Be careful about Viruses!

badam

Hero Member

Offline

Activity: 770
Merit: 500

Re: Be careful about Viruses! [SHROOMS]

July 16, 2015, 01:49:39 PM

#21

So i did a scan too and i have none of your infections, so you should be more than sure that your infection has nothing to do with shrooms wallet. You got infected by something else.

Code:

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 1
Trojan.MSIL.Dropper, C:\Users\x\Downloads\papercoin-qt.rar, , [6f04657dcebc61d56d45655a3ac730d0], 

Physical Sectors: 0
(No malicious items detected)


(end)

I am having an infected wallet but i know about that lol, i was just lazy to delete it

8-bit-Party

Legendary

Offline

Activity: 1036
Merit: 1000

8b 16b DEMOSCENE FTW

Re: Be careful about Viruses!

July 16, 2015, 01:57:40 PM

#22

First of all you should make sure you have same versions of wallet. Second, comparing scans proofs nothing since malware might be not activated yet.
Third, even if your PC is infected it does not mean that infection has been made by mentioned wallet nor mentioned wallet contains malware nor mentioned wallet did not make your coins disappear. Like I said stealing coins from running wallet is prettty easy if user is not smart one and there's no way to detect it using non-cryptocurrencies-aware antivirus.

8-BIT PARTY 16-BIT PARTY DEMOSCENE FTW

trader19 (OP)

Legendary

Offline

Activity: 1232
Merit: 1001

Re: Be careful about Viruses!

July 16, 2015, 02:02:07 PM

#23

Quote from: 8-bit-Party on July 16, 2015, 01:57:40 PM

First of all you should make sure you have same versions of wallet. Second, comparing scans proofs nothing since malware might be not activated yet.
Third, even if your PC is infected it does not mean that infection has been made by mentioned wallet nor mentioned wallet contains malware nor mentioned wallet did not make your coins disappear. Like I said stealing coins from running wallet is prettty easy if user is not smart one and there's no way to detect it using non-cryptocurrencies-aware antivirus.

thanks, still trying to find source but is not easy as i already deleted infection.

Join the Elastic revolution!

Elastic - The Decentralized Supercomputer
ELASTIC WEBSITE | NEW ANNOUNCEMENT THREAD | ELASTIC SLACK | ELASTIC FORUM

8-bit-Party

Legendary

Offline

Activity: 1036
Merit: 1000

8b 16b DEMOSCENE FTW

Re: Be careful about Viruses!

July 16, 2015, 02:11:35 PM

#24

If you still have original suspected binary run it within virtual enviroment (I don't think sandbox will give enough safety), get Process Explorer, find wallet process, go its properties, find "Strings/Memory" and publish it.

8-BIT PARTY 16-BIT PARTY DEMOSCENE FTW

jc12345

Legendary

Offline

Activity: 1638
Merit: 1013

Re: Be careful about Viruses!

July 16, 2015, 02:16:33 PM

#25

I compared the binary at release and the one now and they have the same hashes. Can you post the hashes of the binary that you installed?

bathrobehero

Legendary

Offline

Activity: 2002
Merit: 1051

ICO? Not even once.

Re: Be careful about Viruses!

July 16, 2015, 02:19:58 PM

#26

You can track what (file/registry) changes a wallet does with Sandboxie using SandboxDiff. To avoid a wallet link switcheroo which seems to be usual, if you send me your downloaded wallet in pm I can post a log tomorrow as I have to run now.

Not your keys, not your coins!

badam

Hero Member

Offline

Activity: 770
Merit: 500

Re: Be careful about Viruses!

July 16, 2015, 03:18:20 PM

#27

Don't you have EA wallet installed? It was just confirmed that it has wallet stealer virus

trader19 (OP)

Legendary

Offline

Activity: 1232
Merit: 1001

Re: Be careful about Viruses!

July 16, 2015, 04:37:17 PM

#28

looks like i had RAT spyware installed long before yesterday. from logs i find it's refog keylogger, don't ask me how av didn't block it. idk
https://www.raymond.cc/blog/how-to-uninstall-refog-keylogger-without-knowing-master-password/
still investigating, so be paranoid about new wallets.

