
JS AdInject

Hi,

I have a user who works from home a fair bit. I have Sophos Endpoint Security and Control v10.6 installed on his Windows 10 Pro computer. It is configured to get updates from Sophos directly rather than our Endpoint server.

When we open IE, Sophos pops up with a Quarantine message for JS AdInject. Browser windows start opening till it finally stops responding.

I can clean JS AdInject but it still comes back. A full Sophos scan comes back empty. I have also installed Sophos Virus Removal Tool which doesn't detect it at all.

Any advice on how I can remove this?

Thanks,



  • I hope this is what you need.

     

    20170329 055123       File "C:\Users\Username\AppData\Local\Microsoft\Windows\INetCache\Low\IE\2OI7A29P\1009[1].js" belongs to adware or PUA 'JS AdInject' (of type Adware).
    20170329 055428       File "C:\$Recycle.Bin\S-1-5-21-3198381788-2401096007-148893834-1001\$RQU5DWG.js" belongs to adware or PUA 'JS AdInject' (of type Adware).
    20170329 055650       File "C:\Users\Username\AppData\Local\Microsoft\Windows\INetCache\Low\IE\TQF4JRWY\1009[1].js" belongs to adware or PUA 'JS AdInject' (of type Adware).
    20170329 055650       On-access scanner has denied access to location "C:\Users\Username\AppData\Local\Microsoft\Windows\INetCache\Low\IE\TQF4JRWY\1009[1].js" for user DESKTOP-LC4016A\Username
    20170329 055725       File "C:\$Recycle.Bin\S-1-5-21-3198381788-2401096007-148893834-1001\$RQU5DWG.js" belongs to adware or PUA 'JS AdInject' (of type Adware).
    20170329 055725       Scanning "C:\Users\Username\AppData\Local\Microsoft\Windows\INetCache\Low\IE\TQF4JRWY\1009[1].js" returned SAV Interface error 0xa0040210: The file could not be accessed.
    20170329 055725       Scanning "C:\Users\Username\AppData\Local\Microsoft\Windows\INetCache\Low\IE\2OI7A29P\1009[1].js" returned SAV Interface error 0xa0040210: The file could not be accessed.
    20170329 055727       File "C:\$Recycle.Bin\S-1-5-21-3198381788-2401096007-148893834-1001\$RQU5DWG.js" has been cleaned up.
    20170329 055728       Adware or PUA 'JS AdInject' has been removed.

    20170329 074828       File "C:\Users\Username\AppData\Local\Microsoft\Windows\INetCache\Low\IE\2QYMD8F9\1009[1].js" belongs to adware or PUA 'JS AdInject' (of type Adware).
    20170329 074850       File "C:\Users\Username\AppData\Local\Microsoft\Windows\INetCache\Low\IE\2QYMD8F9\1009[1].js" belongs to adware or PUA 'JS AdInject' (of type Adware).

    20170329 075219       File "C:\Users\Username\AppData\Local\Microsoft\Windows\INetCache\Low\IE\2QYMD8F9\1009[1].js" belongs to adware or PUA 'JS AdInject' (of type Adware).
    20170329 075219       On-access scanner has denied access to location "C:\Users\Username\AppData\Local\Microsoft\Windows\INetCache\Low\IE\2QYMD8F9\1009[1].js" for user DESKTOP-LC4016A\Username
    20170329 075220       File "C:\Users\Username\AppData\Local\Microsoft\Windows\INetCache\Low\IE\2QYMD8F9\1009[1].js" belongs to adware or PUA 'JS AdInject' (of type Adware).
    20170329 080355       File "C:\Users\Username\AppData\Local\Microsoft\Windows\INetCache\Low\IE\2QYMD8F9\1009[1].js" belongs to adware or PUA 'JS AdInject' (of type Adware).
    20170329 080358       File "C:\Users\Username\AppData\Local\Microsoft\Windows\INetCache\Low\IE\2QYMD8F9\1009[1].js" has been cleaned up.
    20170329 080358       Adware or PUA 'JS AdInject' has been removed.
    20170329 080420       File "C:\Users\Username\AppData\Local\Microsoft\Windows\INetCache\Low\IE\TQF4JRWY\1009[1].js" belongs to adware or PUA 'JS AdInject' (of type Adware).
    20170329 080420       On-access scanner has denied access to location "C:\Users\Username\AppData\Local\Microsoft\Windows\INetCache\Low\IE\TQF4JRWY\1009[1].js" for user DESKTOP-LC4016A\Username
    20170329 080421       File "C:\Users\Username\AppData\Local\Microsoft\Windows\INetCache\Low\IE\TQF4JRWY\1009[1].js" belongs to adware or PUA 'JS AdInject' (of type Adware).

  • Hello Paul Pazios,

    Sorry, been out of office.
    So it still constantly pops up when IE is opened (even now after the reset) but no page is accessed and IE is unusable? Are the name (1009[1].js) and the ...\Low\IE\ subfolders the same? The log suggests that they have been cleaned up (which is likely: removed) on the second attempt.

    Personally I'd try to take the sample and submit it to Sophos, well, guess I'd have a glance to assess what it could be first.

    If it apparently reappears I'd empty the ...\Low\IE\ cache (it's just a local cache anyway). I don't use IE when it can be avoided so I can't say why and how the .js should get there again (in case it does) especially when no page is opened. But let's see.

    Christian
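
The questions raised in the reply above (is it the same file name, which ...\Low\IE\ subfolders are involved, and was each file actually cleaned up?) can be answered from the log itself. The following is an added example, not part of the original thread and not Sophos tooling: the function names are hypothetical, the message patterns are taken only from the lines posted above, and the sample is an excerpt of that log.

```python
import ntpath
import re
from collections import defaultdict

# Excerpt of the log posted earlier in this thread (not the full log).
SAMPLE = r"""
20170329 055123       File "C:\Users\Username\AppData\Local\Microsoft\Windows\INetCache\Low\IE\2OI7A29P\1009[1].js" belongs to adware or PUA 'JS AdInject' (of type Adware).
20170329 055650       File "C:\Users\Username\AppData\Local\Microsoft\Windows\INetCache\Low\IE\TQF4JRWY\1009[1].js" belongs to adware or PUA 'JS AdInject' (of type Adware).
20170329 055650       On-access scanner has denied access to location "C:\Users\Username\AppData\Local\Microsoft\Windows\INetCache\Low\IE\TQF4JRWY\1009[1].js" for user DESKTOP-LC4016A\Username
20170329 055725       Scanning "C:\Users\Username\AppData\Local\Microsoft\Windows\INetCache\Low\IE\2OI7A29P\1009[1].js" returned SAV Interface error 0xa0040210: The file could not be accessed.
20170329 074828       File "C:\Users\Username\AppData\Local\Microsoft\Windows\INetCache\Low\IE\2QYMD8F9\1009[1].js" belongs to adware or PUA 'JS AdInject' (of type Adware).
20170329 080358       File "C:\Users\Username\AppData\Local\Microsoft\Windows\INetCache\Low\IE\2QYMD8F9\1009[1].js" has been cleaned up.
20170329 080420       File "C:\Users\Username\AppData\Local\Microsoft\Windows\INetCache\Low\IE\TQF4JRWY\1009[1].js" belongs to adware or PUA 'JS AdInject' (of type Adware).
"""
# Message shapes seen in the posted log; other lines are ignored.
TS = r"^\d{8} \d{6}\s+"
EVENTS = [
    ("detected", re.compile(TS + r'File "(.+)" belongs to adware or PUA ')),
    ("denied", re.compile(TS + r'On-access scanner has denied access to location "(.+)" for user ')),
    ("scan_error", re.compile(TS + r'Scanning "(.+)" returned SAV Interface error ')),
    ("cleaned", re.compile(TS + r'File "(.+)" has been cleaned up')),
]

def summarize(log_text):
    """Per path: event counts and whether a detection has no later cleanup."""
    stats = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():  # file order is chronological
        for event, rx in EVENTS:
            hit = rx.match(line.strip())
            if hit:
                entry = stats[hit.group(1)]
                entry[event] += 1
                if event in ("detected", "cleaned"):
                    entry["unresolved"] = event == "detected"
                break
    return stats

def cache_folders(stats):
    """Map each detected file name to the parent folder names it appeared in."""
    folders = defaultdict(set)
    for path in stats:
        folders[ntpath.basename(path)].add(ntpath.basename(ntpath.dirname(path)))
    return folders

if __name__ == "__main__":
    stats = summarize(SAMPLE)
    for path, entry in stats.items():
        print("UNRESOLVED" if entry["unresolved"] else "cleaned   ", path)
    print(dict(cache_folders(stats)))
```

A path still marked unresolved after the last log entry is one where a detection was never followed by a "has been cleaned up" line, which is where emptying the cache or taking a sample would start.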