Author Topic: Getting Process... is infected by "JS:ScriptSH-inf [Trj]" virus." - REPEATEDLY  (Read 7456 times)

0 Members and 1 Guest are viewing this topic.

Offline cashonly

  • Newbie
  • *
  • Posts: 7
For the last few days, on my nightly scan, I've been getting the following 3 messages:

File "Process 3776, memory block 0x01220000, block size
1310720" is infected by "JS:ScriptSH-inf [trj]" virus.
"Scan Drives C: and F:" task used
Version of current VPS file is 090512-0, 05/12/2009

File "Process 3776, memory block 0x055A0000, block size
1310720" is infected by "JS:ScriptSH-inf [trj]" virus.
"Scan Drives C: and F:" task used
Version of current VPS file is 090512-0, 05/12/2009

File "Process 3776, memory block 0x00E20000, block size
1310720" is infected by "JS:ScriptSH-inf [trj]" virus.
"Scan Drives C: and F:" task used
Version of current VPS file is 090512-0, 05/12/2009

Can anyone tell me why Avast is not getting rid of it and how I can get rid of it?

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11423
    • AVAST Software
When you open Task Manager and look for process with PID 3776 (provided you didn't restart the machine yet) - what is it?

Offline cashonly

  • Newbie
  • *
  • Posts: 7
Never thought of doing that!

Actually, it's SpyBot's TeaTimer

Shouldn't this be safe?

Thx,

Cash

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 65987
Isn't SpyBot encrypting their signatures? ???
The best things in life are free.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11423
    • AVAST Software
Well, it's a memory scan... so the signatures are probably encrypted on disk, but decrypted in memory.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 65987
Well, it's a memory scan... so the signatures are probably encrypted on disk, but decrypted in memory.
Sure, but how it should be to avast do not detect it as a false positive? ???
The best things in life are free.

Offline igor

  • Avast team
  • Serious Graphoman
  • *
  • Posts: 11423
    • AVAST Software
I'm afraid it's not possible to prevent.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 65987
I'm afraid it's not possible to prevent.
But how does it work until now?
Why does other antispyware do not do the same (result), for instance, MBAM or SAS...
The best things in life are free.

Offline Kyuzo

  • Newbie
  • *
  • Posts: 11
This is similar to the warning I have been receiving after yesterday's update of my Spyware Terminator/ClamAV. An Avast! trojan horse warning on the same script item, "JS:ScriptSH-inf[trj]" keeps occurring on my machine at start-up. Avast! seems to be seeing this script item after ClamAV's 5/12/09 update. I and another poster mentioned it (he had a problem with Avast! seeing the script in ClamWin) .
« Last Edit: May 13, 2009, 04:39:01 PM by Kyuzo »

Offline rdmaloyjr

  • Super Poster
  • ***
  • Posts: 1864
  • The beatings will continue until morale improves!
    • The Cross
avast! reports "JS:ScriptSH-inf [trj]" - REPEATEDLY & I don't have SpyBot S & D on my computer.
"If you want to make a Conservative angry, tell him a lie. If you want to make a Liberal angry, tell him the truth." - Rush Limbaugh

avast! Free    Mbam Pro   Privatefirewll  WinPatrol Plus               Pentium Dual-Core  Windows 7 64bit SP1  8 gigs of RAM

Offline Kyuzo

  • Newbie
  • *
  • Posts: 11
I'm no software guru, but I am a reasonably good guesser. My take is that Spybot, ClamAV and ClamWin have updated their signature files with a (perhaps non-encrypted) signature of this script/trojan. Avast! now seems to be seeing this signature and warning of an infection.

Oddly, while my Avast! warning pop-up says my computer is infected with a trojan horse, the warning band at the bottom of the screen on start-up says that the file spotted has a "sample of JS:ScriptSH-inf[trj]".