sessionstore-1.js

Dear Forum,

I just received the message ‘Suspicious files have been detected using a heuristic method. This may be a sign of malware infection. Please allow the files to be submitted to our virus lab for analysis’.

File name: c:\documents and settings\user\application data\Mozilla\Firefox\Profiles\ujad1jel.default\sessionstore-1.js

The file size is 0 bytes. I tried to upload the file to Jotti’s Malware and Virustotal. However, this is impossible given the file size.

The only actions available are ‘ignore’ or ‘delete’. (Not quarantine???). Only with ignore or delete can I send it to Avast for analysis.

Your advice would be much appreciated.

Avastfan1

Good morning lad, how are you :wink:

Well, it is detected as Suspicious…
meaning you ignore and send it to avast, then the file remains on your computer but will be checked by the avast lab.
If they find it to be malware, then they will add detection for it and the file will be detected again, this time with a malware name…
So it is not smart to delete it before you know what it is :wink: but maybe just an error since the file size is 0kb

Thank you! Things are going quite well here! :slight_smile:

I sent it to Avast. I made a copy of the file into C:\SUSPECT and selected ‘delete’. I don’t think there was an error. The file seemed to be 0 bytes.

A quick scan with MBAM turned up nothing. Otherwise, I think it was just heuristic ‘noise’.

With both Avast and MBAM resident, my machine has not reported or even displayed any untoward behaviour.

Hence, I think I am clean :slight_smile:

Strange as sessionstore.js files are excluded in the FSS.

So what scan actually detected this?
Sounds like the avast anti-rootkit scan 8 minutes after boot; does that roughly equate to when it happened?

If so it is even more strange for a .js to be considered suspect by the anti-rootkit scan.
Check the C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast\log\aswAr.log using Notepad; that should show what was detected.

Remember there was an issue in the past also concerning this: http://forum.avast.com/index.php?topic=61836.0
and see this: http://forums.mozillazine.org/viewtopic.php?f=38&t=1542035&start=0

polonus

Thank you both for the replies.

It must have been the heuristic scan, DavidR, as the message said ‘Suspicious files have been detected using a heuristic method…’.

My computer had been on for much longer than eight minutes after booting. However, I still checked the aswAr.log file. Unfortunately, it showed the results for Wednesday (today) - so it must have already wiped the one from yesterday.

For the record it showed:
Hidden files found: 0
Hidden registry items found: 0
Hidden processes found: 0
Hidden services found: 0
Hidden boot sectors found: 0

I also notice that the Avast user from Polonus’ link also tried to upload a 0 byte file to Virustotal. That gives me heart, as my file also was 0 bytes.

Would be grateful for advice how I should proceed.

Thanks in advance,

Avastfan1

Well there are different scans that use heuristics and it is fairly important to get the right scan/shield so that we can take action on it.

The aswAr.log is overwritten after every anti-rootkit scan or the file would become very large.

All you can do is check the other logs for shields or scans in the C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast\report folder.

Thanks for the response.

Unfortunately, there are lots of files with loads of confusing information :frowning:

These files are in the directory: C:\Documents and Settings\All Users\Application Data\Alwil Software\Avast5\log:

ashwebsv.ws
ashwebsv.ws.ori
aswAr
aswAr1 (15MB!!!)
aswBoot
autosandbox
Chest
Logging
Mail
nshield
selfdef
Setup
unp12348324.tmp.mdmp
unp32483242.tmp.mdmp
usntr

Your guidance as to which ones I should concentrate on would be much appreciated! :slight_smile:

To start with you should uncheck the Hide extensions for known file types, this is without doubt the worst default setting in windows explorer, it causes nothing but confusion.

Windows Explorer, Tools, Folder Options, Hidden files and folders, uncheck Hide extensions for known file types, etc. see image.

You should then be able to see the .txt (most shield reports are this type) or .log

You aren’t looking in the report folder that I suggested.

Thank you again for your advice.

Unhid the file extensions. Looked in C:\Documents and Settings\All Users\Application Data\Alwil Software\Avast5\report.

Unfortunately, none of the files showed any suspicious entries. All they had was e.g.

  • avast! Real-time Shield Scan Report
  • This file is generated automatically
  • Started on: Tuesday, March 08, 2011 10:17:28 AM

Thanks anyway for your help! :slight_smile:

Which almost confirms that it was the anti-rootkit scan 8 minutes after boot, which gets overwritten after each AR scan.

Great advice as always from this board. That’s why I am a member :slight_smile:

Keep up the sterling work!!!