Trojan bitcoin address changer that keeps instalilng itself into Chrome

[Thedoctor1]

Hello,

I discovered I had this Trojan a couple weeks ago now. I had no idea untill I requested a couple payouts from a BTC casino. The payouts would normally end up in my Exodus wallet but this time they never went in. I called the casino out for fraud. But they claimed they had nothing to do with it. I signed up with a totally different bitcoin casino a week later. And the same thing happened. This made me wonder and do a Malwarebytes scan. Turns out i got some sort of trojan that keeps changing btc addresses into ones that are owned by the creators of the trojan. It does it so sneeky you don't even see it happen when you re-check your input btc address, the thing changes it in like one 10th of a second once you click on send so you don't even notice it happening.

I have found out that the trojan installs itself into a folder called Extension C:\Users\The Doctor\AppData\Local\Google\Chrome\User Data\Default\Extension

There is a folder called Extensions that looks a lot like it but seems to be legit and has an extra S at the end.

I also notice each time the trojan reinstalls there is about a kwarter of my screen blue screened box popping up. It shows for not even half a second and there is no time to read or see anything in it. I suspect this is the virus file that's hidden somewhere installing itself every time.

I've set my default browser to Firefox now and it does not install to that sofar. Yet I do not feel safe knowing this software keeps triggering itself and reinstalling into chrome. Malwarebytes sofar was the only software able to find it every time. Hitmanpro did not even see it nor anything else. Eset is my main antivirus that also never sees it when I scan. Adaware found nothing. Superantispyware found nothing. Spybot search and destroy found nothing. So I'm very close now to just reinstalling windows.

I hope somebody can tell me how to get rid of this thing and hunt down the source file that keeps reinstalling.

I have included a zip file containing the malwarebytes log file and the virus files that it has put into the extension folder perhaps someone can filter out what it is.

 

The btc changer.rar

[David H. Lipman]

Thank You

Please reference the following on how to provide sample submissions such that Malwarebytes' Anti-Malware (MBAM) can detect targeted but presently undetected threats in the form of disk files.

Malware Hunters group
Purpose of this forum

This being a Browser Extension, it does not contain  files that MBAM targets via Signatures and it contains several Javascripts.  Based upon the above, instead of sending each script to Virus Total for a report, I have sent the RAR to get a an overarching report of the browser extension.

https://www.virustotal.com/gui/file/928d139c805bc24938f84b04b13c95e8a977a3500f8e8ebc8eba44801357d482/detection

 

[AdvancedSetup]

Hello  and        @Thedoctor1

 

My screen name is AdvancedSetup and I will assist you with your system issues.
 

Let's keep these principles as we proceed. Make sure to read the entire post below first.

• Please follow all steps in the provided order and post back all requested logs
• Please attach all log files to your post, unless otherwise requested
• Temporarily disable your antivirus or other security software first. Make sure to turn it back on once the scans have been completed.
• Temporarily disable Microsoft SmartScreen to download the software below if needed. Make sure to turn it back on once the scans are completed.
• Searching, detecting, and removing malware isn't instantaneous and there is no guarantee to repair every system.
• Before we start, please make sure that you have an external backup, not connected to this system, of all private data.
• Do not run online games while the case is ongoing. Do not do any free-wheeling or risky web-surfing.
• Only run the tools I guide you to use. Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
• Cracked, Hacked, or Pirated programs are not only illegal but also can make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryption. It is at times also a big source of current Trojan infections. If there are any on the system you should uninstall them before we proceed.
• Please be patient and stick with me until I give you the "all clear". We don't want to waste your time, please don't waste ours.
• If your system is running Discord, please be sure to Exit it while this case is ongoing.

 

To begin, please do the following

 

Please run the following steps and post back the logs as an attachment when ready.
Temporarily disable your antivirus or other security software first. Make sure to turn it back on once the scans are completed.
Temporarily disable Microsoft SmartScreen to download software below if needed. Make sure to turn it back on once the scans are completed.
If you still have trouble downloading the software please click on Reveal Hidden Contents below for examples of how to allow the download.
 

