Author Topic: Trojan detected by Avast, JS:FakeAV-FL [Trj.]  (Read 41009 times)


RONIN2010

  • Guest
Trojan detected by Avast, JS:FakeAV-FL [Trj.]
« on: August 15, 2010, 04:01:55 AM »
*edit.. Forgot to list:

OS: XP Home SP3
Browser: IE8, Firefox 3.5
AV: Avast Home 4.8, VPS 100814-1
Additional Scanners: Spybot S&D 1.6.2.46, MBAM 1.46 DB Ver. 4427

1. Detected during full scan of PC
2. Located in Temporary Internet Files/Content.IE5.
3. 04/04/2010 was the last time the file was modified; it was detected 08/14/2010.
4. File name is index[1].htm
5. A virus has been detected! Reported by Avast 4.8 scanner.
6. Scanned file again, which is in chest and same result.
7. Sent to Jotti, results are as follows:

[ArcaVir]    
2010-08-15 Found nothing
   
[G DATA]    
2010-08-15 JS:FakeAV-FL

[Avast! antivirus]    
2010-08-14 JS:FakeAV-FL
   
[Ikarus]    
2010-08-14 Found nothing

[Grisoft AVG Anti-Virus]    
2010-08-14 Found nothing
   
[Kaspersky Anti-Virus]    
2010-08-14 Found nothing

[Avira AntiVir]    
2010-08-13 Found nothing
   
[ESET NOD32]    
2010-08-14 Found nothing

[Softwin BitDefender]    
2010-08-15 Found nothing

[Panda Antivirus]    
2010-08-14 Found nothing

[ClamAV]    
2010-08-15 Found nothing

[Quick Heal]    
2010-08-14 Found nothing

[CPsecure]    
2010-08-15 Found nothing

[Sophos]    
2010-08-15 Found nothing

[Dr.Web]    
2010-08-15 Found nothing

[VirusBlokAda VBA32]    
2010-08-13 Found nothing

[Frisk F-Prot Antivirus]    
2010-08-14 Found nothing

[VirusBuster]    
2010-08-14 Found nothing

[F-Secure Anti-Virus]    
2010-08-14 Found nothing


I'm not sure what to make of this.. I had a similar problem with another temp file that avast detected as a virus (JS:FakeAV-EI [trj]), same directory, with a name of index[2].htm, back in 04/14/2010, which was picked up on a full system scan. This file, along with the one mentioned above, is still quarantined in my chest. Just for a little background, here are the jotti results of that file:

[ArcaVir]    
2010-08-15 Found nothing

[G DATA]    
2010-08-15 Found nothing

[Avast! antivirus]    
2010-08-14 JS:FakeAV-EI

[Ikarus]    
2010-08-14 Found nothing

[Grisoft AVG Anti-Virus]    
2010-08-14 Found nothing

[Kaspersky Anti-Virus]    
2010-08-14 Found nothing

[Avira AntiVir]    
2010-08-13 JS/FakeAlert.168219

[ESET NOD32]    
2010-08-14 Found nothing

[Softwin BitDefender]    
2010-08-15 Found nothing

[Panda Antivirus]    
2010-08-14 Found nothing

[ClamAV]    
2010-08-15 Found nothing

[Quick Heal]    
2010-08-14 Found nothing

[CPsecure]    
2010-08-15 Found nothing

[Sophos]    
2010-08-15 Mal/FakeAvJs-A

[Dr.Web]    
2010-08-15 Found nothing

[VirusBlokAda VBA32]    
2010-08-13 Found nothing

[Frisk F-Prot Antivirus]    
2010-08-14 Found nothing

[VirusBuster]    
2010-08-14 Found nothing

[F-Secure Anti-Virus]    
2010-08-14 Found nothing


I ran a malwarebytes scan and spybot scan and no additional results have turned up. I guess my question would be, are these files a possible false positive and if not, since they are temp files, can they safely be deleted? Thanks for any help, as it's greatly appreciated.
     
« Last Edit: August 15, 2010, 04:34:02 AM by RONIN2010 »

Sarakael

  • Guest
Re: Trojan detected by Avast, JS:FakeAV-FL [Trj.]
« Reply #1 on: August 15, 2010, 09:48:38 AM »
Hi
download 'HiJackThis 2.0.4' and save it in a separate folder, run a scan, save the log and delete all private information.
Post the log (copy and paste) in your next reply.
Think about an update to vers. 5.0.594

Regards
Sarakael

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not a avast user
Re: Trojan detected by Avast, JS:FakeAV-FL [Trj.]
« Reply #2 on: August 15, 2010, 10:07:32 AM »
Quote
JS:FakeAV-EI
JS is JavaScript malware you can get from an infected website, and this may be from a fake scan page or something.

Web 2.0: Attack of the JavaScript malware
http://www.scmagazineus.com/web-20-attack-of-the-javascript-malware/article/113132/

Quote
can they safely be deleted?
yes

Quote
2. Located in Temporary Internet Files/Content.IE5.
TFC - Temp File Cleaner by OldTimer
http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/
TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.



SafeSurf

  • Guest
Re: Trojan detected by Avast, JS:FakeAV-FL [Trj.]
« Reply #3 on: August 15, 2010, 10:22:19 AM »
Now that you have 20 posts, you no longer have to type your Signature in every post.  Just go to PROFILE on the top of the main forum page > Modify Profile > Forum Profile Information > Signature.   Enter information about your system like the Operating System (OS), RAM, browser, security software, what version/product of Avast and firewall you use and other items you wish to mention.  See my signature or others as an example.  This should make life a little easier.  ;)

A few things I noticed in your post that will help increase your security:
1. Update your Firefox (FF) to the current version, which is 3.6.8
2. Update or do an uninstall/clean install of Avast to 5.0.594
3. See below for other recommendations

Jotti may not be as accurate/complete as Virus Total (VT), however Avast and G-Data use the same engine so this is considered one-hit.  I would suggest that you update your Avast and MBAM definitions and run a Boot-time scan.  I do not think you need to run a HiJackThis now scan at this time. 

I would also suggest that you use NoScript and BetterPrivacy in FF, which will disable scripting and delete Flash LSOs (as well as other LSOs...you can read more about it in the add-on) for better security to help prevent this JavaScript malware.

Also make sure your MS Updates are current.  Check to make sure your software is current with the free Secunia Software Inspector http://secunia.com/vulnerability_scanning/personal/ since this is another way for malware to become vulnerable.

If you find that after doing the updates you still come out infected, please post and we will work with you on checking your machine for malware with other tools.  Thank you.

Edit: typo
« Last Edit: August 15, 2010, 10:42:40 AM by SafeSurf »
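The "one hit" reasoning above (two scanners sharing an engine count as a single independent detection) can be applied mechanically to the Jotti rows quoted in the thread. This is an added example, not code from the forum or from Jotti; the sample rows are constructed from the thread, and the ENGINE_FAMILY map contains only the Avast/G DATA relation the post states.

```python
"""Fold multi-engine scan results by engine family (added example, not
from the forum post). Counts a detection once per engine, the reasoning
behind "Avast and G DATA use the same engine so this is one hit"."""
from collections import defaultdict

# Constructed subsets of the Jotti rows quoted in the thread.
JOTTI_INDEX1 = """
[ArcaVir]
2010-08-15 Found nothing
[G DATA]
2010-08-15 JS:FakeAV-FL
[Avast! antivirus]
2010-08-14 JS:FakeAV-FL
[Kaspersky Anti-Virus]
2010-08-14 Found nothing
"""
JOTTI_INDEX2 = """
[Avast! antivirus]
2010-08-14 JS:FakeAV-EI
[Avira AntiVir]
2010-08-13 JS/FakeAlert.168219
[Sophos]
2010-08-15 Mal/FakeAvJs-A
"""
# Scanner -> engine family. Only the Avast/G DATA relation is stated in
# the thread; anything else added here would be an assumption.
ENGINE_FAMILY = {"G DATA": "Avast! antivirus"}
CLEAN = "Found nothing"

def parse_jotti(text):
    """Yield (scanner, date, result) from '[Scanner]' / 'date result' pairs."""
    scanner = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            scanner = line[1:-1]
        elif line and scanner is not None:
            date, result = line.split(" ", 1)
            yield scanner, date, result.strip()
            scanner = None

def independent_hits(text, families=ENGINE_FAMILY):
    """Map each engine family to the set of detection names it reported."""
    hits = defaultdict(set)
    for scanner, _date, result in parse_jotti(text):
        if result != CLEAN:
            hits[families.get(scanner, scanner)].add(result)
    return dict(hits)

def hit_counts(text, families=ENGINE_FAMILY):
    """Return (raw_hits, independent_hits): rows flagged vs engines flagged."""
    raw = sum(1 for _s, _d, r in parse_jotti(text) if r != CLEAN)
    return raw, len(independent_hits(text, families))
```

For index[1].htm this gives two raw hits but one independent hit; for index[2].htm three scanners from three different families agree, which is the stronger signal.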

RONIN2010

  • Guest
Re: Trojan detected by Avast, JS:FakeAV-FL [Trj.]
« Reply #4 on: August 16, 2010, 10:28:34 AM »
Thank you all for your recommendations, especially you SafeSurf. I completely forgot about the sig.. :-[ I'll start out today by doing a clean install of avast 5.0 and updating MBAM and FF. I have all my MS updates, which I just completed yesterday. I normally do not use IE but due to other people in my household, Que Sera Sera.. I also will definitely look into the two add-ons you were referring to, for FF. I'll run the boot-time scan once this is complete and post my results. Thank you also Pondus, for that JS article you pointed out! That does help shed a lot of light on just how malicious malware is getting. As for the temp files, I've heard of TFC by OldTimer but I've grown quite fond of CCleaner. Thanks for the suggestion though!

SafeSurf

  • Guest
Re: Trojan detected by Avast, JS:FakeAV-FL [Trj.]
« Reply #5 on: August 16, 2010, 10:35:41 AM »
You're welcome.  :)

How to uninstall Avast and do a CLEAN install:

1. Save a copy of the newest version of Avast (5.0.594) for the version you need and save it to your HDD:
Free: http://files.avast.com/iavs5x/setup_av_free.exe
2. Download the Avast Uninstall Utility, aswClear5.exe http://www.avast.com/uninstall-utility and save it to your HDD (it has uninstall tools for both 4.0 and 5.0).
3. Disconnect from the Internet at this time.
4. Uninstall Avast through "Add/Remove Programs" through Control Panel if possible.
5. Boot into Safe Mode (hit F8 repeatedly) and run the Avast Uninstall Tool.
6. Reboot twice.
7. Clean your computer up (clean up cache, temporary Internet files, etc.) with CCleaner.
8. Install the newest version of Avast and reboot.
9. Get Internet access and update Avast definitions.
10. Register your copy or add the license key for Free -
    http://www.avast.com/registration-free-antivirus.php

Let us know how things work out and I'll look forward to your next post.  Thanks.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not a avast user
Re: Trojan detected by Avast, JS:FakeAV-FL [Trj.]
« Reply #6 on: August 16, 2010, 11:16:23 AM »
@RONIN2010
Quote
As for the temp files I've heard of TFC by Old Timer but I've grown quite fond of CCleaner. Thanks for the suggestion though!
TFC works a bit differently: it will clean ALL and ONLY temp files, so it is very useful when you have a bug located there.
CCleaner does not clean all temp files, but will also clean lots of other stuff...
On one of my systems TFC found 8 MB of temp files after running CCleaner.... so I use both.
« Last Edit: August 16, 2010, 02:18:18 PM by Pondus »

SafeSurf

  • Guest
Re: Trojan detected by Avast, JS:FakeAV-FL [Trj.]
« Reply #7 on: August 16, 2010, 11:30:17 AM »
Pondus is correct.  I also use TFC to get rid of extra stuff left behind when I really want to clean out things.  I normally use CCleaner regularly, but this gets a little bit extra out of your machine.  Might be worth a try...a clean machine is a happy machine.  ;)

RONIN2010

  • Guest
Re: Trojan detected by Avast, JS:FakeAV-FL [Trj.]
« Reply #8 on: August 16, 2010, 01:31:27 PM »
Okay. I'll give it a go, can't hurt anything! I favor CCleaner for its DoD-compliant deletion method. Other than that I don't really use it for much else, except for cleaning out browser caches and cookies. But I'll definitely give TFC a go and keep you all updated, either way. Thanks again!
« Last Edit: August 16, 2010, 01:33:28 PM by RONIN2010 »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89029
  • No support PMs thanks
Re: Trojan detected by Avast, JS:FakeAV-FL [Trj.]
« Reply #9 on: August 16, 2010, 03:55:27 PM »
Now you see why a forums signature comes in handy:
- You seem to like old software: Firefox 3.6.8 is the latest version (unless your reporting of Firefox 3.5 is a typo) and closes a number of security vulnerabilities. avast is now at avast 5.0.594 and has been out for seven months; since your OS is supported by avast5 I would advise you download avast 5.0 and install that.

http://files.avast.com/iavs5x/setup_av_free.exe

- Registration avast5: How to register avast 5 free on page 8
http://files.avast.com/files/documentation/quick-start-guide-free-en-ww.pdf also see http://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=459.

Since you have the latest version of MBAM I doubt that Spybot S&D will bring much to the party.

I would also suggest a visit to this site, which scans your system for out of date programs that have patches to close vulnerabilities, http://secunia.com/software_inspector/.
« Last Edit: August 16, 2010, 03:57:46 PM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

RONIN2010

  • Guest
Re: Trojan detected by Avast, JS:FakeAV-FL [Trj.]
« Reply #10 on: August 17, 2010, 02:50:57 AM »
Hello all.

I have followed your directions to a "T" SafeSurf and have installed 5.0 and registered it. I am now running a boot scan.

And thank you Pondus for mentioning TFC, which is now one of my favorites. :) TFC, removed over roughly 2 Gigs of Temp files.. :o

David, you would be correct. The version I recorded was actually one of my FF themes. I do have 3.6.8. However.. I did notice a lot of nasty Java Toolkit plugins, that even Mozilla did not like. I decided to go ahead and remove FF and do a fresh install, installing the add ons SafeSurf had mentioned.

I've had a few hits on my boot scan and am currently only at 15% complete. Here are the hits I've received so far. All files have been moved to the chest. I will post the rest of the results, once the scan is complete. Thanks again all, for your patience and help.

C:\hp\bin\KillIt.exe is infected by Win32:KillApp-W [PUP]

File C:\Program Files\Gemteq\eGems\GemData\MyGems.gmd|>G90.rtf Error 42125 {ZIP archive is corrupted.}

File C:\Program Files\Microsoft Visual Studio\MSDN\2001OCT\1033\PERIOD99.CHM|>html\April99Win32.exe|>AutoPlay HTML.zip|>autorun.inf is infected by INF:AutuoRun-gen [Wrm]

File C:\System Volume Information\_restore{C3A256EC-F74E-4D1B-B627-40321DAD0241}\RP1162\A0194221.exe is infected by Win32:KillApp-W [PUP]
« Last Edit: August 17, 2010, 02:57:09 AM by RONIN2010 »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89029
  • No support PMs thanks
Re: Trojan detected by Avast, JS:FakeAV-FL [Trj.]
« Reply #11 on: August 17, 2010, 03:10:37 AM »
The HP one isn't a problem, as it is a tool (PUP = Potentially Unwanted Program), but tools can be used for good or evil and this one is part of the HP recovery partition. This tool is used to kill running applications and that is why it got flagged, but no action is required.

The same alert in C:\System Volume Information\_restore is almost certainly related to this one: if it has been moved or deleted, etc., then System Restore would save it in a restore point. This one you should let avast remove to the chest.

The "archive is corrupted" is just a notification that, for whatever reason, avast can't unpack/scan it, so it believes it must be corrupt. Nothing you can or need to do about it.

I have no information about the April99Win32.exe file, which contains the AutoPlay HTML.zip file, which in turn contains the autorun.inf file (generally autorun.inf files are somewhat suspect as they would normally only be used on removable media).
I did find this article about it though; hope it rings a bell as to why it might be on your system and why avast doesn't like it, http://www.microsoft.com/msj/0499/win32/win320499.aspx.
« Last Edit: August 17, 2010, 03:13:04 AM by DavidR »
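The triage reasoning in the reply above (a PUP in a vendor tool directory, a copy of the same file in a restore point, an "archive is corrupted" notification, and an autorun.inf nested several archives deep) can be written down as rules over the avast log lines. This is an added example, not code from the forum or from avast; the regexes and rule text are assumptions modelled on the four boot-scan lines quoted in the thread, which are the sample input.

```python
"""Triage avast scan-log lines the way the thread does (added example, not
from the forum post or avast). The rules encode DavidR's reasoning; the
sample lines are the four boot-scan hits quoted in the thread."""
import re

SCAN_LOG = r"""
C:\hp\bin\KillIt.exe is infected by Win32:KillApp-W [PUP]
File C:\Program Files\Gemteq\eGems\GemData\MyGems.gmd|>G90.rtf Error 42125 {ZIP archive is corrupted.}
File C:\Program Files\Microsoft Visual Studio\MSDN\2001OCT\1033\PERIOD99.CHM|>html\April99Win32.exe|>AutoPlay HTML.zip|>autorun.inf is infected by INF:AutuoRun-gen [Wrm]
File C:\System Volume Information\_restore{C3A256EC-F74E-4D1B-B627-40321DAD0241}\RP1162\A0194221.exe is infected by Win32:KillApp-W [PUP]
"""

# Assumed line shapes, derived from the quoted log; "|>" separates archive levels.
INFECTED = re.compile(r"^(?:File )?(?P<path>.+?) is infected by (?P<name>\S+) \[(?P<cat>[^\]]+)\]$")
ERROR = re.compile(r"^(?:File )?(?P<path>.+?) Error (?P<code>\d+) \{(?P<msg>[^}]*)\}$")
RESTORE_DIR = r"c:\system volume information\_restore"

def parse_line(line):
    """Return a dict for one avast log line, or None if it matches neither form."""
    m = INFECTED.match(line)
    if m:
        rec = {"kind": "detection", **m.groupdict()}
    else:
        m = ERROR.match(line)
        if not m:
            return None
        rec = {"kind": "error", **m.groupdict()}
    chain = rec["path"].split("|>")  # outer file first, then nested members
    rec["container"], rec["leaf"], rec["depth"] = chain[0], chain[-1], len(chain)
    return rec

def triage(rec):
    """Apply the thread's reasoning to one parsed record."""
    if rec["kind"] == "error":
        return "notification only: scanner could not unpack the archive; no action"
    if rec["container"].lower().startswith(RESTORE_DIR):
        return "restore-point copy of an earlier hit: let avast move it to the chest"
    if rec["cat"] == "PUP":
        return "potentially unwanted tool: confirm it belongs to installed software before restoring"
    if rec["depth"] > 1 and rec["leaf"].lower() == "autorun.inf":
        return "autorun.inf nested inside an archive: keep in the chest pending review"
    return "malicious classification: keep in the chest"

def triage_log(text):
    """Parse and triage every non-empty line; unparseable lines are reported as such."""
    out = []
    for line in text.strip().splitlines():
        rec = parse_line(line.strip())
        out.append((line, triage(rec) if rec else "unrecognised log line"))
    return out
```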

RONIN2010

  • Guest
Re: Trojan detected by Avast, JS:FakeAV-FL [Trj.]
« Reply #12 on: August 17, 2010, 04:15:36 AM »
Quote
The HP one isn't a problem, as it is a tool (PUP = Potentially Unwanted Program), but tools can be used for good or evil and this one is part of the HP recovery partition. This tool is used to kill running applications and that is why it got flagged, but no action is required.

The same alert in C:\System Volume Information\_restore is almost certainly related to this one: if it has been moved or deleted, etc., then System Restore would save it in a restore point. This one you should let avast remove to the chest.

The "archive is corrupted" is just a notification that, for whatever reason, avast can't unpack/scan it, so it believes it must be corrupt. Nothing you can or need to do about it.

Thanks for responding David. I'll restore the KillIt.exe from the quarantine chest and leave the system restore point in the chest. Although I'll more than likely delete the system restore point from the chest, after all is said and done. As for the zip archive error, I haven't used that app since I was in college, so I think I'll go ahead and uninstall that, as I no longer have a need for it.


Quote
I have no information about the April99Win32.exe file, which contains the AutoPlay HTML.zip file, which in turn contains the autorun.inf file (generally autorun.inf files are somewhat suspect as they would normally only be used on removable media).
I did find this article about it though; hope it rings a bell as to why it might be on your system and why avast doesn't like it, http://www.microsoft.com/msj/0499/win32/win320499.aspx.

I'm not entirely sure why or what this might be a result of, as it seems it could be anything. Games, software CD's, flash drives and a horrid USB adapter I used some time ago. But the autorun.inf should be on the storage media itself, correct? From what I could tell from the article, it seems like bad design on part of the engineers. But it would seem it's browser-related.

RONIN2010

  • Guest
Re: Trojan detected by Avast, JS:FakeAV-FL [Trj.]
« Reply #13 on: August 17, 2010, 08:24:36 AM »
Well, it finished the boot scan. Only results were the 4 that were mentioned earlier:

C:\hp\bin\KillIt.exe is infected by Win32:KillApp-W [PUP]

File C:\Program Files\Gemteq\eGems\GemData\MyGems.gmd|>G90.rtf Error 42125 {ZIP archive is corrupted.}

File C:\Program Files\Microsoft Visual Studio\MSDN\2001OCT\1033\PERIOD99.CHM|>html\April99Win32.exe|>AutoPlay HTML.zip|>autorun.inf is infected by INF:AutuoRun-gen [Wrm]

File C:\System Volume Information\_restore{C3A256EC-F74E-4D1B-B627-40321DAD0241}\RP1162\A0194221.exe is infected by Win32:KillApp-W [PUP]

Not sure which action to take with the KillIt.exe file in the HP directory, as I moved it to the chest but it will not allow me to restore it, as it already exists? The system restore point, that contains mention of the KillIt.exe file I will likely delete from the chest, as long as that's a safe bet. However... The last file, "April99Win32.exe" I'm not sure which action to take with this one..
« Last Edit: August 17, 2010, 08:28:28 AM by RONIN2010 »

SafeSurf

  • Guest
Re: Trojan detected by Avast, JS:FakeAV-FL [Trj.]
« Reply #14 on: August 17, 2010, 09:02:19 AM »
Quote
Not sure which action to take with the KillIt.exe file in the HP directory, as I moved it to the chest but it will not allow me to restore it, as it already exists? The system restore point, that contains mention of the KillIt.exe file I will likely delete from the chest, as long as that's a safe bet. However... The last file, "April99Win32.exe" I'm not sure which action to take with this one..
1. If the KillIt.exe file is in the Chest but also exists on your machine, you can delete it from the Chest.
2. The system restore file you can delete as well since you will not be able to use it anyway.
3. The April99Win32.exe I'd leave in the Chest for now. 

Also, have you done an MS Update since your Boot-time scan to see if it picks up anything that is missing?

To clarify, you are now using Avast 5.0.594?
Check to make sure your software is current with the free Secunia Software Inspector http://secunia.com/vulnerability_scanning/personal/ since this is another way for malware to become vulnerable.
Do a quick check to see if any of your software needs to be updated as well.  The PSI is more thorough than the OSI version (both are free).