
"HEUR:Trojan.Script.Generic" is detected by Kaspersky #690

Closed
spnova1 opened this issue Apr 29, 2019 · 4 comments
@spnova1

spnova1 commented Apr 29, 2019

### Sorry, wrong quotes in previous issue. Files from Tampermonkey are reported here:

"HEUR:Trojan.Script.Generic" is detected from files listed below:

  1. D:\Program Files (x86)\Google\Local\Google\Chrome\User Data\Profile 2\Extensions\dhdgffkkebhmkfjojejmpbldmpobfkfo\4.8_0\storage.js//d:\program files (x86)\google\local\google\chrome\user data\profile 2\extensions\dhdgffkkebhmkfjojejmpbldmpobfkfo\4.8_0\background.html

  2. D:\Program Files (x86)\Google\Local\Google\Chrome\User Data\Profile 2\Extensions\dhdgffkkebhmkfjojejmpbldmpobfkfo\4.8_0\storage.js//d:\program files (x86)\google\local\google\chrome\user data\profile 2\extensions\dhdgffkkebhmkfjojejmpbldmpobfkfo\4.8_0\background.html

  3. D:\Program Files (x86)\Google\Local\Google\Chrome\User Data\Profile 2\Extensions\dhdgffkkebhmkfjojejmpbldmpobfkfo\4.8_0\parser.js

  4. D:\Program Files (x86)\Google\Local\Google\Chrome\User Data\Profile 2\Extensions\dhdgffkkebhmkfjojejmpbldmpobfkfo\4.8_0\parser.js//d:\program files (x86)\google\local\google\chrome\user data\profile 2\extensions\dhdgffkkebhmkfjojejmpbldmpobfkfo\4.8_0\background.html

  5. D:\Program Files (x86)\Google\Local\Google\Chrome\User Data\Profile 2\Extensions\dhdgffkkebhmkfjojejmpbldmpobfkfo\4.8_0\parser.js//d:\program files (x86)\google\local\google\chrome\user data\profile 2\extensions\dhdgffkkebhmkfjojejmpbldmpobfkfo\4.8_0\background.html

  6. D:\Program Files (x86)\Google\Local\Google\Chrome\User Data\Profile 2\Extensions\jgphnjokjhjlcnnajmfjlacjnjkhleah\5.9.20_0\js\background.js//d:\program files (x86)\google\local\google\chrome\user data\profile 2\extensions\dhdgffkkebhmkfjojejmpbldmpobfkfo\4.8_0\background.html

  7. D:\Program Files (x86)\Google\Local\Google\Chrome\User Data\Profile 2\Extensions\dhdgffkkebhmkfjojejmpbldmpobfkfo\4.8_0\icon.js

  8. D:\Program Files (x86)\Google\Local\Google\Chrome\User Data\Profile 2\Extensions\dhdgffkkebhmkfjojejmpbldmpobfkfo\4.8_0\icon.js//d:\program files (x86)\google\local\google\chrome\user data\profile 2\extensions\dhdgffkkebhmkfjojejmpbldmpobfkfo\4.8_0\background.html

  9. D:\Program Files (x86)\Google\Local\Google\Chrome\User Data\Profile 2\Extensions\dhdgffkkebhmkfjojejmpbldmpobfkfo\4.8_0\icon.js//d:\program files (x86)\google\local\google\chrome\user data\profile 2\extensions\dhdgffkkebhmkfjojejmpbldmpobfkfo\4.8_0\background.html

  10. D:\Program Files (x86)\Google\Local\Google\Chrome\User Data\Profile 2\Extensions\dhdgffkkebhmkfjojejmpbldmpobfkfo\4.8_0\vendor\forge-sha256\forge-sha256.js

  11. D:\Program Files (x86)\Google\Local\Google\Chrome\User Data\Profile 2\Extensions\dhdgffkkebhmkfjojejmpbldmpobfkfo\4.8_0\vendor\forge-sha256\forge-sha256.js//d:\program files (x86)\google\local\google\chrome\user data\profile 2\extensions\dhdgffkkebhmkfjojejmpbldmpobfkfo\4.8_0\background.html

  12. D:\Program Files (x86)\Google\Local\Google\Chrome\User Data\Profile 2\Extensions\dhdgffkkebhmkfjojejmpbldmpobfkfo\4.8_0\vendor\forge-sha256\forge-sha256.js//d:\program files (x86)\google\local\google\chrome\user data\profile 2\extensions\dhdgffkkebhmkfjojejmpbldmpobfkfo\4.8_0\background.html

And Kaspersky deleted all those files already.
What's wrong with these files, and can I trust all these files and recover them?

@derjanb
Member

derjanb commented Apr 29, 2019

This is a false alarm, because Tampermonkey is not a trojan. Most probably this is related to #635 (comment).

I'm not sure how to convince Kaspersky that the extension itself is not a problem.

@filbo

filbo commented Apr 29, 2019

This may not be a false alarm; instead, it may be that those files are in fact corrupted on @spnova1's system.

If they are corrupted, it was done by some sort of malware which has nothing directly to do with Tampermonkey. TM is just a victim.

@spnova1, do you have a way to retrieve the files? Anti-malware packages may either completely remove files, or 'quarantine' them in some package-specific way. If you don't know, maybe Kaspersky support or some sort of FAQ can help you find them.

The files it listed are mostly fairly straightforward. I am curious to see the contents of one, let us say:

D:\Program Files (x86)\Google\Local\Google\Chrome\User Data\Profile 2\Extensions\dhdgffkkebhmkfjojejmpbldmpobfkfo\4.8_0\background.html

This should be a file of about 1 kilobyte with 35 text lines, most of which look like:

<script src="something.js"></script>

If it has been changed by malware, the difference should be obvious. If you are able to look at it in a file viewer or text editor, maybe you could paste a screenshot of it here (screenshot should be a sufficiently safe way to pass around potential malware).
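One way to turn the check filbo describes (a short background page whose script tags only reference local `.js` files) into something repeatable. This is an added example for this thread, not code from Tampermonkey or from any participant; the two embedded HTML samples are constructed for illustration, and the script file names in them are assumed, not the extension's real file list.

```python
"""Audit a Chrome extension's background.html for deviations from the expected
shape: a short file whose <script> tags only load local .js files relative to
the extension directory (added example, not Tampermonkey's own code)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample of a clean background page (file names are illustrative).
CLEAN_BACKGROUND_HTML = """<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<script src="vendor/forge-sha256/forge-sha256.js"></script>
<script src="parser.js"></script>
<script src="icon.js"></script>
<script src="storage.js"></script>
</head>
<body></body>
</html>
"""

# Constructed sample of the same page after hypothetical tampering: one script
# pulled from a remote host and one injected inline script body.
TAMPERED_BACKGROUND_HTML = CLEAN_BACKGROUND_HTML.replace(
    '<script src="storage.js"></script>',
    '<script src="storage.js"></script>\n'
    '<script src="https://example.invalid/inject.js"></script>\n'
    "<script>eval(atob('...'))</script>",
)


class _ScriptCollector(HTMLParser):
    """Collect every <script> tag: its src attribute (or None) and whether it
    carried an inline body."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            self._open = {"src": dict(attrs).get("src"), "inline": False}

    def handle_data(self, data):
        # HTMLParser hands script bodies to handle_data; any non-blank body
        # between <script> and </script> counts as inline code.
        if self._open is not None and data.strip():
            self._open["inline"] = True

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._open is not None:
            self.scripts.append(self._open)
            self._open = None


def audit_background_html(text, max_lines=60):
    """Return a list of findings; an empty list means the page matches the
    expected shape (short, external local script references only)."""
    findings = []
    line_count = text.count("\n") + 1
    if line_count > max_lines:
        findings.append(
            f"unexpectedly long: {line_count} lines (expected well under {max_lines})"
        )
    parser = _ScriptCollector()
    parser.feed(text)
    for script in parser.scripts:
        src = script["src"]
        if script["inline"]:
            findings.append("inline <script> body present (expected external src only)")
        if src is None:
            continue
        parts = urlsplit(src)
        if parts.scheme or parts.netloc:
            findings.append(f"script loaded from outside the extension: {src}")
        elif src.startswith("/") or ".." in src.split("/"):
            findings.append(f"script path escapes the extension directory: {src}")
    return findings


if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_BACKGROUND_HTML),
                          ("tampered", TAMPERED_BACKGROUND_HTML)):
        print(label, "->", audit_background_html(sample) or "no findings")
```

Run against the real file by reading it from the extension directory and passing the text to `audit_background_html`; a clean page yields no findings, while a remote `src` or an inline script body is reported line by line. The check is deliberately conservative: it flags structure that a plain extension page has no reason to contain rather than trying to recognise any particular malware.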

@khawlashaikh

I have got an alert from Kaspersky with the same trojan (Trojan HEUR:Trojan.Script.Generic) as mentioned above; however, the location is different, i.e. "C:\Users\xyz\AppData\Local\Google\Chrome\UserData\Default\Extensions\dgpfeomibahlpbobpnjpcobpechebadh\1.5_0\adblock-stats.js", and it is flagged with "High" threat level.
Does this mean the "ad block" extension being used in Chrome is an infected one? How do I confirm?

@derjanb
Member

derjanb commented Feb 23, 2021

> How do I confirm?

  1. Google for dgpfeomibahlpbobpnjpcobpechebadh
  2. Check whether it is (still) in the Web Store (it is not!) -> https://chrome.google.com/webstore/detail/dgpfeomibahlpbobpnjpcobpechebadh

In your case you should remove the extension.

As a side note: this is the Tampermonkey browser extension bugtracker and no Kaspersky support forum. ;-)
