Hi, I’d be very grateful for help with this question.
System:
Windows XP Home Edition SP3 (fully patched)
Internet Explorer 8 (IE7 until last week)
Zonealarm 8.0.298.000
Avast Home edition 4.8.1335 (VPS file 090502-0, although I was running the next previous file at the time of infection)
Adaware Free Anniversary Edition 8.0.4 (used for manual scans only)
Google Spyware Doctor 6.0.0.386 (used for manual scans only)
I’ve been using Avast for some time, running a Standard Scan (not checking archive files), and never finding anything suspicious. Adaware and Spyware Doctor never find anything either. I also run regular scans with the Kaspersky and Panda online scanners, again finding nothing.
However, yesterday for the first time I ran an Avast Thorough Scan (not checking archive files) and found an infection:
‘Sign of “JS:ScriptSH-inf [trj]” has been found in “C:\Program\Alwil Software\Avast4\DATA\log\unp98037715.tmp.mdmp” file.’
I sent a copy of the quarantined file to Avast. Being only a log file I then deleted it.
Rebooting in Safe Mode, I then ran a nine-hour Thorough Scan (checking archive files), which revealed no infections. Since then Panda has given me a clean bill of health too.
I don’t understand how Avast’s own log file can have been infected. Is this a false positive? If it was an infection, am I now in the clear?
Unfortunately I can’t submit the file to Virustotal because, as I said in my previous post, I sent the file to Avast and then deleted my copy. In retrospect, I know I should have kept it in quarantine but in the heat of the moment I deleted it.
I was wondering if the threat - JS:ScriptSH-inf [trj] – was a false positive because Googling suggests it relates only to Avast scans. Another thread on the Avast forum discusses the same issue:
Anyway, here’s my HijackThis log file. (I’ve replaced all ‘http’ references with ‘hxxp’). I’d be really grateful for any comments you may have:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:30:48, on 2009-05-03
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
‘Sign of “JS:ScriptSH-inf [trj]” has been found in “C:\Program\Alwil Software\Avast4\DATA\log\unp98037715.tmp.mdmp” file.’
That tells me that there was a problem with an avast scan (possibly crashed on that file) of the unp98037715.tmp file, and the unp98037715.tmp.mdmp is a memory dump of that file which is retained, I guess for debug purposes.
Unfortunately, it looks like this .tmp file was infected, and the problem may have occurred much earlier when unpacking an archive, which is where the unp99999999.tmp file name comes from.
So I wouldn’t worry about it at all, having sent it to the chest and then deleted it, as it is effectively a redundant file.
While I did not call for the HJT log, I looked at it and saw nothing to be concerned about.
There was one questionable entry that belonged to Panda Active Scan but it should be OK.
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - hxxp://acs.pandasoftware.com/betaactivescan/cabs/as2stubie.cab
Check if you know this site and fix it if you do not. Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed.
Personally I would fix the Panda entry and not use their on-line scanner, as it dumps its ‘unencrypted’ virus signatures in the system32 folder (it creates a sub-folder). This makes it more difficult to remove them, as system restore would create a restore point, but the whole issue is that avast detects these unencrypted virus signatures, scaring the user. If you did delete the panda folder within system32, avast would also detect this within the system volume information _restore point created by system restore.
So all in all I think there are better on-line scanning options that don’t dump files in the system folders or ‘fail’ to encrypt their signatures to prevent false detection by other AVs.