Topic: ScriptPE-inf?


REDACTED

  • Guest
ScriptPE-inf?
« on: March 21, 2018, 08:04:16 PM »
Heya, need a bit of help with this alert that Avast is constantly popping up when I have Firefox open. It's consistently giving a message of

"We've moved recovery.jsonlz4 to your Virus Chest because it was infected with JS:ScriptPE-inf [Trj]"
File path: C:\Users\Rando\AppData\Roaming\Mozilla\Firefox\Profiles\9ovjb02n.default\sessionstore-backups\recovery.jsonlz4
Process: F:\Program Files (x86)\Mozilla Firefox\firefox.exe
Detected by: File Shield

I've run both Malwarebytes (Safe Mode and normal) and Avast, but neither has picked up anything. Irregularly, Avast will stop picking this up, but as one might understand it's still rather concerning! I attached the Addition and FRST text from the Farbar tool as well.
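
The file Avast keeps quarantining here is Firefox's session-restore store: a JSON document listing open windows, tabs and each tab's history entries, LZ4-block-compressed and prefixed with the 8-byte magic "mozLz40\0" and a 4-byte little-endian uncompressed length. Before letting a scanner move such a file, a practitioner would decode it and look at which URLs it actually holds, since a data: or javascript: URL saved in a tab's history is one plausible way for script bytes to land in it. The block below is an added example written for this page, not code from the thread, from Mozilla or from Avast. It assumes the JSON layout Firefox uses (windows/tabs/entries, _closedTabs with a state object, _closedWindows), the sample session is constructed for the example, and the data:/javascript: filter is a heuristic of my own, not Avast's detection logic. The LZ4 decoder is pure Python so nothing needs to be installed.

```python
"""Inspect a Firefox session store (recovery.jsonlz4 / sessionstore.jsonlz4)
without the third-party lz4 package: a small pure-Python LZ4 block decoder
plus the 8-byte "mozLz40\\0" wrapper Firefox puts in front of the block."""
import json
import struct
import sys
from typing import List, Optional

MOZLZ4_MAGIC = b"mozLz40\0"  # magic, then 4-byte LE uncompressed size, then one LZ4 block


def lz4_block_decompress(block: bytes, expected_size: Optional[int] = None) -> bytes:
    """Decode one raw LZ4 block: a series of (literals, back-reference) sequences."""
    out = bytearray()
    pos, n = 0, len(block)
    while pos < n:
        token = block[pos]
        pos += 1
        lit_len = token >> 4
        if lit_len == 15:  # extended length: keep adding bytes until one is not 255
            while True:
                b = block[pos]
                pos += 1
                lit_len += b
                if b != 255:
                    break
        if pos + lit_len > n:
            raise ValueError("truncated LZ4 block inside a literal run")
        out += block[pos:pos + lit_len]
        pos += lit_len
        if pos >= n:
            break  # the last sequence carries literals only, no match follows
        offset = block[pos] | (block[pos + 1] << 8)
        pos += 2
        if offset == 0 or offset > len(out):
            raise ValueError("corrupt LZ4 block: match offset out of range")
        match_len = (token & 0x0F) + 4
        if (token & 0x0F) == 15:
            while True:
                b = block[pos]
                pos += 1
                match_len += b
                if b != 255:
                    break
        start = len(out) - offset
        for i in range(match_len):  # byte-wise copy so overlapping matches replicate
            out.append(out[start + i])
    if expected_size is not None and len(out) != expected_size:
        raise ValueError(f"size mismatch: header says {expected_size}, decoded {len(out)}")
    return bytes(out)


def lz4_literal_block(data: bytes) -> bytes:
    """Build a valid, literal-only (uncompressed) LZ4 block; used to make test files."""
    n = len(data)
    if n < 15:
        return bytes([n << 4]) + data
    head, rem = bytearray([0xF0]), n - 15
    while rem >= 255:
        head.append(255)
        rem -= 255
    head.append(rem)
    return bytes(head) + data


def mozlz4_decode(buf: bytes) -> bytes:
    if buf[:8] != MOZLZ4_MAGIC:
        raise ValueError("not a mozlz4 file")
    (size,) = struct.unpack("<I", buf[8:12])
    return lz4_block_decompress(buf[12:], size)


def mozlz4_encode(data: bytes) -> bytes:
    return MOZLZ4_MAGIC + struct.pack("<I", len(data)) + lz4_literal_block(data)


def decode_session(buf: bytes) -> dict:
    return json.loads(mozlz4_decode(buf))


def session_urls(session: dict) -> List[str]:
    """Collect history URLs from open and closed tabs, open and closed windows (assumed layout)."""
    urls: List[str] = []
    for win in session.get("windows", []) + session.get("_closedWindows", []):
        for tab in win.get("tabs", []):
            urls += [e["url"] for e in tab.get("entries", []) if "url" in e]
        for closed in win.get("_closedTabs", []):
            urls += [e["url"] for e in closed.get("state", {}).get("entries", []) if "url" in e]
    return urls


def suspicious_urls(urls: List[str]) -> List[str]:
    """Heuristic of this example: URLs that carry inline script or HTML in the URL itself."""
    return [u for u in urls if u.lower().startswith(("javascript:", "data:"))]


# Constructed sample session for the example, not a dump of a real profile.
SAMPLE_SESSION = {
    "windows": [{
        "tabs": [
            {"entries": [{"url": "https://example.com/", "title": "Example"}], "index": 1},
            {"entries": [{"url": "https://example.org/login", "title": "Login"},
                         {"url": "data:text/html,<script>alert(1)</script>", "title": ""}], "index": 2},
        ],
        "_closedTabs": [{"state": {"entries": [{"url": "https://example.net/"}]}}],
    }],
    "_closedWindows": [],
}
SAMPLE_BLOB = mozlz4_encode(json.dumps(SAMPLE_SESSION).encode())

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    found = session_urls(decode_session(blob))
    for u in found:
        print(("SUSPECT " if u in suspicious_urls(found) else "        ") + u)
```

Run it as `python inspect_session.py recovery.jsonlz4` on a copy of the file taken from sessionstore-backups (or restored from the Virus Chest) while Firefox is closed, since Firefox rewrites the file while it runs. The URL list tells you which tab carried the content the scanner tripped on; with no argument the script walks the constructed sample instead.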

Offline Pondus

Re: ScriptPE-inf?
« Reply #1 on: March 21, 2018, 08:37:10 PM »
Quote: "I've run both Malwarebytes (Safe Mode and normal) and Avast, but neither have picked up anything."
Safe mode does not give any better detection; in fact it can be worse. Malware that is detected by behavior may not run in safe mode.
Malwarebytes is not designed to run in safe mode; it will run, but crippled, as not all drivers are loaded.
Malwarebytes also does not target script / doc / media files; it targets executable files.


Have you tried to clear your firefox browsing history / cache ?
You may run AdwCleaner  >>  https://www.malwarebytes.com/adwcleaner/


Malware expert is notified, it may take hours before he is online


REDACTED

  • Guest
Re: ScriptPE-inf?
« Reply #2 on: March 21, 2018, 09:12:12 PM »
Whaaat. I have been grossly misinformed regarding safe mode and malware scans, alas! Well, live and learn.

That AdwCleaner picked up a few things - two in the registry, two or three other bits - and cleaned them out. Happenstance or otherwise, no Avast alerts so far! Hopefully that was all that was needed, but expert help would be much appreciated.

Offline Pondus

Re: ScriptPE-inf?
« Reply #3 on: March 21, 2018, 09:20:16 PM »
Quote: "Whaaat. I have been grossly misinformed regarding safe mode and malware scans, alas! Well, live and learn."
What it may give is better removal of some stubborn infections.
Today most malware removal tools will give you a message after the scan ... you need to reboot for removal of this and that ...


You may also attach AdwCleaner log so that @Sass Drake can see when he is online




Offline Sass Drake

Re: ScriptPE-inf?
« Reply #4 on: March 21, 2018, 10:09:05 PM »
I don't see anything malicious in the logs, so I can say AdwCleaner saved me from making a fix.


The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.
Run the tool and check the following boxes:
Remove disinfection tools
Create registry backup
Purge System Restore

Click the Run button and wait a few seconds for the program to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.

REDACTED

  • Guest
Re: ScriptPE-inf?
« Reply #5 on: March 21, 2018, 10:29:28 PM »
Hmm, I spoke too soon.

I ran the tool that Sass mentioned, and when I reopened Firefox I got Avast popping up again. Same issue. I guess it was too much to hope for a quick and easy fix!

Offline Sass Drake

Re: ScriptPE-inf?
« Reply #6 on: March 21, 2018, 10:32:05 PM »
Redownload FRST to Desktop and do this:


  • Open Notepad (click Start button -> type notepad.exe -> press Enter)
  • Copy text from code block below and paste it into Notepad
Code:
FF Session Restore: Mozilla\Firefox\Profiles\9ovjb02n.default -> is enabled.
FF Extension: (Classic Theme Restorer) - C:\Users\Rando\AppData\Roaming\Mozilla\Firefox\Profiles\9ovjb02n.default\Extensions\ClassicThemeRestorer@ArisT2Noia4dev.xpi [2017-11-14] [Legacy]
FF Extension: (ChatZilla) - C:\Users\Rando\AppData\Roaming\Mozilla\Firefox\Profiles\9ovjb02n.default\Extensions\{59c81df5-4b7a-477b-912d-4e0fdf64e5f2} [2016-11-10] [Legacy]
FF Extension: (TLS 1.3 gradual roll-out) - C:\Users\Rando\AppData\Roaming\Mozilla\Firefox\Profiles\9ovjb02n.default\features\{5cd812a8-f655-4945-9941-5ebba1897b41}\tls13-rollout-bug1442042@mozilla.org.xpi [2018-03-20] [Legacy]
  • Go to File -> Save As
  • Make sure that UTF-8 is selected as Encoding (left side of the Save button)
  • Save it as fixlist.txt on the Desktop
  • Open FRST again and click on the Fix button
  • Wait until FRST finishes
  • fixlog.txt should be generated and opened. Attach it to your post and wait for further instructions.

REDACTED

  • Guest
Re: ScriptPE-inf?
« Reply #7 on: March 21, 2018, 10:43:52 PM »
Done and done!

Offline Pondus

Re: ScriptPE-inf?
« Reply #8 on: March 22, 2018, 12:00:51 AM »
You did not attach the fix log.


REDACTED

  • Guest
Re: ScriptPE-inf?
« Reply #9 on: March 22, 2018, 12:54:49 AM »
Ack, sorry, I hit Scan instead of Fix! Still got pop-ups from Avast, if that's any indication of things.



Fix result of Farbar Recovery Scan Tool (x64) Version: 14.03.2018
Ran by Rando (21-03-2018 19:52:17) Run:1
Running from C:\Users\Rando\Desktop
Loaded Profiles: Rando & DefaultAppPool (Available Profiles: Rando & DefaultAppPool)
Boot Mode: Normal
==============================================

fixlist content:
*****************
FF Session Restore: Mozilla\Firefox\Profiles\9ovjb02n.default -> is enabled.
FF Extension: (Classic Theme Restorer) - C:\Users\Rando\AppData\Roaming\Mozilla\Firefox\Profiles\9ovjb02n.default\Extensions\ClassicThemeRestorer@ArisT2Noia4dev.xpi [2017-11-14] [Legacy]
FF Extension: (ChatZilla) - C:\Users\Rando\AppData\Roaming\Mozilla\Firefox\Profiles\9ovjb02n.default\Extensions\{59c81df5-4b7a-477b-912d-4e0fdf64e5f2} [2016-11-10] [Legacy]
FF Extension: (TLS 1.3 gradual roll-out) - C:\Users\Rando\AppData\Roaming\Mozilla\Firefox\Profiles\9ovjb02n.default\features\{5cd812a8-f655-4945-9941-5ebba1897b41}\tls13-rollout-bug1442042@mozilla.org.xpi [2018-03-20] [Legacy]
*****************

"Firefox Session Restore" => removed successfully
C:\Users\Rando\AppData\Roaming\Mozilla\Firefox\Profiles\9ovjb02n.default\Extensions\ClassicThemeRestorer@ArisT2Noia4dev.xpi => moved successfully
C:\Users\Rando\AppData\Roaming\Mozilla\Firefox\Profiles\9ovjb02n.default\Extensions\{59c81df5-4b7a-477b-912d-4e0fdf64e5f2} => moved successfully
C:\Users\Rando\AppData\Roaming\Mozilla\Firefox\Profiles\9ovjb02n.default\features\{5cd812a8-f655-4945-9941-5ebba1897b41}\tls13-rollout-bug1442042@mozilla.org.xpi => moved successfully

==== End of Fixlog 19:52:34 ====

Offline Sass Drake

Re: ScriptPE-inf?
« Reply #10 on: March 22, 2018, 09:15:41 PM »
  • Open Notepad (click Start button -> type notepad.exe -> press Enter)
  • Copy text from code block below and paste it into Notepad
Code:
VirusTotal: C:\Users\Rando\AppData\Roaming\Mozilla\Firefox\Profiles\9ovjb02n.default\sessionstore-backups\recovery.jsonlz4
C:\Users\Rando\AppData\Roaming\Mozilla\Firefox\Profiles\9ovjb02n.default\sessionstore-backups
  • Go to File -> Save As
  • Make sure that UTF-8 is selected as Encoding (left side of the Save button)
  • Save it as fixlist.txt on the Desktop
  • Open FRST again and click on the Fix button
  • Wait until FRST finishes
  • fixlog.txt should be generated and opened. Attach it to your post and wait for further instructions.

REDACTED

  • Guest
Re: ScriptPE-inf?
« Reply #11 on: March 23, 2018, 02:24:51 AM »
Fix result of Farbar Recovery Scan Tool (x64) Version: 14.03.2018
Ran by Rando (22-03-2018 21:23:45) Run:2
Running from C:\Users\Rando\Desktop
Loaded Profiles: Rando & DefaultAppPool (Available Profiles: Rando & DefaultAppPool)
Boot Mode: Normal
==============================================

fixlist content:
*****************
VirusTotal: C:\Users\Rando\AppData\Roaming\Mozilla\Firefox\Profiles\9ovjb02n.default\sessionstore-backups\recovery.jsonlz4
C:\Users\Rando\AppData\Roaming\Mozilla\Firefox\Profiles\9ovjb02n.default\sessionstore-backups
*****************

VirusTotal: C:\Users\Rando\AppData\Roaming\Mozilla\Firefox\Profiles\9ovjb02n.default\sessionstore-backups\recovery.jsonlz4 => https://www.virustotal.com/file/8da43fd6cae490616df792010c173945b104f5b5590b4cbca2d649baa6f9ba1d/analysis/1521768226/
C:\Users\Rando\AppData\Roaming\Mozilla\Firefox\Profiles\9ovjb02n.default\sessionstore-backups => moved successfully

==== End of Fixlog 21:23:47 ====

Offline Sass Drake

Re: ScriptPE-inf?
« Reply #12 on: March 23, 2018, 11:11:18 AM »
What is status now?

REDACTED

  • Guest
Re: ScriptPE-inf?
« Reply #13 on: March 24, 2018, 03:12:50 PM »
So far, so good! I haven't had Avast popping up in any fashion since that last fix. :D Thank you very much, all!

Offline Sass Drake

Re: ScriptPE-inf?
« Reply #14 on: March 24, 2018, 06:24:32 PM »
Glad to hear that.

The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.
Run the tool and check the following boxes:
Remove disinfection tools
Create registry backup
Purge System Restore

Click the Run button and wait a few seconds for the program to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.