Rootkitproblems Win XP

Discussion in 'Malware Help (A Specialist Will Reply)' started by GLK, Jun 23, 2013.

  1. GLK

    GLK Private E-2

    Hi, I would like to thank you all in advance for your help!

    Let me first explain the steps I've taken. It took a while before I found this site and the guides, so I probably didn't take the best course of action at first.

    A few days ago I received a letter from my ISP that they will cancel my internet connection if I don't disinfect my computer(s). They say it's infected with Torpig. I'm running an old Windows XP desktop, a Windows Vista laptop and an almost new Synology DiskStation. Because I think the desktop is the problem (it was taking a long time to start up and it's not protected) I checked it thoroughly and found some infections with MBAM, SAS and Combofix. Combofix mentioned the desktop is infected with rootkit.zeroaccess. Because I wanted to make sure if it had removed the rootkit I started Combofix again, but I got the same dialog box saying it found the ZeroAccess rootkit. I also tried Sophos Virus Removal Tool and RootkitRemover from McAfee. But still I got the same message from Combofix.

    Then I found this forum and the recommended steps to take against malware (Read and run me first). When I got to Hitman Pro I had some problems. Especially with the entire computer locking up at different parts of the scanning procedure. I will add some pictures of the screens when it had locked up to my next message. I'm not sure if I had to cancel repeating the scan, but I found that when I changed the setting for disk mode to compatible instead of direct it would finish the scan (see the log). MGtools also gave me an error message. This was when it asked about HijackThis, I think because my internet connection was gone after I rebooted (when Hitman Pro locked the PC). A few minutes later, after getting the wifi back online I ran MGtools again and it didn't ask me about HijackThis and it didn't give an error.

    I hope you can help me to get rid of any malware / viruses / rootkits that may be present. Also, I think it's best to check the Vista laptop just to be sure.

    Again, thanks in advance for your help,

    Guido
     


  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Please attach the log from running ComboFix as I am not finding any malware in your logs.
     
  3. GLK

    GLK Private E-2

    Hi TimW,

    Thanks for your time.
    I attached the log of my latest scan with Combofix and also added some screenshots of the alert in Combofix and 2 of when Hitman Pro froze.
     


  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    • Please download a ZeroAccess Removal Tool (By Webroot) to your desktop.
    • Double click on it to run it (If running Vista or Windows 7, right click on it and select "Run as an Administrator")
    • Type y and press enter to run the scan .
    • Hit any key to exit once it has finished its scan.
    • Attach the log which will be in the same location as you ran the tool from. (Should be desktop)
     
  5. GLK

    GLK Private E-2

    I downloaded the Zeroaccess removal tool and added the logfile to this post.

    Also, I forgot to mention I hadn't run the updates from Windows XP for a long while and before I posted my initial question here I ran those updates. One of those updates checked for rootkits etc. and found some, which it removed. I don't know where I can find logs of this or if they are important.

    Also, I found the logfile of Combofix from when I first ran it (June 21). Also added this to the post, some files and Sinowal were found and removed.
     


  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    What issues remain, if any?
     
  7. GLK

    GLK Private E-2

    Well, when I run Combofix I still get the message it finds the Zeroaccess rootkit, which it then tries to remove.

    Also, what can I do to make sure the computer has no remaining infections? I installed Comodo Internet Security, which found some remaining crap. For now I chose not to delete it, to await your answer (see attached screenshot of the log file). Should I let Comodo remove these files?

    Also I got a BSOD, first time in a long while (see attachments). Don't know if it may have something to do with it.

    Since my ISP will cut my internet when I don't remove all malware/rootkits etc I want to be as sure as I can be that all crap is removed (without formatting everything). Are there any other scanners/programs you can advise me to try?

    Thanks a lot for your help!
     


  8. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Run CCleaner and then download a fresh copy of Combo, let it overwrite your previous version and then run it. Tell me if you still get the message.
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Very likely a false detection but we will run a couple more scans down below to be sure.

    GLK wrote: "Also, what can I do to make sure the computer has no remaining infections? I installed Comodo Internet Security, which found some remaining crap. For now I chose not to delete it, to await your answer (see attached screenshot of the log file). Should I let Comodo remove these files?"

    • pcifmdio.dll - is not known to be a problem. This file could be related to any number of legit programs. Some are sound card related and others PCI card related. It is likely just part of some software you are running.
    • mjfbbimkglkjhppkddbihhgidodbnjnk\1.0_0\plugin.dll - just some unknown plugin for Google. I do not know which plugin but probably not a major issue. If anything, just adware.
    • serial.sys.vir - is already in the quarantine of Combofix and is not a problem
    • pskavs.dll - is just part of Panda ActiveScan ( the online scanner ).

    You are more than likely already clean from what TimW already had you do, but we will run a few more things below. Mainly just to double check on ComboFix but this is not the first time we have seen ComboFix say there is a ZA infection when there is not. If there were, it should be reporting where it is.

    Now please download Farbar Service Scanner and run it on the computer with the issue.
    • Put a check mark in each option box on the left side.
    • Click "Scan".
    • It will create a log (FSS.txt) in the same directory the tool is run.
    • Please attach this log to your next reply.

    Now please run the below anti-rootkit tool from Malwarebytes.

    http://blog.malwarebytes.org/news/2013/05/malwarebytes-anti-rootkit-beta-1-06/

    Attach a log from the above.

    Now please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note: That JRT may reset your home page to a google default so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.
     
  10. GLK

    GLK Private E-2

    Thanks for all your help! Until today it wasn't possible for me to run all the programs you advised, but here are the results:

    First I ran CCleaner and then I installed a new copy of Combofix (few days ago). It still gave me the message it found the Zeroaccess rootkit (see log).

    Then I ran Farbar (see log), MWB antirootkit (see 2 logs) and finally JRT (see log).

    MWB found a few files about ZeroAccess, the others found some other files. Hope you can make something out of these logfiles!

    Thanks a lot in advance!
     


  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay, it appears Malwarebytes found and reported the leftovers from ZA. Let's clean up a few more things.


    Uninstall the below old versions of software:
    Java(TM) 6 Update 30
    Java(TM) 7 Update 2

    Now install the current version of Sun Java from: Sun Java Runtime Environment. Make sure that when you see the form asking about installing Ask Toolbar that you uncheck this.

    Please download OTM by Old Timer and save it to your Desktop.
    • Run OTM.exe by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).
    • Copy the lines from the below codebox to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy). Do not include the word Code: which is just a title line of the code box.
    Code:
    :Processes
    explorer.exe
    
    :Services
    MFE_RR
    :Files
    c:\docume~1\GLK\LOCALS~1\Temp\mfe_rr.sys
    c:\documents and settings\All Users\Application Data\1253
    c:\WINDOWS\$NtUninstallKB34153$
    C:\Documents and Settings\GLK\Local Settings\temp\*.*
    
    :Reg
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "MSCPY"=-
    :Commands
    [purity]
    [EmptyTemp]
    [start explorer]
    [Reboot]
    • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • Now click the large MoveIt! button (image: http://forums.majorgeeks.com/chaslang/images/MoveIt!.png).
    • If OTM asks to reboot your computer, allow it to do so. The report should appear in Notepad after the reboot.
    • Close OTM.
    Now navigate to the C:\_OTM\MovedFiles folder ( assuming your Windows drive is C). This is where your log will be saved in the form of Date and Time mmddyyyy_hhmmss.log. Just look for the most recent .log file. Attach this log file to your next message.

    Now please download Junkware Removal Tool to your desktop.
    • Shut down your protection software now to avoid potential conflicts.
    • Run the tool by double-clicking it. If you are using Windows Vista or Seven, right-mouse click it and select Run as Administrator.
    • The tool will open and start scanning your system.
    • Note: That JRT may reset your home page to a google default so you will need to restore your home page setting if this happens.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Attach JRT.txt to your next message.
    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, Win7 or Win8, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • the C:\_OTM\MovedFiles log
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
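As an added illustration (not part of this thread and not OTM's own code), the script below reads the OTM fix script from the post above and lists what each line asks the tool to do, so a reader can review such a script before pasting it into OTM. The meaning assigned to each section (kill process, stop service, move file, delete registry value, run command) is this example's interpretation of the OTM format, not OTM documentation, and nothing is actually changed on the system.

```python
"""Dry-run reader for an OTM (OldTimer's Move It) fix script.

Added example; it does not touch the system, it only explains the script.
The section meanings below are this example's reading of the OTM format
(an assumption), not OTM's own documentation.
"""
import re

# The script posted in the thread above, embedded verbatim as sample input.
SAMPLE_SCRIPT = r"""
:Processes
explorer.exe

:Services
MFE_RR
:Files
c:\docume~1\GLK\LOCALS~1\Temp\mfe_rr.sys
c:\documents and settings\All Users\Application Data\1253
c:\WINDOWS\$NtUninstallKB34153$
C:\Documents and Settings\GLK\Local Settings\temp\*.*

:Reg
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"MSCPY"=-
:Commands
[purity]
[EmptyTemp]
[start explorer]
[Reboot]
"""

KNOWN_SECTIONS = {"Processes", "Services", "Files", "Reg", "Commands"}
# "Name"=- is .reg syntax for deleting a value under the preceding [key].
REG_VALUE_DELETE = re.compile(r'^"(?P<name>[^"]*)"=-$')


def parse_otm_script(text):
    """Split the script into {section: [entries]}, keeping entry order.

    Blank lines are ignored; an unknown ':Section' or an entry that appears
    before any section header is treated as an error.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(":"):
            current = line[1:]
            if current not in KNOWN_SECTIONS:
                raise ValueError("unknown section: " + current)
            sections.setdefault(current, [])
            continue
        if current is None:
            raise ValueError("entry before any section header: " + line)
        sections[current].append(line)
    return sections


def plan_actions(sections):
    """Translate parsed sections into (action, target) pairs for review."""
    actions = []
    for proc in sections.get("Processes", []):
        actions.append(("kill process", proc))          # assumed OTM behaviour
    for svc in sections.get("Services", []):
        actions.append(("stop and delete service", svc))  # assumed OTM behaviour
    for path in sections.get("Files", []):
        kind = "move all files under" if path.endswith("*.*") else "move file/folder"
        actions.append((kind, path))
    key = None
    for entry in sections.get("Reg", []):
        if entry.startswith("[") and entry.endswith("]"):
            key = entry[1:-1]  # [key] lines set the context for following values
            continue
        m = REG_VALUE_DELETE.match(entry)
        if m and key:
            actions.append(("delete registry value", key + " -> " + m.group("name")))
        else:
            actions.append(("unrecognised registry line", entry))
    for cmd in sections.get("Commands", []):
        actions.append(("run OTM command", cmd.strip("[]")))
    return actions


if __name__ == "__main__":
    for action, target in plan_actions(parse_otm_script(SAMPLE_SCRIPT)):
        print(f"{action:28s} {target}")
```

Reviewing the plan this way shows, for example, that the registry entry removes a single value (MSCPY) from the ShellServiceObjectDelayLoad key, a location Explorer loads at logon, rather than the whole key, and that the temp-folder entry moves everything under it because of the trailing wildcard.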
     
  12. GLK

    GLK Private E-2

    Hi,

    I've uninstalled Java and installed the latest version.
    Ran OTM (see log)
    Ran JRT (see log)
    Ran MGtools getlog.bat (see log)

    Everything seems to be running fine, only thing I noticed is in Firefox I've lost a few addons and settings, but I can fix that.

    Anything else I need to do to make sure it's all gone, or to clean up?

    Thank you!
     


  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You're welcome. Your logs look good now.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep Malwarebytes Anti-Malware for scanning/removal of malware.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Press and hold the Windows key (image: http://forums.majorgeeks.com/chaslang/images/Windows_Logo_key.gif) and then press the letter R on your keyboard. This opens the Run dialog box.
      • Copy and paste the below into the Run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix and the /uninstall, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Re-enable your Disk Emulation software with Defogger if you had disabled it in step 4 of the READ & RUN ME.
    4. Go to add/remove programs and uninstall HijackThis. If you don't see it or it will not uninstall, don't worry about it. Just move on to the next step.
    5. If running Vista, Win 7 or Win 8, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Now goto the C:\MGtools folder and find the MGclean.bat file. Double click ( if running Vista, Win7, or Win 8 Right Click and Run As Administrator ) on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    7. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    8. If you are running Win 8, Win 7, Vista, Windows XP or Windows ME, do the below to flush restore points:
      • Refer to the instructions for your Windows version in this link: Disable And Enable System Restore
      • What we want you to do is to first disable System Restore to flush restore points some of which could be infected.
      • Then we want you to Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     
