How to solve Bitcoin address copy paste problem

[Badshah]

Whenever I try to copy my Bitcoin address and paste it. Another address gets pasted. No matter how many times I do it. It always pastes the same address for Bitcoin and the same thing happens for ETH.BCH.LTC any many other address.i tried to solve this problem by using avast but nothing happened. I tried to fix it with Malwarebytes after scan about 448 threats was found I deleted all of them still no change in this copy paste problem. This problem is giving me headache's. Please tell me how to solve this problem.

[Badshah]

whenever i try to copy any address these addresses always gets copied.

Bitcoin:13gwPnRgJjqsg2T1QQ6LQXtxWJAQDJWD6z
Ethereum:0x1b3417c12EBfa72e384A210698192458A32d6D37
Bitcoin:qr07mvqqcchqvfy5q6hqa90z0c3zqhnchsaeaucl7z
how can i solve this problem

[Badshah]

here is the text files

Text file.txt FRST.txt FRST.txt

[Badshah]

Addition.txt

[Maurice Naggar]

Hi, 

My name is Maurice. I will be helping and guiding you, going forward on this case.

Please follow my directions as we go along.  Please do not do any changes on your own without first checking with me.

If you will be away for more than 3 consecutive days,  do try to let me know ahead of time, as much as possible.

 

Please only just attach   all report files, etc  that I ask for as we go along.

 

Your pr runs Windows 10  build 1903.    Here's the way to clear the Windows Clipboard history   (and what is in memory for "paste" operations in Windows..

Tap the Windows-key on keyboard so that you see the Windows 10 search box.

In the search box, type in

clipboard settings

 

then tap Enter-key.  

Click on Clipboard settings.

It will take you to clipboard settings.
Under “Clear clipboard data,” click the Clear button. Clear clipboard history

 

,

I noticed a number of logged events by the Windows 10 Windows Defender antivirus.   Such as this one

 

Date: 2019-10-25 17:43:34.343
Description:
Windows Defender Antivirus has detected malware or other potentially unwanted software.
For more information please see the following:
https://go.microsoft.com/fwlink/?linkid=37020&name=PWS:Win32/Stimilina.E!bit&threatid=2147728120&enterprise=0
Name: PWS:Win32/Stimilina.E!bit
ID: 2147728120
Severity: Severe
Category: Password Stealer
Path: file:_C:\Users\USER\AppData\Local\Temp\rebfrsxh.zfw.exe
Detection Origin: Local machine
Detection Type: FastPath
Detection Source: Real-Time Protection
Process Name: C:\Users\USER\Desktop\Bitcoin Generator Skynova.exe
Security intelligence Version: AV: 1.305.576.0, AS: 1.305.576.0, NIS: 1.305.576.0
Engine Version: AM: 1.1.16500.1, NIS: 1.1.16500.1

 

Question:   What do you know about this file   C:\Users\USER\Desktop\Bitcoin Generator Skynova.exe

PWS:Win32/Stimilina.E!bit   is a Microsoft classification.   MS says This threat can steal your personal information, such as your user names and passwords. It sends the stolen information to a malicious hacker.

I would suggest to delete that file.

 

 

Since this machine has AVAST antivirus, & thus has disabled Windows Defender, I would suggest to you to download and save the Windows Defener OFFLINE to a USB   ( or else, if you have a optical drive writer, to a CD or DVD ).

The goal is to download & save & then run the Windows Defender Offline.  This is a antivirus / anti-malware from Microsoft & is a quite powerful one.

 

I am going to cite the references for it at Microsoft.

The download links are listed at the bottom of the article.  The last part of the article addresses how to execute

https://support.microsoft.com/en-us/help/17466

 

[Badshah]

Hello @Maurice Naggar

i've alredy deleted this C:\Users\USER\Desktop\Bitcoin Generator Skynova.exe file and cleared my clipboard data. but my bitcoin address copy paste problem has not been resolved. How can i resolve it?

[Maurice Naggar]

Did you read all of my last reply?   Please do the scan with Microsoft Windows Defender OFFLINE.

