 1
PUP.Vulnerable.DellSystemDetect, HKU\S-1-5-21-3263657515-926084177-3591563880-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|DellSystemDetect, C:\Users\0\AppData\Local\Apps\2.0\CWDABVX1.PTA\JEY57068.PLT\dell..tion_e30b47f5d4a30e9e_0005.000d_4ab2a66cfade09be\DellSystemDetect.exe, , [3041ffe311798da93956bf48778c15eb]

Registrierungsdaten: 0 (keine bösartigen Elemente erkannt)

Ordner: 6
Stolen.Data, C:\Users\0\AppData\Roaming\dclogs, , [f978ba284d3d5fd79a3c47d431d3d22e],
Refog.Keylogger, C:\ProgramData\MPK, , [adc40fd34a403cfa34f2744fba4852ae],
Refog.Keylogger, C:\Windows\SysWOW64\MPK, , [fe73dc061f6b84b2e09c329bca38dc24],
Refog.Keylogger, C:\Windows\SysWOW64\MPK\Help, , [fe73dc061f6b84b2e09c329bca38dc24],
Refog.Keylogger, C:\Windows\SysWOW64\MPK\Help\German, , [fe73dc061f6b84b2e09c329bca38dc24],
Refog.Keylogger, C:\Windows\SysWOW64\MPK\Images, , [fe73dc061f6b84b2e09c329bca38dc24],

Dateien: 41
Backdoor.Bot, C:\ProgramData\Nimoru\GizmoSE, , [d29fe4fe701a4bebf24e165c6b9760a0],
Backdoor.Bot, C:\ProgramData\Nimoru\LicenseSE, , [6b06c51dc4c637ffe1607cf6689a17e9],
Trojan.BitcoinMiner, C:\Users\0\Downloads\CHC-cpuminer.zip, , [0d6405dd9af04fe7508127f4738eb54b],
Misused.Legit.AI, C:\Users\0\FJQIH\Autoit3132605.exe, , [bbb603dfe6a42b0bdecae33415ec53ad],
Misused.Legit.AI, C:\Users\0\FPLXT\AutoIt3-477747.exe, , [93de875b2e5ce55100a8ee29c041f60a],
Misused.Legit.AI, C:\Users\0\GBHHS\423830.exe, , [2a47736f5e2c73c3f2b633e4778ad729],
Misused.Legit.AI, C:\Users\0\IXXER\Autoit3361205.exe, , [f081677b5436ad891c8c6fa82ed302fe],
Misused.Legit.AI, C:\Users\0\PJFOQ\AutoIt3-317477.exe, , [18594999d1b994a24365090e68994cb4],
Misused.Legit.AI, C:\Users\0\PJYSH\AutoIt3-476488.exe, , [5c1531b14e3c8caa4a5ef225eb163ac6],
Misused.Legit.AI, C:\Users\0\PLNYL\AutoIt3-674095.exe, , [3b369a48fd8da78f08a06cab48b9cd33],
Misused.Legit.AI, C:\Users\0\QFBWN\AutoIt3-980556.exe, , [b6bbf6ec0387c0768d1b01165aa72ed2],
Misused.Legit.AI, C:\Users\0\RQABW\AutoIt3-305714.exe, , [ea8701e19ceecb6b9216bf58ac55659b],
Misused.Legit.AI, C:\Users\0\RWTPS\Autoit3799481.exe, , [4e23746e4b3f68ce93150d0afb065ba5],
Misused.Legit.AI, C:\Users\0\SARQB\Autoit3632787.exe, , [cca53ea497f3d2648721cd4aa75a45bb],
Misused.Legit.AI, C:\Users\0\SYMIW\Autoit3346420.exe, , [0a674f93b9d11f1744643ed9a65bd32d],
Misused.Legit.AI, C:\Users\0\SZCXS\70252.exe, , [462b3ea4c1c9ae881197d641ba47e917],
Misused.Legit.AI, C:\Users\0\UNQRL\Autoit3823165.exe, , [a5ccb9291d6d62d47b2dc3548d741ee2],
Misused.Legit.AI, C:\Users\0\UVZMS\Autoit3356564.exe, , [4d24875b2367a3931593be5940c1f10f],
Misused.Legit.AI, C:\Users\0\VFAIT\AutoIt3-233913.exe, , [343d9b4773170e288d1b59be48b9ba46],
Misused.Legit.AI, C:\Users\0\VNZZZ\Autoit3.214789.exe, , [71003aa88efcd561f9af1afd49b89e62],
Misused.Legit.AI, C:\Users\0\WEELT\Autoit3931513.exe, , [fc75657d7614dd594f5914034db4916f],
Misused.Legit.AI, C:\Users\0\WUZEP\AutoIt3-727504.exe, , [056c6c76404a0b2b099f63b4ce3320e0],
Misused.Legit.AI, C:\Users\0\YAHBI\Autoit3.432573.exe, , [7ff2ebf7e8a24de9505844d310f12dd3],
Misused.Legit.AI, C:\Users\0\YATOB\AutoIt3-72795.exe, , [d0a17270503ade58a404a275ef128080],
Misused.Legit.AI, C:\Users\0\ZKONP\AutoIt3-297516.exe, , [b1c0c61ca2e8dd591c8c5dba31d027d9],
Misused.Legit.AI, C:\Users\0\ZOQJQ\Autoit3862269.exe, , [76fb4b972d5d54e2565225f2c93858a8],
Misused.Legit.AI, C:\Users\0\NVWPL\Autoit333863.exe, , [beb35989ff8b63d300a8eb2c2cd56f91],
Misused.Legit.AI, C:\Users\0\NYMDT\Autoit3120957.exe, , [8ee3c41ea4e641f5e8c0ff185aa7ee12],
Misused.Legit.AI, C:\Users\0\OTCOG\AutoIt3-466746.exe, , [d0a180628703082e466250c789789967],
Misused.Legit.AI, C:\Users\0\JDHDW\Autoit3441978.exe, , [d29f4999ccbe1d190a9ec354e31e7c84],
Misused.Legit.AI, C:\Users\0\JSUGS\AutoIt3-306080.exe, , [343d1ac8e8a2f442990f0116c14047b9],
Misused.Legit.AI, C:\Users\0\KDYGY\AutoIt3-927653.exe, , [650cc61c4b3f3cfa4068c84fbd447c84],
Misused.Legit.AI, C:\Users\0\KMWRG\AutoIt3-993025.exe, , [620fc41e8505d165adfb1601ce3342be],
Misused.Legit.AI, C:\Users\0\KNLWO\AutoIt3-895236.exe, , [cca5d01289013204e2c693844fb28c74],
Misused.Legit.AI, C:\Users\0\KSVTO\AutoIt3-166262.exe, , [1e53f8ea9af0a195d8d0dd3ad22fd22e],
Misused.Legit.AI, C:\Users\0\LXVTT\AutoIt3-444060.exe, , [91e0b929cac066d0693f080fde23639d],
Misused.Legit.AI, C:\Users\0\BPVJQ\AutoIt3-60029.exe, , [f77a687af89238fea0082cebde233ac6],
Misused.Legit.AI, C:\Users\0\DCJRG\AutoIt3-791889.exe, , [066be7fb9feb61d523850b0cd42d4fb1],
Misused.Legit.AI, C:\Users\0\DINIH\Autoit3750382.exe, , [e190647e3e4c082eadfb72a5fd047789],
Backdoor.Agent.MSC, C:\Windows\SysWOW64\Windows Services\win32.exe, , [1e532fb3e2a879bd8d1105416f947f81],
Stolen.Data, C:\Users\0\AppData\Roaming\dclogs\2013-12-19-5.dc, , [f978ba284d3d5fd79a3c47d431d3d22e],

Physische Sektoren: 0 (keine bösartigen Elemente erkannt)

(end)

"If you don't want people to know you're a scumbag then don't be a scumbag." -- margaritahuyan

LordCoder
July 16, 2015, 12:02:42 PM

NOC seems legit, dunno if it's a virus or not but it's working fine.
trader19 (OP)
Legendary
Offline
Activity: 1232
Merit: 1001
July 16, 2015, 12:04:06 PM

NOC seems legit, dunno if it's a virus or not but it's working fine.
yea i think NOC is fine too, SHRM is a funky wallet, i bet it is infected.
badam
July 16, 2015, 12:07:06 PM

I don't have a Crave wallet but I've been using the Shrooms wallet without problems; also I am running an antivirus that detects any suspicious behaviour, not only known viruses, and it is not showing anything wrong. I guess the problem is somewhere else.
bathrobehero
Legendary
Offline
Activity: 2002
Merit: 1051
ICO? Not even once.
July 16, 2015, 12:09:15 PM

Never ever run wallets outside of a controlled sandbox or VM. Or run them on a throwaway OS, otherwise you're asking to get your coins and even browser data stolen.
Virustotal can't detect everything either.

Not your keys, not your coins!

B-MoneyXcan
July 16, 2015, 12:13:06 PM

The Dev seems like a pro scam artist. I took notice when his math on his coin total was wrong.
TheInfidel
July 16, 2015, 12:32:51 PM

The Dev seems like a pro scam artist. I took notice when his math on his coin total was wrong.
How is the coin total wrong? 200 * 3000 = 600,000, that's what was posted. I have run 2 separate antivirus scans, both are clean.
trader19 (OP)
Legendary
Offline
Activity: 1232
Merit: 1001
July 16, 2015, 12:39:15 PM

don't know which wallet, and if, but i got screwed. so be extra careful!!!
jc12345
Legendary
Offline
Activity: 1638
Merit: 1013
July 16, 2015, 12:48:55 PM

today i got all my Crave stolen and M1 too, yesterday i downloaded two wallets NOC (Nocturna) and SHRM (SHROOMS), i scanned both at Virustotal but it looks like the infected wallet is fully undetected by antiviruses. so be careful with these new coins. After posting in the SHROOMS thread about it my post got deleted so i assume the SHROOMS wallet is infected.
Have you considered (before blaming a wallet that is marked as clean by all the AV products on Virustotal) that it could have been other activity like bad browsing behavior or alternatively a bad wallet prior to yesterday but the attacker used the exploit only now?
rocoloko
July 16, 2015, 12:52:30 PM

It happened to me too. But it was last month. (attacker downloaded my whole hard drive and then he deleted everything) I lost around 1.2 BTC..... Now i use only exchange wallets.
I'm sending a virtual hug to you.... How much did you lose?
trader19 (OP)
Legendary
Offline
Activity: 1232
Merit: 1001
July 16, 2015, 12:57:16 PM

Have you considered (before blaming a wallet that is marked as clean by all the AV products on Virustotal) that it could have been other activity like bad browsing behavior or alternatively a bad wallet prior to yesterday but the attacker used the exploit only now?
well everything is possible.. i found it suspicious that after getting those two wallets my coins are gone, and on top of it my post got deleted from the SHROOM thread without any interaction.. anyway i am just giving fair warnings to you guys, the guy's a pro as this malware is specifically designed to search remotely for txt and .dat files to find privkeys, since my wallets are encrypted. unfortunately there was an old txt file somewhere on my hd with my privkeys. so be extra careful
trader19 (OP)
Legendary
Offline
Activity: 1232
Merit: 1001
July 16, 2015, 12:57:58 PM

It happened to me too. But it was last month. (attacker downloaded my whole hard drive and then he deleted everything) I lost around 1.2 BTC..... Now i use only exchange wallets.
I'm sending a virtual hug to you.... How much did you lose?
around 6 BTC worth of Crave at current market price..
8-bit-Party
Legendary
Offline
Activity: 1036
Merit: 1000
8b 16b DEMOSCENE FTW
July 16, 2015, 01:01:49 PM

I wonder how naive evil dev would have to be to add evil code detectable by antivirus software. Sorry folks.

8-BIT PARTY 16-BIT PARTY DEMOSCENE FTW

EmilioMann
Legendary
Offline
Activity: 2184
Merit: 1028
#mitandopelomundo
July 16, 2015, 01:04:00 PM

The more suspicious thing about shrooms is that the dev deleted all of trader19's posts talking about it without answering anything
jc12345
Legendary
Offline
Activity: 1638
Merit: 1013
July 16, 2015, 01:08:46 PM

Did you reverse engineer the wallet to know the MO? Won't you also delete posts that FUD about a virus if you were a dev? Anyone else got wallets stolen? Perhaps you should also look at any other wallets you installed recently and whether any of those were confirmed to have trojans in them by Virustotal before you blame a Virustotal-clean wallet.
trader19 (OP)
Legendary
Offline
Activity: 1232
Merit: 1001
July 16, 2015, 01:12:42 PM

checking now. if i were the dev and had nothing to hide, no, i wouldn't delete a legit question as the community would answer anyway. here is the malwarebytes analysis of my pc:

Registrierungsschlüssel: 3
Backdoor.Agent.MSC, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WIN32.EXE, , [1e532fb3e2a879bd8d1105416f947f81],
Backdoor.Agent.MSC, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WIN32.EXE, , [1e532fb3e2a879bd8d1105416f947f81],
Malware.Trace, HKU\S-1-5-21-3263657515-926084177-3591563880-1001\SOFTWARE\DC3_FEXEC, , [71000bd72169f83e79f88b62877c47b9],

Registrierungswerte: 1
PUP.Vulnerable.DellSystemDetect, HKU\S-1-5-21-3263657515-926084177-3591563880-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|DellSystemDetect, C:\Users\0\AppData\Local\Apps\2.0\CWDABVX1.PTA\JEY57068.PLT\dell..tion_e30b47f5d4a30e9e_0005.000d_4ab2a66cfade09be\DellSystemDetect.exe, , [3041ffe311798da93956bf48778c15eb]

Registrierungsdaten: 0 (keine bösartigen Elemente erkannt)

Ordner: 6
Stolen.Data, C:\Users\0\AppData\Roaming\dclogs, , [f978ba284d3d5fd79a3c47d431d3d22e],
Refog.Keylogger, C:\ProgramData\MPK, , [adc40fd34a403cfa34f2744fba4852ae],
Refog.Keylogger, C:\Windows\SysWOW64\MPK, , [fe73dc061f6b84b2e09c329bca38dc24],
Refog.Keylogger, C:\Windows\SysWOW64\MPK\Help, , [fe73dc061f6b84b2e09c329bca38dc24],
Refog.Keylogger, C:\Windows\SysWOW64\MPK\Help\German, , [fe73dc061f6b84b2e09c329bca38dc24],
Refog.Keylogger, C:\Windows\SysWOW64\MPK\Images, , [fe73dc061f6b84b2e09c329bca38dc24],

Dateien: 41
Backdoor.Bot, C:\ProgramData\Nimoru\GizmoSE, , [d29fe4fe701a4bebf24e165c6b9760a0],
Backdoor.Bot, C:\ProgramData\Nimoru\LicenseSE, , [6b06c51dc4c637ffe1607cf6689a17e9],
Trojan.BitcoinMiner, C:\Users\0\Downloads\CHC-cpuminer.zip, , [0d6405dd9af04fe7508127f4738eb54b],
Misused.Legit.AI, C:\Users\0\FJQIH\Autoit3132605.exe, , [bbb603dfe6a42b0bdecae33415ec53ad],
Misused.Legit.AI, C:\Users\0\FPLXT\AutoIt3-477747.exe, , [93de875b2e5ce55100a8ee29c041f60a],
Misused.Legit.AI, C:\Users\0\GBHHS\423830.exe, , [2a47736f5e2c73c3f2b633e4778ad729],
Misused.Legit.AI, C:\Users\0\IXXER\Autoit3361205.exe, , [f081677b5436ad891c8c6fa82ed302fe],
Misused.Legit.AI, C:\Users\0\PJFOQ\AutoIt3-317477.exe, , [18594999d1b994a24365090e68994cb4],
Misused.Legit.AI, C:\Users\0\PJYSH\AutoIt3-476488.exe, , [5c1531b14e3c8caa4a5ef225eb163ac6],
Misused.Legit.AI, C:\Users\0\PLNYL\AutoIt3-674095.exe, , [3b369a48fd8da78f08a06cab48b9cd33],
Misused.Legit.AI, C:\Users\0\QFBWN\AutoIt3-980556.exe, , [b6bbf6ec0387c0768d1b01165aa72ed2],
Misused.Legit.AI, C:\Users\0\RQABW\AutoIt3-305714.exe, , [ea8701e19ceecb6b9216bf58ac55659b],
Misused.Legit.AI, C:\Users\0\RWTPS\Autoit3799481.exe, , [4e23746e4b3f68ce93150d0afb065ba5],
Misused.Legit.AI, C:\Users\0\SARQB\Autoit3632787.exe, , [cca53ea497f3d2648721cd4aa75a45bb],
Misused.Legit.AI, C:\Users\0\SYMIW\Autoit3346420.exe, , [0a674f93b9d11f1744643ed9a65bd32d],
Misused.Legit.AI, C:\Users\0\SZCXS\70252.exe, , [462b3ea4c1c9ae881197d641ba47e917],
Misused.Legit.AI, C:\Users\0\UNQRL\Autoit3823165.exe, , [a5ccb9291d6d62d47b2dc3548d741ee2],
Misused.Legit.AI, C:\Users\0\UVZMS\Autoit3356564.exe, , [4d24875b2367a3931593be5940c1f10f],
Misused.Legit.AI, C:\Users\0\VFAIT\AutoIt3-233913.exe, , [343d9b4773170e288d1b59be48b9ba46],
Misused.Legit.AI, C:\Users\0\VNZZZ\Autoit3.214789.exe, , [71003aa88efcd561f9af1afd49b89e62],
Misused.Legit.AI, C:\Users\0\WEELT\Autoit3931513.exe, , [fc75657d7614dd594f5914034db4916f],
Misused.Legit.AI, C:\Users\0\WUZEP\AutoIt3-727504.exe, , [056c6c76404a0b2b099f63b4ce3320e0],
Misused.Legit.AI, C:\Users\0\YAHBI\Autoit3.432573.exe, , [7ff2ebf7e8a24de9505844d310f12dd3],
Misused.Legit.AI, C:\Users\0\YATOB\AutoIt3-72795.exe, , [d0a17270503ade58a404a275ef128080],
Misused.Legit.AI, C:\Users\0\ZKONP\AutoIt3-297516.exe, , [b1c0c61ca2e8dd591c8c5dba31d027d9],
Misused.Legit.AI, C:\Users\0\ZOQJQ\Autoit3862269.exe, , [76fb4b972d5d54e2565225f2c93858a8],
Misused.Legit.AI, C:\Users\0\NVWPL\Autoit333863.exe, , [beb35989ff8b63d300a8eb2c2cd56f91],
Misused.Legit.AI, C:\Users\0\NYMDT\Autoit3120957.exe, , [8ee3c41ea4e641f5e8c0ff185aa7ee12],
Misused.Legit.AI, C:\Users\0\OTCOG\AutoIt3-466746.exe, , [d0a180628703082e466250c789789967],
Misused.Legit.AI, C:\Users\0\JDHDW\Autoit3441978.exe, , [d29f4999ccbe1d190a9ec354e31e7c84],
Misused.Legit.AI, C:\Users\0\JSUGS\AutoIt3-306080.exe, , [343d1ac8e8a2f442990f0116c14047b9],
Misused.Legit.AI, C:\Users\0\KDYGY\AutoIt3-927653.exe, , [650cc61c4b3f3cfa4068c84fbd447c84],
Misused.Legit.AI, C:\Users\0\KMWRG\AutoIt3-993025.exe, , [620fc41e8505d165adfb1601ce3342be],
Misused.Legit.AI, C:\Users\0\KNLWO\AutoIt3-895236.exe, , [cca5d01289013204e2c693844fb28c74],
Misused.Legit.AI, C:\Users\0\KSVTO\AutoIt3-166262.exe, , [1e53f8ea9af0a195d8d0dd3ad22fd22e],
Misused.Legit.AI, C:\Users\0\LXVTT\AutoIt3-444060.exe, , [91e0b929cac066d0693f080fde23639d],
Misused.Legit.AI, C:\Users\0\BPVJQ\AutoIt3-60029.exe, , [f77a687af89238fea0082cebde233ac6],
Misused.Legit.AI, C:\Users\0\DCJRG\AutoIt3-791889.exe, , [066be7fb9feb61d523850b0cd42d4fb1],
Misused.Legit.AI, C:\Users\0\DINIH\Autoit3750382.exe, , [e190647e3e4c082eadfb72a5fd047789],
Backdoor.Agent.MSC, C:\Windows\SysWOW64\Windows Services\win32.exe, , [1e532fb3e2a879bd8d1105416f947f81],
Stolen.Data, C:\Users\0\AppData\Roaming\dclogs\2013-12-19-5.dc, , [f978ba284d3d5fd79a3c47d431d3d22e],

Physische Sektoren: 0 (keine bösartigen Elemente erkannt)

(end)
jc12345
Legendary
Offline
Activity: 1638
Merit: 1013
July 16, 2015, 01:19:07 PM

Well then, let others who have installed the shroom wallet see if they have the same registry keys and files. That would sort the debate.
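The check jc12345 asks for here (do other people who installed the wallet carry the same registry keys and files?) first needs the pasted Malwarebytes detections in a structured form. The Python below is an added example, not code from this thread or from Malwarebytes: it parses detection lines in exactly the format posted above (family name, location, an optional data field on registry value entries, and the 32-hex id in brackets), even when a whole section has been flattened onto one line the way the forum extraction did, tags each entry with its section, and then checks a host for those locations through two injected lookups so the logic can be exercised anywhere. `windows_registry_exists` is an assumed helper built on the standard `winreg` module for real use on a Windows host; the embedded sample log is a constructed excerpt of the entries posted above.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# Malwarebytes section headers as they appear in the German-locale log in this thread,
# mapped to an English kind; the number after the colon is that section's detection count.
SECTION_KINDS: Dict[str, str] = {
    "Registrierungsschlüssel": "registry_key",
    "Registrierungswerte": "registry_value",
    "Registrierungsdaten": "registry_data",
    "Ordner": "folder",
    "Dateien": "file",
    "Physische Sektoren": "sector",
}
SECTION_RE = re.compile("(" + "|".join(map(re.escape, SECTION_KINDS)) + r"): (\d+)")

# One detection: "<Family.Name>, <location>[, <data>], , [<32 hex chars>]"
ENTRY_RE = re.compile(
    r"([A-Z][A-Za-z0-9]*(?:\.[A-Za-z0-9]+)+)"  # family name, e.g. Backdoor.Agent.MSC
    r", ([^,\[]+?)"                             # location: registry key|value, folder or file
    r"(?:, ([^,\[]+?))?"                        # optional data field (registry value entries)
    r", , \[([0-9a-f]{32})\]"                   # Malwarebytes detection id
)

# Constructed sample: a few entries copied from the log posted in this thread, flattened
# the way the forum extraction flattened it (section header and its entries on one line).
SAMPLE_LOG = (
    r"Registrierungsschlüssel: 3 Backdoor.Agent.MSC, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WIN32.EXE, , [1e532fb3e2a879bd8d1105416f947f81], "
    r"Malware.Trace, HKU\S-1-5-21-3263657515-926084177-3591563880-1001\SOFTWARE\DC3_FEXEC, , [71000bd72169f83e79f88b62877c47b9]," "\n"
    r"Registrierungswerte: 1 PUP.Vulnerable.DellSystemDetect, HKU\S-1-5-21-3263657515-926084177-3591563880-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|DellSystemDetect, C:\Users\0\AppData\Local\Apps\2.0\CWDABVX1.PTA\JEY57068.PLT\dell..tion_e30b47f5d4a30e9e_0005.000d_4ab2a66cfade09be\DellSystemDetect.exe, , [3041ffe311798da93956bf48778c15eb]" "\n"
    r"Ordner: 6 Stolen.Data, C:\Users\0\AppData\Roaming\dclogs, , [f978ba284d3d5fd79a3c47d431d3d22e], Refog.Keylogger, C:\ProgramData\MPK, , [adc40fd34a403cfa34f2744fba4852ae]," "\n"
    r"Dateien: 41 Backdoor.Bot, C:\ProgramData\Nimoru\GizmoSE, , [d29fe4fe701a4bebf24e165c6b9760a0], Misused.Legit.AI, C:\Users\0\FJQIH\Autoit3132605.exe, , [bbb603dfe6a42b0bdecae33415ec53ad], "
    r"Backdoor.Agent.MSC, C:\Windows\SysWOW64\Windows Services\win32.exe, , [1e532fb3e2a879bd8d1105416f947f81]," "\n"
    "Physische Sektoren: 0 (keine bösartigen Elemente erkannt)\n"
)


@dataclass(frozen=True)
class Detection:
    kind: str      # registry_key, registry_value, folder, file, ...
    name: str      # Malwarebytes family name
    location: str  # registry path (key|value) or filesystem path
    data: str      # registry data on value entries, otherwise ""
    ident: str     # 32-hex detection id


def parse_mbam_log(text: str) -> List[Detection]:
    """Parse a Malwarebytes detection list, one entry per line or flattened onto one line."""
    headers = [(m.start(), SECTION_KINDS[m.group(1)]) for m in SECTION_RE.finditer(text)]
    found: List[Detection] = []
    for m in ENTRY_RE.finditer(text):
        kind = "unknown"
        for pos, section_kind in headers:  # an entry belongs to the last header before it
            if pos < m.start():
                kind = section_kind
        name, location, data, ident = m.groups()
        found.append(Detection(kind, name, location.strip(), (data or "").strip(), ident))
    return found


def check_host(dets: List[Detection], path_exists: Callable[[str], bool],
               registry_exists: Callable[[str], bool]) -> List[Detection]:
    """Return the detections whose location is present on this host. Both lookups are
    injected: on Windows pass os.path.exists and windows_registry_exists."""
    hits = []
    for d in dets:
        if d.kind in ("registry_key", "registry_value"):
            key = d.location.split("|", 1)[0]  # "HKU\...\RUN|DellSystemDetect" -> key part
            present = registry_exists(key)
        else:
            present = path_exists(d.location)
        if present:
            hits.append(d)
    return hits


def summarize(dets: List[Detection]) -> Dict[str, int]:
    """Detections per family, so the posted log reads as a few distinct tools rather than
    dozens of unrelated lines."""
    counts: Dict[str, int] = {}
    for d in dets:
        counts[d.name] = counts.get(d.name, 0) + 1
    return counts


def windows_registry_exists(key_path: str) -> bool:
    """Assumed helper for Windows hosts: open the key read-only via the standard winreg module."""
    import winreg  # only available on Windows
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKU": winreg.HKEY_USERS,
             "HKCU": winreg.HKEY_CURRENT_USER}
    hive, _, sub = key_path.partition("\\")
    if hive.upper() not in hives:
        return False
    try:
        winreg.CloseKey(winreg.OpenKey(hives[hive.upper()], sub))
        return True
    except OSError:
        return False


if __name__ == "__main__":
    import os
    dets = parse_mbam_log(SAMPLE_LOG)
    print(summarize(dets))
    if os.name == "nt":
        for hit in check_host(dets, os.path.exists, windows_registry_exists):
            print("still present:", hit.kind, hit.location)
```

Run against the full log pasted earlier in the thread rather than the excerpt to get the complete indicator list; a hit on any of the registry keys or folders is a stronger signal than the AutoIt droppers, whose random directory names differ per machine.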
badam
July 16, 2015, 01:22:00 PM

(end)

You are clearly infected; out of curiosity, I am running a Malwarebytes scan now too.
jc12345
Legendary
Offline
Activity: 1638
Merit: 1013
July 16, 2015, 01:32:58 PM
> Today I got all my Crave stolen, and M1 too. Yesterday I downloaded two wallets, NOC (Nocturna) and SHRM (SHROOMS); I scanned both at VirusTotal, but it looks like the infected wallet is fully undetected by antiviruses. So be careful with these new coins. After posting in the SHROOMS thread about it my post got deleted, so I assume the SHROOMS wallet is infected.

> Have you considered (before blaming a wallet that is marked as clean by all the AV products on VirusTotal) that it could have been other activity, like bad browsing behavior, or alternatively a bad wallet prior to yesterday, but the attacker used the exploit only now?

> Well, everything is possible.. I found it suspicious that after getting those two wallets my coins are gone, and on top of it my post getting deleted from the SHROOM thread without interaction.. Anyway, I am just giving fair warnings to you guys. The guy's a pro, as this malware is specifically designed to search remotely for txt and .dat files to find privkeys, as my wallets are encrypted. Unfortunately there was an old txt file somewhere on my HD with my privkeys. So be extra careful.

> Did you reverse engineer the wallet to know the MO? Wouldn't you also delete posts that FUD about a virus if you were a dev? Anyone else got wallets stolen? Perhaps you should also look at any other wallets you installed recently and whether any of those were confirmed to have trojans in them by VirusTotal before you blame a VirusTotal-clean wallet.

> Checking now. If I were a dev and had nothing to hide, no, I wouldn't delete a legit question, as the community would answer anyway. Here is the Malwarebytes analysis of my PC:
>
> [snip: Malwarebytes log, identical to the one quoted above]

Before just trashing the reputation of a coin, how sure are you that those files and registry entries come from the shroom wallet? None of the items you quoted appear on a test machine I installed the shroom wallet on. Can you post some better evidence that the above come from the shroom wallet, apart from circumstantial? E.g., the person holding the knife in his hand next to a dead body is not automatically guilty of murder; or worse, a passerby gets arrested for murder because he walked past the dead body at the same time the police officer sees it.
trader19 (OP)
Legendary
Offline
Activity: 1232
Merit: 1001
July 16, 2015, 01:48:19 PM
> [snip: quoted exchange and Malwarebytes log, identical to the posts above]
>
> Before just trashing the reputation of a coin, how sure are you that those files and registry entries come from the shroom wallet? None of the items you quoted appear on a test machine I installed the shroom wallet on. Can you post some better evidence that the above come from the shroom wallet, apart from circumstantial? E.g., the person holding the knife in his hand next to a dead body is not automatically guilty of murder; or worse, a passerby gets arrested for murder because he walked past the dead body at the same time the police officer sees it.

It's not my intention to trash any coin, as I invested in both of them. You are totally right: without any evidence I am just trolling; I wanted to give fair warnings. After investigating, it was a RAT (keylogger) that was installed locally on the PC. Still searching for the source of that dclogs folder in AppData. I changed the title.