Author Topic: Which program in which order?  (Read 3726 times)

0 Members and 1 Guest are viewing this topic.

cromag

  • Guest
Which program in which order?
« on: April 13, 2009, 09:38:02 AM »
Hi.  I'm running Windows XP Home SP3 on an IBM ThinkCentre 8195-26U.  While cruising the internet earlier in search of pictures of zebras (pretty innocent, I thought) I clicked on an image in a Google image search and Avast! 4.8 Home Edition popped up a warning that a virus had been found, offered me the opportunity to abort the connection, and looks like it quarantined something.  The file it apparently found was identified as "JS:ScriptIP-inf[trJ]."

I'm not very well versed at this, but it looks like a Javascript file (?).

I disconnected from the internet and did a full scan with MBAM just to double check, and all appears normal.

Here's my question -- I'm using Firefox 3.0.8 with NoScript and Cookie Whitelist addons, among others.  If this was, in fact, a Javascript trojan, should NoScript have caught it?  Are there any other addons for Firefox that might be helpful in protecting my computer?

Can anyone provide any additional info on what Avast! caught?  I'm trying to learn more so I can take a more effective part in keeping myself safe.

Thanks.

« Last Edit: April 13, 2009, 09:40:33 AM by cromag »

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 86676
  • No support PMs thanks
Re: Which program in which order?
« Reply #1 on: April 13, 2009, 03:39:54 PM »
First the alert would be by the web shield and your only option 'Abort Connection' this should block the file being saved to your system and being ruin. So it isn't too surprising nothing was found.

With the information you provide there is absolutely no way to tell, no URL, no way to investigate.

All the NoScript does is block scripts from running on site you haven't specifically allowed, avast doesn't know or care about NoScript, it just sees the malicious javascript and alerts based on its content not its execution.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.5.6015 (build 22.5.7263.730) UI 1.0.711/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

cromag

  • Guest
Re: Which program in which order?
« Reply #2 on: April 13, 2009, 07:35:00 PM »
Thanks for the reply, DavidR.

Yes, at the time I was still a bit anxious about a previous experience with malware.  The alert was unexpected (the way it always happens, I suppose) and I was concentrating on following Avast!'s instructions -- and I didn't write down the address.  If this happens again I'll try to keep my head and take down more info.

However, it does look like Avast! quarantined the object.

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 86676
  • No support PMs thanks
Re: Which program in which order?
« Reply #3 on: April 13, 2009, 08:37:22 PM »
Not so much quarantine as that implies it keeps a copy which it doesn't by default.

The web shield is between the web and your browser display, this is known as a localhost proxy a temporary area were files from the internet are scanned and if clean saved to your browser cache so they can be displayed (Internet - Web Shield - Browser).

So when avast detects something it alerts, blocking the download, the file is in this temporary location. When you select abort connection, that download connection is dropped and the file removed from the temp (proxy) so it doesn't get into your browser cache.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.5.6015 (build 22.5.7263.730) UI 1.0.711/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

cromag

  • Guest
Re: Which program in which order?
« Reply #4 on: April 13, 2009, 10:34:49 PM »
I hope I don't get too tedious, as I am trying to learn.  I don't believe I messed with any of the operational aspects or defaults of Avast!

That being the case, I do seem to have caught something in quarantine.  When I run Avast!'s user interface and open the virus chest there's a new item in there that matches the time of the alert and shows as a JS:ScriptIP-inf[trj] -- under name it shows "D7DA14BCd01" and the size is "16892."

Again, I'm not panicked -- it looks like everything worked right.  I've run a couple of updated MBAM scans and Avast! scans and everything looks clean.

I'm just trying to learn what happened and what I've got.

Thanks!

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67241
Re: Which program in which order?
« Reply #5 on: April 13, 2009, 11:46:18 PM »
Should NoScript have caught it?
First the script are scanned by WebShield and then passed to the browser (and NoScript).

Are there any other addons for Firefox that might be helpful in protecting my computer?
Polonus could make more suggestions. I think the average users could stay with NoScript only.
The best things in life are free.

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 86676
  • No support PMs thanks
Re: Which program in which order?
« Reply #6 on: April 14, 2009, 12:41:28 AM »
Well location you gave is a) incomplete and b) not a URL so is unlikely to be related to that detection. You should also check the time and date of detection to see if it were the same. The D7DA14BCd01 is more likely to be a folder name (even then there is no path to the folder) than a file as there is no file type after it, possibly .htm would be the likely file type.

What is the infected file name, where was it found e.g. (C:\windows\system32\infected-file-name.xxx) ? 
Check the avast! Log Viewer (right click the avast 'a' icon), Warning section, this contains information on all avast detections.

Or check the source file using notepad C:\Program Files\Alwil Software\Avast4\DATA\log \Warning.log this would make it easier to copy and paste the complete information on the particular entry in the warning.log.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.5.6015 (build 22.5.7263.730) UI 1.0.711/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

cromag

  • Guest
Re: Which program in which order?
« Reply #7 on: April 14, 2009, 05:41:58 AM »
Thanks for telling me where to find the warning logs!

The last entries are:

Code: [Select]
4/13/2009 12:58:19 AM 1239598699 SYSTEM 296 Sign of "JS:ScriptIP-inf [Trj]" has been found in "http://members.optusnet.com.au/%7Epwgr2/Sheena/Sheena-home.htm" file. 
4/13/2009 12:58:42 AM 1239598722 SYSTEM 296 Sign of "JS:ScriptIP-inf [Trj]" has been found in "C:\Documents and Settings\Kevin\Local Settings\Application Data\Mozilla\Firefox\Profiles\x7vx2cpb.default\Cache\D7DA14BCd01" file. 


This makes sense -- the picture I was looking for was probably from a "Sheena" TV episode or movie, showing a woman riding a (faked) zebra.


Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 86676
  • No support PMs thanks
Re: Which program in which order?
« Reply #8 on: April 14, 2009, 04:05:46 PM »
Well the first alert is on the actual Sheena-home.htm page and it was that which had the malicious code injected into it.

The full path shows that this is in the firefox browser cache and that uses file names randomly generated (so they aren't the same as the original) and don't have file types added (a security measure I believe).

Whilst the two seem related as there are only 23 seconds between the alerts, but I don't know if firefox has completed the download even though you clicked the Abort Connection in the first alert.

However, if both were sent to the chest then there is no problem, they are in a place where they can do no harm.
There is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.5.6015 (build 22.5.7263.730) UI 1.0.711/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

cromag

  • Guest
Re: Which program in which order?
« Reply #9 on: April 16, 2009, 06:13:19 AM »
Thanks very much, DavidR!  I feel better when I have an idea of what happened!

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 86676
  • No support PMs thanks
Re: Which program in which order?
« Reply #10 on: April 16, 2009, 03:26:10 PM »
You're welcome.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.5.6015 (build 22.5.7263.730) UI 1.0.711/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security