Author Topic: JS:LockyDownloader [Trj] Detected  (Read 9922 times)


Offline Pholover

  • Jr. Member
  • **
  • Posts: 55
JS:LockyDownloader [Trj] Detected
« on: July 13, 2016, 03:40:39 AM »
Hi, this afternoon I was expecting an email with a JavaScript file from someone I work with, to be used on my website.  When I got this email, Avast detected JS:LockyDownloader [Trj] and now it's quarantined in the Virus Chest.  I'm wondering whether this person really attached this virus to the .js file that I need, or whether it is clean so that I can use it.  I did manage to download the zip file that contains the *.js files to my Desktop and ran a scan of this *.zip with Avast again, and it didn't detect anything.

Does Avast perhaps tag any file attachment containing *.js files as JS:LockyDownloader [Trj]?  Could it be a false positive?

Appreciate your help in advance.  I've also attached screenshots for more details.  My email and such are blocked for obvious reasons.  Thanks!

Offline Be Secure

  • Long Time Avast User(10years.....) Security Enthusiast.
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1908
Re: JS:LockyDownloader [Trj] Detected
« Reply #1 on: July 13, 2016, 05:14:10 AM »
Quote
Could it be a false positive?
NO.
It is DeepScreen of avast! that blocks it; it is ransomware and you should submit it to the Avast! lab via the Virus Chest and wait for a malware expert.
« Last Edit: July 13, 2016, 05:18:24 AM by Be Secure »
PC- Windows10 EDU 64Bit,avast! free 21.1.2449,uBlock Origin,NVT_OSA,GoogleChrome(64bit),CCleaner,Unchecky,ZAM Free,Shadow Defender.
Security Enthusiast

Offline dbrisendine

  • Malware Fighter
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1258
Re: JS:LockyDownloader [Trj] Detected
« Reply #2 on: July 13, 2016, 05:30:53 AM »
Absolutely put that file in quarantine and submit it to Avast.  Locky is JavaScript ransomware that will encrypt your files, and I do not believe that there is a decrypter for it presently.

After locking that file away, please follow the steps in the following link:

Please follow the directions for scans in this topic and attach as many of the logs as you can run.
Logs to assist in cleaning malware

FRST.txt, Addition.txt, Malwarebytes Anti-Malware log and aswMBR.txt.  Thanks.

Win7 x32 Ult. SP1, Brain 2.0 / Win10 x64, Brain2.5
My help is always free but if you would like to help encourage me or show your thanks -----> DONATE

Offline Pholover

  • Jr. Member
  • **
  • Posts: 55
Re: JS:LockyDownloader [Trj] Detected
« Reply #3 on: July 14, 2016, 01:08:21 AM »
The file is in quarantine and submitted to Avast for potential malware and potential false positive.  I still have the file on my desktop but I have not extracted it and I'll keep it as is.

I've ran all the scans for which you asked and attached them.  Please have a look thanks.

Offline dbrisendine

  • Malware Fighter
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1258
Re: JS:LockyDownloader [Trj] Detected
« Reply #4 on: July 14, 2016, 03:41:59 AM »
FIRST >>>

Please uninstall QuickTime 7 from your system.  Apple has stopped supporting or updating this software and there are some known vulnerabilities in it.

SECOND >>>

Open Notepad by pressing the Windows Key + R Key, typing Notepad in the Run dialog and then pressing Enter.  Please copy the contents of the Code box below.  To do this, highlight the contents of the box by clicking [Select] next to Code:, then right click on any of the highlighted text and select Copy.  Paste this into the open Notepad window and save it to your desktop as fixlist.txt.
 
Code: [Select]
Start
CreateRestorePoint:
CloseProcesses:
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
Handler: WSIEChrome - {6D02ED5F-FD0D-4C4C -  No File
FF Session Restore: -> is enabled.
FF Plugin HKU\S-1-5-21-376512887-29430351-839405759-1000: @alibaba.com/nptrademanager;version=1.0 -> "C:\Program Files\TradeManager\nptrademanager.dll" [No File]
FF Plugin HKU\S-1-5-21-376512887-29430351-839405759-1000: @alibaba.com/npwangwang;version=1.0 -> "C:\Program Files\TradeManager\npwangwang.dll" [No File]
FF Plugin HKU\S-1-5-21-376512887-29430351-839405759-1000: @onlive.com/OnLiveGameClientDetector,version=1.0.0 -> C:\Program Files\OnLive\Plugin\npolgdet.dll [No File]
CHR Extension: (MozBar) - C:\Users\Main\AppData\Local\Google\Chrome\User Data\Default\Extensions\eakacpaijcpapndcfffdgphdiccmpknp [2016-03-06]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Main\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-02]
U4 AvastVBoxSvc; "C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe" [X]
C:\Program Files\AVAST Software\Avast\ng\vbox\AvastVBoxSVC.exe
U4 VBoxAswDrv; \??\C:\Program Files\AVAST Software\Avast\ng\vbox\VBoxAswDrv.sys [X]
C:\Program Files\AVAST Software\Avast\ng\vbox\VBoxAswDrv.sys
C:\Users\Main\AppData\Local\Temp\RoboForm-Setup.exe
CustomCLSID: HKU\S-1-5-21-376512887-29430351-839405759-1000_Classes\CLSID\{004B49B7-11B9-5058-FF22-08DD093ADC4B}\InprocServer32 -> {1F53EDD2-9468-D082-847D-22EE85889A47} => No File
CustomCLSID: HKU\S-1-5-21-376512887-29430351-839405759-1000_Classes\CLSID\{994B47B9-7DB9-5058-EE22-08DD039ADC4B}\InprocServer32 -> {1F53D6C4-9468-D082-9246-22EE85889A47} => No File
CustomCLSID: HKU\S-1-5-21-376512887-29430351-839405759-1000_Classes\CLSID\{DD0822EE-9A03-4BDC-B947-4B99B97D5850}\InprocServer32 -> {5F5E2F8A-9468-D082-DCBF-2FAE85889A47} => No File
CustomCLSID: HKU\S-1-5-21-376512887-29430351-839405759-1000_Classes\CLSID\{DD0822FF-3A09-4BDC-B749-4B00B9115850}\InprocServer32 -> {5F07ECA5-9468-D082-F37C-76AE85889A47} => No File
Task: {DEEFF7E4-715C-4326-B8E6-B7B1F08BB088} - System32\Tasks\{810BBE8E-1D35-465C-9497-CB89CFF8F7A3} => pcalua.exe -a "C:\Program Files\OANDA - MetaTrader\uninstall.exe" -d "C:\Program Files\OANDA - MetaTrader"
Shortcut: C:\Users\Main\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ICQ\icq.com.lnk -> hxxp://www.icq.com/ (No File)
C:\Users\Main\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ICQ\icq.com.lnk
AlternateDataStreams: C:\ProgramData\TEMP:05EE1EEF [144]
cmd: ipconfig /flushdns
cmd: netsh advfirewall reset
cmd: netsh advfirewall set allprofiles state on
Reg: reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
Reg: reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f
CMD: bitsadmin /reset /allusers
RemoveProxy:
EmptyTemp:
Reboot:
end

NOTE: It's important that both files, FRST and fixlist.txt, are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

Run FRST by right clicking on the FRST.exe file and selecting "Run as Administrator...".  The User Account Control prompt may open; if it does, select Yes to let FRST open and load.

The tool will check for an updated version of itself every time it loads; please allow it to do this and the program will either inform you it is downloading an updated copy (and to wait until it is safe to continue) or show nothing (meaning there is no update found) and you can continue on.  Press the Fix button just once and wait.  The tool will create a restore point, process the script and ask for a restart of your system.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.

When finished FRST will generate a log on the Desktop (Fixlog.txt). Please attach it to your reply post.  Also, tell me how your system is running now.

Offline Pholover

  • Jr. Member
  • **
  • Posts: 55
Re: JS:LockyDownloader [Trj] Detected
« Reply #5 on: July 14, 2016, 03:58:25 AM »
What will running this fix do?  When I inspect the files/folders in the fixlist.txt they seem to be files of programs that don't have any security concern.  Also, the OANDA MetaTrader uninstall is not something I'd like to run.  I can't just run this without knowing what is being done, is what I'm saying.  Have you detected any viruses, or is this just a clean-up of some sort?

Thank you

Offline dbrisendine

  • Malware Fighter
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1258
Re: JS:LockyDownloader [Trj] Detected
« Reply #6 on: July 14, 2016, 07:25:07 AM »
I asked you to uninstall the Apple software QuickTime 7; you can leave OANDA - MetaTrader, as I have no problem with that software and didn't ask for it to be uninstalled.

As to the fixlist, any line or item in it that has either a [X] or [No File] means that the file that line refers to does not exist in your file system, so the line is useless (non-active) but is still being processed.  We usually remove these lines to lessen the chance that malware could find and use one of these process points.

You do not have to run any of the steps here; they are voluntary suggestions to help a user clean their system.  There are no signs of the LockyDownloader having loaded a payload on your system.  But if it were my system, I would be imaging it and waiting for a response from Avast on the file uploaded.
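
To see what a fixlist does before running it, here is an added example (mine, not from the thread and not part of FRST) that sorts fixlist lines into FRST directives, cmd:/Reg: commands, orphaned entries marked [X]/[No File]/No File as explained above, and active entries that name something real. The sample lines, SID, GUIDs, names and paths are constructed; the marker strings and directive keywords are taken from the fixlist posted in this thread.

```python
"""Sort FRST fixlist lines so a user can see what a fix does before running it.
Added example for this thread; not part of the forum post or of the FRST tool."""
import re

# Markers FRST puts on entries whose target file no longer exists on disk.
ORPHAN_MARKERS = ("[X]", "[No File]", "=> No File", "(No File)", "No File")
# Keywords that drive the script itself rather than name something to remove.
DIRECTIVES = {"Start", "end", "CreateRestorePoint:", "CloseProcesses:",
              "RemoveProxy:", "EmptyTemp:", "Reboot:"}
COMMAND_RE = re.compile(r"^(cmd|reg):\s", re.IGNORECASE)

def classify_line(line):
    """Return (category, stripped line); category is one of
    blank, directive, command, orphan (dead pointer) or active (real target)."""
    s = line.strip()
    if not s:
        return ("blank", s)
    if s in DIRECTIVES:
        return ("directive", s)
    if COMMAND_RE.match(s):
        return ("command", s)
    if any(marker in s for marker in ORPHAN_MARKERS):
        return ("orphan", s)
    return ("active", s)

def triage_fixlist(text):
    """Group fixlist lines by category; 'active' is the list to read closely."""
    groups = {"directive": [], "command": [], "orphan": [], "active": []}
    for line in text.splitlines():
        category, s = classify_line(line)
        if category != "blank":
            groups[category].append(s)
    return groups

# Constructed sample in the style of the thread's fixlist; SID, GUIDs, names and paths are made up.
SAMPLE = r"""Start
CreateRestorePoint:
FF Plugin HKU\S-1-5-21-1111-2222-3333-1000: @example.com/np;version=1.0 -> "C:\Program Files\Example\np.dll" [No File]
U4 ExampleSvc; "C:\Program Files\Example\svc.exe" [X]
CustomCLSID: HKU\S-1-5-21-1111-2222-3333-1000_Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32 -> {00000000-0000-0000-0000-000000000002} => No File
CHR Extension: (Example Bar) - C:\Users\Main\AppData\Local\Google\Chrome\User Data\Default\Extensions\aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa [2016-03-06]
C:\Users\Main\AppData\Local\Temp\Example-Setup.exe
cmd: ipconfig /flushdns
Reg: reg delete HKLM\SOFTWARE\Policies\Example /f
EmptyTemp:
Reboot:
end
"""
```

The "active" group is the one to read line by line; in the thread's fixlist, for instance, the Task: line targets the scheduled-task entry that launches uninstall.exe, not the program it points at.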

Offline Pholover

  • Jr. Member
  • **
  • Posts: 55
Re: JS:LockyDownloader [Trj] Detected
« Reply #7 on: July 14, 2016, 06:37:23 PM »
I saw the "C:\Program Files\OANDA - MetaTrader\uninstall.exe" -d string and assumed that meant it was a command to uninstall.  I've removed QuickTime 7.

Thanks for the explanation of [X] and [No File].

I've attached Fixlog.txt.  My system has not been acting up since the detection of that virus, so it's the same as before.  Last night there was a Windows update, some of it relating to the registry, and I'm not sure about the others.  I performed the FRST fix this morning.  I don't know if that affects anything with our tests/scans/fixes.

Offline dbrisendine

  • Malware Fighter
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1258
Re: JS:LockyDownloader [Trj] Detected
« Reply #8 on: July 14, 2016, 11:44:38 PM »
The log looks great and the updates did not affect anything in the fix.  If your system is running fine then let's remove the tools and get you on your way.  Looks like Avast caught the Locky file in time (yeah!!!).


Clean up of Malware Removal Tools
Now that we are through using these tools, let's clean them off your system so that should you ever need to have malware removed again (we hope not) fresh, updated copies will be downloaded.

  • Download Delfix from here to your desktop and double click it to start the program
  • Ensure Remove disinfection tools is ticked
    Also tick:
  • Activate UAC (Note: yours is fine as it is; fully activated)
  • Create registry backup
  • Purge system restore
  • Reset system settings (FYI - FRST and other tools sometimes change the hidden file view; this resets that to default viewing)

  • Click Run
  • The program will run for a few moments and then Notepad will open with a log. Note: Please save this log first before rebooting your system (if asked to); DelFix does not save the log, as it is trying to remove all traces of our work on your system.  Please attach the log in your next reply.
You can delete any log files left on your desktop as these are no longer needed.

Offline Pholover

  • Jr. Member
  • **
  • Posts: 55
Re: JS:LockyDownloader [Trj] Detected
« Reply #9 on: July 15, 2016, 07:35:52 AM »
Yep, I'm waiting to hear from Avast as well.  I should mention I've run a boot scan, I believe before we started all the checkup scans, and there were some more viruses detected, all in zipped files sent by email spammers to a server backup.  I deleted all these files manually from my computer and rescanned with Avast, and no traces could be found, but I've attached what the report looks like.  Note the files couldn't be found because I deleted all of them.  Also I ran a normal scan and it detected 1 file on another occasion, which was successfully deleted.

DelFix also attached.

Offline dbrisendine

  • Malware Fighter
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1258
Re: JS:LockyDownloader [Trj] Detected
« Reply #10 on: July 15, 2016, 07:50:00 AM »
Looks like you have a good grasp on keeping the system clean.  Hopefully, it stays that way.  I look forward to seeing what Avast offers on the file you sent.  But other than that, you are good to go and have a great summer.

Offline Jiří Šembera

  • Avast team
  • Jr. Member
  • *
  • Posts: 46
  • Developer/Malware Analyst, former VPS maintainer
Re: JS:LockyDownloader [Trj] Detected
« Reply #11 on: July 15, 2016, 01:49:32 PM »
Hello Pholover,

This particular detection is special because it is not signature-based but algorithmic. That means it can take into account more factors than just the contents of the file. This way we can efficiently detect highly polymorphic malware such as these JS Locky downloaders. Even though this detection is very successful, FPs are always possible.

In this particular case, if the e-mail/attachment is expected and from a trusted source, it's probably a false positive. The e-mails with a Locky downloader attached are in 99.999...% of cases spam. Unfortunately I was not able to find this particular file on our backend systems, but if you post it to VirusTotal I can analyze it for you to be sure it's clean :-)


Jiri

REDACTED

  • Guest
Re: JS:LockyDownloader [Trj] Detected
« Reply #12 on: July 15, 2016, 08:02:16 PM »
To Pholover, I recommend backing up all your audio and video files, photos, docs, PDFs and Excel files; create a copy of your registry with ERUNT; create a system restore point. And, if you are still sure that you got the file from a trusted, very well known source, restore the file from the Avast quarantine, put it in exclusions and run it. Still, it would be better if you sent it to VirusTotal.

Offline Pholover

  • Jr. Member
  • **
  • Posts: 55
Re: JS:LockyDownloader [Trj] Detected
« Reply #13 on: July 16, 2016, 02:26:44 AM »
Quote
Looks like you have a good grasp on keeping the system clean.  Hopefully, it stays that way.  I look forward to seeing what Avast offers on the file you sent.  But other than that, you are good to go and have a great summer.

Thanks for your help dbrisendine.  I will update this thread when we have a conclusion.

Quote
Hello Pholover,

This particular detection is special because it is not signature-based but algorithmic. That means it can take into account more factors than just the contents of the file. This way we can efficiently detect highly polymorphic malware such as these JS Locky downloaders. Even though this detection is very successful, FPs are always possible.

In this particular case, if the e-mail/attachment is expected and from a trusted source, it's probably a false positive. The e-mails with a Locky downloader attached are in 99.999...% of cases spam. Unfortunately I was not able to find this particular file on our backend systems, but if you post it to VirusTotal I can analyze it for you to be sure it's clean :-)
Jiri

Hi Jiri,

Thanks for your input. The *.js file is in quarantine, in the Virus Chest, so I don't have access to it to send it.  I've already notified Avast and am working with a specialist on this.  I believe that most likely it's a false positive, but I don't want to take any chances at all.

Quote
To Pholover, I recommend backing up all your audio and video files, photos, docs, PDFs and Excel files; create a copy of your registry with ERUNT; create a system restore point. And, if you are still sure that you got the file from a trusted, very well known source, restore the file from the Avast quarantine, put it in exclusions and run it. Still, it would be better if you sent it to VirusTotal.

Hi Roberto,
That sounds like a good plan, except I don't know the details needed to execute it, and frankly I don't even want to try it for fear of making a mistake somewhere in such a procedure.  I'm hoping that the Avast team will guide me on that.  If not, I'll come and ask you guys for details on uploading to VirusTotal if required.  Thanks for looking out.