"You are 78% there" malware hijack - solved, but from where did it come?

antspants · Mar 5, 2026

Yeah, some things are obvious, even to the OP.

You didn’t happen to note the info Malwarebytes gave?

pseymour · Mar 5, 2026

I’m as sharp as a wooden spoon.

Marie SWE · Mar 5, 2026

If it was the domain in the first post, its kind of fun going to it with Linux and cut just after the /qr/ I get redirected to Microsoft.
So is Microsoft the malware.

*LOL*

Jokes aside..

I'm at the wrong computer right now so i cant easy fake a win11/edge header to see if it does something else then just sending me to MS.. If you skip the /qr/ and just go on the domain it gives a 403 page.
The server is behind cloudflare so an classic nmap scan fails.. to many fingerprints on the domain and IP.
I found an disposal email address principaltomato virgilian com .. I found a name highly likely fake.. Beverly Smith... the dns servers was named kayden and rachel.
The person behind the domain have used publicdomainregistry com to register the domain. The domain in the first post was last changed 2 days ago

As for how the computer got infected. Its hundreds of ways.. social engendering is most common.. You get an e-mail, or visit a webpage with bad code, or fallen for a fake captcha.. or ended up on a 1-click exploit. etc etc etc.....
If you are lucky you can see when the bad files was created on your computer and then see in your logs what you did on that time, maybe browser history around that time... and so on.

glasskuter · Mar 6, 2026

I'm a "better safe than sorry" gal. I would wipe that drive and restore a known good image or clean install PDQ.

112022 · Mar 6, 2026

Marie SWE said:
If it was the domain in the first post, its kind of fun going to it with Linux and cut just after the /qr/ I get redirected to Microsoft.
So is Microsoft the malware. *LOL*

Important point, that the domain was msupdateservice.info - which did not strike me as a legitimate site, and I was right. The fact that it was telling me I needed the Authenticator app, which I already had on my phone, and was asking me to download the app from a website rather than the google play store on my Android phone was also concerning.

andrew129260 · Mar 6, 2026

antspants said:
You didn’t happen to note the info Malwarebytes gave?

Noting the things found under the history section of malwarebytes would help greatly here determining what it was.

I have seen bad ads cause this behavior in a browser, it launches full screen then shows this.

Usually alt + F4 will close it and then you can simply navigate away with no actual infection typically occurring.

But the fact that threats were found is much more interesting. As everyone already suggested, I would wipe the pc and restore from your latest backup.

Alternatively, If you pay for malwarebytes you can contact them and their support will help ensure your machine is clean.

You could also reach out to the folks at bleeping computer to see if they find any leftover infections.

sgayres · Mar 6, 2026

112022 said:
Important point, that the domain was msupdateservice.info - which did not strike me as a legitimate site, and I was right. The fact that it was telling me I needed the Authenticator app, which I already had on my phone, and was asking me to download the app from a website rather than the google play store on my Android phone was also concerning.

This is another example of scammers creating new ways to scam - this one seeming to look official and presenting to the user to mess with an "authenticator app" which most people do not understand to begin with taking advantage of new security products being pushed by legitimate apps that the user may have come across.

I am at a loss at how the initial file got on your PC - maybe some convincing trick.

In the past, someone would receive an email from a seemingly legit sender (UPS, FedEx, IRS) with a "report" attached. Often it would be a zipped file containing what looked like a PDF file with an Adobe-like graphoc but it was not a PDF but instead a scr (script). The person would try to read the "report" agree to the User Account Control (UAC) message but instead of a "report" the program would run the script that would begin to encrypt their user data like Word documents, Excel sheets, PDF files, etc. Inside every directory this data encryption took place was an instruction on how to pay the crooks to decrypt the data. CryptoLocker, CTB-Locker were a couple of names I remember. I had some customers fall for this.

