Rootkit Detected ~ Cannot Remove

Well, my AVAST antivirus software has detected a Rootkit in the background check. I’ve done the boot scan and it comes out clean. Did all the checks and scans listed in the forums (except for the one not available for windows 8.1), I can’t get it to go away. The file name always changes, but the location is always the same. (screenshots attached).

I have another issue, dunno if it’s directly related: A couple of days back I noticed that my screen suddenly flickers and I’m left with a black screen and my mouse pointer on. Everything else is invisible. I can’t ALT+TAB or CTRL+ALT+DEL or anything like that. Still, I know processes are running in the background because I’ve seen the AVAST pop-ups (Updates) go off even when the screen is black. I’ve read around, and know there was a black screen problem on Windows 8.1, but mine didn’t happen until 2 weeks after I installed 8.1, and I’ve tried all the power management fixes I can find and nothing solves it. It appears to be pretty random, although I noticed it’s triggered when I have a browser open (Firefox), because I’ve never seen it happen when I’m playing games or any other activity.

I’ve tried updating the drivers for the integrated graphics (Intel HD 4000) as they are used while browsing and non-gaming/design activities, to no avail. Will try wiping both video cards and reinstalling from scratch as well.

I’m running:
Lenovo Y580
Intel i7 2.4GHZ
Intel HD 4000 (integrated)
Nvidia Geforce 660M
8 GB RAM
1TB HDD

Posting OTL in second post.

Trying to post the OTL Log, but as it’s 3.9 MB, it exceeds the permitted file size for an attachment on this forum.

Uploading to Google Drive and posting the link.:

https://drive.google.com/file/d/0ByppjIFSysdGMnlYTGZnMUJDQkk/edit?usp=sharing

Oh yeah, thanks for any help you can give me. I work with my computer and would rather not have to backup, format and redownload everything.

Well, it is located in a Temp folder.

Download and run TFC: http://www.geekstogo.com/forum/files/file/187-tfc-temp-file-cleaner-by-oldtimer/

Malware experts are notified and will check your logs.

Yes, please follow Pondus’ advice. TFC should clean it up.

When you’re done with the TFC, run JRT tool as well:

http://imageshack.us/a/img841/7292/thisisujrt.gif
Please download Junkware Removal Tool to your desktop.

[*] Shut down your protection software now to avoid potential conflicts.
[*] Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select “Run as Administrator”.
[*] The tool will open and start scanning your system.
[*] Please be patient as this can take a while to complete depending on your system’s specifications.
[*] On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
[*] Post the contents of JRT.txt into your next message.

THEN

Re-run OTL, just hit the QuickScan button and post the freshly created OTL.txt log report.

Here’s the JRT Tool’s Log, and attaching OTL log as well:

Junkware Removal Tool (JRT) by Thisisu
Version: 6.0.8 (11.05.2013:1)
OS: Windows 8.1 x64
Ran by antel_000 on Fri 11/08/2013 at 13:44:49.26





~~~ Services



~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-21-2221389536-2373522540-207742647-1002\Software\Microsoft\Internet Explorer\Main\\Start Page



~~~ Registry Keys

Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{21DD2260-44F1-4B86-9482-01F18EF43690}



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\WINDOWS\syswow64\ai_recyclebin"



~~~ FireFox

Emptied folder: C:\Users\antel_000\AppData\Roaming\mozilla\firefox\profiles\b6hjiazo.default\minidumps [1 files]



~~~ Event Viewer Logs were cleared

It seems so. We shall use OTL to remove an orphan toolbar key and, for another confirmation, to delete temp files.

Re-run OTL.exe.

[*]Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.

:OTL
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No CLSID value found.

:FILES
dir C:\ProgramData\{60E17BBA-9D2D-4E1B-BDCF-1D654329EA31} /c
dir C:\ProgramData\{7B507839-38D8-4587-A29F-FE5A5EC55A03} /c

:COMMANDS
[EMPTYTEMP]

[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered; it will reboot the system when it is done and open notepad with logreport. Attach here that logreport.

If the log doesn’t appear, it can be found here:

C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log

Ok a few things… While OTL was running the Fix, I got the AVAST pop up again with the RootKit message.

Same location, different filename. I figured I’d let the OTL fix finish. It asked me to reboot, and I did. When I logged back on, I had a black screen with cursor on (after the login screen) for about 5-6 mins.

I was actually typing all this in from my phone when my desktop came back. As I open a new Firefox tab to link you the OTL fix log (it’s again 3.31 MB), I get yet another AVAST pop-up with the Rootkit warning.

I’ve also uninstalled and reinstalled both my Intel HD 4000 and Nvidia Geforce 660M video adapters (right before this last reboot).

https://drive.google.com/file/d/0ByppjIFSysdGX09VNFNGcFBOZE0/edit?usp=sharing

Thus, to clarify.

Avast is detecting potentially dangerous files. These files can be used both for legitimate purposes as well as malicious ones.
Okay, I admit that such a large amount of .tmp files certainly looks suspicious. Therefore, let’s run some additional scanner.

Run OTL one more time with this script and post the created logs here. OTL shall re-run cleaning temp files. Then, MBAR shall scan the system for rootkits.

Re-run OTL.exe.

[*]Copy and paste the following text written inside of the quote box into the Custom Scans/Fixes box.

:COMMANDS
[EMPTYTEMP]

[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered; it will reboot the system when it is done and open notepad with logreport. Attach here that logreport.

If the log doesn’t appear, it can be found here:

C:\_OTL\MovedFiles\mmddyyyy_hhmmss.log

----------- Then -----------

Please download Malwarebytes AntiRootkit and save it to your desktop.
http://www.malwarebytes.org/products/mbar/

Full instructions on how to use MBAR:
http://www.bleepingcomputer.com/virus-removal/how-to-use-malwarebytes-anti-rootkit
Please note: This is a beta version, so please be sure to read the disclaimer and take note of it.

[*] Double-click on the MBAR file and allow it to run. It shall unzip/unrar MBAR into a folder on your Desktop.
Click OK on the next screen to allow the package to extract the contents of the file to its own folder named mbar.

[*] mbar.exe will launch automatically…
[*] Click on Next > then on the Update button to download fresh definitions.
[*] When the database updates, click Next.
[*] In the following window ensure the “Targets” scan for Drivers, Sectors and System are ticked. Then select the “Scan” button.

[*] If an infection/s are found, ensure “Create Restore Point” is checked, then select the “Cleanup” button to remove threats.
Or if you are sure any entries should not be kept, just untick them. A list of infected files will be listed.

[*] The clean-up procedure will be scheduled for processing.
[*] When complete, a pop-up will show. Select the Yes button and the system should reboot to complete the cleaning process.

Please attach the two following logs from the mbar folder:

system-log.txt
and
mbar-log-year-month-day (hour-minute-second).txt.

Ok, this is odd.

I finished the OTL Fix

https://drive.google.com/file/d/0ByppjIFSysdGZ3NiMGtWNzFMRWs/edit?usp=sharing

I ran the Malware Rootkit, it scanned and finished and said there was no malware to be found. No Rootkits, no cleanup, no reboot, therefore no log.

Funny thing is, while I was running it, I got the AVAST pop-up again.

This is getting ridiculous.

@Strages

Attach OTL log as attachment.

It’s too large, 3.31 MB. It won’t let me upload it as the maximum individual size of an attachment in this forum is 512KB.

Here’s another download link:

http://www.filedropper.com/11082013163323

Well, I’ve been running the computer all day and well into the night. Haven’t seen the Rootkit pop-up anymore, nor have I had the black screen glitch anymore.

Thanks a lot for the help, I’ll report back in a couple of days to confirm it’s been solved, and maybe someone else can benefit from this.

Hi,

Windows 8 uses the temp folder for some of its legitimate programs as “file storage”, and that’s why Avast complains. These files are not of malware origin.
However, let’s re-check that.

Please download Farbar Recovery Scan Tool by Farbar and save it to your desktop.
http://www.mcshield.net/personal/magna86/Images/FRST_canned.png

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system; that will be the right version.

[*]Double-click to run it. When the tool opens click Yes to disclaimer.
[*]Under Optional Scan ensure “List BCD” and “Driver MD5” are ticked.
[*]Press Scan button.
[*]It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
[*]The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.

EDIT:

Use the pastebin site for copying logs if they are too big for attachment:
http://pastebin.com/
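An added example, not part of the thread or of any of the tools mentioned: a PowerShell triage script that lists files recently created in the user's Temp folder with their Authenticode signature status, an "MZ" header check (is it really an executable behind a .tmp name?) and a SHA-256 hash, so a repeatedly flagged .tmp file can be judged by its signer and hash rather than by the AV pop-up alone. It assumes PowerShell 4 as shipped with Windows 8.1; the $Path and $Hours parameters and their defaults are assumptions.

```powershell
# Added example (not from the thread): triage recently created files in the
# current user's Temp folder, where Avast keeps flagging ever-changing .tmp names.
# Assumes PowerShell 4 (Windows 8.1 ships it); Get-FileHash needs PS 4 or later.
param(
    [string]$Path  = $env:TEMP,   # assumed default: the user's own Temp folder
    [int]   $Hours = 24           # assumed window: files created in the last N hours
)

$cutoff = (Get-Date).AddHours(-$Hours)

function Test-PeHeader {
    # True when the file starts with "MZ", i.e. an executable hiding behind a .tmp name
    param([string]$File)
    $head = New-Object byte[] 2
    try {
        $fs = [System.IO.File]::OpenRead($File)
        $n  = $fs.Read($head, 0, 2)
        $fs.Close()
        return ($n -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
    } catch { return $false }     # locked or unreadable file: report as not-PE
}

Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -gt $cutoff } |
    ForEach-Object {
        # Signature status tells whether a vendor vouches for the file at all
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Name      = $_.Name
            SizeKB    = [math]::Round($_.Length / 1KB, 1)
            Created   = $_.CreationTime
            IsPE      = Test-PeHeader $_.FullName
            SigStatus = $sig.Status                    # Valid, NotSigned, HashMismatch, ...
            Signer    = $sig.SignerCertificate.Subject  # empty when unsigned
            SHA256    = (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash
        }
    } |
    Sort-Object Created -Descending |
    Format-Table -AutoSize
```

A validly signed PE from a known vendor in Temp matches the legitimate "file storage" behaviour described above; an unsigned PE whose hash changes on every appearance is the one worth submitting to the AV vendor or attaching to the next reply.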

Still using the system with absolutely no problems. Here are the logs you requested.

Hi,

C:\Users\antel_000\IP_Log_Data.js C:\Users\antel_000\Network_Meter_Data.js

Have you created these .js files? Are you familiar with them and their function?
Just curious…why did you set up your HDD partition type as GPT, not MBR?

As for the system and the posted logs… well, they don’t show active malware. The problem with OTL is that it is not fully compatible with Windows 8 (or 8.1); its routine detected some files on your system as bad, or its autofix does not work properly.

FRST is Windows 8 compatible. Although FRST doesn’t show malware files, I would like to check some hidden folders. They might be of legitimate or malicious origin.

1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.


Start
Folder: C:\ProgramData\{60E17BBA-9D2D-4E1B-BDCF-1D654329EA31}
Folder: C:\ProgramData\{86A7919A-1CA3-4459-8124-76C789A6402B}
Folder: C:\ProgramData\{447B4BF8-DCC8-4693-A8CD-A6A63F5BC176}
End

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warned you about the outdated version please download and run the updated version.

Those two .js files are used for the network meter gadget I use on my desktop. They just display network activity basically.

As for the partition, I have no idea what those are; that’s how the HDD partition came when I bought the laptop.

Here’s the log you asked for. Thanks for the help.

All these are legit origin. Your PC is malware free. Let’s remove all these used tools shall we?

Please download DelFix by “Xplode” to your Desktop.

Run the tool and check the following boxes below;

[*] Remove disinfection tools
[*] Create registry backup
[*] Purge System Restore

Now click on the “Run” button. Wait for the programme to complete its work.
All the tools we used should be gone.
The tool will create and open a log report (DelFix.txt).
Note: The report will also be stored on C:\DelFix.txt

I don’t need DelFix log report.

I recommend using MCShield if you will.
You may download MCShield from one of the following links:

MyCity - Official download link
Softpedija - Mirror download link

It will prevent infection of the computer via USB flash drive, mobile phone or any other memory card.
And not only will it prevent infection, but it will immediately clean the flash drive, memory card or external HDD.

Thank you and noted, have downloaded MCShield. Will report back in a few days if anything changes. Thanks again!