Avast WEBforum

Other => Viruses and worms => Topic started by: deemo119 on April 15, 2013, 04:19:52 PM

Title: JS:Includer-FR [Trj] ...constant (several per second) detections
Post by: deemo119 on April 15, 2013, 04:19:52 PM
Hi, avast is detecting "JS:Includer-FR [Trj]" at the rate of 1 to 4 PER SECOND.  There were 18 detections in the time I typed that first sentence.  Now 39... please help!

It started yesterday morning after a scheduled nighttime scan, so I ran a full boot-time scan yesterday (literally over 20 hours long, thanks to a couple of huge hard drives), and it found 6 of those same Trojans, plus one "Java:CVE-2013-0422-Y[Expl]" and one "Java:Malware-gen", all of which were deleted.

Avast:
Program version:  8.0.1483
Virus def version:  130415-0
Number of def's:  4,346,135

running Windows 7 home premium

Please help, it's found over 200 since I've been writing!  Thank you!
Title: Re: JS:Includer-FR [Trj] ...constant (several per second) detections
Post by: Asyn on April 15, 2013, 04:21:51 PM
Please attach your logs. (AdwCleaner, MBAM, OTL and aswMBR..!!)
Instructions: http://forum.avast.com/index.php?topic=53253.0
Title: Re: JS:Includer-FR [Trj] ...constant (several per second) detections
Post by: deemo119 on April 15, 2013, 04:28:33 PM
I have to download 5 different things in order to attach my logs??  Sorry, I've never been through this before...
Title: Re: JS:Includer-FR [Trj] ...constant (several per second) detections
Post by: deemo119 on April 15, 2013, 04:31:11 PM
And also... according to the instructions I'll have to run a couple more scans for these other programs... the last one took over 24 hours... is there any way of attaching logs for THAT scan before I go through 2 more days of scanning?  Thanks
Title: Re: JS:Includer-FR [Trj] ...constant (several per second) detections
Post by: Asyn on April 15, 2013, 04:31:47 PM
Quote
I have to download 5 different things in order to attach my logs??

Only 4 "things"... ;)
Title: Re: JS:Includer-FR [Trj] ...constant (several per second) detections
Post by: Asyn on April 15, 2013, 04:33:25 PM
Quote
And also... according to the instructions I'll have to run a couple more scans for these other programs... the last one took over 24 hours... is there any way of attaching logs for THAT scan before I go through 2 more days of scanning?  Thanks

Please reread Reply #1.
Title: Re: JS:Includer-FR [Trj] ...constant (several per second) detections
Post by: Pondus on April 15, 2013, 04:34:33 PM
Quote
And also... according to the instructions I'll have to run a couple more scans for these other programs... the last one took over 24 hours... is there any way of attaching logs for THAT scan before I go through 2 more days of scanning?  Thanks
These scans will not take 24 hours if you follow the instructions....
like Malwarebytes quick scan ....    ;)
Title: Re: JS:Includer-FR [Trj] ...constant (several per second) detections
Post by: deemo119 on April 15, 2013, 04:46:15 PM
Here's the first one:

# AdwCleaner v2.200 - Logfile created 04/15/2013 at 10:39:28
# Updated 02/04/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : Michael - DEMARIAPHOTO-PC
# Boot Mode : Normal
# Running from : C:\Users\Michael\Desktop\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Folder Deleted : C:\Program Files (x86)\Common Files\Software Update Utility
Folder Deleted : C:\Program Files (x86)\Conduit
Folder Deleted : C:\Program Files (x86)\MiniEvony
Folder Deleted : C:\Users\Michael\AppData\Local\Conduit
Folder Deleted : C:\Users\Michael\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\Michael\AppData\LocalLow\MiniEvony

