Badshah Posted October 27, 2019 ID:1341752
Whenever I try to copy my Bitcoin address and paste it, another address gets pasted. No matter how many times I do it, it always pastes the same address for Bitcoin, and the same thing happens for ETH, BCH, LTC and many other addresses. I tried to solve this problem by using Avast but nothing happened. I tried to fix it with Malwarebytes; after the scan about 448 threats were found. I deleted all of them, still no change in this copy-paste problem. This problem is giving me headaches. Please tell me how to solve this problem.
Badshah Posted October 28, 2019 Author ID:1341856
Whenever I try to copy any address, these addresses always get copied.
Bitcoin:13gwPnRgJjqsg2T1QQ6LQXtxWJAQDJWD6z
Ethereum:0x1b3417c12EBfa72e384A210698192458A32d6D37
Bitcoin:qr07mvqqcchqvfy5q6hqa90z0c3zqhnchsaeaucl7z
How can I solve this problem?
Badshah Posted October 28, 2019 Author ID:1341908
Here are the text files: Text file.txt FRST.txt FRST.txt
Badshah Posted October 28, 2019 Author ID:1341913
Addition.txt
Maurice Naggar Posted October 30, 2019 ID:1342203
Hi, My name is Maurice. I will be helping and guiding you, going forward on this case.
Please follow my directions as we go along. Please do not do any changes on your own without first checking with me. If you will be away for more than 3 consecutive days, do try to let me know ahead of time, as much as possible.
Please only just attach all report files, etc that I ask for as we go along.
Your PC runs Windows 10 build 1903. Here's the way to clear the Windows Clipboard history (and what is in memory for "paste" operations in Windows).
Tap the Windows-key on keyboard so that you see the Windows 10 search box.
In the search box, type in clipboard settings then tap Enter-key.
Click on Clipboard settings. It will take you to clipboard settings.
Under “Clear clipboard data,” click the Clear button.
I noticed a number of logged events by the Windows 10 Windows Defender antivirus. Such as this one:
Date: 2019-10-25 17:43:34.343
Description: Windows Defender Antivirus has detected malware or other potentially unwanted software. For more information please see the following: https://go.microsoft.com/fwlink/?linkid=37020&name=PWS:Win32/Stimilina.E!bit&threatid=2147728120&enterprise=0
Name: PWS:Win32/Stimilina.E!bit
ID: 2147728120
Severity: Severe
Category: Password Stealer
Path: file:_C:\Users\USER\AppData\Local\Temp\rebfrsxh.zfw.exe
Detection Origin: Local machine
Detection Type: FastPath
Detection Source: Real-Time Protection
Process Name: C:\Users\USER\Desktop\Bitcoin Generator Skynova.exe
Security intelligence Version: AV: 1.305.576.0, AS: 1.305.576.0, NIS: 1.305.576.0
Engine Version: AM: 1.1.16500.1, NIS: 1.1.16500.1
Question: What do you know about this file C:\Users\USER\Desktop\Bitcoin Generator Skynova.exe
PWS:Win32/Stimilina.E!bit is a Microsoft classification. MS says: This threat can steal your personal information, such as your user names and passwords. It sends the stolen information to a malicious hacker.
I would suggest to delete that file.
Since this machine has AVAST antivirus, & thus has disabled Windows Defender, I would suggest to you to download and save the Windows Defender OFFLINE to a USB (or else, if you have an optical drive writer, to a CD or DVD).
The goal is to download & save & then run the Windows Defender Offline. This is an antivirus / anti-malware from Microsoft & is a quite powerful one. I am going to cite the references for it at Microsoft. The download links are listed at the bottom of the article. The last part of the article addresses how to execute
https://support.microsoft.com/en-us/help/17466
Badshah Posted October 30, 2019 Author ID:1342220
Hello @Maurice Naggar, I've already deleted this C:\Users\USER\Desktop\Bitcoin Generator Skynova.exe file and cleared my clipboard data, but my Bitcoin address copy-paste problem has not been resolved. How can I resolve it?
Maurice Naggar Posted October 30, 2019 ID:1342261
Did you read all of my last reply? Please do the scan with Microsoft Windows Defender OFFLINE.
Badshah Posted October 31, 2019 Author ID:1342329
Yes, I did the Windows Defender OFFLINE scan. What should I do next?
Maurice Naggar Posted October 31, 2019 ID:1342362
What was the bottom line result of the Windows Defender scan? Did it flag something?
Beyond that, I also need precise specifics from you. You mention using Copy & paste. I have to know, what program are you on when you do the Copy step? Is that in a text or word processor? Or on a web browser? If the latter, which one? And is it when on Crypto Tab browser? And, if on a web page, which web-page is that?
In other words, I need all the details of what is being copied from & what application is the container of the information when you do the copy. Please provide all that.
ALSO, I need for you to do this special scan. I would suggest a free scan with the ESET Online Scanner.
Go to https://www.eset.com/us/home/online-scanner/
Look on the right side of the page. Click Scan Now.
It will start a download of "esetonlinescanner_enu.exe".
Save the file to your system, such as the Downloads folder, or else to the Desktop.
Go to the saved file, and double click it to get it started.
When presented with the initial ESET options, click on "Computer Scan".
Next, when prompted by Windows, allow it to start by clicking Yes.
When prompted for scan type, click on Full scan.
Click on the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on Start scan button.
Have patience. The entire process may take an hour or more. There is an initial update download. There is a progress window display.
You should ignore all prompts to get the ESET antivirus software program (e.g. their standard program). You do not need to buy or get or install anything else.
When the scan is completed, if something was found, it will show a screen with the number of detected items. If so, click the button marked “View detected results”.
Click the blue “Save scan log” to save the log.
If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files” (in blue, at bottom).
Press Continue when all done. You should click to off the offer for “periodic scanning”.
NOTE: In this sub-forum, we can help you to check out your system for malware & remove malware that is found. That we will do by doing a series of scans & other steps, as needed.
Over and above that, if no malware is around, I will need to refer you elsewhere for this "copy > paste" situation. Copy-paste operations are special features of the Windows operating system. Strictly the operating system. And are not something controlled by either Malwarebytes or by other security programs.
Maurice Naggar Posted October 31, 2019 ID:1342406 (edited)
Please be sure that you have seen and done what I listed in my preceding reply. That includes answering my questions there and doing the ESET scan.
These are additional things to do. Let's do a special search. We need to search for a few things with SystemLook:
Please download SystemLook (64-bit) by jpshortstuff and save it to your desktop.
Right-click SystemLook_x64.exe and select Run as Administrator to start the tool. If prompted by Windows UAC, please allow it to run. If you receive an "Open file - security warning"... asking "Do you want to run this file?", press the Run button.
COPY & paste the entire text into the main text box of SystemLook: all 5 lines in their entirety
:regfind rundll32 C:\Users\USER :filefind d3dx11_31.dll d3dx*.dll
Click the Look button to start the scan.
When finished, a notepad window will open with the results of the scan.
A file will be created (on the same folder where you saved Systemlook_x64) with the results of the scan, named SystemLook.txt
Please attach this log in your next reply. Thank you.
Edited October 31, 2019 by Maurice Naggar
Badshah Posted November 1, 2019 Author ID:1342448
Hello @Maurice Naggar
When I made a scan with Windows Defender OFFLINE it didn't find any threats and my PC restarted after the scan.
When I copy my Bitcoin address I copy it from my Blockchain account using Firefox Browser and I copy it with my Coinbase app with Blu-stacks. Whenever I copy and try to paste the address in my notepad or in any other web page, the address changes into another address. No matter how many Bitcoin addresses I copy, it always changes into the same Bitcoin address.
Bitcoin:13gwPnRgJjqsg2T1QQ6LQXtxWJAQDJWD6z
This is the address that always comes when I try to paste it. And I have Crypto Tab Browser, but I don't use it to do my online crypto currency transactions, because when I try to log in to my Google account using Crypto Tab Browser, for some unknown reason it always fails to log in to my account. That's why I use Firefox instead of Crypto Tab Browser for online transactions.
Sorry, I'm unable to give the scan details of the ESET Online Scan, because after downloading this "esetonlinescanner_enu.exe" file I tried to install it but it failed at the download and it said installation error.
Here is the SystemLook file: SystemLook.txt
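The symptom reported in the post above (different copied addresses always pasting back as the same address of the same coin) can be confirmed from a few manual copy/paste observations. This is an added example, not part of the original thread: the patterns check address shape only (no checksum), the "copied" values are constructed placeholders, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Shape-only patterns; they tell the address family apart, nothing more.
ADDRESS_SHAPES = {
    "btc-legacy": re.compile(r"^[13][1-9A-HJ-NP-Za-km-z]{25,34}$"),
    "btc-bech32": re.compile(r"^bc1[02-9ac-hj-np-z]{11,71}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
    "cashaddr": re.compile(r"^(?:bitcoincash:)?[qp][02-9ac-hj-np-z]{41}$"),
}

def address_kind(text):
    """Return the address family `text` looks like, or None."""
    candidate = text.strip()
    for kind, pattern in ADDRESS_SHAPES.items():
        if pattern.match(candidate):
            return kind
    return None

def find_substitutions(observations):
    """observations: (copied, pasted) string pairs noted during manual tests.

    A finding is an address-shaped value that came back from paste as a
    different address of the same family."""
    findings = []
    for copied, pasted in observations:
        copied, pasted = copied.strip(), pasted.strip()
        kind = address_kind(copied)
        if kind and copied != pasted and address_kind(pasted) == kind:
            findings.append({"kind": kind, "copied": copied, "pasted": pasted})
    return findings

def recurring_replacements(findings):
    """Pasted values that replaced two or more distinct copied addresses:
    the 'always the same address' pattern described in the thread."""
    sources = defaultdict(set)
    for finding in findings:
        sources[finding["pasted"]].add(finding["copied"])
    return {p: sorted(s) for p, s in sources.items() if len(s) >= 2}

# Pasted values are the ones quoted in the thread; copied values are
# constructed placeholders that only have the right shape.
SEEN_BTC = "13gwPnRgJjqsg2T1QQ6LQXtxWJAQDJWD6z"
SEEN_ETH = "0x1b3417c12EBfa72e384A210698192458A32d6D37"
SAMPLE = [
    ("1" + "A" * 33, SEEN_BTC),
    ("1" + "B" * 33, SEEN_BTC),
    ("0x" + "ab" * 20, SEEN_ETH),
    ("hello world", "hello world"),      # ordinary text, unchanged
    ("1" + "C" * 33, "1" + "C" * 33),    # address pasted back intact
]

if __name__ == "__main__":
    found = find_substitutions(SAMPLE)
    for item in found:
        print(item["kind"], item["copied"], "->", item["pasted"])
    print("recurring:", recurring_replacements(found))
```

Ordinary text that pastes back unchanged while address-shaped text does not is what separates this behaviour from a generic clipboard fault.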
Maurice Naggar Posted November 1, 2019 ID:1342457
Thanks for the info & the SystemLook report. I regret to read that there was a hitch with the ESET Online scan tool.
I would like for you to run a different tool (Silentrunners) to do a report about startup programs. It is just a report. IF you see or get any prompts questioning this tool, take the choice to allow it to Run.
Download silentrunners.vbs to your Desktop. A zipped version can be found here.
If you used the zipped version, unzip (extract) the file to its own folder: C:\Silent Runners.
Double-click the SilentRunners.vbs inside the folder or on your desktop to start.
A message box will appear asking if you want to skip the supplemental searches. Press "No" to include them.
Another message box will appear saying: "Silent Runners has started. A message box like this will appear when its done."
The tool will scan your system and create a log by default, in the same directory as the script or on your desktop.
The log is named "Startup Programs (ComputerName) date/timestamp.txt".
When finished, the next message to appear will say: "All Done! the results are in the file..." (it will provide the full path location of the log).
Copy & paste the log in your next reply.
Note: If you have a script blocking program you may get a warning asking if you want to allow the script to run. Some will say "malicious script warning" or something to that effect. There is nothing malicious about this script, you can click to allow it to execute.
PS: My current thinking is that something (perhaps a DLL file) is what is used that causes the chicanery on the COPY > Paste of BTC addresses. Something that is stashed somewhere.
Badshah Posted November 1, 2019 Author ID:1342467
@Maurice Naggar here is the Silentrunners text log file: Startup Programs (DESKTOP-RJM4HGE) 2019-11-01 17.47.49.txt
Maurice Naggar Posted November 1, 2019 ID:1342550
Thanks for the report. I had a bit of a struggle to download it (strictly local issue on my rig). I am still studying the report.
At this time, I would like you to do a Windows checkup. This procedure will use the Windows System File Checker tool (SFC).
· Please download sfc_scannow.bat using the link below. → this link
· Open your Downloads folder.
· Double-click sfc_scannow.bat.
· Note: If you are prompted by Windows SmartScreen, click More info followed by Run anyway.
· A blue Command Prompt window will appear.
· Upon completion, a file named mb-cbs-log.zip will be created on your Desktop.
· Please attach the file in your next reply.
Badshah Posted November 2, 2019 Author ID:1342619
Here is the log file of sfc_scannow.bat. mb-cbs-log.zip
Maurice Naggar Posted November 2, 2019 ID:1342678
Thanks for that. Please locate & then send this next file as an attachment with your reply:
C:\Users\USER\AppData\Local\Temp\zip.vbs
Badshah Posted November 3, 2019 Author ID:1342717
Sorry to say that I'm unable to give this file C:\Users\USER\AppData\Local\Temp\zip.vbs, because I couldn't find this file. I clear my temp files every day using the Run app. I think maybe I have deleted this file, that's why I couldn't find the file. Tell me what I should do next.
Maurice Naggar Posted November 3, 2019 ID:1342773
Please start the Windows File Explorer and go to the folder C:\Windows\Logs\CBS
You will find the log-file CBS.log. With your mouse, click it one time so it has focus on the file.
Then do a right-click with the mouse on CBS.log and select "Send to Compressed Files folder".
It will show a message to the effect that the zip file will be created on the DESKTOP. Proceed with the selection.
When done, CBS.zip will be on Desktop. Please attach the CBS.zip file with your reply. Thank you.
Badshah Posted November 4, 2019 Author ID:1342843
Here is the CBS.log file CBS.zip
Maurice Naggar Posted November 4, 2019 ID:1342922
Thank you for the CBS log. Let’s also please try to get and run a special tool from Microsoft. This is a different report tool. It does not make changes. It will be just a report.
Please download Sysinternals Autoruns from here and save it to your desktop.
Note: you also need to do the following:
Right-click on Autoruns.exe and select Properties
Click on the Compatibility tab
Under Privilege Level check the box next to Run this program as an administrator
Click on Apply then click OK
Double-click Autoruns.exe to run it.
Once it starts, please press the Esc key on your keyboard.
Now that scanning is stopped, click on the Options button at the top of the program and select Filter Options...
In the Autoruns Filter Options dialogue, verify that the following are unchecked, if they are checked, uncheck them:
Include empty locations
Hide Microsoft entries
Hide Windows entries
Verify that the following is checked, if it is unchecked, check it:
Verify code signatures
Once that's done press the F5 key on your keyboard, this will start the scan again, this time let it finish.
When it's finished and says Ready. on the lower left of the program window, please click on the File button at the top of the program and select Save and save the Autoruns.arn file to your desktop and close Autoruns.
Right click on the Autoruns.arn file on your desktop and hover your mouse over Send To and select Compressed (zipped) Folder
Attach the Autoruns.zip folder you just created to your next reply
Thank you.
Badshah Posted November 5, 2019 Author ID:1343148
Here is the Autoruns zipped file: Autoruns.zip
Badshah Posted November 5, 2019 Author ID:1343174
After giving you the Autoruns.zip file I tried to copy and paste my BTC address and this time it didn't change into another address. It actually pasted my address. Thank you for your help. Can you tell me how I can protect my PC in the future, so this doesn't happen again?
Solution Maurice Naggar Posted November 5, 2019 ID:1343237
Thank you for the Autoruns report. I am glad that the copy > paste issue has cleared. That was an unexpected but pleasant news.
You asked how to keep the PC protected. The main thing for the immediate future is to keep a watch for Microsoft Windows Updates & for the upcoming November (Fall) 2019 Windows Build 1909. It should be coming out over the next few weeks.
And be sure you have Malwarebytes for Windows Premium & keep it current. And also follow safety best practices.
Best practices & malware prevention:
Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources.
First rule of internet safety: slow down & think before you "click".
Never click links without first hovering your mouse over the link and seeing if it is going to an odd address (one that does not fit or is odd looking or has typos).
Free games & free programs are like "candy". We do not accept them from "strangers".
Never open attachments that come with unexpected (out of the blue) email no matter how enticing.
Never open attachments from the email itself. Do not double click in the email. Always Save first and then scan with antivirus program.
Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed.
Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next".
Use a Standard user account rather than an administrator-rights account when "surfing" the web.
See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html
Don't remove your current login. Just use the new Standard-user-level one for everyday use while on the internet.
Do a Windows Update.
Make certain that Automatic Updates is enabled. https://support.microsoft.com/en-us/help/12373/windows-update-faq
Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.
For other added tips, read "10 easy ways to prevent malware infection"
Backup is your best friend. Be sure you do periodic backups of your system on offline media.
[ B ]
Be real sure that Windows System Restore service is ON. The earlier reports showed it to be off. Let's be sure to turn ON the Windows SYSTEM RESTORE Service. (ENABLE it)
See this how-to https://www.tenforums.com/tutorials/99782-enable-disable-system-restore-windows.html
[ C ]
See this article on our Malwarebytes Blog https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/
You want to disable the ability of each web browser on this machine from being able to allow "push ads". That means Chrome, Firefox, or Edge browser (on Windows 10), or on Opera. Scroll down to the tips section "How do I disable them".
IF this pc has CHROME: I suggest you install the Malwarebytes Browser Guard on to Chrome browser. To get & install the Malwarebytes Browser Guard extension for Chrome, open this link in your Chrome browser: https://chrome.google.com/webstore/detail/malwarebytes/ihcjicgdanjaechkgeegckofjjedodee
Then proceed with the setup.
IF this pc has FIREFOX: To get & install the Malwarebytes Browser Guard Firefox extension, open this link in your Firefox browser: https://addons.mozilla.org/en-US/firefox/addon/malwarebytes/
Then proceed with the setup. That link is for English US. There are other language versions. Just go to the very bottom right of the page and look at “Change language” list drop down.
[ D ]
Let me know if you need other help. You may delete the files I had you download.
Maurice Naggar Posted November 8, 2019 ID:1344070
Glad we could help. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request. This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread. Thanks