Copy paste BTC & ETH address, help to remove

[trgnn]

Hello, I just created an account here as I was researching about this malware. I'm on a clean computer, no cracks or illegally purchased software. I get the same issues since a few days. This one is also targetting ETH addresses, not only BTC. The ETH address it's using is this one 0x9d787053f9839966A664b0e14e9C26a3684F6E44

[trgnn]

Here are my FRST.txt and Malwarbytes logs

Addition.txt FRST.txt Malwares.txt

[trgnn]

In addition to Malwarebytes, I tried a Kasperski Antivirus and a Spybot run. Nothing seem to detect this crap 😕

[Maurice Naggar]

Hi,      

My name is Maurice. I will be helping and guiding you, going forward on this case.

Please follow my directions as we go along.  Please do not do any changes on your own without first checking with me.

If you will be away for more than 3 consecutive days,  do try to let me know ahead of time, as much as possible.

 

Please only just attach   all report files, etc  that I ask for as we go along.

 

Helpers look for cases that have had zero replies  when reviewing this help section.   This case had 4 back-to-back posts by you.

 

 

Let’s  please try to get and run a special tool from Microsoft. This is a different report tool.

It does not make changes. It will be just a report.

 

• Please download Sysinternals Autoruns from here and save it to your desktop.
   
• Note: you also need to do the following:
• Right-click on Autoruns.exe and select Properties
• Click on the Compatibility tab
• Under Privilege Level check the box next to Run this program as an administrator
• Click on Apply then click OK

Double-click Autoruns.exe to run it.
Once it starts, please press the Esc key on your keyboard.
Now that scanning is stopped, click on the Options button at the top of the program and select Filter Options...
 

In the Autoruns Filter Options dialogue, verify that the following are unchecked, if they are checked, uncheck them:
 

• Include empty locations
• Hide Microsoft entries
• Hide Windows entries

Verify that the following is checked, if it is unchecked, check it:
 

• Verify code signatures

Once that's done press the F5 key on your keyboard, this will start the scan again, this time let it finish.
When it's finished and says Ready. on the lower left of the program window, please click on the File button at the top of the program and select Save and save the Autoruns.arn file to your desktop and close Autoruns.

Right click on the Autoruns.arn file on your desktop and hover your mouse over Send To and select Compressed (zipped) Folder
Attach the Autoruns.zip folder you just created to your next reply

 

Thank you.

[trgnn]

Thanks for your answer ! Here's the file you requiered 

DESKTOP-NSPNQHG.zip

[Maurice Naggar]

Thanks for that.

I suggest you do 2 things at this point.  The first is to get the latest update for Malwarebytes 4.0.4

Start Malwarebytes.

Click the Settings icon at the top right.

Click the General tab if needed.   On that tab, click on the button marked  "Check for Updates "

Follow all prompts  and have patience.

 

[    2    ]

Run a  new   scan with Malwarebytes.
Start Malwarebytes 

Click Settings ( gear icon)   at the top right of Malwarebytes window.   We want to see the SETTINGS window.

Then click the SECURITY  tab.
Scroll down and lets be sure the line in SCAN OPTIONs for "Scan for rootkits" is ON
Click it to get it ON  if it does not show a blue-color

Now click the small X  to get back to the main menu window.

Click the SCAN button.
Select a Threat Scan ( which should be the default).

When the scan phase is done, be real sure you Review and have all detected lines items check-marked on each line on the left. That too is very critical.

Then click on Quarantine selected.

 

Be sure all items were removed. Then too, Repeat the scan one more time. It does not take long.

and again, be sure all detected items are removed.

Let it remove what it has detected.

 

[trgnn]

Done ! It just found the bitcoin-QT core software so I deleted it even if that is a false positive. It's an open sourced software, sources on Github, thousands of contributions. Cleaned it just to be sure.

 

The issue is still there tho. 

[Maurice Naggar]

This procedure will use the Windows System File Checker tool  ( SFC ).

 

Open an elevated command prompt window i.e. run Command Prompt as an administrator .

