Combofix - Rmbr.3xe has encountered a problem...


6 replies to this topic

#1 Uridium


Posted 08 September 2014 - 09:18 AM

Hi,

 

This is my very first post. I will begin by saying that I understand that you at Bleeping Computer do not recommend that anyone use ComboFix on his/her own and that you do not offer advice on how to run ComboFix unless you asked someone to run it.

 

Sorry for asking for an exception. It is because I am an experienced computer expert and I have been running my own computer repair service shop for fifteen years, so I really know what I am doing. Additionally, I have never ever seen a piece of malware (especially a rootkit) that I could not remove. Please excuse me, I don't want to be bumptious, but I really do this work for a living and I know I am really good at it.

 

An interesting issue emerged on one of my own office desktop computers which I would like to share. Maybe it can help to improve the detection mechanism of ComboFix's powerful system, maybe it can help others deal with this error message... or I will just learn something new.

 

 

- My computer was (and still is) working normally: XP Professional SP3, updated. No symptoms of any kind of malfunction, no malware, hijacker, adware or spyware, only a perfectly and smoothly working system.

- I use the newest Avira Antivirus which updates regularly.

 

- Some days ago I accidentally opened a simple PDF file that came attached to an email from an unknown sender. It was opened in Adobe Reader XI (v11.0.08, updated) without the well-known security restrictions, which I had intentionally switched off previously to test a function of another file.

- A couple of seconds later I closed Adobe Reader and checked whether the PDF file contained an executable stream, and I found its malicious payload hidden, encoded and obfuscated.
- Avira did not alert me, of course; it is not yet prepared for this kind of threat (and neither are the other leading antivirus products).

- Virustotal.com rated the PDF file absolutely clean.

- The Malwaretracker.com/pdf.php site analyzed my uploaded PDF and stated it really had a malicious payload in it. (Maybe a rootkit dropper.)

 

- I checked all of my tasks in Task Manager at once. Everything was normal.

- I looked through my temp folders for newly created trojan droppers (exe, bat, vbs, anything). I discovered nothing.

- I checked my services list: services.msc. For years I have known every line of it by heart, so I quickly realized there was nothing new.

- I checked msconfig for autostart items. No problems, just my own stuff.

- I ran HijackThis and went through its lines just as if it had been a customer's repair case. No clue.

- Out of curiosity I ran Kaspersky TDSSKiller, Kaspersky Security Scan, HitmanPro, Avast aswMBR and Malwarebytes Anti-Malware. My system was totally clean, as they stated.

- I even ran OTL by OldTimer in standard mode just to see deeper and more clearly. After analyzing the log I determined the diagnosis was absolutely negative. No threats could be found.

- I rebooted the OS and repeated all the above procedures. Nothing changed.

 

- Finally I ran ComboFix, which I knew well and had been using for many years since it was first released. I do know what potential changes it can make to the filesystem (if any) and how, which kinds of folders it will move, rename or delete, which registry settings it will reset, the hosts file, IE default settings, etc. Avira was completely deactivated before starting it (including its process protection option).

- ComboFix should have run without any errors, as it always had before on this machine.

 

- However, this time I got an error message: Rmbr.3xe has encountered a problem and needs to close. We are sorry for the inconvenience. (I use Hungarian XP.)
 

[Attachment: Combofix.png]


- Right after I pressed CLOSE, a new window popped up with ROOTKIT PRESENCE DETECTED! in its header and a dialog box in it: ComboFix has detected the presence of rootkit activity and needs to reboot the machine.

 

- I was amazed: how could a new rootkit life form avoid all of my tests and attention? I rebooted. A couple of minutes later ComboFix finished its work in 53 steps and found nothing. No files, folders or services had been removed. It just gave out its clean log.

- I restarted ComboFix and it did the same. RMBR.3XE closed; right after it the ROOTKIT warning popped up and a REBOOT was initiated. After that ComboFix looked for malware to no avail. I repeated this reboot procedure once more just to try.

- I did a clean boot (only the DCOM and RPC services left checked). With no services or drivers loaded, ComboFix produced the same result: a mysterious rootkit presence that only it could recognize.

- I booted from another hard disk into Windows 7 and did a comprehensive check on the (now secondary) XP hard disk. It was reported clean by every utility.

 

The question is: am I infected with some new kind of threat, or is this note of rootkit presence just a false positive? I thought that Daemon Tools could probably cause this anomaly even during a clean boot, but formerly it had just never occurred.

I understand that you at Bleeping Computer do not recommend anyone to use ComboFix on his/her own and you do not offer advice on how to run ComboFix unless you asked someone to run it.

 

 

Maybe someone else has experienced the same problem I've described.

 

I am ready to run any tests or give you more details if asked. Thank you in advance for your assistance.

 

Regards,

Uridium
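The PDF check described in the first post (looking inside the attachment for an executable stream hidden behind encoding) is the kind of triage a defender can script. This is an added example, not code from the thread or from any tool named in it: a pure-Python pass that counts suspicious PDF name objects after undoing the #xx name escaping a document author can use to hide them from a naive keyword search. The keyword list and the sample PDF bytes are constructed for illustration.

```python
import re
from collections import Counter

# Name objects that make a mailed PDF worth a closer look (the same class of
# indicators that pdfid-style triage tools count). Constructed list, not exhaustive.
SUSPICIOUS_NAMES = (
    "/JavaScript", "/JS", "/Launch", "/OpenAction", "/AA",
    "/EmbeddedFile", "/RichMedia", "/ObjStm", "/XFA",
)

# The PDF syntax lets any character of a name be written as #xx, so
# /J#61vaScript is still /JavaScript to the reader. Undo that before matching.
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

def normalise_names(data: bytes) -> bytes:
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)

def count_suspicious(data: bytes) -> dict:
    """Count suspicious name objects in raw PDF bytes after de-obfuscating #xx escapes.
    Caveat: names inside FlateDecode-compressed object streams are invisible here;
    a non-zero /ObjStm count means the file must be decompressed before trusting a clean result."""
    text = normalise_names(data)
    counts = Counter()
    for name in SUSPICIOUS_NAMES:
        # A name ends at whitespace or a delimiter, so /JS must not match /JSX.
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z0-9])"
        hits = len(re.findall(pattern, text))
        if hits:
            counts[name] = hits
    return dict(counts)

def triage(data: bytes) -> tuple:
    """Return (verdict, counts). 'suspicious' = something runs automatically AND active content is present."""
    counts = count_suspicious(data)
    auto_run = any(k in counts for k in ("/OpenAction", "/AA"))
    active = any(k in counts for k in ("/JavaScript", "/JS", "/Launch", "/EmbeddedFile", "/RichMedia"))
    verdict = "suspicious" if (auto_run and active) else ("review" if counts else "no indicators")
    return verdict, counts

# Constructed sample: a minimal document whose /OpenAction points at an
# obfuscated /J#61vaScript action. Structure only, no real payload.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /S /J#61vaScript /JS (app.alert(1)) >> endobj
trailer << /Root 1 0 R >>
%%EOF"""

if __name__ == "__main__":
    print(triage(SAMPLE_PDF))  # ('suspicious', {'/JavaScript': 1, '/JS': 1, '/OpenAction': 1})
```

A clean verdict from this pass is only meaningful on an uncompressed file; the online analysers mentioned in the post do the decompression step that this script deliberately leaves out.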

 



#2 quietman7


Posted 08 September 2014 - 09:48 AM

Welcome to Bleeping Computer.

I have reported the error to the developer (sUBs) and provided a link to your topic. If he needs to see the log (ComboFix.txt) or anything else, I will advise you where to submit it.
--
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 Uridium


Posted 08 September 2014 - 09:51 AM

Thank you very much.

 

Regards,

Uridium



#4 quietman7


Posted 08 September 2014 - 09:54 AM

Not a problem. I will let you know when I hear back from sUBs.

#5 quietman7


Posted 08 September 2014 - 02:25 PM

sUBs advised this error is not something he can fix...rMBR.exe is Gmer's mbr.exe.

Combofix is optimized to run from normal mode where it is most effective. However, you can try running it in safe mode if you are having trouble getting it to run or loading Windows in normal mode.

BTW...CF detecting "rootkit activity" is not the same as detecting an actual malicious rootkit, which would show in the Stealth MBR rootkit section of a log if it were present. Since nothing is showing in your logs, it appears you are not dealing with an actual rootkit and the cause of this activity lies elsewhere. It is normal for a firewall, some anti-virus and anti-malware software, CD emulators, virtual machines, sandboxes and Host-based Intrusion Prevention Systems (HIPS) to exhibit rootkit-like behavior or hook into the OS kernel/SSDT (System Service Descriptor Table) in order to protect your system. That hooking can cause the "rootkit activity" message when running ComboFix in normal mode.

#6 Uridium


Posted 09 September 2014 - 02:22 AM

Thank you for your kind support, as well as the precise and detailed answers that were very useful for me. I appreciate them!

 

Now I understand what behaviour can cause this phenomenon, and in the future I can distinguish the real warning from the one caused by hooking. Within a couple of days I will investigate further which program / service / driver has such a hook into the OS kernel (even in a clean boot state) that interferes with CF.

 

If I discover the culprit I will post it.



#7 quietman7


Posted 09 September 2014 - 07:38 AM

You're welcome and good luck.



