Avast WEBforum
Other => Viruses and worms => Topic started by: Viewpoint on March 20, 2010, 05:30:28 PM
-
Hello, Thank you for clicking on my post.
Recently I fully scanned my computer with Avast and it found the following threats:
Threat: JS:downloader-FT [Trj]
Location: Windows/Temporary internet Files/Low/Content.IE5/4IOA5RG9/go[1].htm
Severity: High
And
Threat: JS:downloader-FE [Trj]
Location: Windows/Temporary internet Files/Low/Content.IE5/KJ35SUOL/in[1].htm
Severity: High
I tried the "Delete, Move to Chest, and Repair" options and every time I clicked Apply I get: Error: Access is Denied (5)
So then I tried looking for them manually but I couldn't find the folder because it didn't exist. So then I thought avast had deleted them already, so I rescanned and it found them again. Can someone please help me remove these Trojans?
P.S. Thank you very much for your time.
Edit- My other anti-virus programs don't find them. "Clean".
Edit- it also found two more threats:
Threat: Java:Agent-B [Trj]
&
Threat: Java:Agent-B [Trj]
Edit- I am using Vista
-
Clear your browser cache/temp internet files.
I doubt that this JS:downloader-FE [Trj] malware is detected by many other AVs as it is contained within the JavaScript in .htm pages.
Where were the Java:Agent-B [Trj] detections found, file name and location, thanks?
What avast version are you using, 4.8 or 5.0?
- If you have Win2k, XP, Vista or Win7 (all 32-bit), you could enable a boot-time scan.
For 4.8 - Right click the avast icon, select Start avast! Antivirus, a memory scan will take place followed by the opening of the Simple User Interface, Menu, 'Schedule boot-time scan...' Or see http://www.digitalred.com/avast-boot-time.php. Don't opt for deletion (you have no options left), always send to the chest and investigate.
Look in the C:\Program Files\Alwil Software\Avast4\DATA\report\aswBoot.txt file, check this file using Notepad and copy and paste the info on the detection.
For 5.0 - From the avast UI, Scan Computer, Boot-time Scan, Schedule Now button and reboot. Send any detections to the chest.
-
Clear your browser cache/temp internet files.
I doubt that this JS:downloader-FE [Trj] malware is detected by many other AVs as it is contained within the JavaScript in .htm pages.
Where were the Java:Agent-B [Trj] detections found, file name and location, thanks?
What avast version are you using, 4.8 or 5.0?
- If you have Win2k, XP, Vista or Win7 (all 32-bit), you could enable a boot-time scan.
For 4.8 - Right click the avast icon, select Start avast! Antivirus, a memory scan will take place followed by the opening of the Simple User Interface, Menu, 'Schedule boot-time scan...' Or see http://www.digitalred.com/avast-boot-time.php. Don't opt for deletion (you have no options left), always send to the chest and investigate.
Look in the C:\Program Files\Alwil Software\Avast4\DATA\report\aswBoot.txt file, check this file using Notepad and copy and paste the info on the detection.
For 5.0 - From the avast UI, Scan Computer, Boot-time Scan, Schedule Now button and reboot. Send any detections to the chest.
Thank you very much for your reply, I am using 5.0
It says the boot scan is for 32-bit only.
Java's location: Appdata/Locallow/sun/java/deployment/cache/6.0/36/4ba76d23-115af355l>myf/y/appletx.class
&
Appdata/Locallow/sun/java/deployment/cache/6.0/36/4ba76d23-115af355l>myf/y/LoaderX.class
Where do I go to clear the browser Cache?
P.S. Thank you so much.
-
Where do I go to clear the browser Cache?
You can use ATF Cleaner http://www.atribune.org/index.php?option=com_content&task=view&id=25&Itemid=25
Click the red download link.
-
Where do I go to clear the browser Cache?
You can use ATF Cleaner http://www.atribune.org/index.php?option=com_content&task=view&id=25&Itemid=25
Click the red download link.
Thank you! =)
-
Where do I go to clear the browser Cache?
You can use ATF Cleaner http://www.atribune.org/index.php?option=com_content&task=view&id=25&Itemid=25
Click the red download link.
I ran it, it removed some stuff, then it said "No Files Were Removed". I rescanned and I still have the same 4 threats. =\
-
Are you using Firefox or Opera? See the toolbar on top of the program.
-
In post #1 you say
Edit- My other anti-virus programs don't find them. "Clean".
What do you mean "other antivirus program", are you running more than one?
-
<snip>
Thank you very much for your reply, I am using 5.0
It says the boot scan is for 32-bit only.
Java's location: Appdata/Locallow/sun/java/deployment/cache/6.0/36/4ba76d23-115af355l>myf/y/appletx.class
&
Appdata/Locallow/sun/java/deployment/cache/6.0/36/4ba76d23-115af355l>myf/y/LoaderX.class
Where do I go to clear the browser Cache?
You're welcome.
Unfortunately it will be a little while longer before the boot-time scan will be available for 64bit OSes in avast, it is hoped it will be in avast 5.1 when released around the Summer of this year, though no firm dates are given.
Looks like your Java version may not be fully up to date as this is normally how Java exploits get in.
- I would also suggest a visit to this site, which scans your system for out of date programs that have patches to close vulnerabilities, http://secunia.com/software_inspector/.
-
Are you using Firefox or Opera? See the toolbar on top of the program.
Given the info in the first post (IE), the detection was found in the IE temp internet files location:
Location: Windows/Temporary internet Files/Low/Content.IE5/KJ35SUOL/in[1].htm
-
<snip>
Thank you very much for your reply, I am using 5.0
It says the boot scan is for 32-bit only.
Java's location: Appdata/Locallow/sun/java/deployment/cache/6.0/36/4ba76d23-115af355l>myf/y/appletx.class
&
Appdata/Locallow/sun/java/deployment/cache/6.0/36/4ba76d23-115af355l>myf/y/LoaderX.class
Where do I go to clear the browser Cache?
You're welcome.
Unfortunately it will be a little while longer before the boot-time scan will be available for 64bit OSes in avast, it is hoped it will be in avast 5.1 when released around the Summer of this year, though no firm dates are given.
Looks like your Java version may not be fully up to date as this is normally how Java exploits get in.
- I would also suggest a visit to this site, which scans your system for out of date programs that have patches to close vulnerabilities, http://secunia.com/software_inspector/.
Thank you very much DavidR
Aside from the Java one, what should I do about the Other [Trj]
I cleaned the temp files and it is still there.
Regards,
Viewpoint
-
In post #1 you say
Edit- My other anti-virus programs don't find them. "Clean".
What do you mean "other antivirus program", are you running more than one?
Well, running as in scanning, not real-time protection.
McAfee is the one running real-time scanning.
The ones I used to scan were: McAfee, Malwarebytes, Avast, SUPERAntiSpyware, and Avast Anti-Rootkit.
(Running a spybot scan as we speak.)
-
Are you using Firefox or Opera? See the toolbar on top of the program.
I am using Firefox with a Crawler Search toolbar
-
<snip>
Thank you very much DavidR
Aside from the Java one, what should I do about the Other [Trj]
I cleaned the temp files and it is still there.
There may be something else protecting it or restoring:
If you haven't already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file). I don't know for sure if these work on 64-bit OSes, you will need to check.
- 1. MalwareBytes Anti-Malware, On-Demand only in free version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right click on the link and select Save As or Save File (As depending on your browser), save it to a location where you can find it easily later.
- 2. SUPERantispyware (http://www.superantispyware.com) On-Demand only in free version.
Don't worry about reported tracking cookies, they are a minor issue and not one of security, allow SAS to deal with them though. - See http://en.wikipedia.org/wiki/HTTP_cookie.
-
Are you using Firefox or Opera? See the toolbar on top of the program.
I am using Firefox with a Crawler Search toolbar
Get rid of the Crawler Search toolbar, it brings nothing to the table that isn't already there and it gathers marketing information that could result in targeted adverts.
-
<snip>
Thank you very much DavidR
Aside from the Java one, what should I do about the Other [Trj]
I cleaned the temp files and it is still there.
There may be something else protecting it or restoring:
If you haven't already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file). I don't know for sure if these work on 64-bit OSes, you will need to check.
- 1. MalwareBytes Anti-Malware, On-Demand only in free version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right click on the link and select Save As or Save File (As depending on your browser), save it to a location where you can find it easily later.
- 2. SUPERantispyware (http://www.superantispyware.com) On-Demand only in free version.
Don't worry about reported tracking cookies, they are a minor issue and not one of security, allow SAS to deal with them though. - See http://en.wikipedia.org/wiki/HTTP_cookie.
I already have this program downloaded. I tried looking for where the reports are stored (using 5.0) but I couldn't find it.
Regards,
Viewpoint
-
<snip>
McAfee is the one running real-time scanning.
The ones I used to scan were: McAfee, Malwarebytes, Avast, SUPERAntiSpyware, and Avast Anti-Rootkit.
(Running a Spybot scan as we speak.)
What McAfee product?
So where is avast running, as that is also a resident AV?
Having two resident scanners installed is not recommended as rather than provide twice the protection it can cause conflicts that could leave you more vulnerable.
-
Two antivirus installed
http://www.bleepingcomputer.com/forums/index.php?s=650c478bbb23211597b6e144af56048d&showtopic=260844&view=findpost&p=1441638
Clash Of The Antivirus Apps
http://www.smartcomputing.com/editorial/article.asp?article=articles/2003/s1407/38s07/38s07.asp
-
<snip>
I already have this program downloaded. I tried looking for where the reports are stored (using 5.0) but I couldn't find it.
Which program? There were two mentioned, MBAM & SAS.
If MBAM, open the program and click the 'Logs' tab, easy to find.
If SAS, open and select Preferences, Statistics/Logs.
-
Are you using Firefox or Opera? See the toolbar on top of the program.
I am using Firefox with a Crawler Search toolbar
Get rid of the Crawler Search toolbar, it brings nothing to the table that isn't already there and it gathers marketing information that could result in targeted adverts.
Uninstalled that toolbar.
-
<snip>
McAfee is the one running real-time scanning.
The ones I used to scan were: McAfee, Malwarebytes, Avast, SUPERAntiSpyware, and Avast Anti-Rootkit.
(Running a Spybot scan as we speak.)
What McAfee product?
So where is avast running, as that is also a resident AV?
Having two resident scanners installed is not recommended as rather than provide twice the protection it can cause conflicts that could leave you more vulnerable.
McAfee Security Center
(Kind of confused)
Well, I didn't install the Protection Shields for Avast so they don't conflict with McAfee's RT scanning.
How do I know if Avast is running on residential?
Regards,
Tompwnage
-
<snip>
McAfee Security Center
(Kind of confused)
Well, I didn't install the Protection Shields for Avast so they don't conflict with McAfee's RT scanning.
How do I know if Avast is running on residential?
avast is designed to be a resident anti-virus; you need only look at the Task Manager and you will see avastUI.exe and avastSvc.exe running.
The fact that so far you have been lucky is no indication that they don't conflict; resident scanners install low-level drivers that are designed to hook files before they run so that they can be scanned. This can be the same as two dogs fighting over one bone.
At best this could cause no more than scanning duplication as both resident scanners try to hook and scan the same file. At worst the low-level drivers could lock your system as one locks a file the other is trying to scan; now if this happens during boot it could lock you out of your system.
So luck rather than design, so I suggest you read the links given by Pondus above in Reply #17.
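A quick way to confirm what DavidR describes, as an added example that is not code from the thread or from avast: Windows Security Center keeps a list of every anti-virus product with a resident component, and avast's resident processes can be checked directly. The script assumes Windows Vista or later (the root\SecurityCenter2 WMI namespace; on XP it is root\SecurityCenter); the process names avastUI.exe and avastSvc.exe are the ones named in the post, everything else is this example's own.

```powershell
# Added example, not from the forum thread or from avast.
# Lists the anti-virus products registered with Windows Security Center and
# checks whether avast's resident processes are running, so a second resident
# scanner is noticed before the hook/scan conflicts described above occur.
# Assumes Vista or later: the namespace is root\SecurityCenter2 (root\SecurityCenter on XP).

function Get-RegisteredAntiVirus {
    # Security Center registers every AV that installed a real-time component.
    Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct |
        Select-Object displayName, productState
}

function Test-AvastResident {
    # DavidR's check: avast is resident when avastUI.exe and avastSvc.exe are running.
    $running = Get-Process -Name 'avastSvc', 'avastUI' -ErrorAction SilentlyContinue
    return (@($running).Count -ge 1)
}

$products = @(Get-RegisteredAntiVirus)
Write-Host "Registered anti-virus products: $($products.Count)"
$products | Format-Table -AutoSize

if ($products.Count -gt 1) {
    # Two resident scanners both hooking file access is the conflict case.
    Write-Warning 'More than one resident anti-virus is registered; expect duplicate scanning or file locks.'
}

if (Test-AvastResident) {
    Write-Host 'avast resident components (avastSvc.exe / avastUI.exe) are running.'
} else {
    Write-Host 'avast resident components are not running.'
}
```

Run it from a normal PowerShell prompt; reading Security Center and the process list needs no elevation. On current Windows the same query works with Get-CimInstance in place of Get-WmiObject.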
-
<snip>
McAfee Security Center
(Kind of confused)
Well, I didn't install the Protection Shields for Avast so they don't conflict with McAfee's RT scanning.
How do I know if Avast is running on residential?
avast is designed to be a resident anti-virus; you need only look at the Task Manager and you will see avastUI.exe and avastSvc.exe running.
The fact that so far you have been lucky is no indication that they don't conflict; resident scanners install low-level drivers that are designed to hook files before they run so that they can be scanned. This can be the same as two dogs fighting over one bone.
At best this could cause no more than scanning duplication as both resident scanners try to hook and scan the same file. At worst the low-level drivers could lock your system as one locks a file the other is trying to scan; now if this happens during boot it could lock you out of your system.
So luck rather than design, so I suggest you read the links given by Pondus above in Reply #17.
Yeah that avast thing is running, so best thing to do is uninstall Avast?
In other words those aren't real Trojans or are they? (Avast is the only one that finds them)
If so then how do I remove them
Edit- Question: How do I know before I download an anti-virus that it's not a resident one?
P.S. Thank you guys for the constant replies, this forum is very helpful.
Regards,
Viewpoint
-
Hitman Pro 3 - Second Opinion Malware Scanner
http://www.surfright.nl/en/hitmanpro
Lots of info on the website so read it
-
@ Viewpoint
I would consider a different option, this being the avast forum and a) it was avast that did the job for you and b) whose support site is giving you all the support ;D
I would say the detections are good, just because avast was the only one to find it; as I said, avast is one of the few even looking for this type of malware in the JavaScript of .htm pages, much less detecting it. The internet is by far the greatest threat of infection in the form of hacked sites (the type of detection in the .htm files you listed) and the Web Shield is all over them like a rash.
- See http://www.scmagazineus.com/Every-36-seconds-a-website-is-infected/article/140414/.
Add to that avast regularly gets better rankings in detection tests, like av-comparatives.org than McAfee.
-
@ Viewpoint
I would consider a different option, this being the avast forum and a) it was avast that did the job for you and b) whose support site is giving you all the support ;D
I would say the detections are good, just because avast was the only one to find it; as I said, avast is one of the few even looking for this type of malware in the JavaScript of .htm pages, much less detecting it. The internet is by far the greatest threat of infection in the form of hacked sites (the type of detection in the .htm files you listed) and the Web Shield is all over them like a rash.
- See http://www.scmagazineus.com/Every-36-seconds-a-website-is-infected/article/140414/.
Add to that avast regularly gets better rankings in detection tests, like av-comparatives.org than McAfee.
Alright, thank you so much. I love avast; is there a way I can get a stand-alone scanner version of Avast that won't affect my anti-virus?
P.S Sorry for the endless amount of Questions, Thank you so much.
Regards,
Viewpoint
-
There is no on-demand version of avast, it is built for resident always on protection.
-
There is no on-demand version of avast, it is built for resident always on protection.
Darn :( I can't put it on this computer but I'll put it on my laptop. ;D
-
So let me get this straight... ???
In conclusion these [Trj] are just the result of two anti-viruses colliding and aren't any threat whatsoever?
(Folders don't exist)
Edit- http://www.avast.com/pr-online-ads-put-web-users-at-risk <-- I am thinking that's what these are.
I am sorry about the many questions. :-[
Regards,
Viewpoint
-
No they are the result of avast detecting them and McAfee not detecting anything.
No, as your detections don't have the same malware name JS:Prontexi.
Avast! Virus Labs have named this attack vector JS:Prontexi. It is a JavaScript code which acts as a channel for malware attacks on vulnerable software such as Adobe and a range of zero-day exploits.
That article is reporting that on-line ads are now being exploited to try and infect your system. As I said, the internet is now the most common means to attack your system. The fact is that both the Web Shield and the Network Shield go a very long way to prevent infection getting on to your system from this attack method. The other link on that page goes to the avast blog which gives a more technical report from one of the avast Virus Labs guys.
-
Hi Viewpoint,
Crawler manual removal:
Delete registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\CustomizeSearch=[site address]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\CustomizeSearch=[site address]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Bar=[site address]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\SearchAssistant=[site address]
HKEY_CLASSES_ROOT\CMail.CMailClass
HKEY_CLASSES_ROOT\ctbcommon.Buttons
HKEY_CLASSES_ROOT\ctbr.R404Pro
HKEY_CLASSES_ROOT\CToolbar.TB4Client
HKEY_CLASSES_ROOT\CToolbar.TB4Script
HKEY_CLASSES_ROOT\CToolbar.TB4Server
HKEY_CLASSES_ROOT\Weather4.WeatherObj
HKEY_CLASSES_ROOT\CLSID\{183643C8-EE67-4574-9A38-927852E34163}
HKEY_CLASSES_ROOT\CLSID\{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411}
HKEY_CLASSES_ROOT\CLSID\{1DDA201E-5B42-4352-933E-21A92B297E3B}
HKEY_CLASSES_ROOT\CLSID\{4B3803EA-5230-4DC3-A7FC-33638F3D3542}
HKEY_CLASSES_ROOT\CLSID\{4D25FB7A-8902-4291-960E-9ADA051CFBBF}
HKEY_CLASSES_ROOT\CLSID\{54ECA872-DB2A-4C6B-BBB2-F3777C6786CC}
HKEY_CLASSES_ROOT\CLSID\{786C6F15-0D85-46FB-9A31-0AA0E93C88FF}
HKEY_CLASSES_ROOT\CLSID\{8736C681-37A0-40C6-A0F0-4C083409151C}
HKEY_CLASSES_ROOT\CLSID\{B1CF6225-211E-4B4C-B466-5F224E348FF3}
HKEY_CLASSES_ROOT\Interface\{01C78433-6FDF-4E5A-A82D-B535C32E03DF}
HKEY_CLASSES_ROOT\Interface\{41349826-5C7F-4BF0-8279-5DAF1DE6E9AE}
HKEY_CLASSES_ROOT\Interface\{604EA016-1EDE-41E6-A23E-76CF8F2A4808}
HKEY_CLASSES_ROOT\Interface\{B3BA5582-79A9-464D-A7FA-711C5888C6E9}
HKEY_CLASSES_ROOT\Interface\{E9BBD270-4B87-4EE2-912F-6635674986C0}
HKEY_CLASSES_ROOT\TypeLib\{0085379D-A745-47E0-8642-82A922D9F12D}
HKEY_CLASSES_ROOT\TypeLib\{2BA9A794-DC89-456F-90F4-A29D3E608216}
HKEY_CLASSES_ROOT\TypeLib\{506F578A-91E1-46CE-830F-E2F4268E9966}
HKEY_CLASSES_ROOT\TypeLib\{E79BB61D-7F1A-41DF-8AD0-402795E3B566}
HKEY_CLASSES_ROOT\PROTOCOLS\Handler\tbr
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar={4B3803EA-5230-4DC3-A7FC-33638F3D3542}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\""={4B3803EA-5230-4DC3-A7FC-33638F3D3542}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks={CFBFAE00-17A6-11D0-99CB-00C04FD64497}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Crawler Search
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4B3803EA-5230-4DC3-A7FC-33638F3D3542}
HKEY_LOCAL_MACHINE\SOFTWARE\CToolbar
HKEY_CURRENT_USER\Software\CToolbar
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CToolbar_UNINSTALL
Delete directories:
C:\Program Files\Crawler
polonus
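An added example (not polonus's own tool, and not code from the thread) that turns the list above into an audit: it checks each registry location and reports which ones still exist, so you can see what is left before or after a manual clean-up. Nothing is deleted unless -Remove is given. The key and value paths and the CLSIDs are copied from the post; the script assumes the entries written as "Key\Name=[data]" are named values under an otherwise normal Internet Explorer key (so only the value is removed), and that the WebBrowser entry is a value named by the toolbar's CLSID, which is how IE registers per-user toolbars. Removing HKLM entries requires an elevated prompt, and exporting the keys first (reg export) keeps the change reversible.

```powershell
# Added example; not polonus's procedure as a tool, and not from avast.
# Reports the Crawler toolbar registry entries listed in the post; deletes
# them only when -Remove is supplied. HKLM entries need an elevated prompt.
param([switch]$Remove)

# Whole keys the post says to delete (paths copied from the post).
$keys = @(
    'HKEY_CLASSES_ROOT\CMail.CMailClass', 'HKEY_CLASSES_ROOT\ctbcommon.Buttons',
    'HKEY_CLASSES_ROOT\ctbr.R404Pro', 'HKEY_CLASSES_ROOT\CToolbar.TB4Client',
    'HKEY_CLASSES_ROOT\CToolbar.TB4Script', 'HKEY_CLASSES_ROOT\CToolbar.TB4Server',
    'HKEY_CLASSES_ROOT\Weather4.WeatherObj',
    'HKEY_CLASSES_ROOT\CLSID\{183643C8-EE67-4574-9A38-927852E34163}',
    'HKEY_CLASSES_ROOT\CLSID\{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411}',
    'HKEY_CLASSES_ROOT\CLSID\{1DDA201E-5B42-4352-933E-21A92B297E3B}',
    'HKEY_CLASSES_ROOT\CLSID\{4B3803EA-5230-4DC3-A7FC-33638F3D3542}',
    'HKEY_CLASSES_ROOT\CLSID\{4D25FB7A-8902-4291-960E-9ADA051CFBBF}',
    'HKEY_CLASSES_ROOT\CLSID\{54ECA872-DB2A-4C6B-BBB2-F3777C6786CC}',
    'HKEY_CLASSES_ROOT\CLSID\{786C6F15-0D85-46FB-9A31-0AA0E93C88FF}',
    'HKEY_CLASSES_ROOT\CLSID\{8736C681-37A0-40C6-A0F0-4C083409151C}',
    'HKEY_CLASSES_ROOT\CLSID\{B1CF6225-211E-4B4C-B466-5F224E348FF3}',
    'HKEY_CLASSES_ROOT\Interface\{01C78433-6FDF-4E5A-A82D-B535C32E03DF}',
    'HKEY_CLASSES_ROOT\Interface\{41349826-5C7F-4BF0-8279-5DAF1DE6E9AE}',
    'HKEY_CLASSES_ROOT\Interface\{604EA016-1EDE-41E6-A23E-76CF8F2A4808}',
    'HKEY_CLASSES_ROOT\Interface\{B3BA5582-79A9-464D-A7FA-711C5888C6E9}',
    'HKEY_CLASSES_ROOT\Interface\{E9BBD270-4B87-4EE2-912F-6635674986C0}',
    'HKEY_CLASSES_ROOT\TypeLib\{0085379D-A745-47E0-8642-82A922D9F12D}',
    'HKEY_CLASSES_ROOT\TypeLib\{2BA9A794-DC89-456F-90F4-A29D3E608216}',
    'HKEY_CLASSES_ROOT\TypeLib\{506F578A-91E1-46CE-830F-E2F4268E9966}',
    'HKEY_CLASSES_ROOT\TypeLib\{E79BB61D-7F1A-41DF-8AD0-402795E3B566}',
    'HKEY_CLASSES_ROOT\PROTOCOLS\Handler\tbr',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411}',
    'HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Crawler Search',
    'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411}',
    'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4B3803EA-5230-4DC3-A7FC-33638F3D3542}',
    'HKEY_LOCAL_MACHINE\SOFTWARE\CToolbar', 'HKEY_CURRENT_USER\Software\CToolbar',
    'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CToolbar_UNINSTALL'
)

# Entries the post writes as Key\Name=[data]: treated here as named values, so
# the parent IE key is left alone and only the value goes (assumption of this example).
$ie = 'HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer'
$values = @(
    @{ Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search'; Name = 'CustomizeSearch' },
    @{ Key = "$ie\Main"; Name = 'CustomizeSearch' },
    @{ Key = "$ie\Main"; Name = 'Search Bar' },
    @{ Key = "$ie\Main"; Name = 'SearchAssistant' },
    @{ Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar'; Name = '{4B3803EA-5230-4DC3-A7FC-33638F3D3542}' },
    @{ Key = "$ie\Toolbar\WebBrowser"; Name = '{4B3803EA-5230-4DC3-A7FC-33638F3D3542}' },
    @{ Key = "$ie\URLSearchHooks"; Name = '{CFBFAE00-17A6-11D0-99CB-00C04FD64497}' }
)

function Get-CrawlerResidue {
    # One record per location that still exists; nothing is changed here.
    $found = @()
    foreach ($k in $keys) {
        if (Test-Path -LiteralPath "Registry::$k") {
            $found += [pscustomobject]@{ Type = 'Key'; Path = $k; Name = '' }
        }
    }
    foreach ($v in $values) {
        $p = "Registry::$($v.Key)"
        if ((Test-Path -LiteralPath $p) -and ($null -ne (Get-Item -LiteralPath $p).GetValue($v.Name, $null))) {
            $found += [pscustomobject]@{ Type = 'Value'; Path = $v.Key; Name = $v.Name }
        }
    }
    return $found
}

$residue = @(Get-CrawlerResidue)
$dir = 'C:\Program Files\Crawler'   # directory named in the post
if ($residue.Count -eq 0 -and -not (Test-Path -LiteralPath $dir)) {
    Write-Host 'No Crawler toolbar residue found.'; return
}
$residue | Format-Table -AutoSize
if (Test-Path -LiteralPath $dir) { Write-Host "Directory still present: $dir" }

if ($Remove) {
    foreach ($r in $residue) {
        if ($r.Type -eq 'Key') { Remove-Item -LiteralPath "Registry::$($r.Path)" -Recurse -Force }
        else { Remove-ItemProperty -LiteralPath "Registry::$($r.Path)" -Name $r.Name }
    }
    if (Test-Path -LiteralPath $dir) { Remove-Item -LiteralPath $dir -Recurse -Force }
}
```

Save it as a .ps1 and run it once without switches to get the report; the Registry:: provider prefix is used so that HKEY_CLASSES_ROOT can be addressed without creating an extra PSDrive.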
-
No they are the result of avast detecting them and McAfee not detecting anything.
No, as your detections don't have the same malware name JS:Prontexi.
Avast! Virus Labs have named this attack vector JS:Prontexi. It is a JavaScript code which acts as a channel for malware attacks on vulnerable software such as Adobe and a range of zero-day exploits.
That article is reporting that on-line ads are now being exploited to try and infect your system. As I said, the internet is now the most common means to attack your system. The fact is that both the Web Shield and the Network Shield go a very long way to prevent infection getting on to your system from this attack method. The other link on that page goes to the avast blog which gives a more technical report from one of the avast Virus Labs guys.
Alright thanks for all the info. :)
The thing is... :-X How do I remove them :-X
@Polonus Thanks, I already got it it out :)
Regards,
Viewpoint
-
If you are talking about the .htm files in the temp internet files folder, then there are some tools to kill files that are somewhat more stubborn, again I don't know if these tools work on 64bit OSes, a problem you are no doubt still finding out with 64bit OSes.
- MoveOnBoot http://www.download.com/EMCO-MoveOnBoot/3000-2094_4-10397293.html
- Unlocker http://ccollomb.free.fr/unlocker/ is also good as it also has a few additional features to not only delete the files but stop any process that is stopping you from deleting a file.
There may well be other tools for deletion of locked files, you could try your friend and mine Google to see if it brings any others.
-
There may well be other tools for deletion of locked files, you could try your friend and mine Google to see if it brings any others.
Malwarebytes > More tools > FileASSASSIN
-
There may well be other tools for deletion of locked files, you could try your friend and mine Google to see if it brings any others.
Malwarebytes > More tools > FileASSASSIN
That would do just the trick, but problem is... When I search them they technically don't exist. ??? They are no where when I search or manually look for them. ???
-
Well, I did ask which ones you were talking about before and implied it if you were talking about the .htm ones (but you didn't respond to that), so I will ask directly: which ones are you talking about that can't be found?
- Ensure that you have hidden files and folders enabled and disable hide system files in Windows Explorer, Tools, Folder Options, Hidden files and folders, uncheck Hide extensions for known file types, etc. See image.
Note: this might be different in your OS and version of Windows Explorer, but I'm sure you should be able to find the relevant area.
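The Explorer settings DavidR points at are stored under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced, and a search that includes hidden and system entries answers the "folders don't exist" question without touching Folder Options. The following is an added example, not code from the thread or from avast: it reports those three settings and then lists matching entries in the IE cache. It assumes the Vista Protected Mode cache location under %LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files (the "Temporary internet Files/Low/Content.IE5" path from the first post), and uses the file names go[1].htm and in[1].htm from that post as the search targets.

```powershell
# Added example; not from the forum thread or from avast.
# 1. Reports the Explorer visibility settings DavidR refers to.
# 2. Searches the IE cache with -Force so hidden/system entries (Content.IE5
#    is hidden+system) are included, which Explorer hides by default.

$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Get-ExplorerVisibility {
    # Hidden: 1 = show hidden files, 2 = hide them.
    # ShowSuperHidden: 1 = show protected operating system files.
    # HideFileExt: 0 = show extensions for known file types.
    $p = Get-ItemProperty -Path $advanced
    [pscustomobject]@{
        ShowHiddenFiles      = ($p.Hidden -eq 1)
        ShowProtectedOSFiles = ($p.ShowSuperHidden -eq 1)
        ShowExtensions       = ($p.HideFileExt -eq 0)
    }
}

function Find-CacheEntry {
    param(
        [string[]]$Names,
        # Vista Protected Mode cache root; assumed location for this example.
        [string]$Root = "$env:LOCALAPPDATA\Microsoft\Windows\Temporary Internet Files"
    )
    # -Force includes hidden and system entries; PSIsContainer filter keeps files only
    # (works on the PowerShell 2.0 that shipped for Vista, which has no -File switch).
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and ($Names -contains $_.Name) }
}

Get-ExplorerVisibility | Format-List

# File names reported by the scanner in the first post.
$hits = @(Find-CacheEntry -Names 'go[1].htm', 'in[1].htm')
if ($hits.Count -eq 0) {
    Write-Host 'No matching cache entries found; the scanner may be reporting an entry the cache index still lists but Explorer no longer shows.'
} else {
    $hits | Select-Object FullName, Length, Attributes, LastWriteTime | Format-Table -AutoSize
}
```

If the entries do turn up with the Hidden or System attribute, that alone explains why a manual search in Explorer with default settings finds nothing; clearing the cache from the browser itself, as suggested earlier in the thread, removes them together with the index that references them.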