toadboy #1 Posted November 22

So, I don't believe this is a false positive, but after talking to one of your experts, they suggested I make a post here. This post is related to the one I posted yesterday:

What happened: I have this crypto wallet for Verge Currency (XVG) and last week there was an update for it, 6.0. So I had to download and install the new one. No problems. Then yesterday I got a message on Discord from someone called Verge UpdateBot that said that 6.1 was out and I needed to install it. This made me think back to the previous update they had a few months back: 5.0 came out and a couple of days later there was another update, 5.1. So I went to the GitHub and it looked legit, so I downloaded the zip file, extracted the .exe file, replaced the legit .exe file in my programs and ran it. A notification warning came up (I don't remember what it said) but I stupidly ignored it and continued, because I thought it was a false positive, which has happened before with this wallet. That's when I believe Win Def kicked in and quarantined it.

I did some scans on both WinDef and MBAM and I removed the two files, which were called:
Trojan:Win32/Conteban.B!ml
Trojan:Win32/Suloc.l!cl

I did some googling and I suspect they might be ransomware. MBAM said it was a keylogger.

I uploaded the zip files to VirusTotal and got these results back: https://www.virustotal.com/gui/file/66b8b7f71492853cbf34e4ee0d178d6bacff247e1835035817cb40d384b130f3/detection

The files I downloaded are at: https://github.com/vergescurrency/VERGE/releases/tag/v6.1.0
The specific file I downloaded is: https://github.com/vergescurrency/VERGE/releases/download/v6.1.0/verge-6.1.0-win64.zip
and the file I executed was the one called: verge-qt.exe

(If the GitHub and the files are taken down before you can check them, let me know and I can send you the zip file.)

I've spoken with the XVG team and they have confirmed that this is not legit and didn't come from them.

I hope you can give me some information about these files and what they do, etc. My system seems fine and I haven't noticed any problems after this incident, but I would like to make sure that I'm safe and find out if there is anything else I can do. Thank you.

Attachment: mbamreport.txt
toadboy #2 Posted November 22

Hi, David. I uploaded the exe file to VirusTotal and got these results back: https://www.virustotal.com/gui/file/8f1b589503ff1beb6a85c636e4af1c3045d0e5348e091b24b3937d557e68471f/detection
thisisu #3 Posted November 22

Quoting toadboy (3 hours ago): "Hi, David. I uploaded the exe file to VirusTotal and got these results back: https://www.virustotal.com/gui/file/8f1b589503ff1beb6a85c636e4af1c3045d0e5348e091b24b3937d557e68471f/detection"

This archive has Backdoor.Quasar in it:
MD5: 35843A5F14D942C815F55F21B51E8F82 => https://www.virustotal.com/gui/file/1fde04dd38b0e62c6e39c9cf83d946052d665ab43be1aad712c665d4f216becf/detection

That is what is being detected. I'm not seeing a false positive here regarding the other archives attached.

C:\Users\<USER>\AppData\Roaming\1337\System32.exe

If that file is on your system, I'd remove it.
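An added example, not code from the thread, from Malwarebytes or from the Verge project: a small Python scanner that walks a directory tree and reports files matching the two kinds of indicator given in this thread, the `1337` drop folder named in the post above (the file inside it varies, so the folder name is the indicator) and the hashes quoted in the thread (the MD5 above, plus the SHA-256 values embedded in the three VirusTotal URLs, since VirusTotal file URLs carry the SHA-256). The scan root, the `%APPDATA%` default and the sample files used to exercise it are assumptions.

```python
import hashlib
import os
import sys
from pathlib import Path

# Indicators taken from this thread: the MD5 quoted in post #3 and the SHA-256
# values embedded in the three VirusTotal URLs (VirusTotal file URLs use SHA-256).
KNOWN_BAD_HASHES = {
    "md5": {"35843a5f14d942c815f55f21b51e8f82"},
    "sha256": {
        "66b8b7f71492853cbf34e4ee0d178d6bacff247e1835035817cb40d384b130f3",
        "8f1b589503ff1beb6a85c636e4af1c3045d0e5348e091b24b3937d557e68471f",
        "1fde04dd38b0e62c6e39c9cf83d946052d665ab43be1aad712c665d4f216becf",
    },
}

# Drop location from post #3 (...\AppData\Roaming\1337\System32.exe). Post #4 found
# verge-qt.exe there instead of System32.exe, so the folder name is treated as the
# indicator and every file inside such a folder is reported.
SUSPICIOUS_DIR_NAMES = {"1337"}


def hash_file(path, chunk_size=1 << 20):
    """Return (md5, sha256) hex digests of a file, read in 1 MiB chunks."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            md5.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha256.hexdigest()


def scan(root, bad_hashes=KNOWN_BAD_HASHES, suspicious_dirs=SUSPICIOUS_DIR_NAMES):
    """Walk `root` and return a list of (path, reason) for every file that sits
    under a suspicious directory name, hashes to a known-bad value, or could not
    be read (a locked file is worth a look, not a silent skip)."""
    root = Path(root)
    hits = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        reasons = []
        parent_dirs = path.relative_to(root).parts[:-1]
        if any(part.lower() in suspicious_dirs for part in parent_dirs):
            reasons.append("inside suspicious directory")
        md5 = sha256 = None
        try:
            md5, sha256 = hash_file(path)
        except OSError as exc:
            reasons.append(f"unreadable: {exc}")
        if md5 in bad_hashes["md5"]:
            reasons.append(f"md5 match {md5}")
        if sha256 in bad_hashes["sha256"]:
            reasons.append(f"sha256 match {sha256}")
        if reasons:
            hits.append((str(path), "; ".join(reasons)))
    return hits


if __name__ == "__main__":
    # Assumed default: the Roaming AppData folder on Windows. Pass any path to override.
    target = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("APPDATA", ".")
    for hit_path, reason in scan(target):
        print(f"{hit_path}: {reason}")
```

Run it as `python scan_iocs.py` on the affected account, or give it another root to check a downloads folder or a second profile. It does not touch the registry: the MuiCache values discussed further down the thread are shell metadata left behind by running the program and are not themselves an indicator, so there is nothing there for a hash scanner to match. Note also that a hash list only catches the exact samples seen here; a rebuilt dropper would need the folder-name check or a proper AV scan to be caught.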
toadboy #4 Posted November 22

Thanks for the reply. I literally found that 1337 folder right before you replied. There was no System32.exe file there, but the verge-qt.exe was there. I deleted the whole folder.

I also saw that there is something in my registry at:
Computer\HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
C:\users\USER\appdata\roaming\1337\verge-qt.exe.ApplicationCompany
C:\users\USER\appdata\roaming\1337\verge-qt.exe.FriendlyAppName

Are these also a part of the malware, and can I safely delete them? I don't know much about how the registry works...
thisisu #5 Posted November 22

I would leave those alone. These are harmless leftovers of the Verge QT software. They are not malware.
toadboy #6 Posted November 22

OK, thanks. Is there anything else that I should do that you can think of? Anything else I should check on my PC? Do you think I'm safe?
Porthos #7 Posted November 22

Quoting toadboy (3 hours ago): "Anything else I should check on my PC?"

If you suspect you're infected, then please read and follow the instructions in this topic and then create a new topic in our malware removal area by clicking here, and one of our malware removal specialists will assist you in checking and clearing the system of any threats.
toadboy #8 Posted November 22

Alright. Thanks for the help.