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\MiniEvony
Key Deleted : HKCU\Software\AppDataLow\Toolbar
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{1AEC5771-FCD6-4537-A6B7-5F1935FD527C}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1AEC5771-FCD6-4537-A6B7-5F1935FD527C}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B9B9F072-8425-4897-B5E5-4438ECE6587D}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{6C259840-5BA8-46E6-8ED1-EF3BA47D8BA1}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\dnu.EXE
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdate
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUIBrowser
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUIBrowser.1
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUpdController
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUpdController.1
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2697877
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{92380354-381A-471F-BE2E-DD9ACD9777EA}
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{B9B9F072-8425-4897-B5E5-4438ECE6587D}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\Software\MiniEvony
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{1AEC5771-FCD6-4537-A6B7-5F1935FD527C}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{B9B9F072-8425-4897-B5E5-4438ECE6587D}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{97359E82-3808-47F6-8790-0771AEDBC8FA}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B5E07FD1-38EB-48F3-B2D1-906C9BB19453}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1AEC5771-FCD6-4537-A6B7-5F1935FD527C}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MiniEvony Toolbar
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SoftwareUpdUtility
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{1AEC5771-FCD6-4537-A6B7-5F1935FD527C}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{1AEC5771-FCD6-4537-A6B7-5F1935FD527C}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks [{1AEC5771-FCD6-4537-A6B7-5F1935FD527C}]
Value Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{1AEC5771-FCD6-4537-A6B7-5F1935FD527C}]

***** [Internet Browsers] *****

-\\ Internet Explorer v10.0.9200.16537

[OK] Registry is clean.

-\\ Google Chrome v26.0.1410.64

File : C:\Users\Michael\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.

*************************

AdwCleaner[S1].txt - [4885 octets] - [15/04/2013 10:39:28]

########## EOF - C:\AdwCleaner[S1].txt - [4945 octets] ##########
Title: Re: JS:Includer-FR [Trj] ...constant (several per second) detections
Post by: Asyn on April 15, 2013, 04:55:40 PM
Please attach your logs. Thanks.
Title: Re: JS:Includer-FR [Trj] ...constant (several per second) detections
Post by: deemo119 on April 15, 2013, 05:00:40 PM
You mean you don't want me to paste them in replies like I just did?  How do I attach them?
Title: Re: JS:Includer-FR [Trj] ...constant (several per second) detections
Post by: Asyn on April 15, 2013, 05:07:04 PM
Quote
You mean you don't want me to paste them in replies like I just did?  How do I attach them?

If you reply here you'll find the option below the text box -> "Attachments and other options"
Title: Re: JS:Includer-FR [Trj] ...constant (several per second) detections
Post by: deemo119 on April 15, 2013, 06:12:58 PM
Ok here are 4 of the 5 logs you asked for... thank you very much!
Title: Re: JS:Includer-FR [Trj] ...constant (several per second) detections
Post by: deemo119 on April 15, 2013, 06:16:29 PM
I cannot attach the 5th log (MBR.dat), it says it's an invalid file type to attach.  And I can't open it from my desktop to save it as another file type.
Title: Re: JS:Includer-FR [Trj] ...constant (several per second) detections
Post by: Pondus on April 15, 2013, 06:19:07 PM
Quote
I cannot attach the 5th log (MBR.dat)
not a log....we want aswmbr.txt
Title: Re: JS:Includer-FR [Trj] ...constant (several per second) detections
Post by: deemo119 on April 15, 2013, 06:26:03 PM
Sorry, found it... here's the 5th log.  Thanks.
Title: Re: JS:Includer-FR [Trj] ...constant (several per second) detections
Post by: deemo119 on April 15, 2013, 07:11:31 PM
Still non-stop detections of this Trojan, probably a couple thousand this morning... has anyone seen this?
Title: Re: JS:Includer-FR [Trj] ...constant (several per second) detections
Post by: essexboy on April 15, 2013, 07:32:27 PM
Let me know if this clears it please

