[SOLVED] Windows Defender keeps finding odd Trojan after bootup?

liberty610

Distinguished
Oct 31, 2012
442
3
18,815
12
Hello. I am hoping someone can help me out here.

I have a Windows 11 Laptop and Desktop PC that this has been happening to. I am trying to fugure out what was installed on both devices to cause this, as they are both identical in what is install as I use them both for production work.

Recently, Windows Defender has been popping up with a find. It is " Trojan: JS/KryptoStealer.GA!MSR"

I says it is installed under c:\users\myusername\\AppData\Local\Microsoft\Windows\NetCahe\IE\6a2NR886\3RGICL2G.htm

It keeps removing it from my desktop and laptop. So far, I have not seen it return on my laptop since doing the latest scan and Windows update, but it came back on my Desktop just this morning. I updating the desktop with the latest windows updates.

So far, the only thing I can think of that may have caused this is an app I have been using for several years called Money Manager EX. It's an offline banking app I use to work out budgets and bills. U updated it recently to the latest version on both devices, but I scanned it prior to installing it and nothing came back. So I am wondering if I got it some other way.

I have the latest updates to Malware Bytes free edition, and it doesn't seem to find anything in it's scans.

Any thoughts or suggestions on this? Thanks in advance for any help.
 
Oct 31, 2022
1
1
25
1
Hello. I am hoping someone can help me out here.

I have a Windows 11 Laptop and Desktop PC that this has been happening to. I am trying to fugure out what was installed on both devices to cause this, as they are both identical in what is install as I use them both for production work.

Recently, Windows Defender has been popping up with a find. It is " Trojan: JS/KryptoStealer.GA!MSR"

I says it is installed under c:\users\myusername\\AppData\Local\Microsoft\Windows\NetCahe\IE\6a2NR886\3RGICL2G.htm

It keeps removing it from my desktop and laptop. So far, I have not seen it return on my laptop since doing the latest scan and Windows update, but it came back on my Desktop just this morning. I updating the desktop with the latest windows updates.

So far, the only thing I can think of that may have caused this is an app I have been using for several years called Money Manager EX. It's an offline banking app I use to work out budgets and bills. U updated it recently to the latest version on both devices, but I scanned it prior to installing it and nothing came back. So I am wondering if I got it some other way.

I have the latest updates to Malware Bytes free edition, and it doesn't seem to find anything in it's scans.

Any thoughts or suggestions on this? Thanks in advance for any help.

This might be a bit late, but are you using any sidebar like 8gadget with the "Network Meter" from Addgadgets? I had the same thing in the same location pop up on my computer today. I tracked it down to a sidebar app Network Meter that appears to have a bad/old URL that it was trying to grab my IP address from (and subsequently grabbing part of a malicous script from the bad URL). I don't think it actually installed or ran any malicous files/scripts/malware. There was an update to 8gadget pack that seems to fix it.

https://8gadgetpack.net/#Versionhistory

Trojan:JS/KryptoStealer.GA!MSR

https://www.virustotal.com/gui/file/80c1cd75477ce7e89e8d591e6a268cded6524980d9f25b3fbfb25d551c4a1c1b/detection

Please vote on the left side if this helped you so others can find it easier.
 
Last edited:
Reactions: liberty610

liberty610

Distinguished
Oct 31, 2012
442
3
18,815
12
I just rebooted from Windows update. Prior to doing so, I went into the windows defender options and told it to remove the threat instead of allowing it to quarantine it. After doing a reboot, I am no longer seeing it so far, and I am doing a full system scan with defender. so far so good.

These are also the steps I took last night with my laptop. I have booted that up twice and it has not returned. I'll keep monitoring the situation and see if the threat pops back up. If it does, I'll have to wipe out both computers and re-install. I have not made an OS backup. I have everything else backed up on drives and in cloud storage, but I do not have a full system backup.
 

USAFRet

Titan
Moderator
Mar 16, 2013
161,104
13,295
176,090
24,450
I just rebooted from Windows update. Prior to doing so, I went into the windows defender options and told it to remove the threat instead of allowing it to quarantine it. After doing a reboot, I am no longer seeing it so far, and I am doing a full system scan with defender. so far so good.

