Avast Trojan Horse Alert - JS:ScriptPE-inf[Trj]

[sgrace]

A month or so ago I started getting an Avast warning:

hXXp://www.kanecal.net/favicon.gif
JS:ScriptPE-inf[trj]
Trojan Horse
VPS Version: 090331-0

It occurs randomly during my IE sessions.  Of course, it also occurs when I try going to that kanecal.net site, to see what it is.  I've tried doing a repair on Avast (recommended on another posting), but the warning messages continue.  I also deleted all of my temp IE files.

My Avast is up to date and I have firewall protection.  No viruses show up when I run scans via Ad-Aware.

Any help appreciated.

[polonus]

Hi sgrace,


Here you find your answer to what kind of malware this is:
http://forum.avast.com/index.php?topic=43928.0

polonus

[DavidR]

Well this url purports to be the favicon.gif, sneaky, all web pages that load try to find favicon to load into the address bar of the browser, so you have pretty site icon to the left of the url. Someone has substituted the actual image with an html file but just called favicon.gif this has a javascript <script> tag in it which is obfuscated to hid its malicious intent.

After that there are a couple of hidden iframe tags to a dubious domain in Russia, see link below), so this site has been well and truly hacked and avast has saved your butt.
http://www.siteadvisor.com/sites/odmarco.com/postid/?p=1512410

See image of page code, I have edited it to make it easier to see in the image as most of it is on a single line.

[polonus]

Hi DavidR,

Good explanation in detail of what I put there as a general response, during recent month this older exploit was renewed and a 200% increase of this malware vector that works for buggy older browsers has been found up, good avast is a leader in detecting and blocking this online attack vectors, really impressive work done here by the makers of our favourite av-product,

polonus

[sgrace]

Thanks for all of the insights and feedback.

No doubt Avast is working, and I'm glad it is.  The question now is, how do I get rid of the problem altogether? 

Or is there at least a way for me to tell Avast to block the problem in the background, rather than continuing to give me all of the pop-up alerts and requiring me to hit 'Abort' button for each one?  The alerts happen at random times all along during my IE sessions.  The alert sound is quite disturbing, and the relatively frequent interruptions aren't any fun.

Thanks again for facilitation.  It's more than nice having access to such an in-depth base of support knowledge.

[sgrace]

Via Windows 'Search Desktop', I did find a couple of files with kanecal in the name.  Deleted them and deleted them from recycle bin. 

Will see if the problem goes away.

[DavidR]

Thanks for all of the insights and feedback.

No doubt Avast is working, and I'm glad it is.  The question now is, how do I get rid of the problem altogether? 

Or is there at least a way for me to tell Avast to block the problem in the background, rather than continuing to give me all of the pop-up alerts and requiring me to hit 'Abort' button for each one?  The alerts happen at random times all along during my IE sessions.  The alert sound is quite disturbing, and the relatively frequent interruptions aren't any fun.

Thanks again for facilitation.  It's more than nice having access to such an in-depth base of support knowledge.

You're welcome.

So to simply ignore that the warning/problem exists is like the ostrich sticking its head in the sand, the site is infected and there is absolutely no way I would want to just deal with a problem silently as all you will know is that a site isn't working and not that it is infected. Getting infected is even less funny as it could seriously impact not just your browsing but the ability to use your system.

You can't get rid of the problem unless you are the webmaster of the site in which case you would have to remove the offending scripts, replacing it with the correct favicon.jpg file.

If you aren't the owner or web master the only thing you can do is reported to them and stay away for a while until it is resolved by them.

As far as the random nature of the alerts, you are only reporting one site so unless it is on the same site all the time I can't offer any suggestions other than the other sites could well be hacked also, this is becoming more prevalent as polonus mentions.

[sgrace]

Greetings all.

After deleting a couple of files yesterday with 'kanecal' in the name, today I'm still getting the Avast 'Abort Connection' messages.

To clarify, I'm not visiting the offending/infected site.  That's why the Avast warning messages were such a mystery when they first started popping up.  I would have no idea that my PC is trying to connect to kanecal if not for the Avast alert messages.

Additional info: 

I didn't recognize the name of the kanecal site when Avast first started issuing the warnings about a month ago, and I definitely wasn't trying to go there.  After several days of the recurring error messages, realizing that they weren't transient, I Googled to see if others were having the same problem.  There were only a couple of hits, one of which suggested 'repair' on Avast via MS Control Panel, and I did that.  But the Avast messages have kept coming.

Finding no Google hits about a 'bad' kanecal site, I then (and only then) tried to access the actual site, to find out more, and perhaps determine if Avast had been issuing false positives.  Avast blocked access, providing the same error/alert message I had been getting before, when not trying to access the site.   

The Avast messages always occur two at a time, and for each of the duplicate messages, I select the 'Abort connection' option.  The messages routinely appear as soon as I bring up IE, and then at seemingly random times during my IE session.

