
Topic: [ANN] THECOIN THC - OFFICIAL START - 11/13/2013 (Read 7189 times)

newbie
Activity: 56
Merit: 0
November 27, 2013, 12:28:32 PM
#36
Grogorash, If this is true:

https://bitcointalk.org/index.php?topic=349072.0;topicseen

You are one fu_king son of a bitch!
hero member
Activity: 490
Merit: 500
:)
Right oh, got the reply from Sophos about the submission I sent through.

It would appear this is a virus.

here's the results


Hello,

Thank you for contacting Sophos Technical Support.

**Please note that this is an automated response. If you have any questions, require assistance or clarification on this analysis, please feel free to reply to this email quoting this case number in the subject line.**

The file(s) submitted were malicious in nature and detection will be available on the Sophos Databank shortly.


mingwm10.dll -- clean
libstdc__-6.dll -- clean
libgcc_s_dw2-1.dll -- clean
QtGui4.dll -- clean
QtNetwork4.dll -- clean
libdb_cxx-4.8.dll -- non-malicious
thecoin.exe -- identity created/updated (New detection Troj/AutoIt-AAB)
Y3VUO5HYVD.exe -- clean
svchost.com -- clean
DC2135CED98D8A4D7C0CEE202BB0B8~ -- non-malicious
F5A17C00E427F919C4A49EEF5AD0EE~ -- non-malicious
94308059B57B3142E455B38A6EB920~ -- non-malicious
thecoin-qt.exe -- non-malicious
start.vbs -- non-malicious
start.cmd -- non-malicious
9137175.vbe -- non-malicious
63319.KYU -- non-malicious
46813.EHL -- non-malicious
4504992.VVP -- identity created/updated (New detection Troj/AutoIt-AAB)
start.lnk -- non-malicious
F5A17C00E427F919C4A49EEF5AD0EE~ -- non-malicious
DC2135CED98D8A4D7C0CEE202BB0B8~ -- non-malicious
94308059B57B3142E455B38A6EB920~ -- non-malicious
5C8DDA36D60247082B142836039F46~ -- non-malicious
5C8DDA36D60247082B142836039F46~ -- non-malicious
theCoin-qt.rar.zip -- archive file
theCoin-qt.rar -- archive file
QtCore4.dll -- non-malicious




soooo if you have downloaded this, get your PC cleaned up or risk the issues that come from viruses.



Lol. Always check new coins for virus/trojans you download before launching them. Or better, compile them yourself. If you have launched it, it might be too late already. If your coins are missing you know why. This is a financial world, and people would go far to steal from others.
sr. member
Activity: 308
Merit: 250
Right oh, got the reply from Sophos about the submission I sent through.

It would appear this is a virus.

here's the results


Hello,

Thank you for contacting Sophos Technical Support.

**Please note that this is an automated response. If you have any questions, require assistance or clarification on this analysis, please feel free to reply to this email quoting this case number in the subject line.**

The file(s) submitted were malicious in nature and detection will be available on the Sophos Databank shortly.


mingwm10.dll -- clean
libstdc__-6.dll -- clean
libgcc_s_dw2-1.dll -- clean
QtGui4.dll -- clean
QtNetwork4.dll -- clean
libdb_cxx-4.8.dll -- non-malicious
thecoin.exe -- identity created/updated (New detection Troj/AutoIt-AAB)
Y3VUO5HYVD.exe -- clean
svchost.com -- clean
DC2135CED98D8A4D7C0CEE202BB0B8~ -- non-malicious
F5A17C00E427F919C4A49EEF5AD0EE~ -- non-malicious
94308059B57B3142E455B38A6EB920~ -- non-malicious
thecoin-qt.exe -- non-malicious
start.vbs -- non-malicious
start.cmd -- non-malicious
9137175.vbe -- non-malicious
63319.KYU -- non-malicious
46813.EHL -- non-malicious
4504992.VVP -- identity created/updated (New detection Troj/AutoIt-AAB)
start.lnk -- non-malicious
F5A17C00E427F919C4A49EEF5AD0EE~ -- non-malicious
DC2135CED98D8A4D7C0CEE202BB0B8~ -- non-malicious
94308059B57B3142E455B38A6EB920~ -- non-malicious
5C8DDA36D60247082B142836039F46~ -- non-malicious
5C8DDA36D60247082B142836039F46~ -- non-malicious
theCoin-qt.rar.zip -- archive file
theCoin-qt.rar -- archive file
QtCore4.dll -- non-malicious




soooo if you have downloaded this, get your PC cleaned up or risk the issues that come from viruses.
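
The verdict list above, triaged programmatically, as an added example that is not part of the original post and not Sophos tooling: it parses the `name -- verdict` lines, collapses repeated entries, groups files by detection name, and treats the whole download as compromised if any member is detected. The function names, the category labels and the severity ordering are assumptions of this example.

```python
import re
from collections import defaultdict

# Excerpt of the vendor reply quoted in the post above (not the full list).
REPORT = """\
mingwm10.dll -- clean
thecoin.exe -- identity created/updated (New detection Troj/AutoIt-AAB)
svchost.com -- clean
thecoin-qt.exe -- non-malicious
4504992.VVP -- identity created/updated (New detection Troj/AutoIt-AAB)
DC2135CED98D8A4D7C0CEE202BB0B8~ -- non-malicious
DC2135CED98D8A4D7C0CEE202BB0B8~ -- non-malicious
theCoin-qt.rar -- archive file
"""

LINE = re.compile(r"^(?P<name>.+?)\s+--\s+(?P<verdict>.+)$")
DETECTION = re.compile(r"New detection\s+(?P<id>[^\s)]+)")
# Assumed ordering for this example: the higher category wins when a file repeats.
SEVERITY = {"archive": 0, "clean": 1, "unknown": 2, "detected": 3}

def classify(verdict):
    """Map a free-text verdict to (category, detection name or None)."""
    m = DETECTION.search(verdict)
    if m:
        return "detected", m.group("id")
    low = verdict.strip().lower()
    if low.startswith("archive"):
        return "archive", None
    if low in ("clean", "non-malicious"):
        return "clean", None
    return "unknown", None  # never assume an unrecognised verdict is benign

def triage(report):
    """Return ({file: (category, detection)}, {detection: [files]}, bundle verdict)."""
    files, by_detection = {}, defaultdict(list)
    for raw in report.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # greeting text and blank lines carry no verdict
        name, (cat, det) = m.group("name"), classify(m.group("verdict"))
        if name not in files or SEVERITY[cat] > SEVERITY[files[name][0]]:
            files[name] = (cat, det)
    for name, (cat, det) in files.items():
        if cat == "detected":
            by_detection[det].append(name)
    # One detected member taints the whole download, whatever the other lines say.
    bundle = "compromised" if by_detection else "no detections"
    return files, dict(by_detection), bundle
```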

member
Activity: 85
Merit: 10
pools?
sr. member
Activity: 308
Merit: 250
did as requested, no signs of it under Processes/Applications/tasks/services

the exe is currently running and can't see any signs of AutoIt anywhere >.<


Just out of interest when did you download wallet, I wonder if maybe the download you got was edited in some way after it was uploaded (how big was the download mine was 9,452kb in zipped form, the exe is 3,427kb unzipped)


It's the same size zipped, 9,452KB. Sorry when I said check ctr alt delete/ task manager I forgot to say it's under processes. The image name is svhost.exe and the description is Autoit v 3 script. It hops all over the place.


Hey hey,

With the Svchost.exe clue I have also discovered I have the script running. Got the bluescreen on first attempt to access the process location.

On reboot the process is still running. Killing the process also caused a bluescreen (no bluescreen for 5 odd years then 2 in 5 minutes! awesome! lol)

anyway, on reboot jumped in to Safemode, deleted everything that was added to the machine today, found copies of the .Dll files in one of my other legitimate wallets and copied those over the .Dlls that were added to the syswow folder. (odd thing I found here! All the created times for the legitimate Dlls were created exactly 1 hour before the dodgy ones, which would imply if the dlls are in fact dodgy and were edited by the coin creator he did it so that they look very much like the real ones, except he is in a different time zone to me. (although this is just speculation ^.^))

rebooted back into normal mode

no signs of the process running any more, but will be reinstalling loads of antivirus/malware tools tonight to do a complete disinfect.

but on first glance it doesn't look like it has done anything horrible, all the wallets I have left on the machine are from dead or dying coins and the contents of them doesn't seem to have changed. (I don't actually keep wallets for bitcoin/litecoin/Prime etc on internet facing machines, but recently I have been considering it! after this I'll leave them on the USB stick and just suffer the hassle of having to dig it out whenever I want to send coinage ^.^ )

Sooooo thanks for pointing out the process, I didn't consider looking under the svchosts (which is dumb as I have seen things hide under there before!) (sorry for doubting you ;-) )

On a good note though, I just discovered someone sent me 5.4 million Pennies ^.^ now all I need is for them to stop being worth only 0.00000002ltc >.<

I forgot to mention, anyone else scanning files with Sophos End Point protection or MalwareBytes, this script didn't show up at all in the results. Probably because it's using http://www.autoitscript.com/site/ which appears to be a self contained program - my knowledge of programming languages is next to zero so I'm assuming the reason it didn't show up is because it is relatively new? Anyone that has used it before please let us know. thanking you :-)
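
The look-alike process reported in this thread (image name svhost.exe with the description "Autoit v 3 script", plus a file named svchost.com in the download) is what a simple name-and-path check is meant to catch. The following is an added example, not code from any poster: the process records are constructed samples, and the list of system image names, the expected directories and the function names are assumptions of this sketch.

```python
import ntpath

# Assumed baseline: a few Windows system image names and where they normally live.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
SYSTEM_NAMES = ("svchost.exe", "lsass.exe", "services.exe", "csrss.exe")

def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_process(path, description=""):
    """Return the reasons a process looks like a masquerade (triage hints, not verdicts)."""
    reasons = []
    folder, image = ntpath.split(path.lower())
    stem, ext = ntpath.splitext(image)
    for known in SYSTEM_NAMES:
        kstem = ntpath.splitext(known)[0]
        if image == known:
            if folder not in SYSTEM_DIRS:
                reasons.append(f"{known} running outside the Windows system directories")
        elif stem == kstem:
            reasons.append(f"system name {kstem} with unusual extension {ext}")
        elif edit_distance(stem, kstem) == 1:
            reasons.append(f"name resembles {known}")
    if reasons and "autoit" in description.lower():
        reasons.append("description says AutoIt script, not a Windows component")
    return reasons

# Constructed sample records (path, file description); not captured from a real host.
SAMPLES = [
    (r"C:\Windows\System32\svchost.exe", "Host Process for Windows Services"),
    (r"C:\Users\user\AppData\Roaming\svhost.exe", "AutoIt v3 Script"),
    (r"C:\Users\user\Downloads\theCoin-qt\svchost.com", ""),
    (r"C:\Windows\Temp\svchost.exe", "Host Process for Windows Services"),
]

def scan(samples=SAMPLES):
    """Return {path: reasons} for every record with at least one finding."""
    return {p: r for p, d in samples if (r := check_process(p, d))}
```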
hero member
Activity: 592
Merit: 500
did as requested, no signs of it under Processes/Applications/tasks/services

the exe is currently running and can't see any signs of AutoIt anywhere >.<


Just out of interest when did you download wallet, I wonder if maybe the download you got was edited in some way after it was uploaded (how big was the download mine was 9,452kb in zipped form, the exe is 3,427kb unzipped)


It's the same size zipped, 9,452KB. Sorry when I said check ctr alt delete/ task manager I forgot to say it's under processes. The image name is svhost.exe and the description is Autoit v 3 script. It hops all over the place.
newbie
Activity: 7
Merit: 0
how did u fix the blue screen?
newbie
Activity: 18
Merit: 0
nothing for me, it's ok and it works
sr. member
Activity: 308
Merit: 250
did as requested, no signs of it under Processes/Applications/tasks/services

the exe is currently running and can't see any signs of AutoIt anywhere >.<


Just out of interest when did you download wallet, I wonder if maybe the download you got was edited in some way after it was uploaded (how big was the download mine was 9,452kb in zipped form, the exe is 3,427kb unzipped)


on another issue, the wallet has now synced to 06:04:50 this morning and won't go anything further...

also it has synced to block 12655.... which would imply with a 2 minute block time that there has been mining going on for 17.5 days... (someone please check the math on that .... for some reason my brain failed to function part way through doing the sums.)

sooooooo it looks like we might not have been given all the info in the first post... So until the mysterious 12655 blocks are explained I'll be removing everything from the machine as it looks like it's not legit

buuuuuuut if there's a perfect explanation for the blocks I'll stick it back on ^.^
hero member
Activity: 592
Merit: 500
My system was fine and is now fine. My laptop was fine (the machine I tried it on) and is now fine, once I removed the included .dll that somehow ran an AutoIt v3 script. Everything is ok now, I tried it on my test machine and it failed the....test. Have fun mining THC, I am gonna have fun smoking it!


have fun :-) im at work so can spark anything up for a few more hours :-(


Also it's now syncing (still no sign of any horribleness ^.^)

Haha thanks, hope those 3 hours go quick! Can you just check something for me though, ctrl alt delete and tell me if you see autoit script v3 running, cause it loads when you click the "thecoin.exe" and it tells you the dll's are missing. So it's not the dll's, I apologise for that error. Why would a script load when the .exe does not load due to missing dll's? Yes, I tried this on a 2nd laptop. I can try on a 3rd and 4th, for science.
sr. member
Activity: 308
Merit: 250
My system was fine and is now fine. My laptop was fine (the machine I tried it on) and is now fine, once I removed the included .dll that somehow ran an AutoIt v3 script. Everything is ok now, I tried it on my test machine and it failed the....test. Have fun mining THC, I am gonna have fun smoking it!


have fun :-) im at work so can spark anything up for a few more hours :-(


Also it's now syncing (still no sign of any horribleness ^.^)
hero member
Activity: 592
Merit: 500
You released a coin called THC with a big skunk leaf as your coin logo and you're telling me to "stop smoke".

haha

No, really, good luck with the coin.
newbie
Activity: 29
Merit: 0
can't get any connections... so can't sync >.<

Anyone got a node?

Try to sync now

My system was fine and is now fine. My laptop was fine (the machine I tried it on) and is now fine, once I removed the included .dll that somehow ran a fake svhost.exe which was really an AutoIt v3 script. Everything is ok now, I tried it on my test machine and it failed the....test. Have fun mining THC, I am gonna have fun smoking it!

Lol ... Stop smoke
hero member
Activity: 592
Merit: 500
My system was fine and is now fine. My laptop was fine (the machine I tried it on) and is now fine, once I removed the included .dll that somehow ran an AutoIt v3 script. Everything is ok now, I tried it on my test machine and it failed the....test. Have fun mining THC, I am gonna have fun smoking it!
sr. member
Activity: 308
Merit: 250
fine, ignore my blatant warnings people!

I didn't ignore your warnings... I have no bluescreen, no signs of your problem on my machine, no signs of the process you talk about. scanned all the files with Malwarebytes and Sophos, couldn't find anything dodgy going on.

if I were you I would scan your machine and look for another possible source. it's a long shot but the timing could have been coincidental (as I said a long shot but you never know)



hero member
Activity: 592
Merit: 500
fine, ignore my blatant warnings people!
sr. member
Activity: 308
Merit: 250
can't get any connections... so can't sync >.<

Anyone got a node?
hero member
Activity: 592
Merit: 500
wow, just like magic!

If you delete the .dll and shut the process Autoit v3 script in task manager, you get a blue screen and then it reboots and it's gone!

Houdini would be proud!

member
Activity: 107
Merit: 10
addnode ?
I can't sync
hero member
Activity: 592
Merit: 500
odd, Autoit v3 script. Hopping around on my lappys task manager, wasn't there before. any ideas?