Spoiler

 

 

 

 

Spoiler

When downloading with some browsers you may see a different style of screens that may block FRST from downloading. The program is safe and used hundreds of times a week by many users.

Example of Microsoft Edge blocking the download

 

STEP 01

• If you already have Malwarebytes installed then open Malwarebytes and click on the Scan button. It will automatically check for updates and run a Threat Scan.
• If you don't have Malwarebytes installed yet please download it from here and install it.
• Once installed then open Malwarebytes and select Scan and let it run.
• Once the scan is completed make sure you have it quarantine any detections it finds.
• If no detections were found click on the Save results drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
• If there were detections then once the quarantine has completed click on the View report button, Then click the Export drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
• If the computer restarted to quarantine you can access the logs from the Detection History, then the History tab. Highlight the most recent scan and double-click to open it. Then click the Export drop-down, then the Export to TXT  button, and save the file as a Text file to your desktop or other location you can find and attach that log on your next reply.
• If Malwarebytes won't run then please skip to the next step and let me know in your next reply that the scanner would not run.

STEP 02

Please download AdwCleaner by Malwarebytes and save the file to your Desktop.

• Double-click to run the program
• Accept the End User License Agreement.
• Wait until the database is updated.
• Click Scan Now.
• When finished, if items are found please click Quarantine.
• Your PC should reboot now if any items were found.
• After reboot, a log file will be opened. Attach or Copy its content into your next reply.

RESTART THE COMPUTER Before running Step 3

STEP 03
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

• Double-click to run it. When the tool opens, click Yes to disclaimer.
• Press the Scan button.
• It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
• The first time the tool is run, it also makes another log (Addition.txt). If you've, run the tool before you need to place a check mark here each time
• Please attach the Additions.txt log to your reply as well.
• On your next reply, you should be attaching frst.txt and additions.txt to your post, every time.

 

Thanks

[Thedoctor1]

I followed all the steps as told above and posted the txt files below.

Addition.txt AdwCleaner log.txt FRST.txt malwarebytes scan after quarant items.txt

[AdvancedSetup]

Thank you for the logs. @Thedoctor1

 

Your DNS Servers: 192.168.1.254

Please consider changing your default DNS Server settings. Please choose one provider only

DNS is what lets users connect to websites using domain names instead of IP addresses

• Google Public DNS: IPv4   8.8.8.8 and 8.8.4.4   IPv6   2001:4860:4860::8888 and 2001:4860:4860::8844
• Cloudflare: IPv4   1.1.1.1 and 1.0.0.1   IPv6   2606:4700:4700::1111 and 2606:4700:4700::1001
• OpenDNS: IPv4   208.67.222.222 and 208.67.220.220  IPv6  2620:119:35::35 and 2620:119:53::53
• DNSWATCH: IPv4   84.200.69.80 and 84.200.70.40   IPv6  2001:1608:10:25::1c04:b12f and 2001:1608:10:25::9249:d69b

The Ultimate Guide to Changing Your DNS Server
https://www.howtogeek.com/167533/the-ultimate-guide-to-changing-your-dns-server/

Here is a YouTube video on Changing DNS settings if needed

 

 

Please run the following fix below. This will be a 2 part fix script.

Temporarily disable your real-time protection from ESET / NOD32 before running the script.

Once the fix has been completed, please attach the file FIXLIST.TXT to your next reply.

 

Save the attached file FIXLIST.TXT to the same location as the Farbar scanner program. C:\Users\The Doctor\Downloads\

Then run the program with admin rights:  C:\Users\The Doctor\Downloads\FRST64.exe

Then click on the FIX button and let it run.

fixlist.txt

 

After the restart attach the FIXLOG.TXT file to your next reply and we'll move on from there.

 

 

 

[Thedoctor1]

Ehm I think it made this file after I ran the steps above...

 

 

Fixlog.txt

[Thedoctor1]

I also changed my dns to Cloudflare Dns just now.

[AdvancedSetup]

Thank you for the log @Thedoctor1

That was a pretty good run. Let me have you run the following please.

 

 

Let me have you run a different scanner to double-check. I don't expect it to find anything, but no harm in checking.

