Need some serious help, been hit by malware

[jztemple2]

My wife clicked on an attachment to our Spectrum bill, only it turned out not to be the Spectrum bill, it was bad stuff. I've deleted the email and the attachment, which was an iso, but now I'm getting this pop-up from Malwarebytes every minute. I've also deleted a .vbs file which I found in her Documents folder. I've tried deleting that jsc.exe file but I'm blocked because I don't have permissions from "TrustedInstaller".

I'm rather at a loss at what to do next. That Malwarebytes pop-up comes up now several times a minute and I can't seem to find a setting in Malwarebytes to tell it to stop telling me and just do something about it.

[Blackhawk]

#1. Unplug the PC from the network.

[Isgrimnur]

[jztemple2]

OK, so deleting jsc.exe isn't what I need to do. And unplugging from the internet doesn't fix the problem.So something is repeatedly trying to access a website, is that it? Is there a way to figure out what process is trying to do that?

[LawBeefaroni]

OK, so deleting jsc.exe isn't what I need to do. And unplugging from the internet doesn't fix the problem.So something is repeatedly trying to access a website, is that it? Is there a way to figure out what process is trying to do that?

I think the recommendation to unplug from the network was to limit damage, not fix the problem.

It looks like it is trying to use Jscript to do something but I'll defer to the experts..

[Pyperkub]

To verify that your jsc.exe is the correct one, launch a command prompt/powershell prompt and run sfc /scannow (system file checker, scan system files to verify they are the correct ones).

[gilraen]

The jsc.exe file is most likely legit. Con-ip.com is a DNS redirection service, so the malware is trying to hijack your web browsing.

Try to download and run RogueKiller - it's something that seems to be recommended a lot on the Malwarebytes forum by their own tech experts in response to this type of error.

[Anonymous Bosch]

My wife clicked on an attachment to our Spectrum bill, only it turned out not to be the Spectrum bill, it was bad stuff. I've deleted the email and the attachment, which was an iso, but now I'm getting this pop-up from Malwarebytes every minute. I've also deleted a .vbs file which I found in her Documents folder. I've tried deleting that jsc.exe file but I'm blocked because I don't have permissions from "TrustedInstaller".

I'm rather at a loss at what to do next. That Malwarebytes pop-up comes up now several times a minute and I can't seem to find a setting in Malwarebytes to tell it to stop telling me and just do something about it.

I would strongly recommend using the free TronScript (and reading through the linked documentation), as previously mentioned here:

In terms of getting a poorly-running and/or compromised Windows PC back to functionality, TronScript will likely prove to be more effective.

Here's a tutorial video that walks you through how to use it:

[Blackhawk]

OK, so deleting jsc.exe isn't what I need to do. And unplugging from the internet doesn't fix the problem.So something is repeatedly trying to access a website, is that it? Is there a way to figure out what process is trying to do that?

I think the recommendation to unplug from the network was to limit damage, not fix the problem.

Right, yanking the network cable prevents anything from your system getting to them, prevents them from getting to your system, and prevents it from spreading to other machines on your network. That is always the first step when you think you are compromised. Stop it from doing more than it already has, and then figure out how to remove it.

Think of it as a quarantine.

[jztemple2]

RogueKiller didn't find anything . I'm still reading through the scary documentation of Tron

I did figure out how to stop the constant Malwarbytes pop-ups by turning off the notifications. Not really much of an issue right now and frankly I think my wife just ignores them anyway .

So what I think I have is something that uses Javascript to call jsc.exe to try to contact a website. Malwarebytes keeps blocking that so at least no damage is being done.

And here is more info someone might be able to use, first the report that Malwarebytes generates

Code: Select all

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 5/27/22
Protection Event Time: 12:42 PM
Log File: 0fb6d12e-dddc-11ec-aafa-70b5e8317333.json

-Software Information-
Version: 4.5.9.198
Components Version: 1.0.1676
Update Package Version: 1.0.55476
License: Premium

-System Information-
OS: Windows 10 (Build 19044.1645)
CPU: x64
File System: NTFS
User: System

-Blocked Website Details-
Malicious Website: 1
, C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe, Blocked, -1, -1, 0.0.0, , 

-Website Data-
Category: RiskWare
Domain: fcairo.con-ip.com
IP Address: 194.213.3.27
Port: 333
Type: Outbound
File: C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe



(end)

Next is a .json log file generated by Malwarebytes

Code: Select all

FB64D9DE141C076EAC9A44D8374E912DDFC3C8D1925A0FB348565C4C10EA24C3
{
   "applicationVersion": "4.5.9.198",
   "chromeSyncResetQueryRequested": false,
   "chromeSyncResetQueryResult": false,
   "clientID": "",
   "clientType": "other",
   "componentsUpdatePackageVersion": "1.0.1676",
   "coreDllFileVersion": "0.0.0",
   "cpu": "x64",
   "dbSDKUpdatePackageVersion": "1.0.55474",
   "detectionDateTime": "2022-05-27T15:53:49Z",
   "fileSystem": "NTFS",
   "id": "33369032-ddd5-11ec-8d45-70b5e8317333",
   "isUserAdmin": true,
   "licenseState": "licensed",
   "linkagePhaseComplete": false,
   "loggedOnUserName": "System",
   "machineID": "",
   "os": "Windows 10 (Build 19044.1645)",
   "schemaVersion": 20,
   "sourceDetails": {
      "type": "mwac"
   },
   "threats": [
      {
         "ddsSigFileVersion": "",
         "linkedTraces": [

         ],
         "mainTrace": {
            "archiveMember": "",
            "archiveMemberMD5": "",
            "cleanAction": "block",
            "cleanResult": "successful",
            "cleanResultErrorCode": 0,
            "cleanTime": "",
            "generatedByPostCleanupAction": false,
            "hubbleRequestErrorCode": 0,
            "id": "33369033-ddd5-11ec-88de-70b5e8317333",
            "igExitCode": "",
            "isPEFile": false,
            "isPEFileValid": false,
            "isWhitelistedByAdsInfo": false,
            "linkType": "none",
            "objectMD5": "",
            "objectPath": "",
            "objectSha256": "",
            "objectSize": -1,
            "objectType": "website",
            "resolvedPath": "",
            "websiteData": {
               "blockType": 12,
               "ip": "194.213.3.27",
               "isInbound": false,
               "port": 333,
               "processPath": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\jsc.exe",
               "url": "fcairo.con-ip.com"
            }
         },
         "ruleID": -1,
         "ruleString": "",
         "rulesVersion": "0.0.0",
         "srcEngineComponent": "unknown",
         "srcEngineThreatNames": [

         ],
         "threatID": -1,
         "threatName": ""
      }
   ],
   "threatsDetected": 1
}

I guess I'm still trying to figure out what file is generating those Javascript executions. Right now I can't figure out how to trace that. If this was MS-DOS I could do that...

[Blackhawk]

I wouldn't assume that no damage is being done. Reduced, maybe.

If you have the means, back up any vital data on the system, just in case (and be sure to scan the backups afterwards.)

[Pyperkub]

I wouldn't assume that no damage is being done. Reduced, maybe.

If you have the means, back up any vital data on the system, just in case (and be sure to scan the backups afterwards.)

Yah, can boot into safe mode and run Malware bytes from there too.

[jztemple2]

I wouldn't assume that no damage is being done. Reduced, maybe.

If you have the means, back up any vital data on the system, just in case (and be sure to scan the backups afterwards.)

I keep backups of her computer for that reason. I've already done multiple scans today.

I don't know if any more damage is being done, but I can't really do anything more right now than I have. She's already gone back on using the computer (without asking me ).

I wonder if there is a way to track what programs are doing Javascipt calls? Off to the internet!

[jztemple2]

I wouldn't assume that no damage is being done. Reduced, maybe.

If you have the means, back up any vital data on the system, just in case (and be sure to scan the backups afterwards.)

Yah, can boot into safe mode and run Malware bytes from there too.

Hmm, how do I reboot windows in safe mode? I used to know that but I'm unsure now.

UPDATE: Found a site with five recommended methods!

[Anonymous Bosch]

I'm still reading through the scary documentation of Tron

You really needn't fret over anything. The video above walks you through and clearly demonstrates precisely what TronScript does and how it operates. But I think it's always a sensible notion to read documentation when you can.

[Blackhawk]

I wouldn't assume that no damage is being done. Reduced, maybe.

If you have the means, back up any vital data on the system, just in case (and be sure to scan the backups afterwards.)

I keep backups of her computer for that reason. I've already done multiple scans today.

I don't know if any more damage is being done, but I can't really do anything more right now than I have. She's already gone back on using the computer (without asking me ).

I wonder if there is a way to track what programs are doing Javascipt calls? Off to the internet!

If everything is backed up and safe, have you considered just nuking it and reinstalling Windows? It's a hassle, but it isn't that much more effort than what you are already doing, and it is the closest thing to a guarantee you can get that it's gone.

It also solves the potential future issue of compromised or corrupted files creating technical problems.

[jztemple2]

If everything is backed up and safe, have you considered just nuking it and reinstalling Windows? It's a hassle, but it isn't that much more effort than what you are already doing, and it is the closest thing to a guarantee you can get that it's gone.

It also solves the potential future issue of compromised or corrupted files creating technical problems.

If it was my computer it wouldn't be an issue, but she's got all these tweaks and settings and her tax programs and stuff on hers and she's really, really not happy with losing all that and have to reinstall and reset everything. I'll do it if I'm sure there's more to this than endless URL calls that are being blocked by Malwarebytes, but it will be a last resort.

[Pyperkub]

I wouldn't assume that no damage is being done. Reduced, maybe.

If you have the means, back up any vital data on the system, just in case (and be sure to scan the backups afterwards.)

I keep backups of her computer for that reason. I've already done multiple scans today.

I don't know if any more damage is being done, but I can't really do anything more right now than I have. She's already gone back on using the computer (without asking me ).

I wonder if there is a way to track what programs are doing Javascipt calls? Off to the internet!

If everything is backed up and safe, have you considered just nuking it and reinstalling Windows? It's a hassle, but it isn't that much more effort than what you are already doing, and it is the closest thing to a guarantee you can get that it's gone.

It also solves the potential future issue of compromised or corrupted files creating technical problems.

And, of course, if you used a USB stick for moving files, doing backups, you should scan it and make sure that any malware didn't infect the USB stick. That's another fun attack vector!

[Kasey Chang]

Looks like MalwareBytes just blocked traffic to a weird IP address for you. It's traced to a "risky" ISP in UK called "Daniel Jackson".

Which is likely a proxy to forward the IP somewhere else, but then, what's what con-ip.com is: a DNS redirector (points you somewhere else). It appears to be hosted in Spain as it referenced Spanish laws and half the site was written in Spanish.

Something was loaded into your registry autorun every few minutes to try a different address (or same address).

If you are serious about tracking this down, you may need Microsoft PowerToys Process Explorer and Process Monitor

https://docs.microsoft.com/en-us/sysint ... s-explorer

https://docs.microsoft.com/en-us/sysint ... ds/procmon

Basically, use Procmon to figure out who's calling the JSC.exe, and/or use Process Explorer to find it

Another possibility is to use Autoruns to figure out what had been added that calls the JSC

https://docs.microsoft.com/en-us/sysint ... s/autoruns

I personally doubt this malware is messing with your computer that much. I think it's a trojan that wants to download additional malware to your system and that's been blocked. I recommend downloading those system tools on USB stick and keep your system off the Internet until you figure it out.

[Daehawk]

Didn't this just happened recently?

[jztemple2]

Looks like MalwareBytes just blocked traffic to a weird IP address for you. It's traced to a "risky" ISP in UK called "Daniel Jackson".

Which is likely a proxy to forward the IP somewhere else, but then, what's what con-ip.com is: a DNS redirector (points you somewhere else). It appears to be hosted in Spain as it referenced Spanish laws and half the site was written in Spanish.

Something was loaded into your registry autorun every few minutes to try a different address (or same address).

If you are serious about tracking this down, you may need Microsoft PowerToys Process Explorer and Process Monitor

https://docs.microsoft.com/en-us/sysint ... s-explorer

https://docs.microsoft.com/en-us/sysint ... ds/procmon

Basically, use Procmon to figure out who's calling the JSC.exe, and/or use Process Explorer to find it

Another possibility is to use Autoruns to figure out what had been added that calls the JSC

https://docs.microsoft.com/en-us/sysint ... s/autoruns

I personally doubt this malware is messing with your computer that much. I think it's a trojan that wants to download additional malware to your system and that's been blocked. I recommend downloading those system tools on USB stick and keep your system off the Internet until you figure it out.

Thanks for those recommendations! Those will be good tools for the toolbox. As it is, RogueKiller (or RougeKiller for those who remember an earlier thread ) did finally come through, although it was on the third time I did a scan with it.


The folder that had that .vbs file also had several others which I assume were associated with the malicious Javascript calls. I deleted the whole folder and that ended the trojan website calls.

I did have this dialog box come up a couple of times, but after that it stopped as well.


Since then no more malicious web connecting. So everything seems to be fine and I appreciate all the help everyone has given. OOer's are the best in a crisis!

Now I'm just dealing with a minor issue on her machine that came up a week or so ago. I have had the machine power manager set to put her rig to sleep after twenty minutes, same with the monitor. Been working just fine for a couple of years. Now, suspiciously after the last Windows update, the machine has been randomly waking up, but not often enough for me to figure out a pattern. It's such a minor issue that I've not bothered dealing with it for the time being, but I'll do some research on it eventually. My wife isn't bothered by it, she'd rather have the thing on twenty-four hours a day anyway

[Daehawk]

Mine runs 24/7...this one 11 years now.

[Kasey Chang]

Since then no more malicious web connecting.

Yeah, sounds like you caught it in time.

Consider disabling WSH to block this type of errors altogether via a simple regedit of policies.

https://www.ryadel.com/en/disable-windo ... s-malware/

[naednek]

My wife clicked on an attachment to our Spectrum bill, only it turned out not to be the Spectrum bill, it was bad stuff. I've deleted the email and the attachment, which was an iso, but now I'm getting this pop-up from Malwarebytes every minute. I've also deleted a .vbs file which I found in her Documents folder. I've tried deleting that jsc.exe file but I'm blocked because I don't have permissions from "TrustedInstaller".

I'm rather at a loss at what to do next. That Malwarebytes pop-up comes up now several times a minute and I can't seem to find a setting in Malwarebytes to tell it to stop telling me and just do something about it.

I would strongly recommend using the free TronScript (and reading through the linked documentation), as previously mentioned here:

In terms of getting a poorly-running and/or compromised Windows PC back to functionality, TronScript will likely prove to be more effective.

Here's a tutorial video that walks you through how to use it:

from my experience with Tron, it was cool how it's implemented. It didn't fix anything for me. I had to reformat after running the tool twice.

[Anonymous Bosch]

My wife clicked on an attachment to our Spectrum bill, only it turned out not to be the Spectrum bill, it was bad stuff. I've deleted the email and the attachment, which was an iso, but now I'm getting this pop-up from Malwarebytes every minute. I've also deleted a .vbs file which I found in her Documents folder. I've tried deleting that jsc.exe file but I'm blocked because I don't have permissions from "TrustedInstaller".

I'm rather at a loss at what to do next. That Malwarebytes pop-up comes up now several times a minute and I can't seem to find a setting in Malwarebytes to tell it to stop telling me and just do something about it.

I would strongly recommend using the free TronScript (and reading through the linked documentation), as previously mentioned here:

In terms of getting a poorly-running and/or compromised Windows PC back to functionality, TronScript will likely prove to be more effective.

Here's a tutorial video that walks you through how to use it:

from my experience with Tron, it was cool how it's implemented. It didn't fix anything for me. I had to reformat after running the tool twice.

Realistically, short of reformatting and performing a full Windows reinstallation, there is no miracle panacea that will necessarily cure every compromised Windows PC, as the TronScript documentation accurately observes:

Fair Warning

Attempting to clean/fix a PC (with Tron or any other tool) that's been compromised by malware and such can result in partially or completely disabling that PC, and can require a full reinstallation of Windows to restore full functionality. This isn't a "Tron issue", this is just how PCs are. Before you run Tron, be aware that the act of cleaning/repairing your PC can inadvertently disable your PC or adversely affect your data in the process. Your system may or may not be repairable; your data may or may not be recoverable. If you choose to run Tron anyway you must be prepared for the possibility of reformatting the hard drive, reinstalling Windows, and recovering your data from a backup.

General Info

Tron is a collection of programs, tools, utilities, and Windows functions that are scripted together. It is designed to remove malware and bloatware, repair damaged operating systems, update old versions of very common applications, free up drive space by clearing out caches, and more. By consolidating and automating these tasks into a single execution it saves a lot of time and makes the whole process a more efficient.

Tron is not intended to be run on a machine that is already running properly and/or just had a clean OS install done to it. Tron's intended goal is to take a badly-running Windows PC (bloated, infected with malware, neglected, etc) and automate about 85% of the work involved in getting it to run well again. There is nothing Tron does which you couldn't do on your own without it. Tron's real power is in its automation and the breadth of tools that it uses to achieve its intended goal.

While Tron can do a lot of good things for an affected PC, it is important to know that Tron is not a miracle cure-all.

…

Common Questions (Troubleshooting)

I ran Tron but my problem is still happening. Why didn't Tron fix it?

If you're still having an issue after Tron, it may fall into the ~15% of things Tron can't fix automatically.

That being said, while YMMV, in my experience TronScript has proven remarkably effective in restoring poorly-running and/or compromised Windows PCs back to functionality, especially in comparison to solely scanning with Malwarebytes.

[jztemple2]

Since then no more malicious web connecting.

Yeah, sounds like you caught it in time.

Consider disabling WSH to block this type of errors altogether via a simple regedit of policies.

https://www.ryadel.com/en/disable-windo ... s-malware/

Wow, that's some great stuff there, just the thing to fix on her machine. Thanks Kasey