TR/Kazy trojan infection

[TK421]

Greetings,

Avira detects ever-increasing numbers/variations of TR/Kazy. Malwarebytes doesn't seem to be picking it up at all. The laptop in question has only recently come into my possession so I can't speak to the previous users security habits (I suspect lack thereof!) Trying to clean it up for a family member to use as a second laptop. Logs from dds pasted below per instructions.

Thanks in advance!

***********

DDS (Ver_2012-11-20.01) - NTFS_x86

Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 10.21.2

Run by Patrick at 17:38:27 on 2013-05-04

Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1916.1336 [GMT -4:00]

.

AV: Avira Desktop *Disabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}

.

============== Running Processes ================

.

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Avira\AntiVir Desktop\sched.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\system32\igfxsrvc.exe

C:\WINDOWS\RTHDCPL.EXE

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Avira\AntiVir Desktop\avgnt.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\LSI SoftModem\agrsmsvc.exe

C:\Program Files\Avira\AntiVir Desktop\avguard.exe

C:\Program Files\Java\jre7\bin\jqs.exe

C:\Program Files\Avira\AntiVir Desktop\avshadow.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\system32\msdtc.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\WINDOWS\System32\svchost.exe -k netsvcs

C:\WINDOWS\system32\svchost.exe -k NetworkService

C:\WINDOWS\system32\svchost.exe -k LocalService

C:\WINDOWS\system32\svchost.exe -k LocalService

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://www.google.com/

BHO: Adobe PDF Link Helper: {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll

BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll

mRun: [igfxTray] c:\windows\system32\igfxtray.exe

mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe

mRun: [Persistence] c:\windows\system32\igfxpers.exe

mRun: [RTHDCPL] RTHDCPL.EXE

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min

dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE

dRunOnce: [_nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N

uPolicies-Explorer: NoDriveTypeAutoRun = dword:323

uPolicies-Explorer: NoDriveAutoRun = dword:67108863

uPolicies-Explorer: NoDrives = dword:0

mPolicies-Explorer: NoDriveAutoRun = dword:67108863

mPolicies-Explorer: NoDriveTypeAutoRun = dword:323

mPolicies-Explorer: NoDrives = dword:0

mPolicies-Explorer: NoDriveTypeAutoRun = dword:323

mPolicies-Explorer: NoDriveAutoRun = dword:67108863

IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe

Notify: igfxcui - igfxdev.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SecurityProviders: SecurityProviders = msapsspc.dll, schannel.dll, credssp.dll, digest.dll, msnsspc.dll

LSA: Security Packages = kerberos msv1_0 schannel wdigest tspkg

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\documents and settings\patrick\application data\mozilla\firefox\profiles\tumpc62e.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll

FF - plugin: c:\program files\microsoft silverlight\5.1.20125.0\npctrlui.dll

FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_7_700_169.dll

FF - plugin: c:\windows\system32\npDeployJava1.dll

FF - plugin: c:\windows\system32\npptools.dll

FF - ExtSQL: 2013-05-04 13:59; {20a82645-c095-46ed-80e3-08825760534b}; c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\DotNetAssistantExtension

.

============= SERVICES / DRIVERS ===============

.

R0 iastor7;iastor7;c:\windows\system32\drivers\iastor7.sys [2012-3-17 470808]

R0 mv61xxmm;mv61xxmm;c:\windows\system32\drivers\mv61xxmm.sys [2012-3-17 13616]

R0 mv64xxmm;mv64xxmm;c:\windows\system32\drivers\mv64xxmm.sys [2012-3-17 5632]

R0 mvxxmm;mvxxmm;c:\windows\system32\drivers\mvxxmm.sys [2012-3-17 13616]

R1 avkmgr;avkmgr;c:\windows\system32\drivers\avkmgr.sys [2013-5-4 37352]

R2 AntiVirSchedulerService;Avira Scheduler;c:\program files\avira\antivir desktop\sched.exe [2013-5-4 86752]

R2 AntiVirService;Avira Real-Time Protection;c:\program files\avira\antivir desktop\avguard.exe [2013-5-4 110816]

R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2013-5-4 84744]

R3 ramdisk;Windows RAM Disk Driver;c:\windows\system32\drivers\ramdisk.sys [2012-5-29 10431]

S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2013-5-4 1691480]

.

=============== Created Last 30 ================

.