[Badshah]

Yes, i did the Windows Defender OFFLINE Scan.What should i do next?

[Maurice Naggar]

What was the bottom line result of the Windows Defender scan ?    Did it flag something ?

Beyond that, I also need precise specifics from you.   You mention using Copy & paste.   I have to know, what program are you on when you do the Copy step?

Is that in a text or word processor?   or on a web browser ?  if the latter, which one ?

and is it when on Crypto Tab browser ?

and, if on a web page, which web-page is that ?

In other words, I need all the details of what is being copied from & what application is the container of the information when you do the copy.

Please provide all that.

 

ALSO, I need for you to do this special scan.

I would suggest a free scan with the ESET Online Scanner
Go to https://www.eset.com/us/home/online-scanner/

Look on the right side of the page.  Click Scan Now
It will start a download of "esetonlinescanner_enu.exe"
Save the file to your system, such as the Downloads folder, or else to the Desktop.

Go to the saved file, and double click it to get it started.
When presented with the initial ESET options, click on "Computer Scan".

Next, when prompted by Windows, allow it to start by clicking Yes

When prompted for scan type, Click on Full scan
Click on the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click on Start scan button.

Have patience.  The entire process may take an hour or more. There is an initial update download.
There is a progress window display.
You should ignore all prompts to get the ESET antivirus software program.   ( e.g.  their standard program).   You do not need to buy or get or install anything else.

When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.

Click The blue “Save scan log” to save the log.

If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files”  ( in blue, at bottom).

Press Continue when all done.  You should click to off the offer for “periodic scanning”.

.

NOTE: In this sub-forum, we can help you to check out your system for malware & remove malware that is found.

That we will do by doing a series of scans & other steps, as needed.

Over and above that, if no malware is around, I will need to refer you elsewhere for this "copy > paste" situation.

Copy-paste operations are special features of the Windows operating system.   Strictly the operating system.   And are not something controlled by either Malwarebytes or by other security programs.

[Maurice Naggar]

Please be sure that you have seen and done what I listed in my preceding reply.   That includes answering my questions there and doing the ESET scan.

This is additional things to do.

lets do a special search.

We need to search for a few things with SystemLook:

Please download SystemLook (64-bit) by jpshortstuff and save it to your desktop

Right-click SystemLook_x64.exe and select Run as Administrator to start the tool.

If prompted by Windows  UAC, please allow it  to run.
If you receive an "Open file - security warning"... asking "Do you want to run this file?", press the Run button.

COPY & paste the entire text into the main text box of SystemLook:    all 5 lines in their entirety

 

:regfind

rundll32 C:\Users\USER

:filefind

d3dx11_31.dll

d3dx*.dll

 

 

Click the Look button to start the scan

When finished, a notepad window will open with the results of the scan.

A file will be created (on the same folder where you saved Systemlook_x64) with the results of the scan, named SystemLook.txt

Please attach  this log in your next reply.

Thank you.

 

Edited October 31, 2019 by Maurice Naggar

[Badshah]

Hello @Maurice Naggar

When made a scan with Windows Defender OFFLINE it didn't find any threats and my PC restarted after the scan.
when i copy my bitcoin address i copy it from my Blockchain account using Firefox Browser and i copy it with my Coinbase app with Blu-stacks.
Whenever i copy and try to paste the address in my notepad or in any other web page the address changes into another address.
No matter how many bitcoin address i copy it always changes in to the same bitcoin address.

Bitcoin:13gwPnRgJjqsg2T1QQ6LQXtxWJAQDJWD6z

This is the address that always comes when i try to paste it.And i have Crypto Tab Browser But i dont use it to do my online crypto currency transactions.
Because when i try to login to my goggle account using Crypto Tab Browser.For some unknown reason it always fails to login to my account.
That's why i use Firefox instead of Crypto Tab Browser for online transactions.
 
Sorry, i'm unable to give the scan dtails of ESET Online Scan. Because after downloading this  "esetonlinescanner_enu.exe" File i tried to install it but it failed at
the download and it said installation error.