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL
Code:
:OTL
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-3612433894-2427630151-739255536-1001\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]
Title: Re: JS:Includer-FR [Trj] ...constant (several per second) detections
Post by: deemo119 on April 15, 2013, 08:19:15 PM
I was excited for a minute, after the reboot there were no detections for 5 min or so, then they started back up.  Here's the new OTL log, and also the log that popped up after rebooting.   What if I just went back to a restore point prior to a couple days ago??
Title: Re: JS:Includer-FR [Trj] ...constant (several per second) detections
Post by: essexboy on April 15, 2013, 08:36:08 PM
Yes, try a restore point from a few days ago, but you will need to disable Avast self protection.  Screenshot below.  If that fails to remove it, I will need to check autorun entries.
Title: Re: JS:Includer-FR [Trj] ...constant (several per second) detections
Post by: deemo119 on April 15, 2013, 09:16:25 PM
What exactly is the avast self-defense module?  And could this "Trojan" be some kind of false positive?  I'm wondering if it's really a real issue.  Did you see something in the logs that points to me having an actual problem?  Thanks again...
Title: Re: JS:Includer-FR [Trj] ...constant (several per second) detections
Post by: essexboy on April 15, 2013, 09:39:08 PM
This shows the characteristics of a recent Java exploit; however, it did not have the usual traces.  You need to turn off self defence, as when you restore, Avast will be broken.
Title: Re: JS:Includer-FR [Trj] ...constant (several per second) detections
Post by: Pondus on April 15, 2013, 10:00:45 PM
Quote
What exactly is the avast self-defense module?
Many malware will try to turn off / disable your AV.
Title: Re: JS:Includer-FR [Trj] ...constant (several per second) detections
Post by: deemo119 on April 16, 2013, 01:43:12 AM
Crap.  I did a restore point to last Thursday.  Everything looked fine.  I've been using my computer for the past couple of hours, then all of a sudden the constant detections started up again (same Trojan).... UGH.  :(
Title: Re: JS:Includer-FR [Trj] ...constant (several per second) detections
Post by: Pondus on April 16, 2013, 01:50:20 AM
attach a screenshot of the detection.....

then run a new OTL diagnostic log....

Essexboy will be back tomorrow and check the log

Title: Re: JS:Includer-FR [Trj] ...constant (several per second) detections
Post by: deemo119 on April 16, 2013, 01:58:09 AM
Here is a screenshot of the detection that occurs every half-second or so.

By the way, does anyone know if this JS:Includer-FR is an actual issue??  Or some sort of false positive from Avast???

And I'm not 100% certain but I believe this started right after a new version of Avast was downloaded... my Avast interface looks drastically different and I now apparently went from the free version to the PRO ANTIVIRUS trial... is there a way of going back to the plain'ol free version?
Title: Re: JS:Includer-FR [Trj] ...constant (several per second) detections
Post by: Pondus on April 16, 2013, 02:09:18 AM
Quote
I now apparently went from the free version to the PRO ANTIVIRUS trial.
Yes, that seems to happen when using system restore..... don't know why.

I guess you need to reinstall, but I would wait with that until essexboy is done..
Title: Re: JS:Includer-FR [Trj] ...constant (several per second) detections
Post by: deemo119 on April 16, 2013, 03:06:43 PM
This is literally driving me insane... and something in my gut tells me it's not even a real issue but something to do with the new Avast version causing a false positive... I have program version 8.0.1455, engine version 130410-2, released 4/10/13 4:54PM.  The restore point I did was back to last Thurs (4/11).
Title: Re: JS:Includer-FR [Trj] ...constant (several per second) detections
Post by: essexboy on April 16, 2013, 03:28:49 PM
If it was a false positive then you would not be the only one

