FakeAV-EF Trojan [javascript?]

hi everyone. I’ll try to throw out as much info as i can on this one. Somehow My laptop (Gateway Mu-7301) managed to contract this virus, which Avast! identifies as FakeAV-EF[Trj]. the file it says is infected (or the trojan itself) is located in[c:\users\temp\Appdata\local\microsoft\windows\temporaryinternetfiles\low\content.IE5\JAHGEDJD\2[1].html]

So far the computer retains all abilities from what i can see. not locked out of task manager, command line, programs, etc.

From what i could gather for information on this one, It’s a javascript Trojan that leaves backdoors, and the usual behavior of downloading other crap too.

Any help on fixing this would be much appreciated

Oh, and I tried repair, and moving it to the Avast! Virus chest, but neither did anything.

Edit: I forgot to mention i’m running V5 *facepalm for forgetting

welcome to the forum.

have you tried boot scan with avast?

http://www.techiecorner.com/166/avast-how-to-schedule-boot-time-scan-before-window-start/ for v 4.8

http://www.schmahl.net/avastbootscan.php for v.5

if this thoose not solve the problem try to use mbab And/or sas

http://filehippo.com/download_malwarebytes_anti_malware/
http://filehippo.com/download_superantispyware/

good luck and write back on your progress or if you need more help.

Try to empty your Temp files.
you can use ATF cleaner http://download.cnet.com/ATF-Cleaner/3000-18512_4-89432.html

Tried the ATF cleaner, cleaned everything, quick scan showed it was still there in the same spot.

running a boot scan currently, but it’s already found 2 javascript infections, and a corrupted Itunes CAB archive.

I told it too send everything to the chest, hope thats ok.

edit: Boot scans Done. Results are:

5 infected files (all moved to chest)

2[1].htm Location [c:\Users\temp\Appdata\local\microsoft\windows\temporary internet files\low\content.IE5\JAHGEDJD] (original)

myf\y\AppletX.Class Location [C:\Users\Cherie\Appdata\Locallow\Sun\Java\Deployment\Cache\6.0\48\26e14b0-3c6504dd]

myf\y\AppletX.class Location [C:\Users\guys\Appdata\Locallow\Sun\Java\Deplyment\Cache\6.0\26\3a242c1a-19dac87a]

myf\y\LoaderX.class [C:\Users\Cherie\Appdata\locallow\Sun\Java\Deployment\cache\6.0\48\26e14b0-3c6504dd]

myf\y\Loader.class Location [C:\Users\Guys\Appdata\Locallow\Sun\Java\Deployment\Cache\6.0\26\3a242c1a-19dac87a]

If you need logs, just tell me where to look, and i’ll get you them.

I’ll run MBAM after this, and check into Superantispyware…

Edit: Malwarebytes fullscan report:
Malwarebytes’ Anti-Malware 1.45
www.malwarebytes.org

Database version: 3961

Windows 6.0.6002 Service Pack 2
Internet Explorer 8.0.6001.18904

4/6/2010 9:31:08 PM
mbam-log-2010-04-06 (21-31-08).txt

Scan type: Full scan (C:|D:|)
Objects scanned: 223075
Time elapsed: 52 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

double edit: ran SAS and it found some tracking cookies, which i quarantined then deleted

Anyone know if these are fixable/removable? I mean it’s only java script, and i really don’t want to spend hours with a vista install disc…again…

hey again.

those threat you send to the chest during the boot scan can be there sense it does not do any harm to your computer anymore when they are in the chest. you could upload them to virustotal.com and see how many others antivirus detects them as malware. if you do this please post the result here so we can determine if they are threats or not.