
Keep getting a Windows message about .js

zacRupnow
Go to solution Solved by zanthros,

You may want to look here for the answer as it looks like the malware is adaptive and respawns..........

http://www.bleepingcomputer.com/forums/t/347927/foobar2000-spawning-processes/

It asks me "how do you want to open this file" and if I select anything it does nothing or says the file doesn't exist. I selected foobar last time cause that shows me an exact location. It goes to an empty folder in C:\ProgramData. It might only happen while Chrome is open but I haven't tested (in normal use for me Chrome is always open) and if anyone just straight up knows what this is and how to stop or fix it then that would be great.

OIpqRXI.jpg

I run my browser through NSA ports to make their illegal jobs easier. :P
If it's not broken, take it apart and fix it.
http://pcpartpicker.com/b/fGM8TW


Can you take a print screen?

Is that the key next to Scroll Lock? Do I have to press a function key with it?

I run my browser through NSA ports to make their illegal jobs easier. :P
If it's not broken, take it apart and fix it.
http://pcpartpicker.com/b/fGM8TW


Is that the key next to Scroll Lock? Do I have to press a function key with it?

 

Yes, next to it. No, I don't think so! Just paste the print into a site like imgur and show us.


Yes, next to it. No, I don't think so! Just paste the print into a site like imgur and show us.

Done, but is it preferred to use imgur over the forum's gallery function in the future (I prefer limiting the accounts I have to sites I actually use)?

I run my browser through NSA ports to make their illegal jobs easier. :P
If it's not broken, take it apart and fix it.
http://pcpartpicker.com/b/fGM8TW


Done, but is it preferred to use imgur over the forum's gallery function in the future (I prefer limiting the accounts I have to sites I actually use)?

 

I don't have the solution to your problem, just wanted to let others help you. You don't need an imgur account to upload pictures and I'm not sure which one is preferred. I just like imgur.


.js is a JavaScript file, do you know what that file is for exactly? If you don't then I would do a malware scan, cause you really shouldn't be getting asked to open a .js script from Windows like that.

.js files are usually only used from within your browser, and by default your browser should know what to do with it.

CPU: Core i5 2500K @ 4.5GHz | MB: Gigabyte Z68XP-UD3P | RAM: 16GB Kingston HyperX @ 1866MHz | GPU: XFX DD R9 390 | Case: Fractal Design Define S | Storage: 500GB Samsung 850 EVO + WD Caviar Blue 500GB | PSU: Corsair RM650x | Soundcard: Creative Soundblaster X-Fi Titanium
Click here to help feed our lasses Pokemon


.js is a JavaScript file, do you know what that file is for exactly? If you don't then I would do a malware scan, cause you really shouldn't be getting asked to open a .js script from Windows like that.

.js files are usually only used from within your browser, and by default your browser should know what to do with it.

I've done full scans with AVG and Malwarebytes, nothing. Could it be leftover from Dregol? - A browser hijacker I had to get rid of after someone clicked an update popup window on Chrome. Never got the messages before that, but I was able to remove that completely, if this is left over it's just a script leading nowhere, like I said it goes to an empty folder. Would re-installing Java fix it?

I run my browser through NSA ports to make their illegal jobs easier. :P
If it's not broken, take it apart and fix it.
http://pcpartpicker.com/b/fGM8TW


I've done full scans with AVG and Malwarebytes, nothing. Could it be leftover from Dregol? - A browser hijacker I had to get rid of after someone clicked an update popup window on Chrome. Never got the messages before that, but I was able to remove that completely, if this is left over it's just a script leading nowhere, like I said it goes to an empty folder. Would re-installing Java fix it?

It most likely is, browser hijackers seem to like using JavaScript, but I seriously doubt that reinstalling Java would help, JavaScript is separate from Java, but update Java anyway or uninstall the browser version, you most likely don't need it and using it is a security vulnerability that you're better off without. If you use Java for Minecraft or development, you can disable the browser portion in the control panel for Java and that should be fine.

See if you can find the file that is trying to run and delete it, you may need to use the command prompt to do so, but also remove the folder it goes to even if it is empty.

It most likely is to do with that hijacker you got hit with, and you shouldn't just leave it, while ever that file is trying to be run your computer is still at risk and you leave yourself open to further malware attacks until you remove it.

CPU: Core i5 2500K @ 4.5GHz | MB: Gigabyte Z68XP-UD3P | RAM: 16GB Kingston HyperX @ 1866MHz | GPU: XFX DD R9 390 | Case: Fractal Design Define S | Storage: 500GB Samsung 850 EVO + WD Caviar Blue 500GB | PSU: Corsair RM650x | Soundcard: Creative Soundblaster X-Fi Titanium
Click here to help feed our lasses Pokemon


It most likely is, browser hijackers seem to like using JavaScript, but I seriously doubt that reinstalling Java would help, JavaScript is separate from Java, but update Java anyway or uninstall the browser version, you most likely don't need it and using it is a security vulnerability that you're better off without. If you use Java for Minecraft or development, you can disable the browser portion in the control panel for Java and that should be fine.

See if you can find the file that is trying to run and delete it, you may need to use the command prompt to do so, but also remove the folder it goes to even if it is empty.

It most likely is to do with that hijacker you got hit with, and you shouldn't just leave it, while ever that file is trying to be run your computer is still at risk and you leave yourself open to further malware attacks until you remove it.

Alright, I've uninstalled all Java stuff and set Chrome to not allow any site to run java. Do I need it on Chrome? Turning it off messes up a lot of older sites ymail, facebook...

 

I'll watch for the message for the rest of the day and if it works you win the prize!

 

Click the obvious malware link to claim your prize after a short 1000 subscription survey!

I run my browser through NSA ports to make their illegal jobs easier. :P
If it's not broken, take it apart and fix it.
http://pcpartpicker.com/b/fGM8TW


---

Nope just got the message again   :(

I run my browser through NSA ports to make their illegal jobs easier. :P
If it's not broken, take it apart and fix it.
http://pcpartpicker.com/b/fGM8TW


Nope just got the message again   :(

Okay, the file is still on your system and it seems that Dregol is still causing issues somewhere.

Can you follow the guide here and when you've done this for all the browsers on your system, can you check if the issue remains please?

If that doesn't fix it then you will need to uninstall all of your browsers except IE and delete the folders for them in "C:\Users\User_Name\AppData\Local" "C:\Users\User_Name\AppData\Local Low" and "C:\Users\User_Name\AppData\Roaming" (Replace "User_Name" with your Windows username) and check in "C:\Program Data" for any folders to do with your browsers, and delete them too and finally rerun MBAM in safe mode to make sure that there really is nothing left on your system.

The AppData folder is hidden by default as is the Program Data folder, if you copy those location links without the quotes and paste them into the address bar of Windows Explorer and press enter they will take you straight to the folders in question. Just make sure you replace User_Name with your actual username first :D

I won't reply until later today as it's currently 1.20AM here and I'm shattered, so good luck and I hope you can get it sorted and I will reply later on today.

CPU: Core i5 2500K @ 4.5GHz | MB: Gigabyte Z68XP-UD3P | RAM: 16GB Kingston HyperX @ 1866MHz | GPU: XFX DD R9 390 | Case: Fractal Design Define S | Storage: 500GB Samsung 850 EVO + WD Caviar Blue 500GB | PSU: Corsair RM650x | Soundcard: Creative Soundblaster X-Fi Titanium
Click here to help feed our lasses Pokemon


Okay, the file is still on your system and it seems that Dregol is still causing issues somewhere.

Can you follow the guide here and when you've done this for all the browsers on your system, can you check if the issue remains please?

If that doesn't fix it then you will need to uninstall all of your browsers except IE and delete the folders for them in "C:\Users\User_Name\AppData\Local" "C:\Users\User_Name\AppData\Local Low" and "C:\Users\User_Name\AppData\Roaming" (Replace "User_Name" with your Windows username) and check in "C:\Program Data" for any folders to do with your browsers, and delete them too and finally rerun MBAM in safe mode to make sure that there really is nothing left on your system.

The AppData folder is hidden by default as is the Program Data folder, if you copy those location links without the quotes and paste them into the address bar of Windows Explorer and press enter they will take you straight to the folders in question.

I won't reply until later today as it's currently 1.20AM here and I'm shattered, so good luck and I hope you can get it sorted and I will reply later on today.

I think it came from Dregol but it's something different, I already removed all the codes and scripts for that manually last weekend

I run my browser through NSA ports to make their illegal jobs easier. :P
If it's not broken, take it apart and fix it.
http://pcpartpicker.com/b/fGM8TW


I think it came from Dregol but it's something different, I already removed all the codes and scripts for that manually last weekend

Something tells me that some of the files relating to Dregol haven't been completely removed, or you have more than just Dregol on your system causing issues, can you boot into safe mode and try running MBAM again and see if it finds anything.

I'm stuck atm, without knowing the file name it's difficult to figure out where the file could be, the only place it could be is in your browser's profile, and while it isn't ideal to delete your user profile from Chrome and IE and Firefox if you have it, it may be the only way you can remove it.

If you can also try and find the file's actual name, we can search for it and delete the file and maybe find out what else is causing issues. The problem with that is that I cannot find anything to do with a .js file causing this issue.

CPU: Core i5 2500K @ 4.5GHz | MB: Gigabyte Z68XP-UD3P | RAM: 16GB Kingston HyperX @ 1866MHz | GPU: XFX DD R9 390 | Case: Fractal Design Define S | Storage: 500GB Samsung 850 EVO + WD Caviar Blue 500GB | PSU: Corsair RM650x | Soundcard: Creative Soundblaster X-Fi Titanium
Click here to help feed our lasses Pokemon


  • 2 weeks later...

I think it's over now but I may be wrong

I deleted everything related to chrome after installing and importing bookmarks to Firefox. Then I uninstalled Chrome, re-installed it and imported my bookmarks and uninstalled Firefox.

I fucking hate Chrome's new bookmark UI menus.

 

EDIT:

STILL NOT FIXED.

I run my browser through NSA ports to make their illegal jobs easier. :P
If it's not broken, take it apart and fix it.
http://pcpartpicker.com/b/fGM8TW


Have a look at your extensions in chrome, some browser hijackers will leave an extension behind that will try to download it again.


Have a look at your extensions in chrome, some browser hijackers will leave an extension behind that will try to download it again.

The thing is, is that he has already been through his browser's extensions, even removed the browsers that are affected and deleted the profiles for them, so I really don't know at this point, whatever it is, it's one hell of a persistent bitch and without knowing the file name we'll be stuck at this impasse until someone far more knowledgeable than us can figure it out. :(

It's one of those frustrating issues that probably has a stupidly easy fix, but without access to his computer directly it's impossible to figure it out.

@zacRupnow

I sincerely apologise for not having the answer you're looking for, I've never come across this issue before and I can appreciate just how frustrating it must be for you, I loathe not being able to fix any issue, and it appears that for the moment this is one of those times where I can't help you, and I don't really know at this point what else to do.

I hate having to ask someone to do this, but could you keep an eye on what programs are open, what background tasks are running and what changes in task manager just before the popup appears. Also could you take a look inside the startup tab of Task Manager and write down here what you've got running at startup, there might be something there that can point us in the right direction.

Also, if you can, could you see if running your browsers in safe mode stops it from happening, if it doesn't then we can pretty much rule out your browsers completely, and it is most likely occurring elsewhere on your system.

I hope we can get to the bottom of this, and I really do not want to go down the route of a reinstall, I don't doubt that it will get rid of the issue, but it won't help anyone else who has the issue and is looking for a fix without resorting to a reinstall, and helping others in the same situation is just as important as helping you.

CPU: Core i5 2500K @ 4.5GHz | MB: Gigabyte Z68XP-UD3P | RAM: 16GB Kingston HyperX @ 1866MHz | GPU: XFX DD R9 390 | Case: Fractal Design Define S | Storage: 500GB Samsung 850 EVO + WD Caviar Blue 500GB | PSU: Corsair RM650x | Soundcard: Creative Soundblaster X-Fi Titanium
Click here to help feed our lasses Pokemon


The thing is, is that he has already been through his browser's extensions, even removed the browsers that are affected and deleted the profiles for them, so I really don't know at this point, whatever it is, it's one hell of a persistent bitch and without knowing the file name we'll be stuck at this impasse until someone far more knowledgeable than us can figure it out. :(

It's one of those frustrating issues that probably has a stupidly easy fix, but without access to his computer directly it's impossible to figure it out.

Sorry didn't see you'd gone through that, if you sign into chrome it re-installs all your extensions even dodgy ones(it backs them up to Cloud storage), I've had an issue like this and when you re-install chrome re-downloads the malware.

 

What is the full path/filename of the file it's trying to run? It sounds like you've got rid of the main malware but not got whatever it is that starts it. Can you start msconfig (start > run > msconfig) go to the Services tab, Hide all Microsoft services, and have a look down the list, un-tick anything you don't recognise, or query here/google.

Also on task manager on the start-up tab, anything that looks odd > right click on open file location should help you see if it's legit.


Sorry didn't see you'd gone through that, if you sign into chrome it re-installs all your extensions even dodgy ones(it backs them up to Cloud storage), I've had an issue like this and when you re-install chrome re-downloads the malware.

 

What is the full path/filename of the file it's trying to run? It sounds like you've got rid of the main malware but not got whatever it is that starts it. Can you start msconfig (start > run > msconfig) go to the Services tab, Hide all Microsoft services, and have a look down the list, un-tick anything you don't recognise, or query here/google.

Also on task manager on the start-up tab, anything that looks odd > right click on open file location should help you see if it's legit.

That is a good point actually, I forgot about Chrome reinstating extensions, might be one place to look, but if he uninstalled the dodgy extension (if there even was one to begin with) before reinstalling Chrome then it shouldn't be amongst the list of extensions to add in when he reinstalled, at least, common sense would dictate that to be the case, but it's still a good point.

And that's another issue, we don't know the file name, if we did I could have shown him how to find it in a femto-second, but unfortunately when the popup shows up it only shows the extension, and there are thousands of .js files that are legitimate OS files, he'd be spending weeks going through each one and verifying each and every one of them, I already looked into searching using windows search and the cmd prompt to find any .js files and that was a dead end because there are usually thousands of them on an average Windows install.

I even googled for the issue already, there is absolutely nothing that is the same as the OP's problem, like I say, I've been down most areas of investigation and the only area left is that point you brought up about Chrome reinstalling extensions, and even then I'm not sure it'll find the culprit.

@zacRupnow

Could you go through your Chrome extensions list and make sure that there is nothing in there that you don't want and remove any that look suspicious please?

And also can you follow Beltboy's suggestion about checking the services tab in msconfig for any services that are not by Microsoft and disabling them, but make sure that you leave any by nVidia/Intel/AMD and any that are for your antivirus.

CPU: Core i5 2500K @ 4.5GHz | MB: Gigabyte Z68XP-UD3P | RAM: 16GB Kingston HyperX @ 1866MHz | GPU: XFX DD R9 390 | Case: Fractal Design Define S | Storage: 500GB Samsung 850 EVO + WD Caviar Blue 500GB | PSU: Corsair RM650x | Soundcard: Creative Soundblaster X-Fi Titanium
Click here to help feed our lasses Pokemon


If when you get the prompt up you use the windows based script host what happens, there are quite a few people reporting that generating errors, I'm wondering if part of the removal of Dregol broke the file association which is why you get this error rather than a more common one that others have seen.


Sorry didn't see you'd gone through that, if you sign into chrome it re-installs all your extensions even dodgy ones(it backs them up to Cloud storage), I've had an issue like this and when you re-install chrome re-downloads the malware.

 

What is the full path/filename of the file it's trying to run? It sounds like you've got rid of the main malware but not got whatever it is that starts it. Can you start msconfig (start > run > msconfig) go to the Services tab, Hide all Microsoft services, and have a look down the list, un-tick anything you don't recognise, or query here/google.

Also on task manager on the start-up tab, anything that looks odd > right click on open file location should help you see if it's legit.

I don't use cloud storage, after I reinstalled Chrome I put all my customizations back myself but I'll try this soon as I'm home.

I run my browser through NSA ports to make their illegal jobs easier. :P
If it's not broken, take it apart and fix it.
http://pcpartpicker.com/b/fGM8TW


If when you get the prompt up you use the windows based script host what happens, there are quite a few people reporting that generating errors, I'm wondering if part of the removal of Dregol broke the file association which is why you get this error rather than a more common one that others have seen.

It could be, you might be right, but I would have thought that breaking the file association for .js would be causing more issues than just this? But then again I've never had this particular issue before so what actually happens when .js files are disassociated from Windows is beyond my knowledge level.

@zacRupnow

Could you search in C:\Windows for a .js file using File Explorer please and see if .js has a file association assigned to it?

Do this to search for a file of a particular type.

Go to your Desktop, and open File Explorer and navigate to C:\Windows.

Type into the search bar on the upper right corner of the window "*.js" without the quotation marks and press enter.

A list of all files with the type .js and .json should appear.

Right click on 1 of the files with the .js file extension and then left click on Properties.

Look at the "Opens with" portion of the properties page, if it says "Microsoft Windows Based Script Host" then all .js files are correctly associated.

If it says it is assigned to the program above then your problem is different and we're still stuck as to what is causing the issue, if not then follow the guide below to set it to its correct association.

If it says anything else then you need to click on the button titled "Change" and in the window that opens look for the one titled "Microsoft Windows Based Script Host"

If that option isn't visible then click on the arrow next to the words "Other Programs" and look in there.

If it still isn't there then you need to click on Browse and navigate to C:\Windows\system32\wscript.exe and click on the file and then click "OK" then "OK" again and then once more and that should now set all .js files to open with the correct application.

I sincerely hope this fixes your issue, if it doesn't then we're gonna have to really get creative.

I take no credit for this if it works, the credit goes entirely to Beltboy for pointing me in the right direction.

CPU: Core i5 2500K @ 4.5GHz | MB: Gigabyte Z68XP-UD3P | RAM: 16GB Kingston HyperX @ 1866MHz | GPU: XFX DD R9 390 | Case: Fractal Design Define S | Storage: 500GB Samsung 850 EVO + WD Caviar Blue 500GB | PSU: Corsair RM650x | Soundcard: Creative Soundblaster X-Fi Titanium
Click here to help feed our lasses Pokemon
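
A scripted version of the checks suggested in this thread (the .js file association, plus the startup and services lists where Beltboy suggested looking for whatever starts the script), added here as an example and not posted by anyone in the thread. It assumes Windows 8 or later with PowerShell 3 or newer; the search pattern and the `New-Finding` / `Find-ScriptAutostart` helper names are this example's own.

```powershell
# Added example: read-only triage. It lists settings and changes nothing.

# 1. Which program is registered for .js? (machine-wide association and handler command)
$assoc = cmd /c assoc .js 2>$null                  # normally ".js=JSFile"
$assoc
if ($assoc) { cmd /c ftype (($assoc -split '=', 2)[1]) }
# A per-user "Open with" choice made in Explorer overrides the above and is stored here:
$userChoice = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.js\UserChoice'
(Get-ItemProperty -Path $userChoice -ErrorAction SilentlyContinue).ProgId

# 2. Which autostart entries mention a .js/.jse file or the Windows Script Host?
#    (assumed pattern for this example; .json does not match)
$pattern = '\.jse?\b|\b[wc]script(\.exe)?\b'

function New-Finding {
    param([string]$Source, [string]$Name, [string]$Command)
    # Extract the script path (quoted form first, then unquoted) and test whether it exists.
    # An unquoted path containing spaces is cut at the first space.
    $target = $null
    if     ($Command -match '"([^"]+\.jse?)"')     { $target = $Matches[1] }
    elseif ($Command -match '(\S+\.jse?)(?=\s|$)') { $target = $Matches[1] }
    $exists = $null
    if ($target) {
        $expanded = [Environment]::ExpandEnvironmentVariables($target)
        $exists = Test-Path -LiteralPath $expanded -ErrorAction SilentlyContinue
    }
    [pscustomobject]@{
        Source = $Source; Name = $Name; Command = $Command
        ScriptPath = $target; ScriptExists = $exists
    }
}

function Find-ScriptAutostart {
    # Run / RunOnce keys for the machine and the current user
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($path in $runKeys) {
        $key = Get-Item -Path $path -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            $value = [string]$key.GetValue($name)
            if ($value -match $pattern) { New-Finding $path $name $value }
        }
    }

    # Startup folders: resolve shortcuts to their real target and arguments
    $shell = New-Object -ComObject WScript.Shell
    foreach ($dir in 'Startup', 'CommonStartup') {
        $folder = [Environment]::GetFolderPath($dir)
        Get-ChildItem -LiteralPath $folder -File -ErrorAction SilentlyContinue | ForEach-Object {
            $cmd = $_.FullName
            if ($_.Extension -eq '.lnk') {
                $lnk = $shell.CreateShortcut($_.FullName)
                $cmd = '"{0}" {1}' -f $lnk.TargetPath, $lnk.Arguments
            }
            if ($cmd -match $pattern) { New-Finding $folder $_.Name $cmd }
        }
    }

    # Scheduled tasks: the program and arguments of every action
    foreach ($task in (Get-ScheduledTask)) {
        foreach ($action in $task.Actions) {
            $cmd = ('{0} {1}' -f $action.Execute, $action.Arguments).Trim()
            if ($cmd -match $pattern) { New-Finding ('Task ' + $task.TaskPath) $task.TaskName $cmd }
        }
    }

    # Services (the list msconfig shows on its Services tab)
    foreach ($svc in (Get-CimInstance -ClassName Win32_Service)) {
        if ([string]$svc.PathName -match $pattern) { New-Finding 'Service' $svc.Name $svc.PathName }
    }
}

Find-ScriptAutostart | Sort-Object ScriptExists | Format-List
```

An entry with `ScriptExists : False` refers to a script that is no longer on disk; its `Source` and `Name` fields show where that entry is stored. Run it from an elevated prompt so tasks and keys belonging to other accounts are visible.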


It could be, you might be right, but I would have thought that breaking the file association for .js would be causing more issues than just this? But then again I've never had this particular issue before so what actually happens when .js files are disassociated from Windows is beyond my knowledge level.

@zacRupnow

Could you search in C:\Windows for a .js file using File Explorer please and see if .js has a file association assigned to it?

Do this to search for a file of a particular type.

Go to your Desktop, and open File Explorer.

Type into the search bar on the upper right corner of the window "*.js" without the quotation marks and press enter.

A list of all files with the type .js and .json should appear.

Right click on 1 of the files with the .js file extension and then left click on Properties.

Look at the "Opens with" portion of the properties page, if it says "Microsoft Windows Based Script Host" then all .js files are correctly associated.

If it says it is assigned to the program above then your problem is different and we're still stuck as to what is causing the issue, if not then follow the guide below to set it to its correct association.

If it says anything else then you need to click on the button titled "Change" and in the window that opens look for the one titled "Microsoft Windows Based Script Host"

If that option isn't visible then click on the arrow next to the words "Other Programs" and look in there.

If it still isn't there then you need to click on Browse and navigate to C:\Windows\system32\wscript.exe and click on the file and then click "OK" then "OK" again and then once more and that should now set all .js files to open with the correct application.

I sincerely hope this fixes your issue, if it doesn't then we're gonna have to really get creative. I take no credit for this if it works, the credit goes entirely to Beltboy for pointing me in the right direction.

I'll try it when I'm home, also I'll post a picture of the file, when the window pops up I can select Foobar (yeah the music player) to run it and get the location there. Thing is Foobar finds it but when I go to the location, nothing is there, was deleted when I was first getting rid of Dregol. I really want to solve this crap, it seems browser hijackers are shall I say "coming into style" and I imagine many people will just see the camouflage of flash player updates.

I run my browser through NSA ports to make their illegal jobs easier. :P
If it's not broken, take it apart and fix it.
http://pcpartpicker.com/b/fGM8TW


It could be, you might be right, but I would have thought that breaking the file association for .js would be causing more issues than just this? But then again I've never had this particular issue before so what actually happens when .js files are disassociated from Windows is beyond my knowledge level.

 

-snip-

If it says anything else then you need to click on the button titled "Change" and in the window that opens look for the one titled "Microsoft Windows Based Script Host"

I take no credit for this if it works, the credit goes entirely to Beltboy for pointing me in the right direction.

I've done this now, just waiting to see if it worked.

 

EDIT:

NOPE Still happening  :( 

I run my browser through NSA ports to make their illegal jobs easier. :P
If it's not broken, take it apart and fix it.
http://pcpartpicker.com/b/fGM8TW


I've done this now, just waiting to see if it worked.

 

EDIT:

NOPE Still happening  :( 

You're still getting the prompt asking how to open it?