2013-05-04 21:02:05 -------- d-sha-r- C:\cmdcons

2013-05-04 21:00:34 98816 ----a-w- c:\windows\sed.exe

2013-05-04 21:00:34 256000 ----a-w- c:\windows\PEV.exe

2013-05-04 21:00:34 208896 ----a-w- c:\windows\MBR.exe

2013-05-04 20:08:24 -------- d-----w- c:\windows\system32\XPSViewer

2013-05-04 19:46:53 -------- d-sh--w- c:\documents and settings\patrick\PrivacIE

2013-05-04 19:16:49 -------- d-----w- c:\documents and settings\patrick\application data\Malwarebytes

2013-05-04 19:16:40 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2013-05-04 19:16:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2013-05-04 19:16:40 -------- d-----w- c:\documents and settings\all users\application data\Malwarebytes

2013-05-04 18:55:10 -------- d-----w- c:\windows\ie8updates

2013-05-04 18:54:54 -------- d-----w- c:\program files\MSXML 4.0

2013-05-04 18:50:27 -------- d--h--w- c:\windows\$hf_mig$

2013-05-04 18:42:46 -------- d-----w- c:\documents and settings\patrick\application data\Avira

2013-05-04 18:38:15 -------- d-----w- c:\windows\system32\NtmsData

2013-05-04 18:36:57 84744 ----a-w- c:\windows\system32\drivers\avgntflt.sys

2013-05-04 18:36:57 37352 ----a-w- c:\windows\system32\drivers\avkmgr.sys

2013-05-04 18:36:56 -------- d-----w- c:\program files\Avira

2013-05-04 18:36:56 -------- d-----w- c:\documents and settings\all users\application data\Avira

2013-05-04 18:36:32 2193408 -c----w- c:\windows\system32\dllcache\ntoskrnl.exe

2013-05-04 18:36:32 2149888 -c----w- c:\windows\system32\dllcache\ntkrnlmp.exe

2013-05-04 18:36:32 2070016 -c----w- c:\windows\system32\dllcache\ntkrnlpa.exe

2013-05-04 18:36:32 2028544 -c----w- c:\windows\system32\dllcache\ntkrpamp.exe

2013-05-04 18:25:49 630272 -c----w- c:\windows\system32\dllcache\msfeeds.dll

2013-05-04 18:25:49 55296 -c----w- c:\windows\system32\dllcache\msfeedsbs.dll

2013-05-04 18:25:48 743424 -c----w- c:\windows\system32\dllcache\iedvtool.dll

2013-05-04 18:25:48 247808 -c----w- c:\windows\system32\dllcache\ieproxy.dll

2013-05-04 18:25:48 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll

2013-05-04 18:25:47 522240 -c----w- c:\windows\system32\dllcache\jsdbgui.dll

2013-05-04 18:25:47 2005504 -c----w- c:\windows\system32\dllcache\iertutil.dll

2013-05-04 18:23:06 12928 -c----w- c:\windows\system32\dllcache\usb8023x.sys

2013-05-04 18:17:53 144896 ----a-w- c:\windows\system32\javacpl.cpl

2013-05-04 18:17:46 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll

2013-05-04 18:15:00 -------- d-----w- c:\documents and settings\patrick\local settings\application data\Sun

2013-05-04 18:14:48 96664 ----a-w- c:\program files\mozilla firefox\webapprt-stub.exe

2013-05-04 18:14:48 770384 ----a-w- c:\program files\mozilla firefox\msvcr100.dll

2013-05-04 18:14:48 74136 ----a-w- c:\program files\mozilla firefox\breakpadinjector.dll

2013-05-04 18:14:48 421200 ----a-w- c:\program files\mozilla firefox\msvcp100.dll

2013-05-04 18:14:48 26520 ----a-w- c:\program files\mozilla firefox\plugin-hang-ui.exe

2013-05-04 18:14:48 170232 ----a-w- c:\program files\mozilla firefox\webapp-uninstaller.exe

2013-05-04 18:12:38 -------- d-----w- c:\documents and settings\patrick\local settings\application data\Mozilla

2013-05-04 18:12:23 -------- d-----w- c:\windows\system32\SoftwareDistribution

.

==================== Find3M ====================

.

