
File detected ...Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe


Saahana
Go to solution Solved by Maurice Naggar,


Hi ! 
I have a little big problem, and I can't succeed in finding a solution.

Malwarebytes detected the same files each minute, each second... I don't know if the problem is here but all my accounts were hacked this week (Instagram, Paypal, Epic Games, Riot Games, Twitter, Youtube....) It makes me so nervous and sad...

You will find enclosed the error files and the screen concerning this file. 

I really don't even know what I'm supposed to do... Maybe someone can help me ? 
Many thanks in advance ! 
Have a good day

unknown.png

File.txt


  • Staff

Hi, @Saahana,

Unfortunately, your system is infected.

I will move your topic to an appropriate forum so hopefully some of our valuable staff/members can help you with the infection.

While you are waiting for the next qualified/approved malware removal expert helper to weigh in on your topic, please carefully follow the instructions within the following:

I'm infected - What do I do now?

 


Hi, many thanks for your help.

I'm so sad to know my system is infected and I hope there is a solution to help me ! 

Then, I carefully followed your instructions. So, you will find enclosed : 
- Threat Scan : clear
- Addition 
- FRST 

Please don't hesitate if you need further information. 

Thanks a lot again for your help ! 
Have a nice day, 

Threat scan.png

Addition.txt FRST.txt


Hello @Saahana

I will guide you along on looking for malware. Let us keep these principles as we go along.

  • Removing malware can be unpredictable
  • Please don't run any other scans, download, install or uninstall any programs while I'm working with you.
  • Only run the tools I guide you to.
  • Do not run online games while case is on-going. Do not do any free-wheeling web-surfing.
  • The removal of malware isn't instantaneous, please be patient.
  • Cracked or hacked or pirated programs are not only illegal, but also will make a computer a malware victim. Having such programs installed is the easiest way to get infected. It is the leading cause of ransomware encryptions. It is at times also a big source of current trojan infections. Please uninstall them now, if any are here, before we start the cleaning procedure.
  • Please stick with me until I give you the "all clear".
  • If your system is running Discord, please be sure to Exit out of it while this case is on-going.

The block notices mean that Malwarebytes real-time web protection is keeping this Windows machine safe from potential harm. I will get back with you after a full review of your last reports. But first this one time scan

Please set File Explorer to SHOW ALL folders, all files, including Hidden ones.  Use OPTION ONE or TWO of this article.
Please use this guide https://www.tenforums.com/tutorials/7078-turn-off-show-all-folders-windows-10-navigation-pane.html

Do a Check for Update using the Malwarebytes Settings >> General tab.

See this Support Guide https://support.malwarebytes.com/hc/en-us/articles/360042187934-Check-for-updates-in-Malwarebytes-for-Windows

When it shows a new version available, Accept it and let it proceed forward.  Be sure it succeeds.

If prompted to do a Restart, just please follow all directions.

Let me know how that goes.    Next, the Malwarebytes scan.

Then click the Security tab.  Scroll down and let's be sure the line in SCAN OPTIONS for

"Scan for rootkits" is ON 👈   Click it to get it ON if it does not show a blue-color .

 

Next, click the small x on the Settings line to go to the main Malwarebytes Window.   Next click the blue button marked Scan.

 

When the scan phase is done, be real sure you Review and have all detected line items check-marked on each line on the left. That too is very critical.

👉 You can actually click the topmost left check-box on the very top line to get ALL lines ticked (all selected).

 

Please double verify you have that TOP  check-box tick marked.   and that then, all lines have a tick-mark

 

Then click on Quarantine  button.


 


Then, locate the Scan run report;  export out a copy;  & then attach in with your  reply.
See https://support.malwarebytes.com/hc/en-us/articles/360038479194-View-Reports-and-History-in-Malwarebytes-for-Windows-v4


After that scan has completed, this is the next procedure to use a standalone one time on-demand scan. 

The Microsoft Safety Scanner is a free Microsoft stand-alone virus scanner that can be used to scan for & remove malware or potentially unwanted software from a system. 

The download links & the how-to-run-the tool are at this link at Microsoft 

https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

 

Look on Scan Options & select  FULL scan  .

Then start the scan. Have lots of patience. Once you start the scan & you see it started, then leave it be.  

  • Once you see it has started, take a long long break;  walk away.  Do not pay credence if you see some intermediate early flash messages on screen display.  The only things that count are the End result at the end of the run.
  • Again, any on-screen display about repeat 'infection' is not to be relied on.  Ignore those.
  • We only rely on the end result that is on the log-report-file.

 

This is likely to run for many hours   ( depending on number of files on your machine & the speed of hardware.)

The log is named MSERT.log  

the log will be at  

Windows\debug\msert.log

Please attach that log with your reply. We will do more later. I will guide you.


  • Solution

Thank you for the reports. In fact, this machine still has very strong indications of malware. There is what looks like at least one trojan if not more. This is per a full review of the Farbar FRST reports.
IF it is the case that someone installed a low-cost, or "so-called free program" crack or hacked or shared application [ like perhaps a Adobe app, or a popular game or perhaps a Microsoft product/program, or other commercial app] that was downloaded from a dodgy or pirate site ...say from early July thru recent time....please be sure to Stop and let me know.
Because if true, that is what caused this serious malware infection.

What follows is offered as-is. There is no guarantee with it. If you wish to Stop and consider wiping the machine clean and cleanly installing Windows operating system, stop and let me know.

The custom script below is aimed to remove the malware items, and selected sub-folders of the malwares. This job will run exclusively and also at the end, it will do a Windows Restart ( reboot).

Please be sure to Close any open work files, documents,  any apps you started yourself  before starting this. THIS run will do a Windows RESTART. Once it starts it will auto-close any other running app.

We will use FRST64.exe  on the C:\Users\Saahana\Downloads folder to run a custom script.    The system will be rebooted after the script has run.

This custom script is for  Saahana  only / for this machine only.

  • Please save the (attached file named) FIXLIST.txt   to the   Downloads   folder

Fixlist.txt

Then, Start the Windows Explorer and then, go  to the Downloads    folder.


RIGHT click on FRST64.exe    and select RUN as Administrator and allow it to proceed.  Reply YES when prompted to allow to run.

  •    If the tool warns you the version is outdated, please download and run the updated version.
  • IF Windows prompts you about running this, select YES to allow it to proceed.
  • IF you get a block message from Windows about this tool......

               click the line More info on that screen
               and click the button Run anyway on the next screen.

  • on the FRST window:

Click the Fix button just once, and wait.

PLEASE have lots and lots of patience when this starts. You will see a green progress bar start. Lots of patience. 

Please attach the FIXLOG.txt with your next reply later, at your next opportunity. Be sure to let me know, How is the system at that point.


Uninstall that rogue Adobe After Effect and then Restart Windows.

Yes do run the procedure I listed. FRST64 is the Farbar report tool that you used earlier to run me the FRST report earlier today. That is on your Second post up at the top. Farbar FRST is a known trusted tool.  I listed in my reply that your machine has it ! 👍😎


Bravo. Merci. I need some additional data collection from you and then I will ask you to execute a special one-time scan.

First, on the Desktop of this machine, please find a ZIP file named  14.09.2022_00.48.53.zip
On your next reply, attach ( upload) that ZIP file.

Next:

A request please 

I would like to get a copy of what we placed in Quarantine, from the runs I had you do. Please. 

  • Using Windows File Explorer, Navigate to C:\FRST folder on your system. Expand the folder so you see all contents.
  • Right click on Quarantine > Send to > Compressed (zipped) folder
  • Upload the archive in your next reply   ( I mean ATTACH it )
  • If archive is too big you can upload here > https://wetransfer.com/

 

This here you can start & once it is under way, you can leave the machine alone & let it run over-night. No need to keep watch once it starts the actual scan run. 

Next, This will be a check with ESET Onlinescanner for viruses, other malware, adwares, & potentially unwanted applications.

Go to https://download.eset.com/com/eset/tools/online_scanner/latest/esetonlinescanner.exe

 

It will start a download of "esetonlinescanner.exe"

  • Save the file to your system, such as the Downloads folder, or else to the Desktop.
  • Go to the saved file, and double click it to get it started.

 

  • When presented with the initial ESET options, click on "Computer Scan".
  • Next, when prompted by Windows, allow it to start by clicking Yes
  • When prompted for scan type, Click on Full scan

Look at & tick ( select ) the radio selection "Enable ESET to detect and quarantine potentially unwanted applications" and click on Start scan button.

  • Have patience. The entire process may take an hour or more. There is an initial update download.

There is a progress window display. You may step away from the machine & let it be.  That is, once it is under way, you should leave it running.  It will run for several hours.

  • At screen "Detections occurred and resolved" click on blue button "View detected results"
  • On next screen, at lower left, click on blue "Save scan log"
  • View where file is to be saved. Provide a meaningful name for the "File name:"
  • On last screen, set to Off (left) the option for Periodic scanning
  • Click "save and continue"
  • Please attach the report file so I can review

After all this, we will have more to do.  So keep monitoring this topic-thread.

Kind regards

I appreciate that you sent the ZIP and RAR files. Merci. 😉👍
On the ESET Online scanner tool, it did find a DLL file that it marked & removed & tagged it as a trojan,
C:\Users\Saahana\AppData\Roaming\Keep Notes Manager\libcm30.dll    variante de Win32/Agent.AEQX cheval de troie    nettoyé par suppression

Q: What do you know, if any, about "Keep notes manager" ?

At this point, at your next opportunity, I would very much recommend this next scan ( we simply want another check for potential leftover malware, if any).
This tool is intended as a one time use. One on-demand use. The tool is self-contained. It does not "install" as a installed program.

We will run another antivirus scanner  and see if it finds any other issues for us.

Please download and run the following Kaspersky Virus Removal Tool 2020 and save it to your Desktop.

(Kaspersky Virus Removal Tool version 20.0.10.0 was released on November 9, 2021)

Download: Kaspersky Virus Removal Tool

How to run a scan with Kaspersky Virus Removal Tool 2020
https://support.kaspersky.com/15674

How to run Kaspersky Virus Removal Tool 2020 in the advanced mode
https://support.kaspersky.com/15680

How to restore a file removed during Kaspersky Virus Removal Tool 2020 scan
https://support.kaspersky.com/15681

 


Select the Windows Key and R Key together, the "Run" box should open.

Drag and Drop KVRT.exe into the Run Box.

C:\Users\{your user name}\DESKTOP\KVRT.exe will now show in the run box.

add -dontencrypt   Note the space between KVRT.exe and -dontencrypt

C:\Users\{your user name}\DESKTOP\KVRT.exe -dontencrypt should now show in the Run box.


That addendum to the run command is very important: when the scan does eventually complete, the resultant report is normally encrypted; with the extra command it is saved as a readable file.

Reports are saved here C:\KVRT2020_Data\Reports and look similar to this report_20220914_113021.klr
Right-click direct onto that report, select > open with > Notepad. Save that file and attach it to your reply. Note the name of that file will include the year & month & day & hhmmss for the run date.

To start the scan select OK in the "Run" box.

A EULA window will open, tick all confirmation boxes then select "Accept"

In the new window select "Change Parameters"

In the new window ensure all selection boxes are ticked, then select "OK" The scan should now start...

When complete if entries are found there will be options, if "Cure" is offered leave as is. For any other options change to "Delete" then select "Continue"

When complete, or if nothing was found select "Close"

Attach the report information as previously instructed...
 
Thank you

After finishing steps above & when you get the next chance.
I need you to do 2 things. The first is just to ensure that the real-time protection from Microsoft Defender Antivirus is not turned off.
Start Malwarebytes. Click Settings ( gear ) icon. Next, let's make real sure that Malwarebytes does NOT register with Windows Security Center

Click the Security Tab. Scroll down to

"Windows Security Center"

Click the selection to the left  for the line "Always register Malwarebytes in the Windows Security Center".
{ We want that to be set as Off   .... be sure that line's  radio-button selection is all the way to the Left.  thanks. }

This will not affect any real-time protection of the Malwarebytes for Windows    😃.

Close Malwarebytes.


I would like a report set for review.   This is a report only.

Please download MALWAREBYTES MBST Support Tool

Once you start it click Advanced >>> then   Gather Logs

 Have patience till the run has finished.

Upload an archive once it is done. Attach the mbst-grab-results.zip from the Desktop.

 

  • Please attach  mbst-grab-results.zip    to your reply
  • The IP block actions by Malwarebytes are keeping the machine safe from potential threats.
  • We do need the support zip reports to see more detail (the screen grabs just do not have full details + those screens give no clue as to what processes are running).

Hi, 

Thank you again for your help ! For your information, I really don't know anything about "Keep notes manager"... 

Please find enclosed the report from the KVRT analysis. I can't open it with note, so I sent it to you as .rar, hope it's not a problem for you. 

I think it's ok because they find items on quarantine, but tell me your opinion. 
 

report_2022.09.14_20.31.57.rar


  • Root Admin

The data from Kaspersky

<Report>
    <Metadata Version="1" PCID="{A8D86A3B-AC44-35A5-E1E7-8CFBB5E0781C}" LastModification="2022.09.14 20:54:41.694" />
    <EventBlocks>
        <Block0 Type="Scan" Processed="639175" Found="3" Neutralized="3">
            <Event0 Action="Scan" Time="133076539592091467" Object="" Info="Started" />
            <Event1 Action="Detect" Time="133076540894372933" Object="C:\FRST\Quarantine\C\Users\Saahana\AppData\Roaming\WinSupUpdata\client32.exe" Info="not-a-virus:RemoteAdmin.Win32.NetSup.i" />
            <Event2 Action="Detect" Time="133076540894572411" Object="C:\FRST\Quarantine\C\Users\Saahana\AppData\Roaming\WinSupUpdata\PCICL32.DLL" Info="not-a-virus:HEUR:RemoteAdmin.Win32.NetSup.gen" />
            <Event3 Action="Detect" Time="133076546338916182" Object="C:\Users\Saahana\Desktop\14.09.2022_00.48.53.zip" Info="not-a-virus:RemoteAdmin.Win32.NetSup.i" />
            <Event4 Action="Scan" Time="133076550585329071" Object="" Info="Finished" />
            <Event5 Action="Select action" Time="133076551760615599" Object="C:\FRST\Quarantine\C\Users\Saahana\AppData\Roaming\WinSupUpdata\client32.exe" Info="Delete" />
            <Event6 Action="Select action" Time="133076551760615599" Object="C:\FRST\Quarantine\C\Users\Saahana\AppData\Roaming\WinSupUpdata\PCICL32.DLL" Info="Delete" />
            <Event7 Action="Select action" Time="133076551760615599" Object="C:\Users\Saahana\Desktop\14.09.2022_00.48.53.zip" Info="Delete" />
            <Event8 Action="Disinfection" Time="133076551760615599" Object="" Info="Started" />
            <Event9 Action="Quarantined" Time="133076551760665458" Object="C:\FRST\Quarantine\C\Users\Saahana\AppData\Roaming\WinSupUpdata\client32.exe" Info="" />
            <Event10 Action="Quarantined" Time="133076551760966203" Object="C:\FRST\Quarantine\C\Users\Saahana\AppData\Roaming\WinSupUpdata\PCICL32.DLL" Info="" />
            <Event11 Action="Quarantined" Time="133076551761287286" Object="C:\Users\Saahana\Desktop\14.09.2022_00.48.53.zip" Info="" />
            <Event12 Action="Deleted" Time="133076551761297260" Object="C:\FRST\Quarantine\C\Users\Saahana\AppData\Roaming\WinSupUpdata\client32.exe" Info="" />
            <Event13 Action="Deleted" Time="133076551761297260" Object="C:\FRST\Quarantine\C\Users\Saahana\AppData\Roaming\WinSupUpdata\PCICL32.DLL" Info="" />
            <Event14 Action="Deleted" Time="133076551761297260" Object="C:\Users\Saahana\Desktop\14.09.2022_00.48.53.zip" Info="" />
            <Event15 Action="Disinfection" Time="133076551763128809" Object="" Info="Finished" />
        </Block0>
    </EventBlocks>
</Report>

 

 

All items basically that were in Quarantine already, and/or the zip file created for review.

@Maurice Naggar will be along shortly to continue. Thank you for the logs @Saahana

 

 

 

Link to post
Share on other sites
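Added example (not part of the original thread, and not Kaspersky's own code): Python that reads a KVRT report like the one quoted above, groups events per file, and separates detections that sit inside C:\FRST\Quarantine from detections on live paths. It assumes the Time attributes are Windows FILETIME ticks; the function names and INERT_PREFIXES are hypothetical, and the sample is an excerpt of the report in this thread.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Excerpt of the KVRT report quoted in the thread (Events 5-11 and 15 left out).
REPORT = r"""<Report>
  <EventBlocks>
    <Block0 Type="Scan" Processed="639175" Found="3" Neutralized="3">
      <Event0 Action="Scan" Time="133076539592091467" Object="" Info="Started" />
      <Event1 Action="Detect" Time="133076540894372933" Object="C:\FRST\Quarantine\C\Users\Saahana\AppData\Roaming\WinSupUpdata\client32.exe" Info="not-a-virus:RemoteAdmin.Win32.NetSup.i" />
      <Event2 Action="Detect" Time="133076540894572411" Object="C:\FRST\Quarantine\C\Users\Saahana\AppData\Roaming\WinSupUpdata\PCICL32.DLL" Info="not-a-virus:HEUR:RemoteAdmin.Win32.NetSup.gen" />
      <Event3 Action="Detect" Time="133076546338916182" Object="C:\Users\Saahana\Desktop\14.09.2022_00.48.53.zip" Info="not-a-virus:RemoteAdmin.Win32.NetSup.i" />
      <Event4 Action="Scan" Time="133076550585329071" Object="" Info="Finished" />
      <Event12 Action="Deleted" Time="133076551761297260" Object="C:\FRST\Quarantine\C\Users\Saahana\AppData\Roaming\WinSupUpdata\client32.exe" Info="" />
      <Event13 Action="Deleted" Time="133076551761297260" Object="C:\FRST\Quarantine\C\Users\Saahana\AppData\Roaming\WinSupUpdata\PCICL32.DLL" Info="" />
      <Event14 Action="Deleted" Time="133076551761297260" Object="C:\Users\Saahana\Desktop\14.09.2022_00.48.53.zip" Info="" />
    </Block0>
  </EventBlocks>
</Report>"""

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Assumption: on this machine FRST keeps already-removed files under this folder.
INERT_PREFIXES = ("c:\\frst\\quarantine\\",)


def filetime_to_utc(value):
    """Assumed format: Windows FILETIME, 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=int(value) // 10)


def summarize(report_xml):
    """Group events per file: verdict, detection time, follow-up actions."""
    objects = defaultdict(lambda: {"verdict": None, "detected_utc": None, "actions": []})
    for block in ET.fromstring(report_xml).find("EventBlocks"):
        for event in block:
            path = event.get("Object")
            if not path:  # scan / disinfection start and finish markers
                continue
            entry = objects[path]
            entry["inert"] = path.lower().startswith(INERT_PREFIXES)
            if event.get("Action") == "Detect":
                entry["verdict"] = event.get("Info")
                entry["detected_utc"] = filetime_to_utc(event.get("Time"))
            else:
                entry["actions"].append(event.get("Action"))
    return dict(objects)


def live_detections(report_xml):
    """Detected paths outside the quarantine folder, i.e. the ones to follow up."""
    return sorted(p for p, e in summarize(report_xml).items()
                  if e["verdict"] and not e["inert"])


if __name__ == "__main__":
    for path, entry in summarize(REPORT).items():
        where = "quarantine copy" if entry["inert"] else "LIVE PATH"
        print(f'{entry["detected_utc"]:%Y-%m-%d %H:%M:%S} UTC  {where:15}  '
              f'{entry["verdict"]}  {entry["actions"]}\n    {path}')
```

For this report the only detection outside the quarantine folder is the ZIP on the Desktop; the two NetSup files are copies under C:\FRST\Quarantine.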

Hello @Saahana Thank you. Kudos, you have the Premium Malwarebytes program. This is just some housekeeping / adjusting. 

Launch Malwarebytes for Windows.
Click the gear-like Settings icon on the top-right bar.
On the General tab
look down to "Manual scan performance" impact
click the selection "Manual scans take less priority (less performance impact)"  >> Les analyses manuelles sont moins prioritaires (moins d'impact sur les performances)

click the Security column tab
Look down to "Scan options"
on the line "Scan for rootkits" set that to the left-side ( off position)
That is the normal default position.

Close Malwarebytes.

  • Yes, the items in FRST\quarantine were out of the way & no longer any threat.

 

  • I would recommend getting a readout report as to update status of some key apps.
  • Download SecurityCheck by glax24 from here  https://tools.safezone.cc/glax24/SecurityCheck/SecurityCheck.exe
  • and save the tool on the desktop.
  • If Windows SmartScreen blocks that with a message-window, then
  • Click on the MORE INFO spot and override that and allow it to proceed.

                               This tool is safe.   Smartscreen is overly sensitive.

Right-click  with your mouse on the Securitycheck.exe  and select "Run as administrator"   and reply YES to allow to run & go forward
Wait for the scan to finish. It will open in a text file named SecurityType.txt. Close the file.  Attach it with your next reply.
You can find this file in a folder called SecurityCheck, C:\SecurityCheck\SecurityCheck.txt


Thank you for SecurityCheck report. There are a few items that need your attention.
The elevation prompt for administrators disabled
^It is recommended to enable (default): Win+R typing UserAccountControlSettings and Enter^

Discord v.1.0.9004  Warning! Download Update

Bonjour v.3.1.0.1  Warning! Application is distributed through the partnership programs and bundle assemblies. Uninstallation recommended. You do not need "Bonjour".

The good stuff is:
Malwarebytes is on & protecting your system.
Microsoft Defender antivirus is on & protecting your system.

This topic is now closed to further replies.