JS:ScriptXE-inf [Trj] -- Returns every 2 minutes

[3dgb]

Avast Home Edition, on Vista Ultimate, 2 computers and three laptops, none, of which are networked in anyway. Every 2 minutes this notice pops up saying there is a virus. I've tried sendind it the the vault, and deleting, doesn't matter, 2 minutes later it pops up again. Says it is located in my temporary internet folder, which I delete, then 2 minutes later, pops up again, even without browsing the internet. ( have kept it on MSN Homepage). I used to really like this program ( Avast), however, this isn't good, if we can't fix it, it's on to another program. Any help ? Thanks.

[DavidR]

What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ? 
Check the avast! Log Viewer (right click the avast 'a' icon), Warning section, this contains information on all avast detections. C:\Program Files\Alwil Software\Avast4\ashLogV.exe
 
- Or check the source file using notepad C:\Program Files\Alwil Software\Avast4\DATA\log\Warning.log and copy and paste the entry.
####
When posting URLs to suspect sites, change the http to hXXp so the link isn't active (clickable) avoiding accidental exposure.

[Jtaylor83]

I suggest you use MBAM or SuperAntiSpyware Free.

[3dgb]

It says a warning of " Sign ofJS:ScriptXE-inf ( Tri) has been found in xxxxx-Temporary Internet Files".
 Intresting that it's on 5 computers, not connected to each other.

[mathboyx215]

Try clearing your temp file with ccleaner
http://www.ccleaner.com/download/builds/downloading-slim

If that doesn't work,then download the programs suggested by jtaylor83.Install the program and update them.Then run a full scan and delete every infected item they find.Then post back a log.

[3dgb]

I run cc cleaner after every instance of going online. Downloaded and ran both of the programs above ( after updating), nothing detected. Also shut down system restore, rebooted, etc. As soon as I log online, it pops up right away. Never had this problem with avast before, not until this morning. In 5 minutes of online time, ,it's poped up maybe 6 times. I delete it, it pops right back up. I move it to the vault, it pops right back, I delete my temp internet files, it pops right back up. I've made no changes to my system, no new programs, files, , etc. Time for a better antivirus program I guess, sure can't work like this...Btw, I'm not a newbie to computers by any means.

[3dgb]

Ok, does this log help at all?



9/12/2009 9:13:45 AM   SYSTEM   1716   Sign of "JS:ScriptXE-inf [Trj]" has been found in "C:\Users\Anna\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SA9BEZOK\favicon[2].htm" file. 
9/12/2009 9:26:50 AM   SYSTEM   1716   Sign of "JS:ScriptXE-inf [Trj]" has been found in "C:\Users\Anna\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SA9BEZOK\favicon[2].htm" file. 
9/12/2009 9:27:24 AM   SYSTEM   1716   Sign of "JS:ScriptXE-inf [Trj]" has been found in "C:\Users\Anna\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZF4ZJFRL\favicon[5].htm" file. 
9/12/2009 9:33:55 AM   SYSTEM   1716   Sign of "JS:ScriptXE-inf [Trj]" has been found in "C:\Users\Anna\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CZ4WHLCI\favicon[1].htm" file. 
9/12/2009 9:43:04 AM   SYSTEM   1716   Sign of "JS:ScriptXE-inf [Trj]" has been found in "C:\Users\Anna\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SA9BEZOK\favicon[2].htm" file. 
9/12/2009 9:43:57 AM   SYSTEM   1716   Sign of "JS:ScriptXE-inf [Trj]" has been found in "C:\Users\Anna\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\90YK13I2\favicon[3].htm" file. 
9/12/2009 2:45:35 PM   SYSTEM   1688   Sign of "JS:ScriptXE-inf [Trj]" has been found in "C:\Users\Anna\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CZ4WHLCI\favicon[4].htm" file. 
9/12/2009 2:56:21 PM   SYSTEM   1688   Sign of "JS:ScriptXE-inf [Trj]" has been found in "C:\Users\Anna\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SA9BEZOK\favicon[4].htm" file. 
9/12/2009 2:57:10 PM   SYSTEM   1688   Sign of "JS:ScriptXE-inf [Trj]" has been found in "C:\Users\Anna\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CZ4WHLCI\favicon[4].htm" file. 
9/12/2009 3:00:26 PM   SYSTEM   1688   Sign of "JS:ScriptXE-inf [Trj]" has been found in "C:\Users\Anna\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\90YK13I2\favicon[6].htm" file. 
9/12/2009 3:01:21 PM   SYSTEM   1688   Sign of "JS:ScriptXE-inf [Trj]" has been found in "C:\Users\Anna\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CZ4WHLCI\favicon[4].htm" file. 

[Lisandro]

Close your browsers and use this:

Try clearing your temp file with ccleaner
http://www.ccleaner.com/download/builds/downloading-slim

[DavidR]

There could well be something on your system that is hidden or undetected and that is what is infecting .htm files. There are a few pieces of malware that do this and some are particularly nasty.

Please download, update and run the applications Jtaylor83 gave in Reply #2 and post the contents of their logs.

[3dgb]

Tech ? Haha, figures, I said I DO run cc cleaner after every instance of going online. ( get it? go online, then go off, closing your browser, then run cc cleaner). Just curious, who are you a tech for? lol...

Jaytaylor83, thanks, will run them again and post shortly. ( uh, should i close my browser first? lol...)

[DavidR]

I won't hurt to close your browser/s first.

[3dgb]

It was a joke. I don't like being treated like I'm stupid, especially by someone who is supposed to be a "Tech". For the record, I'm much more than a tech. Next I figure you'll ask if my computer has been turned on. Whatever the problem is, Avast let it through, bottom line. It seems the program has issues.

[3dgb]

My apologies for loosing my temper here. This " issue" just cost me a deadline, and a job.
Seems the problem may be coming from a site I visit,


hxxp://denver.craigslist.org/


Again, my apologies, and thanks for the help, really.

[Jtaylor83]

Be careful of using Craigslist. Some of the Craigslist posts may contain malware. Also beware of the scams.

Best recommendation: Firefox with NoScript, AdBlock Plus, and BetterPrivacy.

[FreewheelinFrank]

avast! is not alone in detecting these favicon files:

http://uktsupport.ipbhost.com/index.php?showtopic=13530

I'd guess that you have some sites bookmarked in Internet Explorer which have this exploit file as their favicon.

Possibly IE retrieves the favicon and triggers the alert every time you go online, so the problem could be coming from any of the sites you have bookmarked.

Actually avast! seems to be ahead of the field in detecting this threat:

http://virscan.org/report/346a4509ff8da4b09666e2da49750c05.html

What AV are you thinking of changing to? One that doesn't detect this threat? Hardly avast!'s fault if IE is downloading the malicious file every two minutes.

Have you tried going online with Firefox or Opera? Do you have the same detection? If not, look at the sites you have bookmarked in IE very carefully- one of them may have a malicious favicon.