2013-05-04 19:07:07 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2013-05-04 19:07:07 691592 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2013-05-04 18:17:20 866720 ----a-w- c:\windows\system32\npDeployJava1.dll

2013-05-04 18:17:20 788896 ----a-w- c:\windows\system32\deployJava1.dll

2013-03-08 08:35:47 293376 ----a-w- c:\windows\system32\winsrv.dll

2013-03-07 01:32:25 2149888 ----a-w- c:\windows\system32\ntoskrnl.exe

2013-03-07 00:50:30 2028544 ----a-w- c:\windows\system32\ntkrnlpa.exe

2013-03-02 02:05:19 920064 ----a-w- c:\windows\system32\wininet.dll

2013-03-02 02:05:18 43520 ----a-w- c:\windows\system32\licmgr10.dll

2013-03-02 02:05:18 1469440 ----a-w- c:\windows\system32\inetcpl.cpl

2013-03-02 01:31:30 1876224 ----a-w- c:\windows\system32\win32k.sys

2013-03-02 01:08:57 385024 ----a-w- c:\windows\system32\html.iec

2013-02-12 00:32:23 12928 ----a-w- c:\windows\system32\drivers\usb8023.sys

.

============= FINISH: 17:38:50.14 ===============

*****************

.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.

IF REQUESTED, ZIP IT UP & ATTACH IT

.

DDS (Ver_2012-11-20.01)

.

Microsoft Windows XP Professional

Boot Device: \Device\HarddiskVolume1

Install Date: 5/4/2013 1:51:14 PM

System Uptime: 5/4/2013 4:57:43 PM (1 hours ago)

.

Motherboard: TOSHIBA | | Portable PC

Processor: Intel® Pentium® Dual CPU T3400 @ 2.16GHz | CPU | 2161/667mhz

.

==== Disk Partitions =========================

.

C: is FIXED (NTFS) - 298 GiB total, 282.273 GiB free.

D: is CDROM ()

E: is Removable

.

==== Disabled Device Manager Items =============

.

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}

Description:

Device ID: ACPI\TOS1901\2&DABA3FF&0

Manufacturer:

Name:

PNP Device ID: ACPI\TOS1901\2&DABA3FF&0

Service:

.

==== System Restore Points ===================

.

RP1: 5/4/2013 1:55:11 PM - Installed Microsoft .NET Framework 2.0 Service Pack 2

RP2: 5/4/2013 1:56:41 PM - Installed Windows KB971276-v3.

RP3: 5/4/2013 1:56:49 PM - Printer Driver Microsoft XPS Document Writer Installed

RP4: 5/4/2013 1:56:52 PM - Installed RGB9RAST

RP5: 5/4/2013 1:56:59 PM - Installed Microsoft .NET Framework 3.0 Service Pack 2

RP6: 5/4/2013 1:59:11 PM - Installed Microsoft .NET Framework 3.5 SP1

RP7: 5/4/2013 1:59:49 PM - Installed Microsoft .NET Framework 4 Client Profile

RP8: 5/4/2013 2:01:57 PM - Installed Microsoft .NET Framework 4 Extended

RP9: 5/4/2013 2:17:05 PM - Removed Java 7 Update 4

RP10: 5/4/2013 2:44:31 PM - Software Distribution Service 3.0

RP11: 5/4/2013 3:29:04 PM - Software Distribution Service 3.0

RP12: 5/4/2013 3:33:24 PM - Software Distribution Service 3.0

RP13: 5/4/2013 3:42:25 PM - Software Distribution Service 3.0

RP14: 5/4/2013 3:46:32 PM - Software Distribution Service 3.0

RP15: 5/4/2013 4:38:21 PM - Software Distribution Service 3.0

.

==== Installed Programs ======================

.

Adobe Flash Player 11 ActiveX

Adobe Flash Player 11 Plugin

Adobe Reader X (10.1.3)

Adobe Shockwave Player 11.6

Avira Free Antivirus

CCleaner

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)

Hotfix for Windows XP (KB2779562)

Hotfix for Windows XP (KB971276-v3)

Intel® Graphics Media Accelerator Driver

Java 7 Update 21

Java Auto Updater

Malwarebytes Anti-Malware version 1.75.0.1300

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Microsoft Games for Windows - LIVE Redistributable

Microsoft Games for Windows Marketplace

Microsoft Silverlight

Microsoft Visual C++ 2005 Redistributable

Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6276

Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219

Mozilla Firefox 20.0.1 (x86 en-US)

Mozilla Maintenance Service

MSXML 4.0 SP3 Parser (KB2758694)

QT Lite 4.1.0

Realtek High Definition Audio Driver

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2604111)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2657424)

Security Update for Microsoft .NET Framework 3.5 SP1 (KB2736416)

Security Update for Windows Internet Explorer 8 (KB2817183)

Security Update for Windows XP (KB2655992)

Security Update for Windows XP (KB2691442)

Security Update for Windows XP (KB2698365)

Security Update for Windows XP (KB2705219-v2)

Security Update for Windows XP (KB2712808)