I would suggest a free scan with the ESET Online Scanner

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

• It will start a download of "esetonlinescanner.exe"
• Save the file to your system, such as the Downloads folder, or else to the Desktop.
• Go to the saved file, and double click it to get it started. 
• When presented with the initial ESET options, click on "Computer Scan".
• Next, when prompted by Windows, allow it to start by clicking Yes 
• When prompted for scan type, Click on Full scan 
• Look at & tick  ( select )   the radio selection "Enable ESET to detect and quarantine potentially unwanted applications"   and click on the Start scan button.
• Have patience.  The entire process may take an hour or more. There is an initial update download.
• There is a progress window display.
• You should ignore all prompts to get the ESET antivirus software program.   ( e.g. their standard program).   You do not need to buy or get or install anything else.
• When the scan is completed, if something was found, it will show a screen with the number of detected items.  If so, click the button marked “View detected results”.
• Click The blue “Save scan log” to save the log.
• If something was removed and you know it is a false finding, you may click on the blue ”Restore cleaned files”  ( in blue, at the bottom).
• Press Continue when all done.  You should click to off the offer for “periodic scanning”.

 

Note: If you do need to do a File Restore from ESET please follow the directions below

[KB2915] Restore files quarantined by the ESET Online Scanner version 3

https://support.eset.com/en/kb2915-restore-files-quarantined-by-the-eset-online-scanner

 

[Thedoctor1]

Quick update in between the Eset scanner tool is running right now, however I don't understand how that will find anything that the paid for Eset internet security I have on my computer could not find ? It's one of the few softwares I actualy paid for ;)

I have also had my computer on for almost the entire day. Normaly the trojan would have at least installed itself like 4 times by now but sofar it has not come back yet :) I hope it will not come back tonight also. I think the fix has done it's work but I won't cheer just yet cause you never know with this nasty thing ;)

 

[AdvancedSetup]

I don't believe it's the exact same program as your installed version. We'll see. If the issue is still present there are other scanners we can use.

Thanks @Thedoctor1

 

[Thedoctor1]

Oke It just finished the scan it did not find anytying out of the ordinary it found 5 files of that 2 where double because I also had my external harddisk open and it also scanned that to be safe. The files it found where cracks inside software I've been using for over a year before I got the Trojan. And a DLL file from Wondershare that also did not look suspicious. It also stated the files did not look that risky at the end of the scan. For some reason it never gave an option to save any log for me... I made it put back out of quarantine 3 of the files and let it delete the other 2 patches because I do not even use those other 2 video converters (that had a patch) anyway.

I just did another Malwarebytes scan and it comes up clean same for adwcleaner.. nothing found. Like I said the Trojan would have re-installed itself by now multiple times already... so my guess is that it's gone for now at least.

To be safe I will keep scanning in the upcoming weeks every day just to be sure it's not coming back in some strange way...

Is there anything else you want me to do now ?

 

If it turns out this was the fix is there any way I could support you or malwarebytes for the best help I've received online sofar? I guess by buying the pro version :) Because I feel that is in place since you have done more for me then my paid for Eset has ever done. You could also just drop your BTC address if that is allowed on here ;) but I guess the owners would not be happy if you did that :P

[AdvancedSetup]

Sounds good. Let's go ahead and check some other programs @Thedoctor1

 

SecurityCheck by glax24              

I would like you to run a tool named SecurityCheck to inquire about the current security update status of some applications.

• Download SecurityCheck by glax24: https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
• If Microsoft SmartScreen blocks the download, click through to save the file
• This tool is safe.   Smartscreen is overly sensitive.
• If SmartScreen blocks the file from running click on More info and Run anyway
• Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"  and reply YES to allow to run & go forward
• Wait for the scan to finish. It will open a text file named SecurityCheck.txt Close the file.  Attach it with your next reply.
• You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt

 

 

Thank you

 

 

[Thedoctor1]

Hmm strange messages about ccleaner that I believe is safe to use I have been for a long time...

