jztflokzz

Infected with a bitcoin stealer

Hey!

I've just found out that whenever I copy a BTC address, it actually autochanges into another addy, meaning I'm infected with the famous "bitcoin stealer" virus. I believe this came from some files which I opened on an RDP of mine, which must have somehow cross-infected my regular PC from my RDP. I don't understand how this is possible, but it has happened to me once before already, and I had to reinstall my PC. I do not wish to do that now, and I was wondering if anybody could help me with cleaning my PC of this virus completely. Please and thank you!

Also, I am currently running a full scan with Malwarebytes; I ran a quick scan, however no threats were found. I've attached Addition and FRST, and will attach the log once finished.

Addition.txt FRST.txt


Hello @jztflokzz

Please run the following steps and post back the logs as an attachment when ready.

STEP 01

  • If you're already running Malwarebytes then open Malwarebytes and check for updates. Then click on the Scan tab and select Threat Scan and click on Start Scan button.
  • If you don't have Malwarebytes installed yet please download it from here and install it.
  • Once installed then open Malwarebytes and select Scan and let it run.
  • Once the scan is completed click on the View Report button, then the Export button and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
  • If Malwarebytes won't run then please skip to the next step and let me know in your next reply.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

  • Right-click on the program and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan Now.
  • When finished, please click Clean & Repair.
  • Your PC should reboot now if any items were found.
  • After reboot, a log file will be opened. Attach or copy its content into your next reply.

RESTART THE COMPUTER before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure whether your computer is 32-bit or 64-bit.

  • Double-click to run it. When the tool opens, click Yes to the disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run from. Please attach it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). If you've run the tool before, you need to place a checkmark here.
  • Please attach the Addition.txt log to your reply as well.

Thanks


Hello @AdvancedSetup and thank you for taking your time to help me,

One update I'd like to add is that I ran a Malwarebytes scan yesterday, first a regular one, and then a "complete" one which scanned all the disks on my PC. After that first regular scan I noticed it no longer changed my bitcoin address; however, last time I had this virus I noticed that after restarting my computer/using an antivirus it sometimes would "stop working", just for it to surprise me and come back at a later time. So I'm by no means sure that I'm clean. Hopefully you can help me figure that out. As well, I'd like to add that after doing the AdwCleaner reboot, upon booting into Windows, I had about 4 or 5 CMD windows open for a brief moment and then close. Not sure if that has something to do with AdwCleaner, although it probably does because I've never noticed that before. I've attached all necessary files below.

AdwCleaner[S00].txt FRST.txt Addition.txt


Overall the logs look good. Let me have you run the following fix, which will check the operating system files, do a disk check and remove temp files.

Then afterwards I'll leave you some information to further help protect your privacy and data.

I would recommend against using uTorrent as that is a direct route into your system for unverified files as well as potentially illegal data. It only takes one bad file to go through and encrypt all your data.

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

fixlist.txt

Thanks

I have attached the log. I'm still a bit paranoid, since last time it seemed like my PC was clear as well but it somehow came back. Please let me know if there's anything more you want to check, such as autorun or anything, or if it looks good.

Thanks

Fixlog.txt


The logs look good. We can go ahead and run one more offline scan if you like though.

Please perform a Windows Defender Offline scan and post back the results.

Windows Defender Offline is a powerful offline scanning tool that runs from a trusted environment, without starting your operating system.
This topic describes using Windows Defender Offline in Windows 10, Windows 8.1, and Windows 7.

Using Windows Defender Offline on Windows 10

  1. Select Start, and then select Settings > Update & Security > Windows Security > Virus & threat protection.
  2. On the Virus & threat protection screen, do one of the following:
    • In the current version of Windows 10: Under Current threats, select Scan options.
    • In previous versions of Windows: Under Threat history, select Run a new advanced scan.
  3. Select Windows Defender Offline scan, and then select Scan now.

Where can I find scan results?

To see the Windows Defender Offline scan results:

  1. Select Start, and then select Settings > Update & Security > Windows Security > Virus & threat protection.
  2. On the Virus & threat protection screen, do one of the following:
    • In the current version of Windows 10: Under Current threats, select Scan options, and then select Threat history.
    • In previous versions of Windows: Select Threat history.

Hey, when I click "Open app" in "Virus & threat protection" it just opens up Malwarebytes. Is that what it's supposed to do or no? It's not opening Windows Defender at least.


You may have Defender turned off and be allowing only Malwarebytes to run.