Security Update for Windows XP (KB2719985)

Security Update for Windows XP (KB2723135-v2)

Security Update for Windows XP (KB2727528)

Security Update for Windows XP (KB2753842-v2)

Security Update for Windows XP (KB2757638)

Security Update for Windows XP (KB2758857)

Security Update for Windows XP (KB2770660)

Security Update for Windows XP (KB2780091)

Security Update for Windows XP (KB2802968)

Security Update for Windows XP (KB2807986)

Security Update for Windows XP (KB2808735)

Security Update for Windows XP (KB2813170)

Security Update for Windows XP (KB2820917)

swMSM

Update for Microsoft .NET Framework 3.5 SP1 (KB963707)

Update for Windows XP (KB2661254-v2)

Update for Windows XP (KB2736233)

Update for Windows XP (KB2749655)

WebFldrs XP

.

==== Event Viewer Messages From Past Week ========

.

5/4/2013 3:28:47 PM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: iastor7

5/4/2013 3:27:02 PM, error: sr [1] - The System Restore filter encountered the unexpected error '0xC0000001' while processing the file '' on the volume 'HarddiskVolume1'. It has stopped monitoring the volume.

5/4/2013 2:40:02 PM, error: VolSnap [25] - The shadow copy of volume C: was aborted because the diff area file could not grow in time. Consider reducing the IO load on this system to avoid this problem in the future.

5/4/2013 2:39:14 PM, error: VolSnap [12] - The shadow copy of volume C: became low on diff area space before it was properly installed.

5/4/2013 2:16:59 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).

5/4/2013 1:51:29 PM, error: Setup [60055] - Windows Setup encountered non-fatal errors during installation. Please check the setuperr.log found in your Windows directory for more information.

.

==== End Of File ===========================

[Maniac]

Hello TK421! My name is Maniac and I will be glad to help you solve your malware problem.

Please note:

• If you are a paying customer, you have the privilege to contact the help desk at Consumer Support. If you choose this option to get help, please let me know.
  
• I recommend you to keep the instructions I will be giving you so that they are available to you at any time. You can save them in a text file or print them.
  
• Make sure you read all of the instructions and fixes thoroughly before continuing with them.
  
• Follow my instructions strictly and don’t hesitate to stop and ask me if you have any questions.
  
• Post your log files, don't attach them. Every log file should be copy/pasted in your next reply.
  
• Do not perform any kind of scanning and fixing without my instructions. If you want to proceed on your own, please let me know.
  

• Download on the desktop RogueKiller
  
• Quit all programs
  
• Start RogueKiller.exe
  
• Wait until Prescan has finished ...
  
• Click on Scan. Click on Report and copy/paste the content of the notepad in your next reply.

[TK421]

Hi Maniac,

Thanks so much for your help. Here's the report from RogueKiller:

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy

mail : tigzyRK<at>gmail<dot>com

Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/

Website : http://tigzy.geekstogo.com/roguekiller.php

Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version

Started in : Normal mode

User : Patrick [Admin rights]

Mode : Scan -- Date : 05/04/2013 19:37:33

| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 2 ¤¤¤

[HJPOL] HKLM\[...]\System : DisableRegistryTools (0) -> FOUND

[HJ DESK] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤

SSDT[25] : NtClose @ 0x805BC538 -> HOOKED (Unknown @ 0xA471657C)

SSDT[41] : NtCreateKey @ 0x8062423A -> HOOKED (Unknown @ 0xA4716536)

SSDT[50] : NtCreateSection @ 0x805AB3D0 -> HOOKED (Unknown @ 0xA4716586)

SSDT[53] : NtCreateThread @ 0x805D1038 -> HOOKED (Unknown @ 0xA471652C)

SSDT[63] : NtDeleteKey @ 0x806246D6 -> HOOKED (Unknown @ 0xA471653B)

SSDT[65] : NtDeleteValueKey @ 0x806248A6 -> HOOKED (Unknown @ 0xA4716545)

SSDT[68] : NtDuplicateObject @ 0x805BE010 -> HOOKED (Unknown @ 0xA4716577)

SSDT[98] : NtLoadKey @ 0x8062645E -> HOOKED (Unknown @ 0xA471654A)

SSDT[122] : NtOpenProcess @ 0x805CB456 -> HOOKED (Unknown @ 0xA4716518)

SSDT[128] : NtOpenThread @ 0x805CB6E2 -> HOOKED (Unknown @ 0xA471651D)

SSDT[177] : NtQueryValueKey @ 0x8062245E -> HOOKED (Unknown @ 0xA471659F)

