LandzDown Forum

Software & More => Computer Problems, Questions and Solutions! => Topic started by: pastywhitegurl on December 08, 2010, 02:21:03 AM

Title: My AV found a virus and quarantined..do I need to do anything further?
Post by: pastywhitegurl on December 08, 2010, 02:21:03 AM
My Avira antivirus found this malware:

JS/FakeAlert.72367

On the first instance it said "action allowed" (I did not allow anything that I'm aware of), and then a minute later it found it again and it was quarantined.

I ran a MalwareBytes quick scan and a HijackThis scan, which turned up nothing.

My question is, do I need to do anything further?
Title: Re: My AV found a virus and quarantined..do I need to do anything further?
Post by: winchester73 on December 08, 2010, 02:23:49 AM
Hard to say without seeing the logs from Avira, HJT, and MBAM.

Avira started detecting that at the end of October:  http://www.avira.ro/en/threats/section/vdfhistory/vdf_no/7.10.05.252/7.10.05.252.html
Title: Re: My AV found a virus and quarantined..do I need to do anything further?
Post by: pastywhitegurl on December 08, 2010, 02:37:36 AM
Quote from: AVIRA REPORTS:
Second detection: Today: 7:10:26 pm
The file 'C:\Documents and Settings\Helena\Local Settings\Application Data\Mozilla\Firefox\Profiles\lfoq4mi4.default\Cache\E4FA23C6d01'
contained a virus or unwanted program 'JS/FakeAlert.72367' [virus]
Action(s) taken:
The file was moved to the quarantine directory under the name '4f0a7a51.qua'.

First detection: Today: 7:09:48 pm
Virus or unwanted program 'JS/FakeAlert.72367 [virus]'
detected in file 'C:\Documents and Settings\Helena\Local Settings\Application Data\Mozilla\Firefox\Profiles\lfoq4mi4.default\Cache\E4FA23C6d01.
Action performed: Allow access

HijackThis log: nothing is checked to be fixed:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:34:09 PM, on 12/7/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\SmileyPad\SmileyPad.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe
C:\PROGRAM FILES\IMAGESHACK\QUICKSHOT\QUICKSHOT.EXE
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Documents and Settings\Helena\Desktop\desktopsV1.01.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\Program Files\Secunia\PSI\psi.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\program files\avira\antivir desktop\avcenter.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SmileyPad] C:\Program Files\SmileyPad\SmileyPad.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\SSMMgr.exe /autorun
O4 - HKLM\..\Run: [ImageShackUtil] C:\PROGRAM FILES\IMAGESHACK\QUICKSHOT\QUICKSHOT.EXE
O4 - HKLM\..\Run: [QSmile] C:\PROGRAM FILES\ASEFSOFT\QUICK SMILE 3\QSMILE.EXE  /h
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nView\nwiz.exe /installquiet
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [Sysinternals Desktops] C:\Documents and Settings\Helena\Desktop\desktopsV1.01.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Helena\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6262 bytes

--------------------

Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5268

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

12/7/2010 8:36:34 PM
mbam-log-2010-12-07 (20-36-34).txt

Scan type: Quick scan
Objects scanned: 130496
Time elapsed: 2 minute(s), 39 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
Title: Re: My AV found a virus and quarantined..do I need to do anything further?
Post by: pastywhitegurl on December 10, 2010, 12:38:09 AM
The people at the Avira forums said that the quarantined file is no threat, but I could send it to them to be analyzed to see if it could be a false positive.  They also said that if I cleared my temporary files and cache that I should have no other issues with it even if it was actually malware.

Thought I would report that in case someone else runs across this particular ugly.
Title: Re: My AV found a virus and quarantined..do I need to do anything further?
Post by: winchester73 on December 10, 2010, 01:45:57 PM
I don't use Firefox, perhaps someone else can comment on the file location.  Do you have NoScript?

Sounds like you got the same advice given to this other person:  http://forum.antivir-pe.de/wbb/index.php?page=Thread&postID=1031498&s=9a1637d5b5589abe849f3ffe93a20f8bf258cf64#post1031498
Title: Re: My AV found a virus and quarantined..do I need to do anything further?
Post by: Corrine on December 10, 2010, 02:45:11 PM
Oh, I didn't see this topic.

You can use TFC which will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder. It also cleans out the %systemroot%\temp folder and checks for .tmp files in the %systemdrive% root folder, %systemroot%, and the system32 folder (both 32bit and 64bit on 64bit OSs). It shows the amount removed for each location found (in bytes) and the total removed (in MB).

Before running, it will stop Explorer and all other running applications. When finished, if a reboot is required the user must reboot to finish clearing any in-use temp files.
-- TFC only cleans temp folders.
-- TFC will not clean URL history, prefetch, or cookies. Depending on how often someone cleans their temp folders, their system hardware, and how many accounts are present, it can take anywhere from a few seconds to a minute or more. TFC will completely clear all temp files where other temp file cleaners may fail.

Instructions:

Download TFC by Old Timer from here (direct download):  http://www.itxassociates.com/OT-Tools/TFC.exe
Title: Re: My AV found a virus and quarantined..do I need to do anything further?
Post by: pastywhitegurl on December 11, 2010, 01:40:05 PM
Thanks, Corrine,
I ran the program and it did clear Firefox cache files (which I believe is where the malware was deposited).

I do have NoScript, so it puzzles me why I would have had a malicious JavaScript successfully operate to begin with.
Title: Re: My AV found a virus and quarantined..do I need to do anything further?
Post by: Corrine on December 11, 2010, 07:32:55 PM
TFC does a thorough job.

Quote from: winchester73 on December 10, 2010, 01:45:57 PM
Sounds like you got the same advice given to this other person:  http://forum.antivir-pe.de/wbb/index.php?page=Thread&postID=1031498&s=9a1637d5b5589abe849f3ffe93a20f8bf258cf64#post1031498
Based on the detection log, that advice wasn't to some "other person".  ;)
Title: Re: My AV found a virus and quarantined..do I need to do anything further?
Post by: pastywhitegurl on December 11, 2010, 08:55:56 PM
That's right... that was me. :)

I'll post an update when I hear back from them on the file.
Title: Re: My AV found a virus and quarantined..do I need to do anything further?
Post by: pastywhitegurl on December 12, 2010, 04:58:11 AM
Response from the Avira analysts:

Quote:
Filename    Result
4f0a7a51.vir     MALWARE

The file '4f0a7a51.vir' has been determined to be 'MALWARE'. Our analysts named the threat JS/FakeAlert.72367. The term "JS/" denotes a JavaScript virus. Detection is added to our virus definition file (VDF) starting with version 7.10.13.46

So yeah. Definitely a baddy.
I'm guessing I should get rid of old system restore points?

Title: Re: My AV found a virus and quarantined..do I need to do anything further?
Post by: Corrine on December 12, 2010, 03:13:08 PM
It was good you submitted the file.  The time you took to follow up has helped protect others.  Well done!!!

It can't hurt to clear SR.  First create a fresh restore point:

1.  Click Start, click All Programs, click Accessories, click System Tools, and then click System Restore.
2.  Click Create a Restore Point, and then click Next.
3.  Name your restore point. (i.e., clean)
4.  Click the Create button.
5.  When the new restore point has been created, click Close.

Now remove the infected restore points:
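As an added example (not from the thread or from any poster), here is the same "create a fresh restore point" step done from PowerShell through the WMI SystemRestore class, listing the existing restore points first so the ones that predate the detection are visible. It assumes an elevated PowerShell session and that System Restore is enabled on the system drive; the description "clean" follows the thread's own suggestion.

```powershell
# Added example: create a fresh "clean" restore point via WMI, the scripted
# equivalent of the System Restore GUI steps, and list the points before and
# after. Assumes an elevated session with System Restore enabled.

function Get-RestorePoints {
    # Each instance of root\default:SystemRestore is one restore point.
    # CreationTime is a DMTF datetime string, so convert it for display.
    Get-WmiObject -Namespace 'root\default' -Class 'SystemRestore' |
        Sort-Object SequenceNumber |
        Select-Object SequenceNumber, Description,
            @{ Name = 'Created'; Expression = {
                [System.Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime) } }
}

function New-CleanRestorePoint {
    param([string]$Description = 'clean')
    $sr = [wmiclass] '\\.\root\default:SystemRestore'
    # RestorePointType 12 = MODIFY_SETTINGS, EventType 100 = BEGIN_SYSTEM_CHANGE
    $result = $sr.CreateRestorePoint($Description, 12, 100)
    if ($result.ReturnValue -ne 0) {
        throw "CreateRestorePoint failed with return code $($result.ReturnValue)"
    }
    return $result.ReturnValue
}

Write-Host 'Restore points before (older ones may predate the detection):'
Get-RestorePoints | Format-Table -AutoSize

New-CleanRestorePoint -Description 'clean' | Out-Null

Write-Host 'Restore points after; the new "clean" point should be the last entry:'
Get-RestorePoints | Format-Table -AutoSize
```

On Windows XP, Vista and 7 the point is created immediately; Windows 8 and later silently skip creation if another point was made in the last 24 hours unless the SystemRestorePointCreationFrequency registry value is changed.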
Title: Re: My AV found a virus and quarantined..do I need to do anything further?
Post by: pastywhitegurl on December 12, 2010, 04:21:51 PM
Thanks, Corrine :) Done.

I appreciate your help, guys!