Combofix keeps showing infected with rootkit

AlaDes

AlaDes

Active Member
Reaction score
35
Location
White Sulphur Springs, WV
If it were up to me, I'd simply do a N&P on this laptop and re-install everything. However, this is not an option for the owner due to the software that is on the machine and the fact they don't have the installation media.

I have run every scanner I can think of on this unit and everything has came up clean. I have even ran many of them twice. The only one I can't seem to get to completely run is combofix. Every time I run it, combofix reports that the system is infected with the zero access rootkit (tcp/ip stack). I click the OK button and it eventually displays a shorter message regarding the rootkit infection. Once I click the OK button this time, it seems to get stuck on scanning and never proceeds to stage 1. If I mistakenly click the mouse anywhere on the desktop, the entire unit freezes (clock freezes), except the blinking cursor inside of the combofix.

I apologize if this is a short post, but as I have said: I have ran every scanner that I can think of, and all of them have shown everything is clean.
 
If Combofix is the only thing showing this, and you have "run every scanner you can think of", including offline scans, then I would think it's a Combofix issue.

Look for a new version....make sure you have the latest.
 
What other scanners have you run?
What are the specific files that Combofix is finding?
Have you tried to remove them in safe mode as NYJimbo suggested?
Have you tried a manual removal of the files?
Finally, if you still can't track it down and remove the infection, maybe cloning the hard drive and doing a repair install might do the trick. I would still do a series of scans afterwards to be certain it is gone though.
 
HFultzjr said:
If Combofix is the only thing showing this, and you have "run every scanner you can think of", including offline scans, then I would think it's a Combofix issue.

Look for a new version....make sure you have the latest.
Click to expand...
I'm with him. I'm betting a false positive here. Combofix isn't as good as it use to be and I only use it as a last resort. It breaks too many things.
 
nlinecomputers said:
I'm with him. I'm betting a false positive here. Combofix isn't as good as it use to be and I only use it as a last resort. It breaks too many things.
Click to expand...

Agree. Is the PC working as desired? If so, and all other scanners show clean, then it may indeed be a ComboFix issue and the PC is actually OK. (I also only use ComboFix as a last resort.)
 
PCX said:
What other scanners have you run?
What are the specific files that Combofix is finding?
Have you tried to remove them in safe mode as NYJimbo suggested?
Have you tried a manual removal of the files?
Finally, if you still can't track it down and remove the infection, maybe cloning the hard drive and doing a repair install might do the trick. I would still do a series of scans afterwards to be certain it is gone though.
Click to expand...

I have run every scanner available, including Farbar, however I have only begun learning to use Farbar.
I don't know any specifics other than the "zero.access" because it won't get past the scanning files section. In other words, it never starts "stage 1" nor does it perform a log.
I have used process explorer and autoruns to see if there is anything out of place and nothing.
I have tried running combofix in safe mode, with and without networking, and with command prompt. Still the same results.
I have also tried a repair install to no avail.
 
If others are also experiencing false positives and the computer seems to run fine other than those possible false positives, then I would have to say that the computer is probably good to go. That said, you may want to also run MBAR to be on the safe side, if you have not already done so. Also, we do a full scan with Kaspersky Virus Removal Tool, which you can get here.

http://www.kaspersky.com/antivirus-removal-tool?form=1

If neither of those finds anything, then I would say you can probably call it a day as long as everything is functioning properly.
 
Maybe I missed something, but are you only concerned about the positive from Combofix or is there an actual problem that you are still chasing ?
 
You must log in or register to reply here.

Similar threads

Blue House Computer Help
Rootkit scanning and removal
2
Replies
20
Views
616
Sky-Knight
Sky-Knight
LordX
Lenovo laptop not powering on unless CMOS battery disconnected.
Replies
6
Views
275
LordX
LordX
britechguy
Wiping a Microsoft Surface prior to e-recycling
Replies
14
Views
322
fincoder
fincoder
britechguy
ListHotKeys - VBS to PS1 conversion - Why doesn't the latter give me the pop-up?
Replies
0
Views
52
britechguy
britechguy
HCHTech
Opening zipped PDFs in Outlook without extracting
Replies
3
Views
108
frase
frase
Back
Top