Crypto Address Auto Change - Clipboard Hijack



7 minutes ago, Maurice Naggar said:

But I have many remote desktop servers which I need to connect to; if I follow this, I think it is not going to allow copying from any remote desktop server.

Link to post
Share on other sites

51 minutes ago, Maurice Naggar said:

Is the issue on only just 1 machine ?

I do need you to do all steps on just one machine to get started.  Do what is listed on this pinned post 

https://forums.malwarebytes.com/topic/9573-im-infected-what-do-i-do-now/

 

I have just followed the step and uploaded the required files. Please check.

Addition.txt FRST.txt mwblog.txt

Link to post
Share on other sites

Thank you. The Malwarebytes for Windows reports no malicious malware.

I will be guiding you to doing a series of scans. Starting with this.

 

Let me suggest you do one scan with Adwcleaner to check for adwares.

First download & save it 

https://support.malwarebytes.com/hc/en-us/articles/360038520054-Download-and-install-Malwarebytes-AdwCleaner

 

Then do a scan with Adwcleaner 

 

https://support.malwarebytes.com/hc/en-us/articles/360038520114-Malwarebytes-AdwCleaner-scan-and-clean

Attach the clean log.

 

Note Question: This Windows 10 here, do you access it yourself from an external connection source?

Or is it only used by you in person sitting there?

Link to post
Share on other sites


I have the log file.

I used Windows 10 on my personal laptop, meaning I'm sitting there.

Link to post
Share on other sites

Howdy. What follows is a custom script for this system.

The script Fixlist.txt  needs to be saved to the same folder that contains FRST64.exe   /  you have yours saved on desktop.

 

The custom script on this post is ONLY for this machine and NO other.   

 

  • Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

 

  • If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.

 

The system will be rebooted after the script has run.

 

Please save the (attached file named) FIXLIST.txt   to the DESKTOP folder

Fixlist.txt

 

Start the Windows Explorer and then go to the DESKTOP folder.

  • RIGHT click on  FRST64.exe   and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run  the tool. If the tool warns you the version is outdated, please download and run the updated version.

IF Windows prompts you about running this, select YES to allow it to proceed.

 

  • IF you get a block message from Windows about this tool......

click line More info information on that screen

and click button Run anyway on next screen.

 

  • on the FRST window:

Click the Fix button just once, and wait.

 

PLEASE have lots  of patience when this starts. You will see a green progress bar start. This run here should be fairly quick.

If you receive a message that a reboot is required, please make sure you allow it to restart normally.

  • The tool will complete its run after restart.

When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

 

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   

 

Do let me know how things are overall,  after all this.

Link to post
Share on other sites

That is very good to know.

We need to delete one file that is a threat.

On the Windows taskbar , on the Windows search box, type in

 

cmd.exe

and then look at the entire list of choices, and click on Run as Administrator.

 

Once the Command prompt window is up, copy > paste the line in the code-box below into the command-window.

 

del C:\Windows\System32\msh.exe

Reply YES to delete when prompted.

.

There is one file we need uploaded for analysis at Virustotal.

(The site uses multiple search engines from several companies).

Go to the link https://www.virustotal.com/gui/home/upload

 

You will see Choose file button. Click that as a first step. You will then see a dialog grid from Windows.

 

I need for you to upload 

 C:\Windows\System32\msn.exe 

 

I need for you to save the Link to the result analysis at Virustotal.

Let me know.   Much thanks.

Link to post
Share on other sites
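
The post above asks for one System32 file to be deleted and another uploaded to VirusTotal. As an added example (not part of the original post and not the helper's own script), the PowerShell below records whether each of the two paths named in the post still exists, together with its SHA-256, timestamps and Authenticode signature status, before anything is removed. The CSV file name on the desktop is an assumption.

```powershell
# Added example (not from the thread): record evidence about the two paths
# named in the post before anything is deleted.
# Run from an elevated 64-bit PowerShell prompt; a 32-bit session redirects
# System32 to SysWOW64 and would look in the wrong folder.
$suspects = @(
    'C:\Windows\System32\msh.exe',
    'C:\Windows\System32\msn.exe'
)

$report = foreach ($path in $suspects) {
    # Same property set for every row so the CSV columns stay aligned,
    # including rows for files that are already gone.
    $row = [ordered]@{
        Path = $path; Present = $false; SHA256 = $null; SizeBytes = $null
        CreatedUtc = $null; ModifiedUtc = $null
        SignatureStatus = $null; Signer = $null; CompanyName = $null
    }
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $item = Get-Item -LiteralPath $path -Force   # -Force: include hidden/system files
        $sig  = Get-AuthenticodeSignature -LiteralPath $path
        $row.Present         = $true
        $row.SHA256          = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $row.SizeBytes       = $item.Length
        $row.CreatedUtc      = $item.CreationTimeUtc
        $row.ModifiedUtc     = $item.LastWriteTimeUtc
        $row.SignatureStatus = $sig.Status            # Valid, NotSigned, HashMismatch, ...
        $row.Signer          = $sig.SignerCertificate.Subject
        $row.CompanyName     = $item.VersionInfo.CompanyName
    }
    [pscustomobject]$row
}

$report | Format-List

# Assumed output location: keep a copy to attach alongside the other logs.
$report | Export-Csv -Path "$env:USERPROFILE\Desktop\suspect-files.csv" -NoTypeInformation
```

The SHA-256 value can be pasted into the VirusTotal search box to see whether the file has already been analysed, and a row with `Present = False` documents that the file was gone before the delete command was tried.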


I have tried to follow your instructions, but the file you mention, msh.exe, is not available in my system anymore, so I cannot delete it with CMD and cannot upload it on VirusTotal.

Is there anything else I can do?

Link to post
Share on other sites

Ok. I'll guide you on tools cleanup on next round.

Now, just as safety checks, 2 scans that will not take a lot of time.

1. Do a new scan with Malwarebytes for Windows.

2. Do a scan with Microsoft Safety Scanner.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

Select "QUICK " scan from scan Options.

Let me know the result of this.

The log is named MSERT.log  

the log will be at  

C:\Windows\debug\msert.log

Please attach that log with your reply.

Link to post
Share on other sites

Thanks. That's better.

New readout please. 

FRST64 is on your desktop.

 

Right-click on FRST64.exe and select Run as Administrator to start the tool , and reply YES to allow it to proceed and run.

 

  • Windows 10 users will be prompted about Windows *SmartScreen protection* - click line More info information on that screen and click button Run anyway on next screen.
  • Click YES when prompted by Windows UAC prompt to allow it to run.
  • Note: If you are prompted by Windows SmartScreen, click More info & followup & choose Run anyway.

 

Approve the Windows UAC prompt on Windows Vista and newer operating systems by clicking on Continue or Yes. 

 

Click Yes when the *disclaimer* appears in FRST.

The tool may want to update itself - in that case you'll be prompted when the update is completed and ready to use.

 

Make sure that Addition options is *checked* - the configuration should look exactly like on the screen below (do not mark additional things unless asked).

Press Scan button and wait.

 

The tool will produce 2 logfiles on your desktop: FRST.txt , Addition.txt 

Click OK button when it shows up. Close the Notepad windows when they show on screen. The tool saves the files.

 

Please attach these 2 files to your next reply.

Thank you.

Link to post
Share on other sites

  • Solution

I have a new script for you to run.

It should not take a whole lot of time.

It will search for a potential malicious msn.exe

If found it should remove it.

It will Enable MS Microsoft Defender.

It will run Windows System File Checker.

.

Please first the old Fixlist.txt on desktop.

The new script Fixlist.txt needs to be saved to the same folder that contains FRST64.exe / you have yours saved on desktop.

 

The custom script on this post is ONLY for this machine and NO other.   

 

Please be sure to Close any open work files, documents, any apps you started yourself before starting this.

 

The system will be rebooted after the script has run.

 

Please save the (attached file named) FIXLIST.txt to the DESKTOP folder

Fixlist.txt

 

Start the Windows Explorer and then go to the DESKTOP folder.

 

  • RIGHT click on FRST64.exe and select RUN as Administrator and allow it to proceed. Reply YES when prompted to allow to run the tool. If the tool warns you the version is outdated, please download and run the updated version.

IF Windows prompts you about running this, select YES to allow it to proceed.

 

  • on the FRST window:

Click the Fix button just once, and wait.

The tool will complete its run after restart.

When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

 

Please attach the FIXLOG.txt with your next reply later, at your next opportunity .

 

I will review your log after you send it.   I will likely guide you to doing a scan with MS Defender.

Link to post
Share on other sites

Bravo. Thank you.

This run squashed the other pest.

Your system should be in much better state.

I would recommend that you do a Scan with Microsoft Defender.

A quick scan would be ok.

Use guide at Tenforums 

https://www.tenforums.com/tutorials/84796-how-scan-windows-defender-antivirus-windows-10-a.html

Link to post
Share on other sites
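
The solution post says its script re-enables Microsoft Defender, and the last post recommends a quick scan. As an added example (not part of the thread, and an alternative to the GUI steps in the linked guide), the PowerShell below confirms that Defender protection is actually on, runs the quick scan, and lists recent detections. The one-day look-back window is an assumption.

```powershell
# Added example (not from the thread): verify Defender is active after the
# cleanup, then run the recommended quick scan. Use an elevated prompt.
$status = Get-MpComputerStatus
$status | Select-Object AMServiceEnabled, AntivirusEnabled, RealTimeProtectionEnabled,
    IsTamperProtected, AntivirusSignatureLastUpdated | Format-List

if (-not ($status.AntivirusEnabled -and $status.RealTimeProtectionEnabled)) {
    # A hijacker that disabled Defender may have left it off.
    Write-Warning 'Defender protection is not fully enabled; resolve this before trusting a clean scan.'
}

Update-MpSignature                  # pull current definitions first
Start-MpScan -ScanType QuickScan    # returns when the scan has finished

# Assumed look-back window: detections first seen in the last day.
$since = (Get-Date).AddDays(-1)
$recent = Get-MpThreatDetection |
    Where-Object { $_.InitialDetectionTime -ge $since } |
    ForEach-Object {
        $threat = Get-MpThreat -ThreatID $_.ThreatID -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Detected   = $_.InitialDetectionTime
            ThreatName = $threat.ThreatName
            Resources  = ($_.Resources -join '; ')
            Remediated = $_.ActionSuccess
        }
    }

if ($recent) {
    $recent | Format-List
} else {
    'No Defender detections recorded in the look-back window.'
}
```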
