topic Re: Remove JS:Adware.Lnkr.E in Endpoint Security

Remove JS:Adware.Lnkr.E

mradamorales — Wed, 24 Mar 2021 18:38:07 GMT

After a running running a full scan we still received email from Cisco AMP the computer is infected.... how i can remove it...

- Event Type: Threat Detected
- Computer: CDCMKTGHJPCL63
- Hostname: CDCMKTGHJPCL63
- IP: 192.168.1.186, 10.101.214.190
- Detection: JS:Adware.Lnkr.E
- File: e7c6af52-44c5-4edf-b2e8-06b400978330.tmp
- File path: \\?\C:\Users\astewart\AppData\Local\Temp\e7c6af52-44c5-4edf-b2e8-06b400978330.tmp
- Detection SHA-256:041d08101884d7d0a91ce2b98cffd8a5ffca75941e4556ddbf5da7bb7f984ac2
- By Application: chrome.exe
- Application SHA-256:bb8b199f504db7e81cf32ce3c458d2a8533beac8dcefa5df024fa79fe132648a
- Severity: Medium
- Timestamp: 2021-03-24 15:54:27 +0000 UTC

Re: Remove JS:Adware.Lnkr.E

ppreenja — Fri, 26 Mar 2021 04:38:03 GMT

Hi,

For the detected SHA-256 value, I don't see any detection on AMP.

Please check for the event details on the AMP console and share the screenshot so that I can suggest accordingly.

Also, please make sure that the email is a genuine email received from AMP.

Note: You can open a TAC case as well to investigate further.

Cheers,

Pratham

Re: Remove JS:Adware.Lnkr.E

cheo.codda — Tue, 13 Jul 2021 15:24:52 GMT

I have this problem too, and it's been going on for some time. No one from Cisco can give me an answer. The SHA changes every few days and is never in VirusTotal. It would be nice if Cisco had a definition of what JS:Adware.Lnkr.E is specifically triggering on.

Re: Remove JS:Adware.Lnkr.E

TruthNotTruth — Wed, 11 Aug 2021 12:40:19 GMT

Imagine you were downloading something from the web, but arbitrarily decided to check the file's integrity only halfway through the download using the .tmp file for the download. A useless and pointless exercise some might say, but every single time I see these (which is what lead me to searching the community) this is what looks to be happening. It guarantees the 'detection' hash is always unique and always useless, and of course the file will never exist at that location after the event - this is the nature of a temp file.

These don't usually appear to be user-initiated downloads in my experience, but rather a user visits some website that uses GZip compressed .JS files and AMP generates a meaningless false positive detection as a result. Curious what others may have done to remedy this as it seems the only solution would be to either exclude the threat category or use a path-based exclusion for 'C:\Users\*\AppData\Local\Temp\*.tmp'.

Re: Remove JS:Adware.Lnkr.E

David Janulik — Thu, 12 Aug 2021 07:58:35 GMT

This is a temp file and it is harmless to delete out from the disk. Do not create any exclusion for the temp file, just keep your Internet browsing safe. I personally think the infection will no longer pops up if the temp directory is cleaned \\?\C:\Users\astewart\AppData\Local\Temp\e7c6af52-44c5-4edf-b2e8-06b400978330.tmp

Re: Remove JS:Adware.Lnkr.E

ccodda — Thu, 12 Aug 2021 15:02:49 GMT

Hey David,

Unfortunately, we've already tried that and it just kept coming up (different file & SHA of course). We removed everything in Temp, rebooted, and disabled all browser plugins. One user we even re-imaged his machine and it came back. Most likely sounds like what user 'TruthNotTruth' had to say about website drive-by. Can you provide what AMP/Secure EndPoint is flagging on these types of events?

Thanks,

Cheo