BTC Address copy/paste virus

[Hannahx]

Hello, whenever I try to copy my BTC/BNB address it pastes a wrong one.

 

Addition.txt FRST.txt

[Maurice Naggar]

Hello.         @Hannahx

My name is Maurice.  I will guide you.  Let me know what name you prefer to go by. 

I will guide you along on looking for potential malware. Lets keep these principles as we go along.

• Removing malware can be unpredictable
• ...things can go very wrong!
• Backup
• any files that cannot be replaced. You can copy them to a CD/DVD, external drive or a USB-storage drive or flash/thumb drive
• Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
• Only run the tools I guide you to.
• Do not run online games while case is on-going. Do not do any free-wheeling web-surfing.
• The removal of malware isn't instantaneous, please be patient.
• Please stick with me until I give you the "all clear".

Your topic will be closed if you haven't replied within 4 days!
If I have not replied to your last post after 36 hours, please then send me a P M.

This will be a check with ESET Onlinescanner for viruses, other malware, adwares, & potentially unwanted applications.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

 

It will start a download of "esetonlinescanner.exe"

• Save the file to your system, such as the Downloads folder, or else to the Desktop.
• Go to the saved file, and double click it to get it started.

 

• When presented with the initial ESET options, click on "Computer Scan".
• Next, when prompted by Windows, allow it to start by clicking Yes
• When prompted for scan type, Click on Full scan

Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on Start scan button.

• Have patience. The entire process may take an hour or more. There is an initial update download.

There is a progress window display. You may step away from machine &. Let it be.

• At screen "Detections occured and resolved" click on blue button "View detected results"
• On next screen, at lower left, click on blue "Save scan log"
• View where file is to be saved. Provide a meaningful name for the "File name:"
• On last screen, set to Off (left) the option for Periodic scanning
• Click "save and continue"
• Please attach the report file so I can review

[Hannahx]

Thank you for your quick response.

I did the scan and here is the file report.

scanlog01.txt

[Maurice Naggar]

Thank you. The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on Scan Options & select  CUSTOM scan  & then select the C drive to be scanned.

Then start the scan. Have lots of patience. Once you start the scan & you see it started, then leave it be.  

• Once you see it has started, take a long long break;  walk away.  Do not pay credence if you see some intermediate early flash messages on screen display.  The only things that count are the End result at the end of the run.
• Again, any on-screen display about repeat 'infection' is not to be relied on.  Ignore those.
• We only rely on the end result that is on the log-report-file.

 

This is likely to run for many hours   ( depending on number of files on your machine & the speed of hardware.)

The log is named MSERT.log  

the log will be at  

Windows\debug\msert.log

Please attach that log with your reply. We will do more later.

[Hannahx]

The result of the msert scan is heremsert.log

[Maurice Naggar]

Thank you. Do a new scan with Malwarebytes for Windows.

Do a Check for Update using the Malwarebytes Settings >> General tab.

See this Support Guide https://support.malwarebytes.com/hc/en-us/articles/360042187934-Check-for-updates-in-Malwarebytes-for-Windows

When it shows a new version available, Accept it and let it proceed forward.  Be sure it succeeds.

If prompted to do a Restart, just please follow all directions.

Let me know how that goes.    Next, the Malwarebytes scan.

Then click the Security tab.  Scroll down and lets be sure the line in SCAN OPTIONs for

"Scan for rootkits" is ON 👈   Click it to get it ON if it does not show a blue-color .

 

Next, click the small x on the Settings line to go to the main Malwarebytes Window.   Next click the blue button marked Scan.

 

When the scan phase is done, be real sure you Review and have all detected lines items check-marked on each line on the left. That too is very critical.

>>>>>>      👉      You can actually click the topmost left  check-box  on the very top line to get ALL lines  ticked   ( all selected).         <<<<     💢

 

Please double verify you have that TOP  check-box tick marked.   and that then, all lines have a tick-mark

 

Then click on Quarantine  button.

 

Then, locate the Scan run report;  export out a copy;  & then attach in with your  reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4

[Hannahx]

There was no update and im doing the scan now.

After restarting my Computer I got the log file.

malwarebytes.txt

[Hannahx]

Nothing changed so far, I still copy paste the wrong adresses.

[Maurice Naggar]

Tell me exactly, are you using a specific browser as part of that ?  if yes, which specifc browser?

I I R C  I had a case once where there was a bad file extension on the browser.

[Hannahx]

I am using Google Chrome

[Maurice Naggar]

Please first Delete Cache for the Chrome browser.  Then Close it.  and as a test, use the EDGE browser instead.  Let me know if that one 'works' normal.

[Hannahx]

Still the same issue, it happens everywhere not just in my browser. As soon as it recognizes a wallet or mining address in my copy/paste it changes to some scam address.

[Maurice Naggar]

Hello. Next, a custom script to do  checks & selected  cleanups. 

We will use FRST64.exe  on the Desktop\FRST to run a custom script.    The system will be rebooted after the script has run.

This custom script is for  HANNAHX  only / for this machine only.

 

This custom script has some specific things, plus some general aspect to help the system overall.  Hoping it will not exceed 60 minutes in execute time.

NOTE-1:  This script will  run a scan using System File Checker to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. .  It will run the Windows DISM tool to check the system.  It will rebuild the Winsock.   It will attempt a quick scan with Microsoft Defender.

NOTE-2: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications will be automatically closed. 

The following directories are emptied:

• Windows Temp
• Users Temp folders
• Edge, IE, FF, Chrome,  and Opera  & BRAVE caches, HTML5 storages, Cookies and History
• Recently opened files cache
• Flash Player cache
• Java cache
• Steam HTML cache
• Explorer thumbnail and icon cache
• Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

•  
• Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this.

