Win 32 Turla G Detected & Not Removed

Hi… I have an old XP machine I am getting ready to de-commission. Seldom used, except to update Windows, etc. about once per month. No surfing, etc.

Today, Avast found Win 32 Turla G. I have no idea how it got there, as I said, the machine is seldom used.

Avast put the infected file in the chest, and did a boot scan which came up 0 infections. I then ran Hitman Pro, zero, Malwarebytes, zero.

I rebooted, and ran Avast again. The infection was back! I removed the machine from the internet.

If anyone could advise me, I would appreciate it.

Thanks

Where is the detected file located…full file path?

See the logs guide above your post… attach OTL and aswMBR diagnostic logs

Many thanks for your kind reply.
Attached, please find OTL and ASW logs.
Full path is difficult …can’t use block and copy. C:\System Volume Information\catalog.wci\00000002.ps2
I first moved it to the chest, then deleted. Now Avast says Error process can’t access.
I cannot figure this out, seldom used machine, no porn, nothing… I have removed from internet.

Hi,

  1. Please download ComboFix by sUBs from here and save it to your Desktop.
    If you are unsure how ComboFix works please read this guide carefully.
    Note: ComboFix must be downloaded to your Desktop.

  2. Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. It may interfere with ComboFix.
    If you are unsure how to do this please read this or this Instruction.

Instructions how to disable avast:

  • Right click on the avast! system tray icon in the lower right corner of the screen and scroll up to avast! shield controls;
  • In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn back on this option after the cleaning by choosing avast! shield controls > Enable all shield options.

  3. Run ComboFix. Click on I Agree!

    - ComboFix will display DISCLAIMER of warranty on software.
    By clicking I Agree ComboFix shall continue.

  • ComboFix will check if there is a newer version of ComboFix available.
    Click Yes if prompted to download.
    - If Recovery Console is not installed, ComboFix will offer download & installation.
    Click Yes to allow ComboFix to install Recovery Console.
  • ComboFix will scan your computer in stages, total of 50 stages.
    Do not mouse-click around while ComboFix is running.
    Note: If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart your computer.

  4. When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt )
    Attach log reports ( ComboFix.txt) back to topic.

C:\System Volume Information\catalog.wci\00000002.ps2
located in a restore point, so a backup of something you once had and most likely not running actively... anyway TwinHeadedEagle will find out ;)

Running ComboFix… appears stuck on Stage 48?

Made it to Stage 50.

Took three hours, but finally made it. Please see attached ComboFix log.
Sorry for the delay…
Ran Avast Quick, infection is still there.
Thanks

What security products are installed on your system? Do you know that more than one antivirus or more than one firewall product is not good?

I see following two Antivirus products installed: Avast and Avg
Two firewall products too: Zone Alarm and Online Armor

You need to make a choice and leave only one of the kind.

Why Using Multiple Antivirus Programs is a Bad Idea
https://blog.kaspersky.com/multiple-antivirus-programs-bad-idea/

Removal tools for security software can be found here:
http://singularlabs.com/uninstallers/security-software/
http://singularlabs.com/uninstallers/other-software/
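The helper above is reading the security products registered with Windows Security Center out of the diagnostic logs; stale registrations from uninstalled products are exactly what shows up there. The following is an added example, not code from the thread or from any of the tools it mentions, that queries the same registrations directly. It assumes Windows PowerShell with WMI access: on XP the namespace is root\SecurityCenter (AntiVirusProduct and FirewallProduct expose boolean properties), on Vista and later it is root\SecurityCenter2 (a productState number instead); the script tries both and reports any kind of product that is registered more than once.

```powershell
# Added example (not from the forum thread): list antivirus and firewall
# products registered with Windows Security Center via WMI and flag
# duplicates of the same kind (two AVs, two firewalls).
# Assumes Windows PowerShell 2.0 or later with WMI available.

function Get-RegisteredSecurityProducts {
    $results = @()
    # root\SecurityCenter exists on XP SP2+, root\SecurityCenter2 on Vista+.
    # A namespace that is absent on this OS is skipped silently.
    foreach ($ns in 'root\SecurityCenter', 'root\SecurityCenter2') {
        foreach ($class in 'AntiVirusProduct', 'FirewallProduct') {
            $items = Get-WmiObject -Namespace $ns -Class $class -ErrorAction SilentlyContinue
            foreach ($p in $items) {
                if ($p.PSObject.Properties['productState']) {
                    # SecurityCenter2 (Vista+) encodes status in a bit field.
                    $state = ('0x{0:X6}' -f [int]$p.productState)
                } elseif ($class -eq 'AntiVirusProduct') {
                    # XP SecurityCenter exposes plain booleans instead.
                    $state = "onAccess=$($p.onAccessScanningEnabled) upToDate=$($p.productUptoDate)"
                } else {
                    $state = "enabled=$($p.enabled)"
                }
                $results += New-Object PSObject -Property @{
                    Namespace = $ns
                    Kind      = $class
                    Name      = $p.displayName
                    State     = $state
                }
            }
        }
    }
    $results
}

function Find-DuplicateKinds {
    param($Products)
    # More than one registered product of a kind is the condition the
    # helper in the thread warns about; each line names the offenders.
    $Products | Group-Object Kind | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        $names = ($_.Group | ForEach-Object { $_.Name }) -join ', '
        "$($_.Name) registered $($_.Count) times: $names"
    }
}

$products = Get-RegisteredSecurityProducts
$products | Format-Table Kind, Name, State, Namespace -AutoSize
$dupes = Find-DuplicateKinds -Products $products
if ($dupes) { $dupes } else { 'No duplicate antivirus or firewall registrations found.' }
```

A product that still appears here after its uninstaller has run is a leftover Security Center registration, which is what the vendor removal tools linked above are meant to clean up; rerun the script after the removal tools to confirm the entry is gone.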

I noticed AVG and Zone Alarm in there. I have no idea why these are appearing… only Avast and Online Armor are installed.

Malwarebytes Free is used as an on-demand scanner. I also have Spyware Blaster. That’s it.

Zone Alarm and AVG were deleted a long time ago. AVG was eliminated with their removal tool.

then run removal tools to clear leftover files…

OK… downloaded AVG and Zone Alarm removal tools and ran them.
Avast quick still reports the infection. This time, I was able to move it to the virus chest.

Do you still have warnings? PC seems clean…

Thanks… I am glad that PC looks clean. I am very careful about web security.
However, when I do a scan, the file is flagged as an infection. I put it in the virus chest. There must be a way to get rid of it…

is it still located at the same place… in a restore point?

if so clear your restore points and create a new…

What file? You didn’t tell us what file is detected. I see no infection in the reports.

Yes, I did. See my second post: C:\System Volume Information\catalog.wci\00000002.ps2 Won’t go away.

How do you clear the restore points?

Thanks

http://windows.microsoft.com/en-us/windows/delete-restore-point#1TC=windows-7
You can also press the Windows key+Break and go to System Protection settings on the left.
After you’ve deleted all restore points, be sure to immediately create a new one.
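The link above describes the Windows 7 dialog, while the machine in this thread runs XP. The following is an added example, not code from the thread, that does the same job (clear every restore point, then create a fresh one) through the WMI SystemRestore class in root\default, which exists on XP SP2 and later as well as on newer Windows. It assumes an elevated Windows PowerShell session on the system drive; the drive letter and the flagged path are taken from the thread and are the only inputs to adjust. On XP there is no per-point delete in this class, so the script clears the points by disabling System Restore on the drive and re-enabling it, which is what Disable followed by Enable does.

```powershell
# Added example (not from the forum thread): enumerate, clear and recreate
# System Restore points through WMI, then check whether the flagged path
# still exists. Assumes an elevated Windows PowerShell session and the
# root\default SystemRestore WMI class (XP SP2+ and later).

$Drive       = 'C:\'
$FlaggedFile = 'C:\System Volume Information\catalog.wci\00000002.ps2'

function Get-RestorePoints {
    # One instance per restore point; SequenceNumber orders them.
    Get-WmiObject -Namespace 'root\default' -Class 'SystemRestore' |
        Sort-Object SequenceNumber |
        Select-Object SequenceNumber, Description,
            @{ Name = 'Created'; Expression = {
                [System.Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime) } }
}

function Clear-RestorePoints {
    param([string]$DriveRoot)
    # Disabling protection on the drive discards every restore point on it;
    # re-enabling (and waiting until it is on) starts with an empty set.
    $sr = [wmiclass]'\\.\root\default:SystemRestore'
    $rc = $sr.Disable($DriveRoot).ReturnValue
    if ($rc -ne 0) { throw "SystemRestore.Disable failed, return code $rc" }
    $rc = $sr.Enable($DriveRoot, $true).ReturnValue
    if ($rc -ne 0) { throw "SystemRestore.Enable failed, return code $rc" }
}

function New-BaselineRestorePoint {
    param([string]$Description)
    # RestorePointType 0 = APPLICATION_INSTALL, EventType 100 = BEGIN_SYSTEM_CHANGE
    $sr = [wmiclass]'\\.\root\default:SystemRestore'
    $rc = $sr.CreateRestorePoint($Description, 0, 100).ReturnValue
    if ($rc -ne 0) { throw "SystemRestore.CreateRestorePoint failed, return code $rc" }
}

function Test-FlaggedFile {
    param([string]$Path)
    # System Volume Information is ACLed to SYSTEM only, so a plain Test-Path
    # returns $false on access denied and would look like "gone". Distinguish
    # the two so "absent" is only reported when the path was actually readable.
    try {
        $null = Get-Item -LiteralPath $Path -Force -ErrorAction Stop
        'present'
    } catch {
        if ($_.Exception -is [System.UnauthorizedAccessException]) {
            'access denied (check as SYSTEM or after granting yourself access)'
        } elseif ($_.CategoryInfo.Category -eq 'ObjectNotFound') {
            'absent'
        } else {
            throw
        }
    }
}

'Restore points before:'
Get-RestorePoints | Format-Table -AutoSize

Clear-RestorePoints -DriveRoot $Drive
New-BaselineRestorePoint -Description 'Post-cleanup baseline'

'Restore points after:'
Get-RestorePoints | Format-Table -AutoSize

"Flagged file: $FlaggedFile -> $(Test-FlaggedFile -Path $FlaggedFile)"
```

If the flagged path is still present after the restore points are gone, it was not living in a restore point and the detection needs another explanation; if the check reports access denied, rerun it with rights to read System Volume Information before drawing a conclusion either way.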