SSDT[193] : NtReplaceKey @ 0x8062630E -> HOOKED (Unknown @ 0xA4716554)

SSDT[200] : NtRequestWaitReplyPort @ 0x805A2D7E -> HOOKED (Unknown @ 0xA4716590)

SSDT[204] : NtRestoreKey @ 0x80625C1A -> HOOKED (Unknown @ 0xA471654F)

SSDT[213] : NtSetContextThread @ 0x805D2C1A -> HOOKED (Unknown @ 0xA471658B)

SSDT[237] : NtSetSecurityObject @ 0x805C0636 -> HOOKED (Unknown @ 0xA4716595)

SSDT[247] : NtSetValueKey @ 0x806227AC -> HOOKED (Unknown @ 0xA4716540)

SSDT[255] : NtSystemDebugControl @ 0x8061820E -> HOOKED (Unknown @ 0xA471659A)

SSDT[257] : NtTerminateProcess @ 0x805D22D8 -> HOOKED (Unknown @ 0xA4716527)

S_SSDT[549] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0xA47165AE)

S_SSDT[552] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0xA47165B3)

¤¤¤ HOSTS File: ¤¤¤

--> C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: WDC WD3200BPVT-35JJ5T0 +++++

--- User ---

[MBR] 97419417c56473f521e8f553db42b9a6

[bSP] 99e01cb843e2e1908b8edaf5cdf3aa67 : Windows XP MBR Code

Partition table:

0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 305234 Mo

User = LL1 ... OK!

User = LL2 ... OK!

Finished : << RKreport[1]_S_05042013_02d1937.txt >>

RKreport[1]_S_05042013_02d1937.txt

[Maniac]

Looks good.

Please run a free online scan with the ESET Online Scanner

Note: You will need to use Internet Explorer for this scan

• Tick the box next to YES, I accept the Terms of Use
  
• Click Start
  
• When asked, allow the ActiveX control to install
  
• Click Start
  
• Make sure that the options Remove found threats and the option Scan unwanted applications is checked
  
• Click Scan (This scan can take several hours, so please be patient)
  
• Once the scan is completed, you may close the window
  
• Use Notepad to open the logfile located at C:\Program Files\ESET\Eset Online Scanner\log.txt
  
• Copy and paste that log as a reply to this topic
  

[TK421]

Avira continues to detect the same issue, but I notice all detections point here: "C:\System Volume Information\_restore" Is this from old restore points? ESET found nothing, log file here:

ESETSmartInstaller@High as CAB hook log:

OnlineScanner.ocx - registred OK

# version=8

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6920

# api_version=3.0.2

# EOSSerial=d4b3bd591fdace44aae0ea9a93c4c423

# engine=13755

# end=stopped

# remove_checked=false

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2013-05-05 12:33:31

# local_time=2013-05-04 08:33:31 (-0500, Eastern Daylight Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=1799 16775165 100 97 0 0 0 0

# scanned=8308

# found=0

# cleaned=0

# scan_time=485

# version=8

# iexplore.exe=8.00.6001.18702 (longhorn_ie8_rtm(wmbla).090308-0339)

# OnlineScanner.ocx=1.0.0.6920

# api_version=3.0.2

# EOSSerial=d4b3bd591fdace44aae0ea9a93c4c423

# engine=13755

# end=finished

# remove_checked=false

# archives_checked=false

# unwanted_checked=true

# unsafe_checked=false

# antistealth_checked=true

# utc_time=2013-05-05 01:06:19

# local_time=2013-05-04 09:06:19 (-0500, Eastern Daylight Time)

# country="United States"

# lang=1033

# osver=5.1.2600 NT Service Pack 3

# compatibility_mode=1799 16775165 100 97 0 0 0 0

# scanned=49848

# found=0

# cleaned=0

# scan_time=1901

[Maniac]

It is a good idea. Let's clean almost all of them.

http://support.microsoft.com/kb/555367

Then restart your computer and let me know.

[TK421]

Deleted all but the most recent restore point. Then ran quick scans with Avast and Malwarebytes. No detections!

[Maniac]

So everything is fine now?

[TK421]

It seems fine now. No more detections since the old restore points were removed.

[Maniac]

Glad I could help!

Please uninstall ESET Online Scanner and then manually delete DDS and RogueKiller.

Some malware prevention tips:

users.telenet.be/bluepatchy/miekiemoes/prevention.html

Safe surfing!

[TK421]

Thanks very much!

[Maniac]

You're welcome!

[Maurice Naggar]

Glad we could help.

If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!