What you have (had) is something I have not yet encountered exactly. The initial exe extracted the program somewhere that is allowed like in your AppData Temp directories to be run at login. That image file with the 78% thing on it would be extracted in the same place. A delay occurred and then the image popped up. Since it seems to pint to a dead end, it also could be something old that no longer serves a purpose to its creators, no longer working as intended. Short lived.

I've seen something similar that phones home when the user logs into Windows. Before I wiped her computer, I copied the image that was used to block her system from whoever was trying to remote back in. It looked rudimentary and comical to me but to her, it looked like something legit. I hit Ctrl-Alt-Delete to access Task Manager so I could close it and I realized it was a backdrop and I was fighting for control with an intruder who was able to log in. When I caught him, he was trying to use the Ctrl-Alt-Screen to change her password. we went back and forth for a few minutes until I finally gave up the jousting battle, unplugged and made the decision to wipe and reinstall.

112022 · Mar 6, 2026

For what it's worth, I am attaching the only malwarebytes scans done in 2026 to have found anything. One is from March 2, one from March 5, the day the problem appeared, one from this morning.

sgayres · Mar 6, 2026

Ahhh.... so you have probably seen it..

Process: 1
Backdoor.RemoteAccessTrojan, C:\PROGRAMDATA\PATCHDIRSEC\CLIENT32.EXE, Quarantined, 6191, 1377722, 1.0.107762, , ame, , EE75B57B9300AAB96530503BFAE8A2F2, 06A0A243811E9C4738A9D413597659CA8D07B00F640B74ADC9CB351C179B3268

The file is "Client.32" and was deposited into C: ProgramData \ Patchdirsec. MB has detected that it was a "Remote Access Trojan" probably similar to what my customer above had. And the 78% "almost there" image was probably a backdrop curtain like I said. Whether someone DID actually suceed in accessing your computer remotely without your knowledge depends on if a scammer was monitoring to see if your system went online after it was "infected".

I would be interested to see if the Patchdirsec folder in AppData is still there and what Malwarebytes left in it. I'm guessing the wallpaper jpg might still be there. To view the AppData folder and its contents you need to unhide hidden items. On Windows 11, open File Explorer, click View, hover over Show and put a check in front of Hidden Items.

If the jpg or png "wallpaper image" is still there, I sure would like to have it for my collection. :)

Bree · Mar 6, 2026

Marie SWE said:
I found an disposal email address principaltomato virgilian com .. I found a name highly likely fake.. Beverly Smith... the dns servers was named kayden and rachel.
The person behind the domain have used publicdomainregistry com to register the domain. The domain in the first post was last changed 2 days ago

The QR code in the Reddit example in post #11 points to the same msupdateservice.info domain, Whois says it was first registered by Beverly on 20 Jan 2026. Beverly's Washington address is a leafy residential suburb.

Marie SWE · Mar 6, 2026

112022 said:
Important point, that the domain was msupdateservice.info - which did not strike me as a legitimate site, and I was right. The fact that it was telling me I needed the Authenticator app, which I already had on my phone, and was asking me to download the app from a website rather than the google play store on my Android phone was also concerning.

I totally understand you got suspicious.

I just dived in to it as i got curious. I collected virus and malware in the past as people collect stamps.

And my joke about MS being the malware might have been less fun, but i joke about MS being a malware now and then.

So the first trace you have is on March 2nd.. Then you can trace back in the windows logs and browser history to see when you might have picked it up.

I have a thumb rule.. Never trust a computer that have been infected.
So i think you should consider to back up all your personal files and then wipe and reinstall your computer.
Even if its only local malware, i would scan all devices in your network.... just as a safety measure. No more, no less.

Marie SWE · Mar 6, 2026

Bree said:
The QR code in the Reddit example in post #11 points to the same msupdateservice.info domain, Whois says it was first registered by Beverly on 20 Jan 2026. Beverly's Washington address is a leafy residential suburb.

Hi

Fun to run in to you in this kind of threads.

Okay, i have not looked on Reddit what they have written in there. But yes it was created then.

