cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4024
Views
10
Helpful
5
Replies

Remove JS:Adware.Lnkr.E

mradamorales
Level 1
Level 1

After a running running a full scan we still received email from Cisco AMP the computer is infected.... how i can remove it...

 

    • Event Type: Threat Detected
    • Computer: CDCMKTGHJPCL63
    • Hostname: CDCMKTGHJPCL63
    • IP: 192.168.1.186, 10.101.214.190
    • Detection: JS:Adware.Lnkr.E
    • File: e7c6af52-44c5-4edf-b2e8-06b400978330.tmp
    • File path: \\?\C:\Users\astewart\AppData\Local\Temp\e7c6af52-44c5-4edf-b2e8-06b400978330.tmp
    • Detection SHA-256:041d08101884d7d0a91ce2b98cffd8a5ffca75941e4556ddbf5da7bb7f984ac2
    • By Application: chrome.exe
    • Application SHA-256:bb8b199f504db7e81cf32ce3c458d2a8533beac8dcefa5df024fa79fe132648a
    • Severity: Medium
    • Timestamp: 2021-03-24 15:54:27 +0000 UTC

 

5 Replies 5

ppreenja
Cisco Employee
Cisco Employee

Hi,

 

For the detected SHA-256 value, I don't see any detection on AMP.

Please check for the event details on the AMP console and share the screenshot so that I can suggest accordingly.

Also, please make sure that the email is a genuine email received from AMP.

 

Note: You can open a TAC case as well to investigate further.

 

Cheers,

Pratham

 

cheo.codda
Level 1
Level 1

I have this problem too, and it's been going on for some time. No one from Cisco can give me an answer. The SHA changes every few days and is never in VirusTotal. It would be nice if Cisco had a definition of what JS:Adware.Lnkr.E is specifically triggering on.

Imagine you were downloading something from the web, but arbitrarily decided to check the file's integrity only halfway through the download using the .tmp file for the download. A useless and  pointless exercise some might say, but every single time I see these (which is what lead me to searching the community) this is what looks to be happening. It guarantees the 'detection' hash is always unique and always useless, and of course the file will never exist at that location after the event - this is the nature of a temp file.

 

These don't usually appear to be user-initiated downloads in my experience, but rather a user visits some website that uses GZip compressed .JS files and AMP generates a meaningless false positive detection as a result. Curious what others may have done to remedy this as it seems the only solution would be to either exclude the threat category or use a path-based exclusion for 'C:\Users\*\AppData\Local\Temp\*.tmp'.

David Janulik
Cisco Employee
Cisco Employee

This is a temp file and it is harmless to delete out from the disk. Do not create any exclusion for the temp file, just keep your Internet browsing safe. I personally think the infection will no longer pops up if the temp directory is cleaned \\?\C:\Users\astewart\AppData\Local\Temp\e7c6af52-44c5-4edf-b2e8-06b400978330.tmp

Cyber security escalation engineer

Hey David,

Unfortunately, we've already tried that and it just kept coming up (different file & SHA of course). We removed everything in Temp, rebooted, and disabled all browser plugins. One user we even re-imaged his machine and it came back. Most likely sounds like what user 'TruthNotTruth' had to say about website drive-by. Can you provide what AMP/Secure EndPoint is flagging on these types of events?

 

Thanks,

Cheo