ComboFix and HijackThis Log Review

RogueKiller identified the ZeroAccess rootkit, and I was hoping someone could look at my post-ComboFix logs to see if any additional steps should be taken. After ComboFix, RogueKiller no longer identified ZeroAccess. The logs are attached. Thank you in advance for your time.
Attachments: ComboFix.txt, hijackthis.log
ckleavitt2 Asked:

rpggamergirl Commented:
ComboFix's log shows it had deleted the ZeroAccess folder and files, so that's good.
The HijackThis log looks okay, but that doesn't mean the system is clean, because a lot of nasties can now hide from its scan. An OTL log or DSS log shows much more than a HijackThis log.

Just curious about the file below, which starts when the PC starts. Do you know that program? If so, then that's okay.
C:\TW\KDISBridge.exe

Did the RogueKiller log show any active hidden partition or did it just show something like below:

¤¤¤ Infection : ZeroAccess ¤¤¤
[ZeroAccess] (LOCKED) windir\NtUpdateKBxxxx present!



Can you upload and scan the driver below and see if it's clean? I have no info on that file; it could be part of your scanners, but it's better to make sure.
c:\windows\system32\drivers\drkrgcqmxwim.sys

http://virusscan.jotti.org/en
http://www.virustotal.com/
0
ckleavitt2 Author Commented:

Thanks for the reply, and look over RPG.....

Q: Just curious about the file below, which starts when the PC starts. Do you know that program? If so, then that's okay.
C:\TW\KDISBridge.exe

A: This file appears to be associated with Kodak Imaging for capturing XRAYs, which would be completely normal, as this machine was used to capture XRAYS at one time.




Q:  Did the RogueKiller log show any active hidden partition or did it just show something like below:

¤¤¤ Infection : ZeroAccess ¤¤¤
[ZeroAccess] (LOCKED) windir\NtUpdateKBxxxx present!

A: YES, and I am  attaching the original RogueKiller log.


Q: Can you upload and scan the driver below and see if it's clean? I have no info on that file; it could be part of your scanners, but it's better to make sure.
c:\windows\system32\drivers\drkrgcqmxwim.sys

A: Scanned with the first link, and nothing was found.
Scanned at VirusTotal, and only RISING returned, with a date of 2011.12.16 and a result of: RootKit.Win32.Undef.ov

 RKreport.txt
0
rpggamergirl Commented:
Thanks for posting that; it looks okay. I was just checking whether the log shows an active hidden partition (like below), but there's none.

1 - [ACTIVE] NTFS [HIDDEN!] Offset (sectors): 312576705 | Size: 2 Mo


As for that random driver, just keep an eye on it. You can even rename it to drkrgcqmxwim.sys.old to disable it, but it sounds harmless to me if only Rising flagged it.

How's the PC going?
0
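
The check discussed in the comments above, as an added example that is not part of the original thread: a short Python triage of a RogueKiller report that separates a plain ZeroAccess detection from an active hidden partition entry. The line formats come from the two excerpts quoted in the thread; the sample reports, the names used, and the assumption that untagged partitions simply omit `[ACTIVE]` or `[HIDDEN!]` are constructed for illustration.

```python
import re

# Partition entry in the form quoted in the thread:
#   1 - [ACTIVE] NTFS [HIDDEN!] Offset (sectors): 312576705 | Size: 2 Mo
# Assumption: entries lacking a tag simply omit "[ACTIVE]" or "[HIDDEN!]".
PARTITION = re.compile(
    r"^\s*(?P<index>\d+)\s*-\s*(?P<active>\[ACTIVE\]\s*)?(?P<fs>\S+)\s*"
    r"(?P<hidden>\[HIDDEN!\]\s*)?Offset \(sectors\):\s*(?P<offset>\d+)"
    r"\s*\|\s*Size:\s*(?P<size>\d+)\s*(?P<unit>\w+)"
)

def triage(report: str) -> dict:
    """Collect ZeroAccess detections and partition entries from report text."""
    out = {"zeroaccess": [], "partitions": [], "hidden_active": []}
    for line in report.splitlines():
        if line.lstrip().startswith("[ZeroAccess]"):
            out["zeroaccess"].append(line.strip())
            continue
        m = PARTITION.match(line)
        if not m:
            continue  # banners, blank lines and unrelated sections
        part = {
            "index": int(m["index"]),
            "fs": m["fs"],
            "active": m["active"] is not None,
            "hidden": m["hidden"] is not None,
            "offset_sectors": int(m["offset"]),
            "size": int(m["size"]),
            "unit": m["unit"],
        }
        out["partitions"].append(part)
        # Both bootable and hidden: the case the reply above was checking for.
        if part["active"] and part["hidden"]:
            out["hidden_active"].append(part)
    return out

# Constructed samples built from the excerpts quoted in the thread.
DETECTION_ONLY = r"""¤¤¤ Infection : ZeroAccess ¤¤¤
[ZeroAccess] (LOCKED) windir\NtUpdateKBxxxx present!
0 - [ACTIVE] NTFS Offset (sectors): 63 | Size: 152625 Mo
"""
WITH_HIDDEN = DETECTION_ONLY.replace("[ACTIVE] ", "") + (
    "1 - [ACTIVE] NTFS [HIDDEN!] Offset (sectors): 312576705 | Size: 2 Mo\n"
)

if __name__ == "__main__":
    for name, text in (("detection only", DETECTION_ONLY), ("with hidden", WITH_HIDDEN)):
        r = triage(text)
        print(name, len(r["zeroaccess"]), [p["index"] for p in r["hidden_active"]])
```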

ckleavitt2 Author Commented:
You are Awesome! Thanks for the help.
0
rpggamergirl Commented:
No problem.
Thank you for using Experts-Exchange!
0