Clipboard hijacked : Binance Smart Chain address copy paste problem

[Doom75]

Hi

I am using window 10 Pro and Kaspersky Total Security 2021. Whenever I try to copy my BSC address and paste it. Another address gets pasted. this problem does not occur systematically, it is very random, sometimes the copy and paste works normally sometimes not.

I tried to fix it by using Malwarebytes, AdwCleaner and Farbar Recovery Scan Tool.
Results are attached below :

Thank you for your help.

Addition.txt AdwCleaner[C14].txt FRST.txt Malwarebytes.txt

[Maurice Naggar]

Hello @Doom75    

Thanks for the reports. Be sure that you have done one Windows Restart since running Adwcleaner.  it needs that to finish its cleanup.

I will make a new reply soon, for the next action.

[Maurice Naggar]

Hello @Doom75

We will use FRST64.exe  on  C:\Users\Victor\Desktop\Clipboard hijacked  folder to run a custom script.    The system will be rebooted after the script has run.

This custom script is for  Doom75  only / for this machine only.

This custom script has some specific things, plus some general aspect to help the system overall.

NOTE-1:  This script will  run a scan using System File Checker to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files.   It will also run the Windows DISM tool to check the system.

NOTE-2:  It will help the issue at hand of the clipboard.

Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

 
If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.

Please save the (attached file named) FIXLIST.txt   to the  C:\Users\Victor\Desktop\Clipboard hijacked  folder   

Fixlist.txt

Start the Windows Explorer and then, to the C:\Users\Victor\Desktop\Clipboard hijacked   folder.

RIGHT click on  FRST64.exe    and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run.
  to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

IF you get a block message from Windows about this tool......
click line More info information on that screen
and click button Run anyway on next screen.

on the FRST window:
Click the Fix button just once, and wait.

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. 
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity   

Please know this will do a Windows Restart.   Just let it do its run.

[Doom75]

Hi Maurice Naggar,

I have followed all the instructions you advised me to follow.

I have attached the requested file.

 

Thank you for your time and your help.

Fixlog.txt

[Maurice Naggar]

Thank you.  The Windows System File Checker ( SFC ) and DISM found no issues.

Please let me know, how is the situation vis-a-vis the original issue-at-hand ?

[Doom75]

Very well, I will test the copy and paste of BSC type address to see if the malware has disappeared, I will do this over several days, I'll keep you informed. Thanks

[Maurice Naggar]

👍

[Maurice Naggar]

I am glad to have worked with you. We can call this case a wrap.   😄

We can proceed with cleanup of tools we used.

To remove the FRST64 tool & its work files, do this. Go to your C:\Users\Victor\Desktop\Clipboard hijacked folder. Do a RIGHT-click on FRST64.exe & select RENAME & then change it to

UNINSTALL.exe

.
Then run that ( double click on it) to begin the cleanup process.

Any other download file I had you download, you may delete. I wish you all the best. Stay safe.
Consider using PatchMyPC, keep all your software up-to-date - https://patchmypc.com/home-updater#download

Sincerely.    😎

Maurice

[Maurice Naggar]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy Tips to help protect from infection

Thank you

 

 

[Maurice Naggar]

Topic has been reopened per request.

Thanks

 

[Maurice Naggar]

Hello.  Sorry to learn that the issue has re-appeared.

Start by first running a new Scan with Malwarebytes for Windows.

Next, do a new run of Farbar FRST report tool.

Attach a copy of the Latest Malwarebytes scan report.   Also attach the FRST.txt  +  Addition.txt so that I can review all.

[Doom75]

Hi Maurice,

I have put all the required files as attachments. I don't know if there is a cause and effect link but it's just after installing linux and ubuntu via wsl2 and python that the problem reappeared.

ubuntu can be found here \\wsl$\Ubuntu-20.04

I followed these instructions to install ubuntu https://docs.microsoft.com/en-us/windows/wsl/install-manual

Thank you for your help.

Addition.txt AdwCleaner[S15].txt FRST.txt Malwarebytes.txt Malwarebytes2.txt

[Maurice Naggar]

I'll review these and get back with you.  But I am also wanting to know, if by any chance, has a game cracking plugin been downloaded and installed recently ?  or even any program software hack ?

also

[ 2   ]

Please  set File Explorer to SHOW ALL folders, all files, including Hidden ones.  Use OPTION ONE or TWO of this article

https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

[   3   ]

There is a search tool that we will use to look for certain types of script or batch files..
Please download SystemLook (64-bit) by jpshortstuff and save it to your desktop 

Right-click SystemLook_x64.exe and select Run as Administrator to start the tool. 
If prompted by Windows  UAC, please allow it  to run.
If you receive an "Open file - security warning"... asking "Do you want to run this file?", press the Run button.

