Author Topic: Trojan detected by Avast, JS:FakeAV-FL [Trj.]  (Read 41039 times)

SafeSurf

  • Guest
Re: Trojan detected by Avast, JS:FakeAV-FL [Trj.]
« Reply #30 on: August 18, 2010, 08:55:35 AM »
I suspect it was in a system restore point.  Try disabling it, then restore it.  Clean your system (CCleaner and TLC).  Reboot.  Then do a boot-time scan and see if it returns or not...it shouldn't.  If not, we have something else to work on.  But for now...leave the April99Win32.exe in the Chest.

RONIN2010

  • Guest
Re: Trojan detected by Avast, JS:FakeAV-FL [Trj.]
« Reply #31 on: August 18, 2010, 09:05:13 AM »
I will do just that.  :)

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89061
  • No support PMs thanks
Re: Trojan detected by Avast, JS:FakeAV-FL [Trj.]
« Reply #32 on: August 18, 2010, 02:34:56 PM »
The big question is where it keeps showing up?

I doubt the alert is on the file in the chest, as the contents of the chest are encrypted and from the outside of the chest (check using windows explorer, see image), the file names are also changed, so it wouldn't be detecting the original file name but the name of the file in the chest from external view. These are just two of the methods to protect the chest from external access, etc.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

SafeSurf

  • Guest
Re: Trojan detected by Avast, JS:FakeAV-FL [Trj.]
« Reply #33 on: August 18, 2010, 10:09:11 PM »
RONIN2010,

I've asked Essexboy, our Certified Malware Expert, to take a look at your issue.  Keep an eye for his post here in the thread as he may be instructing you to do things different from what we have been doing.  Thank you.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Trojan detected by Avast, JS:FakeAV-FL [Trj.]
« Reply #34 on: August 18, 2010, 10:11:19 PM »
Hi Ronin, could you give me an update please?

OTL - Download or alternative link here and here to your desktop

  • Double click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%\*.*
%systemroot%\Fonts\*.com
%systemroot%\Fonts\*.dll
%systemroot%\Fonts\*.ini
%systemroot%\Fonts\*.ini2
%systemroot%\Fonts\*.exe
%systemroot%\system32\spool\prtprocs\w32x86\*.*
%systemroot%\REPAIR\*.bak1
%systemroot%\REPAIR\*.ini
%systemroot%\system32\*.jpg
%systemroot%\*.jpg
%systemroot%\*.png
%systemroot%\*.scr
%systemroot%\*._sy
%APPDATA%\Adobe\Update\*.*
%ALLUSERSPROFILE%\Favorites\*.*
%APPDATA%\Microsoft\*.*
%PROGRAMFILES%\*.*
%APPDATA%\Update\*.*
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\System32\config\*.sav
%PROGRAMFILES%\bak. /s
%systemroot%\system32\bak. /s
%ALLUSERSPROFILE%\Start Menu\*.lnk /x
%systemroot%\system32\config\systemprofile\*.dat /x
%systemroot%\*.config
%systemroot%\system32\*.db
%PROGRAMFILES%\Internet Explorer\*.dat
%APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
%USERPROFILE%\Desktop\*.exe
%PROGRAMFILES%\Common Files\*.*
%systemroot%\*.src
%systemroot%\install\*.*
%systemroot%\system32\DLL\*.*
%systemroot%\system32\HelpFiles\*.*
%systemroot%\system32\rundll\*.*
%systemroot%\winn32\*.*
%systemroot%\Java\*.*
%systemroot%\system32\test\*.*
%systemroot%\system32\Rundll32\*.*
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs


  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
    • Please Attach both logs

RONIN2010

  • Guest
Re: Trojan detected by Avast, JS:FakeAV-FL [Trj.]
« Reply #35 on: August 19, 2010, 12:57:32 AM »
Hello all and thank you David and SafeSurf for all your help and time, it is much appreciated.

Hello Essexboy. I haven't changed anything since my last post. I go to work from 7pm-7am CST, so it's limited what I've been able to look into on my down-time. However I have DL'd OTL and am running the scan as per your instructions. I have someone who will be watching the scan at home, as it progresses. I will make sure to post both logs, once it is complete. Thanks for your time.

RONIN2010

  • Guest
Re: Trojan detected by Avast, JS:FakeAV-FL [Trj.]
« Reply #36 on: August 19, 2010, 01:18:27 AM »
Scan has completed. The results of both logs are as follows:


RONIN2010

  • Guest
Re: Trojan detected by Avast, JS:FakeAV-FL [Trj.]
« Reply #37 on: August 19, 2010, 03:00:37 AM »
Edit: Disabled URLs

Also I was just reviewing the OTL log and is this what I think it is?

O1 - Hosts: 127.0.0.1   hxxp://www.100sexlinks.com
O1 - Hosts: 127.0.0.1   hxxp://100sexlinks.com

I'm not savvy when it comes to understanding these reports, however judging by the context of these it seems pretty clear to me.. Does this mean, these are sites that have been visited? I have a 16 year old son who uses this PC and has access to my administrator account. I also have another account setup on the PC, for my wife and my mother who drops by and uses it occasionally. I know for a fact 2 can be excluded, if this is the case. I know this isn't your venue but this is now the 3rd time I've had to clean a virus from this PC (If there is a virus, this would make it 3). The 1st which was about a year and a half ago, was a porn popup virus that I had to get professionally removed. This was a result from him downloading various programs and visiting malicious sites, per the Tech. The second time I actually had to seek help from you guys. Now I'm here again.. Don't get me wrong, as you guys are fantastic and a great help but this is getting ridiculous. Other than banning my son's use of the computer altogether, as he has schoolwork and other things he has to use it for, is there a way I can block this type of activity? I tried finding ways but the only thing I can come up with is blocking all traffic on the internet altogether through my firewall. Sorry to jump off topic but if anyone has dealt with something like this I'd greatly appreciate your feedback as well.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89061
  • No support PMs thanks
Re: Trojan detected by Avast, JS:FakeAV-FL [Trj.]
« Reply #38 on: August 19, 2010, 03:04:10 AM »
They actually block those domains, so if there is any attempt to connect to those sites they are redirected to 127.0.0.1 (localhost), which is your local system and obviously nothing would be displayed and you wouldn't end up at that site.

essexboy will be back on the case later, he will be sleeping now as it is just after 2am in the UK right now.
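
Added example, not part of the original thread or of any poster's reply: a small Python triage of `O1 - Hosts:` lines from an OTL log. It separates entries that map a name to the local machine (the blocking behaviour described in the reply above) from entries that point at some other address and deserve a closer look. The sample log lines, host names and verdict labels are constructed for illustration; treating 0.0.0.0 as a local block entry is an assumption of this example.

```python
import ipaddress
import re

# Constructed sample lines in the "O1 - Hosts:" format quoted in the thread.
SAMPLE_LOG = """\
O1 - Hosts: 127.0.0.1   localhost
O1 - Hosts: 127.0.0.1   hxxp://www.blocked.example
O1 - Hosts: 0.0.0.0     ads.tracker.example
O1 - Hosts: 203.0.113.7 www.bank.example
O1 - Hosts: not-an-ip   update.vendor.example
O2 - BHO: (unrelated line) - {00000000-0000-0000-0000-000000000000}
"""

HOSTS_LINE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
# Strip a live or defanged scheme so only the host name is reported.
SCHEME = re.compile(r"^(?:https?|hxxps?)://", re.IGNORECASE)


def classify(address):
    """'local' = resolves to this machine (a block), 'redirect' = anywhere else."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "malformed"
    if ip.is_loopback or ip.is_unspecified:
        return "local"
    return "redirect"


def triage_hosts(log_text):
    """Return (verdict, address, hostname) for every O1 - Hosts entry."""
    results = []
    for line in log_text.splitlines():
        match = HOSTS_LINE.match(line.strip())
        if not match:
            continue  # not a hosts-file entry
        address, name = match.groups()
        host = SCHEME.sub("", name).rstrip("/").lower()
        results.append((classify(address), address, host))
    return results


if __name__ == "__main__":
    for verdict, address, host in triage_hosts(SAMPLE_LOG):
        print(f"{verdict:9} {address:15} {host}")
```
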

RONIN2010

  • Guest
Re: Trojan detected by Avast, JS:FakeAV-FL [Trj.]
« Reply #39 on: August 19, 2010, 03:12:46 AM »
    Quote
    They actually block those domains, so if there is any attempt to connect to those sites they are redirected to 127.0.0.1 (localhost), which is your local system and obviously nothing would be displayed and you wouldn't end up at that site.

    essexboy will be back on the case later, he will be sleeping now as it is just after 2am in the UK right now.

Thanks David.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89061
  • No support PMs thanks
Re: Trojan detected by Avast, JS:FakeAV-FL [Trj.]
« Reply #40 on: August 19, 2010, 03:53:21 AM »
You're welcome, that's me for the night also, almost 3am.

SafeSurf

  • Guest
Re: Trojan detected by Avast, JS:FakeAV-FL [Trj.]
« Reply #41 on: August 19, 2010, 11:14:36 AM »
You're welcome from me as well.  :)  Essexboy will help you greatly as you have some issues going on and he does wonderful work.  Once everything is straightened out, he will also offer you some suggestions to prevent something like this from happening in the future.  Feel free to ask him questions.

RONIN2010

  • Guest
Re: Trojan detected by Avast, JS:FakeAV-FL [Trj.]
« Reply #42 on: August 19, 2010, 03:26:17 PM »
    Quote
    You're welcome, that's me for the night also, almost 3am.

Thanks David. You'd think I'd be familiar with timezones by now, due to it being a necessity in my line of work lol. But thanks for taking the time out of your day to help. I sure hope you guys get paid for this!

    Quote
    You're welcome from me as well.  :)  Essexboy will help you greatly as you have some issues going on and he does wonderful work.  Once everything is straightened out, he will also offer you some suggestions to prevent something like this from happening in the future.  Feel free to ask him questions.

Thank you and I will do just that. And I hope I don't sound like a broken record.. But in all honesty I like Avast's software but this forum and its staff have been the reason I've stuck with their software as long as I have. With the economy the way it is right now in the States and from the perspective of a parent and the only breadwinner in my household, the type of support you all take the time to provide is very rare and very valuable. I notice a lot of people don't even take the time to thank you guys.. But from those who really do appreciate it, thank you.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89061
  • No support PMs thanks
Re: Trojan detected by Avast, JS:FakeAV-FL [Trj.]
« Reply #43 on: August 19, 2010, 03:42:18 PM »
You're welcome.
We (for the most part) are just avast users like yourself, trying to help other avast users, though there is input from time to time from the avast developers ;D

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Trojan detected by Avast, JS:FakeAV-FL [Trj.]
« Reply #44 on: August 19, 2010, 06:18:23 PM »
OK, let's give this a whirl. On completion, can you let me know what problems you are experiencing?

Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following

    Quote
    :OTL
    O3 - HKU\.DEFAULT\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
    O3 - HKU\S-1-5-18\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
    O3 - HKU\S-1-5-21-2664475973-242872999-3650903500-1003\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
    O3 - HKU\S-1-5-21-2664475973-242872999-3650903500-1003\..\Toolbar\ShellBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
    O33 - MountPoints2\{7c2ac3fc-9594-11db-b6f7-0010dcf478f7}\Shell\AutoRun\command - "" = G:\JDLightning\Windows\JDLightning.exe -- File not found
    [2009/03/20 07:44:49 | 000,060,744 | ---- | M] () -- C:\WINDOWS\java\g2mdlhlpx.exe
    [2009/04/25 19:56:51 | 000,000,040 | ---- | M] ()(C:\WINDOWS\System32\????????????????????4???????????????????????) -- C:\WINDOWS\System32\????????????????????4???????????????????????
    [2009/04/25 19:56:51 | 000,000,040 | ---- | C] ()(C:\WINDOWS\System32\????????????????????4???????????????????????) -- C:\WINDOWS\System32\????????????????????4???????????????????????
    [2009/04/25 19:17:52 | 000,061,224 | ---- | M] () -- C:\WINDOWS\java\GoToAssistDownloadHelper.exe

    :Files
    ipconfig /flushdns /c

    :Commands
    [purity]
    [resethosts]
    [emptytemp]
    [EMPTYFLASH]
    [CREATERESTOREPOINT]
    [Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.