The Avast alert mesages do not occur when I bring up Firefox, and they haven't occurred during any of my Firefox sessions, but those are usually relatively brief, about an hour, compared to my customary all-day use of IE.

Apparently the kanecal site held something of interest for me a few years ago, because the two kanecal files I found and deleted yesterday were bookmarks.   

Maybe a kanecal-related bad actor is running on my PC, trying occasionally through IE to connect to the kanecal server in the background.  Is that kind of thing technically possible and, if so, why isn't it detected by my MalwareBytes or other full-system virus scans?

All of my system, firewall and virus software is up to date - Win XP Pro with IE7. The only thing I haven't updated is Win XP - still running SP2, not SP3.

Thanks for your interest and cycle time.

[DavidR]

Deleting the files on your system will have no impact as if you continue to visit the site you will continue to get the alerts (or rather something on your system tries to connect).

What is your firewall ?
If it is the XP windows firewall, frankly it is about as much use as a chocolate fireguard as it provides zero unauthorised outbound protection.

You won't find anything bad about the site, as I said this is what appears to be a legit site that has been hacked and a common file that is always accesses replaced with a malicious one.

SP2 will not only leave your system more vulnerable to exploit and we don't know what is causing this attempt to connect, which is a bit strange as whatever is on your system would have to know that the site had been hacked.

If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode and report the findings (it should product a log file).

• 1. SUPERantispyware On-Demand only in free version.
• 2. MalwareBytes Anti-Malware, On-Demand only in free version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right click on the link and select Save As or Save File (As depending on your browser), save it to a location where you can find it easily later.

[sgrace]

Hello DavidR.

Thanks for info and directives.  No clear confirmation yet, but the problem appears to have been resolved.  No Avast warnings during IE7 sessions today.  Unfortunately for others who may encounter the same problem, I can't pinpoint exactly what did the trick.  Nevertheless, I'll offer what I can.

Over the past few days, I had started getting another Avast warning in addition to the one for JS:ScriptPE-inf[trj], this time for HTML:Iframe-inf, supposedly a virus/worm, and at a different site (that I haven't been visiting), but which also happened to be in my fairly long list of IE bookmarks.  Maybe a coincidence, but not a good sign.

I downloaded and ran SuperAntiSpyware in safe mode, per your recommendation.  Already had run MalwareBytes.  Neither found anything beyond the typical tracking cookies, but I did quarantine and then delete everything that was found. I don't use IE bookmarks anymore, so deleted all of them, just for grins.  Then emptied the Recycle Bin.

Also per your recommendation, I updated XP Pro to SP3, plus all of the other critical MS XP updates subsequent to SP3.  Still was getting the Avast alerts during IE7 sessions.  Meanwhile, Outlook 2007 was squirrelly with SP3, so I manually applied all of the identified MS Office fixes subsequent to SP3.

Oddly, that's when the Avast warnings seem to have disappeared from IE.  Maybe it was related to MS Office.  Or maybe MS put on some fixes at shutdown last night.  Or maybe something else related to all of the restarts, for instance, perhaps power down clears some things that restart doesn't.

In any event, I appreciate all of the info, interest, and cycle time from you and from Polonus.  I'll be back to report more if the Avast alerts reappear.

Best,
Grace

[DavidR]

You're welcome.

Security Updates close vulnerabilities and although they may seem unrelated could well help. The main thing it to keep on top of it so your system is up to date and more secure.

[sgrace]

Hello again.

Bad news and good news.

The bad news is that the Avast warnings reappeared, for the same two sites.

The good news is that they only stayed for a day or two.  So..  My latest theory about their absence is related to the fact that I started manually blocking cookies and opting to have them added to the IE block list.  That, of course, was manually intensive, but only until I had hit most of my commonly visited sites.

I'm no MS or IE person, but if cookie-blocking was actually the answer, then apparently some sites that look fine are actually sending cookies that attempt to redirect IE to infected sites, or at least enable that potentiality so that some other background process(es) can initiate it. 

Others may want to try cookie-blocking if they're getting the same types of warning messages from Avast.

The additional bad news is that my Outlook 07 is still acting funky and crashing fairly often.  Maybe related to Connector, which I hope I can uninstall.

Will repost if the Avast warning messages begin again.

Best,
Grace

[DavidR]

Sorry but cookies aren't a security risk, more of a minor privacy issue if you don't what that site to store information about your activity on 'that' site, browsing, settings, preferences, log-on, etc...

Cookies are text files, that can't execute instructions to redirect, so it is something else, like what was discussed relating to your first first posts.

[Lisandro]

sending cookies that attempt to redirect IE to infected sites

Like David said, this is not a work for cookies...

[sgrace]

Hmm..

So far the Avast warning messages haven't recurred for the two offending sites, or for any others.

Considering your recent comments, the most likely thing I might surmise is that MS patches subsequent to SP3 may have resolved some type of IE loophole. 

I will, of course, post again if problem recurs.

Best to you all,

Grace R