
Returning Trojan Threat popping up with Windows Defender in Windows 11

Liberty610
Solved by Liberty610 (see the update at the end of the thread).

Hi everyone.

I am having an odd issue. I've been chasing a trojan threat that seems to be changing/popping back up on a regular basis, but it's not being detected with Malwarebytes scans or manual Windows Defender scans. But Windows Defender warns me about it on and off at random times. Every time I remove it, it stays gone for a while, but then randomly comes back at another time. I went a couple of days this time without seeing it, but now it is back. This is happening on both my Windows 11 laptop and my Windows 11 desktop. They are both set up similarly, as I run a small project studio for audio and video work, and this has been an issue on both systems.

The threat pops up as a Trojan. Defender shows it as Trojan:JS/KryptoStealer.GA!MSR

It's always located in the same hidden folder, but the ending of the file is always different.

file: C:\Users\myusername\AppData\Local\Microsoft\Windows\INetCache\IE\ is the location it is always in. The actual file name changes though. The latest one was found just a little bit ago and was listed as this:

file: C:\Users\myusername\AppData\Local\Microsoft\Windows\INetCache\IE\6XDAO3K1\U5O2133D.htm

Other ones have popped up as well, but the file name right before the .htm is always different. The list below shows an example of this.

file: C:\Users\myusername\AppData\Local\Microsoft\Windows\INetCache\IE\6XDAO3K1\U5O2133D.htm

file: C:\Users\myusername\AppData\Local\Microsoft\Windows\INetCache\IE\6ZXV3TKU\R5H1U6Y1.htm

file: C:\Users\myusername\AppData\Local\Microsoft\Windows\INetCache\IE\Q85R5FAZ\DA67D5YO.htm

The only suggestion I have been offered was on another forum, and it was to nuke and pave my system (reinstall Windows). I have a TON of production software with licenses and settings I would rather not un-register and re-install if I can avoid it. I just can't seem to find many details on what I should do.

When I do a Malwarebytes scan on my system, nothing pops up. If I do a full Windows Defender scan after removing the threat, nothing pops up. It seems to come back at random times. Any ideas what is causing this and how I can remove it permanently? Digging into it online a bit, it appears to be a web browser bringing the file in. I use Firefox mostly, but I also use Chrome and Edge for certain tasks. I have used BleachBit to clean out cache and history on all the browsers, but that doesn't seem to help.

Any suggestions would be great. Thanks in advance for any replies.
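Added example (not from the poster or this forum): a triage script that pulls Defender's own detection history and groups the repeat hits by the process that was active at detection time, which is the question the thread is really asking (which program keeps writing these cache files). It assumes an elevated PowerShell session on the affected machine and the built-in Defender cmdlets Get-MpThreat and Get-MpThreatDetection; the property names used are the ones those cmdlets expose, and the threat-name pattern is taken from the post above.

```powershell
# Added example, not code from the original thread. Correlates Windows
# Defender detection history with the process active at each detection so
# the source of a recurring INetCache hit can be identified and fixed.
# Assumes an elevated PowerShell session with the Defender module present.

$threatNamePattern = 'KryptoStealer'   # name shown by Defender in the post

# Build a ThreatID -> ThreatName map from the threats Defender has seen here.
$names = @{}
foreach ($t in Get-MpThreat) { $names[$t.ThreatID] = $t.ThreatName }

# One row per affected resource (file path) for each matching detection.
$hits = Get-MpThreatDetection |
    Where-Object { $names[$_.ThreatID] -match $threatNamePattern } |
    ForEach-Object {
        $det = $_
        foreach ($res in $det.Resources) {
            [pscustomobject]@{
                When    = $det.InitialDetectionTime
                Threat  = $names[$det.ThreatID]
                Process = $det.ProcessName            # process at detection
                Path    = $res -replace '^file:_?', '' # Defender prefixes paths
            }
        }
    } | Sort-Object When

"Matching detections, oldest first:"
$hits | Format-Table When, Process, Path -AutoSize

# The repeat offender is usually obvious here: if a single non-browser
# process accounts for the hits, that program (not the browser whose cache
# folder it reuses) is what to update or remove.
"Detections grouped by process:"
$hits | Group-Object Process | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Recently written .htm entries in the IE cache (hidden folder, hence -Force),
# useful for matching timestamps against when a suspect program last ran.
$cache = Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\INetCache\IE'
Get-ChildItem -Path $cache -Recurse -Force -Filter *.htm -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending |
    Select-Object -First 10 FullName, LastWriteTime
```

If ProcessName comes back as Unknown for every hit, the next step is to note the detection timestamps and compare them with what was launched or scheduled at those times.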


5 minutes ago, Liberty610 said:

Hi everyone.

I am having an odd issue. I've been chasing a trojan threat that seems to be changing/popping back up on a regular basis, but it's not being detected with Malwarebytes scans or manual Windows Defender scans. But Windows Defender warns me about it on and off at random times. Every time I remove it, it stays gone for a while, but then randomly comes back at another time. I went a couple of days this time without seeing it, but now it is back. This is happening on both my Windows 11 laptop and my Windows 11 desktop. They are both set up similarly, as I run a small project studio for audio and video work, and this has been an issue on both systems.

The threat pops up as a Trojan. Defender shows it as Trojan:JS/KryptoStealer.GA!MSR

It's always located in the same hidden folder, but the ending of the file is always different.

file: C:\Users\myusername\AppData\Local\Microsoft\Windows\INetCache\IE\ is the location it is always in. The actual file name changes though. The latest one was found just a little bit ago and was listed as this:

file: C:\Users\myusername\AppData\Local\Microsoft\Windows\INetCache\IE\6XDAO3K1\U5O2133D.htm

Other ones have popped up as well, but the file name right before the .htm is always different. The list below shows an example of this.

file: C:\Users\myusername\AppData\Local\Microsoft\Windows\INetCache\IE\6XDAO3K1\U5O2133D.htm

file: C:\Users\myusername\AppData\Local\Microsoft\Windows\INetCache\IE\6ZXV3TKU\R5H1U6Y1.htm

file: C:\Users\myusername\AppData\Local\Microsoft\Windows\INetCache\IE\Q85R5FAZ\DA67D5YO.htm

The only suggestion I have been offered was on another forum, and it was to nuke and pave my system (reinstall Windows). I have a TON of production software with licenses and settings I would rather not un-register and re-install if I can avoid it. I just can't seem to find many details on what I should do.

When I do a Malwarebytes scan on my system, nothing pops up. If I do a full Windows Defender scan after removing the threat, nothing pops up. It seems to come back at random times. Any ideas what is causing this and how I can remove it permanently? Digging into it online a bit, it appears to be a web browser bringing the file in. I use Firefox mostly, but I also use Chrome and Edge for certain tasks. I have used BleachBit to clean out cache and history on all the browsers, but that doesn't seem to help.

Any suggestions would be great. Thanks in advance for any replies.

Try a web-based scan like Trend Micro's HouseCall, maybe see if you get any different results:
https://www.trendmicro.com/en_us/forHome/products/housecall.html

Pretty sure that directory is the temp cache for IE though. Tried just clearing IE's temp files/cache?


The Bitdefender free version will generally get you squared away. Even though Edge has essentially become knockoff Chrome, unless the application doesn't support Firefox or Chrome I wouldn't use it. Microsoft had their heyday with browsers, and it was a long time ago.


12 minutes ago, PineyCreek said:

Try a web-based scan like Trend Micro's HouseCall, maybe see if you get any different results:
https://www.trendmicro.com/en_us/forHome/products/housecall.html

Pretty sure that directory is the temp cache for IE though. Tried just clearing IE's temp files/cache?

Yes, it appears to be internet browser related, I believe. The more I dig into this online, the more I am seeing suggestions to reset all my browsers to defaults and try from there.

The most recent time this happened, I noticed it popped up after using the Edge browser for a moment. I don't use Edge much, but I do a couple of times a day. So I went ahead and reset all 3 of my browsers. Idk if that will be enough or not. I have been chasing this thing for a good week now. It has been popping up less and less, but I want to know the root cause of it. I have NEVER had issues with malware or viruses on my systems because I don't do a bunch of things that are dubbed risky. So I would like to know the origins of this thing. I can't seem to find many other search results online about this specific one.


1 minute ago, BiotechBen said:

The Bitdefender free version will generally get you squared away. Even though Edge has essentially become knockoff Chrome, unless the application doesn't support Firefox or Chrome I wouldn't use it. Microsoft had their heyday with browsers, and it was a long time ago.

I had Bitdefender free at one point, but then they got rid of the free edition I thought?


2 minutes ago, Liberty610 said:

I had Bitdefender free at one point, but then they got rid of the free edition I thought?

Nope, although honestly, retailers have been running like 24hr fire sales for Bitdefender subscriptions. I recently got mine from Staples, 6 devices, 1 yr for $21 tax included.

If you are US based:

https://www.bestbuy.com/site/bitdefender-total-security-5-device-2-year-subscription-windows-apple-ios-mac-os-android-digital/6395890.p?skuId=6395890&ref=NS&loc=101&ref=212&loc=1&gclid=CjwKCAjw5P2aBhAlEiwAAdY7dLzYWSiKU2GD3AP3rDViNjBXu_niu3hi4TyjuzjNU9rrNNUL8_iLmRoC5V0QAvD_BwE&gclsrc=aw.ds


Don't know if this is you or not, but I found this as well:
https://forums.tomshardware.com/threads/windows-defender-keeps-finding-odd-trojan-after-bootup.3783184/

Edge is the rebranding/remake/remaster/whatever the MS browser is called now, is Chromium-based, and is generally inoffensive, but I'm pretty sure it still uses the old file structures, including referencing IE. Wouldn't be surprised if it's called IE vX.X (Edge) internally. Plenty of corps go through rebrands and keep the same filenames, directory structures, etc. for convenience's sake.


Have you tried ADWCleaner? It tends to pick up browser-based nasties better than antivirus apps, including redirectors, persistent URLs, popups, etc. Worth a try if you still have issues, and it is free.


1 hour ago, BiotechBen said:

Nope, although honestly, retailers have been running like 24hr fire sales for Bitdefender subscriptions. I recently got mine from Staples, 6 devices, 1 yr for $21 tax included.

If you are US based:

https://www.bestbuy.com/site/bitdefender-total-security-5-device-2-year-subscription-windows-apple-ios-mac-os-android-digital/6395890.p?skuId=6395890&ref=NS&loc=101&ref=212&loc=1&gclid=CjwKCAjw5P2aBhAlEiwAAdY7dLzYWSiKU2GD3AP3rDViNjBXu_niu3hi4TyjuzjNU9rrNNUL8_iLmRoC5V0QAvD_BwE&gclsrc=aw.ds

Awesome. I have re-downloaded the free version and logged it into my account I had previously. I am US based, and I will def. check out the deals on it. I think the free will be enough for me, but after this whole ordeal, I may just go with a paid subscription for a while.

1 hour ago, PineyCreek said:

Don't know if this is you or not, but I found this as well:
https://forums.tomshardware.com/threads/windows-defender-keeps-finding-odd-trojan-after-bootup.3783184/

Edge is the rebranding/remake/remaster/whatever the MS browser is called now, is Chromium-based, and is generally inoffensive, but I'm pretty sure it still uses the old file structures, including referencing IE. Wouldn't be surprised if it's called IE vX.X (Edge) internally. Plenty of corps go through rebrands and keep the same filenames, directory structures, etc. for convenience's sake.

Yes, that was me as well. I posted that the other day. Their suggestion was to wipe it out and reinstall Windows, which I have done in the past when there was a recurring issue I couldn't get rid of, but as I stated in my original post, I do a lot of production work where I have license keys tied to my PCs, and it is a HUGE pain in the a$$ to log into my iLok (and other) accounts, un-register them all, re-install Windows, then re-register them, etc.

1 hour ago, DigitalGoat said:

Have you tried ADWCleaner? It tends to pick up browser-based nasties better than antivirus apps, including redirectors, persistent URLs, popups, etc. Worth a try if you still have issues, and it is free.

I have not tried this yet, but came across it as a suggestion a couple other times. I will give this a whirl as well. Thanks!

Thank you for the replies. Much appreciated!


26 minutes ago, Liberty610 said:

Awesome. I have re-downloaded the free version and logged it into my account I had previously. I am US based, and I will def. check out the deals on it. I think the free will be enough for me, but after this whole ordeal, I may just go with a paid subscription for a while.

Yes, that was me as well. I posted that the other day. Their suggestion was to wipe it out and reinstall Windows, which I have done in the past when there was a recurring issue I couldn't get rid of, but as I stated in my original post, I do a lot of production work where I have license keys tied to my PCs, and it is a HUGE pain in the a$$ to log into my iLok (and other) accounts, un-register them all, re-install Windows, then re-register them, etc.

I have not tried this yet, but came across it as a suggestion a couple other times. I will give this a whirl as well. Thanks!

Thank you for the replies. Much appreciated!

I have the exact same problem and would appreciate it if you could let me know if you found a solution to the problem.


4 hours ago, Stollek said:

I have the exact same problem and would appreciate it if you could let me know if you found a solution to the problem.

So far, I can't fully say I was able to get rid of the problem for sure. On my laptop, the problem didn't come back, but on my desktop it did.

I did several things all at once to get a handle on this problem. I don't know what web browser(s) you use, but the first thing I did, which was suggested on a couple of websites, was to reset any of the browsers you use to default settings. This helped other people get rid of similar issues they were having. I use a mix of Firefox, Edge, and Chrome, depending on what tasks I'm doing, so I ended up resetting all of them.

After I did that, I installed Bitdefender (free version). I don't know if it would have seen this Trojan or not, as every time Defender found it, it would remove it. So now that Bitdefender is my main anti-virus, I'm now hoping it keeps this from happening again.

From what I've read, this is browser based, as it is getting stored in an internet/online type cache. I really don't know for sure where it came from, but I have not been able to find much about this exact issue online. I am, however, getting other people replying to me on other forums about it, just like you have here, saying they have the same issue.

Try resetting all your browsers to default settings. I would also try using BleachBit and clearing out the cookies, history, temp files, etc. But use it with caution. If you don't know what you're doing with it, you can delete things you don't want to delete.


52 minutes ago, Liberty610 said:

So far, I can't fully say I was able to get rid of the problem for sure. On my laptop, the problem didn't come back, but on my desktop it did.

I did several things all at once to get a handle on this problem. I don't know what web browser(s) you use, but the first thing I did, which was suggested on a couple of websites, was to reset any of the browsers you use to default settings. This helped other people get rid of similar issues they were having. I use a mix of Firefox, Edge, and Chrome, depending on what tasks I'm doing, so I ended up resetting all of them.

After I did that, I installed Bitdefender (free version). I don't know if it would have seen this Trojan or not, as every time Defender found it, it would remove it. So now that Bitdefender is my main anti-virus, I'm now hoping it keeps this from happening again.

From what I've read, this is browser based, as it is getting stored in an internet/online type cache. I really don't know for sure where it came from, but I have not been able to find much about this exact issue online. I am, however, getting other people replying to me on other forums about it, just like you have here, saying they have the same issue.

Try resetting all your browsers to default settings. I would also try using BleachBit and clearing out the cookies, history, temp files, etc. But use it with caution. If you don't know what you're doing with it, you can delete things you don't want to delete.

Thanks for your reply. Appreciate it.

I use only Firefox. And I wiped my system as of this morning. Just to be sure.

I am curious if this type of trojan or virus or whatever is still around on my other drives. Therefore I will just try the tools that are mentioned in this thread. Thanks for that too, folks.

I am also very interested in where this crap comes from and why there is so little information on the Web.

Anyway, thanks a lot.


46 minutes ago, Stollek said:

Thanks for your reply. Appreciate it.

I use only Firefox. And I wiped my system as of this morning. Just to be sure.

I am curious if this type of trojan or virus or whatever is still around on my other drives. Therefore I will just try the tools that are mentioned in this thread. Thanks for that too, folks.

I am also very interested in where this crap comes from and why there is so little information on the Web.

Anyway, thanks a lot.

I too am wondering how I got this. I don't visit dodgy sites, and I don't do pirated software. I don't click on links in emails ever, even if I pretty much know it's a legit email.

I've always been super cautious, so I never really used anything outside Windows Defender with the exception of Bitdefender. It was free forever, then they took the free option away, then brought it back apparently. But I went ahead and grabbed the full security pack for 2 years/5 devices for $30 on Best Buy.

The only thing I can think of that may have brought this weird thing into the fold is I went to one of those websites that allows you to paste a YouTube link into it so you can download an offline MP4 version of the video. Other than that, I have no idea where this thing came from.


19 hours ago, PineyCreek said:

Don't know if this is you or not, but I found this as well:
https://forums.tomshardware.com/threads/windows-defender-keeps-finding-odd-trojan-after-bootup.3783184/

Edge is the rebranding/remake/remaster/whatever the MS browser is called now, is Chromium-based, and is generally inoffensive, but I'm pretty sure it still uses the old file structures, including referencing IE. Wouldn't be surprised if it's called IE vX.X (Edge) internally. Plenty of corps go through rebrands and keep the same filenames, directory structures, etc. for convenience's sake.


Okay guys, UPDATE in case others have this same issue as I did. On the Tom's Hardware forum thread linked in the reply here (that was also me), someone found the cause of the issue. I have the Gadget8pack installed on my systems. It's the old-school sidebar Windows gadgets that allow you to monitor things and have gadgets on your desktop. The network monitoring gadget was hitting an outdated site that was trying to pull a script with it. I have attached a screenshot of the reply from the person who found the issue.

There is an updated version of the gadgets app, and it apparently has solved the issue.

You can also hit up the forum thread directly here at this link and read the full response:

https://forums.tomshardware.com/threads/windows-defender-keeps-finding-odd-trojan-after-bootup.3783184/#post-22841824

[Attached screenshot: Image2.jpg]