SecurityCheck.txt

[Thedoctor1]

Something else just happened also. I ran a Malwarebytes scan and these 2 items popped up. I quarantained them and deleted them:

Trojan.PowerShell.Generic, C:\WINDOWS\SYSTEM32\92422250-86A1-4ABF-A97C-11B21E04C887.ps1, In quarantaine,

Trojan.PowerShell.Generic, C:\WINDOWS\SYSTEM32\EA3CE147-B573-4986-A7C1-82CE5CFF4B3E.ps1, In quarantaine

 

I believe last week while the other trojan was nesting itself during one scan I also found 2 addings to the system 32 area. I don't know but perhaps the 2 are related. Computer seems clean again now but I will keep scanning.

[AdvancedSetup]

Computer experts no longer recommend the use of CCleaner. It has been sold of many times now and has had issues in the past, etc.
Windows can already do just about anything it does with builtin tools.

 

Adobe Flash Player 32 PPAPI v.32.0.0.465 Warning! This software is no longer supported. Please uninstall it.

NETGATE Registry Cleaner 2020-18.0.840 - please uninstall it

Wondershare Helper Compact 2.6.0 v.2.6.0 - please uninstall it

 

 

Do I need a Windows Registry Cleaner?
https://forums.malwarebytes.org/index.php?showtopic=126481

 

 

 

Please run the following tool to scan for and install updates for your computer

Patch My PC Home Updater
https://patchmypc.com/home-updater

 

 

The log also indicates that Windows is not fully up to date. Please click on START and type in "Check for updates" and allow Windows to scan for and install any updates found.

 

Thanks @Thedoctor1

[Thedoctor1]

Thank you,

I uninstalled the 3 softwares mentioned above. I also removed Ccleaner it was getting on my nerves anyway with all the constant pop ups for buying the software's pro version. Windows was already doing updates after the fix you provided me last time. I had updates turned off I did that again because I am scared at one point it will download some update that is going to stop my computer from working since my version of windows came from the piratebay ;)

I can see in software it has now installed this: https://support.microsoft.com/nl-nl/topic/kb5001716-bijwerken-voor-windows-serviceonderdelen-bijwerken-fb9dd3d3-d702-4f8a-af10-b9551cfa6e13

and a thing called Microsoft update health tools...

I'll just leave those I guess.

 

Pc home updater showed these in green and updated:

.NET Framework 4.8.03752
Atomic Wallet 2.22.0  -  2.22.0
Google Chrome  -  106.0.5249.119
Malwarebytes version 4.5.15.215  -  4.5.15.215
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030
Mozilla Firefox (x64 nl)
Mozilla Thunderbird (x86 nl)
NVIDIA PhysX Systeem Software 9.21.0713
PotPlayer-64 bit  -  220914
qBittorrent 4.4.5
Skype versie 8.89  -  8.89
WinDirStat 1.1.2
WinRAR 6.11 (64-bit)

Color [Green] = Updated Application Installed

It showed these in red so to be outdated:

Everything 1.4.1.1017 (x64)
MPC-HC 1.9.4 (64-bit)
OpenOffice 4.1.7  -  4.17.9800
Resilio Sync  -  2.6.4
TeamSpeak 3 Client  -  3.3.2
VLC media player  -  3.0.16
XMedia Recode 64bit version 3.5.4.5

I ran the software and it installed all the updates. Might I say the way it does this in the background is very creepy, just saying.

[AdvancedSetup]

It's just a fast, easy way to update silently. But it's only doing what you asked it to update with.

At this point you should no longer be having any alerts, blocks, etc. from Malwarebytes or other antivirus about a Bitcoin infection.

How is the computer running now? Any other signs of an infection? @Thedoctor1

 

[Thedoctor1]

The computer seems to be running without any signs of infections now. What I do notice is that my startup speed went from 15/20 seconds to almost a minute and a half now, perhaps that has to do with removing Netgate or the fact it is downloading the windows update and then holding it in memory or something. I don't know but I just go do something else when the pc boots now.

Thank you for the help fixing the infection :)

[AdvancedSetup]

It may have had one or two slow downs for updating but it should not be an ongoing issue. Normally after cleaning most computers run and load faster.

