ScriptPE-inf?

Heya, need a bit of help with this alert that Avast is constantly popping up when I have Firefox open. It’s consistently giving a message of

“We’ve moved recovery.jsonlz4 to your Virus Chest because it was infected with JS:ScriptPE-inf [Trj]”
File path: C:\Users\Rando\AppData\Roaming\Mozilla\Firefox\Profiles\9ovjb02n.default\sessionstore-backups\recovery.jsonlz4
Process: F:\Program Files (x86)\Mozilla Firefox\firefox.exe
Detected by: Fire Shield

I’ve run both Malwarebytes (Safe Mode and normal) and Avast, but neither have picked up anything. Irregularly, Avast will stop picking this up, but as one might understand it’s still rather concerning! I attached the Addition and FRST text from the Farbar tool as well.

> I've run both Malwarebytes (Safe Mode and normal) and Avast, but neither have picked up anything.

Safe mode does not give any better detection; in fact it can be worse. Malware that is detected by behavior may not run in safe mode. Malwarebytes is not designed to run in safe mode; it will run, but crippled, as all drivers are not loaded. Malwarebytes also does not target script / doc / media files; it targets executable files.

Have you tried to clear your Firefox browsing history / cache?
You may run AdwCleaner >> https://www.malwarebytes.com/adwcleaner/

Malware expert is notified, it may take hours before he is online

Whaaat. I have been grossly misinformed regarding safe mode and malware scans, alas! Well, live and learn.

That AdwCleaner picked up a few things - two in registry, two or three other bits - and cleaned them out. Happenstance or otherwise, no Avast alerts so far! Hopefully that was all that was needed but expert help would be much appreciated.

> Whaaat. I have been grossly misinformed regarding safe mode and malware scans, alas! Well, live and learn.

What it may give is better removal of some stubborn infections. Today most malware removal tools will give you a message after the scan ... you need to reboot for removal of this and that ...

You may also attach AdwCleaner log so that @Sass Drake can see when he is online

I don’t see anything malicious in the logs, so I can say AdwCleaner saved me from making a fix.

The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.
Run the tool and check the following boxes:

  • Remove disinfection tools
  • Create registry backup
  • Purge System Restore

Click the Run button and wait a few seconds while the programme completes its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.

Hmm, I spoke too soon.

I ran the tool that Sass mentioned, and when I reopened Firefox I got Avast popping up again. Same issue. I guess it was too much to hope for a quick and easy fix!

Redownload FRST to Desktop and do this:

  • Open Notepad (click Start button → type notepad.exe → press Enter)
  • Copy text from code block below and paste it into Notepad

```
FF Session Restore: Mozilla\Firefox\Profiles\9ovjb02n.default -> is enabled.
FF Extension: (Classic Theme Restorer) - C:\Users\Rando\AppData\Roaming\Mozilla\Firefox\Profiles\9ovjb02n.default\Extensions\ClassicThemeRestorer@ArisT2Noia4dev.xpi [2017-11-14] [Legacy]
FF Extension: (ChatZilla) - C:\Users\Rando\AppData\Roaming\Mozilla\Firefox\Profiles\9ovjb02n.default\Extensions\{59c81df5-4b7a-477b-912d-4e0fdf64e5f2} [2016-11-10] [Legacy]
FF Extension: (TLS 1.3 gradual roll-out) - C:\Users\Rando\AppData\Roaming\Mozilla\Firefox\Profiles\9ovjb02n.default\features\{5cd812a8-f655-4945-9941-5ebba1897b41}\tls13-rollout-bug1442042@mozilla.org.xpi [2018-03-20] [Legacy]
```

  • Go to File → Save As
  • Make sure that UTF-8 is selected as Encoding (left side of Save button)
  • Save it as fixlist.txt on Desktop
  • Open FRST again and click the Fix button
  • Wait until FRST finishes
  • fixlog.txt should be generated and opened. Attach it to your post and wait for further instructions.

Done and done!

