Just finished checking my MS updates and no critical updates are pending. However I am having an issue running PSI. I installed the app but cannot get it to scan. When I click “start scan”, it starts, jumps to 93%, then a pop-up appears, saying “scan aborted”. I tried uninstalling, then reinstalling but same result.
Please disregard previous post… I was able to get PSI to scan, after registering. Imagine that… However I seem to have opened a new can of worms with that app… I’ve managed to get all programs updated except for one in particular. Adobe SVG Viewer 3.x. I updated this by uninstalling what was there and installing the current version and still can’t get it to disappear from the threat list. Maybe due to the fact that it’s at its end-of-life? Also I deleted the system restore point that had the KillIt.exe mentioned, as well as deleted the KillIt.exe from the chest. What I would like to know however, is how can I keep this from coming up in future boot scans, when it hits this file? Other than that I’m running a MBAM scan just for extra measure, to make sure all is well. Thanks again so much for your help and patience.
We do have someone here named Essexboy…see his post on the Sticky on the top of the Virus and Worms section of this forum, who has helped many people with malware removal. I am not implying that I am the certified expert. Thank you.
After you deleted the system restore, did you reboot? Then restart your system restore again?
If a program is at the “end of its life” and there is no update for it with PSI, then we have no choice but to wait for an update or use a different software. Also, after you update a program there and reboot, some people rescan to make sure it is successful.
You mentioned earlier that KillIt.exe is something that is in your machine being used by HP, however David mentioned that Avast is detecting it as a PUP.
Perhaps David can offer more assistance with this.
Question: Do you by any chance have the Teatimer on for Spybot SD? Many have reported problems with this and Avast.
You shouldn’t have to delete it, as it is there to perform a legit function if it is in the HP recovery process, which I suspect because of its location, C:\HP\bin\; this also assumes you have an HP system.
However if you don’t want to delete it then you would have to exclude it from on-demand scans, avast settings, exclusions.
No ma’am. Actually I did not reboot after deleting the system restore point. Matter of fact I didn’t even have system restore disabled. I did however restore the HP/Bin/KillIt.exe from the chest before I deleted the entry in the virus chest, per David’s earlier instruction. Sorry I wasn’t specific on that. And yes I have had problems in the past with Avast detecting Teatimer.exe as a virus. However I had submitted it to Avast, who released a patch, with this as an exclusion in 4.8. Haven’t had any problems lately with it but since Spybot doesn’t seem necessary at this point I’m likely going to remove it anyway.
Yeah I’m starting to get that feeling lol. Spybot doesn’t seem to be moving forward innovatively, in the last few years. I guess my last question would be, would you have any suggestions on what could be done about the file that was flagged as infected in my MSDN directory? “April99Win32.exe” Other than leaving it in the chest. I am a little curious as to why it keeps showing up on boot time scans, if this file has already been quarantined. My lack of knowledge regarding the quarantine process is speaking here… :-[ That and since I did not disable system restore before I deleted the restore point that was in the chest, was it even removed? Thanks again for your help through all this, as you all have been very helpful and it’s greatly appreciated!
I suspect it was in a system restore point. Try disabling it, then restore it. Clean your system (CCleaner and TLC). Reboot. Then do a boot-time scan and see if it returns or not…it shouldn’t. If not, we have something else to work on. But for now…leave the April99Win32.exe in the Chest.
I doubt the alert is on the file in the chest, as the contents of the chest are encrypted and from the outside of the chest (check using Windows Explorer, see image), the file names are also changed, so it wouldn’t be detecting the original file name but the name of the file in the chest from external view. These are just two of the methods to protect the chest from external access, etc.
I’ve asked Essexboy, our Certified Malware Expert, to take a look at your issue. Keep an eye out for his post here in the thread as he may be instructing you to do things different from what we have been doing. Thank you.
- Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
- Select All Users
- Under the Custom Scan box paste this in
- Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won’t take long.
- When the scan completes, it will open two notepad windows: OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
- Please attach both logs
Hello all and thank you David and SafeSurf for all your help and time, it is much appreciated.
Hello Essexboy. I haven’t changed anything since my last post. I go to work from 7pm-7am CST, so it’s limited what I’ve been able to look into on my down-time. However I have DL’d OTL and am running the scan as per your instructions. I have someone who will be watching the scan at home, as it progresses. I will make sure to post both logs, once it is complete. Thanks for your time.
I’m not savvy when it comes to understanding these reports, however judging by the context of these it seems pretty clear to me… Does this mean, these are sites that have been visited? I have a 16 year old son who uses this PC and has access to my administrator account. I also have another account setup on the PC, for my wife and my mother who drops by and uses it occasionally. I know for a fact 2 can be excluded, if this is the case. I know this isn’t your venue but this is now the 3rd time I’ve had to clean a virus from this PC (If there is a virus, this would make it 3). The 1st which was about a year and a half ago, was a porn popup virus that I had to get professionally removed. This was a result from him downloading various programs and visiting malicious sites, per the Tech. The second time I actually had to seek help from you guys. Now I’m here again… Don’t get me wrong, as you guys are fantastic and a great help but this is getting ridiculous. Other than banning my son’s use of the computer altogether, as he has schoolwork and other things he has to use it for, is there a way I can block this type of activity? I tried finding ways but the only thing I can come up with is blocking all traffic on the internet altogether through my firewall. Sorry to jump off topic but if anyone has dealt with something like this I’d greatly appreciate your feedback as well.
They actually block those domains, so if there is any attempt to connect to those sites they are redirected to 127.0.0.1 (localhost), which is your local system and obviously nothing would be displayed and you wouldn’t end up at that site.
Essexboy will be back on the case later, he will be sleeping now as it is just after 2am in the UK right now.