JS:Includer-FR [Trj] ...constant (several per second) detections

Hi, avast is detecting “JS:Includer-FR [Trj]” at the rate of 1 to 4 PER SECOND. There were 18 detections in the time I typed that first sentence. Now 39… please help!

It started yesterday morning after a scheduled nighttime scan, so I ran a full boot-time scan yesterday (literally over 20 hours long, thanks to a couple of huge hard drives), and it found 6 of those same Trojans, plus one “Java:CVE-2013-0422-Y [Expl]” and one “Java:Malware-gen [Trj]”, all of which were deleted.

Avast:
Program version: 8.0.1483
Virus def version: 130415-0
Number of def’s: 4,346,135

running Windows 7 home premium

Please help, it’s found over 200 since I’ve been writing! Thank you!

Please attach your logs. (AdwCleaner, MBAM, OTL and aswMBR…!!)
Instructions: http://forum.avast.com/index.php?topic=53253.0

I have to download 5 different things in order to attach my logs?? Sorry, I’ve never been through this before…

And also… according to the instructions I’ll have to run a couple more scans for these other programs… the last one took over 24 hours… is there any way of attaching logs for THAT scan before I go through 2 more days of scanning? Thanks

Only 4 “things”… :wink:

Please reread Reply #1.

These scans will not take 24 hours if you follow the instructions…
like the Malwarebytes quick scan… :wink:

Here’s the first one:

AdwCleaner v2.200 - Logfile created 04/15/2013 at 10:39:28

Updated 02/04/2013 by Xplode

Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)

User : Michael - DEMARIAPHOTO-PC

Boot Mode : Normal

Running from : C:\Users\Michael\Desktop\adwcleaner.exe

Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

Folder Deleted : C:\Program Files (x86)\Common Files\Software Update Utility
Folder Deleted : C:\Program Files (x86)\Conduit
Folder Deleted : C:\Program Files (x86)\MiniEvony
Folder Deleted : C:\Users\Michael\AppData\Local\Conduit
Folder Deleted : C:\Users\Michael\AppData\LocalLow\Conduit
Folder Deleted : C:\Users\Michael\AppData\LocalLow\MiniEvony

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software\Conduit
Key Deleted : HKCU\Software\AppDataLow\Software\MiniEvony
Key Deleted : HKCU\Software\AppDataLow\Toolbar
Key Deleted : HKCU\Software\Conduit
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{1AEC5771-FCD6-4537-A6B7-5F1935FD527C}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1AEC5771-FCD6-4537-A6B7-5F1935FD527C}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{B9B9F072-8425-4897-B5E5-4438ECE6587D}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{6C259840-5BA8-46E6-8ED1-EF3BA47D8BA1}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\dnu.EXE
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdate
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUIBrowser
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUIBrowser.1
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUpdController
Key Deleted : HKLM\SOFTWARE\Classes\dnUpdater.DownloadUpdController.1
Key Deleted : HKLM\SOFTWARE\Classes\Toolbar.CT2697877
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{92380354-381A-471F-BE2E-DD9ACD9777EA}
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{B9B9F072-8425-4897-B5E5-4438ECE6587D}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\Software\MiniEvony
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{1AEC5771-FCD6-4537-A6B7-5F1935FD527C}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{3C471948-F874-49F5-B338-4F214A2EE0B1}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{7B089B94-D1DC-4C6B-87E1-8156E22C1D96}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{B9B9F072-8425-4897-B5E5-4438ECE6587D}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\CLSID\{E15A9BFD-D16D-496D-8222-44CADF316E70}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Classes\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{97359E82-3808-47F6-8790-0771AEDBC8FA}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B5E07FD1-38EB-48F3-B2D1-906C9BB19453}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1AEC5771-FCD6-4537-A6B7-5F1935FD527C}
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\MiniEvony Toolbar
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\SoftwareUpdUtility
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{660E6F4F-840D-436D-B668-433D9591BAC5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E7435878-65B9-44D1-A443-81754E5DFC90}
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser [{1AEC5771-FCD6-4537-A6B7-5F1935FD527C}]
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{1AEC5771-FCD6-4537-A6B7-5F1935FD527C}]
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks [{1AEC5771-FCD6-4537-A6B7-5F1935FD527C}]
Value Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar [{1AEC5771-FCD6-4537-A6B7-5F1935FD527C}]

***** [Internet Browsers] *****

-\ Internet Explorer v10.0.9200.16537

[OK] Registry is clean.

-\ Google Chrome v26.0.1410.64

File : C:\Users\Michael\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.


AdwCleaner[S1].txt - [4885 octets] - [15/04/2013 10:39:28]

########## EOF - C:\AdwCleaner[S1].txt - [4945 octets] ##########
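The AdwCleaner log above records every removal as a "Folder/File/Key/Value Deleted : target" line under a "***** [Section] *****" header. The Python script below is an added example, not part of this thread and not AdwCleaner's own code: it parses that format from a constructed sample log, counts what was removed per kind and per registry hive, and flags registry entries that sit under browser load points (Browser Helper Objects, URLSearchHooks, toolbars, IE elevation policy). The regexes and the list of load points are assumptions based on the format shown, chosen so a reader can see at a glance how much of a log is toolbar/adware persistence versus anything else.

```python
"""Summarize an AdwCleaner removal log (added example, not from the thread).

The log format is the one posted above: sections like "***** [Registry] *****"
followed by lines such as "Key Deleted : HKLM\\...". The sample log below is
constructed for this example; the regexes and the load-point list are
assumptions based on that format, not AdwCleaner's own code.
"""
import re
from collections import Counter

# Constructed sample log in the format shown in the thread (not a real scan).
SAMPLE_LOG = r"""
AdwCleaner v2.200 - Logfile created 01/01/2013 at 00:00:00
Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

Folder Deleted : C:\Program Files (x86)\ExampleToolbar
Folder Deleted : C:\Users\User\AppData\Local\ExampleToolbar
File Deleted : C:\Users\User\Desktop\ExampleToolbar.lnk

***** [Registry] *****

Key Deleted : HKCU\Software\ExampleToolbar
Key Deleted : HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000001}
Value Deleted : HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks [{00000000-0000-0000-0000-000000000001}]

***** [Internet Browsers] *****

-\ Internet Explorer v10.0.0.0

[OK] Registry is clean.
"""

SECTION_RE = re.compile(r"^\*{5} \[(?P<name>[^\]]+)\] \*{5}$")
ACTION_RE = re.compile(r"^(?P<kind>Folder|File|Key|Value) Deleted : (?P<target>.+)$")

# Registry locations from which Internet Explorer loads third-party code;
# hits here explain toolbar/BHO-style persistence (assumed list for this example).
BROWSER_LOAD_POINTS = (
    "Browser Helper Objects",
    "URLSearchHooks",
    "Internet Explorer\\Toolbar",
    "ElevationPolicy",
)


def parse_log(text):
    """Return a list of (section, kind, target) tuples, one per deletion line."""
    entries = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        m = ACTION_RE.match(line)
        if m and section:
            entries.append((section, m.group("kind"), m.group("target")))
    return entries


def summarize(entries):
    """Count deletions per kind and per registry hive; list browser load-point hits."""
    per_kind = Counter(kind for _, kind, _ in entries)
    per_hive = Counter(
        target.split("\\", 1)[0]          # hive is the first path component (HKCU, HKLM, ...)
        for _, kind, target in entries
        if kind in ("Key", "Value")
    )
    load_points = [
        target for _, kind, target in entries
        if kind in ("Key", "Value") and any(lp in target for lp in BROWSER_LOAD_POINTS)
    ]
    return {"per_kind": dict(per_kind), "per_hive": dict(per_hive), "load_points": load_points}


if __name__ == "__main__":
    report = summarize(parse_log(SAMPLE_LOG))
    for key, value in report.items():
        print(key, value)
```

Run it against a saved AdwCleaner[S1].txt by replacing SAMPLE_LOG with the file's contents; a log whose registry hits are all under the load points above is consistent with a browser toolbar cleanup and says nothing, by itself, about a separate on-access detection such as the one this thread is about.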

Please attach your logs. Thanks.

You mean you don’t want me to paste them in replies like I just did? How do I attach them?

If you reply here, you’ll find the option below the text box → “Attachments and other options”

Ok here are 4 of the 5 logs you asked for… thank you very much!

I cannot attach the 5th log (MBR.dat), it says it’s an invalid file type to attach. And I can’t open it from my desktop to save it as another file type.

I cannot attach the 5th log (MBR.dat)
Not a log... we want aswmbr.txt

Sorry, found it… here’s the 5th log. Thanks.

Still non-stop detections of this Trojan, probably a couple thousand this morning… has anyone seen this?

Let me know if this clears it please

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

- Under the Custom Scans/Fixes box at the bottom, paste in the following:

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:OTL
O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found.
O3 - HKU\S-1-5-21-3612433894-2427630151-739255536-1001\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

- Then click the Run Fix button at the top.
- Let the program run unhindered, and reboot the PC when it is done.
- Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

I was excited for a minute, after the reboot there were no detections for 5 min or so, then they started back up. Here’s the new OTL log, and also the log that popped up after rebooting. What if I just went back to a restore point prior to a couple days ago??

Yes, try a restore point from a few days ago, but you will need to disable Avast self-protection. Screenshot below. If that fails to remove it, we will need to check autorun entries.

What exactly is the avast self-defense module? And could this “Trojan” be some kind of false positive? I’m wondering if it’s really a real issue. Did you see something in the logs that points to me having an actual problem? Thanks again…