Couple questions related to JS:Pdfka-gen

I am not sure if I am clean, since it looks like this virus may have taken down Avast, or Avast did not restart after I turned it on 17 minutes prior to the infection. I deleted the IE cache and reset it to default settings, and deleted the Java Runtime cache that had the infected files. Then I performed a Windows 7 system restore from two days prior.

Is a system restore enough? Here is the sequence of events.

  1. I had turned Avast off for a little while to troubleshoot a MySQL issue and then thought I turned it back on.
  2. 17 minutes later I visited the space.com site. Immediately Avast red-alerted JS:Pdfka-gen.
  3. I saw the Java runtime load in the taskbar notification area.
  4. I then noticed Avast had an exclamation point on its taskbar icon. I clicked on Avast and it showed the web shield disabled.

Despite all this, the web shield log shows the Avast web shield was started prior to the infection, and the fact that it alerted appears to mean it worked, I think?

Here is the order in the log:

Shield stopped: Shield Scan Report: Started on: 1/9/2011 1/9/2011 ht tp://testimsok.co.cc/manual.pdf [L] JS:Pdfka-gen [Expl] (0)

The log shows Avast was started prior to the infection. But like I said, at the time of infection I noticed the exclamation point on the Avast icon. Clicking on Avast showed the web shield was off.

At the same time as and after the attack I see these log events (edited).

Fault bucket 1458569222, type 5 Event Name: MSHTMLLAYOUTHARDASSERT Response: Not available Cab Id: 0

Problem signature:
P1: iexplore.exe
P2: 8.00.7600.16385 (win7_rtm.090713-1255)
P3: mshtml.dll
P4: 8.00.7600.16385 (win7_rtm.090713-1255)
Attached files:

These files may be available here:
C:\Users\mike\AppData\Local\Microsoft\Windows\WER\ReportArchive\NonCritical_iexplore.exe

The WinHTTP Web Proxy Auto-Discovery Service service entered the running state.

Then repeatedly in the log:

The description for Event ID 1904 from source HHCTRL cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

I saved a copy of the virus files from the Java runtime. Except for showing an IP address, they are unreadable.
Does anyone know how to read these files so I can determine what it may have infected, or can anyone provide some insight into this virus?
A full scan after the system restore does not show any sign of the virus. But you would think Avast would have alerted on the backup copy of the Java runtime cache of the virus, so this scares me.

Windows 7 64-bit Home Premium, fully patched prior to the attack.
Avast 5, fully updated prior to the attack.
Adobe Reader version 9.4.1, current prior to the attack.

Hey, I would suggest a repair of Avast might do the trick.

Start - This Computer - Add/Remove Programs - Avast - hit Uninstall; when the Avast pop-up appears, hit the Repair option.

I also recommend a scan with Malwarebytes Anti-Malware to get a second opinion.

http://filehippo.com/download_malwarebytes_anti_malware/

Good luck and let us know how it goes, or if you need more support.

After the reboot the Avast web shield shows enabled. A full Avast scan, Malwarebytes and Windows Defender do not show an infection.

My question is whether my actions were good enough to be sure there is no undetected backdoor:

  1. Am I clean because of these actions: deleting the IE cache and resetting IE to default settings, deleting the Java runtime cache, and then using a Windows 7 system restore point from before the incident?

  2. What does this particular virus do, and is anyone familiar with decoding compiled Java runtime files? They are not text, so I cannot see what is in them, and I also do not want to reinfect my computer. The point of doing this would be to read the code to determine what it may have infected.

  3. It looks to me like it disabled Avast in this case. Therefore perhaps this variant is new to Avast? I had Avast do a full scan and it did not detect the backed-up virus code. However, I just tried a direct scan of the files that it originally reported as JS:Pdfka-gen. It now lists them as separate viruses:

Java:Agent-BJ [Expl]
Java:Agent-BW [Trj]
Java:Agent-BM [Expl]

Anyone?
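On the question of reading the cached Java files without running them: the following is an added Python example, not code from this thread. It walks a Java .class file's constant pool (only the header and the pool are parsed, so nothing is loaded or executed), pulls out the UTF-8 strings, and filters for URLs and dotted-quad IP addresses; the sample class bytes are constructed here and use a documentation-range address. It assumes a bare .class file (a cached .jar is a zip archive whose members would be extracted first).

```python
import re
import struct

CLASS_MAGIC = b"\xca\xfe\xba\xbe"
# Constant-pool tags with fixed-size payloads: tag -> payload length in bytes
_FIXED = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4,
          12: 4, 15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}
_IOC = re.compile(r"https?://\S+|\b(?:\d{1,3}\.){3}\d{1,3}\b")


def class_file_strings(data: bytes) -> list[str]:
    """Return every CONSTANT_Utf8 entry in a class file's constant pool.
    Only the header and constant pool are parsed; nothing is loaded or run."""
    if data[:4] != CLASS_MAGIC:
        raise ValueError("not a Java class file (bad magic)")
    (count,) = struct.unpack_from(">H", data, 8)  # follows magic, minor, major
    pos, idx, out = 10, 1, []
    while idx < count:
        tag, pos = data[pos], pos + 1
        if tag == 1:                                # CONSTANT_Utf8: u2 length + bytes
            (n,) = struct.unpack_from(">H", data, pos)
            out.append(data[pos + 2:pos + 2 + n].decode("utf-8", "replace"))
            pos += 2 + n
        elif tag in _FIXED:
            pos += _FIXED[tag]
        else:
            raise ValueError(f"unknown constant pool tag {tag} at offset {pos - 1}")
        idx += 2 if tag in (5, 6) else 1           # long/double occupy two slots
    return out


def find_network_indicators(strings: list[str]) -> list[str]:
    """Keep only strings that look like URLs or dotted-quad IP addresses."""
    return [s for s in strings if _IOC.search(s)]


# Constructed sample: a minimal class file whose constant pool holds a URL in
# 192.0.2.0/24 (reserved for documentation, not a real host).
SAMPLE_CLASS = (
    CLASS_MAGIC + struct.pack(">HH", 0, 50)       # minor 0, major 50 (Java 6)
    + struct.pack(">H", 7)                        # constant_pool_count = entries + 1
    + b"\x01\x00\x0cjava/net/URL"                 # #1 Utf8 (length 12)
    + b"\x07" + struct.pack(">H", 1)              # #2 Class  -> #1
    + b"\x01\x00\x1chttp://192.0.2.10/manual.pdf" # #3 Utf8 (length 28)
    + b"\x08" + struct.pack(">H", 3)              # #4 String -> #3
    + b"\x05" + struct.pack(">q", 0)              # #5/#6 Long (takes two slots)
    + struct.pack(">HHH", 0x21, 2, 0)             # access_flags, this_class, super_class
)
```

Running `find_network_indicators(class_file_strings(open(path, "rb").read()))` on a saved class file lists its embedded URLs and addresses without ever handing the bytes to a JVM.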