You did not attach the fix log

Ack, sorry, I hit Scan instead of Fix! Still got pops from Avast, if that’s any indication of things.

```
Fix result of Farbar Recovery Scan Tool (x64) Version: 14.03.2018
Ran by Rando (21-03-2018 19:52:17) Run:1
Running from C:\Users\Rando\Desktop
Loaded Profiles: Rando & DefaultAppPool (Available Profiles: Rando & DefaultAppPool)
Boot Mode: Normal

fixlist content:

FF Session Restore: Mozilla\Firefox\Profiles\9ovjb02n.default -> is enabled.
FF Extension: (Classic Theme Restorer) - C:\Users\Rando\AppData\Roaming\Mozilla\Firefox\Profiles\9ovjb02n.default\Extensions\ClassicThemeRestorer@ArisT2Noia4dev.xpi [2017-11-14] [Legacy]
FF Extension: (ChatZilla) - C:\Users\Rando\AppData\Roaming\Mozilla\Firefox\Profiles\9ovjb02n.default\Extensions\{59c81df5-4b7a-477b-912d-4e0fdf64e5f2} [2016-11-10] [Legacy]
FF Extension: (TLS 1.3 gradual roll-out) - C:\Users\Rando\AppData\Roaming\Mozilla\Firefox\Profiles\9ovjb02n.default\features\{5cd812a8-f655-4945-9941-5ebba1897b41}\tls13-rollout-bug1442042@mozilla.org.xpi [2018-03-20] [Legacy]

"Firefox Session Restore" => removed successfully
C:\Users\Rando\AppData\Roaming\Mozilla\Firefox\Profiles\9ovjb02n.default\Extensions\ClassicThemeRestorer@ArisT2Noia4dev.xpi => moved successfully
C:\Users\Rando\AppData\Roaming\Mozilla\Firefox\Profiles\9ovjb02n.default\Extensions\{59c81df5-4b7a-477b-912d-4e0fdf64e5f2} => moved successfully
C:\Users\Rando\AppData\Roaming\Mozilla\Firefox\Profiles\9ovjb02n.default\features\{5cd812a8-f655-4945-9941-5ebba1897b41}\tls13-rollout-bug1442042@mozilla.org.xpi => moved successfully

==== End of Fixlog 19:52:34 ====
```

  • Open Notepad (click Start button → type notepad.exe → press Enter)
  • Copy text from code block below and paste it into Notepad

```
VirusTotal: C:\Users\Rando\AppData\Roaming\Mozilla\Firefox\Profiles\9ovjb02n.default\sessionstore-backups\recovery.jsonlz4
C:\Users\Rando\AppData\Roaming\Mozilla\Firefox\Profiles\9ovjb02n.default\sessionstore-backups
```

  • Go to File → Save As
  • Make sure that UTF-8 is selected as Encoding (left side of Save button)
  • Save it as fixlist.txt on Desktop
  • Open FRST again and click the Fix button
  • Wait until FRST finishes
  • fixlog.txt should be generated and opened. Attach it to your post and wait for further instructions.

```
Fix result of Farbar Recovery Scan Tool (x64) Version: 14.03.2018
Ran by Rando (22-03-2018 21:23:45) Run:2
Running from C:\Users\Rando\Desktop
Loaded Profiles: Rando & DefaultAppPool (Available Profiles: Rando & DefaultAppPool)
Boot Mode: Normal

fixlist content:

VirusTotal: C:\Users\Rando\AppData\Roaming\Mozilla\Firefox\Profiles\9ovjb02n.default\sessionstore-backups\recovery.jsonlz4
C:\Users\Rando\AppData\Roaming\Mozilla\Firefox\Profiles\9ovjb02n.default\sessionstore-backups

VirusTotal: C:\Users\Rando\AppData\Roaming\Mozilla\Firefox\Profiles\9ovjb02n.default\sessionstore-backups\recovery.jsonlz4 => https://www.virustotal.com/file/8da43fd6cae490616df792010c173945b104f5b5590b4cbca2d649baa6f9ba1d/analysis/1521768226/
C:\Users\Rando\AppData\Roaming\Mozilla\Firefox\Profiles\9ovjb02n.default\sessionstore-backups => moved successfully

==== End of Fixlog 21:23:47 ====
```

What is the status now?

So far, so good! I haven’t had Avast popping up in any fashion since that last fix. :smiley: Thank you very much, all!

Glad to hear that.

The following will implement some post-cleanup procedures:

=> Please download DelFix by Xplode to your Desktop.
Run the tool and check the following boxes:

  • Remove disinfection tools
  • Create registry backup
  • Purge System Restore

Click the Run button and wait a few seconds while the programme completes its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.