ComboFix detecting ZeroAccess.Rootkit

Windows XP computer.

ComboFix says that ZeroAccess.Rootkit is found but doesn't seem to get rid of it. It also says that AVG is still installed but that was removed and I have also ran the AVG Removal Tool.

There are no other symptoms of the rootkit.

We have ran all of the standard programs and some other programs none of them are reporting any rootkit and there is no suspicious network activity.

 

I have attached the most resent ComboFix log.

 

I have already ran TDS Killer and MBR Fix. I have also read and done everything on the other post.

 

MBR Check

 

Sorry for the delay, here is the file

 

I took care of the problem finally. I downloaded and ran RootRepeal. It found a file locked in one of the $ntuninstallkb...$ folders. The file was locked and could not be deleted with RootRepeal or another program we use called unlocker. The entire folder structure of that folder was inconsistent with what you would normally find in the $ntuninstallkb...$ folders. Between the two of them (force wipe in RR, attempting to delete the file in RR, and then deleting the file in unlocker) I was able to delete the file.

Once the file deleted, Combofix ran with the normal AVG still installed error, but didn't detect any rootkit activity. After it completed, I ran it again just to see what would happen and it finally stopped showing the AVG still installed error.

Hopefully someone else with the same problem finds this thread and it helps them out since most of the threads I have found with this sequence of problems end with no solution.

 

I understand what you're saying, but I'm just letting everyone know what worked for me. We've had this computer for over a week now and after doing our standard cleaning procedure and a ton of extra researching (checking file validity, network activity, etc...), still had Combofix reporting an infection when no other programs would show. I've found several posts on several forums from people having this same issue. Most go unsolved, or no one posts what steps they finally went through to remove it. My hope was that someone might find this thread and it helps them locate something that is unusually difficult to find even for very very seasoned techs(been doing this since the late 80's).

The crazy part is that Combofix would detect the infection, and activity, but wouldn't list anything about it in the log. That's the same issue I found on other threads as well. I can't even list the number of utilities/scans we ran that all showed no signs of infection at all. The computer showed no symptoms of anything either. Gotta love that Combofix at least detected it. I didn't want to get it back to my customer until I was convinced that there was nothing left on the machine.



(Side note)
Kestrel13!: I attached the two logs you specifically asked for, though the 2nd was a little later in the day. I'm not accustomed to going to others for assistance, so maybe I am not good at following the instructions, but I couldn't figure out what other logs you were talking about. The Read Me First is a very good list of things to attempt, but doesn't give a clear idea of which logs you would be looking to get from me. A simple clear list of the ones you were asking for would have been a little more helpful in my case.

That being said, you all do a wonderful job for people on this forum, and the work you do is very much appreciated. Just reading your responses got me to a place where I found a program I hadn't heard of or used before that helped me find the files causing the problem.

Thanks again