Hijacked Clipboard


Hi there,

My clipboard is hijacked, to replace wallet addresses when transferring cryptocurrencies. I googled the issue and stumbled upon this forum.

Looking at threads, I think I know what is expected of me. 

I've scanned with Malwarebytes and deleted the threats, which did not solve the issue.

So I've used FRST and attached the exports. 

Could you please help me identify the threat?

Let me know if you need any other information.

 

Thanks in advance!

Addition.txt FRST.txt

Hello WenM and welcome to Malwarebytes,

Continue with the following:

Please download the attached fixlist.txt file and save it to the Desktop or location where you ran FRST from.

NOTE. It's important that both files, FRST or FRSTEnglish, and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system that cannot be undone.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt) or wherever you ran FRST from. Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.

NOTE-1: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity. Depending on the speed of your computer this fix may take 30 minutes or more.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. Also, make sure you know the passwords for all websites as cookies will also be removed.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Flash Player cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin


Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

Next,

Open Malwarebytes, select > small cog wheel top right hand corner, that will open "settings" from there select "Security" tab.

Scroll down to "Scan Options" ensure Scan for Rootkits and Scan within Archives are both on....

Close out the settings window, this will take you back to "DashBoard" select the Blue "Scan Now" tab......

When the scan completes quarantine any found entries...

To get the log from Malwarebytes do the following:
 
  • Click on the Detection History tab > from main interface.
  • Then click on "History" that will open to a historical list
  • Double click on the Scan log which shows the Date and time of the scan just performed.
  • Click Export > From export you have two options:
    Copy to Clipboard - if selected right click to your reply and select "Paste" log will be pasted to your reply
    Text file (*.txt) - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply

     
  • Please use "Copy to Clipboard", then Right click to your reply > select "Paste" that will copy the log to your reply…


Next,

Download AdwCleaner by Malwarebytes onto your Desktop.

Or from this Mirror
 
  • Right-click on AdwCleaner.exe and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Accept the EULA (I accept), then click on Scan
  • Let the scan complete. Once it's done, make sure that every item listed in the different tabs is checked and click on the Quarantine button. This will kill all the active processes
  • Once the cleaning process is complete, AdwCleaner will ask to restart your computer, do it
  • After the restart, a log will open when logging in. Please copy/paste the content of that log in your next reply


Next,

Download "Microsoft's Safety Scanner" and save direct to the desktop

Ensure to get the correct version for your system....

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download


Right click on the Tool, select Run as Administrator the tool will expand to the options Window
In the "Scan Type" window, select Quick Scan
Perform a scan and Click Finish when the scan is done.


Retrieve the MSRT log as follows, and post it in your next reply:

1) Select the Windows key and R key together to open the "Run" function
2) Type or Copy/Paste the following command to the "Run Line" and Press Enter:

notepad c:\windows\debug\msert.log

The log will include log details for each time MSRT has run, we only need the most recent log by date and time....

Let me see those logs in your reply...

fixlist.txt

I followed the steps and my laptop rebooted after running the FRST fix. However, it won't boot now. I get stuck on a black screen saying "preparing automatic recovery" but it's not doing anything after that. I don't even get a possibility to boot in safe mode.

Please advise how to proceed.

Hiya WenM,

There was nothing in the FRST fix that would stop your system from booting, so not really sure what has happened there... Can you hard reset the PC, that is power off. When powered remove the power source. Cable for PC, cable and battery for laptop. When that is completed hold in the start button for at least 30 seconds. When that is complete reinstate power sources and reboot.. Any change..?

Thanks,

Kevin

It's a laptop with a non-removable battery, so shutting down power completely isn't possible. Holding the power button for over 30 seconds doesn't do anything either.

Hiya WenM,

Never came across that model, the generic instructions for Lenovo laptops follow:

  1. Turn off your computer and disconnect the ac power adapter.
  2. Turn on your computer. Press F1 to enter Lenovo Setup when the Lenovo logo is displayed.
  3. Select Config -> Power. The Power submenu is displayed.
  4. Select Disable built-in battery.
  5. Click Yes in the Setup Warning window, then the computer turns off automatically. Wait three to five minutes to let the computer cool.

To turn back on later use same instructions but use "Enable" option..

After that with cable removed hold in the start button for 30 seconds.. When that completes plug in the cable and see if it now boots up ok....

Thanks,

Kevin...

I accidentally pressed mark as solution, but it's not resolved.

I've opened up my laptop to disconnect the battery cable. After that pressed the power button for 30 seconds, but I still get the same screen. I can't go into settings or anything. I get a blue screen and after that the "automatic recovery" screen. Then I need to reboot because it doesn't do anything, but then the cycle starts anew. What about booting with a recovery drive?

Hiya WenM,

When you access the RE Windows should open to the "Choose an Option" window....

From that window select "Troubleshoot" from the next window select "Advanced Options" from there you should see the following:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt


As FRST will have created a restorepoint select "System Restore" from there follow the prompts to restore back to FRST restore point...
 
Let me know if you can boot normally after system restore completes...
 
Thanks,
 
Kevin..

Hiya WenM,

Very odd, the first action of the FRST fix was to make sure System Restore was active, if not then make it active. Then create a restore point.. Maybe the infection had some kind of trap door to kill off your system during removal... Not really sure.

Please download Farbar Recovery Scan Tool from here:

http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

save it to a USB flash drive. Ensure to get the correct version for your system, 32 bit or 64 bit...

Next,


Access the RE again. Windows should open to the "Choose an Option" window....

From that window select "Troubleshoot" from the next window select "Advanced Options" from there you should see the following:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt


Ensure to plug the flash drive into an open USB port... Now select Command prompt

Continue with the following:
 
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\frst64 or e:\frst depending on your version. Press Enter Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.


Thanks,

Kevin...

Access FRST exactly as you did to get the log, when you have FRST open do the following:

Run FRST one more time:

Copy/paste the following exactly as written in the edit box after "Search:".

rpcss.dll;User32.dll

Click Search Files button and post the log (Search.txt) it makes to your reply.

Post that log...

Download attached fixlist.txt file (end of reply) and save it to the USB stick you saved FRST into. "Do not open that file when running FRST fix"
NOTE. It's important that both FRST and fixlist.txt are in the same location or the fix will not work.

Access FRST as you did to get the log, press the Fix button just once and wait.
The tool will make a log on the USB stick (Fixlog.txt). Please post it to your reply.

Reboot your system, see if it will now load windows correctly..

fixlist.txt

Hiya WenM,

Not good, ok the only way back now is to Refresh your system. Windows will be reinstalled, you will not lose any personal files, pictures, videos, music etc.. You will lose any software that did not come with your PC or was not downloaded from the Windows app store...

Remove USB device, boot to RE as you've done previously it should open to the "Choose an Option" window....

From that window select "Troubleshoot" from the next window select "Refresh your PC" follow the prompts from there, make sure to keep personal stuff...

You should now be able to boot to normal windows...

Thank you,

Kevin..

refresh.JPG

Hi, sorry for the late reply, busy weekend.

Yeah, I had to reinstall Windows. At first this wouldn't work either, because it said there wasn't enough disk space for the installation. Since I wasn't able to boot up completely, I couldn't delete files or programs. I managed to boot up notepad via prompt and deleted files through the explorer in Notepad.

 

So in the end, I still have all my files, Windows is working again, the virus is gone and I've learned a valuable lesson about backups and virus protection. Thanks for your help, time and patience!!

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following for Tips to help protect from infection

Thank you

 

 
