Adware.Tracking Cookie, Trojan.Gen-Turkojan, Trojan.Gen-Foreign. What do I need to do?

Status
Not open for further replies.
All vbscript.dll does is allow programs to call it to run VBScripts. So if this is only happening in IE when you launch it, something may be trying to run a VB script in IE. If you are not sure of the contents of this, I would reset IE back to defaults just to be safe.
Turning off Disable Internet Explorer VB Scripting seems to fix it.
MalwareBytes has a good write-up of information here:
https://forums.malwarebytes.com/topic/213719-exclusions-failure/

Also, some additional information from Microsoft. It explains a bit more about VBScript and why blocking/disabling it is a good idea.
https://blogs.windows.com/msedgedev/2017/04/12/disabling-vbscript-execution-in-internet-explorer-11/
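As an added example (not from this thread, and not code from Malwarebytes or Microsoft), the following PowerShell script audits whether the per-zone "Allow VBScript to run in Internet Explorer" setting that the Microsoft post describes is actually disabled, and with `-Enforce` writes the disabled value for the current user. The registry details are assumptions to verify against Microsoft's KB4012494: the setting is a REG_DWORD named `140C` under each zone key (0 = enable, 1 = prompt, 3 = disable), zone 3 is the Internet zone and zone 4 is Restricted Sites.

```powershell
# Added example, not from the thread or the linked articles.
# Assumptions (verify against KB4012494): REG_DWORD "140C" under each zone key,
# 0 = enable, 1 = prompt, 3 = disable; zone 3 = Internet, zone 4 = Restricted Sites.
param([switch]$Enforce)

$ValueName = '140C'
$Zones     = @{ 3 = 'Internet'; 4 = 'Restricted Sites' }
$Meaning   = @{ 0 = 'enabled'; 1 = 'prompt'; 3 = 'disabled' }
# Per-user setting, plus the machine policy key that overrides it when present.
$UserRoot   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$PolicyRoot = 'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'

function Get-VbScriptZoneState {
    foreach ($root in @($UserRoot, $PolicyRoot)) {
        $hive = 'HKCU user'
        if ($root -eq $PolicyRoot) { $hive = 'HKLM policy' }
        foreach ($zone in ($Zones.Keys | Sort-Object)) {
            $key  = Join-Path $root $zone
            $data = $null
            if (Test-Path $key) {
                $data = (Get-ItemProperty -Path $key -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
            }
            # Translate the raw value into the state a user would see in the zone settings UI.
            if ($null -eq $data) { $state = 'not set (IE default applies)' }
            elseif ($Meaning.ContainsKey([int]$data)) { $state = $Meaning[[int]$data] }
            else { $state = "unexpected value $data" }
            [pscustomobject]@{
                Hive  = $hive
                Zone  = "$zone ($($Zones[$zone]))"
                Value = $data
                State = $state
            }
        }
    }
}

function Set-VbScriptDisabled {
    # Writes the per-user value only; the policy key needs elevation and is
    # normally managed through Group Policy rather than a script like this.
    foreach ($zone in $Zones.Keys) {
        $key = Join-Path $UserRoot $zone
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name $ValueName -Value 3 -Type DWord
    }
}

if ($Enforce) { Set-VbScriptDisabled }
Get-VbScriptZoneState | Format-Table -AutoSize
```

Run it once without `-Enforce` to see the current state of both zones in the user hive and the policy hive; a "not set" result means IE is applying its own default for that zone, which on a machine without the relevant update may still allow VBScript.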

After deleting parts of Chrome, the setup file worked. But after running the fixlist, some of the Chrome extensions have been deleted; am I allowed to reload them? Thanks for the help, and please give me your information.

Fix result of Farbar Recovery Scan Tool (x64) Version: 02.06.2018
Ran by su (03-06-2018 12:18:00) Run:1
Running from C:\Users\su\Desktop
Loaded Profiles: su (Available Profiles: su)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CloseProcesses:
CreateRestorePoint:
Task: {0C639D82-FF21-4296-A972-D75D6828A80F} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2018-06-02] (Google Inc.)
Task: {3DEF727F-AD79-41D9-A3A0-1A05A4251C42} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [2018-06-02] (Google Inc.)
S3 Browser; %SystemRoot%\System32\browser.dll [X]
CHR HKLM\...\Chrome\Extension: [hdokiejnpimakedhajhdlcegeplioahd] - hxxp://clients2.google.com/service/update2/crx
CHR HKLM\...\Chrome\Extension: [ngpampappnmepgilojfohadhhmbhlaek] - C:\Program Files (x86)\Internet Download Manager\IDMGCExt.crx [2018-05-16]
CHR HKLM-x32\...\Chrome\Extension: [hdokiejnpimakedhajhdlcegeplioahd] - hxxp://clients2.google.com/service/update2/crx
CHR HKLM-x32\...\Chrome\Extension: [ngpampappnmepgilojfohadhhmbhlaek] - C:\Program Files (x86)\Internet Download Manager\IDMGCExt.crx [2018-05-16]
Emptytemp:

*****************

Processes closed successfully.
Restore point was successfully created.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0C639D82-FF21-4296-A972-D75D6828A80F} => not found
C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskMachineUA" => removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3DEF727F-AD79-41D9-A3A0-1A05A4251C42} => not found
C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\GoogleUpdateTaskMachineCore" => removed successfully
"HKLM\System\CurrentControlSet\Services\Browser" => removed successfully
Browser => service removed successfully
"HKLM\SOFTWARE\Google\Chrome\Extensions\hdokiejnpimakedhajhdlcegeplioahd" => removed successfully
"HKLM\SOFTWARE\Google\Chrome\Extensions\ngpampappnmepgilojfohadhhmbhlaek" => removed successfully
C:\Program Files (x86)\Internet Download Manager\IDMGCExt.crx => moved successfully
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\hdokiejnpimakedhajhdlcegeplioahd" => removed successfully
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\ngpampappnmepgilojfohadhhmbhlaek" => removed successfully
"C:\Program Files (x86)\Internet Download Manager\IDMGCExt.crx" => not found

=========== EmptyTemp: ==========

BITS transfer queue => 7888896 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 25665798 B
Java, Flash, Steam htmlcache => 0 B
Windows/system/drivers => 1030198 B
Edge => 9905348 B
Chrome => 135528372 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
Users => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 15206 B
LocalService => 0 B
NetworkService => 31008 B
NetworkService => 0 B
su => 39661411071 B

RecycleBin => 55087652 B
EmptyTemp: => 37.2 GB temporary data Removed.

================================


The system needed a reboot.

==== End of Fixlog 12:18:28 ====
 
Yes, but make sure you download from the legitimate Chrome web site, since there are many fake sites out there.

Malicious Chrome Extensions Found in Chrome Web Store
https://blog.trendmicro.com/trendlabs-security-intelligence/malicious-chrome-extensions-found-chrome-web-store-form-droidclub-botnet/


Ready to remove tools and quarantine folders?


Since yesterday I continue to receive this warning; is it serious?

Malwarebytes
www.malwarebytes.com

-Log Details-
Protection Event Date: 6/6/18
Protection Event Time: 4:01 PM
Log File: 20e0d091-6968-11e8-878e-2c4d544e0a6f.json
Administrator: Yes

-Software Information-
Version: 3.5.1.2522
Components Version: 1.0.367
Update Package Version: 1.0.5376
License: Trial

-System Information-
OS: Windows 10 (Build 17134.81)
CPU: x64
File System: NTFS
User: System

-Exploit Details-
File: 0
(No malicious items detected)

Exploit: 1
Malware.Exploit.Agent.Generic, , Blocked, [0], [392684],0.0.0

-Exploit Data-
Affected Application: Google Chrome (and plug-ins)
Protection Layer: Application Behavior Protection
Protection Technique: Exploit payload process blocked
File Name: C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe PowerShell.exe -windowstyle hidden -command Start-Process cmd -ArgumentList '\c takeown \f "C:\Users\su\AppData\Local\Temp\JQE2A33.tmp.dir\DIFXAPI.dll" && icacls "C:\Users\su\AppData\Local\Temp\JQE2A33.tmp.dir\DIFXAPI.dll" \grant *S-1-3-4:F \t \c \l' -Verb runAs
URL:



(end)
 
And I want to ask this: my Chrome continues to automatically add AOL and Ask to the search engines! But when I scan with AdwCleaner it does not detect it; it only disappears when I delete it manually!!!
 
I'm not sure what's going on.
Did you install more chrome extensions?

~~~~~~~~~~~~~~~~~~~~~~~~
Follow the instructions in the thread below. Make sure to download the MBAR version linked in it. Let me know if you're not able to launch it and run a scan.

https://forums.malwarebytes.com/top...is-in-use-error-unable-to-start-malwarebytes/

If you manage to run a scan, delete everything it finds, and then copy/paste the content of the mbar-log-DATE-(TIME).txt log that is located in the MBAR folder here afterwards.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

RogueKiller
  • Right-click on it and select Run as Administrator (for Windows Vista, 7, 8, 8.1 and 10 users)
  • Click on the Start Scan button in the right panel, which will bring you to another tab, and click on it again (this time it'll be in the bottom right corner)
  • Wait for the scan to complete
  • On completion, the results will be displayed
  • Check every single entry (threat found), and click on the Remove Selected button
  • On completion, the results will be displayed. Click on the Open Report button in the bottom left corner, followed by the Open TXT button (also in the bottom left corner)
  • This will open the report in Notepad. Copy/paste its content in your next reply

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Let's run a new scan with Farbar Recovery Scan Tool
  • Right-click FRST.exe / FRST64.exe and select Run as administrator to run the programme.
  • Click Yes to the disclaimer.
  • Ensure the Addition.txt box is checked.
  • Click the Scan button and let the programme run.
  • Upon completion, click OK, then OK on the Addition.txt pop up screen.
  • Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Copy the contents of both logs and paste in your next reply.
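The question of which extensions to put back, and the helper's follow-up about extra extensions, both come down to knowing where each installed extension came from. The script below is an added example, not part of the thread and not code from FRST, Malwarebytes or Google: it inventories the machine-wide extension registry keys that the fixlist cleaned (HKLM\SOFTWARE\Google\Chrome\Extensions and its Wow6432Node copy) and then every extension in each Chrome profile, reading the name, version and update_url from its manifest.json so that anything not pointing at the Chrome Web Store update URL is flagged for a closer look. The profile layout under %LOCALAPPDATA%\Google\Chrome\User Data (Default, Profile 1, ...) and the registry value names update_url, path and version are assumptions about standard Chrome behaviour.

```powershell
# Added example, not from the thread or from any tool it mentions.
# Assumptions: standard Chrome profile layout under %LOCALAPPDATA%\Google\Chrome\User Data,
# and the registry value names update_url / path / version under the external-extension keys.

$WebStoreUpdateUrl = 'https://clients2.google.com/service/update2/crx'

function Get-ExtensionNote {
    param([string]$UpdateUrl, [string]$LocalPath)
    # Classify the install source; anything that is not the Web Store deserves a manual check.
    if ($LocalPath) { return 'installed from a local .crx - verify' }
    if (-not $UpdateUrl) { return 'no update_url (unpacked or sideloaded?) - verify' }
    if ($UpdateUrl -eq $WebStoreUpdateUrl) { return 'Chrome Web Store' }
    return 'non-Web-Store update URL - verify'
}

function Get-RegistryExtensionEntries {
    # These are the keys the FRST fixlist above removed entries from.
    $keys = @(
        'HKLM:\SOFTWARE\Google\Chrome\Extensions',
        'HKLM:\SOFTWARE\Wow6432Node\Google\Chrome\Extensions'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key) {
            $props = Get-ItemProperty -Path $sub.PSPath
            [pscustomobject]@{
                Source    = $key
                Id        = $sub.PSChildName
                UpdateUrl = $props.update_url
                Path      = $props.path
                Version   = $props.version
                Note      = Get-ExtensionNote -UpdateUrl $props.update_url -LocalPath $props.path
            }
        }
    }
}

function Get-ProfileExtensions {
    $userData = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data'
    if (-not (Test-Path $userData)) { return }
    $profiles = Get-ChildItem -Path $userData -Directory |
        Where-Object { $_.Name -eq 'Default' -or $_.Name -like 'Profile *' }
    foreach ($profile in $profiles) {
        $extRoot = Join-Path $profile.FullName 'Extensions'
        if (-not (Test-Path $extRoot)) { continue }
        foreach ($idDir in Get-ChildItem -Path $extRoot -Directory) {
            # Each extension id has one or more <version>_<n> folders, each with a manifest.json.
            foreach ($manifest in Get-ChildItem -Path $idDir.FullName -Filter manifest.json -Recurse) {
                $m = Get-Content -Path $manifest.FullName -Raw | ConvertFrom-Json
                $name = $m.name
                # "__MSG_*" names are localisation keys, not human-readable names.
                if ($name -like '__MSG_*') { $name = "(localised name key: $name)" }
                [pscustomobject]@{
                    Profile   = $profile.Name
                    Id        = $idDir.Name
                    Name      = $name
                    Version   = $m.version
                    UpdateUrl = $m.update_url
                    Note      = Get-ExtensionNote -UpdateUrl $m.update_url -LocalPath $null
                }
            }
        }
    }
}

Write-Host '== Machine-wide registry extension entries =='
Get-RegistryExtensionEntries | Format-Table -AutoSize
Write-Host '== Extensions installed in Chrome profiles =='
Get-ProfileExtensions | Sort-Object Profile, Name | Format-Table -AutoSize
```

Compare the listed ids against the ones in the fixlist and the ones you knowingly reinstalled; an entry with a local .crx path or a non-Web-Store update URL that you do not recognise is the kind of thing worth mentioning in the next reply along with the scan logs.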
 
Glad we could help.

Since this issue appears resolved ... this Topic is closed.
 