I have a feeling this Beverly isn't the person to lynch for this though.

pseymour · Mar 6, 2026

There used to be a Beverly Harrison at Microsoft Research! Coincidence?! Yeah, probably.

Borg 386 · Mar 6, 2026

Suggest you run these 2 programs to try & stop the process that might still be running in the background. Better safe then sorry. Some viruses/malware don't go away easily.

The 1st is in older one but is highly effective, I've used it many times cleaning peoples PC's/Lappys.

Download RKill

RKill is a program that was developed at BleepingComputer.com that attempts to terminate known malware processes so that your normal security software can then run and clean your computer of infections. When RKill runs it will kill malware processes and then removes incorrect executable...

www.bleepingcomputer.com

NOTE:
As RKill only terminates a program's running process, and does not delete any files, after running it you should not reboot your computer as any malware processes that are configured to start automatically will just be started again. Instead, after running RKill you should immediately scan your computer using some sort of anti-malware or anti-virus program so that the infections can be properly removed.

Below are a list of RKill download links using different filenames. We offer RKill under different filenames because some malware will not allow processes to run unless they have a certain filename. Therefore when attempting to run RKill, if a malware terminates it please try a different filename offered below.

You may wish to give this one a try as well. I don't have much experience with this one but it has been effective in finding hidden processes.

Download RogueKiller

RogueKiller is a security tool that can be used to terminate and remove malicious processes and programs from your computer. RogueKiller has the ability to remove infections such as ZeroAccess, TDSS, rogue anti-spyware programs, and Ransomwares.

www.bleepingcomputer.com

112022 · Mar 6, 2026

sgayres said:
Ahhh.... so you have probably seen it..

The file is "Client.32" and was deposited into C: ProgramData \ Patchdirsec. MB has detected that it was a "Remote Access Trojan" probably similar to what my customer above had. And the 78% "almost there" image was probably a backdrop curtain like I said. Whether someone DID actually suceed in accessing your computer remotely without your knowledge depends on if a scammer was monitoring to see if your system went online after it was "infected".

I would be interested to see if the Patchdirsec folder in AppData is still there and what Malwarebytes left in it. I'm guessing the wallpaper jpg might still be there. To view the AppData folder and its contents you need to unhide hidden items. On Windows 11, open File Explorer, click View, hover over Show and put a check in front of Hidden Items.

If the jpg or png "wallpaper image" is still there, I sure would like to have it for my collection. :)

Good call. Yes, there is a patchdirsec folder, and it contained client.32, although no wallpaper.jpg that I could find.

Running malwarebytes again found these items:

Malwarebytes
www.malwarebytes.com

-Scan Details-
Process: 1
Backdoor.RemoteAccessTrojan, C:\PROGRAMDATA\PATCHDIRSEC\CLIENT32.EXE, Quarantined, 6181, 1377722, 1.0.107866, , ame, , EE75B57B9300AAB96530503BFAE8A2F2, 06A0A243811E9C4738A9D413597659CA8D07B00F640B74ADC9CB351C179B3268

Module: 1
Backdoor.RemoteAccessTrojan, C:\PROGRAMDATA\PATCHDIRSEC\CLIENT32.EXE, Quarantined, 6181, 1377722, 1.0.107866, , ame, , EE75B57B9300AAB96530503BFAE8A2F2, 06A0A243811E9C4738A9D413597659CA8D07B00F640B74ADC9CB351C179B3268

File: 1
Backdoor.RemoteAccessTrojan, C:\PROGRAMDATA\PATCHDIRSEC\CLIENT32.EXE, Quarantined, 6181, 1377722, 1.0.107866, , ame, , EE75B57B9300AAB96530503BFAE8A2F2, 06A0A243811E9C4738A9D413597659CA8D07B00F640B74ADC9CB351C179B3268

(end)

sgayres · Mar 6, 2026

112022 said:
Good call. Yes, there is a patchdirsec folder, and it contained client.32, although no wallpaper.jpg that I could find.