Please run the Farbar scanner again with Admin rights and get me new logs

FRST.TXT
ADDITION.TXT

 

Thank you @Thedoctor1

 

[Thedoctor1]

FRST.txt Addition.txt

[AdvancedSetup]

You have the following driver still not installed.

 

==================== Defecte Apparaatbeheer Apparaten ============

Name: PCI-controller voor ontsleutelen/versleutelen
Description: PCI-controller voor ontsleutelen/versleutelen
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: PCI-apparaat
Description: PCI-apparaat
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: PCI-apparaat
Description: PCI-apparaat
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

Name: PCI-apparaat
Description: PCI-apparaat
Class Guid:
Manufacturer:
Service:
Problem: : The drivers for this device are not installed. (Code 28)
Resolution: To install the drivers for this device, click "Update Driver", which starts the Hardware Update wizard.

 

 

Please DOUBLE-CHECK and verify this is the correct link for your motherboard

https://www.asus.com/us/Motherboards-Components/Motherboards/PRIME/PRIME-X570-P/HelpDesk_Download/

 

 

[Thedoctor1]

Yes it is the right one, but to be honest I am not willing to risk updating stuff like that I know my luck it will break the computer. It is working fine now for me.

[AdvancedSetup]

ROFL

Well, it's not really working well, but that's up to you.

How is the computer running now then?

Any other signs of an infection or issue I can assist you with before we close up here?

 

[Thedoctor1]

It seems to be running like it did when I first installed my windows on it so I'm happy with it. For me the important part was getting rid of the nasty thing stealing my bitcoins :) and that worked. So I thank you again for all the help in fixing that.

[AdvancedSetup]

Great, glad to hear and you're quite welcome for the assistance. @Thedoctor1

 

 

Let's go ahead and do some clean-up work and remove the tools and logs we've run.

Please download KpRm by kernel-panik and save it to your desktop.

• right-click kprm_(version).exe and select Run as Administrator.
• Read and accept the disclaimer.
• When the tool opens, ensure all boxes under Actions are checked.
• Under Delete Quarantines select Delete Now, then click Run.
• Once complete, click OK.
• A log will open in Notepad titled kprm-(date).txt.
• Please attach that file to your next reply. (not compulsory)

 

1. Recommend using a Password Manager for all websites, etc. that require a password. Never use the same password on more than one site.
   https://www.howtogeek.com/240255/password-managers-compared-lastpass-vs-keepass-vs-dashlane-vs-1password/
2. Make sure you're backing up your files https://forums.malwarebytes.com/topic/136226-backup-software/
3. Keep all software up to date - PatchMyPC - https://patchmypc.com/home-updater#download
4. Keep your Operating System up to date and current at all times - https://support.microsoft.com/en-us/windows/windows-update-faq-8a903416-6f45-0718-f5c7-375e92dddeb2
5. Further tips to help protect your computer data and improve your privacy: https://forums.malwarebytes.com/topic/258363-tips-to-help-protect-from-infection/ 
6. Please consider installing the following Content Blockers for your Web browsers if you haven't done so already. This will help improve overall security

Malwarebytes Browser Guard

•   Google Chrome: https://chrome.google.com/webstore/detail/malwarebytes-browser-guar/ihcjicgdanjaechkgeegckofjjedodee
•   Microsoft Edge: https://support.malwarebytes.com/hc/en-us/articles/4413298736787-Install-Malwarebytes-Browser-Guard-on-Microsoft-Edge-browser
•   Mozilla Firefox: https://addons.mozilla.org/en-US/firefox/addon/malwarebytes/

uBlock Origin

• Google Chrome: https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm 
• Microsoft Edge: https://microsoftedge.microsoft.com/addons/detail/ublock-origin/odfafepnkmbhccpbejgmiehpchacaeak 
• Mozilla Firefox: https://addons.mozilla.org/en-US/firefox/addon/ublock-origin

 

Further reading if you like to keep up on the malware threat scene: Malwarebytes Blog  https://blog.malwarebytes.com/

Hopefully, we've been able to assist you with correcting your system issues.

Thank you for using Malwarebytes