COPY & paste the entire text into the main text box of SystemLook: 
 

:filefind
.bat
.vbs
.ps1

 

Click the Look button to start the scan 
When finished, a notepad window will open with the results of the scan. 
A file will be created (on the same folder where you saved SystemLook with the results of the scan, named SystemLook.txt
Please attach  this log in your next reply. 

[Doom75]

No I haven't downloaded any warez software recently and I didn't find any in my folders.

Recently I have just downloaded Rust, Subtrate and a git file :

sudo apt install -y git clang curl libssl-dev llvm libudev-dev
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
curl https://getsubstrate.io -sSf | bash -s -- --fast
cargo install --force subkey --git https://github.com/paritytech/substrate --locked
git clone https://github.com/capsule-corp-ternoa/chain.git

I have attached the results of Systemlook. Thanks

SystemLook.txt

[Maurice Naggar]

Lets try this as a next step.

In the Windows 10 search box, type in

remote desktop

on the result list, look for Remote Desktop application app
and click on "Run as Administrator"

Click on Yes when prompted
on the following window, look at bottom right-side & click on "Show Options"

Next click on the tab "Local Resources"
and un- tick  the check box for Clipboard

Apply the adjustment & close that window.

[Doom75]

Done, the box was already unchecked.

[Maurice Naggar]

Hello.

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on Scan Options & select QUICK scan.

Then start the scan. Have  patience. 

• Once you see it has started, take a long  break;  walk away.  Do not pay credence if you see some intermediate early flash messages on screen display.  The only things that count are the End result at the end of the run.

 

Let me know the result of this.    

The log is named MSERT.log  

the log will be at  

Windows\debug\msert.log

Please attach that log with your reply.

[Maurice Naggar]

One other additional suggestion.   This system runs on Windows 10 PRO  and if you do not need or use Remote Desktop,  you can turn that off.
https://www.tenforums.com/tutorials/92433-enable-disable-remote-desktop-connections-windows-10-pc.html

[Doom75]

Hello,

I just used Microsoft Safety Scanner, the generated file is attached.

Thanks

msert.log

[Maurice Naggar]

That is very good. MS Safety scanner reports no infection.   Please see my preceding reply to turn off Remote Desktop.

[Doom75]

I have disabled Remote Desktop Connections

[Maurice Naggar]

Good.  Now as we go along, always tell me with each reply, if the "hijack" is still present.  I will be leading you thru a series of other scans.

Let's do one scan with Malwarebytes Adwcleaner to check for adwares. Just before pressing that "scan" button, be sure that Chrome & Edge, or other web browser are Closed.

It will not take much time,

First download & save it

https://support.malwarebytes.com/hc/en-us/articles/360038520054-Download-and-install-Malwarebytes-AdwCleaner

Then be sure to close all web browsers.

Then go to where the EXE file is saved. Start Adwcleaner.  Then do a scan with Adwcleaner

https://support.malwarebytes.com/hc/en-us/articles/360038520114-Malwarebytes-AdwCleaner-scan-and-clean

Attach the clean log.

[Doom75]

That's done,

Apparently the hjack doesn't seem to be active anymore, copying and pasting my BSC address works for the moment.

AdwCleaner[S16].txt

[Maurice Naggar]

Excellent.  Thank you.    👍

Next I would suggest to insure to Update Malwarebytes & then do a new special scan with it.

Do a Check for Update using the Malwarebytes Settings >> General tab.

See this Support Guide https://support.malwarebytes.com/hc/en-us/articles/360042187934-Check-for-updates-in-Malwarebytes-for-Windows

When it shows a new version available, Accept it and let it proceed forward.  Be sure it succeeds.

If prompted to do a Restart, just please follow all directions.

Let me know how that goes.    Next, the Malwarebytes scan.

Then click the Security tab.  Scroll down and lets be sure the line in SCAN OPTIONs for 

"Scan for rootkits" is ON 👈   Click it to get it ON if it does not show a blue-color .

 

Next, click the small x on the Settings line to go to the main Malwarebytes Window.   Next click the blue button marked Scan.

 

When the scan phase is done, be real sure you Review and have all detected lines items check-marked on each line on the left. That too is very critical.

>>>>>>      👉      You can actually click the topmost left  check-box  on the very top line to get ALL lines  ticked   ( all selected).         <<<<     💢

 

Please double verify you have that TOP  check-box tick marked.   and that then, all lines have a tick-mark

 

Then click on Quarantine  button.

 

Then, locate the Scan run report;  export out a copy;  & then attach in with your  reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

😉

[Doom75]

Done, the file is attached.😉

 

 

Malwarebytes3.txt