I have had 3 computers in my shop with rootkit activity detected by ComboFix. This is after the hard drive was low-level formatted with LLF from HDDGuru and a clean load of Windows. Some Windows updates might need to be installed before the ComboFix detection. The computers were:
Dell Dimension 2400 - http://www.bleepingcomputer.com/forums/topic371370.html
Gigabyte motherboard - Intel P4, Award BIOS
Asus motherboard - AMD Athlon X2, Phoenix BIOS
On the first two, I was able to clear the rootkit detection by:
-Unplug the machine
-Take out the CMOS battery (push the power button to clear the capacitors)
-Install the battery and plug the machine in
-Flash the BIOS from a floppy (the Windows flash did not clear the detection)
-LLF the hard drive on another machine (remember to reboot after the LLF)
I use the Apricorn DriveWire (unplugged from USB on boot)
-Return the hard drive to the computer and load Windows from a trusted disk.
****The rootkit detection has not returned on these computers****
On the Asus, after performing the above tasks, ComboFix still detects a rootkit and wants to reboot. After clicking OK, the ComboFix window and all icons disappear. The mouse is still able to move, but after 15 minutes the computer still does not reboot. I power it down and reboot. ComboFix runs but seems to detect nothing.
Could ComboFix have a false detection?
Any other experiences?
Edited by Orange Blossom, 26 January 2011 - 10:49 PM.
Moved to AV forum. ~ OB