Trojan:JS/Flafisi.D

Step by step instructions on how to remove this. Not good with computers 

Trojan:JS/Flafisi.D 

Affected items:

file: C:\User\Mike & Linda\AppData\Local\Packages\MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\8EBUU0A6\FlashPlayer[1].hta

Answer

Microsoft, I can confirm this behavior two times in the last two weeks with MSN. On two separate occasions, while viewing an article that was on MSN, the browser would start redirecting to a strange URL. I immediately closed Edge when I saw this. My settings are to clear temporary storage from Edge when I close the browser.

It seems advertisements are still becoming plagued with drive-by downloads.  Some of the reason users resort to ad blockers is to avoid this kind of issue.   What is Microsoft doing about plagued advertisements?

Good question, ErolD.IT. I set up a thread specifically to bring this malvertising on the MSN news pages to Microsoft’s attention.

Important Update

The following thread is now being monitored by a member of the MSN Engineering team, and you can report any malware that you're currently seeing on MSN pages directly to the investigator here:  

https://answers.microsoft.com/en-us/protect/forum/protect_defender-protect_scanning-windows_10/im-seeing-trojanjsflafisid-detections-and-tech/8fbe8eaf-1af0-4e76-9ab0-57828f631a5f

And that discussion thread was “escalated” by Community Moderator bhringer in this thread, but to no avail:

https://answers.microsoft.com/en-us/protect/forum/protect_defender-protect_scanning-windows_10/is-trojanjsflafisid-from-windows-10-defender-it/f0d42e70-7e7c-4d58-8941-6fd3ceb471d9

But it’s the present thread that’s getting all of the hits for the issue, just because it appears at the top of search results for “Trojan:JS/Flafisi.D” – so the scope of the problem on the MSN news pages isn’t being fully appreciated. And it’s amazing that this thread actually made it to the top of the list, with all of those pages and pages of SpyHunter-sponsored sites that turn up in the search results for “Trojan:JS/Flafisi.D”. So the whole default “Windows experience” is getting just a little too uncomfortable for me.

GreginMich

4 people were helped by this reply


Answer

When I run Windows Defender scans it shows this same Trojan JS/Flatis:D virus or whatever you want to call it on my computer. It quarantines it and then I have to clear the Windows Defender history to get rid of it. But it keeps coming back. I use a voice over internet program called "Discord" and I play a WWII multiplayer online game called Fighter.be. I'm not sure where this Trojan is coming from but I need to get rid of it for good. Tell us how to remove it and keep it off our hard drives please.

The fake Adobe Flash Player update page isn’t being spawned by any malware residing on the local system drive – the webpage that you’re on is simply being redirected to a malware site with a JavaScript forced redirect – where window.top.location = "http://malware.com" is being set from a cross-domain advertising iframe:

https://blog.confiant.com/how-bad-ads-hijack-your-browser-with-one-simple-trick-712ad3590a13

There are several different versions of the fake Adobe Flash Player update that you might encounter, depending on the browser and the specific website, and there are also several other “fake update” templates out there. The one that’s currently being delivered on MSN portal pages is detected as Trojan:JS/Flafisi.D, which is specifically a detection for the FlashPlayer.hta file associated with the KovCoreG malvertising group. And since this fake update is being delivered via a compromised advertising domain that's been connected to the host site – the detection will recur frequently upon returning to the host site, without indicating the presence of any persistent malware:

https://www.bleepingcomputer.com/news/security/malvertising-group-spreading-kovter-malware-via-fake-browser-updates/

For Microsoft Edge, the best defense against these malvertising redirects is to install uBlock Origin, or another ad-blocker extension, directly from the Edge Settings menu:

Settings and more > Extensions > Get extensions from the Store

The documentation for uBlock Origin, and the instructions for installing it on other browsers, are available here:

https://github.com/gorhill/uBlock

We’ve had a couple of reports indicating that uBlock Origin isn’t consistently blocking the fake Adobe Flash Player update page. If this becomes an issue, then consider trying the frame-blocking option:

https://github.com/gorhill/uBlock/wiki/Dynamic-filtering:-Benefits-of-blocking-3rd-party-iframe-tags

The logic underlying this recommendation is elaborated in this thread:

https://answers.microsoft.com/en-us/protect/forum/protect_other-protect_scanning-windows_7/google-chrome-critical-error-red-screen/052123a3-ef9f-4561-a91a-79e43c9b6a4c

And also note that Google Chrome has implemented an internal redirect-blocker to deal with this issue:

https://blog.chromium.org/2017/11/expanding-user-protections-on-web.html

If you’re seeing any malware or scam pages specifically on MSN pages, then you can report the name of the malware, and the name of the MSN host page, directly to the member of the MSN Engineering team who’s investigating the issue:

https://answers.microsoft.com/en-us/protect/forum/protect_defender-protect_scanning-windows_10/im-seeing-trojanjsflafisid-detections-and-tech/8fbe8eaf-1af0-4e76-9ab0-57828f631a5f

GreginMich

3 people were helped by this reply
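
The redirect described in the answer above depends on a cross-domain advertising iframe being allowed to set window.top.location. As an added example (not part of this thread, and aimed at a site operator rather than a home user), the following Node.js script scans page markup for third-party iframes that either lack a sandbox attribute or whose sandbox grants allow-top-navigation. The page URL, ad URLs and sample HTML are constructed values, and the regex scan is a simplification of real HTML parsing.

```javascript
// Added example: flag third-party iframes that may navigate the top-level page.
// PAGE_URL and SAMPLE_HTML are constructed sample values, not taken from MSN.
const PAGE_URL = "https://news.example/article";
const SAMPLE_HTML = `
<iframe src="https://ads.example.net/slot1"></iframe>
<iframe src="https://ads.example.net/slot2" sandbox="allow-scripts allow-top-navigation"></iframe>
<iframe src="https://ads.example.net/slot3" sandbox="allow-scripts allow-popups"></iframe>
<iframe src="https://ads.example.net/slot4" sandbox="allow-scripts allow-top-navigation-by-user-activation"></iframe>
<iframe src="/widgets/comments"></iframe>
`;

// Read one attribute from a tag string; null means the attribute is absent,
// "" means it is present without a value.
function getAttr(tag, name) {
  const re = new RegExp(
    `\\s${name}(?![\\w-])(?:\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+)))?`, "i");
  const m = tag.match(re);
  if (!m) return null;
  return m[1] ?? m[2] ?? m[3] ?? "";
}

// Return one finding per cross-origin iframe that can redirect the top window.
function auditFrames(html, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const findings = [];
  for (const [tag] of html.matchAll(/<iframe\b[^>]*>/gi)) {
    const src = getAttr(tag, "src");
    if (!src) continue;                        // frames without a src are out of scope
    const url = new URL(src, pageUrl);         // resolves relative URLs
    if (url.origin === pageOrigin) continue;   // same-origin frame, not third-party
    const sandbox = getAttr(tag, "sandbox");
    if (sandbox === null) {
      findings.push({ src: url.href, issue: "no sandbox attribute" });
    } else if (sandbox.toLowerCase().split(/\s+/).includes("allow-top-navigation")) {
      findings.push({ src: url.href, issue: "sandbox allows top navigation" });
    }
    // allow-top-navigation-by-user-activation is not flagged: it requires a user gesture.
  }
  return findings;
}

console.log(auditFrames(SAMPLE_HTML, PAGE_URL));
```

A sandboxed frame without allow-top-navigation cannot change the location of the page that embeds it, which is the behavior the forced redirect relies on.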


Question Info


Last updated January 21, 2020. Views: 12,787.