Author Topic: Getting Process... is infected by "JS:ScriptSH-inf [Trj]" virus." - REPEATEDLY  (Read 6820 times)

Offline cashonly

  • Newbie
  • *
  • Posts: 7
    • Personal Message (Offline)
For the last few days, on my nightly scan, I've been getting the following 3 messages:

File "Process 3776, memory block 0x01220000, block size
1310720" is infected by "JS:ScriptSH-inf [trj]" virus.
"Scan Drives C: and F:" task used
Version of current VPS file is 090512-0, 05/12/2009

File "Process 3776, memory block 0x055A0000, block size
1310720" is infected by "JS:ScriptSH-inf [trj]" virus.
"Scan Drives C: and F:" task used
Version of current VPS file is 090512-0, 05/12/2009

File "Process 3776, memory block 0x00E20000, block size
1310720" is infected by "JS:ScriptSH-inf [trj]" virus.
"Scan Drives C: and F:" task used
Version of current VPS file is 090512-0, 05/12/2009

Can anyone tell me why Avast is not getting rid of it and how I can get rid of it?

Offline igor

  • avast! team
  • Serious Graphoman
  • *
  • Posts: 11333
  • Gender: Male
    • AVAST Software
    • Personal Message (Offline)
When you open Task Manager and look for process with PID 3776 (provided you didn't restart the machine yet) - what is it?

Offline cashonly

  • Newbie
  • *
  • Posts: 7
    • Personal Message (Offline)
Never thought of doing that!

Actually, it's SpyBot's TeaTimer

Shouldn't this be safe?

Thx,

Cash

Offline Tech

  • avast! team
  • Certainly Bot
  • *
  • Posts: 64881
  • Gender: Male
    • Personal Message (Offline)
Isn't SpyBot encrypting their signatures? ???
The best things in life are free.

Offline igor

  • avast! team
  • Serious Graphoman
  • *
  • Posts: 11333
  • Gender: Male
    • AVAST Software
    • Personal Message (Offline)
Well, it's a memory scan... so the signatures are probably encrypted on disk, but decrypted in memory.

Offline Tech

  • avast! team
  • Certainly Bot
  • *
  • Posts: 64881
  • Gender: Male
    • Personal Message (Offline)
Well, it's a memory scan... so the signatures are probably encrypted on disk, but decrypted in memory.
Sure, but how it should be to avast do not detect it as a false positive? ???
The best things in life are free.

Offline igor

  • avast! team
  • Serious Graphoman
  • *
  • Posts: 11333
  • Gender: Male
    • AVAST Software
    • Personal Message (Offline)
I'm afraid it's not possible to prevent.

Offline Tech

  • avast! team
  • Certainly Bot
  • *
  • Posts: 64881
  • Gender: Male
    • Personal Message (Offline)
I'm afraid it's not possible to prevent.
But how does it work until now?
Why does other antispyware do not do the same (result), for instance, MBAM or SAS...
The best things in life are free.

Offline Kyuzo

  • Newbie
  • *
  • Posts: 11
    • Personal Message (Offline)
This is similar to the warning I have been receiving after yesterday's update of my Spyware Terminator/ClamAV. An Avast! trojan horse warning on the same script item, "JS:ScriptSH-inf[trj]" keeps occurring on my machine at start-up. Avast! seems to be seeing this script item after ClamAV's 5/12/09 update. I and another poster mentioned it (he had a problem with Avast! seeing the script in ClamWin) .
« Last Edit: May 13, 2009, 02:39:01 PM by Kyuzo »

Offline rdmaloyjr

  • Super Poster
  • ***
  • Posts: 1865
  • The beatings will continue until morale improves!
    • The Cross
    • Personal Message (Offline)
avast! reports "JS:ScriptSH-inf [trj]" - REPEATEDLY & I don't have SpyBot S & D on my computer.
"If you want to make a Conservative angry, tell him a lie. If you want to make a Liberal angry, tell him the truth." - Rush Limbaugh

avast! Free    Mbam Pro   Privatefirewll  WinPatrol Plus               Pentium Dual-Core  Windows 7 64bit SP1  8 gigs of RAM

Offline Kyuzo

  • Newbie
  • *
  • Posts: 11
    • Personal Message (Offline)
I'm no software guru, but I am a reasonably good guesser. My take is that Spybot, ClamAV and ClamWin have updated their signature files with a (perhaps non-encrypted) signature of this script/trojan. Avast! now seems to be seeing this signature and warning of an infection.

Oddly, while my Avast! warning pop-up says my computer is infected with a trojan horse, the warning band at the bottom of the screen on start-up says that the file spotted has a "sample of JS:ScriptSH-inf[trj]".


 

Google Chrome

AVAST recommends using the FREE Google Chrome™ browser.

Download Google Chrome Now