These are also the steps I took last night with my laptop. I have booted that up twice and it has not returned. I'll keep monitoring the situation and see if the threat pops back up. If it does, I'll have to wipe out both computers and re-install. I have not made an OS backup. I have everything else backed up on drives and in cloud storage, but I do not have a full system backup.
Well, its too late for a full system backup.

If that infection still exists, it would just include the infection as well.
 
Reactions: PEnns
Since all data is backed up just format and reinstall windows. Then restore your data and install your programs and then make a system back up and keep current back ups, so that this is never a problem again

See @USAFRet backup system and follow it. Hopefully he will post the link.
 

liberty610

Distinguished
Oct 31, 2012
442
3
18,815
12
Righto. I know it's too late to do a system back up now. I have never really done a full system back up, because I have all my main data backup to other drives. Most of them kept offline. I usually never have any issues like this. I don't tamper with prirated software. I use a VPN with any of my public connections (even most of the time while at home). Think I'll play it safe and do re-installs. Thanks for the replies.

If anyone has a link to share to do a system backup, I'll be sure to re-install all my apps and settings once Windows is installed, then do the back up before proceeding with other online activities.
 

USAFRet

Titan
Moderator
Mar 16, 2013
161,104
13,295
176,090
24,450
If anyone has a link to share to do a system backup, I'll be sure to re-install all my apps and settings once Windows is installed, then do the back up before proceeding with other online activities.
Macrium Reflect.



And its not just "a backup", but rather an ongoing series, updated regularly.
 

littleben

Distinguished
Mar 7, 2015
18
0
18,510
0
Hi. I've just had the same virus name pop up after boot. Removed the threat it came back once and I've restarted a few times and doesn't seem to be coming back

I'm performing an offline scan of all drives

You guys mention a restore from a full backup but would a system restore point do?

Thanks for any help
 

USAFRet

Titan
Moderator
Mar 16, 2013
161,104
13,295
176,090
24,450
Hi. I've just had the same virus name pop up after boot. Removed the threat it came back once and I've restarted a few times and doesn't seem to be coming back

I'm performing an offline scan of all drives

You guys mention a restore from a full backup but would a system restore point do?

Thanks for any help
A Restore Point may contain that same "virus", depending on when it was made.
 
Oct 31, 2022
1
1
25
1
Hello. I am hoping someone can help me out here.

I have a Windows 11 Laptop and Desktop PC that this has been happening to. I am trying to fugure out what was installed on both devices to cause this, as they are both identical in what is install as I use them both for production work.

Recently, Windows Defender has been popping up with a find. It is " Trojan: JS/KryptoStealer.GA!MSR"

I says it is installed under c:\users\myusername\\AppData\Local\Microsoft\Windows\NetCahe\IE\6a2NR886\3RGICL2G.htm

It keeps removing it from my desktop and laptop. So far, I have not seen it return on my laptop since doing the latest scan and Windows update, but it came back on my Desktop just this morning. I updating the desktop with the latest windows updates.

So far, the only thing I can think of that may have caused this is an app I have been using for several years called Money Manager EX. It's an offline banking app I use to work out budgets and bills. U updated it recently to the latest version on both devices, but I scanned it prior to installing it and nothing came back. So I am wondering if I got it some other way.

I have the latest updates to Malware Bytes free edition, and it doesn't seem to find anything in it's scans.

Any thoughts or suggestions on this? Thanks in advance for any help.

This might be a bit late, but are you using any sidebar like 8gadget with the "Network Meter" from Addgadgets? I had the same thing in the same location pop up on my computer today. I tracked it down to a sidebar app Network Meter that appears to have a bad/old URL that it was trying to grab my IP address from (and subsequently grabbing part of a malicous script from the bad URL). I don't think it actually installed or ran any malicous files/scripts/malware. There was an update to 8gadget pack that seems to fix it.

https://8gadgetpack.net/#Versionhistory

Trojan:JS/KryptoStealer.GA!MSR

https://www.virustotal.com/gui/file/80c1cd75477ce7e89e8d591e6a268cded6524980d9f25b3fbfb25d551c4a1c1b/detection

Please vote on the left side if this helped you so others can find it easier.
 
