This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

JS AdInject

Hi,

I have a user who works from home a fair bit. I have Sophos Endpoint Security and Control v10.6 installed on his Windows 10 Pro computer. It is configured to get updates from Sophos directly rather than our Endpoint server.

When we open IE, Sophos pops up with a Quarantine message for JS AdInject. Browser windows start opening till it finally stops responding.

I can clean JS AdInject but it still comes back. A full Sophos scan comes back empty. I have also installed Sophos Virus Removal Tool which doesn't detect it at all.

Any advice on how I can remove this?

Thanks,



This thread was automatically locked due to age.
  • Hello Paul Pazios,

    two common causes are a dubious start page or some "helpful" add-on. Do you have on-access scan for Adware and PUAs enabled?

    Christian

  • Hi Christian,

    Thanks for the reply.

    I have them enabled. I have also reset IE and have confirmed that only Microsoft Add-ons are running.

    The Run section of the Registry looks clean too.

  • Hello Paul Pazios,

    could you show the portion of the endpoint's SAV.txt (in %ProgramData%\Sophos\Sophos Anti-Virus\logs\) with the detection (ideally several) and the subsequent cleanup?

    Christian

  • I hope this is what you need.

     

    20170329 055123       File "C:\Users\Username\AppData\Local\Microsoft\Windows\INetCache\Low\IE\2OI7A29P\1009[1].js" belongs to adware or PUA 'JS AdInject' (of type Adware).
    20170329 055428       File "C:\$Recycle.Bin\S-1-5-21-3198381788-2401096007-148893834-1001\$RQU5DWG.js" belongs to adware or PUA 'JS AdInject' (of type Adware).
    20170329 055650       File "C:\Users\Username\AppData\Local\Microsoft\Windows\INetCache\Low\IE\TQF4JRWY\1009[1].js" belongs to adware or PUA 'JS AdInject' (of type Adware).
    20170329 055650       On-access scanner has denied access to location "C:\Users\Username\AppData\Local\Microsoft\Windows\INetCache\Low\IE\TQF4JRWY\1009[1].js" for user DESKTOP-LC4016A\Username
    20170329 055725       File "C:\$Recycle.Bin\S-1-5-21-3198381788-2401096007-148893834-1001\$RQU5DWG.js" belongs to adware or PUA 'JS AdInject' (of type Adware).
    20170329 055725       Scanning "C:\Users\Username\AppData\Local\Microsoft\Windows\INetCache\Low\IE\TQF4JRWY\1009[1].js" returned SAV Interface error 0xa0040210: The file could not be accessed.
    20170329 055725       Scanning "C:\Users\Username\AppData\Local\Microsoft\Windows\INetCache\Low\IE\2OI7A29P\1009[1].js" returned SAV Interface error 0xa0040210: The file could not be accessed.
    20170329 055727       File "C:\$Recycle.Bin\S-1-5-21-3198381788-2401096007-148893834-1001\$RQU5DWG.js" has been cleaned up.
    20170329 055728       Adware or PUA 'JS AdInject' has been removed.

    20170329 074828       File "C:\Users\Username\AppData\Local\Microsoft\Windows\INetCache\Low\IE\2QYMD8F9\1009[1].js" belongs to adware or PUA 'JS AdInject' (of type Adware).
    20170329 074850       File "C:\Users\Username\AppData\Local\Microsoft\Windows\INetCache\Low\IE\2QYMD8F9\1009[1].js" belongs to adware or PUA 'JS AdInject' (of type Adware).

    20170329 075219       File "C:\Users\Username\AppData\Local\Microsoft\Windows\INetCache\Low\IE\2QYMD8F9\1009[1].js" belongs to adware or PUA 'JS AdInject' (of type Adware).
    20170329 075219       On-access scanner has denied access to location "C:\Users\Username\AppData\Local\Microsoft\Windows\INetCache\Low\IE\2QYMD8F9\1009[1].js" for user DESKTOP-LC4016A\Username
    20170329 075220       File "C:\Users\Username\AppData\Local\Microsoft\Windows\INetCache\Low\IE\2QYMD8F9\1009[1].js" belongs to adware or PUA 'JS AdInject' (of type Adware).
    20170329 080355       File "C:\Users\Username\AppData\Local\Microsoft\Windows\INetCache\Low\IE\2QYMD8F9\1009[1].js" belongs to adware or PUA 'JS AdInject' (of type Adware).
    20170329 080358       File "C:\Users\Username\AppData\Local\Microsoft\Windows\INetCache\Low\IE\2QYMD8F9\1009[1].js" has been cleaned up.
    20170329 080358       Adware or PUA 'JS AdInject' has been removed.
    20170329 080420       File "C:\Users\Username\AppData\Local\Microsoft\Windows\INetCache\Low\IE\TQF4JRWY\1009[1].js" belongs to adware or PUA 'JS AdInject' (of type Adware).
    20170329 080420       On-access scanner has denied access to location "C:\Users\Username\AppData\Local\Microsoft\Windows\INetCache\Low\IE\TQF4JRWY\1009[1].js" for user DESKTOP-LC4016A\Username
    20170329 080421       File "C:\Users\Username\AppData\Local\Microsoft\Windows\INetCache\Low\IE\TQF4JRWY\1009[1].js" belongs to adware or PUA 'JS AdInject' (of type Adware).

  • Hello Paul Pazios,

    sorry, been out of office.
    So it still constantly pops up when IE is opened (even now after the reset) but no page is accessed and IE is unusable? Are the name (1009[1].js) and the ...\Low\IE\ subfolders the same? The log suggests that they have been cleaned up (which is likely: removed) on the second attempt.

    Personally I'd try to take the sample and submit it to Sophos, well, guess I'd have a glance to assess what it could be first.

    If it apparently reappears I'd empty the ...\Low\IE\ cache (it's just a local cache anyway). I don't use IE when it can be avoided so I can't say why and how the .js should get there again (in case it does) especially when no page is opened. But let's see.

    Christian