
Topic: WARNING! TraderCoin is a virus / keylogger (Read 1807 times)

sr. member
Activity: 369
Merit: 250
Cryptsy.com • Got Shitcoins?
September 03, 2014, 03:41:13 PM
#7
Thanks MaG
legendary
Activity: 1526
Merit: 1002
Waves | 3PHMaGNeTJfqFfD4xuctgKdoxLX188QM8na
October 24, 2013, 01:38:18 PM
#6
I tried this on several computers--one accidentally (&^%!!?*&) and then deliberately.  It logs keystrokes on Windows 7 and XP computers, but it seems to vary where it puts stuff, both in directories and in the registry.  It puts a crss.exe and fmss.exe file in one of the user/appdata folders.  I'd recommend just scanning your C: drive (or OS drive, if you are different than most) for them.  Then scan your registries for "crss", "fmss" and "MXsound".  You can look in msconfig and you may or may not see them, so you can check them off before restarting.  Once I found everything, it seemed to go away without too much protest.  There may be other files, so if anyone sees any different ones, please report.  The crss.exe and fmss.exe showed in explorer with a nice blue-circle "T", the Tradercoin logo.

If you think you have it fixed, rename afsdsjk to afsdsjk.txt, then see if another, newer afsdsjk file appears.  If it does, you still have the keylogger loaded!  

This was a wakeup call for me, I can't believe I was silly enough to allow this.  Anyone else actually lose anything?  Discover important passwords in the afsdsjk file?

Only the LogMeIn password for one rig but that's completely different from the account password I use so I don't change it.
newbie
Activity: 14
Merit: 0
October 24, 2013, 01:35:48 PM
#5
I tried this on several computers--one accidentally (&^%!!?*&) and then deliberately.  It logs keystrokes on Windows 7 and XP computers, but it seems to vary where it puts stuff, both in directories and in the registry.  It puts a crss.exe and fmss.exe file in one of the user/appdata folders.  I'd recommend just scanning your C: drive (or OS drive, if you are different than most) for them.  Then scan your registries for "crss", "fmss" and "MXsound".  You can look in msconfig and you may or may not see them, so you can check them off before restarting.  Once I found everything, it seemed to go away without too much protest.  There may be other files, so if anyone sees any different ones, please report.  The crss.exe and fmss.exe showed in explorer with a nice blue-circle "T", the Tradercoin logo.

If you think you have it fixed, rename afsdsjk to afsdsjk.txt, then see if another, newer afsdsjk file appears.  If it does, you still have the keylogger loaded!   

This was a wakeup call for me, I can't believe I was silly enough to allow this.  Anyone else actually lose anything?  Discover important passwords in the afsdsjk file?
hero member
Activity: 504
Merit: 500
October 24, 2013, 12:16:12 PM
#4
Thanks for the warning, Magnet.
legendary
Activity: 1526
Merit: 1002
Waves | 3PHMaGNeTJfqFfD4xuctgKdoxLX188QM8na
October 24, 2013, 12:13:11 PM
#3

Ah thanks, didn't see this topic.
That's the problem with the topic, nobody looks over there (scam accusations)
legendary
Activity: 1526
Merit: 1002
Waves | 3PHMaGNeTJfqFfD4xuctgKdoxLX188QM8na
October 24, 2013, 12:08:08 PM
#1
If you downloaded TraderCoin earlier today: it's a VIRUS.

(don't get confused with TradeCoin, that's another coin)

My virus scanner didn't catch it (Eset NOD32).
I never run new clients on my main computer, except for today (was in a hurry) and got punished for it.

Why this topic? Saltypistoon deleted the thread about TraderCoin, so someone who already downloaded it might not know it's a virus.

How to remove it:

Start up in safe mode, look in your temp folder if you think you are infected (C:\Users\UserName\AppData\Local\Temp).

If you got infected, there should be a qblt.exe, crss.exe, pic0.tmp and something like "afsdsjk" with about the same date and time stamp.
Also remove the client folder and the tradercoin folder in "roaming" (though I think it does no harm to leave it there).

The "afsdsjk" file is a plain text file with the logged keys, edit it in notepad to see if they got your passwords. They didn't in my case, didn't type much while away for work.

Delete all the files in temp after you find them there, just to make sure.

After deleting the virus, my PC gave me blue screens so I restarted again in safe mode and did a system restore to a point before I got infected.

Warning: don't change passwords on the infected computer before you are 100% sure you got rid of this virus!
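
The checks described in this thread (the reported file names under the user profile folders, files created at about the same time next to them, and the registry strings "crss", "fmss" and "MXsound"), as an added read-only PowerShell example that is not part of any post. The Run-key list, the five-minute creation-time window and the function names are assumptions; matches are leads to review, not proof of infection.

```powershell
# Read-only triage for the artifacts named in this thread. Nothing is deleted or changed.
# Note: crss.exe is not a Windows file; the genuine process is csrss.exe in System32.
$FileNames  = 'crss.exe', 'fmss.exe', 'qblt.exe', 'pic0.tmp', 'afsdsjk'
$RegPattern = 'crss|fmss|MXsound'    # strings the thread says to search the registry for

function Find-ReportedFiles {
    # Default root is the folder holding all user profiles (works on XP and Windows 7).
    param([string]$Root = (Split-Path $env:USERPROFILE))
    Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $FileNames -contains $_.Name }
}

function Find-CreationNeighbors {
    # Assumption: "about the same date and time stamp" = created within a few minutes of a hit.
    # This surfaces files whose names differ from the ones reported ("something like afsdsjk").
    param($Hits, [int]$Minutes = 5)
    foreach ($hit in $Hits) {
        Get-ChildItem -Path $hit.DirectoryName -Force -ErrorAction SilentlyContinue |
            Where-Object {
                -not $_.PSIsContainer -and $_.FullName -ne $hit.FullName -and
                [math]::Abs(($_.CreationTime - $hit.CreationTime).TotalMinutes) -le $Minutes
            }
    }
}

function Find-ReportedRunEntries {
    # Assumption: only the standard Run keys are checked; the thread says the location varies.
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    foreach ($path in $runKeys) {
        if (-not (Test-Path $path)) { continue }
        $key = Get-Item -Path $path
        foreach ($name in $key.GetValueNames()) {
            $data = [string]$key.GetValue($name)
            if ("$name $data" -match $RegPattern) {
                New-Object PSObject -Property @{ Key = $path; Name = $name; Data = $data }
            }
        }
    }
}

$hits = @(Find-ReportedFiles)
$hits | Select-Object FullName, Length, CreationTime, LastWriteTime | Format-Table -AutoSize
Find-CreationNeighbors -Hits $hits | Sort-Object FullName -Unique |
    Select-Object FullName, CreationTime | Format-Table -AutoSize
Find-ReportedRunEntries | Format-Table -AutoSize
```

Running it from an elevated prompt lets it read other users' profile folders; an empty result does not rule out other locations, since the posts report that the placement varies between machines.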
