Hello all members and readers outside the forum.
I would like to tell you my story, which happened to me yesterday morning and which I have been fighting with until today.
It is extremely important due to the rapidly increasing interest in cryptocurrencies across the globe, especially for newcomers excited about all of this amazing cryptocurrency world who want to invest their money in it. OK, so.
About three weeks ago I decided to enter the world of cryptos. I wanted to invest some of my money and diversify my investment into different alternative coins, because everything told me they will grow in the long run and it is a good thing to do so (most of them are deflationary by definition).
So I joined the forum, read a lot, felt amazed by all of this,
installed new wallets every day, more or less popular or completely new coins.
Eventually I picked my top 10 best to invest in at that moment, in my opinion. Bought BTC and exchanged them for those cryptos. So during the next two weeks I had more or less what I wanted in my wallets.
During those days I of course encrypted every wallet I had. I watched the charts every day, tried a little arbitrage between markets (with little success) that let me buy more and fill my investments with new coins.
I was happy and very excited during all those days. It ran smooth and nice.
I felt secure.
Then yesterday morning I had some BTC on Cryptsy and wanted to buy some Digitalcoins (it was about 1100).
So I bought them and sent to my DGC wallet.
At that moment I remembered that I had a feeling that most probably I didn't encrypt one of my wallets and wasn't sure if it was the Digitalcoin wallet or not. I had there something like 1900 DGC.
So I opened my wallet, waited for it to sync, and a second after it synced, instantaneously -1900 DGC was sent from my wallet to another address. And a second after that my newly bought 1100 DGC came to me from Cryptsy. I am quite new to all this and my first thought was it is some error or something, but? Here is the screenshot:
Transaction id:
http://dgc.cryptocoinexplorer.com/address/DG5phm55dZiWwX5oknkJJgKkULMeXtFCoF
Thief address: DG5phm55dZiWwX5oknkJJgKkULMeXtFCoF
The other withdrawal (2013-11-27) is a desperate rescue of my own coins to another wallet (created on another PC), but more about it later.
Aha, and my wallet was encrypted.
So I became really suspicious.
Maybe there is a trojan or something like that in my OS? I started to look at the Windows process manager I have open all the time on the second monitor, but nothing suspicious there.
So I opened CCleaner and there found something weird looking: It was almost obvious that something like this shouldn't be in my autostart. So I tried to close it, delete it through CCleaner, but
every time I did that it was auto-enabled again! So I think, OK, let's go to this directory. So I clicked C, Users, Pawel and .... ? Where are the "ensuy" and "qfiyp" directories?
THEY WEREN'T VISIBLE, despite my having "show hidden files and directories" checked.
So I put the address C:\Users\Pawel\ensuy into the address bar and what happened?
The screen shook and all of my windows were immediately closed. At this moment it was obvious something really scary was going on and I felt hugely unsafe.
I opened the command console, went to C:\Users\Pawel, typed "dir", but those directories were also not visible in the listing. So I typed manually "ensuy" and "qfiyp" and then I was in:
thecoin-qt.exe
And some other not visible files (there were more than this visible in the listing).
My still running antivirus (AVG) did not catch anything! I tried to delete it manually through cmd but it didn't help. I tried a restart in Safe Mode, still nothing. Couldn't get rid of that.
Even when I tried to delete it directly from the registry keys it did not help.
So I started to search the internet and downloaded some
anti-malware software.
After a full scan it found those files and after a reboot I could delete them from autostart, registry keys and from those directories I mentioned above. But I still cannot delete those directories even though they are empty.
So what next!? I asked myself. I started to open my wallets one by one and change the passphrases. But one question was on my mind:
"If I change a passphrase when I am not synced because blocks are loading, then is my newly encrypted wallet sent to the network or not?!"
I did not know the answer to that question (now I know) but what else could I do, I thought.
The problem was I hadn't opened most of my wallets for several days, and lately there is such huge traffic on the market that blocks were loading and loading endlessly.
I felt a little bit more secure after deleting this trojan or whatever it was. But I had a strong feeling that something was still very not right and that it was most probably a keylogger, because how is it possible for somebody to send money from my wallet without knowing my password?
I started to change all my passwords, for email, markets, everything... but I had this strong feeling that I shouldn't do that on this system anymore. Maybe there is already a rootkit installed or who knows what else?
Then I also started to think, where was it installed? I checked the date of "thecoin-qt.exe" and realized it was just after I decided to enter this crypto world!
I also put this phrase into Google and there was a match:
http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~AutoIt-AAB/detailed-analysis.aspx
This is it, or a branch of it, very similar.
I searched through my browser history and my memory and remembered that at the very beginning of my journey, when I was so turned on and installed every wallet in an excited rush, there was one new altcoin project I felt weird about.
!!! https://bitcointalk.org/index.php?topic=333160.0 !!!
I remember exactly
when I downloaded this client and wanted to click on it,
something told me DON'T.
The thread looks weird, no community around... but he provides source code (
yeaah, and you didn't check it, and also how could you know what is in that .exe, DUMB ASS!).
I remember I deleted it quickly after installation because I felt it was weird. BUT IT WAS TOO LATE - REMEMBER THAT, NEWCOMER! Then I found that thread, looked at the last post and... everything became clear... I had a trojan\keylogger\and who knows what more.
So I moved to my brother's PC (his computer was shut down for weeks because he is in another country right now, so the hacker couldn't reach it). To be sure I turned off the internet connection on my laptop.
First I started to download my most valuable wallets, so I started with Megacoin, in which I invested most of my money.
Blocks loading, I see the amount of my MGC on it and wait.
Then..
Synced..
Puh!
To: MA6CFTXYwQwBKmLBT8A3x9zzT6rYAG2RDf
Debet: -8406.00 MΣC
Kwota netto: -8406.00 MΣC
ID transakcji: 91c1167e94e13f70dd5dfc777bf4d3295dc45f7a062eb14be484ebbbd122bf88
So I realized, YES IT WAS A KEYLOGGER AND EVEN MORE, BECAUSE HE STOLE YOUR WALLETS! At that point I didn't believe at all that my laptop was safe right now, so I changed every password for every website, forum, market, wallet, etc. And started to download my other wallets and change the passphrases of every one of them again.
Also started to create new wallets for all my coins (
I WILL NOT USE those wallet addresses that you see on the screens anymore) with other new passwords.
I sat till 4:30 am loading blocks, changing passwords, creating new wallets, securing them, sending coins to them (if there was above 0 ...) and had a very unpleasant feeling every time a wallet got synced...
Until the morning of the next day (it is today) I slept a few hours because I didn't have any more power, super tired, even right now.
And he also stole all my
Primecoins:
Status: 3407 potwierdzeń
Data: 2013-11-25 21:16
Do: AKfSuxQDE1Q8YQWKbhLGVvTAfG6jzrJ5tg
Debet: -112.30 XPM
Prowizja transakcji: -0.04435538 XPM
Kwota netto: -112.34435538 XPM
ID transakcji: 4bb9e53613a697d4af0d2681634535b4a038e723e1c2e6924f1c4433ba14a375
and
Peercoins
Status: 131 potwierdzeń
Data: 2013-11-27 09:52
Do: PWYWk7tNT78AdcY4c58VbtuVMTbHS7WgZQ
Debet: -55.00 PPC
Prowizja transakcyjna: -0.01 PPC
Kwota netto: -55.01 PPC
ID transakcji: 2abd81835bc8b1db41e7965be235a1e4f498be02302a578117725004d02dd848
What is interesting in the above screen: why was his withdrawal, which happened after mine, confirmed, and mine not?
--------
Right now I have finished everything and am struggling to install a clean Win 7 on my laptop (there are some problems, as always, with .iso's from Windows; I have my key of course). I am very tired but a little bit happy I saved almost half of my diversified wallets...
I know it was silly on my side and I should have been more careful. You know how it is when you are super excited about something. You can easily become thoughtless about things you normally care about.
I am no admin here of course but I would suggest this thread as a
WARNING and also some instructions on how to detect that something is not right and our wallets and computers could be in danger.
I strongly suggest to all of you to check your systems like I described above. Even if you did not install this wallet I mentioned. Why?!
We are at the beginning of a new upcoming era of virtual money, virtual wallets. My case is simple and it was quite easy to avoid, but remember, new technologies always attract thieves with their new ways of robbing us. This will not be the last time one of us loses money. They for sure are working on something right now and I strongly suggest - BE EXTREMELY CAUTIOUS with your coins and wallets. Install not only antivirus but also anti-malware software and hide your wallets as deep as you can.
So in sum I have lost about: 1900 Digitalcoins, 8400 Megacoins, 112 Primecoins and 55 Peercoins.
I took a lesson I will never forget. Learn from my mistakes...
TO THE THIEF THAT ROBBED ME
I know you actively look through this forum. Most probably you have a new account and are still with us.
I believe in people and if you have some empathy in yourself, please give me back my money. At least some.
Here are my new addresses:
Digitalcoin:DFUiUnDGQYAGPmoXrXeQgAVz7uborYfHgz
Megacoin:MAMbeVmzwpBhyyA1u39vyFNmZCEUbUM5rk
Peercoin:PWwjLApspBX8PE3ECwPfSs2HWje1euAjqs
Primecoin:Ad7L8CSnWvWXCh8mBTrDvkAp2tX9BbmyiW
--------------
For all of those that read that far. Thank you a lot that I could share my story with you and please take care about your coins.
Wish all of you smart, growing investments.
Pablo
PS. Sorry for my English, it is not my native language.
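The two things the author found by hand, an autostart entry that kept coming back and profile directories that neither Explorer nor a plain `dir` showed, can be checked in one pass. This is an added PowerShell triage script, not from the original post or from any tool mentioned in it; it assumes it is run in an elevated PowerShell on the affected Windows machine and that `$env:USERPROFILE` is the profile to inspect.

```powershell
# Added example: list per-user/per-machine Run entries that point into a user
# profile, and profile subdirectories carrying the System attribute, which
# Explorer's "show hidden files" and a plain "dir" both leave out.
# Assumption: run elevated; $env:USERPROFILE is the profile being checked.

$runKeys = @(
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

Write-Host "== Autostart entries whose command lives under a user profile =="
foreach ($key in $runKeys) {
  if (-not (Test-Path $key)) { continue }
  $props = Get-ItemProperty -Path $key
  foreach ($p in $props.PSObject.Properties) {
    # Get-ItemProperty adds PSPath/PSParentPath/... metadata; skip those.
    if ($p.Name -like 'PS*') { continue }
    $cmd = [string]$p.Value
    # Persistence launched from C:\Users\<name>\<random>\ deserves a look.
    if ($cmd -match '(?i)\\Users\\') {
      Write-Host ("{0}\{1} -> {2}" -f $key, $p.Name, $cmd)
    }
  }
}

Write-Host "== Hidden+System directories directly under the profile =="
# -Force makes Get-ChildItem return Hidden and System items; PSIsContainer
# keeps directories only (works on the PowerShell 2.0 that ships with Win 7).
Get-ChildItem -Path $env:USERPROFILE -Force |
  Where-Object { $_.PSIsContainer } |
  Where-Object { ([int]$_.Attributes -band [int][IO.FileAttributes]::System) -ne 0 } |
  ForEach-Object {
    $exes = @(Get-ChildItem -Path $_.FullName -Filter *.exe -Force -ErrorAction SilentlyContinue)
    Write-Host ("{0}  attrs={1}  exe files={2}" -f $_.FullName, $_.Attributes, $exes.Count)
  }
```

A directory such as `C:\Users\<name>\ensuy` that appears in the second list while also being referenced from the first is the pattern described above; the output is for triage on a machine you already distrust, and an entry that re-creates itself after deletion is a reason to rebuild rather than keep cleaning.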