trojan:script/foretype.a!ml attached to Chrome???? False?? Is it gone now? How to remove/ensure safety?

Anonymous
2020-11-29T01:53:45+00:00

Okay so this morning I got an alert from Windows Defender, out of nowhere, that they detected a threat on my device and quarantined it. When I checked it read to be "trojan:script/foretype.a!ml" located at C:\Users\Name\AppData\Local\Google\Chrome\User Data\Profile 1 and Quota Manager or something like that.

I immediately let Windows Defender remove it, before re-activating and installing Webroot along with Malwarebytes Premium + Privacy.

HOWEVER. I do not know how to tell if the "removal" actually worked. I don't know how the heck I even GOT a Trojan. It wasn't detected or anything until today, apparently. And I haven't done anything on my computer at all today. I'm very careful about my online security. I don't click on strange emails, links, nothing. The only thing I can think of is my boyfriend and I used a somewhat questionable site last night to watch anime, but in VirusTotal nothing has shown up for it in the past and I've never had any issues with it (the site being gogoanime.so).

I'm not certain if it was a false positive or not either. Regardless, Webroot & Malwarebytes aren't detecting anything, after like 2 deep scans, plus highlighting and scanning EVERYTHING in the Chrome folder as well.

Would deleting Chrome entirely help? Does Profile 1 allude to WHICH google chrome profile was infected?

What the heck IS the Quota Manager?

What type of Trojan is this???

I'm so confused. And google is NOT helping whatsoever.

UPDATE:

Found out Profile 1 is my personal/irl account for google and I did NOT use that one for watching anime last night. And I never use that profile for anything like anime on sus websites or other things. So I genuinely have no idea.

Windows for home | Windows 10 | Security and privacy

Locked Question. This question was migrated from the Microsoft Support Community. You can vote on whether it's helpful, but you can't add comments or replies or follow the question.

Answer accepted by question author

  1. Anonymous
    2020-11-29T02:14:45+00:00

    Hi Synyx. I'm Greg, an eleven years awarded MVP, Volunteer Moderator, and Independent Advisor here to help you until this is resolved.

    There is more about that trojan which appears to be removed here:

    https://www.microsoft.com/en-us/wdsi/threats/th...

    You don't need the 3rd party antivirus. Defender found and took out the trojan. For second opinions and periodic on-demand scanning you only need the free Malwarebytes scanner which is the final word since nothing else comes close to its thoroughness. Be sure and enable Root Kit scans in Malwarebytes Scan settings, and you can disable the premium real time which is unnecessary in Account settings.

    If you want to add one other tool I'd add AdwCleaner free on-demand scanner from http://www.bleepingcomputer.com/download/adwcle... which finds other lower-grade adware and PUPs that especially infect browser add-ons.

    If you think you were infected then it's also always a good idea to check System Files for damage by running System File Checker from Step 10 in this checklist:

    http://answers.microsoft.com/en-us/windows/wiki...

    I hope this helps. Based on what you report back I can answer any questions and may have other steps to perform. If you'll wait to rate whether my post was helpful, I will keep working with you until it's resolved.

    ______________________________________________

    Standard Disclaimer: There are links to non-Microsoft websites. The pages appear to be providing accurate, safe information. Watch out for ads on the sites that may advertise products frequently classified as a PUP (Potentially Unwanted Products). Thoroughly research any product advertised on the sites before you decide to download and install it.

    3 people found this answer helpful.
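
An added example (not part of the answer above) of how to confirm from Defender's own records that the detection was remediated, followed by the rescan and System File Checker steps the answer recommends. It assumes an elevated PowerShell session, that the threat name matches `*Foretype*` as in the alert quoted in the question, and that detection resources are strings of the form `file:_C:\path`.

```powershell
# Added example: checks against Microsoft Defender's own detection records.
# Assumption: run from an elevated PowerShell prompt on the affected PC.
$threatPattern = '*Foretype*'   # threat name as shown in the alert on this page

# 1. Confirm Defender is enabled and its signatures are current.
Get-MpComputerStatus |
    Select-Object AntivirusEnabled, RealTimeProtectionEnabled, AntivirusSignatureLastUpdated

# 2. Look up the threat in Defender's catalogue and see whether it is still active.
$threats = @(Get-MpThreat | Where-Object ThreatName -like $threatPattern)
$threats | Select-Object ThreatID, ThreatName, IsActive, DidThreatExecute

# 3. For every recorded detection of that threat, list the file resources
#    and check whether each path still exists on disk.
$ids = $threats.ThreatID
$report = foreach ($d in Get-MpThreatDetection | Where-Object { $_.ThreatID -in $ids }) {
    foreach ($r in $d.Resources) {
        # Assumed resource format: "file:_C:\path"; a trailing "->..." names
        # an item inside a container and is not part of the path.
        if ($r -match '^(?:file|containerfile):_?\s*(?<path>[^>]+?)(?:->.*)?$') {
            [pscustomobject]@{
                Detected   = $d.InitialDetectionTime
                ActionOK   = $d.ActionSuccess
                Path       = $Matches.path
                StillThere = Test-Path -LiteralPath $Matches.path
            }
        }
    }
}
$report | Format-Table -AutoSize

# 4. Rescan the Chrome profile folder named in the alert, then check system files.
Start-MpScan -ScanType CustomScan -ScanPath "$env:LOCALAPPDATA\Google\Chrome\User Data"
sfc /scannow
```

`IsActive = False` together with `ActionOK = True` indicates Defender's remediation completed. A path that shows `StillThere = True` may be a file the application recreated afterwards, so the follow-up scan in step 4 is what decides whether it is clean.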
10 additional answers

  1. Anonymous
    2021-02-02T05:27:05+00:00

    Yes, it happens to me, but nothing happens. I just allow that type of trojan.

    IDK, because all of my trojan threats are allowed, hahaha, but nothing happens. BTW, even my protection is turned off, but nothing happens. It's like a fake threat or something. So, BTW, how to delete this type of trojan?

    Trojan:Script/Foretype.A!ml

    STATUS: ACTIVE 

    DATE: 02/02/21 11:49AM

    AFFECTED FILE:

    file: C:\Windows\System32\Tasks\oqvwdlwfnvhnbjoblvh->(UTF-16LE)

    file: C:\Windows\Temp\fcrbl.exe

    process: pid:3016,ProcessStart:132567094800194224

    regkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks{2C244742-B1C5-40B6-94B9-5B3E3958256F}

    1 person found this answer helpful.
  2. Anonymous
    2021-02-02T05:16:43+00:00

    It may be because of downloading sus files like RAR, EXE, APK, etc.

    It's possible that it happens like it did to me. That type of threat does not harm your device, but Windows Defender will say that it can execute some files. I allowed that threat and nothing happens, and my Win10 Pro is always active and running normally.

    1 person found this answer helpful.
  3. Anonymous
    2020-11-29T03:34:32+00:00

    Oh my god thank you so much! This was such a big help. 

    Truly, thank you so so so much ❤️

    God bless and hope you have a wonderful holiday season and a good night/day as well!

    1 person found this answer helpful.
  4. Anonymous
    2020-11-29T03:30:46+00:00

    If it has gotten your documents you would know it because they'd be locked up and you'd have a ransom note. Defender blocked it before it could do this.

    Having corrupted System Files is not that uncommon and can be caused by many things. As long as it can repair them then there is no lasting damage. If it cannot then what usually works is a Repair Install - which is an Upgrade over itself with the latest version, also the best way to install a new Version Update.

    So you are good. My compliments for your thoroughness and paying attention to detail. It will help you in the long run with matters like these. No reason to fear when you stay on top of it.

    Let me know if there's anything else.

    Also when ready please mark the post which helped most as the Answer (or Resolved), to help others. A rating is also appreciated.

    1 person found this answer helpful.