Unable to remove malware

I’m having the same problem as this person http://forum.avast.com/index.php?topic=118769.0
I’ll just be copying parts of the post.

Please help me to fix this…

I inserted a USB drive into my laptop and scanned it. While opening the drive, many files were not visible, and folders were displayed as shortcuts.
After that I could see that the 2 URLs below are invoked at regular intervals and blocked by Avast:
hxtp://nnh42.name/a/
hxtp://jsh37.net/a/

Also I could see a lot of Windows Update icons in the system tray. I can't install Malwarebytes, and OTL closes as soon as it is opened.

I downloaded OTM as was suggested in the forum link of the person who had the same problem, but then the steps to remove it get specific for that person's system. Can I get some help please?

Hey, and welcome to the forum.

You could try safe mode to get OTL up and running.

http://forum.avast.com/index.php?topic=53253.0

Thanks for the welcome.

Yeah I did the safe mode thing as I saw in the post of the person who had the same problem. I guess I should have posted the logs, or would I have to rerun it first? Well here’s what I have from the OTL I did earlier today.

Edit: Forgot to attach the aswMBR. It’s there now.

OK this is that darned JS malware… It is hard to kill

Run this from safe mode

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:OTL
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\system32\XDva365.sys -- (XDva365)
IE - HKCU\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2786678
IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found
O2 - BHO: (Codecv Class) - {B7E80F30-8568-4929-AE5B-4B454B40117A} - C:\ProgramData\Codecv\bhoclass.dll ()
O4 - HKCU..\Run: [155] C:\Users\Javane\AppData\Roaming\034\155.js ()
O4 - Startup: C:\Users\Javane\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4f4f4.js ()
[2013/03/28 03:37:03 | 000,000,000 | -HSD | C] -- C:\Users\Javane\AppData\Roaming\034
[2013/03/28 03:37:02 | 000,000,000 | -HSD | C] -- C:\02b
[2013/03/29 08:40:49 | 000,000,000 | ---- | M] () -- C:\Users\Javane\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4f4f4.js
[2013/03/29 08:00:05 | 000,000,000 | ---- | C] () -- C:\Users\Javane\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4f4f4.js
[2013/03/28 03:37:03 | 000,000,000 | -HSD | M] -- C:\Users\Javane\AppData\Roaming\034
@Alternate Data Stream - 120 bytes -> C:\ProgramData\TEMP:B623B5B8
@Alternate Data Stream - 114 bytes -> C:\ProgramData\TEMP:AA9519A6

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

I couldn’t run OTL on reboot. Had to run in safe mode to do the quick scan.

OK, the startup JS file is still there. Let's try a different approach.

  1. Please download The Avenger by Swandog46 to your Desktop.
    [*]Right click on the Avenger.zip folder and select “Extract All…”
    [*] Follow the prompts and extract the avenger folder to your desktop
  2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

https://dl.dropbox.com/u/73555776/avenger.jpg

Begin copying here: 
Files to replace with dummy:
C:\Users\Javane\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4516.js


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

  3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

[*] Right click on the window under Input script here:, and select Paste.
[*] You can also click on this window and press (Ctrl+V) to paste the contents of the clipboard.
[*] Click on Execute
[*] Answer “Yes” twice when prompted.

  4. The Avenger will automatically do the following:
    [*]It will Restart your computer. ( In cases where the code to execute contains “Drivers to Delete”, The Avenger will actually restart your system twice.)
    [*]On reboot, it will briefly open a black command window on your desktop, this is normal.
    [*]After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
    [*] The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
  5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh OTL log.

This thing is persistent. When I tried to use Avenger, Avast gave me the malicious URL blocked prompt again and I wasn't able to use Avenger. I had to use it in safe mode.

When the machine rebooted the logs basically said it couldn’t find the file and I was still unable to run OTL so had to use in safe mode to get the fresh log as well.

Edit: I’m wondering if the failure to remove it could be occurring because I follow what you suggest in “safe mode with networking” since I have to copy your instructions. Does it make a difference if I use regular safe mode or safe mode with networking?

No, it is the nature of this beast.

Do not reboot at all during this process
Could you go to C:\Windows\system32\wscript.exe?
Delete that file to the recycle bin, but do not empty the bin, as we will need to restore that file later.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:processes
killallprocesses 

:OTL
O4 - HKCU..\Run: [155] C:\Users\Javane\AppData\Roaming\034\155.js ()
O4 - Startup: C:\Users\Javane\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4616.js ()
[2013/03/29 15:32:11 | 000,000,000 | -HSD | C] -- C:\Users\Javane\AppData\Roaming\034
[2013/03/29 15:32:07 | 000,000,000 | -HSD | C] -- C:\02b

:Files
C:\Users\Javane\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4616.js 
C:\Users\Javane\AppData\Roaming\034
C:\02b

:Commands

[*]Then click the Run Fix button at the top
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
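The fixes in this thread were written by reading the OTL report by eye. As an added example (not code from the thread, OTL or Avast), the Python below parses OTL-style report lines like the ones pasted above and flags the persistence pattern this infection used: Windows Script Host files launched from an HKCU Run key or the Startup folder, hidden+system directories dropped into AppData or the drive root, and alternate data streams. The sample lines are copied from the fix scripts in this thread plus one constructed, benign Avast autorun entry; the extension list is widened from the thread's .js to the other script-host types, which is an assumption, not something the thread states.

```python
import re
from pathlib import PureWindowsPath

# Extensions run by the Windows Script Host (wscript.exe / cscript.exe). The thread's
# infection used .js; the other extensions are added here as an assumption.
SCRIPT_HOST_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh"}

# OTL line shapes modelled here: O4 autorun entries, timestamped file/folder entries, ADS entries.
O4_RE = re.compile(r"^O4 - (?P<loc>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<path>.+?) \(\)\s*$")
FILE_RE = re.compile(r"^\[(?P<meta>[^\]]+)\].*? -- (?P<path>.+?)\s*$")
ADS_RE = re.compile(r"^@Alternate Data Stream - (?P<size>\d+) bytes -> (?P<path>.+?)\s*$")
# A path directly under a drive letter, e.g. C:\02b
DRIVE_ROOT_RE = re.compile(r"^[A-Za-z]:\\[^\\]+\\?$")

# Constructed sample: lines from this thread's OTL fixes plus one benign autorun entry.
SAMPLE_OTL_LINES = r"""
O4 - HKCU..\Run: [155] C:\Users\Javane\AppData\Roaming\034\155.js ()
O4 - Startup: C:\Users\Javane\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4f4f4.js ()
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe ()
[2013/03/28 03:37:03 | 000,000,000 | -HSD | C] -- C:\Users\Javane\AppData\Roaming\034
[2013/03/28 03:37:02 | 000,000,000 | -HSD | C] -- C:\02b
[2013/03/29 08:00:05 | 000,000,000 | ---- | C] () -- C:\Users\Javane\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4f4f4.js
[2013/03/08 23:24:43 | 000,000,000 | ---D | C] -- C:\Program Files\Java
@Alternate Data Stream - 120 bytes -> C:\ProgramData\TEMP:B623B5B8
""".strip().splitlines()


def parse_otl_line(line):
    """Return a dict describing one OTL report line, or None for line shapes not modelled."""
    m = O4_RE.match(line)
    if m:
        return {"kind": "autorun", "loc": m["loc"], "path": m["path"]}
    m = FILE_RE.match(line)
    if m:
        fields = [f.strip() for f in m["meta"].split("|")]
        if len(fields) != 4:          # timestamp | size | attributes | C(reated)/M(odified)
            return None
        ts, size, attr, op = fields
        return {"kind": "file", "ts": ts, "size": size, "attr": attr, "op": op, "path": m["path"]}
    m = ADS_RE.match(line)
    if m:
        return {"kind": "ads", "size": int(m["size"]), "path": m["path"]}
    return None


def is_script_host_target(path):
    """True when the file would be executed by wscript.exe/cscript.exe rather than as a PE."""
    return PureWindowsPath(path).suffix.lower() in SCRIPT_HOST_EXTS


def triage(lines):
    """Flag the persistence indicators seen in this thread; returns (severity, reason, path)."""
    findings = []
    for raw in lines:
        entry = parse_otl_line(raw.strip())
        if entry is None:
            continue
        path = entry["path"]
        if entry["kind"] == "autorun" and is_script_host_target(path):
            findings.append(("high", f"script-host autorun via {entry['loc']}", path))
        elif entry["kind"] == "file":
            hidden_system_dir = {"H", "S", "D"} <= set(entry["attr"])
            in_profile = "\\appdata\\" in path.lower()
            if hidden_system_dir and (in_profile or DRIVE_ROOT_RE.match(path)):
                findings.append(("medium", "hidden+system directory created in profile or drive root", path))
            elif is_script_host_target(path) and "\\startup\\" in path.lower():
                findings.append(("high", "script-host file in Startup folder", path))
        elif entry["kind"] == "ads":
            findings.append(("low", f"alternate data stream ({entry['size']} bytes)", path))
    return findings


if __name__ == "__main__":
    for severity, reason, path in triage(SAMPLE_OTL_LINES):
        print(f"[{severity:6}] {reason}: {path}")
```

The script only reports; it deletes nothing. On a real case you would feed it a saved OTL log rather than the embedded sample. Removing wscript.exe, as the helper did above, is what stops the script host from relaunching the .js payload while the files themselves are removed; the triage here simply tells you which entries that step is protecting you from.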

Took a while because I had to figure out how to get permission to delete the file. After running the script you gave me in OTL the computer also rebooted despite you saying I shouldn’t reboot but I had no control over that. I started it up in safe mode just to be sure I could run OTL without having to reboot again.

OK, same again. This should not reboot; if it does, then go straight to safe mode.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:OTL
O4 - Startup: C:\Users\Javane\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4716.js ()
[2013/03/29 17:22:54 | 000,048,965 | ---- | C] () -- C:\Users\Javane\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4716.js
[2012/08/28 01:10:10 | 000,000,165 | ---- | M] ()(C:\Windows\System32\?c?^??) -- C:\Windows\System32\?c?^??
[2012/08/28 01:10:09 | 000,000,165 | ---- | C] ()(C:\Windows\System32\?c?^??) -- C:\Windows\System32\?c?^??

[*]Then click the Run Fix button at the top
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

I was in safe mode already after the unintended reboot just to ensure that OTL would work. Here’s the log.

OK, final run (fingers crossed). This time allow it to boot to normal mode, then let me know if OTL will run.

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons; they will return on reboot.

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:OTL
[2013/03/08 23:24:43 | 000,000,000 | ---D | C] -- C:\Program Files\Java
[2013/03/08 23:29:50 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

Progress! Avast hasn’t given me the malicious url notifs and OTL runs fine in normal mode. There are also no longer multiple update icons in the system tray. The scan did take a lot longer than usual though.

Now what do I do with the file I deleted earlier? And do I just download McShield to fix my flash drive?

I will give McShield instructions in a mo

But first some numpty (me) emptied the temp files.

So… Download this file and place it in your C:\Windows\system32 folder: https://dl.dropbox.com/u/73555776/wscript.exe

At least I now know how to kill this beastie, and next time I will be able to do it a lot faster.

Download McShield to your desktop and install
It will initially run a scan and show the result as a toaster by the system clock
Then in the control centre select scanner and tick unhide items on flash drives

https://dl.dropbox.com/u/73555776/mcshield%20unhide.JPG

Plug in the drive and McShield will start a scan

Then get the log, which will be here:

Start > all programs > MCShield > logs > all scans

And post that

Then let me know how the computer is behaving now
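The flash-drive symptom from the first post (folders showing as shortcuts, files no longer visible) is what McShield's "unhide items on flash drives" option cleans up. As an added example, not McShield's code or anything from the thread, the Python below lists a drive root, pairs each .lnk with a same-named folder (the decoy shortcut that launches the payload while the real, now hidden, folder sits beside it), and builds a plan of what to unhide and review. The hidden flag comes from the Windows file attributes and is only populated when run on Windows; the folder names in the demo are constructed.

```python
import sys
import tempfile
from pathlib import Path

# Win32 file-attribute bits; only meaningful when the script runs on Windows.
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4

# Folders Windows itself keeps hidden at a drive root; not evidence of infection.
LEGITIMATE_HIDDEN_DIRS = {"system volume information", "$recycle.bin"}


def list_drive(root):
    """Return (name, is_dir, hidden) for each entry directly under root.

    On Windows the hidden flag reflects the HIDDEN or SYSTEM attribute; on other
    platforms those attributes do not exist, so it is reported as False.
    """
    entries = []
    for p in Path(root).iterdir():
        hidden = False
        if sys.platform == "win32":
            attrs = p.stat().st_file_attributes
            hidden = bool(attrs & (FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM))
        entries.append((p.name, p.is_dir(), hidden))
    return entries


def shortcut_worm_plan(entries):
    """Build a review plan from a drive listing.

    decoy_links:  .lnk files whose name matches a folder on the same drive
    hidden_dirs:  hidden/system folders that Windows did not create itself
    hidden_files: hidden files at the root, to be looked at before the drive is trusted
    """
    dirs = {}
    for name, is_dir, hidden in entries:
        if is_dir:
            dirs[name.lower()] = (name, hidden)   # Windows names are case-insensitive

    decoy_links, hidden_files = [], []
    for name, is_dir, hidden in entries:
        if is_dir:
            continue
        if name.lower().endswith(".lnk") and name[:-4].lower() in dirs:
            decoy_links.append(name)
        elif hidden:
            hidden_files.append(name)

    hidden_dirs = [
        orig for key, (orig, hidden) in dirs.items()
        if hidden and key not in LEGITIMATE_HIDDEN_DIRS
    ]
    return {
        "decoy_links": sorted(decoy_links),
        "hidden_dirs": sorted(hidden_dirs),
        "hidden_files": sorted(hidden_files),
    }


def demo_plan():
    """Constructed layout in a temp directory: two folders shadowed by same-name shortcuts."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for folder in ("Photos", "Docs"):
            (root / folder).mkdir()
            (root / f"{folder}.lnk").write_bytes(b"")   # placeholder, not a real shortcut
        (root / "readme.txt").write_text("benign file\n")
        return shortcut_worm_plan(list_drive(root))


if __name__ == "__main__":
    print(demo_plan())
```

The plan is a listing for review, not an automatic cleanup: the decoy .lnk files are what a user double-clicks expecting their folder, so confirming them by name before deleting is the point of the pairing check, and the hidden folders are the user's own data waiting to have the attribute cleared.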

So far so good I think. Thanks so much for the help! Here’s the log.

Any further problems before I tidy up ?

Nope. Everything’s running fine :smiley:

Thanks for your forbearance in this, I will now be able to remove it faster ;D

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself, so… The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that
[*]Click Start.
[*]Open My Computer.
[*]Select the Tools menu and click Folder Options.
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[*]Click Yes to confirm.
[*]Click OK.

Clear Restore Points

Go Start > All Programmes > Accessories > System tools
Right click Disc Cleanup and select run as administrator
When it pops up, at the first prompt select OK; after it has done some calculations the tabs will appear
Select the More Options tab
Press the System Restore and Shadow Copies Cleanup button

https://dl.dropbox.com/u/73555776/disc%20clean.JPG

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

http://img233.imageshack.us/img233/7729/mbamicontw5.gif
Malwarebytes.

Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly; it will show you which programmes on your system need updating and give a download link

If you use on-line banking then as an added layer of protection install Trusteer Rapport

It is critical to have both a firewall and antivirus to protect your system and to keep them updated. To keep your operating system up to date visit
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place? Keep safe :wave:

Once again, thank you so much for the help. I’ll take your suggested precautions to have better protection in the future.

My pleasure ;D