
AV stopped "trojan" after visiting website

Tags: trojan, website

Hi everyone
whenever I visit one particular website, after about 1 second my antivirus software (AV in the following) notifies me that it removed a threat:
Trojan:Downloader.JS/Vdehu.A at file:C:\Users\xxxxx\AppData\Local\Chromium\User Data\Default\Cache\f_003655
This never happened before and only occurs at that particular website. Please advise whether I may publicly post this potentially dangerous website.
After some testing, I noticed that the AV only complains when I visit the website using Chrome (Iron, v75) or Opera (latest). Firefox (latest) does not cause the behaviour. I can replicate the behaviour on a second (Win10) computer. Both computers are in the same local network but otherwise independent.
Being aware that my Chrome-based browser (Iron, v75) is not up-to-date, I wanted to try a newer version. I downloaded the archive (ungoogled, up-to-date) from here: https://chromium.woolyss.com/
Right after launching chrome.exe I suddenly got another AV notification; this time it was:
Behavior:Win32/Cerber.gen!A!:rsm
No file path is given.
I downloaded the latest Kaspersky Rescue Disk (USB boot thingy) and did a complete scan: no results.
Meanwhile I have booted the computer several times. I keep an eye on the task manager and TCPView (probably giving me some false sense of security). I have not noticed anything different.
1) I did read http://www.geekstogo...cleaning-guide/. However, it requires running FRST as admin. Before I do that, may I kindly ask whether it is possible that malware can spy on the act of entering the admin password and then get elevated rights? Alternatively, would a non-admin report suffice?
2) Ideally, you would allow me to post the allegedly malicious website and somebody could try to replicate the AV warning. It is a job advert of a large, well-known corporation, redirected from a website owned by a government institution.
3) I also would like to make sure that it is a client issue at all - which the first download trojan may not really suggest. As for the second ransom trojan: if you have one Chrome version installed and then try to run another portable version, it accesses the profile data of the installed version. Since the installed Chrome version is a stripped-down fork (Iron), it may miss those features of the portable one that trigger the ransom trojan. Put differently, the ransom trojan may sit in the Chrome user data directory, trying to do its thing but failing due to missing admin rights / AV intervention.
I am a bit scared to further investigate the ransom trojan. Is there a way to run an exe with a very limited set of permissions or so (like limiting write access to the Chrome user data folder)? Or anything else I can **safely** do to learn where the ransom trojan originates from?
4) Please let me know if you need further information.
Some details:
Win7 64 (latest)
Microsoft Security Essentials (latest)
Best wishes
Several edits: I should include the malware name in the title but the title length is too limited.

Edited by JanTro, 20 November 2019 - 04:18 AM.

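The isolation asked about in point 3 of the post (keeping a portable Chromium away from the installed browser's profile, and running it with fewer rights) can be set up from a non-elevated PowerShell prompt. The script below is an added example for this page, not part of the original thread and not a reply from the forum. It assumes the flagged cache entry lives under the current user's LOCALAPPDATA (the post shows a redacted path), that the portable build was extracted to C:\Tools\ungoogled-chromium, and that the isolated profile goes under TEMP; all three are assumptions.

```powershell
# Added example, not from the original thread. Paths are assumptions; adjust them.
# Deliberately runs without elevation, so no admin credential prompt is involved.

# 1) Record the flagged cache file before the AV quarantines or deletes it.
#    Assumption: the AV path from the post maps to this user's LOCALAPPDATA.
#    Get-FileHash needs PowerShell 4.0 or later (WMF 4.0 on Windows 7).
$flagged = Join-Path $env:LOCALAPPDATA 'Chromium\User Data\Default\Cache\f_003655'
if (Test-Path -LiteralPath $flagged) {
    Get-FileHash -Algorithm SHA256 -LiteralPath $flagged | Format-List Algorithm, Hash, Path
} else {
    Write-Host "Flagged cache entry not present (probably already removed by the AV)."
}

# 2) Portable Chromium binary (assumed extraction path, chosen without spaces
#    so the runas command line below needs no nested quoting).
$portable = 'C:\Tools\ungoogled-chromium\chrome.exe'
if (-not (Test-Path -LiteralPath $portable)) { throw "chrome.exe not found at $portable" }

# Authenticode status of the downloaded binary. Community builds are often
# unsigned; 'NotSigned' is a data point to record, not proof of tampering.
Get-AuthenticodeSignature -FilePath $portable | Select-Object Status, StatusMessage

# 3) Fresh, empty profile directory. --user-data-dir makes Chromium keep all
#    profile data there, so the portable build never opens the installed
#    browser's 'User Data' folder (neither reading nor writing it).
$profileDir = Join-Path $env:TEMP 'chromium-isolated'
New-Item -ItemType Directory -Force -Path $profileDir | Out-Null

# 4) Launch with a 'Basic User' restricted token (0x20000): the admin group
#    SID becomes deny-only and elevated privileges are stripped, even if the
#    current account is an administrator. 'runas /showtrustlevels' lists the
#    levels available on the machine.
$cmd = "$portable --user-data-dir=$profileDir --no-first-run"
runas /trustlevel:0x20000 $cmd
```

After the browser opens, chrome://version should list the isolated TEMP directory as its Profile Path; if it shows the installed browser's User Data folder instead, the flag did not take and the process should be closed. The restricted token only limits the process's rights; it does not tell you where a detection came from, so if the Behavior:Win32/Cerber.gen!A!:rsm notification reappears under this launch, that points at the portable binary or its own first-run activity rather than at the installed profile, whereas silence points the other way. Neither outcome replaces the FRST log the cleaning guide asks for.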

