Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Avast found JS:Downloader-BNI [Trj]

  • Please log in to reply
1 reply to this topic

#1 f300


  • Members
  • 1 posts
  • Local time:08:41 PM

Posted 19 May 2012 - 04:00 AM


I ran a scheduled virus scan this morning and the following object was found and successfully moved to the virus chest:

Filename: C6C06d01
Folder: C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\xp409b04.default\Cache\0\D5\
Filesize: 20545
Last Modification Time: 13/05/2012 05:00:38
Virus Description: JS:Downloader-BNI [Trj]


Avast then recommended a boot time scan which found no infections:

05/19/2012 05:11
Scan of all local drives

Number of searched folders: 10333
Number of tested files: 627643
Number of infected files: 0

I then ran MBAM which also found nothing.

The computer seems to be running normally. Is there anything else I should do to ensure it's clean?

Virus Scanner: Avast! Free v7 fully updated
Browser: Firefox 12
OS: Windows XP SP3 fully updated


BC AdBot (Login to Remove)


#2 Guest_Xircal_*


  • Guests

Posted 19 May 2012 - 05:01 AM

I had this one myself too albeit under a different name as follows:

C:\Documents and Settings\{Username}\Local Settings\Application Data\Mozilla\Firefox\Profiles\ud83camq.default\Cache\7\FB\A57A1d01|>{gzip} is infected by JS:ShellCode-AF [Expl], Deleted
What happened here is that you landed on perhaps a legitimate site which has been compromised and a link to a malware site was loaded in the background. When you land on the malware site, it downloads Javascript Shellcode to the Firefox browser cache where it sits until you browse to a site which contains an exploit. The shellcode will subsequently execute and infect your machine.

I have Avast too, so I would advise you to create a custom scan to scan your Firefox cache every time you use that browser. It's quite simple to create as follows:

  • Open Avast and in the bottom right hand corner you'll see: "Create Custom Scan". Click that.
  • In "Select areas to scan", click the down arrow and then click the "Browse" button.
  • In the next menu, navigate to the same location as the one you posted which will add it to the field at the bottom.
  • Click OK to take you back to the settings menu.
  • In the Scan menu, give it a name (I call mine: "Firefox cache".) and checkmark "Scan all files".
  • Click the "Sensitivity" menu and then click the biggest orange column to change the setting to "High". Checkmark all the boxes since you're only scanning Firefox cache which only takes a minute or two, but heightens security.
  • Click the "Packers" menu and then click the top option to select "All Packers".
  • In the Actions menu, checkmark the top option called "Automatically apply actions during scan" to get the options you can take and then choose either "Delete" or "Move to chest" for all three.
  • In Performance, checkmark both boxes and click the tallest column again to raise it to "High".
  • In the Report menu, checkmark the option to generate a report which is useful to see what was found.
  • In Scheduling, you can choose to run it daily if you want to, but the intention is to run it manually after every browsing session.
  • Click OK to close.
  • Click the "Scan" link to get the scanning options and you should find your custom scan at the bottom.
  • Next, open Firefox and hit ALT to toggle the text links on (if you can't see them already).
  • Click Tools, go to Options, then Advanced.
  • Click the "Network" tab and then click the "Clear Now" button to empty the cache. This will remove the last eight pages of sites which Firefox stores by default because the one you downloaded the Trojan from may be one of them.
  • Click OK to exit the menu.
  • Hit ALT again to toggle the text links off which gives you the oblong orange Firefox button layout again.
You can do the same with other browsers if you use them.

The interesting thing in my particular case is that the file was zipped with GZip which is primarily only used in a UNIX environment and not enabled by default during a normal scan. You'll find it in the "Packers" menu for each individual scan option.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users