
Thread: Adware.Tracking Cookie, Trojan.Gen-Turkojan, Trojan.Gen-Foreign. What do I need to do?

  1. #21
    Junior Member
    Join Date
    Mar 2018
    Posts
    15


    Quote Originally Posted by Juliet View Post
    All vbscript.dll does is allow programs to call it to run VBScripts. So if this is only happening in IE when you launch it, something may be trying to run a VB script in IE. If you are not sure of the contents of this, I would reset IE back to defaults just to be safe.
    Turning on "Disable Internet Explorer VB Scripting" seems to fix it.
    MalwareBytes has a good write up of information here
    https://forums.malwarebytes.com/topi...sions-failure/

    Also, some additional information from Microsoft. It explains a bit more about VBScript and why blocking/disabling it is a good idea.
    https://blogs.windows.com/msedgedev/...t-explorer-11/
    After deleting parts of Chrome, the setup file worked. But after running the fixlist, some of the Chrome extensions have been deleted; am I allowed to reload them? Thanks for the help, and give your information to me.

    Fix result of Farbar Recovery Scan Tool (x64) Version: 02.06.2018
    Ran by su (03-06-2018 12:18:00) Run:1
    Running from C:\Users\su\Desktop
    Loaded Profiles: su (Available Profiles: su)
    Boot Mode: Normal
    ==============================================

    fixlist content:
    *****************
    CloseProcesses:
    CreateRestorePoint:
    Task: {0C639D82-FF21-4296-A972-D75D6828A80F} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2018-06-02] (Google Inc.)
    Task: {3DEF727F-AD79-41D9-A3A0-1A05A4251C42} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2018-06-02] (Google Inc.)
    S3 Browser; %SystemRoot%\System32\browser.dll [X]
    CHR HKLM\...\Chrome\Extension: [hdokiejnpimakedhajhdlcegeplioahd] - hxxp://clients2.google.com/service/update2/crx
    CHR HKLM\...\Chrome\Extension: [ngpampappnmepgilojfohadhhmbhlaek] - C:\Program Files (x86)\Internet Download Manager\IDMGCExt.crx [2018-05-16]
    CHR HKLM-x32\...\Chrome\Extension: [hdokiejnpimakedhajhdlcegeplioahd] - hxxp://clients2.google.com/service/update2/crx
    CHR HKLM-x32\...\Chrome\Extension: [ngpampappnmepgilojfohadhhmbhlaek] - C:\Program Files (x86)\Internet Download Manager\IDMGCExt.crx [2018-05-16]
    Emptytemp:

    *****************

    Processes closed successfully.
    Restore point was successfully created.
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0C639D82-FF21-4296-A972-D75D6828A80F} => not found
    C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA => moved successfully
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskMachineUA" => removed successfully
    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3DEF727F-AD79-41D9-A3A0-1A05A4251C42} => not found
    C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore => moved successfully
    "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskMachineCore" => removed successfully
    "HKLM\System\CurrentControlSet\Services\Browser" => removed successfully
    Browser => service removed successfully
    "HKLM\SOFTWARE\Google\Chrome\Extensions\hdokiejnpimakedhajhdlcegeplioahd" => removed successfully
    "HKLM\SOFTWARE\Google\Chrome\Extensions\ngpampappnmepgilojfohadhhmbhlaek" => removed successfully
    C:\Program Files (x86)\Internet Download Manager\IDMGCExt.crx => moved successfully
    "HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\hdokiejnpimakedhajhdlcegeplioahd" => removed successfully
    "HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\ngpampappnmepgilojfohadhhmbhlaek" => removed successfully
    "C:\Program Files (x86)\Internet Download Manager\IDMGCExt.crx" => not found

    =========== EmptyTemp: ==========

    BITS transfer queue => 7888896 B
    DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 25665798 B
    Java, Flash, Steam htmlcache => 0 B
    Windows/system/drivers => 1030198 B
    Edge => 9905348 B
    Chrome => 135528372 B
    Firefox => 0 B
    Opera => 0 B

    Temp, IE cache, history, cookies, recent:
    Default => 0 B
    Users => 0 B
    ProgramData => 0 B
    Public => 0 B
    systemprofile => 0 B
    systemprofile32 => 0 B
    LocalService => 15206 B
    LocalService => 0 B
    NetworkService => 31008 B
    NetworkService => 0 B
    su => 39661411071 B

    RecycleBin => 55087652 B
    EmptyTemp: => 37.2 GB temporary data Removed.

    ================================


    The system needed a reboot.

    ==== End of Fixlog 12:18:28 ====

  2. #22
    Security Expert Juliet
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    3,572


    some of the chrome extensions have been deleted, am I allowed to reload them?
    Yes, but make sure you download from the legitimate Chrome web site, since there are many fake sites out there.

    Malicious Chrome Extensions Found in Chrome Web Store
    https://blog.trendmicro.com/trendlab...idclub-botnet/


    Ready to remove tools and quarantine folders?
    Windows Insider MVP Consumer Security 2009 - 2017
    Please do not PM me for Malware help, we all benefit from posting on the open board.
    Want to help others? Join the ClassRoom and learn how.

  3. #23
    Junior Member
    Join Date
    Mar 2018
    Posts
    15


    Quote Originally Posted by Juliet View Post
    Yes, but make sure you download from the legitimate Chrome web site, since there are many fake sites out there.

    Malicious Chrome Extensions Found in Chrome Web Store
    https://blog.trendmicro.com/trendlab...idclub-botnet/


    Ready to remove tools and quarantine folders?

    Yesterday, I continued to receive this warning; is it serious?

    Malwarebytes
    www.malwarebytes.com

    -Log Details-
    Protection Event Date: 6/6/18
    Protection Event Time: 4:01 PM
    Log File: 20e0d091-6968-11e8-878e-2c4d544e0a6f.json
    Administrator: Yes

    -Software Information-
    Version: 3.5.1.2522
    Components Version: 1.0.367
    Update Package Version: 1.0.5376
    License: Trial

    -System Information-
    OS: Windows 10 (Build 17134.81)
    CPU: x64
    File System: NTFS
    User: System

    -Exploit Details-
    File: 0
    (No malicious items detected)

    Exploit: 1
    Malware.Exploit.Agent.Generic, , Blocked, [0], [392684],0.0.0

    -Exploit Data-
    Affected Application: Google Chrome (and plug-ins)
    Protection Layer: Application Behavior Protection
    Protection Technique: Exploit payload process blocked
    File Name: C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe PowerShell.exe -windowstyle hidden -command Start-Process cmd -ArgumentList '\c takeown \f "C:\Users\su\AppData\Local\Temp\JQE2A33.tmp.dir\DIFXAPI.dll" && icacls "C:\Users\su\AppData\Local\Temp\JQE2A33.tmp.dir\DIFXAPI.dll" \grant *S-1-3-4:F \t \c \l' -Verb runAs
    URL:



    (end)
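A defender-side triage of the blocked command line quoted in the Malwarebytes log above, as an added example that is not part of the thread: it rebuilds the "-Exploit Data-" block as constructed sample input and flags the behaviours a responder would note (hidden PowerShell window, UAC elevation via Start-Process -Verb runAs, ownership/ACL changes on a file under the user's Temp folder, spawned from the browser). The indicator names are my own.

```python
import re

# Constructed sample input, modelled on the "-Exploit Data-" block quoted in the
# thread; it is not read from a live Malwarebytes log file.
SAMPLE_LOG = r"""-Exploit Data-
Affected Application: Google Chrome (and plug-ins)
Protection Layer: Application Behavior Protection
Protection Technique: Exploit payload process blocked
File Name: C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe PowerShell.exe -windowstyle hidden -command Start-Process cmd -ArgumentList '\c takeown \f "C:\Users\su\AppData\Local\Temp\JQE2A33.tmp.dir\DIFXAPI.dll" && icacls "C:\Users\su\AppData\Local\Temp\JQE2A33.tmp.dir\DIFXAPI.dll" \grant *S-1-3-4:F \t \c \l' -Verb runAs
URL:
"""

# Behavioural indicators checked against the command line (hypothetical names).
# S-1-3-4 is the well-known "Owner Rights" SID, so the icacls grant hands the
# file's owner full control after takeown has reassigned ownership.
INDICATORS = [
    ("hidden_window", re.compile(r"-windowstyle\s+hidden", re.I)),
    ("elevation_prompt", re.compile(r"-Verb\s+runAs", re.I)),
    ("acl_takeover", re.compile(r"\b(takeown|icacls)\b", re.I)),
    ("temp_dir_target", re.compile(r"\\AppData\\Local\\Temp\\", re.I)),
]


def parse_exploit_block(text):
    """Turn 'Key: value' lines into a dict; section headers like '-Exploit Data-' are skipped."""
    fields = {}
    for line in text.splitlines():
        if line.startswith("-") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def triage(text):
    """Return the blocked command, the indicators it matched and whether it was blocked."""
    fields = parse_exploit_block(text)
    cmd = fields.get("File Name", "")
    hits = [name for name, rx in INDICATORS if rx.search(cmd)]
    # The parent is taken from the 'Affected Application' field, not the command line.
    if "chrome" in fields.get("Affected Application", "").lower():
        hits.append("spawned_from_browser")
    blocked = "blocked" in fields.get("Protection Technique", "").lower()
    return {"command": cmd, "indicators": hits, "blocked": blocked}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Four or more indicators on one command line is the kind of combination that justifies treating the event as more than a false positive, even though this particular launch was blocked.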

  4. #24
    Junior Member
    Join Date
    Mar 2018
    Posts
    15


    And I want to ask this: my Chrome continues to automatically add AOL and Ask in search! But when I scan with AdwCleaner, it does not detect them; they only disappear when I delete them manually!

  5. #25
    Security Expert Juliet
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    3,572


    I'm not sure what's going on.
    Did you install more chrome extensions?

    ~~~~~~~~~~~~~~~~~~~~~~~~
    Follow the instructions in the thread below. Make sure to download the MBAR version linked in it. Let me know if you're not able to launch it and run a scan.

    https://forums.malwarebytes.com/topi...-malwarebytes/

    If you manage to run a scan, delete everything it finds, and then copy/paste the content of the mbar-log-DATE-(TIME).txt log that is located in the MBAR folder here after.
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    RogueKiller
    • Right-click on it and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
    • Click on the Start Scan button in the right panel, which will bring you to another tab, and click on it again (this time it'll be in the bottom right corner)
    • Wait for the scan to complete
    • On completion, the results will be displayed
    • Check every single entry (threat found), and click on the Remove Selected button
    • On completion, the results will be displayed. Click on the Open Report button in the bottom left corner, followed by the Open TXT button (also in the bottom left corner)
    • This will open the report in Notepad. Copy/paste its content in your next reply


    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Let's run a new scan with Farbar Recovery Scan Tool
    • Right-Click FRST.exe / FRST64.exe and select Run as administrator to run the programme.
    • Click Yes to the disclaimer.
    • Ensure the Addition.txt box is checked.
    • Click the Scan button and let the programme run.
    • Upon completion, click OK, then OK on the Addition.txt pop up screen.
    • Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Copy the contents of both logs and paste in your next reply.

  6. #26
    Security Expert Juliet
    Join Date
    Feb 2007
    Location
    Deep South
    Posts
    3,572


    Glad we could help.
    Since this issue appears resolved ... this Topic is closed.
