Thisara (posted March 25, 2020):
Dear All,
Each and every time I open Google Chrome and its pages, this appears and it blocks a lot of pages, including Google Pay in Google settings. I uninstalled and reinstalled both Chrome and ESET, but it doesn't work. Please help me with this, since it is a real hassle to work with continuous notifications.
Best Regards, Thisara
Marcos (Administrators, posted March 25, 2020):
Please provide logs collected with ESET Log Collector, but with "quarantined files" also selected in ELC.
Thisara (author, posted March 25, 2020):
13 minutes ago, Marcos said: Please provide logs collected with ESET Log Collector, but with "quarantined files" also selected in ESET Log Collector.
Dear Marcos,
Please find the logs with "quarantined files" attached. Please help me with this; I need to solve it as soon as possible. Once again, thank you very much.
Attachment: eis_logs.zip
Best Regards, Thisara
Nightowl (Most Valued Members, posted March 25, 2020):
1 hour ago, Thisara said: Dear Marcos, Please find the logs with "quarantined files" attached. Please help me with this; I need to solve it as soon as possible. Once again, thank you very much. eis_logs.zip Best Regards, Thisara
Maybe it's one of your extensions in the browser, or the browser is hijacked somehow?
itman (posted March 25, 2020):
JS/ScrInject.B is a common ESET false positive detection. We'll have to wait to see what @Marcos determines based on his review of the OP's logs.
Thisara (author, posted March 25, 2020, edited):
1 hour ago, Nightowl said: Maybe it's one of your extensions in the browser, or the browser is hijacked somehow?
Dear Nightowl,
Then how can I get rid of that? I have attached my extensions page herewith. Please review it. If someone hacked it, how can I get rid of that? Please help me.
Thank you, Best Regards, Thisara
Edited March 25, 2020 by Thisara
Thisara (author, posted March 25, 2020):
1 hour ago, itman said: JS/ScrInject.B is a common ESET false positive detection. We'll have to wait to see what @Marcos determines based on his review of the OP's logs.
Dear Itman,
What do you mean by "false positive detection"? I can't understand. Yes, we will wait for Marcos's reply.
Thank you, Best Regards, Thisara
Nightowl (Most Valued Members, posted March 25, 2020):
9 minutes ago, Thisara said: Dear Nightowl, Then how can I get rid of that? I have attached my extensions page herewith. Please review it. If someone hacked it, how can I get rid of that? Please help me. Thank you, Best Regards, Thisara
Try shutting them all down, then enable them one by one and see if the message disappears. Also try clearing your cache.
Marcos (Administrators, posted March 25, 2020):
The detection is correct. A malicious JavaScript (JS/Adware.Revizer-related) was detected when injected into a legitimate js file:
Is the threat detected in any browser? Only on this device, or also on other devices in your LAN? Is it detected if you run a browser without extensions?
Marcos (Administrators, posted March 25, 2020):
2 hours ago, itman said: JS/ScrInject.B is a common ESET false positive detection. We'll have to wait to see what @Marcos determines based on his review of the OP's logs.
I don't think it's a common FP. The thing is, people tend to think our detections are FPs because no other AVs trigger a detection, but as you can see above, even in this case the detection was correct. Without analyzing a particular case it's impossible to draw any conclusions regarding FPs.
itman (posted March 25, 2020):
25 minutes ago, Marcos said: Without analyzing a particular case it's impossible to draw any conclusions regarding FPs.
Agreed.
26 minutes ago, Marcos said: I don't think it's a common FP.
I was referring to past forum postings where the issue was traced back to a recent signature update.
itman (posted March 25, 2020, edited):
7 hours ago, Thisara said: I uninstalled and reinstalled both Chrome
I don't use Chrome, but I suspect it works similarly to Firefox in regards to the user's profile. That is, it is not deleted, and when Chrome is reinstalled the existing settings, extensions, and the like are retained and reestablished. It might come down to you having to manually delete this profile along with all traces of Chrome on your device. Then, if the malware alerts cease upon reinstall, reinstall your prior extensions one by one. If ESET starts alerting after an extension installation, that is your culprit.
An alternative to the above is to go to the malware support sections of either malwaretips.com or bleepingcomputer.com and have one of their malware remediation experts assist. They will instruct you to download and run a number of specialized tools for malware diagnostics, along with other tools that specialize in removing browser-based malware.
Edited March 25, 2020 by itman
itman (posted March 25, 2020):
As far as JS/Adware.Revizer malware is concerned, this Firefox posting might be informative: https://support.mozilla.org/en-US/questions/1228037 . It is definitely extension related. It also appears Malwarebytes might be able to get rid of it, at least in Firefox.
Thisara (author, posted March 25, 2020):
1 hour ago, Marcos said: The detection is correct. A malicious JavaScript (JS/Adware.Revizer-related) was detected when injected into a legitimate js file: Is the threat detected in any browser? Only on this device, or also on other devices in your LAN? Is it detected if you run a browser without extensions?
Dear Marcos,
Thank you very much. Yes, it is detected on all browsers, but only on this device. Yes, I even tried disabling all extensions, but it's still there. How can I detect that infected file, so I can delete it? Please help me with that.
Thank you. Best Regards, Thisara
itman (posted March 25, 2020):
Another FYI observation in regards to the script code posted above. Of note is the amptylogick.com domain reference. Both ESET and Fortinet detect this domain as malicious on VirusTotal; they are the only two listed solutions to do so. So I assume ESET's detection in this regard is by blacklist.
Thisara (author, posted March 25, 2020):
8 minutes ago, itman said: Another FYI observation in regards to the script code posted above. Of note is the amptylogick.com domain reference. Both ESET and Fortinet detect this domain as malicious on VirusTotal; they are the only two listed solutions to do so. So I assume ESET's detection in this regard is by blacklist.
Dear Itman,
Can't I find that infected file? Then I can delete that file/files. If not, how can I blacklist this notification in ESET?
Thank you. Best Regards, Thisara
itman (posted March 25, 2020):
1 hour ago, Thisara said: Yes, it is detected on all browsers.
Are you stating that you are getting the same alert in Edge, and that you have no extensions installed in it?
Thisara (author, posted March 25, 2020):
3 minutes ago, itman said: Are you stating that you are getting the same alert in Edge, and that you have no extensions installed in it?
Dear Itman,
Yes, I don't have any extension in Edge. But when we try to search for something, it will appear.
Best Regards, Thisara
itman (posted March 25, 2020, edited):
My suggestion again is to go to the malware removal sites I posted previously for assistance. Or, contact your in-country ESET support representative for assistance, as long as you are using a paid licensed version of ESET.
-EDIT- As far as malwaretips.com and also possibly bleepingcomputer.com, note the following restriction:
Quote: We will not assist users that are using illegal/pirated software. That being told, if any evidence of illegal OS, software, cracks/keygens or any other will be revealed, any further assistance will be suspended. If you are aware that there is this kind of stuff on your machine, remove it before proceeding! The same applies to any use of P2P software: uTorrent, BitTorrent, Vuze, Kazaa, Ares. All P2P software has to be uninstalled or at least fully disabled before proceeding!
https://malwaretips.com/threads/piracy.38446/
Edited March 25, 2020 by itman
Marcos (Administrators, posted March 25, 2020):
I'd also try resetting your router to factory settings, disabling remote administration over WAN, installing the latest version of the firmware, and setting a more complex password for access to the web admin console.
Bala (posted April 14, 2020):
Hi Thisara,
Did you resolve this issue? I am also facing the same issue. If you found the solution, could you please post it?
Thanks and Regards, Bala
Nightowl (Most Valued Members, posted April 14, 2020):
3 hours ago, Bala said: Hi Thisara, Did you resolve this issue? I am also facing the same issue. If you found the solution, could you please post it? Thanks and Regards, Bala
If you have tried all the above solutions and are still having problems, then you probably need to follow the last advice from Marcos, which is resetting the router, because most probably the router is redirecting to other places.
Marcos (Administrators, posted April 14, 2020):
The question is if you are g
7 hours ago, Bala said: Did you resolve this issue? I am also facing the same issue. If you found the solution, could you please post it?
I would start off by providing ELC logs collected with "quarantined files" also selected. If I'm able to reproduce the detection, the website was either compromised, or a particular website has been cleaned of malware and should be removed from the blacklist. Otherwise it'd be likely that the injection occurs between your ISP and your machine / browser.
Thisara (author, posted April 17, 2020):
On 4/14/2020 at 1:03 PM, Bala said: Hi Thisara, Did you resolve this issue? I am also facing the same issue. If you found the solution, could you please post it? Thanks and Regards, Bala
Dear Bala,
What I did was format the machine. But as I think about it, after that I could get the solution. You need to access the hosts file in (Windows, System32, drivers, etc) and edit it: remove the www.gstatic.com line. Then it should be OK. Try it and comment.
Best Regards, Thisara
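The post above points at the Windows hosts file as the place the www.gstatic.com redirect was planted. The script below is an added example, not code from this thread or from ESET: it parses hosts-file syntax and flags any entry that pins a domain from a watch list to an address that is not loopback or unspecified, which is what a hosts-file hijack looks like, while leaving ordinary 127.0.0.1 / 0.0.0.0 blocking entries alone. The watch list, the sample hosts content and the addresses in it are constructed for the demonstration; the default path is the standard Windows location.

```python
"""Audit a hosts file for entries that override well-known domains.

Added example (not from the ESET forum thread). The thread's fix was to
remove a www.gstatic.com line from the Windows hosts file; this generalises
that into a check that reports every watched domain mapped to a non-local
address, so the entries can be reviewed instead of hunted for by eye.
"""
import ipaddress
from pathlib import Path

# Standard Windows hosts file location.
DEFAULT_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Domains that a home machine should never pin in the hosts file.
# Assumption: this watch list is illustrative; extend it for your environment.
WATCHED_SUFFIXES = (
    "gstatic.com",
    "google.com",
    "googleapis.com",
    "microsoft.com",
    "windowsupdate.com",
)


def parse_hosts(text):
    """Return (line_no, address, [hostnames]) for each active mapping.

    Comments (# to end of line) and blank lines are skipped; a line with fewer
    than two fields is not a mapping and is ignored.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        entries.append((line_no, fields[0], [h.lower() for h in fields[1:]]))
    return entries


def is_local(address):
    """True for loopback (127.x, ::1) or unspecified (0.0.0.0, ::) targets."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False  # not an IP literal at all; treat as suspicious
    return ip.is_loopback or ip.is_unspecified


def is_watched(hostname):
    return any(hostname == s or hostname.endswith("." + s) for s in WATCHED_SUFFIXES)


def find_hijacks(text):
    """Return [(line_no, address, hostname)] for watched hosts pinned elsewhere."""
    findings = []
    for line_no, address, hostnames in parse_hosts(text):
        if is_local(address):
            continue  # blocking/sinkhole entries are normal
        for host in hostnames:
            if is_watched(host):
                findings.append((line_no, address, host))
    return findings


def audit_file(path=DEFAULT_HOSTS_PATH):
    """Read-only audit of a real hosts file; no elevation needed to read it."""
    return find_hijacks(Path(path).read_text(encoding="utf-8", errors="replace"))


# Constructed sample: lines 3-5 are benign, lines 6-7 are hijack-style entries.
SAMPLE_HOSTS = """\
# constructed sample hosts file for the demonstration
# localhost name resolution is handled within DNS itself.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.test        # user-added ad block, benign
198.51.100.23   www.gstatic.com         # Google CDN host pinned to a foreign address
203.0.113.7     www.google.com ssl.gstatic.com
"""

if __name__ == "__main__":
    for line_no, address, host in find_hijacks(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {address}  (watched domain pinned to a non-local address)")
```

Run `audit_file()` on the live file to check a real machine; it only reads the file and reports line numbers for review, so the decision to remove an entry stays with the person doing the cleanup. If a watched domain is pinned, that is also a useful prompt to check the router and DNS settings Marcos mentions, since a hosts-file edit and an upstream redirect produce the same symptom in the browser.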
Thisara (author, posted April 20, 2020):
On 4/18/2020 at 12:00 AM, Thisara said: Dear Bala, What I did was format the machine. But as I think about it, after that I could get the solution. You need to access the hosts file in (Windows, System32, drivers, etc) and edit it: remove the www.gstatic.com line. Then it should be OK. Try it and comment. Best Regards, Thisara
Dear Bala,
Does it work? Or does the issue remain the same?
Best Regards, Thisara