Windows Defender detected TrojanClicker:JS/Chroject.A

I recently removed Trojan:Win32/Nymaim, which Windows Defender had detected on a Microsoft Windows 10 system. When Windows Defender detected that malware, it prevented the weekly backup program on the system, the Windows 7 Backup and Restore utility, from completing successfully. After removing that malware, I ran the backup program again, but found that the backup again failed to complete because Windows Defender detected a trojan during the backup operation. This time it was TrojanClicker:JS/Chroject.A.

[Screenshot: Windows Defender detected TrojanClicker:JS/Chroject.A]

The file listed for the detected malware had a 2014 timestamp, as did the directory that contained it, even though backups had been completing successfully for years after that date.

C:\Users\Pamela>dir \Users\Pamela\AppData\LocalLow\EmieSiteList\Jjjfajkuvclm\sgactavacsa\fjfjhwr.js
 Volume in drive C is OS
 Volume Serial Number is 4445-F6ED

 Directory of C:\Users\Pamela\AppData\LocalLow\EmieSiteList\Jjjfajkuvclm\sgactavacsa

11/20/2014  10:27 AM             5,680 fjfjhwr.js
               1 File(s)          5,680 bytes
               0 Dir(s)  849,629,917,184 bytes free

C:\Users\Pamela>dir /ad \Users\Pamela\AppData\LocalLow\EmieSiteList\Jjjfajkuvclm\sgactavacsa
 Volume in drive C is OS
 Volume Serial Number is 4445-F6ED

 Directory of C:\Users\Pamela\AppData\LocalLow\EmieSiteList\Jjjfajkuvclm\sgactavacsa

10/22/2014  02:46 PM    <DIR>          .
10/22/2014  02:46 PM    <DIR>          ..
               0 File(s)              0 bytes
               2 Dir(s)  849,629,913,088 bytes free

C:\Users\Pamela>dir /s \Users\Pamela\AppData\LocalLow\EmieSiteList\Jjjfajkuvclm\sgactavacsa
 Volume in drive C is OS
 Volume Serial Number is 4445-F6ED

 Directory of C:\Users\Pamela\AppData\LocalLow\EmieSiteList\Jjjfajkuvclm\sgactavacsa

10/22/2014  02:46 PM    <DIR>          .
10/22/2014  02:46 PM    <DIR>          ..
11/20/2014  10:27 AM             5,680 fjfjhwr.js
11/20/2014  10:27 AM               194 manifest.json
               2 File(s)          5,874 bytes

     Total Files Listed:
               2 File(s)          5,874 bytes
               2 Dir(s)  849,625,391,104 bytes free

C:\Users\Pamela>

I turned off Windows Defender's real-time protection temporarily so that I could upload the file to the VirusTotal site. When I uploaded the file, which is a JavaScript file, on October 12, 2018, 14 of the 56 antivirus engines the site was using at the time detected it as malware. I had the site reanalyze the file, and VirusTotal again reported that 14 of 56 antivirus engines identified the script as malware (PDF, online). I then saw a similarly named directory on the system and uploaded the .js JavaScript file in that directory to VirusTotal as well. VirusTotal recognized the second file as identical to the one I had uploaded just a few minutes earlier.

C:\Users\Pamela> dir C:\Users\Pamela\AppData\LocalLow\EmieSiteList\Jjjfajkuvclm\tcqayekwzke
 Volume in drive C is OS
 Volume Serial Number is 4445-F6ED

 Directory of C:\Users\Pamela\AppData\LocalLow\EmieSiteList\Jjjfajkuvclm\tcqayekwzke

10/22/2014  02:45 PM    <DIR>          .
10/22/2014  02:45 PM    <DIR>          ..
11/20/2014  10:27 AM             5,680 Dzszqhzx.js
11/20/2014  10:27 AM               195 manifest.json
               2 File(s)          5,875 bytes
               2 Dir(s)  849,596,837,888 bytes free

C:\Users\Pamela>
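Before deleting anything, it is worth recording what was on disk and confirming that the two similarly named directories really hold the same payload. The PowerShell script below is an added example, not code from the original post: it walks the EmieSiteList directory shown in the listings above, computes a SHA-256 hash for every file it finds, groups files by hash so identical copies dropped under different random directory names appear together, and prints Defender's own record of detections under that path. The $Root default is taken from the paths in the post and is an assumption you may need to adjust for another user profile; the Get-MpThreatDetection call needs the Defender PowerShell module that ships with Windows 10.

```powershell
# Added example (not from the original post): triage the EmieSiteList directories
# found on this system without uploading anything. $Root is an assumption based on
# the paths shown in the dir listings; change it to match the profile you are checking.
param(
    [string]$Root = "$env:USERPROFILE\AppData\LocalLow\EmieSiteList"
)

if (-not (Test-Path -LiteralPath $Root)) {
    Write-Host "Path not found: $Root"
    return
}

# Gather every file beneath the root, including hidden ones (-Force).
$files = Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue

$report = foreach ($f in $files) {
    # Real-time protection may deny access to a file it has already flagged,
    # so an unreadable file is reported rather than aborting the whole run.
    try {
        $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
    } catch {
        $hash = "UNREADABLE: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        Sha256   = $hash
        Bytes    = $f.Length
        Created  = $f.CreationTime
        Modified = $f.LastWriteTime
        Path     = $f.FullName
    }
}

# One row per file, sorted so files with the same hash sit next to each other.
$report | Sort-Object Sha256, Path | Format-Table -AutoSize

# Identical payloads dropped under different random directory names share a hash.
"`nFiles that occur more than once (same SHA-256):"
$report | Group-Object Sha256 | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    $_.Name
    $_.Group | ForEach-Object { "    $($_.Path)" }
}

# Defender's own detection history for anything under this path (Defender module).
if (Get-Command Get-MpThreatDetection -ErrorAction SilentlyContinue) {
    "`nWindows Defender detections under $Root:"
    Get-MpThreatDetection |
        Where-Object { $_.Resources -match 'EmieSiteList' } |
        Select-Object InitialDetectionTime, ThreatID, ProcessName, Resources |
        Format-List
}
```

Run it from a PowerShell prompt as the affected user (or pass -Root with another profile's path). The SHA-256 values it prints can be looked up directly in VirusTotal's search box, which avoids both uploading the file and disabling real-time protection to do so; if the two .js files really are the same payload, they will appear under one hash in the duplicate list. Keep the output with the incident notes, since the hashes and timestamps are what let you recognize the same dropper elsewhere later.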

I permanently deleted both directories containing the malicious JavaScript files by right-clicking on them while holding down the Shift key and choosing Delete, which bypasses the Recycle Bin. The directories could be reached by pasting the full directory path into the Windows File Explorer address field. I then ran a custom scan of drive C: with Windows Defender to have it check for any other malware on that drive before I attempted another backup.

A sgactavacsa.zip file containing the malware is available for analysis. Use a user ID of zoo and a password of malware to download the file; downloading it will likely require that any antivirus software on the system receiving the file be temporarily disabled.

Related articles:

  1. Windows Defender detected Trojan:Win32/Nymaim
  2. Turning off Windows Defender Temporarily