
Topic: Missing receiving address in my bitcoin wallet (Read 777 times)

HCP
legendary
Activity: 2086
Merit: 4363
November 12, 2019, 02:15:44 PM
#49
Yes, but if you look at OP's 2nd post in this thread... he states he copy/pasted several addresses just fine... This was well before any mention of downloading/installing/running any AV/anti-malware software:
- I did copy-paste a few of the addresses from the list, by your advice, and everything looks fine. I got the same addresses in the txt

For the clipboardjacker to simply stop working is not something I've encountered before... not saying it isn't possible. Perhaps some malware author got clever and created a version that tries to avoid detection by only changing every "1 in X" addresses...
copper member
Activity: 2338
Merit: 4543
The super confusing part in all this is that the OP said he already tried copy/pasting multiple bitcoin addresses since this incident and they all copy and paste just fine... I've never seen a clipboard hijacker that only works "once" and then stops working??!?
The clipboard virus might have been flagged and deleted by his Malwarebytes AV in the meantime that is why he was able to copy/paste the correct address when instructed to try it out.

If you follow the OP's timeline this seems like the most plausible scenario.  It's hard to point to any one thing that caused this; the proper troubleshooting steps were taken out of sequence, in my opinion.  It's unfortunate because it would have been nice to help the OP figure out exactly what caused his issue so he can avoid it in the future.  As it is, this might happen to him again if he continues downloading and installing software the way he's been.
legendary
Activity: 2730
Merit: 7065
The super confusing part in all this is that the OP said he already tried copy/pasting multiple bitcoin addresses since this incident and they all copy and paste just fine... I've never seen a clipboard hijacker that only works "once" and then stops working??!?
The clipboard virus might have been flagged and deleted by his Malwarebytes AV in the meantime that is why he was able to copy/paste the correct address when instructed to try it out.
HCP
legendary
Activity: 2086
Merit: 4363
I didn't notice that he posted this image except the one that shows the file infected.
It looks like Malwarebytes detected 26 infected files, which I think is the reason why he is suffering from this clipboard virus.
No... it is showing a bunch of "Potentially Unwanted Programs" aka PUPs... these are NOT necessarily viruses or trojans or malware... but annoying things that you may or may not want on your PC... vast number of these tend to be "Browser Helpers" or toolbars etc.

The super confusing part in all this is that the OP said he already tried copy/pasting multiple bitcoin addresses since this incident and they all copy and paste just fine... I've never seen a clipboard hijacker that only works "once" and then stops working??!?
legendary
Activity: 3472
Merit: 3217
He did scan more than just Electrum folder, and he posts the link on the first page: https://prnt.sc/ptqd3s

But since he himself admits he has limited knowledge about all this (including formatting disc), finding the cause of this incident is quite uncertain and very likely difficult to solve. My advice would be to back up everything you need from your computer (pictures, videos, documents) and take it to someone who will do the disk formatting and installation of the new operating system.

Then the computer should be protected with antivirus/antimalware/firewall, and used in a manner appropriate to the computer on which cryptocurrency is used. This means that such a computer is your personal bank, no torrent or porn should be mixed with very sensitive information such as private keys, coins address/s or seeds.

I didn't notice that he posted this image except the one that shows the file infected.
It looks like Malwarebytes detected 26 infected files, which I think is the reason why he is suffering from this clipboard virus.


@GerGys
If you don't know how to format your PC I can help you, but first follow what Lucius suggested above: back up all important files, including wallet files, before you PM me.
copper member
Activity: 2338
Merit: 4543
You said previously that all the addresses in your electrum wallet begin with 1 yet this address begins with 3. Did you not notice this difference when pasting the address into your email? It's a pretty big difference.

edit: also could this address be from some website or exchange you were using at the time?

I wonder if he actually meant this address: 1P24xfd96qvMzLN81qxNhgPn2pm8Efa5AG.

According to blockchain that address received a payment, and instantly broadcast this transaction:
0ddca07771e20587b00a1685702f1be13c2748832fa8c835040cdc2c3001ab33

According to blockchair the same transaction was confirmed about an hour and a half after the payment:
0ddca07771e20587b00a1685702f1be13c2748832fa8c835040cdc2c3001ab33

also could this address be from some website or exchange you were using at the time?

I was thinking the same thing, maybe the OP was trying to multi-task and succeeding about as well as I do when I try.
legendary
Activity: 3234
Merit: 5637
Have you just scanned the folder of Electrum and detected this exploit?
You need to scan the whole PC to find the infected file.

He did scan more than just Electrum folder, and he posts the link on the first page: https://prnt.sc/ptqd3s

But since he himself admits he has limited knowledge about all this (including formatting disc), finding the cause of this incident is quite uncertain and very likely difficult to solve. My advice would be to back up everything you need from your computer (pictures, videos, documents) and take it to someone who will do the disk formatting and installation of the new operating system.

Then the computer should be protected with antivirus/antimalware/firewall, and used in a manner appropriate to the computer on which cryptocurrency is used. This means that such a computer is your personal bank, no torrent or porn should be mixed with very sensitive information such as private keys, coins address/s or seeds.
legendary
Activity: 3710
Merit: 1586
Abdussamad, yes, the address is the same.

That's the blockchain transaction link :  https://www.blockchain.com/btc/tx/0ddca07771e20587b00a1685702f1be13c2748832fa8c835040cdc2c3001ab33

When I checked the address later, I saw that the payment left the address 2 sec after it was received: https://bitref.com/1P24xfd96qvMzLN81qxNhgPn2pm8Efa5AG

If I understand the blockchain correctly, the payment is sent to address: 3Ksti3jfX7Vb6FUZW4mWZbazyFcAeyjkCy and that address isn't my address. Actually, I didn't see the payment in my wallet at all.

You said previously that all the addresses in your electrum wallet begin with 1 yet this address begins with 3. Did you not notice this difference when pasting the address into your email? It's a pretty big difference.

edit: also could this address be from some website or exchange you were using at the time?
legendary
Activity: 3472
Merit: 3217
Malwarebytes just detected a threat and the file again is the Electrum wallet

That's the threat : https://prnt.sc/pumzht

Have you just scanned the folder of Electrum and detected this exploit?
You need to scan the whole PC to find the infected file.

Can you try to scan the whole PC with Kaspersky Total Security? Maybe this one will detect more than Malwarebytes. They have a 1-month free trial, and make sure to update the database first before you scan the whole PC.

Let's see if it can detect more suspicious files; if it detects them, it will automatically quarantine the infected files.
legendary
Activity: 2268
Merit: 18771
As I said before, the legitimate version of Electrum often gets flagged as a false positive by malwarebytes and other anti-virus software

You can see a response to this issue on the Electrum github here: Electrum binaries flagged by some antivirus (false positive) #3198

You can also search this forum or reddit and see plenty of posts describing that exact issue.

That's not to say you should just ignore it, as you may have actually downloaded a fake version of Electrum. What you should do is to ensure you only ever download from electrum.org and nowhere else, and verify your download by following these steps (https://bitcoinelectrum.com/how-to-verify-your-electrum-download/) prior to installing it. If you do both these things, then you can safely ignore any threats detected by malwarebytes.
newbie
Activity: 35
Merit: 0
Malwarebytes just detected a threat and the file again is the Electrum wallet

That's the threat : https://prnt.sc/pumzht
legendary
Activity: 2268
Merit: 18771
So at some point between your wallet and sending the email, the address has changed to a different one. As far as I can see there are three possibilities here, provided you are using a genuine version of Electrum (which you say you are):

1. You previously had the incorrect address on your clipboard, didn't actually copy your own address (just think you did), and then pasted the incorrect address in to the email.
2. You have malware which meant that although you copied the correct address, you pasted the incorrect address in to the email. I would repeat the exact same steps you performed before to see if this is reproducible. Copy the same address you did before, and paste it in to the same email provider.
3. Your email is compromised. What email provider are you using? It's possible if someone else has access they could edit any emails you try to send, or even recall emails you have already sent and replace them with their own.

I would think the second is by far the most likely, especially considering malwarebytes is giving you 25 potential positives on a scan. It's just a bit strange that it isn't reproducible (although it might never be now if malwarebytes has quarantined the offending malware).

As always, before hitting send on any transaction or communication, you should be double checking your address against the source (in this case, your Electrum wallet).

This topic would be worth a read: How to lose your Bitcoins with CTRL-C CTRL-V
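
An added example, not part of any post in this thread: a Python sketch of the check recommended in the post above (compare what was pasted against the wallet's own address list before sending) that also flags the address-type mismatch raised elsewhere in the thread (wallet addresses starting with 1, substituted address starting with 3). The wallet list, the substitute address and all function names are constructed for illustration.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def _checksum(payload):
    # Base58Check: first 4 bytes of double SHA-256 over version + hash
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58check_encode(version, hash160):
    raw = bytes([version]) + hash160
    raw += _checksum(raw)
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    # each leading zero byte is written as a literal '1'
    return "1" * (len(raw) - len(raw.lstrip(b"\0"))) + out

def b58check_decode(addr):
    """Return (version, hash160), or None if malformed or checksum fails."""
    n = 0
    for ch in addr:
        if ch not in B58:
            return None
        n = n * 58 + B58.index(ch)
    pad = len(addr) - len(addr.lstrip("1"))
    raw = b"\0" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) != 25 or _checksum(raw[:-4]) != raw[-4:]:
        return None
    return raw[0], raw[1:-4]

def check_paste(pasted, wallet):
    """Classify what came out of the clipboard against the wallet's own list."""
    pasted = pasted.strip()
    if pasted in wallet:
        return "ok"
    decoded = b58check_decode(pasted)
    if decoded is None:
        return "invalid"          # typo or truncated paste
    wallet_versions = {d[0] for d in map(b58check_decode, wallet) if d}
    if decoded[0] not in wallet_versions:
        return "foreign-type"     # e.g. wallet is all '1...', paste is '3...'
    return "foreign"              # valid address, but not one of ours

# Constructed sample data: a wallet of P2PKH addresses (version 0x00) and a
# substituted P2SH address (version 0x05), built from dummy hashes.
WALLET = [b58check_encode(0x00, bytes([i]) * 20) for i in (1, 2, 3)]
SUBSTITUTE = b58check_encode(0x05, b"\xaa" * 20)
```

Anything other than "ok" means the text about to be sent is not an address from the wallet, whatever the clipboard was supposed to contain.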
hero member
Activity: 1358
Merit: 851
If I understand the blockchain correctly, the payment is sent to address: 3Ksti3jfX7Vb6FUZW4mWZbazyFcAeyjkCy and that address isn't my address. Actually, I didn't see the payment in my wallet at all.
You have sent the address through email, right? Now check the email to see whether you sent this address or not. If you sent this one (which isn't owned by you), then you have been infected with copy/paste malware which has changed your actual address into this one.
Or, if you sent a correct address which is from your wallet, there are two possible cases:
1. The sender's device has been infected with copy/paste malware.
2. The sender intentionally sent to his own address (which is unlikely since you had some previous deals).


Check your mail and confirm if it's the mistake from your side.
newbie
Activity: 35
Merit: 0
Abdussamad, yes, the address is the same.

That's the blockchain transaction link :  https://www.blockchain.com/btc/tx/0ddca07771e20587b00a1685702f1be13c2748832fa8c835040cdc2c3001ab33

When I checked the address later, I saw that the payment left the address 2 sec after it was received: https://bitref.com/1P24xfd96qvMzLN81qxNhgPn2pm8Efa5AG

If I understand the blockchain correctly, the payment is sent to address: 3Ksti3jfX7Vb6FUZW4mWZbazyFcAeyjkCy and that address isn't my address. Actually, I didn't see the payment in my wallet at all.
legendary
Activity: 3710
Merit: 1586
Emails you sent are stored in the send folder of your email client/website, so do confirm that the address was the one where the coins were sent.
newbie
Activity: 35
Merit: 0
Lucius, no, I didn't scan the PC in safe mode, but I will do it. Thanks for the advice!

DireWolfM14, I sent the receiving address via email. This person always makes direct btc payments to me and I always email him the address. Today I received a btc payment through my website and everything was fine. I also sent a btc payment about 20 min ago and everything was fine again.
Hope it was just a one-time problem!
But, of course, it doesn't mean that I should not protect my PC. I am thinking of formatting the disc, but will need time to find info on how to do that. I think I should also update the Electrum wallet, but will also need time to read how to do that.
copper member
Activity: 2338
Merit: 4543
But I just checked the Remote Settings and saw, that "Allow Remote Assistance connections to this computer" option was enabled (I don't know why).

That option is enabled on Windows by default.  It doesn't matter, because you would have to manually start a "Remote Assistance" session to grant anyone access to your computer.  If you haven't used that feature then that's not your issue.

HCP, yes, I copy-pasted (in txt) a few addresses from my Addresses list and everything was fine.
But I didn't try yet to test a direct payment to my btc wallet (to be honest, I'm afraid to do that). Maybe I should test with a small amount. But today I got a btc payment through my website and everything is fine.

In your original post you said that you copy and pasted your receiving address, how did you share it with the person who was to send you the payment?  Did you email it to him, use a messaging app, social media..?

legendary
Activity: 3234
Merit: 5637
GerGys, did you scan your PC in safe mode with Malwarebytes and that antivirus which I have recommended to you in a previous post? I am asking this because some malware is much easier to be removed from the system if you scan in safe mode.

Since you say that your Remote Settings was enabled, there is a possibility that you have something very malicious on your computer, maybe some type of remote access trojan, and these things are most effectively resolved by formatting the disk. If you are not ready to format the disc, do you have a smartphone (Android 5+) on which you can install Electrum? There is a direct link on Electrum site for mobile version.
newbie
Activity: 35
Merit: 0
Abdussamad, I don't have a teamviewer type program and didn't use teamviewer. But I just checked the Remote Settings and saw that the "Allow Remote Assistance connections to this computer" option was enabled (I don't know why). I disabled it. Thanks for the advice!


HCP, yes, I copy-pasted (in txt) a few addresses from my Addresses list and everything was fine.
But I didn't try yet to test a direct payment to my btc wallet (to be honest, I'm afraid to do that). Maybe I should test with a small amount. But today I got a btc payment through my website and everything is fine.
legendary
Activity: 3710
Merit: 1586
There was another user who had a similar problem and he discovered that it was due to remote desktop protocol (RDP) or teamviewer type programs. These let a remote computer modify his clipboard and so he was only affected when that RDP/teamviewer software was running and he copy pasted addresses. Do you use software like that?