Hi, an introduction + zeroaccess rootkit.
Posted 09 April 2012 - 10:18 PM
A first time poster and have been using combofix very successfully on my own, and not really aware of the forum or this community's 'protocol' about using combofix for a few years.
The problem I have run into today is that I have run a removal utility that had found and removed zeroaccess.rootkit from a windows XP SP3 32bit PC.
It appears that I have actually removed the problem as multiple utilities (Kaspersky rescue disk, Symantec, Webroot, MWB, etc. etc.) claim it's gone
I have run these other utilities that say the system is clean free & clear however Combofix (and only Combofix) continues to detect and say that it's infected with
So unless Combofix is somehow superior to all these other utilities in detection of zeroaccess, this seems to be some kind of false positive.
Or my lack of know-how and inability to use this on my own successfully has suddenly kicked in today and I need to ask for help with it.
There is currently no anti-malware software installed or running on the system and background services and processes are at a minimum.
The system seems to work just fine and is very responsive.
More than asking for "help" or for help fixing my individual system I'd prefer to ask & learn how I can get combofix to tell me WHY and HOW it is making this determination.
(Is it logging why it thinks this malware is on the system?) and how do I read it.
More than anything really I'm looking for guidance as to how I might be able to better understand WHAT combofix is looking for and detecting when it
is finding and reporting this particular rootkit is present.
By the time I get a response, I'm likely to have already moved on and formatted the drive (restored from a backup image); unfortunately this is a bugger of a problem, I can't trust myself that it's truly fixed yet and I'm out of learning time with it.
Maybe a little shove into the right area of information where I can work myself to become much better with
combofix to the point where I can help others as well as myself a little better than this.
Another issue I've run into recently is that Combofix frequently will detect AVG 2012 on a system that I have carefully removed the software on, all processes files and registry entries
on the systems (AVG is practically gone) yet it still has some *secret* way that it goes out onto the system and determines that AVG is still there.
I'd like to know what it is actually finding to determine this so I can remove it.
(I wonder if it logs enough data to tell me this by default, or if it can be turned up to show this type of detail.)
That's another topic for another day, but just an example to show I'd like to learn how to read the logs and see WHY it is doing or determining things if that's possible.
Thank you for putting up with my LONG intro and asking for more information.
That's 2 of 50 topics I could start aside from the intro :-)
Again.. thanks for tuning in!
Edit: Moved topic from XP to the more appropriate forum. ~ Animal
Posted 10 April 2012 - 07:28 AM
As a general policy, Bleeping Computer does not offer advice on how to run ComboFix unless we asked someone to run it or if there is a problem with the computer caused by running the tool. This is because people should not be using ComboFix without being advised to do so by a trained expert (see here) who is assisting them deal with a malware problem.
With that said, if you receive a message that "Combofix has detected the presence of rootkit activity and needs to reboot", you should have been instructed to write down the list of any files present in the message before continuing, and then to provide that information to the Helper who instructed you to run the tool.
Detecting "rootkit activity" is not the same as detecting an actual malicious rootkit which would show in the Stealth MBR rootkit section of a log if it were present.
Discussion pertaining to how ComboFix works, what it can or cannot do, what the log results mean, any future plans, updates, etc. is not available to the public in order to safeguard and protect the integrity of the tool from malware writers. As such, the developer does not want his tool discussed outside of private forums and therefore we cannot answer specific questions.
I'd prefer to ask & learn how I can get combofix to tell me WHY and HOW it is making this determination.
Safeguarding ComboFix from malware writers is necessary and important so that we can continue to use it without attackers having knowledge how to defeat it. Everything we discuss can be read by the bad guys. Yes, they read forum topics looking for clues on how to circumvent our tools. We don't want to provide any information they can use against us so we deliberately limit discussion which sometimes may appear vague or not fully address a specific question. That's the decision by the creator of ComboFix so we hope you understand and it should not be taken personal.
The only public information that is available can be found in this authorized guide: How to use ComboFix.
If you want to learn more about ComboFix you will have to enroll in the Malware Removal Training Program here at BC (if space is available) or one of the other various Unite Schools where such training is offered. In that environment experts will train those interested in assisting others with malware removal and how to use specialized fix tools like ComboFix. Once training has been completed, you will have access to the ComboFix discussion thread to learn more specific information about the tool and ask any questions.
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
Posted 10 April 2012 - 09:14 PM
I really do appreciate that you took the time.
And although I have read many of the posts here on the forums where the same questions and answers recur over & over & over.
For the first time I see the issue of intended information withholding from the proper perspective of keeping CF's inner workings
behind closed doors and for the purpose of not sharing with the malware authors how things work here, as opposed to how I tended
to view the issue as simply holding the information close because the author/private community *can*.
All makes a lot more sense now.
I'll ask for proper help here when I need it and share with others however I can.
And I'll take the training as soon as I can schedule it.
I'm happy with combofix and what I've done with it for 3 years.
But it would be nice to be even more skilled with it.
I really do enjoy the challenge of staying ahead or at least being effective at eliminating the latest & greatest malware variants.