Turn off registering Malwarebytes in the Windows Security Center.

That should allow Windows Defender to see the change and allow it to run. If not then try rebooting the computer and let me know.

I went to open the log and it was empty. Does that mean all is good?


You can look in Event Viewer as well to see what was done.

Click on Start and type in EVENTVWR and run that application.

Then browse down to Applications and Services Logs -> Microsoft -> Windows

Then down to Windows Defender -> Operational


I doubt that it found anything but you can check it out.

Yeah, you're right, nothing was found. Just hopefully I'm 100% good now and it's not lurking in the background and waiting to enable itself again.

I think it's probably more to do with the web browser than a real infection. I'll leave you with some information to better help protect your privacy and data.

If you're not backing up your data and you're still using Google Chrome then you're just not serious about Privacy, Safety, and protecting your data. Malwarebytes is a fantastic program but you still need to back up your data and you still need to block scripts and Ads in your browser. 
If you're still using Google Chrome I would highly suggest you consider using Firefox instead. For more advanced users you might consider installing NoScript as well (it does have a higher learning curve though)

PrivacyTools - Encryption, and tools to protect against global mass surveillance - https://www.privacytools.io

Help Secure your browsers

You may be interested in using our new Malwarebytes Browser Guard to help protect your browser from items that uBlock or others don't target.

Please install uBlock Origin for your browsers to better protect your system.

Firefox, Chrome, Opera, Safari, Microsoft Edge
AdBlock Plus for Internet Explorer

How to use uBlock Origin to protect your online privacy and security | uBlock Origin tutorial 2018
This video tutorial above explains how to use uBlock Origin in advanced user mode and all the advanced settings to protect your online privacy and help prevent unwanted sites from changing your browser settings

Delete Cookies Automatically

Cookie AutoDelete plugin
Chrome | Firefox

Browser push notifications: a feature asking to be abused
HTTPS Everywhere
NOTHING TO HIDE documentary

Review your email and Office choices

Quit Gmail for free encrypted email - Tutanota
Why ProtonMail Is More Secure Than Gmail
LibreOffice - Free and open source office suite

Use Password Management software

Bitwarden
KeePass Password Safe

Make sure you use a strong master password
Then set the key transformation settings (the link below helps provide information on how to choose good settings)
https://pthree.org/2016/06/29/further-investigation-into-scrypt-and-argon2-password-hashing
KeePass Password Manager: Full Detailed Setup (good YouTube video on setup and using Keepass but choose the Argon2 method for Key transformation)

Encrypted Instant Messenger and Voice Calls

Please review the following site for a breakdown of features of different Messenger applications.

SafeSwiss
Riot
Signal
Wire
NOTE: Recent news of Wire having new investors and moving to the United States.
Wickr Me

Follow-up Reading

Everything you need to know about cybercrime
10 easy ways to prevent malware infection 
Keep your data backed up

Thank you for choosing Malwarebytes as your preferred security protection software and tell your friends and family too. We're here to help.

Thank you for your help, although I'm confused on what you mean by the browser thing. It was actually happening in my Notepad, and even on Telegram as well. Can I actually get infected through my browser like that?

The way I originally thought it happened was that I ran some sketchy stuff on my RDP a few days ago, and it somehow cross-infected its way onto my main PC. Is this possible?


There was nothing specifically found to account for it. Most people don't seem to reboot their computer very often and visit hundreds of websites between reboots. In theory things should not get out of the browser sandbox but things do happen. I wish I did have a specific find to point a finger at but nothing obvious was found to account for it. If Windows is in an unstable state it could account for it.

Yeah, I actually do rarely reboot my computer. But I did do that first major scan of my hard drives, and it found two threats, and both were uTorrent. So maybe I got infected through uTorrent? Not sure. I'd post the log if I knew how to get it after the scan has been done already.


Open Malwarebytes and click the center of the scanner bulls-eye.

Select the log you want to view or save and choose the appropriate option.

Thank you.

I've attached the only two scans I've seen where Malwarebytes had detected "infections".

log2.txt log1.txt


Those are not installed and active threats. Those are PUP (Potentially Unwanted Programs) as they can potentially lead to a real infection or otherwise pose a risk to your security data.

Highly recommend you review and try to follow at least some of the advice in my post #13 to help improve your privacy and data security.

Is there anything else we can assist you with, @jztflokzz?


Due to the lack of feedback, this topic is closed to prevent others from posting here.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this topic. Other members who need assistance please start your own topic in a new thread.

Thanks