Clipboard Hijacking

[Lone Shark]

Not sure if this is the right post to put this, if not kindly tell me where.
What happened: I was moving some funds from my bitvest investments to another wallet, the first transaction went through and the other one didn't. Thinking that maybe it was just because the network is clogged I just let it be for a while and go about some other things. Then an hour passed and checked the address, it still didn't have the transaction I was waiting for.

Upon checking, what was pasted was some other address which was similar to my target address. Only that the address I accidentally sent it to was identically only with regard to the first three characters. Good thing the amount is just 0.007BTC.

I figured out that my clipboard was being hijacked when I tried copying my address and pasting it on a text file and compared it. The results were shocking as the trojan kept on hijacking my clipboard and changed all address I copied into a new one with address with identical first three characters. I tried this more than 20 times, all were hijacked.

Prior to this incident, I installed shit loads of antivirus for fears of having these kinds of problems. I did a quick trial and error and found out that my Malwarebytes was the cause of the problem. Admittedly, my antiviruses are all cracked (lesson learned). Sadly, the Malwarebytes I got from IpTorrents were infected by a trojan virus that hijacks the clipboard when copying addresses and changes it to something else.

I incorrectly believed that the address I was sending to was to my target address as I only checked the first few characters and got careless and sent it to the address that came from my hijacked clipboard.

Why I am writing this: Well, just to inform and warn the community so that this doesn't affect anyone else. Also, I'd like to know if anyone has a solution to prevent this from happening. Maybe you have a program that prevents the hijacking of clipboards or some antivirus/antimalware that is catered to bitcoin users.

Update 1: Deleted Malwarebytes but the issue persists. So I guess it wasn't malwarebytes or it was part of the problem. Now, I don't know what to do.

[ImHash]

Check few first digits and few last digits of each address or just check the entire address letter by letter.
You know what is the best and effective way to solve this? reinstall operating system completely.

[Lone Shark]

Check few first digits and few last digits of each address or just check the entire address letter by letter.
You know what is the best and effective way to solve this? reinstall operating system completely.

I am considering it, but it's too much work to reinstall the whole OS. It will be my last resort, if I do still get another hijacking. For now, I'm checking every address I paste over anywhere.

[jaceefrost]

Is this the same thing or same address which hijacked this guys clipboard here: https://bitcointalk.org/index.php?topic=1331120.0 ?

[NeuroticFish]

Get either Kaspersky rescue system, either Avira rescue CD. The names are approximate, but Google will help on them. Kaspersky is better name, but Avira seemed faster in my use.
Burn the iso onto CD, boot from that and disinfect your system. It may be enough.
You can check afterwards if your clipboard still acts strange...

[Lone Shark]

Is this the same thing or same address which hijacked this guys clipboard here: https://bitcointalk.org/index.php?topic=1331120.0 ?

It is not the same. In his thread he said any address he copies becomes this -> 19ZM2pjq6U4jVb283GZkCPNukjeyb2YZ2u
In my case, ever address I copy becomes another but has the same first three characters.

Like this,
From: 19ZM2pjq6U4jVb283GZkCPNukjeyb2YZ2u
It changes to: 19Z2ULGZt7fmRF5Z8LVr9k6J8P7oaMsQbe

Update: Deleted Malwarebytes but the issue persists. So I guess it wasn't malwarebytes or it was part of the problem. Now, I don't know what to do.

[achow101]

First of all, get your antivirus (and software for that matter) from a legitimate source. Warez often contain viruses.

This virus is very well known and has been around for a long time. You can get some other antivirus (the real Malwarebytes usually does a good job of cleaning out malware already on your system) or just format and reinstall your OS.

[miningdude]

Use avast to avoid, viruses like that I've been using that software for long time
(paid verision)

[jaceefrost]

Is this the same thing or same address which hijacked this guys clipboard here: https://bitcointalk.org/index.php?topic=1331120.0 ?

It is not the same. In his thread he said any address he copies becomes this -> 19ZM2pjq6U4jVb283GZkCPNukjeyb2YZ2u
In my case, ever address I copy becomes another but has the same first three characters.

