
Trojan.Malscript!html


10 replies to this topic

#1 BrokenComputer

BrokenComputer

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Local time:12:14 PM

Posted 21 July 2011 - 12:09 PM

For the past few days, my computer's Symantec anti-virus keeps popping up that it has detected Trojan.Malscript!html. They are all .tmp files and then are quarantined, but hundreds of them keep popping up.

I've run Malwarebytes but it picks up nothing. Spybot S&D just keeps picking up RightMedia which I fix, but it reappears. I haven't tried anything else.

How do I fix this?

Thanks in advance!



#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,399 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:14 PM

Posted 21 July 2011 - 01:51 PM

Trojan.Malscript!html is used by Symantec to identify HTML files that contain malicious JavaScript.

When a browser runs an applet, the Java Runtime Environment (JRE) stores the downloaded files in its cache folder for quick execution later and better performance. Both legitimate and malicious applets, including malicious Java class files, are stored in the Java cache directory, and your anti-virus may detect them as threats. The detection can indicate the presence of malicious code which could attempt to exploit a vulnerability in the JRE. For more specific information about Java exploits, please refer to Virus found in the Java cache directory.

Notification of these files as a threat does not always mean that a machine has been infected; it indicates that a program included the viral class file but this does not mean that it used the malicious functionality. As a precaution, I recommend clearing the entire cache manually to ensure everything is cleaned out:

Also be aware that older versions of Java have vulnerabilities that malicious sites can use to exploit and infect your system. That's why it is important to always use the most current Java Version and remove outdated Java components. You can verify (test) your JAVA Software Installation & Version here.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 BrokenComputer


Posted 21 July 2011 - 02:29 PM

I followed the above instructions, but it continues to pop up. What's the next step?

#4 quietman7


Posted 21 July 2011 - 02:43 PM

Please post the results of your last MBAM scan for review (even if nothing was found).

To retrieve the Malwarebytes Anti-Malware scan log information, launch MBAM.
  • Click the Logs Tab at the top.
  • The log will be named by the date of scan in the following format: mbam-log-date(time).txt
    -- If you have previously used MBAM, there may be several logs showing in the list.
  • Click on the log name to highlight it.
  • Go to the bottom and click on Open.
  • The log should automatically open in notepad as a text file.
  • Go to Edit and choose Select all.
  • Go back to Edit and choose Copy or right-click on the highlighted text and choose Copy from there.
  • Come back to this thread, click Add Reply, then right-click and choose Paste.
  • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
Logs are saved to the following locations:
-- XP: C:\Documents and Settings\<Username>\Application Data\Malwarebytes\Malwarebytes Anti-Malware\Logs\mbam-log-yyyy-mm-dd
-- Vista, Windows 7, 2008: C:\ProgramData\Malwarebytes\Malwarebytes Anti-Malware\Logs\mbam-log-yyyy-mm-dd



Please download TFC (Temp File Cleaner) by Old Timer and save it to your desktop.
alternate download link
  • Save any unsaved work. TFC will close ALL open programs including your browser!
  • Double-click on TFC.exe to run it. Vista/Windows 7 users right-click and select Run As Administrator.
  • Click the Start button to begin the cleaning process and let it run uninterrupted to completion.
  • TFC will clear out all temp folders (temp, IE temp, Java, FF, Opera, Chrome, Safari) for all user accounts, including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.
  • Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway to ensure a complete clean.
-- Note: It is normal for the computer to be slow to boot after running TFC cleaner the first time.



Please download SUPERAntiSpyware Free and follow these instructions for performing a scan.

  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • Be sure to update the definitions before scanning by selecting "Check for Updates".
    If you encounter any problems while downloading the updates, manually download them from here.
  • To retrieve the removal information after reboot, launch SUPERAntiSpyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
  • Click Close to exit the program.
  • Please copy and paste the Scan Log results in your next reply.
-- Some types of malware will disable security tools. If SUPERAntiSpyware will not install, please refer to these instructions for using the SUPERAntiSpyware Installer. If SUPERAntiSpyware is already installed but will not run, then follow the instructions for using RUNSAS.EXE to launch the program.

#5 BrokenComputer


Posted 21 July 2011 - 02:46 PM

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7223

Windows 6.1.7601 Service Pack 1
Internet Explorer 8.0.7601.17514

7/21/2011 9:32:37 AM
mbam-log-2011-07-21 (09-32-37).txt

Scan type: Quick scan
Objects scanned: 183438
Time elapsed: 3 minute(s), 17 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 BrokenComputer


Posted 21 July 2011 - 03:48 PM

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/21/2011 at 01:20 PM

Application Version : 4.55.1000

Core Rules Database Version : 7440
Trace Rules Database Version: 5252

Scan type : Complete Scan
Total Scan Time : 00:21:20

Memory items scanned : 767
Memory threats detected : 0
Registry items scanned : 10144
Registry threats detected : 0
File items scanned : 24988
File threats detected : 16

Adware.Tracking Cookie
C:\Users\jent\AppData\Roaming\Microsoft\Windows\Cookies\jent@collective-media[1].txt
C:\Users\administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@atdmt[2].txt
C:\Users\administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@doubleclick[2].txt
C:\Users\administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@ad.wsod[2].txt
C:\Users\administrator\AppData\Roaming\Microsoft\Windows\Cookies\administrator@msnportal.112.2o7[1].txt
.2o7.net [ C:\Users\jent\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.networksolutions.112.2o7.net [ C:\Users\jent\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.winzip.122.2o7.net [ C:\Users\jent\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
ad.yieldmanager.com [ C:\Users\jent\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
segment-pixel.invitemedia.com [ C:\Users\jent\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.invitemedia.com [ C:\Users\jent\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.atdmt.com [ C:\Users\jent\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.invitemedia.com [ C:\Users\jent\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.invitemedia.com [ C:\Users\jent\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.atdmt.com [ C:\Users\jent\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
ad.yieldmanager.com [ C:\Users\jent\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
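
An added example, not part of any post in this thread: a small Python triage of a SUPERAntiSpyware scan log in the layout shown in post #6. It checks that the declared threat counters match the items actually listed and whether the scan found anything other than tracking cookies. The sample log is constructed, and the function names `parse_scan_log` and `triage` are hypothetical.

```python
import re
from collections import defaultdict
# Constructed sample in the layout of the log in post #6 (user name is made up).
SAMPLE_LOG = r"""SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/21/2011 at 01:20 PM
Scan type : Complete Scan
Memory threats detected : 0
Registry threats detected : 0
File threats detected : 4

Adware.Tracking Cookie
C:\Users\user1\AppData\Roaming\Microsoft\Windows\Cookies\user1@doubleclick[2].txt
.atdmt.com [ C:\Users\user1\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
ad.yieldmanager.com [ C:\Users\user1\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
.atdmt.com [ C:\Users\user1\AppData\Local\Google\Chrome\User Data\Default\Cookies ]
"""

HEADER = re.compile(r"^(?P<key>[A-Za-z ]+?)\s*:\s*(?P<val>.+)$")  # "Scan type : Complete Scan"
ITEM = re.compile(r"^(?:[A-Za-z]:\\|.+\s\[\s.+\s\]$)")  # file path, or "domain [ cookie store ]"

def parse_scan_log(text):
    """Return (header fields, {category: [items]}) for one scan log."""
    fields, findings, category = {}, defaultdict(list), None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or "://" in line:       # blank line or the vendor URL
            continue
        if ITEM.match(line):
            if category:                    # items belong to the last heading seen
                findings[category].append(line)
        elif category is None and (m := HEADER.match(line)):
            fields[m["key"].strip()] = m["val"].strip()
        elif "File threats detected" in fields:
            category = line                 # e.g. "Adware.Tracking Cookie"
    return fields, dict(findings)

def triage(text):
    """Compare declared counters with listed items and flag cookie-only results."""
    fields, findings = parse_scan_log(text)
    declared = sum(int(v) for k, v in fields.items() if k.endswith("threats detected"))
    listed = sum(len(items) for items in findings.values())
    return {
        "declared": declared,
        "listed": listed,
        "consistent": declared == listed,
        "cookies_only": bool(findings) and all("Cookie" in c for c in findings),
        "unique": {c: sorted(set(items)) for c, items in findings.items()},
    }
```

Calling `triage()` on a saved log returns the counters plus the de-duplicated item list per category, which makes repeated cookie entries easy to spot.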

#7 quietman7


Posted 21 July 2011 - 04:05 PM

Did you run TFC and has the issue been resolved?

#8 BrokenComputer


Posted 21 July 2011 - 04:52 PM

I ran TFC too.

Since the reboot, I haven't had any Symantec anti-virus notifications, so I assume everything worked. I will post again if the issues return. If you don't hear from me again, I just wanted to say thanks for the help! :thumbup2:

#9 quietman7


Posted 21 July 2011 - 04:57 PM

You're welcome.

If you get the alerts again, you can also refer to Symantec's Removal Instructions, which recommend using Norton Power Eraser (NPE).

#10 BrokenComputer


Posted 21 July 2011 - 08:33 PM

After a few hours, the issues began popping up again. Norton Power Eraser did not find any threats. I ran both the TFC and the SuperAntiVirus again, but I'm assuming I'll be in the same situation again shortly. What else can I do to stop the problem?

#11 quietman7


Posted 22 July 2011 - 07:39 AM

On the Symantec Removal Instruction page there is a link for: Norton Power Eraser did not remove this risk.

However, from reading the information, that utility is a Bootable Recovery Tool, so I would recommend further investigation. Many of the tools we use in this forum are not capable of detecting (repairing/removing) all malware variants, so more advanced tools are needed to investigate. Before that can be done, you will need to create and post a DDS log for further investigation.

Please read the "Preparation Guide".
  • If you cannot complete a step, then skip it and continue with the next.
  • In Step 7 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.
When you have done that, post your log in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the Malware Response Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, please reply back here with a link to the new topic so we can close this one.

Edited by quietman7, 22 July 2011 - 07:42 AM.




