JS:Pdfka-gen [Expl] in PDF Annotator?

Hi everyone;

I use PDF Annotator in a lot of my classes to take notes. Today I was writing down my physics notes, and at the end of class, I went to save it as “Ch.2 Notes”, but Avast caught it as a virus/trojan named “JS:Pdfka-gen [Expl]”.

I let avast do its thing, thinking maybe the name might’ve thrown it off for whatever reason, so I attempted to save it twice more under different names, both times getting the same message.

To double check to see if I was infected, I opened up PDF Annotator in a new window, made a new file and saved it, this time with no problems.

My notes were the only ones to get this message; another three PDFs I had open for the class saved with no problem. They weren’t downloaded off of a site; I wrote them on a new page, by myself, with nothing but my school’s email service open.

So I’m wondering if avast is off its rocker or if I’ve got a trojan. Any help is appreciated.

I have never used pdf annotator, so I don’t know exactly what it does. It may be that modifying a .pdf file may be suspicious to avast, and that is why it is caught by a generic (JS:Pdfka-gen, the -gen bit) signature.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here (the URL in the Address bar of the VT results page). You can’t do this with the file securely in the chest; you need to extract it to a temporary (not original) location first, see below.

Create a folder called Suspect in the C: drive. Now exclude that folder in the File System Shield, Expert Settings, Exclusions, Add, type (or copy and paste) C:\Suspect*
That will stop the File System Shield scanning any file you put in that folder.

If only GData and avast detect it - GData uses avast as one of its two scanners so counts as 1 detection and almost certainly an FP.
Send the sample to avast as a False Positive:
Open the chest and right click on the file and select ‘Submit to virus lab…’ complete the form and submit, the file will be uploaded during the next update.

  • In the meantime (if you accept the risk), add it to the exclusions lists:
    File System Shield, Expert Settings, Exclusions, Add and
    avast Settings, Exclusions

Restore it to its original location, periodically check it (scan it in the chest), there should still be a copy in the chest even though you restored it to the original location. When it is no longer detected then you can also remove it from the File System Shield and avast Settings, exclusions lists.
Send the sample/s to avast as Undetected Malware:
Open the chest and right click in the Chest and select Add, navigate to where you have the sample and add it to the chest (see image). Once in the chest, right click on the file and select ‘Submit to virus lab…’ complete the form and submit, the file will be uploaded during the next update.

Excellent, the VirusTotal site only had the GData and Avast programs notice it, and I’ve submitted it as a false positive.

Thanks for your help!

No problem, glad I could help.

Hopefully it will be quickly resolved.

Welcome to the forums.

I followed the procedure and in addition to Avast, Avast5, and GData showing it as a positive, it also showed Exploit_c.KJH via AVG. However, none of the others showed a positive at www.virustotal.com so can I presume it is a false positive? Thanks.

Without knowing the infected file name, location and the circumstances of the detection, we can’t make that assumption. It is always better to give the link to the VT Results page, as it can give us other information.

Hi, the report is at http://www.virustotal.com/file-scan/report.html?id=67f15dceb417b0d23dc7b6de768ed47e8b84e308dc175607af575a1b6e4758ce-1295551525
Thanks

Thanks, I was hoping there might be some other additional/supplementary information or links, etc.; unfortunately not.

So yes you should have sent it to avast for further investigation as a possible false positive, though I would leave it in the chest for the time being and not exclude it.

Periodically check it (scan it in the chest), there should still be a copy in the chest, when it is no longer detected then you can restore it to its original location.

C:\Users\Guest\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\IC6KJEHO\eco15on[1].pdf was where I found it originally while doing a full system scan. My main concern is that it could have compromised the security of my PC in some way? Thanks

I doubt it would have compromised security a) unless it is/was a good detection and b) if you didn’t actually open it.

Now given its location in the temp internet files folder it is theoretically possible to have opened it whilst browsing. I don’t allow my browser to open PDF files, if I want to view one it must be downloaded which would mean it should be scanned. It is going to be run under my control using a PDF reader that is less of a risk than using Adobe PDF Reader (I use FoxIt PDF Reader), which is a huge target for exploitation by malware.

Also, given its location, it isn’t such an issue, being a Temporary location; if a future avast scan of it in the chest there is no need to restore it, as it isn’t a crucial file.

Thanks. I have no idea whether it was opened or not because the guest account was being used by someone else at the time, and that was quite a while ago.

The reason why I ask is because I want to create a disk image backup of my PC but don’t want to end up backing up a compromised system. If it is likely that it was a false positive, or that it would not have had a lasting effect on the system anyway, not being the kind of virus that carries that kind of payload, then I would not be worried about it.

Before making any disk image backup I would suggest that you clear all temp files/folders, as there is little point in backing up temp data (that would have taken care of this particular one anyway). You can use something like CCleaner to remove the temp data.