Topic: Be careful about Viruses! (Read 2516 times)

legendary
Activity: 1232
Merit: 1001
July 18, 2015, 11:30:55 AM
#34
ty for looking into it, looks like i was infected for some time now so the wallets look clean. i am closing this case, don't be naive like i am and download any shit wallet just because everybody is mining and hyping. thanks for your time.
legendary
Activity: 2002
Merit: 1051
ICO? Not even once.
July 17, 2015, 11:36:49 AM
#33
https://mega.co.nz/#!sUIQhCrZ!ZpHNYTqjkg7hzehHiWaNzAXZky6Acb6xUev19AWoYYk

File changes:
Quote
> \user\all\boost_interprocess\SHROOMSURI
3122a3124,3136
> \user\current\AppData\Roaming\SHROOMS\.lock
> \user\current\AppData\Roaming\SHROOMS\blk0001.dat
> \user\current\AppData\Roaming\SHROOMS\db.log
> \user\current\AppData\Roaming\SHROOMS\debug.log
> \user\current\AppData\Roaming\SHROOMS\peers.dat
> \user\current\AppData\Roaming\SHROOMS\wallet.dat
> \user\current\AppData\Roaming\SHROOMS\database\log.0000000001
> \user\current\AppData\Roaming\SHROOMS\txleveldb\000004.log
> \user\current\AppData\Roaming\SHROOMS\txleveldb\000005.sst
> \user\current\AppData\Roaming\SHROOMS\txleveldb\CURRENT
> \user\current\AppData\Roaming\SHROOMS\txleveldb\LOCK
> \user\current\AppData\Roaming\SHROOMS\txleveldb\LOG
> \user\current\AppData\Roaming\SHROOMS\txleveldb\MANIFEST-000002

Registry changes:

Quote
Windows Registry Editor Version 5.00

[user\current\software\SHROOMS]

[user\current\software\SHROOMS\SHROOMS-Qt]

[user\current\software\SHROOMS\SHROOMS-Qt\settings]
"rootpath"=""
"port"="5566"
"username"="admin"
"password"="qt"
"anonymous"="false"
"readonly"="false"
"oneip"="false"

[user\current_classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"\shroom.exe"="SHROOMS-Qt (OSS GUI client for SHROOMS)"


Not sure what the username/password part is about, but these were all the changes the wallet created.

Edit: Looks like those reg keys are for an FTP server? https://code.google.com/p/qt-ftp-server/source/browse/mainwindow.cpp#120
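A registry diff like the one above is where the FTP-server settings showed up. As an added example (not code from the thread or from SandboxDiff), this parses a .reg export in that format and flags a key that configures a network service with a default credential, plus the MuiCache entries that record which executable actually ran; the sample export is constructed from the keys quoted in this post.

```python
"""Parse a 'Windows Registry Editor' (.reg) export of the registry changes a
sandboxed wallet made and flag settings a defender would want explained.

Added example, not code from the thread or from SandboxDiff. The sample
export is constructed from the SHROOMS-Qt keys quoted in the thread."""
import re
from typing import Dict, List, Tuple

# Constructed sample: the registry diff quoted in the thread.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[user\current\software\SHROOMS]

[user\current\software\SHROOMS\SHROOMS-Qt]

[user\current\software\SHROOMS\SHROOMS-Qt\settings]
"rootpath"=""
"port"="5566"
"username"="admin"
"password"="qt"
"anonymous"="false"
"readonly"="false"
"oneip"="false"

[user\current_classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"\shroom.exe"="SHROOMS-Qt (OSS GUI client for SHROOMS)"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: data}} for a .reg export.

    Quoted (REG_SZ) data is unescaped; dword:/hex: data is kept as raw text.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('Windows Registry Editor'):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            keys[current][name] = data
    return keys


# A key carrying all of these value names describes a network service with
# its own credentials, which a coin wallet has no reason to ship.
SERVICE_NAMES = {'port', 'username', 'password', 'anonymous', 'readonly'}
# Passwords that are obviously defaults or placeholders.
WEAK_SECRETS = {'', 'admin', 'qt', 'password', 'root', '1234', 'test'}


def flag_settings(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (key_path, reason) pairs for settings worth a closer look."""
    findings: List[Tuple[str, str]] = []
    for path, values in keys.items():
        lowered = {n.lower(): v for n, v in values.items()}
        if SERVICE_NAMES <= set(lowered):
            reason = (f"network service config on port {lowered['port']}, "
                      f"user {lowered['username']!r}")
            if lowered['password'].lower() in WEAK_SECRETS:
                reason += ', default/weak password'
            if lowered['anonymous'].lower() == 'true':
                reason += ', anonymous access enabled'
            findings.append((path, reason))
        # MuiCache records executables that were actually launched.
        if path.lower().endswith('shell\\muicache'):
            for name in values:
                findings.append((path, f'executable launched: {name}'))
    return findings


if __name__ == '__main__':
    for key, why in flag_settings(parse_reg(SAMPLE_REG)):
        print(f'{key}\n    {why}')
```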
sr. member
Activity: 249
Merit: 250
July 17, 2015, 04:26:08 AM
#32
today i got all my Crave stolen and M1 too, yesterday i downloaded two wallets NOC (Nocturna) and SHRM (SHROOMS), i scanned both at Virustotal but looks like the infected wallet is fully undetected by antiviruses. so be careful with these new coins.
After posting in SHROOMS thread about it my post got deleted so i assume SHROOMS wallet is infected.

Code:
Registrierungsschlüssel: 3
Backdoor.Agent.MSC, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WIN32.EXE, , [1e532fb3e2a879bd8d1105416f947f81],
Backdoor.Agent.MSC, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WIN32.EXE, , [1e532fb3e2a879bd8d1105416f947f81],
Malware.Trace, HKU\S-1-5-21-3263657515-926084177-3591563880-1001\SOFTWARE\DC3_FEXEC, , [71000bd72169f83e79f88b62877c47b9],

Registrierungswerte: 1
PUP.Vulnerable.DellSystemDetect, HKU\S-1-5-21-3263657515-926084177-3591563880-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|DellSystemDetect, C:\Users\0\AppData\Local\Apps\2.0\CWDABVX1.PTA\JEY57068.PLT\dell..tion_e30b47f5d4a30e9e_0005.000d_4ab2a66cfade09be\DellSystemDetect.exe, , [3041ffe311798da93956bf48778c15eb]

Registrierungsdaten: 0
(keine bösartigen Elemente erkannt)

Ordner: 6
Stolen.Data, C:\Users\0\AppData\Roaming\dclogs, , [f978ba284d3d5fd79a3c47d431d3d22e],
Refog.Keylogger, C:\ProgramData\MPK, , [adc40fd34a403cfa34f2744fba4852ae],
Refog.Keylogger, C:\Windows\SysWOW64\MPK, , [fe73dc061f6b84b2e09c329bca38dc24],
Refog.Keylogger, C:\Windows\SysWOW64\MPK\Help, , [fe73dc061f6b84b2e09c329bca38dc24],
Refog.Keylogger, C:\Windows\SysWOW64\MPK\Help\German, , [fe73dc061f6b84b2e09c329bca38dc24],
Refog.Keylogger, C:\Windows\SysWOW64\MPK\Images, , [fe73dc061f6b84b2e09c329bca38dc24],

Dateien: 41
Backdoor.Bot, C:\ProgramData\Nimoru\GizmoSE, , [d29fe4fe701a4bebf24e165c6b9760a0],
Backdoor.Bot, C:\ProgramData\Nimoru\LicenseSE, , [6b06c51dc4c637ffe1607cf6689a17e9],
Trojan.BitcoinMiner, C:\Users\0\Downloads\CHC-cpuminer.zip, , [0d6405dd9af04fe7508127f4738eb54b],
Misused.Legit.AI, C:\Users\0\FJQIH\Autoit3132605.exe, , [bbb603dfe6a42b0bdecae33415ec53ad],
Misused.Legit.AI, C:\Users\0\FPLXT\AutoIt3-477747.exe, , [93de875b2e5ce55100a8ee29c041f60a],
Misused.Legit.AI, C:\Users\0\GBHHS\423830.exe, , [2a47736f5e2c73c3f2b633e4778ad729],
Misused.Legit.AI, C:\Users\0\IXXER\Autoit3361205.exe, , [f081677b5436ad891c8c6fa82ed302fe],
Misused.Legit.AI, C:\Users\0\PJFOQ\AutoIt3-317477.exe, , [18594999d1b994a24365090e68994cb4],
Misused.Legit.AI, C:\Users\0\PJYSH\AutoIt3-476488.exe, , [5c1531b14e3c8caa4a5ef225eb163ac6],
Misused.Legit.AI, C:\Users\0\PLNYL\AutoIt3-674095.exe, , [3b369a48fd8da78f08a06cab48b9cd33],
Misused.Legit.AI, C:\Users\0\QFBWN\AutoIt3-980556.exe, , [b6bbf6ec0387c0768d1b01165aa72ed2],
Misused.Legit.AI, C:\Users\0\RQABW\AutoIt3-305714.exe, , [ea8701e19ceecb6b9216bf58ac55659b],
Misused.Legit.AI, C:\Users\0\RWTPS\Autoit3799481.exe, , [4e23746e4b3f68ce93150d0afb065ba5],
Misused.Legit.AI, C:\Users\0\SARQB\Autoit3632787.exe, , [cca53ea497f3d2648721cd4aa75a45bb],
Misused.Legit.AI, C:\Users\0\SYMIW\Autoit3346420.exe, , [0a674f93b9d11f1744643ed9a65bd32d],
Misused.Legit.AI, C:\Users\0\SZCXS\70252.exe, , [462b3ea4c1c9ae881197d641ba47e917],
Misused.Legit.AI, C:\Users\0\UNQRL\Autoit3823165.exe, , [a5ccb9291d6d62d47b2dc3548d741ee2],
Misused.Legit.AI, C:\Users\0\UVZMS\Autoit3356564.exe, , [4d24875b2367a3931593be5940c1f10f],
Misused.Legit.AI, C:\Users\0\VFAIT\AutoIt3-233913.exe, , [343d9b4773170e288d1b59be48b9ba46],
Misused.Legit.AI, C:\Users\0\VNZZZ\Autoit3.214789.exe, , [71003aa88efcd561f9af1afd49b89e62],
Misused.Legit.AI, C:\Users\0\WEELT\Autoit3931513.exe, , [fc75657d7614dd594f5914034db4916f],
Misused.Legit.AI, C:\Users\0\WUZEP\AutoIt3-727504.exe, , [056c6c76404a0b2b099f63b4ce3320e0],
Misused.Legit.AI, C:\Users\0\YAHBI\Autoit3.432573.exe, , [7ff2ebf7e8a24de9505844d310f12dd3],
Misused.Legit.AI, C:\Users\0\YATOB\AutoIt3-72795.exe, , [d0a17270503ade58a404a275ef128080],
Misused.Legit.AI, C:\Users\0\ZKONP\AutoIt3-297516.exe, , [b1c0c61ca2e8dd591c8c5dba31d027d9],
Misused.Legit.AI, C:\Users\0\ZOQJQ\Autoit3862269.exe, , [76fb4b972d5d54e2565225f2c93858a8],
Misused.Legit.AI, C:\Users\0\NVWPL\Autoit333863.exe, , [beb35989ff8b63d300a8eb2c2cd56f91],
Misused.Legit.AI, C:\Users\0\NYMDT\Autoit3120957.exe, , [8ee3c41ea4e641f5e8c0ff185aa7ee12],
Misused.Legit.AI, C:\Users\0\OTCOG\AutoIt3-466746.exe, , [d0a180628703082e466250c789789967],
Misused.Legit.AI, C:\Users\0\JDHDW\Autoit3441978.exe, , [d29f4999ccbe1d190a9ec354e31e7c84],
Misused.Legit.AI, C:\Users\0\JSUGS\AutoIt3-306080.exe, , [343d1ac8e8a2f442990f0116c14047b9],
Misused.Legit.AI, C:\Users\0\KDYGY\AutoIt3-927653.exe, , [650cc61c4b3f3cfa4068c84fbd447c84],
Misused.Legit.AI, C:\Users\0\KMWRG\AutoIt3-993025.exe, , [620fc41e8505d165adfb1601ce3342be],
Misused.Legit.AI, C:\Users\0\KNLWO\AutoIt3-895236.exe, , [cca5d01289013204e2c693844fb28c74],
Misused.Legit.AI, C:\Users\0\KSVTO\AutoIt3-166262.exe, , [1e53f8ea9af0a195d8d0dd3ad22fd22e],
Misused.Legit.AI, C:\Users\0\LXVTT\AutoIt3-444060.exe, , [91e0b929cac066d0693f080fde23639d],
Misused.Legit.AI, C:\Users\0\BPVJQ\AutoIt3-60029.exe, , [f77a687af89238fea0082cebde233ac6],
Misused.Legit.AI, C:\Users\0\DCJRG\AutoIt3-791889.exe, , [066be7fb9feb61d523850b0cd42d4fb1],
Misused.Legit.AI, C:\Users\0\DINIH\Autoit3750382.exe, , [e190647e3e4c082eadfb72a5fd047789],
Backdoor.Agent.MSC, C:\Windows\SysWOW64\Windows Services\win32.exe, , [1e532fb3e2a879bd8d1105416f947f81],
Stolen.Data, C:\Users\0\AppData\Roaming\dclogs\2013-12-19-5.dc, , [f978ba284d3d5fd79a3c47d431d3d22e],

Physische Sektoren: 0
(keine bösartigen Elemente erkannt)


(end)


thank you for warning.
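As an added example (not the thread's code or Malwarebytes'), this parses a scan log in the format quoted above and summarises the persistence locations, the credential-capture artefacts, the randomly named drop directories and the earliest date in a captured-data filename, which is what shows an infection predating a wallet download. The sample log is constructed from a subset of the quoted lines, with the Dell path shortened.

```python
"""Triage a Malwarebytes-style scan log: one 'Family, Path, , [id],' line per
detection under 'Section: count' headings (German headings in the sample;
English ones parse the same way).

Added example, not code from the thread or from Malwarebytes. The sample
is constructed from a subset of the quoted log; the Dell path is shortened."""
import re
from collections import Counter
from typing import Dict, List

SAMPLE_LOG = r"""Registrierungsschlüssel: 3
Backdoor.Agent.MSC, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WIN32.EXE, , [1e532fb3e2a879bd8d1105416f947f81],
Malware.Trace, HKU\S-1-5-21-3263657515-926084177-3591563880-1001\SOFTWARE\DC3_FEXEC, , [71000bd72169f83e79f88b62877c47b9],

Registrierungswerte: 1
PUP.Vulnerable.DellSystemDetect, HKU\S-1-5-21-3263657515-926084177-3591563880-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|DellSystemDetect, C:\Users\0\AppData\Local\Apps\2.0\DellSystemDetect.exe, , [3041ffe311798da93956bf48778c15eb]

Ordner: 6
Stolen.Data, C:\Users\0\AppData\Roaming\dclogs, , [f978ba284d3d5fd79a3c47d431d3d22e],
Refog.Keylogger, C:\ProgramData\MPK, , [adc40fd34a403cfa34f2744fba4852ae],

Dateien: 41
Backdoor.Bot, C:\ProgramData\Nimoru\GizmoSE, , [d29fe4fe701a4bebf24e165c6b9760a0],
Misused.Legit.AI, C:\Users\0\FJQIH\Autoit3132605.exe, , [bbb603dfe6a42b0bdecae33415ec53ad],
Misused.Legit.AI, C:\Users\0\FPLXT\AutoIt3-477747.exe, , [93de875b2e5ce55100a8ee29c041f60a],
Stolen.Data, C:\Users\0\AppData\Roaming\dclogs\2013-12-19-5.dc, , [f978ba284d3d5fd79a3c47d431d3d22e],

Physische Sektoren: 0
(keine bösartigen Elemente erkannt)
"""

SECTION_RE = re.compile(r'^([^:]+): (\d+)$')
DETECTION_RE = re.compile(r'^([^,]+), (.+?), , \[([0-9a-f]{32})\],?$')


def parse_log(text: str) -> List[Dict[str, str]]:
    """Return one {'section', 'family', 'path', 'id'} dict per detection."""
    items: List[Dict[str, str]] = []
    section = ''
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        m = DETECTION_RE.match(line)
        if m:
            items.append({'section': section, 'family': m.group(1),
                          'path': m.group(2), 'id': m.group(3)})
    return items


# Registry locations that give malware a way to run again after a reboot.
PERSISTENCE_MARKERS = ('IMAGE FILE EXECUTION OPTIONS', '\\CURRENTVERSION\\RUN')
# Families that record what the user types or stage the captured data.
CAPTURE_FAMILIES = ('Keylogger', 'Stolen.Data')
# The droppers in the thread landed in C:\Users\<name>\<5 random capitals>\.
RANDOM_DIR_RE = re.compile(r'^[A-Za-z]:\\Users\\[^\\]+\\[A-Z]{5}\\')


def triage(items: List[Dict[str, str]]) -> Dict[str, object]:
    """Summarise what the detections say about how the coins could be taken."""
    persistence = [i['path'] for i in items
                   # 'Registry Keys' / 'Registrierungsschluessel' both match
                   if i['section'].startswith('Registr')
                   and any(mk in i['path'].upper() for mk in PERSISTENCE_MARKERS)]
    capture = [i['path'] for i in items
               if any(f in i['family'] for f in CAPTURE_FAMILIES)]
    drops = [i['path'] for i in items if RANDOM_DIR_RE.match(i['path'])]
    # Captured-data files carry the capture date in their name; the oldest
    # one bounds how long the machine has been logging keystrokes.
    dates = sorted(re.findall(r'\d{4}-\d{2}-\d{2}', ' '.join(capture)))
    return {
        'families': Counter(i['family'] for i in items),
        'persistence': persistence,
        'capture_artifacts': capture,
        'random_dir_drops': drops,
        'earliest_capture': dates[0] if dates else None,
    }


if __name__ == '__main__':
    for name, value in triage(parse_log(SAMPLE_LOG)).items():
        print(f'{name}: {value}')
```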
legendary
Activity: 938
Merit: 1000
July 16, 2015, 07:28:58 PM
#31
Piriform's free anti-logger is good too. Everyone should at least be using that lightweight client.
legendary
Activity: 1218
Merit: 1002
Supporting DMD, ERC & PIO
July 16, 2015, 06:55:11 PM
#30
dclog in roaming is a keylogger
you need - an anti-keylogger

Key scrambler was created specifically to counter
crypto wallet unlocks. Very cheap.

Vegas had a theft and approached this security company to create it
(he has no interest) but did post on another coin after finding a keylogger on
his system that was unsuccessful due to KeyScrambler.
legendary
Activity: 1232
Merit: 1001
July 16, 2015, 11:41:09 AM
#29
Don't you have EA wallet installed? It was just confirmed that it has wallet stealer virus
EA? no i don't think so. i have a bunch of wallet installed, hard to say which one installed spyware.
legendary
Activity: 1232
Merit: 1001
July 16, 2015, 11:37:17 AM
#28
looks like i had RAT spyware installed long before yesterday. from logs i find it's refog keylogger, don't ask me how av didn't block it. idk
https://www.raymond.cc/blog/how-to-uninstall-refog-keylogger-without-knowing-master-password/
still investigating, so be paranoid about new wallets.
hero member
Activity: 770
Merit: 500
July 16, 2015, 10:18:20 AM
#27
Don't you have EA wallet installed? It was just confirmed that it has wallet stealer virus
legendary
Activity: 2002
Merit: 1051
ICO? Not even once.
July 16, 2015, 09:19:58 AM
#26
You can track what (file/registry) changes a wallet does with Sandboxie using SandboxDiff. To avoid a wallet link switcheroo which seems to be usual, if you send me your downloaded wallet in pm I can post a log tomorrow as I have to run now.
legendary
Activity: 1638
Merit: 1013
July 16, 2015, 09:16:33 AM
#25
I compared the binary at release and the one now and they have the same hashes. Can you post the hashes of the binary that you installed?
legendary
Activity: 1036
Merit: 1000
8b 16b DEMOSCENE FTW
July 16, 2015, 09:11:35 AM
#24
If you still have the original suspected binary, run it within a virtual environment (I don't think a sandbox will give enough safety), get Process Explorer, find the wallet process, go to its properties, find "Strings/Memory" and publish it.
legendary
Activity: 1232
Merit: 1001
July 16, 2015, 09:02:07 AM
#23
thanks, still trying to find source but is not easy as i already deleted infection.
legendary
Activity: 1036
Merit: 1000
8b 16b DEMOSCENE FTW
July 16, 2015, 08:57:40 AM
#22

First of all you should make sure you have the same versions of the wallet. Second, comparing scans proves nothing since the malware might not be activated yet.
Third, even if your PC is infected it does not mean that the infection has been made by the mentioned wallet, nor that the mentioned wallet contains malware, nor that the mentioned wallet did not make your coins disappear. Like I said, stealing coins from a running wallet is pretty easy if the user is not a smart one, and there's no way to detect it using a non-cryptocurrency-aware antivirus.


hero member
Activity: 770
Merit: 500
July 16, 2015, 08:49:39 AM
#21
So i did a scan too and i have none of your infections, so you should be more than sure that your infection has nothing to do with shrooms wallet. You got infected by something else.

Code:
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 1
Trojan.MSIL.Dropper, C:\Users\x\Downloads\papercoin-qt.rar, , [6f04657dcebc61d56d45655a3ac730d0],

Physical Sectors: 0
(No malicious items detected)


(end)

I am having an infected wallet but i know about that lol, i was just lazy to delete it
legendary
Activity: 1232
Merit: 1001
July 16, 2015, 08:48:19 AM
#20
it's not my intention to trash any coin as i invested in both of them. you are totally right, without any evidence i am just trolling and wanted to give fair warnings. after investigating it was a RAT (keylogger) that was installed locally on the pc. still searching for the source of that dclogs folder in appdata. i changed the title.
legendary
Activity: 1638
Merit: 1013
July 16, 2015, 08:32:58 AM
#19
Before just trashing the reputation of a coin, how sure are you that those files and registry entries come from the shroom wallet? None of the items you quoted appear on a test machine I installed the shroom wallet on. Can you post some better evidence that the above come from the shroom wallet apart from circumstantial? e.g. the person holding the knife next to a dead body is not automatically guilty of murder, or worse, a passerby gets arrested for murder because he walked past a dead body at the same time as the police officer sees the dead body.
hero member
Activity: 770
Merit: 500
July 16, 2015, 08:22:00 AM
#18
today i got all my Crave stolen and M1 too, yesterday i downloaded two wallets NOC (Nocturna) and SHRM (SHROOMS), i scanned both at Virustotal but looks like the infected wallet is fully undetected by antiviruses. so be careful with these new coins.
After posting in SHROOMS thread about it my post got deleted so i assume SHROOMS wallet is infected.

Have you considered (before blaming a wallet that is marked as clean by all the AV products on Virustotal) that it could have been other activity like bad browsing behavior or alternatively a bad wallet prior to yesterday but the attacker used the exploit only now?
well everything is possible.. i found it suspicious that after getting those two wallets my coins are gone, and on top of it my post got deleted from the SHROOM thread without interaction.. anyway i am just giving fair warnings to you guys, the guy's a pro as this malware is specifically designed to search remotely for txt and .dat files to find privkeys, as my wallets are encrypted. unfortunately there was an old txt file somewhere on my hd with my privkeys. so be extra careful

Did you reverse engineer the wallet to know the MO? Won't you also delete posts that fud about a virus if you were a dev?

Anyone else got wallets stolen? Perhaps you should also look at any other wallets you installed recently and if any of those were confirmed to have trojans in them by virustotal before you blame a virustotal-clean wallet.
checking now, if i were a dev and had nothing to hide no i wouldn't delete a legit question as the community would answer anyway. here is the malwarebyte analysis of my pc:
Code:
Registrierungsschlüssel: 3
Backdoor.Agent.MSC, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WIN32.EXE, , [1e532fb3e2a879bd8d1105416f947f81],
Backdoor.Agent.MSC, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WIN32.EXE, , [1e532fb3e2a879bd8d1105416f947f81],
Malware.Trace, HKU\S-1-5-21-3263657515-926084177-3591563880-1001\SOFTWARE\DC3_FEXEC, , [71000bd72169f83e79f88b62877c47b9],

Registrierungswerte: 1
PUP.Vulnerable.DellSystemDetect, HKU\S-1-5-21-3263657515-926084177-3591563880-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|DellSystemDetect, C:\Users\0\AppData\Local\Apps\2.0\CWDABVX1.PTA\JEY57068.PLT\dell..tion_e30b47f5d4a30e9e_0005.000d_4ab2a66cfade09be\DellSystemDetect.exe, , [3041ffe311798da93956bf48778c15eb]

Registrierungsdaten: 0
(keine bösartigen Elemente erkannt)

Ordner: 6
Stolen.Data, C:\Users\0\AppData\Roaming\dclogs, , [f978ba284d3d5fd79a3c47d431d3d22e],
Refog.Keylogger, C:\ProgramData\MPK, , [adc40fd34a403cfa34f2744fba4852ae],
Refog.Keylogger, C:\Windows\SysWOW64\MPK, , [fe73dc061f6b84b2e09c329bca38dc24],
Refog.Keylogger, C:\Windows\SysWOW64\MPK\Help, , [fe73dc061f6b84b2e09c329bca38dc24],
Refog.Keylogger, C:\Windows\SysWOW64\MPK\Help\German, , [fe73dc061f6b84b2e09c329bca38dc24],
Refog.Keylogger, C:\Windows\SysWOW64\MPK\Images, , [fe73dc061f6b84b2e09c329bca38dc24],

Files: 41
Backdoor.Bot, C:\ProgramData\Nimoru\GizmoSE, , [d29fe4fe701a4bebf24e165c6b9760a0],
Backdoor.Bot, C:\ProgramData\Nimoru\LicenseSE, , [6b06c51dc4c637ffe1607cf6689a17e9],
Trojan.BitcoinMiner, C:\Users\0\Downloads\CHC-cpuminer.zip, , [0d6405dd9af04fe7508127f4738eb54b],
Misused.Legit.AI, C:\Users\0\FJQIH\Autoit3132605.exe, , [bbb603dfe6a42b0bdecae33415ec53ad],
Misused.Legit.AI, C:\Users\0\FPLXT\AutoIt3-477747.exe, , [93de875b2e5ce55100a8ee29c041f60a],
Misused.Legit.AI, C:\Users\0\GBHHS\423830.exe, , [2a47736f5e2c73c3f2b633e4778ad729],
Misused.Legit.AI, C:\Users\0\IXXER\Autoit3361205.exe, , [f081677b5436ad891c8c6fa82ed302fe],
Misused.Legit.AI, C:\Users\0\PJFOQ\AutoIt3-317477.exe, , [18594999d1b994a24365090e68994cb4],
Misused.Legit.AI, C:\Users\0\PJYSH\AutoIt3-476488.exe, , [5c1531b14e3c8caa4a5ef225eb163ac6],
Misused.Legit.AI, C:\Users\0\PLNYL\AutoIt3-674095.exe, , [3b369a48fd8da78f08a06cab48b9cd33],
Misused.Legit.AI, C:\Users\0\QFBWN\AutoIt3-980556.exe, , [b6bbf6ec0387c0768d1b01165aa72ed2],
Misused.Legit.AI, C:\Users\0\RQABW\AutoIt3-305714.exe, , [ea8701e19ceecb6b9216bf58ac55659b],
Misused.Legit.AI, C:\Users\0\RWTPS\Autoit3799481.exe, , [4e23746e4b3f68ce93150d0afb065ba5],
Misused.Legit.AI, C:\Users\0\SARQB\Autoit3632787.exe, , [cca53ea497f3d2648721cd4aa75a45bb],
Misused.Legit.AI, C:\Users\0\SYMIW\Autoit3346420.exe, , [0a674f93b9d11f1744643ed9a65bd32d],
Misused.Legit.AI, C:\Users\0\SZCXS\70252.exe, , [462b3ea4c1c9ae881197d641ba47e917],
Misused.Legit.AI, C:\Users\0\UNQRL\Autoit3823165.exe, , [a5ccb9291d6d62d47b2dc3548d741ee2],
Misused.Legit.AI, C:\Users\0\UVZMS\Autoit3356564.exe, , [4d24875b2367a3931593be5940c1f10f],
Misused.Legit.AI, C:\Users\0\VFAIT\AutoIt3-233913.exe, , [343d9b4773170e288d1b59be48b9ba46],
Misused.Legit.AI, C:\Users\0\VNZZZ\Autoit3.214789.exe, , [71003aa88efcd561f9af1afd49b89e62],
Misused.Legit.AI, C:\Users\0\WEELT\Autoit3931513.exe, , [fc75657d7614dd594f5914034db4916f],
Misused.Legit.AI, C:\Users\0\WUZEP\AutoIt3-727504.exe, , [056c6c76404a0b2b099f63b4ce3320e0],
Misused.Legit.AI, C:\Users\0\YAHBI\Autoit3.432573.exe, , [7ff2ebf7e8a24de9505844d310f12dd3],
Misused.Legit.AI, C:\Users\0\YATOB\AutoIt3-72795.exe, , [d0a17270503ade58a404a275ef128080],
Misused.Legit.AI, C:\Users\0\ZKONP\AutoIt3-297516.exe, , [b1c0c61ca2e8dd591c8c5dba31d027d9],
Misused.Legit.AI, C:\Users\0\ZOQJQ\Autoit3862269.exe, , [76fb4b972d5d54e2565225f2c93858a8],
Misused.Legit.AI, C:\Users\0\NVWPL\Autoit333863.exe, , [beb35989ff8b63d300a8eb2c2cd56f91],
Misused.Legit.AI, C:\Users\0\NYMDT\Autoit3120957.exe, , [8ee3c41ea4e641f5e8c0ff185aa7ee12],
Misused.Legit.AI, C:\Users\0\OTCOG\AutoIt3-466746.exe, , [d0a180628703082e466250c789789967],
Misused.Legit.AI, C:\Users\0\JDHDW\Autoit3441978.exe, , [d29f4999ccbe1d190a9ec354e31e7c84],
Misused.Legit.AI, C:\Users\0\JSUGS\AutoIt3-306080.exe, , [343d1ac8e8a2f442990f0116c14047b9],
Misused.Legit.AI, C:\Users\0\KDYGY\AutoIt3-927653.exe, , [650cc61c4b3f3cfa4068c84fbd447c84],
Misused.Legit.AI, C:\Users\0\KMWRG\AutoIt3-993025.exe, , [620fc41e8505d165adfb1601ce3342be],
Misused.Legit.AI, C:\Users\0\KNLWO\AutoIt3-895236.exe, , [cca5d01289013204e2c693844fb28c74],
Misused.Legit.AI, C:\Users\0\KSVTO\AutoIt3-166262.exe, , [1e53f8ea9af0a195d8d0dd3ad22fd22e],
Misused.Legit.AI, C:\Users\0\LXVTT\AutoIt3-444060.exe, , [91e0b929cac066d0693f080fde23639d],
Misused.Legit.AI, C:\Users\0\BPVJQ\AutoIt3-60029.exe, , [f77a687af89238fea0082cebde233ac6],
Misused.Legit.AI, C:\Users\0\DCJRG\AutoIt3-791889.exe, , [066be7fb9feb61d523850b0cd42d4fb1],
Misused.Legit.AI, C:\Users\0\DINIH\Autoit3750382.exe, , [e190647e3e4c082eadfb72a5fd047789],
Backdoor.Agent.MSC, C:\Windows\SysWOW64\Windows Services\win32.exe, , [1e532fb3e2a879bd8d1105416f947f81],
Stolen.Data, C:\Users\0\AppData\Roaming\dclogs\2013-12-19-5.dc, , [f978ba284d3d5fd79a3c47d431d3d22e],

Physical sectors: 0
(no malicious items detected)


(end)

You are clearly infected. Out of curiosity I am running a Malwarebytes scan now too.
legendary
Activity: 1638
Merit: 1013
July 16, 2015, 08:19:07 AM
#17
Today I got all my Crave stolen, and M1 too. Yesterday I downloaded two wallets, NOC (Nocturna) and SHRM (SHROOMS). I scanned both at VirusTotal, but it looks like the infected wallet is fully undetected by antiviruses. So be careful with these new coins.
After posting in the SHROOMS thread about it my post got deleted, so I assume the SHROOMS wallet is infected.

Have you considered (before blaming a wallet that is marked as clean by all the AV products on VirusTotal) that it could have been other activity, like bad browsing behavior, or alternatively a bad wallet from before yesterday, with the attacker using the exploit only now?
Well, everything is possible. I found it suspicious that after getting those two wallets my coins are gone, and on top of it my post got deleted from the SHROOM thread without interaction. Anyway, I am just giving fair warnings to you guys. The guy's a pro, as this malware is specifically designed to search remotely for .txt and .dat files to find privkeys, as my wallets are encrypted. Unfortunately there was an old .txt file somewhere on my HD with my privkeys. So be extra careful.

Did you reverse engineer the wallet to know the MO? Wouldn't you also delete posts that FUD about a virus if you were a dev?

Anyone else got wallets stolen? Perhaps you should also look at any other wallets you installed recently and check whether any of those were confirmed by VirusTotal to have trojans in them before you blame a VirusTotal-clean wallet.
Checking now. If I were a dev and had nothing to hide, no, I wouldn't delete a legit question, as the community would answer anyway. Here is the Malwarebytes analysis of my PC:
Code:
Registry keys: 3
Backdoor.Agent.MSC, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WIN32.EXE, , [1e532fb3e2a879bd8d1105416f947f81],
Backdoor.Agent.MSC, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WIN32.EXE, , [1e532fb3e2a879bd8d1105416f947f81],
Malware.Trace, HKU\S-1-5-21-3263657515-926084177-3591563880-1001\SOFTWARE\DC3_FEXEC, , [71000bd72169f83e79f88b62877c47b9],

Registry values: 1
PUP.Vulnerable.DellSystemDetect, HKU\S-1-5-21-3263657515-926084177-3591563880-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|DellSystemDetect, C:\Users\0\AppData\Local\Apps\2.0\CWDABVX1.PTA\JEY57068.PLT\dell..tion_e30b47f5d4a30e9e_0005.000d_4ab2a66cfade09be\DellSystemDetect.exe, , [3041ffe311798da93956bf48778c15eb]

Registry data: 0
(no malicious items detected)

Folders: 6
Stolen.Data, C:\Users\0\AppData\Roaming\dclogs, , [f978ba284d3d5fd79a3c47d431d3d22e],
Refog.Keylogger, C:\ProgramData\MPK, , [adc40fd34a403cfa34f2744fba4852ae],
Refog.Keylogger, C:\Windows\SysWOW64\MPK, , [fe73dc061f6b84b2e09c329bca38dc24],
Refog.Keylogger, C:\Windows\SysWOW64\MPK\Help, , [fe73dc061f6b84b2e09c329bca38dc24],
Refog.Keylogger, C:\Windows\SysWOW64\MPK\Help\German, , [fe73dc061f6b84b2e09c329bca38dc24],
Refog.Keylogger, C:\Windows\SysWOW64\MPK\Images, , [fe73dc061f6b84b2e09c329bca38dc24],

Files: 41
Backdoor.Bot, C:\ProgramData\Nimoru\GizmoSE, , [d29fe4fe701a4bebf24e165c6b9760a0],
Backdoor.Bot, C:\ProgramData\Nimoru\LicenseSE, , [6b06c51dc4c637ffe1607cf6689a17e9],
Trojan.BitcoinMiner, C:\Users\0\Downloads\CHC-cpuminer.zip, , [0d6405dd9af04fe7508127f4738eb54b],
Misused.Legit.AI, C:\Users\0\FJQIH\Autoit3132605.exe, , [bbb603dfe6a42b0bdecae33415ec53ad],
Misused.Legit.AI, C:\Users\0\FPLXT\AutoIt3-477747.exe, , [93de875b2e5ce55100a8ee29c041f60a],
Misused.Legit.AI, C:\Users\0\GBHHS\423830.exe, , [2a47736f5e2c73c3f2b633e4778ad729],
Misused.Legit.AI, C:\Users\0\IXXER\Autoit3361205.exe, , [f081677b5436ad891c8c6fa82ed302fe],
Misused.Legit.AI, C:\Users\0\PJFOQ\AutoIt3-317477.exe, , [18594999d1b994a24365090e68994cb4],
Misused.Legit.AI, C:\Users\0\PJYSH\AutoIt3-476488.exe, , [5c1531b14e3c8caa4a5ef225eb163ac6],
Misused.Legit.AI, C:\Users\0\PLNYL\AutoIt3-674095.exe, , [3b369a48fd8da78f08a06cab48b9cd33],
Misused.Legit.AI, C:\Users\0\QFBWN\AutoIt3-980556.exe, , [b6bbf6ec0387c0768d1b01165aa72ed2],
Misused.Legit.AI, C:\Users\0\RQABW\AutoIt3-305714.exe, , [ea8701e19ceecb6b9216bf58ac55659b],
Misused.Legit.AI, C:\Users\0\RWTPS\Autoit3799481.exe, , [4e23746e4b3f68ce93150d0afb065ba5],
Misused.Legit.AI, C:\Users\0\SARQB\Autoit3632787.exe, , [cca53ea497f3d2648721cd4aa75a45bb],
Misused.Legit.AI, C:\Users\0\SYMIW\Autoit3346420.exe, , [0a674f93b9d11f1744643ed9a65bd32d],
Misused.Legit.AI, C:\Users\0\SZCXS\70252.exe, , [462b3ea4c1c9ae881197d641ba47e917],
Misused.Legit.AI, C:\Users\0\UNQRL\Autoit3823165.exe, , [a5ccb9291d6d62d47b2dc3548d741ee2],
Misused.Legit.AI, C:\Users\0\UVZMS\Autoit3356564.exe, , [4d24875b2367a3931593be5940c1f10f],
Misused.Legit.AI, C:\Users\0\VFAIT\AutoIt3-233913.exe, , [343d9b4773170e288d1b59be48b9ba46],
Misused.Legit.AI, C:\Users\0\VNZZZ\Autoit3.214789.exe, , [71003aa88efcd561f9af1afd49b89e62],
Misused.Legit.AI, C:\Users\0\WEELT\Autoit3931513.exe, , [fc75657d7614dd594f5914034db4916f],
Misused.Legit.AI, C:\Users\0\WUZEP\AutoIt3-727504.exe, , [056c6c76404a0b2b099f63b4ce3320e0],
Misused.Legit.AI, C:\Users\0\YAHBI\Autoit3.432573.exe, , [7ff2ebf7e8a24de9505844d310f12dd3],
Misused.Legit.AI, C:\Users\0\YATOB\AutoIt3-72795.exe, , [d0a17270503ade58a404a275ef128080],
Misused.Legit.AI, C:\Users\0\ZKONP\AutoIt3-297516.exe, , [b1c0c61ca2e8dd591c8c5dba31d027d9],
Misused.Legit.AI, C:\Users\0\ZOQJQ\Autoit3862269.exe, , [76fb4b972d5d54e2565225f2c93858a8],
Misused.Legit.AI, C:\Users\0\NVWPL\Autoit333863.exe, , [beb35989ff8b63d300a8eb2c2cd56f91],
Misused.Legit.AI, C:\Users\0\NYMDT\Autoit3120957.exe, , [8ee3c41ea4e641f5e8c0ff185aa7ee12],
Misused.Legit.AI, C:\Users\0\OTCOG\AutoIt3-466746.exe, , [d0a180628703082e466250c789789967],
Misused.Legit.AI, C:\Users\0\JDHDW\Autoit3441978.exe, , [d29f4999ccbe1d190a9ec354e31e7c84],
Misused.Legit.AI, C:\Users\0\JSUGS\AutoIt3-306080.exe, , [343d1ac8e8a2f442990f0116c14047b9],
Misused.Legit.AI, C:\Users\0\KDYGY\AutoIt3-927653.exe, , [650cc61c4b3f3cfa4068c84fbd447c84],
Misused.Legit.AI, C:\Users\0\KMWRG\AutoIt3-993025.exe, , [620fc41e8505d165adfb1601ce3342be],
Misused.Legit.AI, C:\Users\0\KNLWO\AutoIt3-895236.exe, , [cca5d01289013204e2c693844fb28c74],
Misused.Legit.AI, C:\Users\0\KSVTO\AutoIt3-166262.exe, , [1e53f8ea9af0a195d8d0dd3ad22fd22e],
Misused.Legit.AI, C:\Users\0\LXVTT\AutoIt3-444060.exe, , [91e0b929cac066d0693f080fde23639d],
Misused.Legit.AI, C:\Users\0\BPVJQ\AutoIt3-60029.exe, , [f77a687af89238fea0082cebde233ac6],
Misused.Legit.AI, C:\Users\0\DCJRG\AutoIt3-791889.exe, , [066be7fb9feb61d523850b0cd42d4fb1],
Misused.Legit.AI, C:\Users\0\DINIH\Autoit3750382.exe, , [e190647e3e4c082eadfb72a5fd047789],
Backdoor.Agent.MSC, C:\Windows\SysWOW64\Windows Services\win32.exe, , [1e532fb3e2a879bd8d1105416f947f81],
Stolen.Data, C:\Users\0\AppData\Roaming\dclogs\2013-12-19-5.dc, , [f978ba284d3d5fd79a3c47d431d3d22e],

Physical sectors: 0
(no malicious items detected)


(end)

Well then, let others who have installed the SHROOMS wallet see if they have the same registry keys and files. That would sort the debate.
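The check proposed in the post above, written out as an added PowerShell example. This is not code from the thread or from any wallet project. The registry keys, folders and file names are copied from the Malwarebytes log; everything else is an assumption about how the log's layout generalises: user profiles live under C:\Users, the AutoIt stubs sit in folders named with exactly five capital letters directly under a profile (FJQIH, FPLXT, ... in the log), and an Image File Execution Options entry may carry a Debugger value. Note that the bracketed hex at the end of each Malwarebytes line is an internal detection identifier, not a file hash, so the script hashes whatever it finds itself; that is what other SHROOMS users would need to compare.

```powershell
# Added example, not from the thread: look for the artifacts from the Malwarebytes log
# above on a Windows host. Run from an elevated PowerShell 5.1+ prompt. Indicator paths
# and key names are copied from the log; the profile layout under C:\Users, the
# "Debugger" lookup and the five-capital-letter dropper folder pattern are assumptions.

$ErrorActionPreference = 'SilentlyContinue'
$findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding {
    param([string]$Kind, [string]$Indicator, [string]$Detail = '')
    $findings.Add([pscustomobject]@{ Kind = $Kind; Indicator = $Indicator; Detail = $Detail })
}

# 1. Image File Execution Options entries for win32.exe (native and WOW6432Node views).
#    A "Debugger" value there makes Windows start that path whenever win32.exe is
#    launched, so report the key and whatever it points at.
$ifeoKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\win32.exe',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\win32.exe'
)
foreach ($k in $ifeoKeys) {
    if (Test-Path -LiteralPath $k) {
        $dbg = (Get-ItemProperty -LiteralPath $k).Debugger
        Add-Finding 'Registry' $k ('IFEO entry present; Debugger = ' + $(if ($dbg) { $dbg } else { '<none>' }))
    }
}

# 2. The DC3_FEXEC marker lives in a user hive; walk every loaded SID hive under HKEY_USERS
#    rather than only HKCU, because the log shows it under a specific S-1-5-21 SID.
New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
Get-ChildItem -Path 'HKU:\' | Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } | ForEach-Object {
    $k = "HKU:\$($_.PSChildName)\SOFTWARE\DC3_FEXEC"
    if (Test-Path -LiteralPath $k) { Add-Finding 'Registry' $k 'Malware.Trace key from the log' }
}

# 3. Fixed-location files and folders from the log (backdoor binary, keylogger, bot).
$fixedPaths = @(
    "$env:SystemRoot\SysWOW64\Windows Services\win32.exe",
    "$env:SystemRoot\SysWOW64\MPK",
    "$env:ProgramData\MPK",
    "$env:ProgramData\Nimoru"
)
foreach ($p in $fixedPaths) {
    if (Test-Path -LiteralPath $p) { Add-Finding 'File' $p ('last write ' + (Get-Item -LiteralPath $p).LastWriteTime) }
}

# 4. Per-profile artifacts: the dclogs folder (Stolen.Data) and the random five-letter
#    folders holding renamed AutoIt3 interpreters (Misused.Legit.AI). Hash every .exe
#    found so results can be compared between machines.
foreach ($u in Get-ChildItem -LiteralPath "$env:SystemDrive\Users" -Directory) {
    $dclogs = Join-Path $u.FullName 'AppData\Roaming\dclogs'
    if (Test-Path -LiteralPath $dclogs) {
        $n = @(Get-ChildItem -LiteralPath $dclogs -Filter '*.dc' -File).Count
        Add-Finding 'File' $dclogs "$n .dc log file(s)"
    }
    Get-ChildItem -LiteralPath $u.FullName -Directory | Where-Object { $_.Name -cmatch '^[A-Z]{5}$' } | ForEach-Object {
        foreach ($exe in Get-ChildItem -LiteralPath $_.FullName -Filter '*.exe' -File) {
            $sha = (Get-FileHash -LiteralPath $exe.FullName -Algorithm SHA256).Hash
            Add-Finding 'File' $exe.FullName "SHA256 $sha"
        }
    }
}

# 5. Is the backdoor binary currently running?
Get-CimInstance -ClassName Win32_Process | Where-Object {
    $_.Name -ieq 'win32.exe' -or $_.ExecutablePath -like '*\SysWOW64\Windows Services\*'
} | ForEach-Object {
    Add-Finding 'Process' "$($_.Name) (PID $($_.ProcessId))" $_.ExecutablePath
}

# 6. Report. Any hit means the host is compromised: move remaining funds with keys
#    entered on a clean machine, never from this one.
if ($findings.Count -eq 0) {
    Write-Host 'None of the indicators from the log are present on this host.'
} else {
    $findings | Format-Table -AutoSize -Wrap
    Write-Host "$($findings.Count) indicator(s) found; treat this host as compromised."
}
```

A clean result only says that this particular set of artifacts is absent; it does not clear any wallet binary, and it will not catch a differently packed build of the same tooling. Read the hits against their dates: the log's dclogs entry is a file named 2013-12-19-5.dc, so a match on that folder on another machine points to an infection that predates the wallet downloads by a long way, which is exactly the question the post above wants settled.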
legendary
Activity: 1232
Merit: 1001
July 16, 2015, 08:12:42 AM
#16
Today I got all my Crave stolen, and M1 too. Yesterday I downloaded two wallets, NOC (Nocturna) and SHRM (SHROOMS). I scanned both at VirusTotal, but it looks like the infected wallet is fully undetected by antiviruses. So be careful with these new coins.
After posting in the SHROOMS thread about it my post got deleted, so I assume the SHROOMS wallet is infected.

Have you considered (before blaming a wallet that is marked as clean by all the AV products on VirusTotal) that it could have been other activity, like bad browsing behavior, or alternatively a bad wallet from before yesterday, with the attacker using the exploit only now?
Well, everything is possible. I found it suspicious that after getting those two wallets my coins are gone, and on top of it my post got deleted from the SHROOM thread without interaction. Anyway, I am just giving fair warnings to you guys. The guy's a pro, as this malware is specifically designed to search remotely for .txt and .dat files to find privkeys, as my wallets are encrypted. Unfortunately there was an old .txt file somewhere on my HD with my privkeys. So be extra careful.

Did you reverse engineer the wallet to know the MO? Wouldn't you also delete posts that FUD about a virus if you were a dev?

Anyone else got wallets stolen? Perhaps you should also look at any other wallets you installed recently and check whether any of those were confirmed by VirusTotal to have trojans in them before you blame a VirusTotal-clean wallet.
Checking now. If I were a dev and had nothing to hide, no, I wouldn't delete a legit question, as the community would answer anyway. Here is the Malwarebytes analysis of my PC:
Code:
Registry keys: 3
Backdoor.Agent.MSC, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WIN32.EXE, , [1e532fb3e2a879bd8d1105416f947f81],
Backdoor.Agent.MSC, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS NT\CURRENTVERSION\IMAGE FILE EXECUTION OPTIONS\WIN32.EXE, , [1e532fb3e2a879bd8d1105416f947f81],
Malware.Trace, HKU\S-1-5-21-3263657515-926084177-3591563880-1001\SOFTWARE\DC3_FEXEC, , [71000bd72169f83e79f88b62877c47b9],

Registry values: 1
PUP.Vulnerable.DellSystemDetect, HKU\S-1-5-21-3263657515-926084177-3591563880-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|DellSystemDetect, C:\Users\0\AppData\Local\Apps\2.0\CWDABVX1.PTA\JEY57068.PLT\dell..tion_e30b47f5d4a30e9e_0005.000d_4ab2a66cfade09be\DellSystemDetect.exe, , [3041ffe311798da93956bf48778c15eb]

Registry data: 0
(no malicious items detected)

Folders: 6
Stolen.Data, C:\Users\0\AppData\Roaming\dclogs, , [f978ba284d3d5fd79a3c47d431d3d22e],
Refog.Keylogger, C:\ProgramData\MPK, , [adc40fd34a403cfa34f2744fba4852ae],
Refog.Keylogger, C:\Windows\SysWOW64\MPK, , [fe73dc061f6b84b2e09c329bca38dc24],
Refog.Keylogger, C:\Windows\SysWOW64\MPK\Help, , [fe73dc061f6b84b2e09c329bca38dc24],
Refog.Keylogger, C:\Windows\SysWOW64\MPK\Help\German, , [fe73dc061f6b84b2e09c329bca38dc24],
Refog.Keylogger, C:\Windows\SysWOW64\MPK\Images, , [fe73dc061f6b84b2e09c329bca38dc24],

Files: 41
Backdoor.Bot, C:\ProgramData\Nimoru\GizmoSE, , [d29fe4fe701a4bebf24e165c6b9760a0],
Backdoor.Bot, C:\ProgramData\Nimoru\LicenseSE, , [6b06c51dc4c637ffe1607cf6689a17e9],
Trojan.BitcoinMiner, C:\Users\0\Downloads\CHC-cpuminer.zip, , [0d6405dd9af04fe7508127f4738eb54b],
Misused.Legit.AI, C:\Users\0\FJQIH\Autoit3132605.exe, , [bbb603dfe6a42b0bdecae33415ec53ad],
Misused.Legit.AI, C:\Users\0\FPLXT\AutoIt3-477747.exe, , [93de875b2e5ce55100a8ee29c041f60a],
Misused.Legit.AI, C:\Users\0\GBHHS\423830.exe, , [2a47736f5e2c73c3f2b633e4778ad729],
Misused.Legit.AI, C:\Users\0\IXXER\Autoit3361205.exe, , [f081677b5436ad891c8c6fa82ed302fe],
Misused.Legit.AI, C:\Users\0\PJFOQ\AutoIt3-317477.exe, , [18594999d1b994a24365090e68994cb4],
Misused.Legit.AI, C:\Users\0\PJYSH\AutoIt3-476488.exe, , [5c1531b14e3c8caa4a5ef225eb163ac6],
Misused.Legit.AI, C:\Users\0\PLNYL\AutoIt3-674095.exe, , [3b369a48fd8da78f08a06cab48b9cd33],
Misused.Legit.AI, C:\Users\0\QFBWN\AutoIt3-980556.exe, , [b6bbf6ec0387c0768d1b01165aa72ed2],
Misused.Legit.AI, C:\Users\0\RQABW\AutoIt3-305714.exe, , [ea8701e19ceecb6b9216bf58ac55659b],
Misused.Legit.AI, C:\Users\0\RWTPS\Autoit3799481.exe, , [4e23746e4b3f68ce93150d0afb065ba5],
Misused.Legit.AI, C:\Users\0\SARQB\Autoit3632787.exe, , [cca53ea497f3d2648721cd4aa75a45bb],
Misused.Legit.AI, C:\Users\0\SYMIW\Autoit3346420.exe, , [0a674f93b9d11f1744643ed9a65bd32d],
Misused.Legit.AI, C:\Users\0\SZCXS\70252.exe, , [462b3ea4c1c9ae881197d641ba47e917],
Misused.Legit.AI, C:\Users\0\UNQRL\Autoit3823165.exe, , [a5ccb9291d6d62d47b2dc3548d741ee2],
Misused.Legit.AI, C:\Users\0\UVZMS\Autoit3356564.exe, , [4d24875b2367a3931593be5940c1f10f],
Misused.Legit.AI, C:\Users\0\VFAIT\AutoIt3-233913.exe, , [343d9b4773170e288d1b59be48b9ba46],
Misused.Legit.AI, C:\Users\0\VNZZZ\Autoit3.214789.exe, , [71003aa88efcd561f9af1afd49b89e62],
Misused.Legit.AI, C:\Users\0\WEELT\Autoit3931513.exe, , [fc75657d7614dd594f5914034db4916f],
Misused.Legit.AI, C:\Users\0\WUZEP\AutoIt3-727504.exe, , [056c6c76404a0b2b099f63b4ce3320e0],
Misused.Legit.AI, C:\Users\0\YAHBI\Autoit3.432573.exe, , [7ff2ebf7e8a24de9505844d310f12dd3],
Misused.Legit.AI, C:\Users\0\YATOB\AutoIt3-72795.exe, , [d0a17270503ade58a404a275ef128080],
Misused.Legit.AI, C:\Users\0\ZKONP\AutoIt3-297516.exe, , [b1c0c61ca2e8dd591c8c5dba31d027d9],
Misused.Legit.AI, C:\Users\0\ZOQJQ\Autoit3862269.exe, , [76fb4b972d5d54e2565225f2c93858a8],
Misused.Legit.AI, C:\Users\0\NVWPL\Autoit333863.exe, , [beb35989ff8b63d300a8eb2c2cd56f91],
Misused.Legit.AI, C:\Users\0\NYMDT\Autoit3120957.exe, , [8ee3c41ea4e641f5e8c0ff185aa7ee12],
Misused.Legit.AI, C:\Users\0\OTCOG\AutoIt3-466746.exe, , [d0a180628703082e466250c789789967],
Misused.Legit.AI, C:\Users\0\JDHDW\Autoit3441978.exe, , [d29f4999ccbe1d190a9ec354e31e7c84],
Misused.Legit.AI, C:\Users\0\JSUGS\AutoIt3-306080.exe, , [343d1ac8e8a2f442990f0116c14047b9],
Misused.Legit.AI, C:\Users\0\KDYGY\AutoIt3-927653.exe, , [650cc61c4b3f3cfa4068c84fbd447c84],
Misused.Legit.AI, C:\Users\0\KMWRG\AutoIt3-993025.exe, , [620fc41e8505d165adfb1601ce3342be],
Misused.Legit.AI, C:\Users\0\KNLWO\AutoIt3-895236.exe, , [cca5d01289013204e2c693844fb28c74],
Misused.Legit.AI, C:\Users\0\KSVTO\AutoIt3-166262.exe, , [1e53f8ea9af0a195d8d0dd3ad22fd22e],
Misused.Legit.AI, C:\Users\0\LXVTT\AutoIt3-444060.exe, , [91e0b929cac066d0693f080fde23639d],
Misused.Legit.AI, C:\Users\0\BPVJQ\AutoIt3-60029.exe, , [f77a687af89238fea0082cebde233ac6],
Misused.Legit.AI, C:\Users\0\DCJRG\AutoIt3-791889.exe, , [066be7fb9feb61d523850b0cd42d4fb1],
Misused.Legit.AI, C:\Users\0\DINIH\Autoit3750382.exe, , [e190647e3e4c082eadfb72a5fd047789],
Backdoor.Agent.MSC, C:\Windows\SysWOW64\Windows Services\win32.exe, , [1e532fb3e2a879bd8d1105416f947f81],
Stolen.Data, C:\Users\0\AppData\Roaming\dclogs\2013-12-19-5.dc, , [f978ba284d3d5fd79a3c47d431d3d22e],

Physical sectors: 0
(no malicious items detected)


(end)
legendary
Activity: 1638
Merit: 1013
July 16, 2015, 08:08:46 AM
#15
Today I got all my Crave stolen, and M1 too. Yesterday I downloaded two wallets, NOC (Nocturna) and SHRM (SHROOMS). I scanned both at VirusTotal, but it looks like the infected wallet is fully undetected by antiviruses. So be careful with these new coins.
After posting in the SHROOMS thread about it my post got deleted, so I assume the SHROOMS wallet is infected.

Have you considered (before blaming a wallet that is marked as clean by all the AV products on VirusTotal) that it could have been other activity, like bad browsing behavior, or alternatively a bad wallet from before yesterday, with the attacker using the exploit only now?
Well, everything is possible. I found it suspicious that after getting those two wallets my coins are gone, and on top of it my post got deleted from the SHROOM thread without interaction. Anyway, I am just giving fair warnings to you guys. The guy's a pro, as this malware is specifically designed to search remotely for .txt and .dat files to find privkeys, as my wallets are encrypted. Unfortunately there was an old .txt file somewhere on my HD with my privkeys. So be extra careful.

Did you reverse engineer the wallet to know the MO? Wouldn't you also delete posts that FUD about a virus if you were a dev?

Anyone else got wallets stolen? Perhaps you should also look at any other wallets you installed recently and check whether any of those were confirmed by VirusTotal to have trojans in them before you blame a VirusTotal-clean wallet.