Solved

Combofix rootkit detected, cannot remove

Posted on 2012-08-16
797 Views
Last Modified: 2012-08-20
I've removed a LOT of infections from this computer. TDSSKiller found several rootkits. I have run Malwarebytes, Avast! Free Antivirus, SUPERAntiSpyware, and Combofix. I have done a repair install of Windows XP. Someone suggested running GMER, but I'm not sure how to read it. I'm uploading the results.

Combofix will say Rootkit is detected, and then will freeze after that message is displayed. The only way I can get Combofix to run all the way through is to use the /nombr switch. I have run it again after and get the same result. Any suggestions?
Attachment: gmer.log

Question by: Scott Thompson
7 Comments

LVL 6

Accepted Solution

by: jacobstewart earned 2000 total points
ID: 38300628
If it's that badly infected, back up the data, format and reinstall. A computer is never the same after being infected like that.

Even if you do get it "clean" and something comes back 3 weeks down the road it will come back to you.

LVL 32

Expert Comment

by: willcomp
ID: 38301134
Does TDSSKiller still show a rootkit present? If so, which one?

The important thing now is to identify the rootkit.

LVL 12

Expert Comment

by: ryan80
ID: 38301189
I would wipe that bad boy clean and reinstall.

LVL 30

Expert Comment

by: Sudeep Sharma
ID: 38301702
Post the TDSSKiller logs. Further, did you try FixTDSS from Symantec as well?

FixTDSS Download
http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixTDSS.exe

LVL 8

Author Comment

by: Scott Thompson
ID: 38302081
I have tried FixTDSS from Symantec. I will upload the TDSSKiller results, which did not find anything.
Attachment: TDSSKiller.2.8.6.0-16.08.2012-13.txt

LVL 30

Expert Comment

by: Sudeep Sharma
ID: 38305692
The log contained in "TDSSKiller.2.8.6.0-16.08.2012-13.txt" wasn't complete; it ends at 13:42:25.0531 3312  [ ca7e42e0b8d117165ed553a7d681352a ] SeaPort, so I would still suggest running it again and making sure it completes.

LVL 8

Author Comment

by: Scott Thompson
ID: 38308362
Customer decided to reload.  Thank you for your help!