trgnn

Copy paste BTC & ETH address, help to remove


Hello, I just created an account here as I was researching this malware. I'm on a clean computer, no cracks or illegally purchased software. I have been getting the same issues for a few days. This one is also targeting ETH addresses, not only BTC. The ETH address it's using is this one: 0x9d787053f9839966A664b0e14e9C26a3684F6E44


In addition to Malwarebytes, I tried a Kaspersky Antivirus and a Spybot run. Nothing seems to detect this crap 😕

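An added self-check for the clipboard swapping the opening posts describe; this script is not part of the thread and not something the Malwarebytes helper posted. A "clipper" rewrites a wallet address between the moment it is copied and the moment it is pasted, so placing an address-shaped string on the clipboard, waiting briefly and reading it back shows whether anything on the machine is rewriting it. The ETH address used as a known-bad indicator is the one quoted in the first post; the test addresses are constructed (format-plausible, not real wallets) and the address regexes are an assumption about typical clipper behaviour. Needs Windows PowerShell 5.1 or later for Get-Clipboard and Set-Clipboard.

```powershell
# Added example (not from the thread): read-back check for clipboard address swapping.
# Needs Windows PowerShell 5.1 or later (Get-Clipboard / Set-Clipboard).

# The attacker-controlled ETH address quoted in the first post of this thread.
$KnownBadAddresses = @('0x9d787053f9839966A664b0e14e9C26a3684F6E44')

# Address shapes a clipper typically rewrites. These regexes are an assumption
# about common clipper behaviour, not something the thread states.
$AddressShapes = [ordered]@{
    'BTC legacy/P2SH' = '^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$'
    'BTC bech32'      = '^bc1[a-z0-9]{25,90}$'
    'ETH'             = '^0x[0-9a-fA-F]{40}$'
}

# Constructed test strings: format-plausible, not real wallets.
$TestAddresses = @(
    '1TESTbtcADDRESSabcdefgh23456789ABC',
    '0xcafecafecafecafecafecafecafecafecafecafe'
)

function Get-AddressShape {
    param([string] $Text)
    foreach ($name in $AddressShapes.Keys) {
        if ($Text -match $AddressShapes[$name]) { return $name }
    }
    return 'not an address'
}

function Test-ClipboardSwap {
    param(
        [Parameter(Mandatory)] [string] $Address,
        [int] $WaitMilliseconds = 2000
    )
    Set-Clipboard -Value $Address
    # Give a resident clipper time to notice the new clipboard content.
    Start-Sleep -Milliseconds $WaitMilliseconds
    $readBack = ([string](Get-Clipboard -Raw)).Trim()

    [pscustomobject]@{
        Placed          = $Address
        PlacedShape     = Get-AddressShape $Address
        ReadBack        = $readBack
        ReadBackShape   = Get-AddressShape $readBack
        Swapped         = ($readBack -ne $Address)
        MatchesKnownBad = ($KnownBadAddresses -contains $readBack)
    }
}

# Preserve whatever the user had on the clipboard and put it back afterwards.
$previous = [string](Get-Clipboard -Raw)
try {
    $results = foreach ($addr in $TestAddresses) { Test-ClipboardSwap -Address $addr }
    $results | Format-Table -AutoSize
    if ($results.Swapped -contains $true) {
        Write-Warning 'Clipboard content was rewritten: a clipper-style process is active on this machine.'
    } else {
        Write-Host 'No clipboard rewriting observed for the test addresses.'
    }
} finally {
    if ($previous) { Set-Clipboard -Value $previous }
}
```

If Swapped comes back true, the ReadBack column holds the address the malware substituted, which is the value worth reporting in the thread. Some clippers only react to addresses with a valid checksum, so a constructed string may not trigger them; repeating the check with one of your own real addresses is a stronger probe. The check only observes the symptom; removal still goes through the scan and report steps the helper asks for.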

Hi, and welcome!

My name is Maurice. I will be helping and guiding you, going forward, on this case.

Please follow my directions as we go along. Please do not make any changes on your own without first checking with me.

If you will be away for more than 3 consecutive days, do try to let me know ahead of time, as much as possible.

Please only attach the report files, etc., that I ask for as we go along.

Helpers look for cases that have had zero replies when reviewing this help section. This case had 4 back-to-back posts by you.

Let's please try to get and run a special tool from Microsoft. This is a different report tool.

It does not make changes. It will be just a report.


  • Please download Sysinternals Autoruns from here and save it to your desktop.
  • Note: you also need to do the following:
      • Right-click on Autoruns.exe and select Properties
      • Click on the Compatibility tab
      • Under Privilege Level, check the box next to "Run this program as an administrator"
      • Click on Apply, then click OK

Double-click Autoruns.exe to run it.
Once it starts, please press the Esc key on your keyboard.
Now that scanning is stopped, click on the Options button at the top of the program and select Filter Options...

In the Autoruns Filter Options dialog, verify that the following are unchecked; if they are checked, uncheck them:

  • Include empty locations
  • Hide Microsoft entries
  • Hide Windows entries

Verify that the following is checked; if it is unchecked, check it:

  • Verify code signatures

Once that's done, press the F5 key on your keyboard. This will start the scan again; this time let it finish.
When it's finished and says "Ready." in the lower left of the program window, please click on the File button at the top of the program, select Save, save the Autoruns.arn file to your desktop, and close Autoruns.

Right-click on the Autoruns.arn file on your desktop, hover your mouse over Send To, and select Compressed (zipped) Folder.
Attach the Autoruns.zip folder you just created to your next reply.

Thank you.

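An added example of what a helper does with the Autoruns report once "Verify code signatures" is on: list every enabled autostart entry whose image is not from a verified signer. This script is not from the thread or from Sysinternals; it drives autorunsc.exe, the console version of the same Autoruns tool, whose -s switch is the equivalent of the GUI signature option. Assumptions: autorunsc.exe is in the current directory (or pass -Autorunsc), the session is elevated, and the CSV column names (Entry Location, Entry, Enabled, Signer, Image Path, Launch String, SHA-256) match those of current autorunsc releases.

```powershell
# Added example (not from the thread): triage an autorunsc CSV report for entries
# that are enabled but not signed by a verified publisher. Run elevated.
#Requires -RunAsAdministrator
param(
    [string] $Autorunsc = '.\autorunsc.exe',                        # assumption: tool location
    [string] $OutCsv    = "$env:USERPROFILE\Desktop\autoruns.csv"
)

function Export-AutorunsCsv {
    param([string] $Exe, [string] $Path)
    # -accepteula: no licence prompt; -a *: all entry categories; -c: CSV output;
    # -s: verify digital signatures; -h: file hashes; -nobanner: no header text.
    # Redirect through cmd.exe so the tool writes the file in its own encoding.
    $cmd = "`"$Exe`" -accepteula -a * -c -s -h -nobanner > `"$Path`""
    cmd.exe /c $cmd
    if (-not (Test-Path $Path)) { throw "autorunsc produced no output at $Path" }
}

function Import-AutorunsCsv {
    param([string] $Path)
    # autorunsc may emit UTF-16LE; pick the encoding from the byte-order mark.
    $full = (Resolve-Path $Path).Path
    $head = [System.IO.File]::ReadAllBytes($full) | Select-Object -First 2
    $enc  = if ($head[0] -eq 0xFF -and $head[1] -eq 0xFE) { 'Unicode' } else { 'Default' }
    Import-Csv -Path $full -Encoding $enc
}

function Get-UnverifiedAutoruns {
    param([object[]] $Entries)
    # Column names are an assumption based on current autorunsc CSV output.
    $Entries |
        Where-Object {
            $_.Enabled -eq 'enabled' -and
            $_.'Image Path' -and
            $_.Signer -notlike '(Verified)*'
        } |
        Select-Object 'Entry Location', Entry, Signer, 'Image Path', 'Launch String', 'SHA-256'
}

Export-AutorunsCsv -Exe $Autorunsc -Path $OutCsv
$entries = @(Import-AutorunsCsv -Path $OutCsv)
$suspect = @(Get-UnverifiedAutoruns -Entries $entries)

Write-Host ("{0} autostart entries, {1} enabled with an unverified or missing signer" -f $entries.Count, $suspect.Count)
$suspect | Sort-Object 'Entry Location' | Format-Table -AutoSize -Wrap
```

An unverified signer is not proof of malware (plenty of legitimate software ships unsigned), but it is the short list a helper reads first, and the SHA-256 column gives a value that can be looked up without uploading the file. The full CSV on the desktop is the console equivalent of the Autoruns.arn file the post asks for.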

Thanks for that.

I suggest you do 2 things at this point. The first is to get the latest update for Malwarebytes 4.0.4.

Start Malwarebytes.

Click the Settings icon at the top right.

Click the General tab if needed. On that tab, click on the button marked "Check for Updates".

Follow all prompts and have patience.

[ 2 ]

Run a new scan with Malwarebytes.
Start Malwarebytes.

Click Settings (gear icon) at the top right of the Malwarebytes window. We want to see the SETTINGS window.

Then click the SECURITY tab.
Scroll down and let's be sure the line in SCAN OPTIONS for "Scan for rootkits" is ON.
Click it to turn it ON if it does not show a blue color.

Now click the small X to get back to the main menu window.

Click the SCAN button.
Select a Threat Scan (which should be the default).

When the scan phase is done, be very sure you review and have all detected line items check-marked on the left. That too is very critical.

Then click on Quarantine selected.

Be sure all items were removed. Then repeat the scan one more time. It does not take long.

And again, be sure all detected items are removed.

Let it remove what it has detected.

 


Done! It just found the Bitcoin-Qt core software, so I deleted it even if that is a false positive. It's open-source software, sources on GitHub, thousands of contributions. Cleaned it just to be sure.

The issue is still there though.


This procedure will use the Windows System File Checker tool (SFC).

Open an elevated command prompt window, i.e. run Command Prompt as an administrator.

It is best to use Windows copy (CTRL+C) and paste (CTRL+V) for the whole line, as-is.

To get the elevated command prompt, press Windows key + X and then select Command Prompt (Admin).

On that command prompt, copy & paste this command:

sfc /scannow

After it has finished:

Please start Windows File Explorer and go to the folder C:\Windows\Logs\CBS

You will find the log file CBS.log

With your mouse, click it one time so it has focus. Then right-click on CBS.log and select "Send to Compressed Files folder".

It will show a message to the effect that the zip file will be created on the DESKTOP.

Proceed with the selection. When done, CBS.zip will be on the Desktop.

Please attach the CBS.zip file with your reply.

Thank you.

 


Hello.

Thank you for the log. The SFC run was a worthwhile run; it made repairs.

Next, I would like to check on the overall state of Windows.

To get the elevated command prompt, press Windows key + X and then select Command Prompt (Admin).

On that command prompt, copy & paste this command:

DISM /Online /Cleanup-Image /ScanHealth

and tap the Enter key and let it proceed. Have patience and wait for it to complete to 100%.

Let me know what the bottom-line status message says at the end.

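An added script, not from the thread, that runs the two integrity checks the helper asks for in the SFC post and the DISM post above (sfc /scannow, then DISM /Online /Cleanup-Image /ScanHealth), records the closing lines of each tool's output together with its exit code, and zips C:\Windows\Logs\CBS\CBS.log to the desktop the way the SFC post describes. The verdict text is localized (the thread shows the French DISM wording), which is why the exit code is reported next to it. Assumes an elevated PowerShell session on a 64-bit PowerShell host.

```powershell
# Added example (not from the thread): SFC scan, DISM ScanHealth, and CBS.log archive.
# Run from an elevated PowerShell session.
#Requires -RunAsAdministrator

function Get-StatusTail {
    param([string[]] $Lines, [int] $Count = 3)
    # Each tool prints its verdict in the last few non-empty lines of its output.
    ($Lines | ForEach-Object { $_.Trim() } | Where-Object { $_ } | Select-Object -Last $Count) -join ' | '
}

function Invoke-SfcScan {
    # sfc.exe writes UTF-16 to the console; without this switch the captured text
    # shows every character separated by a space (a well-known PowerShell quirk).
    $saved = [Console]::OutputEncoding
    try {
        [Console]::OutputEncoding = [System.Text.Encoding]::Unicode
        $out = & "$env:SystemRoot\System32\sfc.exe" /scannow 2>&1 | ForEach-Object { "$_" }
        [pscustomobject]@{ Tool = 'sfc /scannow'; ExitCode = $LASTEXITCODE; Status = Get-StatusTail $out }
    } finally {
        [Console]::OutputEncoding = $saved
    }
}

function Invoke-DismScanHealth {
    # ScanHealth only reports on the component store; it makes no changes.
    $out = & "$env:SystemRoot\System32\dism.exe" /Online /Cleanup-Image /ScanHealth 2>&1 | ForEach-Object { "$_" }
    [pscustomobject]@{ Tool = 'DISM /ScanHealth'; ExitCode = $LASTEXITCODE; Status = Get-StatusTail $out }
}

function Export-CbsLog {
    param([string] $ZipPath = "$env:USERPROFILE\Desktop\CBS.zip")
    $log  = "$env:SystemRoot\Logs\CBS\CBS.log"
    $copy = Join-Path $env:TEMP 'CBS.log'
    # Copy first: the live log stays open while the servicing stack writes to it.
    Copy-Item -Path $log -Destination $copy -Force
    Compress-Archive -Path $copy -DestinationPath $ZipPath -Force
    Remove-Item -Path $copy -Force
    return $ZipPath
}

$results = @((Invoke-SfcScan), (Invoke-DismScanHealth))
$results | Format-Table -AutoSize -Wrap
$zip = Export-CbsLog
Write-Host "CBS.log archived to $zip. Attach this file to the reply."
```

Both checks are read-only with respect to the user's data: SFC restores protected system files from the component store, and ScanHealth only reports whether that store itself is intact, which is the status line the helper asks to see. A non-zero exit code from either tool is the thing to mention in the reply even when the localized text is hard to read.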

Done!

At the end I have:

C:\WINDOWS\system32>DISM /Online /Cleanup-Image /ScanHealth

Outil Gestion et maintenance des images de déploiement
Version : 10.0.17763.771

Version de l’image : 10.0.17763.864

[==========================100.0%==========================] Le magasin de composants est réparable.
L’opération a réussi.

 


Uh, sorry, French :D

It says:

The XXXXX (I don't know what that is) is recoverable.

Operation succeeded.

 


Thank you for that.

I would suggest upgrading to Windows 10 build 1909 (that is the November 2019 build update). You should be able to manually get it through Windows Update.

It may take repeated tries with Windows Update till your PC is able to see that update. You should make a try each day, from here on out, till you see it offered.

The suggestion I have is to go to the Start menu, click the Windows Settings icon, select Update & Security, and click on Windows Update.

Windows Update (eventually) will have a display show up for November 2019 [Build 1909].

Note that the display will show the new build in a new way, in the middle of the display. You will need to click on the blue line marked "Download and install now" when ready.

Have lots of patience during all the processes. If your machine is a notebook or laptop, be sure it is directly connected to regular cord power.

Getting that Windows build update will put this PC in a better position for a more secure operating system.