Join the Elastic revolution!

Elastic - The Decentralized Supercomputer
ELASTIC WEBSITE | NEW ANNOUNCEMENT THREAD | ELASTIC SLACK | ELASTIC FORUM

trader19 (OP)

Legendary

Offline

Activity: 1232
Merit: 1001

Re: Be careful about Viruses!

July 16, 2015, 04:41:09 PM

#29

Quote from: badam on July 16, 2015, 03:18:20 PM

Don't you have EA wallet installed? It was just confirmed that it has wallet stealer virus

EA? no i don't think so. i have a bunch of wallet installed, hard to say which one installed spyware.

Join the Elastic revolution!

Elastic - The Decentralized Supercomputer
ELASTIC WEBSITE | NEW ANNOUNCEMENT THREAD | ELASTIC SLACK | ELASTIC FORUM

Woody20285

Legendary

Offline

Activity: 1218
Merit: 1002

Supporting DMD, ERC & PIO

Re: Be careful about Viruses!

July 16, 2015, 11:55:11 PM

#30

dclog in roaming is a keylogger
you need - an anti-keylogger

Key scrambler was created specifially to counter
crypto wallet unlocks. Very cheap.

Vegas has a theft and approached this security company to create it
(he has no interest) but, did post on another coin after finding a keylogger on
his system that was unsuccessful due to KeyScrambler.

andyatcrux

Legendary

Offline

Activity: 938
Merit: 1000

Re: Be careful about Viruses!

July 17, 2015, 12:28:58 AM

#31

Quote from: Woody20285 on July 16, 2015, 11:55:11 PM

dclog in roaming is a keylogger
you need - an anti-keylogger

Key scrambler was created specifially to counter
crypto wallet unlocks. Very cheap.

Vegas has a theft and approached this security company to create it
(he has no interest) but, did post on another coin after finding a keylogger on
his system that was unsuccessful due to KeyScrambler.

Piriform's free anti-logger is good too. Everyone should at least be using that lightweight client.

powerfull

Sr. Member

Offline

Activity: 249
Merit: 250

Re: Be careful about Viruses!

July 17, 2015, 09:26:08 AM

#32

Quote from: trader19 on July 16, 2015, 12:01:52 PM

today i got all my Crave stollen and M1 to, yesterday i downloaded two wallets NOC (Nocturna) and SHRM (SHROOMS), i scanned both at Virustotal but looks like infected wallet is fully undetected by antiviruses. so be carefull with this new coins.
After posting in SHROOMS thread about it my post got deleted so i assume SHROOMS wallet is infected.

Code:

Registrierungsschlüssel: 3
Backdoor.Agent.MSC, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WIN32.EXE, , [1e532fb3e2a879bd8d1105416f947f81], 
Backdoor.Agent.MSC, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WIN32.EXE, , [1e532fb3e2a879bd8d1105416f947f81], 
Malware.Trace, HKU\S-1-5-21-3263657515-926084177-3591563880-1001\SOFTWARE\DC3_FEXEC, , [71000bd72169f83e79f88b62877c47b9], 

Registrierungswerte: 1
PUP.Vulnerable.DellSystemDetect, HKU\S-1-5-21-3263657515-926084177-3591563880-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|DellSystemDetect, C:\Users\0\AppData\Local\Apps\2.0\CWDABVX1.PTA\JEY57068.PLT\dell..tion_e30b47f5d4a30e9e_0005.000d_4ab2a66cfade09be\DellSystemDetect.exe, , [3041ffe311798da93956bf48778c15eb]

Registrierungsdaten: 0
(keine bösartigen Elemente erkannt)

Ordner: 6
Stolen.Data, C:\Users\0\AppData\Roaming\dclogs, , [f978ba284d3d5fd79a3c47d431d3d22e], 
Refog.Keylogger, C:\ProgramData\MPK, , [adc40fd34a403cfa34f2744fba4852ae], 
Refog.Keylogger, C:\Windows\SysWOW64\MPK, , [fe73dc061f6b84b2e09c329bca38dc24], 
Refog.Keylogger, C:\Windows\SysWOW64\MPK\Help, , [fe73dc061f6b84b2e09c329bca38dc24], 
Refog.Keylogger, C:\Windows\SysWOW64\MPK\Help\German, , [fe73dc061f6b84b2e09c329bca38dc24], 
Refog.Keylogger, C:\Windows\SysWOW64\MPK\Images, , [fe73dc061f6b84b2e09c329bca38dc24], 

