ComboJack Cryptojacker

ComboJack Cryptojacker is a malicious infection that is capable of hijacking the clipboard and replacing its contents specifically to modify crypto-currency wallet addresses. This is done in the hopes of replacing intended wallet addresses with the ones that belong to cyber criminals, so that crypto-currency would be silently redirected to the wrong wallet without the user’s notice. This kind of activity is incredibly stealthy and malicious, and all Windows users need to take appropriate security measures to ensure that this malicious Trojan – also known as Trojan.ComboJack – does not slither in. According to recent analysis, the infection exploited the CVE-2017-8579 vulnerability to spread, and Microsoft has already patched it. Therefore, the first step everyone owning Windows should take is to update their operating systems. As long as all security updates are installed, vulnerabilities cannot be exploited to spread malware. Have you recently found that you need to delete ComboJack Cryptojacker from your own Windows operating system? If you have, you should continue reading to learn more.

This is not the first time our research team has encountered a malicious Trojan capable of monitoring clipboard content specifically for crypto-currency wallet addresses. CryptoShuffler is another well-known threat that is capable of doing that. It has been reported that this malware has stolen at least 14,000 USD using the deceptive method. It is currently unknown how much ComboJack has managed to steal from its victims, but the sum could exceed any speculation, which is why we should not get into that. According to research, this particular infection relies on spam emails for successful distribution. In one sample obtained by malware experts, the infection was being distributed using an email message that asked the target to confirm whose passport was found. A PDF file was attached to the file, and the message in that file read “This PDF document embeds file [name].doc.” A dialog message popped up asking the user to confirm if they wanted to open the file. If they agreed with that, an embedded RTF file was opened, and it contained an HTA file that exploited the CVE-2017-8579 vulnerability to run PowerShell commands and download the malicious ComboJack Cryptojacker. The victim did not realize that they needed to delete anything.

For as long as ComboJack Cryptojacker is active, it checks the clipboard every half a second to check for pasted crypto-currency wallet addresses. According to our knowledge, the infection is capable of tracking Bitcoin, Ethereum, Litecoin, Monero, Qiwi, WebMoney, and Yandex Money. Notably, the latter two represent digital payment services, not crypto-currency, which is the biggest difference we have seen in comparison to CryptoShuffler. For every single one of the tracked systems, ComboJack has a replacement ready. For example, if it discovers a wallet format that is compatible with Bitcoin, it replaces it with 1LGskAycxvcgh6iAoigcvbwTtFjSfdod2x. At the time of research, transactions had not been made to this specific wallet. All in all, although the infection is silent, it is not invisible, and there are malicious files that require removal. Needless to say, if you do not know that there is something to look for, finding it can be impossible, and this is why installing trustworthy anti-malware software is crucial. If your system is not updated, and security software is not set in place to ensure full-time protection, ComboJack Cryptojacker is unlikely to be the last infection you will face and need to delete.

Without a doubt, it is our strong recommendation that you implement anti-malware software to delete ComboJack Cryptojacking malware – as well as other threats – and to protect your operating system. If that is not on your agenda, you need to find and remove the components of this malicious infection, and the instructions below should help you out. Of course, you also must update your operating system to patch all vulnerabilities, and you need to figure out a way to ensure that your system remains malware-free in the future. Note that while some spam emails and downloaders are clearly malicious, some of them can be created to fool even more experienced users, which is why you should not rely on your own expertise alone. Installing reliable security software is recommended even if you are able to delete ComboJack Cryptojacker manually.

ComboJack Cryptojacker Removal

1. Tap keys Ctrl+Shift+Esc to launch Task Manager and then click the Processes tab.
2. Select the process that is malicious (if you cannot identify it, do not terminate random processes because that could create more problems) and click End process.
3. Tap keys Win+E to launch Explorer and then enter %TEMP% into the bar at the top.
4. Right-click and Delete the file named NVDisplay.Container.exe.
5. Enter %ALLUSERSPROFILE%\ (or %ALLUSERSPROFILE%\Application Data, depending on the Windows version) into the bar at the top.
6. Right-click and Delete the folder named NVIDIA (it should contain a file named NVDisplay.Container.exe).
7. Empty Recycle Bin and then immediately perform a full system scan to check for malicious leftovers.