Combo Fix and Hijack this Log Review

RogueKiller identified the ZeroAccess rootkit, and I was hoping someone could look at my post-ComboFix logs to see if any additional steps should be taken. After ComboFix, RogueKiller no longer identified ZeroAccess. The logs are attached. Thank you in advance for your time.
ComboFix.txt
hijackthis.log
ckleavitt2Asked:
rpggamergirlCommented:
Thanks for posting that, it looks okay. I was just checking whether the log shows an active hidden partition (like below), but there's none.

1 - [ACTIVE] NTFS [HIDDEN!] Offset (sectors): 312576705 | Size: 2 Mo


As for that random driver, just keep an eye on it; you can even rename it to drkrgcqmxwim.sys.old to disable it, but it sounds harmless to me if only Rising flagged it.

How's the PC going?
0
 
rpggamergirlCommented:
Combofix's log shows it had deleted the ZeroAccess folder and files so that's good.
The HijackThis log looks okay, but that doesn't mean the system is clean, because a lot of nasties can now hide from its scan. An OTL log or DSS log shows much more than a HijackThis log.

Just curious about this file below that starts when the PC starts; do you know that program? If so, then that's okay.
C:\TW\KDISBridge.exe

Did the RogueKiller log show any active hidden partition or did it just show something like below:

¤¤¤ Infection : ZeroAccess ¤¤¤
[ZeroAccess] (LOCKED) windir\NtUpdateKBxxxx present!
Can you upload and scan the driver below and see if it's clean? I have no info on that file; it could be part of your scanners, but better to make sure.
c:\windows\system32\drivers\drkrgcqmxwim.sys

http://virusscan.jotti.org/en
http://www.virustotal.com/
0
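The two indicator types the expert asks about above (the ZeroAccess infection lines and an `[ACTIVE] ... [HIDDEN!]` partition entry) can be pulled out of a RogueKiller-style report mechanically. The following is an added example, not code from the thread or from RogueKiller; it runs over constructed sample lines modelled on the fragments quoted in this thread, and the `triage` / `needs_followup` names are my own.

```python
import re

# Constructed sample of RogueKiller-style output, modelled on the fragments quoted
# in this thread (the ZeroAccess lines and the [HIDDEN!] partition line); it is
# not the poster's actual RKreport.txt.
SAMPLE_LINES = [
    "¤¤¤ Infection : ZeroAccess ¤¤¤",
    r"[ZeroAccess] (LOCKED) windir\NtUpdateKBxxxx present!",
    "¤¤¤ MBR check: ¤¤¤",
    "0 - [XXXXXX] NTFS Offset (sectors): 2048 | Size: 149998 Mo",
    "1 - [ACTIVE] NTFS [HIDDEN!] Offset (sectors): 312576705 | Size: 2 Mo",
]

INFECTION_RE = re.compile(r"^¤¤¤\s*Infection\s*:\s*(?P<name>.+?)\s*¤¤¤$")
MARKER_RE = re.compile(r"^\[(?P<family>[^\]]+)\]\s+\((?P<state>[^)]+)\)\s+(?P<path>\S+)\s+present!$")
PARTITION_RE = re.compile(
    r"^(?P<index>\d+)\s+-\s+\[(?P<flags>[^\]]*)\]\s+(?P<fs>\S+)(?P<hidden>\s+\[HIDDEN!\])?"
    r"\s+Offset \(sectors\):\s*(?P<offset>\d+)\s*\|\s*Size:\s*(?P<size>\d+)\s*(?P<unit>\w+)$"
)


def triage(lines):
    """Pull the indicator types discussed in the thread out of report lines."""
    findings = {"infections": [], "markers": [], "hidden_active_partitions": []}
    for raw in lines:
        line = raw.strip()
        if m := INFECTION_RE.match(line):
            findings["infections"].append(m.group("name"))
        elif m := MARKER_RE.match(line):
            findings["markers"].append((m.group("family"), m.group("state"), m.group("path")))
        elif (m := PARTITION_RE.match(line)) and m.group("hidden") and "ACTIVE" in m.group("flags"):
            # A partition that is both ACTIVE and HIDDEN! is the entry the expert checks for
            # separately from the ZeroAccess folder that ComboFix deleted.
            findings["hidden_active_partitions"].append(
                {"index": int(m.group("index")), "offset": int(m.group("offset")),
                 "size": f"{m.group('size')} {m.group('unit')}"}
            )
    return findings


def needs_followup(findings):
    """True when the report shows a hidden active partition, not just the deleted folder."""
    return bool(findings["hidden_active_partitions"])


if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    print(result)
    print("hidden active partition present:", needs_followup(result))
```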
 
ckleavitt2Author Commented:

Thanks for the reply and look over, RPG.....

Q: Just curious about this file below that starts when the PC starts; do you know that program? If so, then that's okay.
C:\TW\KDISBridge.exe

A: This file appears to be associated with Kodak Imaging for capturing X-rays, which would be completely normal, as this machine was used to capture X-rays at one time.

Q:  Did the RogueKiller log show any active hidden partition or did it just show something like below:

¤¤¤ Infection : ZeroAccess ¤¤¤
[ZeroAccess] (LOCKED) windir\NtUpdateKBxxxx present!

A: YES, and I am attaching the original RogueKiller log.

Q: Can you upload and scan the driver below and see if it's clean? I have no info on that file; it could be part of your scanners, but better to make sure.
c:\windows\system32\drivers\drkrgcqmxwim.sys

A: Scanned with the first link, and nothing found.
Scanned at VirusTotal, and only Rising returned a hit, with a date of 2011.12.16 and the result RootKit.Win32.Undef.ov.

 RKreport.txt
0
 
ckleavitt2Author Commented:
You are Awesome! Thanks for the help.
0
 
rpggamergirlCommented:
No problem.
Thank you for using Experts-Exchange!
0