Dateien: 41
Backdoor.Bot, C:\ProgramData\Nimoru\GizmoSE, , [d29fe4fe701a4bebf24e165c6b9760a0], 
Backdoor.Bot, C:\ProgramData\Nimoru\LicenseSE, , [6b06c51dc4c637ffe1607cf6689a17e9], 
Trojan.BitcoinMiner, C:\Users\0\Downloads\CHC-cpuminer.zip, , [0d6405dd9af04fe7508127f4738eb54b], 
Misused.Legit.AI, C:\Users\0\FJQIH\Autoit3132605.exe, , [bbb603dfe6a42b0bdecae33415ec53ad], 
Misused.Legit.AI, C:\Users\0\FPLXT\AutoIt3-477747.exe, , [93de875b2e5ce55100a8ee29c041f60a], 
Misused.Legit.AI, C:\Users\0\GBHHS\423830.exe, , [2a47736f5e2c73c3f2b633e4778ad729], 
Misused.Legit.AI, C:\Users\0\IXXER\Autoit3361205.exe, , [f081677b5436ad891c8c6fa82ed302fe], 
Misused.Legit.AI, C:\Users\0\PJFOQ\AutoIt3-317477.exe, , [18594999d1b994a24365090e68994cb4], 
Misused.Legit.AI, C:\Users\0\PJYSH\AutoIt3-476488.exe, , [5c1531b14e3c8caa4a5ef225eb163ac6], 
Misused.Legit.AI, C:\Users\0\PLNYL\AutoIt3-674095.exe, , [3b369a48fd8da78f08a06cab48b9cd33], 
Misused.Legit.AI, C:\Users\0\QFBWN\AutoIt3-980556.exe, , [b6bbf6ec0387c0768d1b01165aa72ed2], 
Misused.Legit.AI, C:\Users\0\RQABW\AutoIt3-305714.exe, , [ea8701e19ceecb6b9216bf58ac55659b], 
Misused.Legit.AI, C:\Users\0\RWTPS\Autoit3799481.exe, , [4e23746e4b3f68ce93150d0afb065ba5], 
Misused.Legit.AI, C:\Users\0\SARQB\Autoit3632787.exe, , [cca53ea497f3d2648721cd4aa75a45bb], 
Misused.Legit.AI, C:\Users\0\SYMIW\Autoit3346420.exe, , [0a674f93b9d11f1744643ed9a65bd32d], 
Misused.Legit.AI, C:\Users\0\SZCXS\70252.exe, , [462b3ea4c1c9ae881197d641ba47e917], 
Misused.Legit.AI, C:\Users\0\UNQRL\Autoit3823165.exe, , [a5ccb9291d6d62d47b2dc3548d741ee2], 
Misused.Legit.AI, C:\Users\0\UVZMS\Autoit3356564.exe, , [4d24875b2367a3931593be5940c1f10f], 
Misused.Legit.AI, C:\Users\0\VFAIT\AutoIt3-233913.exe, , [343d9b4773170e288d1b59be48b9ba46], 
Misused.Legit.AI, C:\Users\0\VNZZZ\Autoit3.214789.exe, , [71003aa88efcd561f9af1afd49b89e62], 
Misused.Legit.AI, C:\Users\0\WEELT\Autoit3931513.exe, , [fc75657d7614dd594f5914034db4916f], 
Misused.Legit.AI, C:\Users\0\WUZEP\AutoIt3-727504.exe, , [056c6c76404a0b2b099f63b4ce3320e0], 
Misused.Legit.AI, C:\Users\0\YAHBI\Autoit3.432573.exe, , [7ff2ebf7e8a24de9505844d310f12dd3], 
Misused.Legit.AI, C:\Users\0\YATOB\AutoIt3-72795.exe, , [d0a17270503ade58a404a275ef128080], 
Misused.Legit.AI, C:\Users\0\ZKONP\AutoIt3-297516.exe, , [b1c0c61ca2e8dd591c8c5dba31d027d9], 
Misused.Legit.AI, C:\Users\0\ZOQJQ\Autoit3862269.exe, , [76fb4b972d5d54e2565225f2c93858a8], 
Misused.Legit.AI, C:\Users\0\NVWPL\Autoit333863.exe, , [beb35989ff8b63d300a8eb2c2cd56f91], 
Misused.Legit.AI, C:\Users\0\NYMDT\Autoit3120957.exe, , [8ee3c41ea4e641f5e8c0ff185aa7ee12], 
Misused.Legit.AI, C:\Users\0\OTCOG\AutoIt3-466746.exe, , [d0a180628703082e466250c789789967], 
Misused.Legit.AI, C:\Users\0\JDHDW\Autoit3441978.exe, , [d29f4999ccbe1d190a9ec354e31e7c84], 
Misused.Legit.AI, C:\Users\0\JSUGS\AutoIt3-306080.exe, , [343d1ac8e8a2f442990f0116c14047b9], 
Misused.Legit.AI, C:\Users\0\KDYGY\AutoIt3-927653.exe, , [650cc61c4b3f3cfa4068c84fbd447c84], 
Misused.Legit.AI, C:\Users\0\KMWRG\AutoIt3-993025.exe, , [620fc41e8505d165adfb1601ce3342be], 
Misused.Legit.AI, C:\Users\0\KNLWO\AutoIt3-895236.exe, , [cca5d01289013204e2c693844fb28c74], 
Misused.Legit.AI, C:\Users\0\KSVTO\AutoIt3-166262.exe, , [1e53f8ea9af0a195d8d0dd3ad22fd22e], 
Misused.Legit.AI, C:\Users\0\LXVTT\AutoIt3-444060.exe, , [91e0b929cac066d0693f080fde23639d], 
Misused.Legit.AI, C:\Users\0\BPVJQ\AutoIt3-60029.exe, , [f77a687af89238fea0082cebde233ac6], 
Misused.Legit.AI, C:\Users\0\DCJRG\AutoIt3-791889.exe, , [066be7fb9feb61d523850b0cd42d4fb1], 
Misused.Legit.AI, C:\Users\0\DINIH\Autoit3750382.exe, , [e190647e3e4c082eadfb72a5fd047789], 
Backdoor.Agent.MSC, C:\Windows\SysWOW64\Windows Services\win32.exe, , [1e532fb3e2a879bd8d1105416f947f81], 
Stolen.Data, C:\Users\0\AppData\Roaming\dclogs\2013-12-19-5.dc, , [f978ba284d3d5fd79a3c47d431d3d22e], 

