Avast log file infected with 'JS:ScriptSH-inf [Trj]'

Hi, I’d be very grateful for help with this question.

System:
Windows XP Home Edition SP3 (fully patched)
Internet Explorer 8 (IE7 until last week)
Zonealarm 8.0.298.000
Avast Home edition 4.8.1335 (VPS file 090502-0, although I was running the next previous file at the time of infection)
Adaware Free Anniversary Edition 8.0.4 (used for manual scans only)
Google Spyware Doctor 6.0.0.386 (used for manual scans only)

I’ve been using Avast for some time, running a Standard Scan (not checking archive files), and never finding anything suspicious. Adaware and Spyware Doctor never find anything either. I also run regular scans with the Kaspersky and Panda online scanners, again finding nothing.

However, yesterday for the first time I ran an Avast Thorough Scan (not checking archive files) and found an infection:

‘Sign of “JS:ScriptSH-inf [trj]” has been found in “C:\Program\Alwil Software\Avast4\DATA\log\unp98037715.tmp.mdmp” file.’

I sent a copy of the quarantined file to Avast. Since it was only a log file, I then deleted it.

Rebooting in Safe Mode, I then ran a nine-hour Thorough Scan (checking archive files), which revealed no infections. Since then Panda has given me a clean bill of health too.

I don’t understand how Avast’s own log file can have been infected. Is this a false positive? If it was an infection, am I now in the clear?

Many thanks in advance,

Escy

-= It would be better if you sent it to virustotal for better checking…

-= If you still feel unsure, you may download Trend Micro HijackThis & post a HijackThis log file…

Hi and thanks for getting back to me.

Unfortunately I can’t submit the file to Virustotal because, as I said in my previous post, I sent the file to Avast and then deleted my copy. In retrospect, I know I should have kept it in quarantine but in the heat of the moment I deleted it.

I was wondering if the threat - JS:ScriptSH-inf [trj] - was a false positive because Googling suggests it relates only to Avast scans. Another thread on the Avast forum discusses the same issue:

hxxp://forum.avast.com/index.php?PHPSESSID=c82a2bdf4ee744ba7143a77b78b86766&topic=44698.0

Anyway, here’s my HijackThis log file. (I’ve replaced all ‘http’ references with ‘hxxp’). I’d be really grateful for any comments you may have:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:30:48, on 2009-05-03
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program\Alwil Software\Avast4\aswUpdSv.exe
C:\Program\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program\ALWILS~1\Avast4\ashDisp.exe
C:\Program\HP\hpcoretech\hpcmpmgr.exe
C:\Program\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program\Bonjour\mDNSResponder.exe
C:\Program\Java\jre6\bin\jqs.exe
C:\Program\McAfee\SiteAdvisor\McSACore.exe
C:\Program\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program\Canon\CAL\CALMAIN.exe
C:\Program\Alwil Software\Avast4\ashMaiSv.exe
C:\Program\Alwil Software\Avast4\ashWebSv.exe
C:\Program\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.guardian.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = hxxp://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program\Delade filer\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: McAfee SiteAdvisor BHO - {B164E929-A1B6-4A06-B104-2CD0E90A88FF} - c:\program\mcafee\SITEAD~1\mcieplg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: McAfee SiteAdvisor Toolbar - {0EBBBE48-BAD4-4B4C-8E5A-516ABECAE064} - c:\program\mcafee\SITEAD~1\mcieplg.dll
O4 - HKLM..\Run: [avast!] C:\Program\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [HP Component Manager] “C:\Program\HP\hpcoretech\hpcmpmgr.exe”
O4 - HKLM..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM..\Run: [ZoneAlarm Client] “C:\Program\Zone Labs\ZoneAlarm\zlclient.exe”
O4 - HKLM..\Run: [QuickTime Task] “C:\Program\QuickTime\qttask.exe” -atboottime
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [swg] C:\Program\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘LOKAL TJÄNST’)
O4 - HKUS\S-1-5-20..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘NETWORK SERVICE’)
O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User ‘Default user’)
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\Program\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Program\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - hxxp://acs.pandasoftware.com/betaactivescan/cabs/as2stubie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1232557404136
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1232745844796
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - hxxp://dl8-cdn-09.sun.com/s/ESD7/JSCDL/jdk/6u13-b03/jinstall-6u13-windows-i586-jc.cab?e=1238490320174&h=fbba28e611c812faeb8c915b042504e2/&filename=jinstall-6u13-windows-i586-jc.cab
O18 - Protocol: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\program\mcafee\SITEAD~1\mcieplg.dll
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program\Delade filer\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour-tjänst (Bonjour Service) - Apple Inc. - C:\Program\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program\Canon\CAL\CALMAIN.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McAfee SiteAdvisor Service - Unknown owner - C:\Program\McAfee\SiteAdvisor\McSACore.exe
O23 - Service: NMSAccessU - Unknown owner - C:\Program\CDBurnerXP\NMSAccessU.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program\Spyware Doctor\pctsSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


End of file - 8312 bytes

This file:

‘Sign of “JS:ScriptSH-inf [trj]” has been found in “C:\Program\Alwil Software\Avast4\DATA\log\unp98037715.tmp.mdmp” file.’

Tells me that there was a problem with an avast scan (possibly crashed on that file) of the unp98037715.tmp file, and the unp98037715.tmp.mdmp is a memory dump of that file which is retained, I guess, for debug purposes.

Unfortunately, it looks like this .tmp file was infected and the problem may have occurred much earlier when unpacking an archive; that is where the unp99999999.tmp file name comes from.

So I wouldn’t worry about it at all, having sent it to the chest and then deleted it, as it is effectively a redundant file.

Thanks for the explanation (and I’m glad to hear the deleted file was redundant).

Is there anything problematic with the contents of the HijackThis log file?

I didn’t look at it, as I feel the problem reported didn’t have anything that I would have thought needed the posting of an HJT log.

I also usually let the person calling for the HJT log do the analysis.


While I did not call for the HJT log, I looked at it and saw nothing to be concerned about.

There was one questionable entry that belonged to Panda Active Scan but it should be OK.

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - hxxp://acs.pandasoftware.com/betaactivescan/cabs/as2stubie.cab
Check if you know this site and fix it if you do not. Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed.
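As an added illustration of the advice above (this is example code written for this thread, not part of HijackThis or any poster's own tooling), a small Python triage script that parses the O4/O16/O23 lines of a HijackThis log and flags the entries a reviewer would look at first: ActiveX (DPF) controls downloaded from hosts outside an allowlist, services with no recognised publisher, and Run entries that give a bare filename instead of a full path. The allowlist is an assumption for the example; the sample lines are copied from the log posted above, still defanged with hxxp.

```python
import re
from urllib.parse import urlparse

# Sample lines copied from the HijackThis log above (defanged 'hxxp' kept as posted).
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - hxxp://acs.pandasoftware.com/betaactivescan/cabs/as2stubie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1232557404136
O23 - Service: NMSAccessU - Unknown owner - C:\Program\CDBurnerXP\NMSAccessU.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program\Alwil Software\Avast4\ashServ.exe
"""

# Hosts the reviewer already recognises as legitimate ActiveX download sources.
# This allowlist is an assumption made for the example, not a HijackThis feature.
KNOWN_DPF_HOSTS = {"update.microsoft.com", "www.update.microsoft.com", "housecall65.trendmicro.com"}

O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\}) \((.*?)\) - (\S+)$")
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")
O4_RE = re.compile(r"^O4 - (\S+?)\\Run: \[(.+?)\] (.+)$")


def parse_hjt(text):
    """Return one dict per recognised O4/O16/O23 line, in log order."""
    entries = []
    for line in text.splitlines():
        if m := O16_RE.match(line):
            url = m.group(3).replace("hxxp", "http", 1)  # undo the poster's defanging
            entries.append({"section": "O16", "clsid": m.group(1), "name": m.group(2),
                            "host": urlparse(url).hostname, "line": line})
        elif m := O23_RE.match(line):
            entries.append({"section": "O23", "name": m.group(1), "owner": m.group(2),
                            "path": m.group(3), "line": line})
        elif m := O4_RE.match(line):
            entries.append({"section": "O4", "hive": m.group(1), "name": m.group(2),
                            "path": m.group(3), "line": line})
    return entries


def triage(entries):
    """Return (line, reason) pairs that deserve a closer look before 'fixing' anything."""
    findings = []
    for e in entries:
        if e["section"] == "O16" and e["host"] not in KNOWN_DPF_HOSTS:
            findings.append((e["line"], f"ActiveX control downloaded from unrecognised host {e['host']}"))
        elif e["section"] == "O23" and e["owner"] == "Unknown owner":
            findings.append((e["line"], "service binary has no recognised publisher"))
        elif e["section"] == "O4" and ":\\" not in e["path"]:
            findings.append((e["line"], "Run entry gives a bare filename rather than a full path"))
    return findings


if __name__ == "__main__":
    for line, reason in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{reason}\n    {line}")
```

Entries that come back flagged are candidates for review, not verdicts: the Panda line is flagged only because its host is not on the reviewer's allowlist, exactly the judgement call discussed above.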


DavidR and CharleyO, thanks very much for your help!

CharleyO, doesn’t that ActiveX object just relate to Panda’s online scanner (the beta version since I’m using IE8), or have I misunderstood something?

You’re welcome.

Personally I would fix the Panda entry and not use their on-line scanner as it dumps its ‘unencrypted’ virus signatures in the system32 folder (it creates a sub-folder). This makes it more difficult to remove them as system restore would create a restore point, but the whole issue is that avast detects these unencrypted virus signatures, scaring the user. If you did delete the panda folder within system32 avast would also detect this within the system volume information _restore point created by system restore.

So all in all I think there are better on-line scanning options that don’t dump files in the system folders or ‘fail’ to encrypt their signatures to prevent false detection by other AVs.

On-line Virus Scanners and other useful Links Security-Ops.eu.tt


I second David’s above post.


Thanks to you both again.

That’s everything cleared up (and I’ll be doing my online scanning elsewhere in the future :)).

No problem, glad I could help.

A belated welcome to the forums.


Happy to have helped … welcome to the forums. :)

Please come back often, learn more, and maybe help others.