It is best to use the Windows Copy ( CTRL+ C )  and paste  ( CTRL+V )  for the whole line, as-is

To Get the elevated command prompt, press Windows-key + X key  and then selected Command prompt ( Admin )

On that command prompt,  Copy & Paste this command

sfc /scannow

 

After it has finished:        

Please start the Windows File Explorer  and go to the folder  C:\Windows\Logs\CBS

You will find the log-file CBS.log

with your mouse, click it one time so it has focus on the file.   Then do a right-click with the mouse on CBS.log and select "Send to Compressed Files folder".

It will show a message to the effect that the zip file will be created on the DESKTOP.

Proceed with the selection.   When done,  CBS.zip will be on Desktop.

Please attach the CBS.zip file with your reply.

Thank you.

 

[trgnn]

Thank you for helping mate. Really apreciated! Here's the file you asked for!

CBS.zip

[Maurice Naggar]

Hello.

Thank you for the log.   The SFC run was a worthwhile run;  it made repairs.

Next, I would like to check on the overall state of Windows

To Get the elevated command prompt, press Windows-key + X key  and then selected Command prompt ( Admin )

On that command prompt,  Copy & Paste this command

 

DISM /Online /Cleanup-Image /ScanHealth

and  tap enter-key   and let it proceed.   Have patience  and wait for it to complete  to 100 %.

Let me know what the bottom line status-message says at the end.

[trgnn]

Terminé ! 

À la fin j'ai:

C:\WINDOWS\system32>DISM /Online /Cleanup-Image /ScanHealth

Outil Gestion et maintenance des images de déploiement
Version : 10.0.17763.771

Version de l’image : 10.0.17763.864

[==========================100.0%==========================] Le magasin de composants est réparable.
L’opération a réussi.

 

[trgnn]

Uh sorry french

It says:

The XXXXX (I don't know what that is) is recoverable.

Operation succeeded.

 

[Maurice Naggar]

Thank you on that.

I would suggest  to upgrade to the Windows 10 build 1909    ( that is the November 2019 build update).  You should be able to manually get it thru Windows Update.

It may take repeated tries with Windows Update till your pc is able to see that Update.  You should make a try each day, from here on out, till you see it offered.

The suggestion I have is to go to the Start menu, click the Windows Settings icon. Select Update & Security.  Click on Windows Update.

The Windows Update ( eventually) will have a display  show up for November 2019  [ Build 1909 ].

Note that the display will show the new build in a new way, in the middle of the display.  You will need to click on the blue line marked "Download and install now"  when ready.

 

Have lots of patience during all the processes.  If your machine is a notebook or laptop, be sure it is directly connected to regular cord power.

Getting that Windows build update will put this pc in a better position for a more secure operating system.

[Maurice Naggar]

Hello.   Checking up on your case.  How are things at this point?

[trgnn]

Hey sorry for the delays, I had to travel and had a bad Internet there. The updates process seems to have solved the issue. I wonder how and I'll be extremely careful but so far so good. 

 

Thanks a lot

[Maurice Naggar]

Hello.   You are welcome.  That is great news.

 

Best  practices & malware prevention:
Follow best practices when browsing the Internet, especially on opening links coming from untrusted sources.
First rule of internet safety: slow down & think before you "click".

Never click links without first hovering your mouse over the link and seeing if it is going to an odd address ( one that does not fit or is odd looking or has typos).

Free games & free programs are like "candy". We do not accept them from "strangers".

Never open attachments that come with unexpected ( out of the blue ) email no matter how enticing.
Never open attachments from the email itself. Do not double click in the email. Always Save first and then scan with antivirus program.

 

 

Pay close attention when installing 3rd-party programs. It is important that you pay attention to the license agreements and installation screens when installing anything off of the Internet. If an installation screen offers you Custom or Advanced installation options, it is a good idea to select these as they will typically disclose what other 3rd party software will also be installed.
Take great care in every stage of the process and every offer screen, and make sure you know what it is you're agreeing to before you click "Next".

Use a Standard user account rather than an administrator-rights account when "surfing" the web.
See more info on Corrine's SecurityGarden Blog http://securitygarden.blogspot.com/p/blog-page_7.html
Dont remove your current login. Just use the new Standard-user-level one for everyday use while on the internet.

 
Do a Windows Update.

Make certain that Automatic Updates is enabled.
https://support.microsoft.com/en-us/help/12373/windows-update-faq

 

Sincerely,

Maurice

[Maurice Naggar]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Thanks