I recently removed Trojan:Win32/Nymaim, which was detected by Windows Defender on a Microsoft Windows 10 system. When Windows Defender detected that malware, it prevented the weekly backup program on the system, which was the Windows 7 backup and restore utility, from completing successfully. After removing that malware, I ran the backup program again, but I found that again the backup program did not complete successfully due to Windows detecting a trojan during the backup operation. This time it was TrojanClicker:JS/Chroject.A.
The file listed for the detected malware had a timestamp of 2014, as did the directory it was located in, though backups had been running successfully for years after that date.
C:\Users\Pamela>dir \Users\Pamela\AppData\LocalLow\EmieSiteList\Jjjfajkuvclm\sgactavacsa\fjfjhwr.js
 Volume in drive C is OS
 Volume Serial Number is 4445-F6ED

 Directory of C:\Users\Pamela\AppData\LocalLow\EmieSiteList\Jjjfajkuvclm\sgactavacsa

11/20/2014  10:27 AM             5,680 fjfjhwr.js
               1 File(s)          5,680 bytes
               0 Dir(s)  849,629,917,184 bytes free

C:\Users\Pamela>dir /ad \Users\Pamela\AppData\LocalLow\EmieSiteList\Jjjfajkuvclm\sgactavacsa
 Volume in drive C is OS
 Volume Serial Number is 4445-F6ED

 Directory of C:\Users\Pamela\AppData\LocalLow\EmieSiteList\Jjjfajkuvclm\sgactavacsa

10/22/2014  02:46 PM    <DIR>          .
10/22/2014  02:46 PM    <DIR>          ..
               0 File(s)              0 bytes
               2 Dir(s)  849,629,913,088 bytes free

C:\Users\Pamela>dir /s \Users\Pamela\AppData\LocalLow\EmieSiteList\Jjjfajkuvclm\sgactavacsa
 Volume in drive C is OS
 Volume Serial Number is 4445-F6ED

 Directory of C:\Users\Pamela\AppData\LocalLow\EmieSiteList\Jjjfajkuvclm\sgactavacsa

10/22/2014  02:46 PM    <DIR>          .
10/22/2014  02:46 PM    <DIR>          ..
11/20/2014  10:27 AM             5,680 fjfjhwr.js
11/20/2014  10:27 AM               194 manifest.json
               2 File(s)          5,874 bytes

     Total Files Listed:
               2 File(s)          5,874 bytes
               2 Dir(s)  849,625,391,104 bytes free

C:\Users\Pamela>
I turned off Windows Defender's real-time protection temporarily so I could upload the file to the VirusTotal site. I found that 14 of the 56 antivirus programs the site was using when the file was uploaded on October 12, 2018 detected the file, which is a JavaScript file, as malware. I had the site reanalyze the file, and VirusTotal again reported that 14 of 56 antivirus programs identified the script as malware (PDF, online). I saw a similarly named directory on the system and uploaded the .js JavaScript file in that directory to VirusTotal as well. VirusTotal reported it as the same file I had uploaded just a few minutes earlier.
C:\Users\Pamela>dir C:\Users\Pamela\AppData\LocalLow\EmieSiteList\Jjjfajkuvclm\tcqayekwzke
 Volume in drive C is OS
 Volume Serial Number is 4445-F6ED

 Directory of C:\Users\Pamela\AppData\LocalLow\EmieSiteList\Jjjfajkuvclm\tcqayekwzke

10/22/2014  02:45 PM    <DIR>          .
10/22/2014  02:45 PM    <DIR>          ..
11/20/2014  10:27 AM             5,680 Dzszqhzx.js
11/20/2014  10:27 AM               195 manifest.json
               2 File(s)          5,875 bytes
               2 Dir(s)  849,596,837,888 bytes free

C:\Users\Pamela>
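As an added example (not code from the original post), the PowerShell triage script below enumerates the same EmieSiteList location under each user profile, lists every .js file with its size and timestamps, notes whether a manifest.json sits beside it as in the listings above, and computes a SHA-256 hash that can be searched on VirusTotal without uploading the file, so real-time protection does not have to be switched off. The profile root (C:\Users) is an assumption; the script only reports and deletes nothing.

```powershell
# Added triage helper (not from the original post). Reports every .js file
# under <profile>\AppData\LocalLow\EmieSiteList with timestamps, a flag for
# an adjacent manifest.json, and a SHA-256 that can be looked up on
# VirusTotal instead of uploading the file. Nothing is modified or deleted.
param(
    [string]$Root = 'C:\Users'   # assumption: default profile root
)

function Get-EmieSiteListScripts {
    param([string]$ProfileRoot)

    # One EmieSiteList directory per user profile; skip profiles without it.
    $targets = Get-ChildItem -Path $ProfileRoot -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { Join-Path $_.FullName 'AppData\LocalLow\EmieSiteList' } |
        Where-Object { Test-Path -LiteralPath $_ }

    foreach ($dir in $targets) {
        # -Force includes hidden files; -Recurse walks the random-named subfolders.
        Get-ChildItem -LiteralPath $dir -Recurse -File -Filter '*.js' -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $manifest = Join-Path $_.DirectoryName 'manifest.json'
                [pscustomobject]@{
                    Path        = $_.FullName
                    SizeBytes   = $_.Length
                    Created     = $_.CreationTime
                    LastWrite   = $_.LastWriteTime
                    HasManifest = Test-Path -LiteralPath $manifest
                    # VirusTotal indexes files by hash; paste this value into the
                    # site's search box to see prior analysis results.
                    Sha256      = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            }
    }
}

$findings = Get-EmieSiteListScripts -ProfileRoot $Root
if (-not $findings) {
    Write-Output "No .js files found under any EmieSiteList directory beneath $Root."
} else {
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell prompt so that other users' profile directories are readable; a 2014 timestamp on a file inside a directory created the same year, as seen above, is worth comparing against when the system was last known clean.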
I permanently deleted both directories containing the malevolent JavaScript files by right-clicking on them while holding down the Shift key and choosing Delete. I was able to view the directories by entering the full directory path in the Windows File Explorer directory field. I then ran a custom scan on drive C: with Windows Defender to have it check for any other malware on that drive before I attempted another backup.
A sgactavacsa.zip file containing the malware is available for analysis. Use a userid of zoo and a password of malware to download the file, which will likely require that any antivirus software on the system to which the file is being downloaded be temporarily disabled.