Like this,
From: 19ZM2pjq6U4jVb283GZkCPNukjeyb2YZ2u
It changes to: 19Z2ULGZt7fmRF5Z8LVr9k6J8P7oaMsQbe

Update: Deleted Malwarebytes but the issue persists. So I guess it wasn't malwarebytes or it was part of the problem. Now, I don't know what to do.

I see. Thanks for informing. I though it was the only hijacking address since that's the only one I've come across. I think it's best if you clean your whole computer and reinstall windows or whatever OS you are using. It's best to put some time in fixing it cause you may forgot it one day that theres that hijacking address in your clipboard ad accidentaly send some more money.

[buwaytress]

Dude, that's a new one for me - you sound like you're on Windows so if you don't want the hassle of a reinstall/reboot, I'd use the Restore option first to get myself back to a restore point before all this started.

You might want to check the sites you're using for crypto, starting with bitvest! I won't be surprised if they were the source.

Temporary solution: type the first 3 characters and copy the rest.

Or get new addresses!

P.S. The "scam" address doesn't have any transactions to it, not as you said?

[RodeoX]

Thanks for the warning! Can you tell us what operating system you are using?

[Lone Shark]

Im on Windows 10. So far I don't think it is with bitvest as I have been using the site for quite some time and only had problems else where. Probably the cause of all this is downloading cracked stuff from the torrents. Lesson learned, bought me some licenses just now and will do a full overnight system in-depth scan. Will update you guys if it persists.

[wmabern]

Only download programs/applications from the manufacturers confirmed website. This is especially true for anti-virus programs.

If you want to download torrents of other applications, that's cool. I do it every now and then. But DON'T do that with a program you expect to protect your computer and data! As was mentioned in previous post, MANY torrent downloads contain malware. I would venture to say that probably over 50% of the warez downloaded have some form of malware in them.

Only download your anti-virus/anti-malware programs from the products official website. Then pay for the professional version.

Anti-virus programs are not the place to skimp on paying for a product. If you KNOW you have a valid, professional AV program, then if you download some app that has malware in it, it will not cost you the data on your PC, your identity being stolen, ransomware, or in your case, BTC being stolen.

If you don't pay for a single other program, it's imperative to have a valid, paid-for AV program.

No other reasonable options, IMHO.

[NeuroticFish]

Whatever he install now, the malware is already there and if it's done very good, it can trick the antivirus programs.
The correct way to clean is to boot from something clean (a bootable CD or USB) and then disinfect. Boot from that Windows again only after you cleaned it.

[wmabern]

Whatever he install now, the malware is already there and if it's done very good, it can trick the antivirus programs.
The correct way to clean is to boot from something clean (a bootable CD or USB) and then disinfect. Boot from that Windows again only after you cleaned it.

Yes, you're right. He needs to do a clean boot, as you say, with either an anti-virus rescue disk or even the OS disk. The best option is the AV rescue disk if one is available, but most people do not make one. (I don't think I have a current one.)

Second best, IMO, is to boot with Hirem's Boot CD (or similar) and run the AV scan from there. That will take care of the bug. Then he should be able to boot normally. He can download and burn the Hirems Boot CD on another PC.

After the PC has been thoroughly cleaned, he can add a good copy of MWB back onto the PC.

Running Malwarebytes on the PC that you are running your wallet on ( in addition to some well-respected brand of updated, ant-virus software ) is definitely a VERY good idea. It's the source of the MWB program that was the problem.

Even the "Free" version of Malwarebytes offers you some additional protection. They have just released a new version and if you are licensed under the previous version number, your old license key is still valid until your original subscription date arrives.

The new version is $39.99 per year. If you get the two-year subscription, they will knock 25% or $20 off the two-year pricing.
That's pretty cheap to protect your data and who-knows how many $$$$ of BTC's.

Anyway, download the newest version and choose "Trial" when you install it. That way you will get the full, premium editions full protection for 14 days. At the end of the 14 days, you can either pay for it and keep the premium version protection features or stay with free and it will continue to function in free mode.

Can't hurt to have the Premium protection for free for 14 days. I run the paid Premium Edition on the PC that runs Bitcoin Core and my wallet, and the Free Edition on my other laptops/PC's.

Here is a link to the new versions download: https://www.malwarebytes.com/

Don't take chances with your data or your Bitcoins!!! But you know that, as I'm sure your intentions were good to be running MWB in the first place. 
Good luck and best wishes!