I didn’t get a rootkit alert when I rebooted, but the virus is still in the chest. All I got was the routine database update. Does this mean I’m clean? If so, I can’t thank you enough. I’m happy to donate after a week or two, just to make sure performance resumes as usual; I can never really trust PayPal, so I can’t donate at the minute.
EDIT: A random ‘The internet’ shortcut has appeared on my desktop. I doubt it’s malicious; it seems to just load IE8. However, I haven’t opened it.
Just a side note:
I looked through my scans (OTS, ComboFix, etc.) and they look clean. Is there a possibility that the rootkit is hiding? And if so, should I just reformat to be safe?
Also, just looking around, others seem to have this problem. Also, Avast and the other antivirus that uses the Avast engine (GPD I think, the name escapes me) are the only ones detecting this as malware on VT. I honestly don’t think it’s malicious.
I’m scared 'cause I found the same thing on my system... and here’s the thing... I accidentally stumbled onto some crazy-@$$ webpage. I’m generally really careful about which websites I choose to go to and what links I click on, but I was browsing “getrichslowly.org” and, like a dummy, I followed a link to what I thought was an article, a financial analysis. I knew better than to just click on the link, but I genuinely thought it was safe.
So, I click on this link and I am taken to a page that has really weird music playing in the background, and it mentions something about a virus and hackers. I didn’t really read it because as soon as I saw this crazy picture, I knew something was up. I exited the page, cleared my browser data, and exited my browser immediately.
My Avast was running a scan at the time, and I then noticed that it reported two infected files. (There weren’t any pop-up warnings or sounds or anything like that. I just happened to look down where it says “number of infections,” and it read that there were two.)
One file is: ShutdownPerformanceDiagnostics_SystemData.bin, and the other is similar to what the Original Poster described. For me, the file goes like this: S-1-5-21-569128899-123734256-211263397_UserData.bin
I’m really freaked out because, like most of us, I don’t want anything to happen to my computer. Unfortunately, I use it for a lot of things. I’m running Windows 7 on a Toshiba Satellite... and man, I should have stuck with Ubuntu... -.-* Sigh.
Would you mind helping me? I have a similar, if not the same, suspicious file to the one reported by NerdrageXZ. I’m really upset about this.
The file was detected during a routine scan that I started. The file’s original location was: C:\Windows\System32\wdi\{86432a0b-3c7d-4ddf-a89c-172faa90485d}. The report says the file was changed on 5/17/2011 and that its transfer time was 5/20/2011. The file name is S-1-5-21-56912-8899-123734256-2112633975-1001_UserData.bin.

Avast did not give me a specific warning, or any kind of pop-up. After the scan was completed, it said that it had found two files (one mentioned above, plus one called “ShutdownPerformanceDiagnostics_SystemData.bin” in C:\Windows\System32\wdi) that indicated “Win32:KillAV-AHY [Rtk]” infection. I have scanned these two files from the Avast - Virus Chest window, and it displays the messages “scan complete,” “–no virus.” :-\

I have never heard of Jotti, so I am a little wary, but I did not use Jotti because I had moved the infected files to Avast’s virus chest. I’m afraid to extract the two files from the chest.
I have updated my definitions and am running a scan right now. I have not yet extracted the two suspicious files from the chest, but I will once my scan is done.
OK, I ran a full scan and it’s not showing any malware. Those items you saw, essexboy, I think they were from a previous antivirus software that made them dormant. Are those files for fake AVs? If so, my last antivirus (Spyware Doctor) made them inoperable.
EDIT: On researching, yes, that was the fake AV crapware that I had over a year ago. Nothing to worry about; it was blocked on entry to my PC.
It does seem to be the date when I had that crapware. It got quarantined by Spyware Doctor and I think they performed some fix on it. It came from early 2010 and I’ve never been keylogged, so there is little to no chance it’s a keylogger.
Again, it seems to be one of those scam AVs that never got past my file shield. I don’t have adware, I definitely don’t have a scam AV atm, and nothing is reason for concern.
Whatever it is, I think it’s always been inactive.