The Avast popup shows that is being generated by an E-mail on your system

Could you empty your deleted e-mail folder and any other e-mails you no longer need
Title: Re: JS:Includer-FR [Trj] ...constant (several per second) detections
Post by: deemo119 on April 16, 2013, 05:27:59 PM
Oh, interesting... well I assume it's an email that's come in since this started, right?  I mean I have thousands of older emails that I need to keep for business records.
Title: Re: JS:Includer-FR [Trj] ...constant (several per second) detections
Post by: deemo119 on April 16, 2013, 05:30:02 PM
...actually I have quite a lot of emails from the past few days, is there a way for me to narrow it down?  Thanks!
Title: Re: JS:Includer-FR [Trj] ...constant (several per second) detections
Post by: essexboy on April 16, 2013, 07:21:13 PM
Could you go to the chest and expand the path so that we can see it in its entirety
Title: Re: JS:Includer-FR [Trj] ...constant (several per second) detections
Post by: deemo119 on April 17, 2013, 05:30:02 PM
GOT IT!  So the resolution was SO simple... and downloading those diagnostic programs and collecting all the logs turned out to be completely unnecessary (and, in this case, non-helpful).  Thank you essexboy for the heads-up that it was an email causing the issue, once I posted a screenshot of the detection (and thank you Pondus for suggesting that I do that).  I stupidly hadn't looked closely at the full path of the Object in the detection notification before... but once essexboy mentioned it was an email problem I hovered over the detection Object, saw the full path, which showed the email folder in my Windows Live Mail that the problem email was in.  It happened to be an old folder that I didn't need to save, so I deleted all the emails in there, then deleted them from the deleted folder.  And bam, detections instantly stopped, and here 24 hours later so far so good.

It does seem strange to me that it was an old email in an old folder that was causing the issue (more than 2 years old).  Does anyone suggest anything at this point to make sure I'm clear?  Thanks again.
Title: Re: JS:Includer-FR [Trj] ...constant (several per second) detections
Post by: essexboy on April 17, 2013, 07:04:53 PM
That is the beauty of the chest, if you expand it you can see the actual culprit  ;D

Subject to no further problems   :)

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems 

Now the best part of the day ----- Your log now appears clean  :thumbsup:

A good workman always cleans up after himself, so... The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL and hit the cleanup button.  It will remove all the programmes we have used plus itself. 

Clear Restore Points

Go Start > All Programmes > Accessories > System tools
Right click Disc Cleanup and select run as administrator
When it pops up, at the first prompt select OK; after it has done some calculations the tabs will appear
Select the More Options tab
Press the System Restore and Shadow Copies Cleanup button
(https://dl.dropbox.com/u/73555776/disc%20clean.JPG)


: Keep Java Updated :

WARNING: Java is the #1 exploited program at this time. The Department of Homeland Security recommends that computer users disable Java.
See this article (http://www.forbes.com/sites/eliseackerman/2013/01/11/us-department-of-homeland-security-calls-on-computer-users-to-disable-java/) and this article (http://www.nbcnews.com/technology/technolog/us-warns-java-software-security-concerns-escalate-1B7938755).
I would recommend that you completely uninstall Java unless you need it to run an important piece of software.
In that instance I would recommend that you disable Java in your browsers until you need it for that software and then enable it. (See How to disable Java in your web browser (http://www.geekstogo.com/2600/how-to-disable-java-in-your-web-browser/) and How to unplug Java from the browser (http://krebsonsecurity.com/how-to-unplug-java-from-the-browser/))

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

Malwarebytes (http://www.malwarebytes.org/mbam-download.php).

Update and run weekly to keep your system clean

Download and install FileHippo update checker (http://www.filehippo.com/updatechecker/) and run it monthly; it will show you which programmes on your system need updating and give a download link.

If you use on-line banking then as an added layer of protection install Trusteer Rapport  (http://www.trusteer.com/Products/Trusteer-Rapport-for-Online-Banking)

It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place? (http://www.geekstogo.com/forum/topic/225044-preventing-malware-and-safe-computing/)

Keep safe  :wave:
Title: Re: JS:Includer-FR [Trj] ...constant (several per second) detections
Post by: deemo119 on May 28, 2013, 03:02:53 PM
Hmmm, oops never saw this last post.  I had already uninstalled the diagnostic programs (through add/remove programs).  I hope that was ok.  BTW, once I deleted the infected email I haven't had an issue since.  It was SUCH a simple fix, no diagnostic tools of any kind were needed.  In fact, all those diagnostic tools and tests couldn't find the problem!!  What a waste of time!