toadboy

Members
  • Posts

    14
Everything posted by toadboy

  1. Malwarebytes
     www.malwarebytes.com

     -Log Details-
     Protection Event Date: 2/10/20
     Protection Event Time: 5:20 PM
     Log File: 3a62cf26-4c21-11ea-b86d-6045cb9c59b9.json

     -Software Information-
     Version: 4.0.4.49
     Components Version: 1.0.810
     Update Package Version: 1.0.18996
     License: Premium

     -System Information-
     OS: Windows 10 (Build 17763.973)
     CPU: x64
     File System: NTFS
     User: System

     -Blocked Website Details-
     Malicious Website: 1
     , C:\Windows\System32\svchost.exe, Blocked, -1, -1, 0.0.0

     -Website Data-
     Category: Phishing
     Domain: ipv4.login.msa.akadns6.net
     IP Address: 40.90.137.126
     Port: 443
     Type: Outbound
     File: C:\Windows\System32\svchost.exe

     (end)

     Malwarebytes
     www.malwarebytes.com

     -Log Details-
     Protection Event Date: 2/10/20
     Protection Event Time: 5:16 PM
     Log File: aece50f2-4c20-11ea-a991-6045cb9c59b9.json

     -Software Information-
     Version: 4.0.4.49
     Components Version: 1.0.810
     Update Package Version: 1.0.18996
     License: Premium

     -System Information-
     OS: Windows 10 (Build 17763.973)
     CPU: x64
     File System: NTFS
     User: System

     -Blocked Website Details-
     Malicious Website: 1
     , C:\Windows\System32\svchost.exe, Blocked, -1, -1, 0.0.0

     -Website Data-
     Category: Phishing
     Domain: ipv4.login.msa.akadns6.net
     IP Address: 40.90.137.120
     Port: 443
     Type: Outbound
     File: C:\Windows\System32\svchost.exe

     (end)
  2. The results of the scan were clean. Here's the log. Thank you.
     SophosVirusRemovalTool.log
  3. Ok, thanks. Is there anything else that I should do that you can think of? Any other thing I should check on my PC? Do you think I'm safe?
  4. Thanks for the reply. I literally found that 1337 folder right before you replied. There was no System32.exe file there but the verge-qt.exe was there. I deleted the whole folder. I also saw that there is something in my registry at:

     Computer\HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
     C:\users\USER\appdata\roaming\1337\verge-qt.exe.ApplicationCompany
     C:\users\USER\appdata\roaming\1337\verge-qt.exe.FriendlyAppName

     Are these also a part of the malware and can I safely delete these? I don't know much about how the registry works...
  5. Hi, David. I uploaded the exe file to VirusTotal and got these results back:
     https://www.virustotal.com/gui/file/8f1b589503ff1beb6a85c636e4af1c3045d0e5348e091b24b3937d557e68471f/detection
  6. So, I don't believe this is a false positive, but after talking to one of your experts, they suggested I make a post here. This post is related to the one I posted yesterday:

     What happened: So I have this crypto wallet for Verge Currency (XVG) and last week there was an update for it, 6.0. So I had to download and install the new one. No problems. Then yesterday I got a msg on Discord from someone called Verge UpdateBot that said that 6.1 was out and I needed to install it. This made me think back on the previous update that they had a few months back: 5.0 came out and a couple of days later there was another update, 5.1. So I went in to the GitHub and it looked legit, so I downloaded the zip file, extracted the .exe file, replaced the legit .exe file in my programs and ran it. A notification warning came up (don't remember what it said) but I stupidly ignored it and continued because I thought it was a false positive, which has happened before with this wallet. That's when I believe Win Def kicked in and quarantined it.

     I did some scans on both windef and mbam and I removed the two files which were called:
     Trojan:Win32/Conteban.B!ml
     Trojan:Win32/Suloc.l!cl

     I did some googling and I suspect they might be ransomware. Mbam said it was a keylogger. I uploaded the zip files to VirusTotal and I got these results back:
     https://www.virustotal.com/gui/file/66b8b7f71492853cbf34e4ee0d178d6bacff247e1835035817cb40d384b130f3/detection

     The files I downloaded are at:
     https://github.com/vergescurrency/VERGE/releases/tag/v6.1.0
     The specific file I downloaded is:
     https://github.com/vergescurrency/VERGE/releases/download/v6.1.0/verge-6.1.0-win64.zip
     and the file I executed was the one called: verge-qt.exe
     (If the GitHub and the files are taken down before you can check them, let me know and I can send you the zip file.)

     I've spoken with the XVG team and they have confirmed that this is not legit and didn't come from them.

     I hope you can give me some information about these files and what they do etc. My system seems fine and I haven't noticed any problems after this incident, but I would like to make sure that I'm safe and find out if there is anything else that I can do. Thank you.
     mbamreport.txt
  7. I would like to add the link to the virus itself so hopefully you might check it out and see what it does.
     https://github.com/vergescurrency/VERGE/releases/tag/v6.1.0
     I downloaded the one called verge-6.1.0-win64.zip and I replaced the old verge-qt.exe file in my program with the verge-qt.exe file from that link and I executed it.
     https://github.com/vergescurrency/VERGE/releases/download/v6.1.0/verge-6.1.0-win64.zip
  8. Hi. I got a msg about updating a wallet for my Verge XVG crypto wallet and it turned out to be a keylogger. I think windefend stopped it when I ran the exe file. I have removed all traces of it from my PC, I believe, but I want you to take a look anyway.
     FRST.txt
     Addition.txt
  9. Thanks for your help! This thread can be tagged as solved now
  10. Hi. From what I've gathered, the Bing thing is normal, but it does open up a Bing search in Firefox and not a direct link to a MS URL. I would still like for you to have a look at my system. I will PM you the files if that is alright?
  11. Yesterday I went through and deleted over 5000 emails going all the way back to 2003. I might have clicked some links in some of them. I have NoScript and uBlock on my browser and I didn't get any notification from mbam that something fishy was going on.

      Today there was a notification that mbam had found a PUP: BING-LAVASOFT-FF59.XML. I quarantined it and deleted it. It didn't look like it was installed or anything (maybe NoScript stopped it?). I've run several more scans with mbam, AdwCleaner and Windows Defender and I haven't found anything after I removed it.

      But one thing I noticed is when I was in Windows settings, looking at the Recovery section, on the right side it says "Have a question?" with links underneath it in blue, and when I clicked the one that said "Create a recovery drive", it opened up a tab in my Firefox browser with a bing.com search. I can't recall if this is normal behavior and it's supposed to open it through a Bing search instead of a Google search or not. I'm slightly paranoid and I hope you can help me out.

      I have run Farbar and I got the FRST.txt and the Addition.txt, but I noticed that there was some sensitive info in there that makes me not comfortable posting it here, so I was hoping I could PM a mod with those files instead. Thanks.
      mbam_log.txt