Physische Sektoren: 0
(keine bösartigen Elemente erkannt)


(end)

thank you for warning.

bathrobehero

Legendary

Offline

Activity: 2002
Merit: 1051

ICO? Not even once.

Re: Be careful about Viruses!

July 17, 2015, 04:36:49 PM

#33

Quote from: trader19 on July 16, 2015, 04:55:53 PM

https://mega.co.nz/#!sUIQhCrZ!ZpHNYTqjkg7hzehHiWaNzAXZky6Acb6xUev19AWoYYk

File changes:

Quote

> <sandbox>\user\all\boost_interprocess\SHROOMSURI
3122a3124,3136
> <sandbox>\user\current\AppData\Roaming\SHROOMS\.lock
> <sandbox>\user\current\AppData\Roaming\SHROOMS\blk0001.dat
> <sandbox>\user\current\AppData\Roaming\SHROOMS\db.log
> <sandbox>\user\current\AppData\Roaming\SHROOMS\debug.log
> <sandbox>\user\current\AppData\Roaming\SHROOMS\peers.dat
> <sandbox>\user\current\AppData\Roaming\SHROOMS\wallet.dat
> <sandbox>\user\current\AppData\Roaming\SHROOMS\database\log.0000000001
> <sandbox>\user\current\AppData\Roaming\SHROOMS\txleveldb\000004.log
> <sandbox>\user\current\AppData\Roaming\SHROOMS\txleveldb\000005.sst
> <sandbox>\user\current\AppData\Roaming\SHROOMS\txleveldb\CURRENT
> <sandbox>\user\current\AppData\Roaming\SHROOMS\txleveldb\LOCK
> <sandbox>\user\current\AppData\Roaming\SHROOMS\txleveldb\LOG
> <sandbox>\user\current\AppData\Roaming\SHROOMS\txleveldb\MANIFEST-000002