Here is the systemlook file
 

SystemLook.txt

[Maurice Naggar]

Thanks for the info & the SystemLook report.

I regret to read that there was a hitch with the ESET Online scan tool.

.

I would like for you to run a different tool ( Silentrunners ) to do a report about startup programs.   It is just a report.  IF you see or get any prompts questioning this tool, take the choice to allow it to Run.

 

Download silentrunners.vbs to your Desktop.
A zipped version can be found here.

• If you used the zipped version, unzip (extract) the file to its own folder: C:\Silent Runners.
• Double-click the SilentRunners.vbs inside the folder or on your desktop to start.
• A message box will appear asking if you want to skip the supplemental searches.
• Press "No" to include them.
•  
• Another message box will appear saying: "Silent Runners has started. A message box like this will appear when its done." The tool will scan your system and create a log by default, in the same directory as the script or one your desktop. The log is named "Startup Programs (ComputerName) date/timestamp.txt".
• When finished, the next message to appear will say: "All Done! the results are in the file..." (it will provide the full path location of the log.
• Copy & paste the log in your next reply.

Note: If you have a script blocking program you may get a warning asking if you want to allow the script to run. Some will say "malicious script warning" or something to that effect. There is nothing malicious about this script, you can click to allow it to execute.  

 

PS:  My current thinking is that something ( perhaps a DLL file) is what is used that causes the chicanery on the COPY > Paste of BTC addresses.

Something that is stashed somewhere.

 

 

 

[Badshah]

@Maurice Naggar

here is the silentrunners text log file

Startup Programs (DESKTOP-RJM4HGE) 2019-11-01 17.47.49.txt

[Maurice Naggar]

Thanks for the report.   I had a bit of a struggle to download it  ( strictly local issue on my rig).   I am still studying the report.

At this time, I would like you to do a Windows checkup.

 

This procedure will use the Windows System File Checker tool  ( SFC ).

 

·  Please download sfc_scannow.bat using the link below.
→  this link

·  Open your Downloads folder.

·  Double-click sfc_scannow.bat.

·  Note: If you are prompted by Windows SmartScreen, click More info followed by Run anyway.

·  A blue Command Prompt window will appear.

·  Upon completion, a file named mb-cbs-log.zip will be created on your Desktop.

·  Please attach the file in your next reply.

 

 

[Badshah]

Here is the log file of sfc_scannow.bat.

mb-cbs-log.zip

[Maurice Naggar]

Thanks for that.   Please locate & then send this next file as a attachment with your reply

C:\Users\USER\AppData\Local\Temp\zip.vbs

[Badshah]

Sorry to say that i'm unable to give this file C:\Users\USER\AppData\Local\Temp\zip.vbs. Beacuse i couldn't find this file. I clear my temp files everyday using the Run app.I think maybe i have deleted this file thats why i  couldn't find the file. tell me what should i do next.

[Maurice Naggar]

Please start the Windows File Explorer  and go to the folder  C:\Windows\Logs\CBS

You will find the log-file CBS.log

with your mouse, click it one time so it has focus on the file.   Then do a right-click with the mouse on CBS.log and select "Send to Compressed Files folder".

It will show a message to the effect that the zip file will be created on the DESKTOP.

Proceed with the selection.   When done,  CBS.zip will be on Desktop.

Please attach the CBS.zip file with your reply.

Thank you.

[Badshah]

Here is the CBS.log file

CBS.zip

[Maurice Naggar]

Thank you for the CBS log.

 

Let’s also please try to get and run a special tool from Microsoft. This is a different report tool.

It does not make changes. It will be just a report.

 

• Please download Sysinternals Autoruns from here and save it to your desktop.
   
• Note: you also need to do the following:
• Right-click on Autoruns.exe and select Properties
• Click on the Compatibility tab
• Under Privilege Level check the box next to Run this program as an administrator
• Click on Apply then click OK

Double-click Autoruns.exe to run it.
Once it starts, please press the Esc key on your keyboard.
Now that scanning is stopped, click on the Options button at the top of the program and select Filter Options...
 

