This is my very first post. I begin by saying that I understand that you at Bleeping Computer do not recommend anyone to use ComboFix on his/her own and you do not offer advice on how to run ComboFix unless you have asked someone to run it.
Sorry for asking for an exception. It is because I am an experienced computer expert and I have been working in my own computer repair service shop for fifteen years, so I really know what I am doing. Additionally, I have never ever seen malware (especially rootkits) that I could not remove. Please excuse me, I don't want to be bumptious, but I really do this work for a living and I know I am really good at it.
An interesting issue emerged on one of my own office desktop computers which I would like to share. Maybe it can help to improve the detection mechanism of the powerful ComboFix system, maybe it can help others deal with this error message... or I will just learn something new.
- My computer was (and still is) working normally, XP Professional SP3, updated. No symptoms of any kind of malfunction, no malware, no hijacker, adware or spyware, only a perfectly and smoothly working system.
- I use the newest Avira Antivirus which updates regularly.
- Some days ago I accidentally opened a simple PDF file that came attached to an email from an unknown sender. It was opened in Adobe Reader XI (V11.0.08, updated) without the well-known security restrictions, which I had intentionally switched off previously to test a function of another file.
- A couple of seconds later I closed Adobe Reader and checked whether the PDF file contained an executable stream, and I found its malicious payload hidden, encoded and obfuscated.
- Avira did not alert me, of course; it is not yet prepared for this kind of threat (and neither is the other leading virus-killer software).
- Virustotal.com rated the PDF file absolutely clean.
- The Malwaretracker.com/pdf.php site analyzed my uploaded PDF and stated it really had a malicious payload in it. (Maybe a rootkit dropper.)
- I checked all of my tasks in task manager at once. Everything was normal.
- I looked through my temp folders for newly created trojan droppers (exe, bat, vbs, anything). I discovered nothing.
- I checked my services list: services.msc. I have known every line of it by heart for years, so I quickly realized there was nothing new.
- I checked msconfig for autostart items. No problems, just my own stuff.
- I ran HijackThis and went through its lines just as if it had been a customer's repair case. No clue.
- I curiously ran Kaspersky TDSSKiller, Kaspersky Security Scan, HitmanPro, Avast aswMBR and Malwarebytes Anti-Malware. My system was totally clean, as they stated.
- I even ran OTL by OldTimer in standard mode just to see deeper and more clearly. After analyzing the log I determined the diagnosis was absolutely negative. No threats could be found.
- I rebooted the OS and repeated all the above procedures. Nothing changed.
- Finally I ran ComboFix, which I knew well and had been using for many years, from the very beginning of its existence. I do know what potential changes it can make to the filesystem (if any) and how, which kinds of folders it will move, rename or delete, which registry settings it will reset, the hosts file, IE default settings, etc. Avira was completely deactivated before starting it (including its process protection option).
- ComboFix should have run without any errors, as it always had previously on this machine.
- However, this time I got an error message: Rmbr.3xe has encountered a problem and needs to close. We are sorry for the inconvenience. (I use Hungarian XP.)
- Right after I pressed CLOSE, a new window popped up with a ROOTKIT PRESENCE DETECTED! warning in its header and with a dialog box in it: ComboFix has detected the presence of rootkit activity and needs to reboot the machine.
- I was amazed: how could a new rootkit life form avoid all of my tests and attention? I rebooted. A couple of minutes later ComboFix finished its work in 53 steps and found nothing. No files, folders or services had been removed. It just gave out its clean log.
- I restarted ComboFix and it did the same. RMBR.3XE closed, right after it the ROOTKIT warning popped up and a REBOOT was initiated. After that ComboFix looked for malware to no avail. I repeated this reboot procedure once more just to try.
- I made a clean boot (only the DCOM and RPC services left checked). With no services and drivers loaded, ComboFix produced the same result: a mysterious rootkit presence that only it could recognize.
- I booted from another hard disk into Windows 7 and did a comprehensive check on the (this way secondary) XP hard disk. It was reported clean by every utility.
The question is: am I infected with some new kind of threat, or is this note of rootkit presence just a false positive? I thought that Daemon Tools could probably cause this anomaly even during a clean boot, but previously it had never occurred.
I understand that you at Bleeping Computer do not recommend anyone to use ComboFix on his/her own and you do not offer advice on how to run ComboFix unless you have asked someone to run it.
Maybe someone else has experienced the same problem I've described.
I am ready to run any tests or give you more details if asked. Thank you in advance for your assistance.
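The triage step the poster describes (checking whether a PDF carries an executable stream whose payload is hidden and encoded) can be scripted. The following is an added example written for this thread; it is not the poster's tool, not part of ComboFix, and not a substitute for a sandbox analysis. It assumes only Python's standard library and scans a constructed sample PDF built inside the script. The point it shows is why a plain keyword search over the file bytes can miss the indicator: the action dictionary lives inside a FlateDecode object stream and one of its names is hex-escaped, so the scanner has to inflate every stream and undo `#xx` escapes before it looks for `/JavaScript`, `/OpenAction` and the like.

```python
import re
import zlib

# Name keys whose presence in a PDF warrants a closer look: script, auto-run
# actions, launch actions and embedded files. Presence alone is not proof of
# malice; many legitimate forms use /AA and /JavaScript.
SUSPICIOUS_KEYS = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
                   b"/Launch", b"/EmbeddedFile", b"/RichMedia", b"/XFA"]

# A "stream ... endstream" body; the lookbehind keeps "endstream" from
# being taken as the start of a new stream.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)

# PDF names may hex-escape characters: /J#61vaScript is /JavaScript.
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def normalize_names(data):
    """Undo #xx hex escapes so that obfuscated names match plain keywords."""
    return HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate(raw):
    """Inflate a FlateDecode stream; None if the bytes are not zlib data.
    decompressobj tolerates a truncated trailer, which the regex split can cause."""
    try:
        out = zlib.decompressobj().decompress(raw)
    except zlib.error:
        return None
    return out or None


def count_keys(views):
    """Count each suspicious key across the given byte views."""
    hits = {}
    for key in SUSPICIOUS_KEYS:
        # The lookahead stops /JS from matching inside a longer name such as /JSX.
        pattern = re.compile(re.escape(key) + rb"(?![A-Za-z])")
        n = sum(len(pattern.findall(view)) for view in views)
        if n:
            hits[key.decode()] = n
    return hits


def naive_scan(data):
    """Plain keyword search over the file bytes: misses compressed objects."""
    return count_keys([normalize_names(data)])


def deep_scan(data):
    """Keyword search over the raw bytes plus every stream that inflates."""
    views = [normalize_names(data)]
    for raw in STREAM_RE.findall(data):
        decoded = inflate(raw)
        if decoded is not None:
            views.append(normalize_names(decoded))
    return count_keys(views)


def build_sample_pdf():
    """Constructed sample (not a real-world file): the JavaScript action sits
    inside a FlateDecode object stream and uses one hex-escaped name."""
    action = b"<< /S /J#61vaScript /JS (app.alert('constructed sample')) >>"
    objstm = b"5 0 " + action  # object-stream header "objnum offset", then the object
    body = zlib.compress(objstm)
    return (
        b"%PDF-1.5\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
        b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n"
        b"4 0 obj << /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length "
        + str(len(body)).encode() + b" >>\nstream\n" + body + b"\nendstream\nendobj\n"
        b"trailer << /Root 1 0 R >>\n%%EOF\n"
    )


if __name__ == "__main__":
    import sys
    # Pass a path to scan a real file; with no argument the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pdf()
    print("naive:", naive_scan(data))
    print("deep: ", deep_scan(data))
```

On the constructed sample the naive pass reports only `/OpenAction`, while the deep pass also surfaces `/JavaScript` and `/JS` from inside the inflated object stream. A hit list like this is a reason to detonate the file in an isolated VM or hand it to an analyst, not a verdict on its own; real files also use other filters (ASCIIHex, LZW, multiple filter chains) that this short script does not decode.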