Last edited:
Reactions: liberty610

Boldimore

Reputable
Apr 28, 2019
2
2
4,510
0
This might be a bit late, but are you using any sidebar like 8gadget with the "Network Meter" from Addgadgets? I had the same thing in the same location pop up on my computer today. I tracked it down to a sidebar app Network Meter that appears to have a bad/old URL that it was trying to grab my IP address from (and subsequently grabbing part of a malicous script from the bad URL). I don't think it actually installed or ran any malicous files/scripts/malware. There was an update to 8gadget pack that seems to fix it.

https://8gadgetpack.net/#Versionhistory

Trojan:JS/KryptoStealer.GA!MSR

https://www.virustotal.com/gui/file/80c1cd75477ce7e89e8d591e6a268cded6524980d9f25b3fbfb25d551c4a1c1b/detection
I am gonna be honest. Your help is 10 hours too late. Wiped my windows to find the same blocked threats continuing. The nuisance of reinstalling everything x.x

I can confirm, this fixed my issue. Installed the newest 8gadgets pack onto my Win11.
I had these threats found for a few months:
Trojan:Script/Wacatac.B!ml
Trojan:JS/KryptoStealer.GA!MSR

TAG: FIX FOR Trojan:Script/Wacatac.B!ml, Trojan:JS/KryptoStealer.GA!MSR popping up, 8 gadgets pack
 
Oct 31, 2022
1
0
10
0
This might be a bit late, but are you using any sidebar like 8gadget with the "Network Meter" from Addgadgets? I had the same thing in the same location pop up on my computer today. I tracked it down to a sidebar app Network Meter that appears to have a bad/old URL that it was trying to grab my IP address from (and subsequently grabbing part of a malicous script from the bad URL). I don't think it actually installed or ran any malicous files/scripts/malware. There was an update to 8gadget pack that seems to fix it.

https://8gadgetpack.net/#Versionhistory

Trojan:JS/KryptoStealer.GA!MSR

https://www.virustotal.com/gui/file/80c1cd75477ce7e89e8d591e6a268cded6524980d9f25b3fbfb25d551c4a1c1b/detection
I'm so glad I read your comment instead of formatting like that other Moderator suggested.
It's a good thing that this is the 2nd Google result when looking for Trojan:JS/KryptoStealer.GA!MSR
 

liberty610

Distinguished
Oct 31, 2012
442
3
18,815
12
This might be a bit late, but are you using any sidebar like 8gadget with the "Network Meter" from Addgadgets? I had the same thing in the same location pop up on my computer today. I tracked it down to a sidebar app Network Meter that appears to have a bad/old URL that it was trying to grab my IP address from (and subsequently grabbing part of a malicous script from the bad URL). I don't think it actually installed or ran any malicous files/scripts/malware. There was an update to 8gadget pack that seems to fix it.

https://8gadgetpack.net/#Versionhistory

Trojan:JS/KryptoStealer.GA!MSR

https://www.virustotal.com/gui/file/80c1cd75477ce7e89e8d591e6a268cded6524980d9f25b3fbfb25d551c4a1c1b/detection
Thank you for the reply. YES. This is something I had installed on my system. It was the gadgets to monitor things. Thank you for replying! I can rest easy now, knowing how it got on my system and that it was not a major issue.

I ended up getting a super cheap 2 year subscription of Bitdefender, and decided NOT to format my pc just yet. The reason why this 'threat' didn't come back on my laptop was because the network meter gadget was not loading properly on one of the boot ups. It was displaying as a purple glitched out box. So I just closed it out and never re-opened it. Hence why Defender stopped seeing it on my laptop, but the desktop kept getting it.

To test the theory that this was causing the threat to pop up, I opened the network gadget on my laprtop, and Bitdefender flagged it as trying to execute a malicious website and blocked it.

I will uninstall the gadgets app and update it to the latest version. THANK YOU SO MUCH FOR THE REPLY!!!! This made my night!
 

ASK THE COMMUNITY

TRENDING THREADS