Strange happening cutting and pasteing a bitcoin address.

[bob123]

No shit.  WOW!  I've run malwarebytes and norton and it always was clean.

Small corrrection:

Your PC was not compromised with a malware which was known to malwarebytes and norton.
This does not mean that it is/was clean.

AV's only recognize already well known malware or very obvious ones.
It's not that hard to make it undetectable by standard AV engines.

An AV can only confirm that a device is compromised, but not that it is clean.


You should definitely make a backup of your most important files and format your hard drive reinstalling your OS.

[sandy-is-fine]

Hmmm, I see this thread was moved and I got no notice of it.  Anyway, I THINK I found the cause.  I run an Oracle Virtualbox WIN10 VM to use as a (LOL) sandbox for questionable items I find in posts on here before I report them as malware or whatever.  It seems that is what bit me and I believe I know where/when I got it.  Unfortunately (or fortunately) the guy was nuked after I reported his post.

 After I reboot, I no longer have the issue but, so far, as soon as I load the VM it returns.  That's how it looks at the moment, of course I can easily be proven wrong although I have replicated it about 10x so far.  If that is the case it's easy enough to nuke the VM.

[bob123]

Hmmm, I see this thread was moved and I got no notice of it.  Anyway, I THINK I found the cause.  I run an Oracle Virtualbox WIN10 VM to use as a (LOL) sandbox for questionable items I find in posts on here before I report them as malware or whatever.  It seems that is what bit me and I believe I know where/when I got it.  Unfortunately (or fortunately) the guy was nuked after I reported his post.

After I reboot, I no longer have the issue but, so far, as soon as I load the VM it returns.  That's how it looks at the moment, of course I can easily be proven wrong although I have replicated it about 10x so far.  If that is the case it's easy enough to nuke the VM.

So, you had shared clipboard enabled?
If so, this definitely makes sense. If it isn't, nuking the VM does not necessarily mean your problem is solved.

And for the future, you might want to make sure to disable any interfaces such as shared folders, shared clipboard, network interfaces, etc..

[sandy-is-fine]

Hmmm, I see this thread was moved and I got no notice of it.  Anyway, I THINK I found the cause.  I run an Oracle Virtualbox WIN10 VM to use as a (LOL) sandbox for questionable items I find in posts on here before I report them as malware or whatever.  It seems that is what bit me and I believe I know where/when I got it.  Unfortunately (or fortunately) the guy was nuked after I reported his post.

After I reboot, I no longer have the issue but, so far, as soon as I load the VM it returns.  That's how it looks at the moment, of course I can easily be proven wrong although I have replicated it about 10x so far.  If that is the case it's easy enough to nuke the VM.

So, you had shared clipboard enabled?
If so, this definitely makes sense. If it isn't, nuking the VM does not necessarily mean your problem is solved.

And for the future, you might want to make sure to disable any interfaces such as shared folders, shared clipboard, network interfaces, etc..

And I am quite sure THIS download https://bitcointalk.org/index.php?topic=5305039.new#new or one similar to it is where it came from.
https://archive.vn/wip/lIP97

[NotATether]

OK that does it. This is the third instance of someone getting compromised by clipboard malware I read these last two weeks. I'm going to write a Windows utility that nukes anything that replaces a BTC address in the clipboard with another address and use sha1 checksums to whitelist legitimate binaries like browsers and wallets.

[sandy-is-fine]

OK that does it. This is the third instance of someone getting compromised by clipboard malware I read these last two weeks. I'm going to write a Windows utility that nukes anything that replaces a BTC address in the clipboard with another address and use sha1 checksums to whitelist legitimate binaries like browsers and wallets.

PLEASE  !!!!   

[DireWolfM14]

Hmmm, I see this thread was moved and I got no notice of it.  Anyway, I THINK I found the cause.  I run an Oracle Virtualbox WIN10 VM to use as a (LOL) sandbox for questionable items I find in posts on here before I report them as malware or whatever.  It seems that is what bit me and I believe I know where/when I got it.  Unfortunately (or fortunately) the guy was nuked after I reported his post.

After I reboot, I no longer have the issue but, so far, as soon as I load the VM it returns.  That's how it looks at the moment, of course I can easily be proven wrong although I have replicated it about 10x so far.  If that is the case it's easy enough to nuke the VM.

So, you had shared clipboard enabled?
If so, this definitely makes sense. If it isn't, nuking the VM does not necessarily mean your problem is solved.

And for the future, you might want to make sure to disable any interfaces such as shared folders, shared clipboard, network interfaces, etc..

And I am quite sure THIS download https://bitcointalk.org/index.php?topic=5305039.new#new or one similar to it is where it came from.
https://archive.vn/wip/lIP97

Head bob123's warning!  I use VMs for a variety of things myself, mostly so I can test stuff on Ubuntu and MacOS, and I have those linked to my host PC via shared folders and clipboard, but if you are using a VM for investigating potential malware, make sure to keep that VM isolated.

Deleting that VM might work, but unless you're a wizard with the windows registry and can confirm your host PC hasn't been infected I recommend you nuke the whole system and start from scratch.