In the Autoruns Filter Options dialogue, verify that the following are unchecked, if they are checked, uncheck them:
 

• Include empty locations
• Hide Microsoft entries
• Hide Windows entries

Verify that the following is checked, if it is unchecked, check it:
 

• Verify code signatures

Once that's done press the F5 key on your keyboard, this will start the scan again, this time let it finish.
When it's finished and says Ready. on the lower left of the program window, please click on the File button at the top of the program and select Save and save the Autoruns.arn file to your desktop and close Autoruns.

Right click on the Autoruns.arn file on your desktop and hover your mouse over Send To and select Compressed (zipped) Folder
Attach the Autoruns.zip folder you just created to your next reply

 

Thank you.

[Badshah]

here the Autoruns zipped file

Autoruns.zip

[Badshah]

After giving you the Autoruns.zip file i tried to copy and paste my BTC address and this time it didn't change into another address. it actually pasted my address. Thank you for your help. Can tell how can i protect my PC  in the future, so this doesn't happen again. 

[Maurice Naggar]

Thank you for the Autoruns report.  I am glad that the copy >paste issue has cleared.  That was a unexpected but pleasant news.

You asked how to keep the PC protected.

The main thing for the immediate future is to keep a watch for Microsoft Windows Updates & for the upcoming November ( Fall) 2019 Windows Build 1909.

It should be coming out over the next few weeks.

And be sure you have Malwarebytes for Windows Premium & keep it current.   And also follow safety best practices.

 

Best  practices & malware prevention:
Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources.
First rule of internet safety: slow down & think before you "click".

Never click links without first hovering your mouse over the link and seeing if it is going to an odd address ( one that does not fit or is odd looking or has typos).

Free games & free programs are like "candy". We do not accept them from "strangers".

Never open attachments that come with unexpected ( out of the blue ) email no matter how enticing.
Never open attachments from the email itself. Do not double click in the email. Always Save first and then scan with antivirus program.
 

 

Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed.
Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next".

Use a Standard user account rather than an administrator-rights account when "surfing" the web.
See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html
Dont remove your current login. Just use the new Standard-user-level one for everyday use while on the internet.

 
Do a Windows Update.

Make certain that Automatic Updates is enabled.
https://support.microsoft.com/en-us/help/12373/windows-update-faq

Keep your system and programs up to date. Several programs release security updates on a regular basis to patch vulnerabilities. Keeping your software patched up prevents attackers from being able to exploit them to drop malware.

For other added tips, read "10 easy ways to prevent malware infection"

 

Backup if your best friend.  Be sure you do periodic backups of your system on offline media.

 

[  B  ]   Be real sure that Windows System Restore service is ON.

The earlier reports showed it to be off.  Lets be sure to turn ON the Windows SYSTEM RESTORE Service.   ( ENABLE it )

See this how-to   https://www.tenforums.com/tutorials/99782-enable-disable-system-restore-windows.html

 

[   C  ]

See this article on our Malwarebytes Blog
https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

 

You want to disable the ability of each web browser on this machine from being able to allow "push ads". That means Chrome, Firefox, or Edge browser (on Windows 10), or on Opera.

Scroll down to the tips section "How do I disable them".

IF this pc has CHROME:

I suggest you install the Malwarebytes Browser guard on to Chrome browser.

To get & install the Malwarebytes Browser Guard extension for Chrome,

 

Open this link in your Chrome   browser: 

https://chrome.google.com/webstore/detail/malwarebytes/ihcjicgdanjaechkgeegckofjjedodee

 

Then proceed with the setup.

 

IF this pc has FIREFOX:

To get & install the Malwarebytes Browser Guard  Firefox extension.

Open this link in your Firefox browser:   

https://addons.mozilla.org/en-US/firefox/addon/malwarebytes/

Then proceed with the setup.

That link is for English US.   There are other language version.  Just go to the very bottom right of the page and look at “Change language” list drop down.

 

[   D  ]

Let me know if you need other help.

You may delete the files I had you download.

 

[Maurice Naggar]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks