JS:Stealer-J [TR)] - Windows

Status
Not open for further replies.

archaon1

New Member
Thread author
Mar 5, 2023
5
Hello,


I got a trojan named JS:Stealer and i would like to get rid of it.
Can you help me ?


I think that i got it from this download: https://gsTWOus.com/games/lord-of-the-rings-war-in-the-north-free-download/
Be careful: here is the avast warning when you click on this url.
If you really want to click on this URL, you have to change the gsTWOus by gs2us.

1678018186-0-avast-war.jpg



This trojan tries to connect from my pc to an URL but it's blocked by avast.

1678017159-0-avast.jpg


Avast didn't find anything during the scan.


Here are the results from the different scan:

Adwcleaner - The quarantine doesn't work for the PreInstalled.LenovoIMController.
It shows up again at each scan.
1678018022-2-adwcleaner.jpg



Hitman Pro:

1678018020-3-hitman-pro.jpg


Malwarebytes:
The quarantine doesn't work for them.
They show up again at each scan.

1678018023-4-malwarebytes.jpg



ESET Online Scanner:

1678018022-5-eset-online-scanner.jpg


But even with multiple scan for each of them, they can't get rid of the trojan.

Still, because the ESET found something here and because i don't recognize those authorizations, i think that the trojan is located here.

1678018024-5-service-state.jpg


But i can't access to this file because it's attributed to the system.
I need the total control, which i don't have as an administrator.
May be someone knows how to do it ?




If needed, here are some screenshots from TCPview:

At 12h 18min 52sec, there was Avast who blocked the trojan.
The TCP just after:

1678017324-1-tcp-1-12h18m52s-juste-apres-alerte-avast.jpg


1min after:

1678017469-1-tcp-1-12h18m52s-un-peu-apres-l-alerte-avast.jpg



Since the trojan is often trying to reach some URL when i start chrome, here is the TCP when i just opened chrome (Avast did not blocked any trojan behavior this time)
1678017332-1-tcp-3-quand-j-ouvre-chrome.jpg

Here is the TCPview when i close chrome. One is still active nonetheless.
1678017330-1-tcp-4-il-reste-apres-la-fermeture-chrome.jpg




And here is the TCPview when i watch a single youtube video.


1678017815-1-tcp-5-en-plein-visionnage-d-une-video-youtube.jpg



Thank you for your attention,
Michael
 

nasdaq

Moderator
Verified
Staff Member
Nov 5, 2019
1,425
Hello, Welcome to MalwareTips.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download Malwarebytes Anti-Malware from Malwarebytes or
from BleepingComputer


Right-click on the MBAM icon and select Run as administrator to run the tool.
Click Yes to accept any security warnings that may appear.
Once the MBAM dashboard opens, on the right detail pane click on the word "Current" under the Scan Status to update the tool database.
On the left menu pane click the Settings tab, and then select the Protection tab on the top.
Under the Scan Options, turn on the button Scan for rootkits and Scan within archives.
Click the Scan tab on the right detail pane, select Threat Scan and click the Start Scan button
Note: The scan may take some time to finish, so please be patient.
If potential threats are detected, ensure to check mark all the listed items, and click the Quarantine Selected button.
While still on the Scan tab, click the View Report button, and in the window that opens click the Export button, select Text file (*.txt), and save the log to your Desktop.
The log can also be viewed by clicking the log to select it, then clicking the View Report button.

Please post the log for my review.

Note: If asked to restart the computer, please do so immediately.
===

Please download AdwCleaner by Malwarebytes your Desktop.

Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click the Scan button and wait for the process to complete.
Click the LogFile button and the report will open in Notepad.

IMPORTANT

If you click the Clean button all items listed in the report will be removed.

If you find some false positive items or programs that you wish to keep, Close the AdwCleaner windows.

Close all open programs and internet browsers.
Double click on AdwCleaner.exe to run the tool.
Click the Scan button and wait for the process to complete.
Check off the element(s) you wish to keep.
Click on the Clean button follow the prompts.
A log file will automatically open after the scan has finished.
Please post the content of that log file with your next answer.
You can find the log file at C:\AdwCleanerCx.txt (x is a number).
===

Download the Farbar Recovery Scan Tool (FRST).
Choose the 32 or 64 bit version for your system.
and save it to a folder on your computer's Desktop.
Ensure that you are in an Administrator Account
Double-click to run it. When the tool opens click Yes to disclaimer.
Check the boxes as seen here:
L7kNU5y.jpg

Press Scan button.
It will make a log (FRST.txt) in the same directory the tool is run. Please copy and Attach it to your reply.
The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

Please attach the logs for my review.
How to attach a file to your reply:
In the Reply section in the bottom of the topic Click the "Upload file" button.
Do this for both files. Then press the "Post reply" button.
<<<>>>
Wait for further instructions

p.s.

The Farbar program is updated often.
If it's identified as suspicious by your Anti-Virus program trust it if Downloaded from the link I provided.
You should restore the program from the Quarantine folder.
<<<>>>
 

archaon1

New Member
Thread author
Mar 5, 2023
5
Hello Nasdaq,

Thank you for your help.

Here is the log that you asked for.

Let me know if you need anything else :)

archaon1
 

Attachments

  • AdwCleaner[C12].txt
    2.8 KB · Views: 11
  • archaon1 - Malwarebytes report - 20230305 - 15h38.txt
    2.6 KB · Views: 11
  • Addition.txt
    61.6 KB · Views: 13
  • FRST.txt
    51.3 KB · Views: 14

archaon1

New Member
Thread author
Mar 5, 2023
5
And if it's important: why did i started to scan my pc ?
Because someone took over my facebook's account.
By replacing the password, email and phone number linked to the fb account.
 

nasdaq

Moderator
Verified
Staff Member
Nov 5, 2019
1,425
Hi,

Before starting/running the fixlist.txt attached I suggest you run the Malwarebytes and delele all the item reported.
Restat the computer when completed.

<<<>>>

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt) please post it to your reply.
===

Please post the Fixlog.txt and let me know what problem persists.
<<<>>>

Because someone took over my facebook's account.
By replacing the password, email and phone number linked to the fb account.

Your computer was compromised.
I suggest you change all our passwords on all personal and important links.

How to Create a Strong Password (and Remember It)
 

Attachments

  • Fixlist.txt
    16.1 KB · Views: 17
  • Applause
Reactions: Jack

archaon1

New Member
Thread author
Mar 5, 2023
5
Hi !

It worked :D
Thank you so much !!
Can you explain me what you did, though ?

archaon1
 

Attachments

  • Fixlog1.txt
    477 KB · Views: 18

nasdaq

Moderator
Verified
Staff Member
Nov 5, 2019
1,425
Hi,

I suggest you look at the Comment: lines in the fixlist that explains what is being done.

I will close this topic in 6 days. If any issues please call.
 
Status
Not open for further replies.

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top