Bitcoin Forum
Author Topic: BTC stolen from electrum wallet  (Read 2553 times)
edgebits (OP)
April 02, 2014, 12:24:28 AM
Last edit: April 02, 2014, 12:36:16 AM by edgebits
 #1

Can anyone shine a light on how this happened??? I had a decent password to my understanding (~15 characters with numbers and symbols).

I've never had an issue and suddenly an hour ago my coins got withdrawn in six separate transactions to the same address until they finally were all depleted.

Here's a screenshot:

https://i.imgur.com/LWXNChd.png

I'm a noob so I don't understand why they make it so complicated to post an image.

The coins were all sent to this address: 17avcFVaa9dWNXiEx9ALChvN77py9dmHwC

Joshuar
April 02, 2014, 12:25:18 AM
 #2

Someone found out your private key? Keylogger? Virus?

escrow.ms
April 02, 2014, 12:30:50 AM
 #3

Hi, please use imgur.com for uploading the screenshot.

PS: Scan your PC with Malwarebytes Anti-Malware. Also, did you have an unencrypted wallet backup saved somewhere, or the seed saved in some insecure place like email?
datafish
April 02, 2014, 12:35:08 AM
 #4

It's odd that they are seemingly random amounts.
edgebits (OP)
April 02, 2014, 12:38:19 AM
 #5

> Hi, please use imgur.com for uploading the screenshot.
>
> PS: Scan your PC with Malwarebytes Anti-Malware. Also, did you have an unencrypted wallet backup saved somewhere, or the seed saved in some insecure place like email?

Thanks for the help. I did have a backup on a USB that was attached to the PC while the coins were stolen, but it was still protected by the same password for withdrawal, no? The seed is only on paper; nowhere is it saved on the PC.
LAMarcellus
April 02, 2014, 12:45:25 AM
 #6

How do you acquire your coins? Online exchange, mining, localbitcoin.com?
Also, Damien, what version of Windows do you use?

Sorry for your loss. :(

Please let us know how the Malwarebytes scan turns out.

The only way to deal with an unfree world is to become so absolutely free that your very existence is an act of rebellion. – Albert Camus
edgebits (OP)
April 02, 2014, 12:59:32 AM
 #7

> How do you acquire your coins? Online exchange, mining, localbitcoin.com?
> Also, Damien, what version of Windows do you use?
>
> Sorry for your loss. :(
>
> Please let us know how the Malwarebytes scan turns out.

Through an online exchange. My Windows version is 7 Home Premium. I will let you know what the scan tells me.
chakra74
April 02, 2014, 01:14:18 AM
 #8

Another precaution you can take against keyloggers is an on-screen keyboard that hides anything you enter into a password field. I usually type all sensitive information with Neo's SafeKeys. It's a small, easy-to-install program that gives me another layer of peace of mind.

There are many much more robust password programs out there, but I like the simplicity of just typing them in myself. Even if you run a malware detector, it's possible that whichever one you use will let some malware through.

Always assume you have malware installed.
edgebits (OP)
April 02, 2014, 01:16:16 AM
 #9

> Another precaution you can take against keyloggers is an on-screen keyboard that hides anything you enter into a password field. I usually type all sensitive information with Neo's SafeKeys. It's a small, easy-to-install program that gives me another layer of peace of mind.
>
> There are many much more robust password programs out there, but I like the simplicity of just typing them in myself. Even if you run a malware detector, it's possible that whichever one you use will let some malware through.
>
> Always assume you have malware installed.

Thank you for the valuable info, kind sir.
Taras
April 02, 2014, 01:19:40 AM
 #10

Why do people have to take what's not theirs...
Sickening.
edgebits (OP)
April 02, 2014, 01:20:01 AM
 #11

> How do you acquire your coins? Online exchange, mining, localbitcoin.com?
> Also, Damien, what version of Windows do you use?
>
> Sorry for your loss. :(
>
> Please let us know how the Malwarebytes scan turns out.

Well, here is the report.



Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 01/04/2014
Scan Time: 9:17:54 PM
Logfile:
Administrator: Yes

Version: 2.00.0.1000
Malware Database: v2014.04.01.10
Rootkit Database: v2014.03.27.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Chameleon: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Damien

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 268552
Time Elapsed: 16 min, 46 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Shuriken: Enabled
PUP: Enabled
PUM: Enabled

Processes: 1
Trojan.MSIL, C:\Users\Damien\AppData\Roaming\Adobe\AdobeUpdate.exe, 2644, , [ba7479ac88f3df57e729af99629fc040]

Modules: 0
(No malicious items detected)

Registry Keys: 51

Registry Values: 3
Trojan.MSIL, HKU\S-1-5-21-1765719292-827427354-1992714951-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Adobe Update, C:\Users\Damien\AppData\Roaming\Adobe\AdobeUpdate.exe, , [ba7479ac88f3df57e729af99629fc040]
PUP.Optional.NextLive.A, HKU\S-1-5-21-1765719292-827427354-1992714951-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|NextLive, C:\Windows\SysWOW64\rundll32.exe "C:\Users\Damien\AppData\Roaming\newnext.me\nengine.dll",EntryPoint -m l, , [ed4135f0037874c21a7365e70cf52ad6]
PUP.Optional.InstallCore.A, HKU\S-1-5-21-1765719292-827427354-1992714951-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\INSTALLCORE|tb, 0H1L1J1L1S1R1N, , [0925ba6baccf59dd436ed2aeb74ca060]

Registry Data: 1
PUP.Optional.Conduit, HKU\S-1-5-21-1765719292-827427354-1992714951-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|Start Page, http://search.conduit.com?SearchSource=10&CUI=UN13507171334195564&UM=2&ctid=CT3289075, Good: (http://www.google.com), Bad: (http://search.conduit.com?SearchSource=10&CUI=UN13507171334195564&UM=2&ctid=CT3289075),,[2e002ef72457a88eaf05c54a44c0619f]

Folders: 20

Files: 40
Trojan.MSIL, C:\Users\Damien\AppData\Roaming\Adobe\AdobeUpdate.exe, , [ba7479ac88f3df57e729af99629fc040],

Physical Sectors: 0
(No malicious items detected)


(end)
Joshuar
April 02, 2014, 01:24:31 AM
 #12

>> How do you acquire your coins? Online exchange, mining, localbitcoin.com?
>> Also, Damien, what version of Windows do you use?
>>
>> Sorry for your loss. :(
>>
>> Please let us know how the Malwarebytes scan turns out.
>
> Well, here is the report.



PUP.Optional.InstallCore.A, HKU\S-1-5-21-1765719292-827427354-1992714951-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\INSTALLCORE|tb, 0H1L1J1L1S1R1N, , [0925ba6baccf59dd436ed2aeb74ca060]

Registry Data: 1
PUP.Optional.Conduit, HKU\S-1-5-21-1765719292-827427354-1992714951-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN|Start Page, http://search.conduit.com?SearchSource=10&CUI=UN13507171334195564&UM=2&ctid=CT3289075, Good: (http://www.google.com), Bad: (http://search.conduit.com?SearchSource=10&CUI=UN13507171334195564&UM=2&ctid=CT3289075),,[2e002ef72457a88eaf05c54a44c0619f]

Folders: 20
PUP.Optional.Updater, C:\Users\Damien\AppData\Roaming\DigitalSites\UpdateProc, , [52dcff26a0db40f67743bab0b151b54b],
PUP.Optional.FunMoods.A, C:\Users\Damien\AppData\Roaming\Funmoods\UpdateProc, , [c16d0f16c5b656e0a78a521ac1412ed2],
PUP.Optional.Conduit.A, C:\ProgramData\Conduit\IE, , [98963ee7ee8dd660a0d3b69cf9096b95],
PUP.Optional.Conduit.A, C:\ProgramData\Conduit\IE\CT3287810, , [98963ee7ee8dd660a0d3b69cf9096b95],
PUP.Optional.Conduit.A, C:\ProgramData\Conduit\IE\CT3289075, , [98963ee7ee8dd660a0d3b69cf9096b95],
PUP.Optional.Conduit.A, C:\ProgramData\Conduit\IE\CT3289847, , [98963ee7ee8dd660a0d3b69cf9096b95],
PUP.Optional.SaveSense, C:\Program Files (x86)\SaveSenseLive, , [d35bab7a7506e155fb5d054e788a16ea],
PUP.Optional.SaveSense, C:\Program Files (x86)\SaveSenseLive\CrashReports, , [d35bab7a7506e155fb5d054e788a16ea],
PUP.Optional.SaveSense, C:\ProgramData\SaveSenseLive, , [eb43e93c64172313a1b8f85b62a0c33d],
PUP.Optional.SaveSense, C:\ProgramData\SaveSenseLive\Update, , [eb43e93c64172313a1b8f85b62a0c33d],
PUP.Optional.SaveSense, C:\ProgramData\SaveSenseLive\Update\Log, , [eb43e93c64172313a1b8f85b62a0c33d],
PUP.Optional.SaveSense, C:\Users\Damien\AppData\Roaming\SaveSense, , [3fefe1448dee4fe763f77fd49c667987],
PUP.Optional.SaveSense, C:\Users\Damien\AppData\Roaming\SaveSense\UpdateProc, , [3fefe1448dee4fe763f77fd49c667987],
PUP.Optional.SaveSense.A, C:\Users\Damien\AppData\Local\SaveSenseLive, , [61cd0a1bf487b77fc599ca890ff3b64a],
PUP.Optional.SaveSense.A, C:\Users\Damien\AppData\Local\SaveSenseLive\CrashReports, , [61cd0a1bf487b77fc599ca890ff3b64a],
PUP.Optional.Visualbee, C:\Users\Damien\AppData\Local\VisualBeeExe, , [2c0271b4afcccf67582bd87ba0620ff1],
PUP.Optional.NextLive.A, C:\Users\Damien\AppData\Roaming\newnext.me, , [59d5141174073ef80a95d2816f932ad6],
PUP.Optional.NextLive.A, C:\Users\Damien\AppData\Roaming\newnext.me\cache, , [59d5141174073ef80a95d2816f932ad6],
PUP.Optional.Multiplug, C:\Program Files (x86)\YoutubeAdblocker, , [f935fc2987f40d298b8ed87c649ec33d],
PUP.Optional.YoutubeAdblocker.A, C:\ProgramData\YoutubeAdblocker, , [7eb04ed70f6c211560d363f39d6545bb],

Files: 40
Trojan.MSIL, C:\Users\Damien\AppData\Roaming\Adobe\AdobeUpdate.exe, , [ba7479ac88f3df57e729af99629fc040],
PUP.Optional.NextLive.A, C:\Users\Damien\AppData\Roaming\newnext.me\nengine.dll, , [ed4135f0037874c21a7365e70cf52ad6],
PUP.Optional.MultiPlug.A, C:\Program Files (x86)\YoutubeAdblocker\EczE2YPQl.x64.dll, , [f13d2df899e2eb4b0b380f33c43db44c],
PUP.Optional.MultiPlug.A, C:\Program Files (x86)\YoutubeAdblocker\EczE2YPQl.dll, , [f13d2df899e2eb4b0b380f33c43db44c],
PUP.Optional.MultiPlug.A, C:\Program Files (x86)\greatsaveer\y.x64.dll, , [e34b1a0bcdae80b655eeff43c93809f7],
PUP.Optional.MultiPlug.A, C:\Program Files (x86)\greatsaveer\y.dll, , [e34b1a0bcdae80b655eeff43c93809f7],
PUP.Optional.MultiPlug.A, C:\ProgramData\YoutubeAdblocker\17o36WPGCu.exe, , [1f0f68bd4e2d82b4ca799ba712efac54],
PUP.Optional.MultiPlug.A, C:\ProgramData\greatsaveer\jL.exe, , [a48a889d92e94beb7ac9083aac55dc24],
PUP.Optional.DigitalSites.A, C:\Users\Damien\AppData\Roaming\DSite\UpdateProc\UpdateTask.exe, , [0826fe27304bf145e4c8c267bc45c040],
PUP.Optional.OneClickDownloader.A, C:\Users\Damien\Downloads\hdvid_codec_chrome.exe, , [ff2fed380576ae889e6287832bd6f50b],
PUP.Optional.NextLive.A, C:\Users\Damien\AppData\Local\genienext\nengine.dll, , [bd71f035a5d6a88ea0edaf9d8d74d927],
PUP.Optional.Pricegong, C:\Users\Damien\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_pricegong.conduitapps.com_0.localstorage, , [cc6248dd6813ea4c5d6a4226eb17cd33],
PUP.Optional.Pricegong, C:\Users\Damien\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_pricegong.conduitapps.com_0.localstorage-journal, , [7ab48f96c7b426107d4ab2b6679b9769],
PUP.Optional.Updater, C:\Users\Damien\AppData\Roaming\DigitalSites\UpdateProc\UpdateTask.exe, , [52dcff26a0db40f67743bab0b151b54b],
PUP.Optional.Updater, C:\Users\Damien\AppData\Roaming\DigitalSites\UpdateProc\config.dat, , [52dcff26a0db40f67743bab0b151b54b],
PUP.Optional.Updater, C:\Users\Damien\AppData\Roaming\DigitalSites\UpdateProc\info.dat, , [52dcff26a0db40f67743bab0b151b54b],
PUP.Optional.Updater, C:\Users\Damien\AppData\Roaming\DigitalSites\UpdateProc\STTL.DAT, , [52dcff26a0db40f67743bab0b151b54b],
PUP.Optional.Updater, C:\Users\Damien\AppData\Roaming\DigitalSites\UpdateProc\TTL.DAT, , [52dcff26a0db40f67743bab0b151b54b],
PUP.Optional.FunMoods.A, C:\Users\Damien\AppData\Roaming\Funmoods\UpdateProc\config.dat, , [c16d0f16c5b656e0a78a521ac1412ed2],
PUP.Optional.FunMoods.A, C:\Users\Damien\AppData\Roaming\Funmoods\UpdateProc\info.dat, , [c16d0f16c5b656e0a78a521ac1412ed2],
PUP.Optional.FunMoods.A, C:\Users\Damien\AppData\Roaming\Funmoods\UpdateProc\src.dat, , [c16d0f16c5b656e0a78a521ac1412ed2],
PUP.Optional.FunMoods.A, C:\Users\Damien\AppData\Roaming\Funmoods\UpdateProc\STTL.DAT, , [c16d0f16c5b656e0a78a521ac1412ed2],
PUP.Optional.FunMoods.A, C:\Users\Damien\AppData\Roaming\Funmoods\UpdateProc\TTL.DAT, , [c16d0f16c5b656e0a78a521ac1412ed2],
PUP.Optional.FunMoods.A, C:\Users\Damien\AppData\Roaming\Funmoods\UpdateProc\UpdateTask.exe, , [c16d0f16c5b656e0a78a521ac1412ed2],
PUP.Optional.HDVidCodec.A, C:\Windows\Tasks\HDvid Codec V6.0-chromeinstaller.job, , [fc32ba6b215a20167037cfc020e3d030],
PUP.Optional.HDVidCodec.A, C:\Windows\Tasks\HDvid Codec V6.0-updater.job, , [47e7ac791f5cd0669710652ac43f7e82],
PUP.Optional.Conduit.A, C:\ProgramData\Conduit\IE\CT3287810\UninstallerUI.exe, , [98963ee7ee8dd660a0d3b69cf9096b95],
PUP.Optional.Conduit.A, C:\ProgramData\Conduit\IE\CT3289075\UninstallerUI.exe, , [98963ee7ee8dd660a0d3b69cf9096b95],
PUP.Optional.Conduit.A, C:\ProgramData\Conduit\IE\CT3289847\UninstallerUI.exe, , [98963ee7ee8dd660a0d3b69cf9096b95],
PUP.Optional.SaveSense, C:\ProgramData\SaveSenseLive\Update\Log\SaveSenseLive.log, , [eb43e93c64172313a1b8f85b62a0c33d],
PUP.Optional.SaveSense, C:\Users\Damien\AppData\Roaming\SaveSense\UpdateProc\config.dat, , [3fefe1448dee4fe763f77fd49c667987],
PUP.Optional.SaveSense, C:\Users\Damien\AppData\Roaming\SaveSense\UpdateProc\info.dat, , [3fefe1448dee4fe763f77fd49c667987],
PUP.Optional.SaveSense, C:\Users\Damien\AppData\Roaming\SaveSense\UpdateProc\STTL.DAT, , [3fefe1448dee4fe763f77fd49c667987],
PUP.Optional.SaveSense, C:\Users\Damien\AppData\Roaming\SaveSense\UpdateProc\TTL.DAT, , [3fefe1448dee4fe763f77fd49c667987],
PUP.Optional.SaveSense, C:\Users\Damien\AppData\Roaming\SaveSense\UpdateProc\UpdateTask.exe, , [3fefe1448dee4fe763f77fd49c667987],
PUP.Optional.NextLive.A, C:\Users\Damien\AppData\Roaming\newnext.me\nengine.cookie, , [59d5141174073ef80a95d2816f932ad6],
PUP.Optional.NextLive.A, C:\Users\Damien\AppData\Roaming\newnext.me\cache\spark.bin, , [59d5141174073ef80a95d2816f932ad6],
PUP.Optional.Multiplug, C:\Program Files (x86)\YoutubeAdblocker\EczE2YPQl.dat, , [f935fc2987f40d298b8ed87c649ec33d],
PUP.Optional.Multiplug, C:\Program Files (x86)\YoutubeAdblocker\EczE2YPQl.tlb, , [f935fc2987f40d298b8ed87c649ec33d],
PUP.Optional.YoutubeAdblocker.A, C:\ProgramData\YoutubeAdblocker\17o36WPGCu.dat, , [7eb04ed70f6c211560d363f39d6545bb],

Physical Sectors: 0
(No malicious items detected)


(end)

Must be a keylogger then. You can get a keylogger on your computer from simply downloading a document someone sent you, etc.; especially ones like Ardamax don't register as viruses.

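A triage pass over the scan log quoted in this post, added here as an example (it is not part of the thread or any poster's code): it separates the one non-PUP detection with Run-key persistence from the adware noise. The three scoring heuristics and the function names are assumptions made for illustration; the four sample lines are copied from the log above.

```python
import re

# Four lines copied verbatim from the scan log quoted above.
SAMPLE_LOG = r"""
Trojan.MSIL, HKU\S-1-5-21-1765719292-827427354-1992714951-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|Adobe Update, C:\Users\Damien\AppData\Roaming\Adobe\AdobeUpdate.exe, , [ba7479ac88f3df57e729af99629fc040]
PUP.Optional.NextLive.A, HKU\S-1-5-21-1765719292-827427354-1992714951-1001-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|NextLive, C:\Windows\SysWOW64\rundll32.exe "C:\Users\Damien\AppData\Roaming\newnext.me\nengine.dll",EntryPoint -m l, , [ed4135f0037874c21a7365e70cf52ad6]
PUP.Optional.SaveSense, C:\Program Files (x86)\SaveSenseLive, , [d35bab7a7506e155fb5d054e788a16ea],
Trojan.MSIL, C:\Users\Damien\AppData\Roaming\Adobe\AdobeUpdate.exe, , [ba7479ac88f3df57e729af99629fc040],
"""

# Heuristics (assumptions for this example, not vendor logic).
AUTORUN = re.compile(r"\\CURRENTVERSION\\RUN(ONCE)?\|", re.I)
USER_BINARY = re.compile(r"\\AppData\\.*\.(exe|dll)\b", re.I)


def parse_line(line):
    """Split 'Detection, location[, data], , [id]' into its fields."""
    parts = line.strip().split(", ")
    if len(parts) < 3:
        return None  # blank lines and section headers such as "Files: 40"
    data = parts[2] if not parts[2].startswith("[") else ""
    return {"detection": parts[0], "location": parts[1], "data": data}


def triage(log_text):
    """Return (score, detection, flags, target) tuples, highest score first."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        target = rec["data"] or rec["location"]
        flags = []
        if not rec["detection"].upper().startswith("PUP"):
            flags.append("non-PUP family")
        if AUTORUN.search(rec["location"]):
            flags.append("Run-key persistence")
        if USER_BINARY.search(target):
            flags.append("binary in user profile")
        findings.append((len(flags), rec["detection"], flags, target))
    # sorted() is stable, so equal scores keep their order from the log.
    return sorted(findings, key=lambda f: -f[0])


if __name__ == "__main__":
    for score, name, flags, target in triage(SAMPLE_LOG):
        print(score, name, flags, target)
```

The Run-key entry that starts `AdobeUpdate.exe` from the roaming profile at every logon is the only line that hits all three heuristics, which is why it deserves attention ahead of the PUP entries.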
cbeast
April 02, 2014, 01:27:05 AM
 #13

It is really interesting that transactions f5b06763dc780608dd63b44ed4b6a20097ed66b45c59177710cd692230fcbecb and 3befa4d5c84ce1518327911d436b8852996da47f091d4c725a2ebca4fef98f52 both had outputs of 0.35298503 BTC. This suggests that two separate wallets share the same private key. That is practically impossible unless a hacker got into your computer or you were using advanced key management features improperly.

Any significantly advanced cryptocurrency is indistinguishable from Ponzi Tulips.
edgebits (OP)
April 02, 2014, 01:35:29 AM
 #14

Where should I go from here? Quarantine/delete all the potential threats? Reformat the PC? Throw it out? Shoot myself in the head?
LAMarcellus
April 02, 2014, 01:46:12 AM
 #15

I myself quarantine and delete all. Restart my comp then scan again for peace of mind.
I personally use the "watch only" feature of electrum so that my private keys are not stored on the computer.

You backed up onto a USB stick. Did you ever back up onto the hard drive? Default path?
Was your computer on and electrum running when the theft occurred?

I am curious whether this loss is due to some form of malware or whether the "12 word seed" used to create Electrum wallets has been broken.

Finally as cbeast said, the transaction outputs are anomalous and suggest someone could've physically accessed your computer. Is this a possibility?

The only way to deal with an unfree world is to become so absolutely free that your very existence is an act of rebellion. – Albert Camus
cbeast
April 02, 2014, 01:51:47 AM
 #16

It looks like address 1jgxSfpvEeKo6PQTZXqLM9J3sH34UJZN9 is your compromised address, but I wouldn't assume it's the only one. I think there is an option to freeze individual addresses, but the safest thing to do is sweep each individual private key to a new wallet.

LAMarcellus
April 02, 2014, 01:53:51 AM
 #17

Quote from: cbeast on April 02, 2014, 01:27:05 AM
It is really interesting that transactions f5b06763dc780608dd63b44ed4b6a20097ed66b45c59177710cd692230fcbecb and 3befa4d5c84ce1518327911d436b8852996da47f091d4c725a2ebca4fef98f52 both had outputs of 0.35298503 BTC. This suggests that two separate wallets share the same private key. That is practically impossible unless a hacker got into your computer or you were using advanced key management features improperly.

Care to elaborate on the bolded section?
Also the OP is using Electrum. I'm not sure electrum offers advanced key management features. Which feature are you referring to?
Just trying to learn here.
Thanks for your input.

cbeast
April 02, 2014, 01:58:43 AM
 #18

Quote from: LAMarcellus on April 02, 2014, 01:53:51 AM
Quote from: cbeast on April 02, 2014, 01:27:05 AM
It is really interesting that transactions f5b06763dc780608dd63b44ed4b6a20097ed66b45c59177710cd692230fcbecb and 3befa4d5c84ce1518327911d436b8852996da47f091d4c725a2ebca4fef98f52 both had outputs of 0.35298503 BTC. This suggests that two separate wallets share the same private key. That is practically impossible unless a hacker got into your computer or you were using advanced key management features improperly.

Care to elaborate on the bolded section?
Also the OP is using Electrum. I'm not sure electrum offers advanced key management features. Which feature are you referring to?
Just trying to learn here.
Thanks for your input.

I doubt a hacker would only steal from one address. They would have cleaned out the wallet using keyloggers. Electrum has the ability to import and export private keys as well as sync to other wallets. DON'T USE THEM unless you are an expert. I lost dozens of BTC that way before I learned the dangers.

raindex
April 02, 2014, 02:03:40 AM
 #19

3befa4d5c84ce1518327911d436b8852996da47f091d4c725a2ebca4fef98f52 is when OP received this amount on address 1jgxSfpvEeKo6PQTZXqLM9J3sH34UJZN9, and f5b06763dc780608dd63b44ed4b6a20097ed66b45c59177710cd692230fcbecb is when the same amount was stolen from this address.

There is still a little hope that someone close to you decided to prank you on April 1st.
cbeast
April 02, 2014, 02:09:31 AM
 #20

If someone gives you a private key as a "prize" you should always sweep from it, not import it, because they control that address as well if your wallet ever happens to use it as a change address.