Registry changes:

Quote

Windows Registry Editor Version 5.00

[user\current\software\SHROOMS]

[user\current\software\SHROOMS\SHROOMS-Qt]

[user\current\software\SHROOMS\SHROOMS-Qt\settings]
"rootpath"="<path>"
"port"="5566"
"username"="admin"
"password"="qt"
"anonymous"="false"
"readonly"="false"
"oneip"="false"

[user\current_classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"<path>\shroom.exe"="SHROOMS-Qt (OSS GUI client for SHROOMS)"

Not sure what is the username/password part is about but these were all the changes the walelt created.

Edit: Looks like those reg keys are for an FTP server? https://code.google.com/p/qt-ftp-server/source/browse/mainwindow.cpp#120

Not your keys, not your coins!

trader19 (OP)

Legendary

Offline

Activity: 1232
Merit: 1001

Re: Be careful about Viruses!

July 18, 2015, 04:30:55 PM
Last edit: July 18, 2015, 05:29:41 PM by trader19

#34

Quote from: bathrobehero on July 17, 2015, 04:36:49 PM

Quote from: trader19 on July 16, 2015, 04:55:53 PM

https://mega.co.nz/#!sUIQhCrZ!ZpHNYTqjkg7hzehHiWaNzAXZky6Acb6xUev19AWoYYk

File changes:

Quote

> <sandbox>\user\all\boost_interprocess\SHROOMSURI
3122a3124,3136
> <sandbox>\user\current\AppData\Roaming\SHROOMS\.lock
> <sandbox>\user\current\AppData\Roaming\SHROOMS\blk0001.dat
> <sandbox>\user\current\AppData\Roaming\SHROOMS\db.log
> <sandbox>\user\current\AppData\Roaming\SHROOMS\debug.log
> <sandbox>\user\current\AppData\Roaming\SHROOMS\peers.dat
> <sandbox>\user\current\AppData\Roaming\SHROOMS\wallet.dat
> <sandbox>\user\current\AppData\Roaming\SHROOMS\database\log.0000000001
> <sandbox>\user\current\AppData\Roaming\SHROOMS\txleveldb\000004.log
> <sandbox>\user\current\AppData\Roaming\SHROOMS\txleveldb\000005.sst
> <sandbox>\user\current\AppData\Roaming\SHROOMS\txleveldb\CURRENT
> <sandbox>\user\current\AppData\Roaming\SHROOMS\txleveldb\LOCK
> <sandbox>\user\current\AppData\Roaming\SHROOMS\txleveldb\LOG
> <sandbox>\user\current\AppData\Roaming\SHROOMS\txleveldb\MANIFEST-000002

Registry changes:

Quote

Windows Registry Editor Version 5.00

[user\current\software\SHROOMS]

[user\current\software\SHROOMS\SHROOMS-Qt]

[user\current\software\SHROOMS\SHROOMS-Qt\settings]
"rootpath"="<path>"
"port"="5566"
"username"="admin"
"password"="qt"
"anonymous"="false"
"readonly"="false"
"oneip"="false"

[user\current_classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"<path>\shroom.exe"="SHROOMS-Qt (OSS GUI client for SHROOMS)"

Not sure what is the username/password part is about but these were all the changes the walelt created.

Edit: Looks like those reg keys are for an FTP server? https://code.google.com/p/qt-ftp-server/source/browse/mainwindow.cpp#120

ty for looking into it, looks like i was infected for some time now so wallets look clean. i am closing this case, don't be naive like i am and download any shit wallet just because everybody are mining and hyping. thanks for your time.

Join the Elastic revolution!

Elastic - The Decentralized Supercomputer
ELASTIC WEBSITE | NEW ANNOUNCEMENT THREAD | ELASTIC SLACK | ELASTIC FORUM