toadboy
Everything posted by toadboy
-
Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 2/10/20
Protection Event Time: 5:20 PM
Log File: 3a62cf26-4c21-11ea-b86d-6045cb9c59b9.json

-Software Information-
Version: 4.0.4.49
Components Version: 1.0.810
Update Package Version: 1.0.18996
License: Premium

-System Information-
OS: Windows 10 (Build 17763.973)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Windows\System32\svchost.exe, Blocked, -1, -1, 0.0.0

-Website Data-
Category: Phishing
Domain: ipv4.login.msa.akadns6.net
IP Address: 40.90.137.126
Port: 443
Type: Outbound
File: C:\Windows\System32\svchost.exe

(end)

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 2/10/20
Protection Event Time: 5:16 PM
Log File: aece50f2-4c20-11ea-a991-6045cb9c59b9.json

-Software Information-
Version: 4.0.4.49
Components Version: 1.0.810
Update Package Version: 1.0.18996
License: Premium

-System Information-
OS: Windows 10 (Build 17763.973)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Windows\System32\svchost.exe, Blocked, -1, -1, 0.0.0

-Website Data-
Category: Phishing
Domain: ipv4.login.msa.akadns6.net
IP Address: 40.90.137.120
Port: 443
Type: Outbound
File: C:\Windows\System32\svchost.exe

(end)
-
I'm experiencing this also
-
Thank you for the help!
-
The results of the scan were clean. Here's the log. Thank you. SophosVirusRemovalTool.log
-
Alright. Thanks for the help
-
Ok, thanks. Is there anything else that I should do that you can think of? Any other thing I should check on my PC? Do you think I'm safe?
-
Thanks for the reply. I literally found that 1337 folder right before you replied. There was no System32.exe file there, but the verge-qt.exe was there. I deleted the whole folder. I also saw that there is something in my registry at:
Computer\HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
C:\users\USER\appdata\roaming\1337\verge-qt.exe.ApplicationCompany
C:\users\USER\appdata\roaming\1337\verge-qt.exe.FriendlyAppName
Are these also a part of the malware, and can I safely delete these? I don't know much about how the registry works...
-
Hi, David. I uploaded the exe file to VirusTotal and got these results back: https://www.virustotal.com/gui/file/8f1b589503ff1beb6a85c636e4af1c3045d0e5348e091b24b3937d557e68471f/detection
-
So, I don't believe this is a false positive, but after talking to one of your experts, they suggested I make a post here. This post is related to the one I posted yesterday:

What happened: So I have this crypto wallet for Verge Currency (XVG) and last week there was an update for it, 6.0. So I had to download and install the new one. No problems. Then yesterday I got a msg on Discord from someone called Verge UpdateBot that said that 6.1 was out and I needed to install it. This made me think back on the previous update that they had a few months back: 5.0 came out and a couple of days later there was another update, 5.1. So I went into the GitHub and it looked legit, so I downloaded the zip file, extracted the .exe file, replaced the legit .exe file in my programs and ran it. A notification warning came up (don't remember what it said), but I stupidly ignored it and continued because I thought it was a false positive, which has happened before with this wallet. That's when I believe Win Def kicked in and quarantined it. I did some scans on both windef and mbam and I removed the two files, which were called:
Trojan:Win32/Conteban.B!ml
Trojan:Win32/Suloc.l!cl
I did some googling and I suspect they might be ransomware. Mbam said it was a keylogger. I uploaded the zip files to VirusTotal and I got these results back: https://www.virustotal.com/gui/file/66b8b7f71492853cbf34e4ee0d178d6bacff247e1835035817cb40d384b130f3/detection
The files I downloaded are at: https://github.com/vergescurrency/VERGE/releases/tag/v6.1.0
The specific file I downloaded is: https://github.com/vergescurrency/VERGE/releases/download/v6.1.0/verge-6.1.0-win64.zip
and the file I executed was the one called: verge-qt.exe
(If the GitHub and the files are taken down before you can check them, let me know and I can send you the zip file.) I've spoken with the XVG team and they have confirmed that this is not legit and didn't come from them.
I hope you can give me some information about these files and what they do, etc. My system seems fine and I haven't noticed any problems after this incident, but I would like to make sure that I'm safe and find out if there is anything else that I can do. Thank you. mbamreport.txt
-
I would like to add the link to the virus itself so hopefully you might check it out and see what it does: https://github.com/vergescurrency/VERGE/releases/tag/v6.1.0
I downloaded the one called verge-6.1.0-win64.zip, replaced the old verge-qt.exe file in my program with the verge-qt.exe file from that link, and executed it. https://github.com/vergescurrency/VERGE/releases/download/v6.1.0/verge-6.1.0-win64.zip
-
Hi. I got a msg about updating a wallet for my Verge XVG crypto wallet and it turned out to be a keylogger. I think windefend stopped it when I ran the exe file. I believe I have removed all traces of it from my PC, but I want you to take a look anyway. FRST.txt Addition.txt
-
Thanks for your help! This thread can be tagged as solved now
-
Hi. From what I've gathered, the Bing thing is normal, but it does open up a Bing search in Firefox and not a direct link to a MS URL. I would still like for you to have a look at my system. I will PM you the files if that is alright?
-
Yesterday I went through and deleted over 5000 emails going all the way back to 2003. I might have clicked some links in some of them. I have NoScript and uBlock on my browser and I didn't get any notification from mbam that something fishy was going on. Today there was a notification that mbam had found a PUP: BING-LAVASOFT-FF59.XML. I quarantined it and deleted it. It didn't look like it was installed or anything (maybe NoScript stopped it?). I've run several more scans with mbam, adwcleaner and windefender and I haven't found anything after I removed it. But one thing I noticed is when I was in Windows settings, looking at the recovery section, on the right side it says "Have a question?" with links underneath it in blue, and when I clicked the one that said "Create a recovery drive", it opened up a tab in my Firefox browser with a bing.com search. I can't recall if this is normal behavior and it's supposed to open it through a Bing search instead of a Google search or not. I'm slightly paranoid and I hope you can help me out. I have run Farbar and I got the FRST.txt and the Addition.txt, but I noticed that there was some sensitive info in there that makes me not comfortable posting it here, so I was hoping I could PM a mod with those files instead. Thanks. mbam_log.txt