Running malwarebytes again found these items:

So the client32.exe seems to be regenerating at the command of something else. I've seen this happen before. I hope you have disconnected your computer from the Internet while investigating this. My suspicion is that the QR code thing is a secondary scam to try to get authentication credentials but also to keep the victim busy on their mobile phone while the scammer uses the backdoor trojan to access websites where passwords are filled in by a browser's password manager. Google (chrome)/Microsoft (edge) accounts, financial/banking, money app, email, online retailers can all be acessed by someone remoting in.

Any 2-factor notifications you did not initiate? To guard against the worst, I would closely monitor accounts, change passwords, make sure 2-factor is turned on with your phone number, change security questions. There is no way to know what a scammer may have accessed on your computer or even if he did at all.

AND do a wipe, reinstall.

112022 · Mar 6, 2026

sgayres said:
So the client32.exe seems to be regenerating at the command of something else. I've seen this happen before. I hope you have disconnected your computer from the Internet while investigating this. My suspicion is that the QR code thing is a secondary scam to try to get authentication credentials but also to keep the victim busy on their mobile phone while the scammer uses the backdoor trojan to access websites where passwords are filled in by a browser's password manager. Google (chrome)/Microsoft (edge) accounts, financial/banking, money app, email, online retailers can all be acessed by someone remoting in.

Any 2-factor notifications you did not initiate? To guard against the worst, I would closely monitor accounts, change passwords, make sure 2-factor is turned on with your phone number, change security questions. There is no way to know what a scammer may have accessed on your computer or even if he did at all.

AND do a wipe, reinstall.

It appears that I have finally eliminated the problem, after Malwarebytes kept finding things - the same things I believe - after every restart. Pasting from google AI what I did:

Removing
client32.exe often involves dealing with a legitimate remote management tool (NetSupport Manager/School) that has been hijacked by malware (Remote Access Trojan). The file typically resides in C:\Program Files\NetSupport\NetSupport Manager or within user AppData folders.
Here is the recommended approach to remove client32.exe:

1. Immediate Isolation and Preparation

Disconnect from the Internet: Pull the Ethernet cable or turn off Wi-Fi immediately to stop data exfiltration by the malicious actor.

Enter Safe Mode: Restart your computer in Safe Mode to prevent the malicious process from running.

2. Manual Removal Process

Terminate the Process: Open Task Manager (Ctrl+Shift+Esc), locate client32.exe, right-click it, and select End Task.

Uninstall via Control Panel: Check for "NetSupport" or "Acer Classroom Manager" in the "Add/Remove Programs" section of the Windows Control Panel.

Delete Files and Folders: Search for and delete client32.exe and its surrounding folders, often found in AppData\Roaming or Program Files.

Clean Registry Keys: Open regedit, and remove entries related to NetSupport or client32.exe from HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

In addition to client32.exe, there was another suspicious thing that I failed to note or screenshot, called "ocean audio," that had appeared on my computer on 2/26, a day before the first suspicious thing (a browser tab crash) happened, and I'd certainly never downloaded or installed this ocean audio thing.

Since then I've restarted at least twice, run malwarebytes multiple times during the sessions, and it's come up clean each time, versus before it was finding things after every restart.

Anything sensitive I have has 2FA set up, so I'll keep an eye on things, but feel like I'm good right now with no need to wipe. Hard to prove a negative, but only time will tell.

sgayres · Mar 6, 2026

Good job being persistent and thorough. Looks like you indeed got it!

"You are 78% there" malware hijack - solved, but from where did it come?

Like a rolling drone.

My Computers

putting the mental back in experimental

My Computer

I almost never bite.......

My Computers

aka Mama Glass

My Computers

Well-known member

My Computer

Well-known member

My Computers

Active member

My Computers

Well-known member

Attachments

My Computer

Active member

My Computers

Well-known member

My Computers

I almost never bite.......

My Computers

I almost never bite.......

My Computers

putting the mental back in experimental

My Computer

Well-known member

My Computer

Well-known member

My Computer

Active member

My Computers

Well-known member

My Computer

Active member

My Computers