 

• If there are any CD / DVD / or USB-flash-thumb or USB-storage drives attached,  please disconnect any of those.
• Please save the (attached file named) FIXLIST.txt   to the   Desktop\FRST   folder

Fixlist.txt              <<< - - - - -

Then, Start the Windows Explorer and then, go  to the Desktop\FRST    folder.

RIGHT click on FRST64.exe    and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run.
  to run the tool. If the tool warns you the version is outdated, please download and run the updated version.
IF Windows prompts you about running this, select YES to allow it to proceed.

• IF you get a block message from Windows about this tool......

               click line More info information on that screen
               and click button Run anyway on next screen.

• on the FRST window:

Click the Fix button just once, and wait.

 

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. 
If you receive a message that a reboot is required, please make sure you allow it to restart normally.
The tool will complete its run after restart.
When finished, the tool will make a log ( Fixlog.txt) in the same location from where it was run.

Please attach the FIXLOG.txt with your next reply later, at your next opportunity.  This here is not a one-shot-cure-all.  There will be more to do later. 

[Hannahx]

Thank you so much!!! The issue was fixed and here is the log.

Fixlog.txt

[Maurice Naggar]

YAY. Bravo. I need you to do one adjustment. This is just to insure that MS Defender is all ON. 

Start Malwarebytes. Click Settings ( gear ) icon. Next, lets make real sure that Malwarebytes does NOT register with Windows Security Center

Click the Security Tab. Scroll down to

"Windows Security Center"

Click the selection to the left  for the line "Always register Malwarebytes in the Windows Security Center".
{ We want that to be set as Off   .... be sure that line's  radio-button selection is all the way to the Left.  thanks. }

This will not affect any real-time protection of the Malwarebytes for Windows    😃.

Close Malwarebytes.

>

Do a on-demand run with Microsoft Defender  and do a Quick scan.

From the Start menu, select Settings, then select Update and Security.

Next, look at the left-side menu & select Windows Security

Next, In Windows Security section: Click on the grey button Open Windows Security

Now, click on the shield Virus and threat protection

On the next display, look at all the options.  Look down the list and see "Check for Updates" .

You should click on that to have the system check for updates for Windows Defender.  Watch & wait for that to complete.

Please also note that the Scan options (all) can be displayed by clicking on Scan options.
Do a QUICK scan.
Let me know the end result of what the Microsoft Defender reports.

[Hannahx]

[Maurice Naggar]

Excellent   

Thank you.   This next is just a report to check on some Windows services  

Download   Farbar's Service Scanner utility

and Save to your Desktop.

Right-Click on fss.exe and select Run As Administrator.

Answer Yes to ok when prompted.

If your firewall then puts out a prompt, again, allow it to run.

Once FSS is on-screen, be sure the following items are check-marked:

• Internet Services
  Windows Firewall
  System Restore
  Security Center/Action Center
  Windows Update
  Windows Defender
  Other services

  

Click on "Scan".

It will create a log (FSS.txt) in the same directory the tool is run.   Please attach that file. 

[    2    ]

I would recommend getting a readout report as to update status of some key apps.

• Download SecurityCheck by glax24 from here  https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe

 

• and save the tool on the desktop.
• If Windows's  SmartScreen block that with a message-window, then
• Click on the MORE INFO spot and over-ride that and allow it to proceed.

                               This tool is safe.   Smartscreen is overly sensitive.

Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"   and reply YES to allow to run & go forward
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file.  Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

[Hannahx]

Here is the log file.

FSS.txt

[Maurice Naggar]

Hi. The FSS report is very good. Could you please run the 2nd tool, SecurityCheck so I can then review.  Sincerely. 😉

[Hannahx]

Here's the Security Check.

SecurityCheck.txt

[Maurice Naggar]

The Microsoft Defender antivirus services are running. That is excellent.
As to the rest of the SecurityCheck report: there are 3 apps that should be updated. and there are 4 notes of caution.
Notepad++ (64-bit x64) v.8.2.1 Warning! Download Update

------------------------------ [ ArchAndFM ] ------------------------------
WinRAR 6.10 beta 3 (64-bit) v.6.10.3  Warning! Download Update

-------------------------- [ IMAndCollaborate ] ---------------------------
Discord v.1.0.9003  Warning! Download Update

--------------------------------- [ P2P ] ---------------------------------
µTorrent v.3.5.5.46206  Warning! Ad-supported P2P-client.

---------------------------- [ UnwantedApps ] -----------------------------
CCleaner v.5.90  Warning! Suspected demo version of anti-spyware, driver updater or optimizer. If this program is not familiar to you it is recommended to uninstall it 

Bonjour v.3.1.0.1  Warning! Application is distributed through the partnership programs and bundle assemblies. Uninstallation recommended. 

JDownloader 2 v.2.0  Warning! Suspected Adware! If this program is not familiar to you it is recommended to uninstall

NEXT

This is where I relay to you the all clear. You have done well. And you kept up the pace & followed advice very well. Kudos.

What follows is just a tools cleanup. 

Please download KpRm by kernel-panik and save it to your desktop.

• right-click kprm_(version).exe and select Run as Administrator.
• Read and accept the disclaimer.
• When the tool opens, ensure all boxes under Actions are checked.
• Under Delete Quarantines select Delete Now, then click Run.
• Once complete, click OK.
• A log will open in Notepad titled kprm-(date).txt.
• You may attach that file to your next reply. (not compulsory)

Do let me know if you need other help at this point.  But as far as original issue, we are done.

😉 

[Maurice Naggar]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this topic with your request.

This applies only to the originator of this thread. Other members who need assistance please start your own topic in a new thread.

Please review the following to help you better protect your computer and privacy Tips to help protect from infection

Thank you