This article shares an experience I had with a stubborn virus and spyware infection; hopefully, this will help you.
As an IT specialist, I know how to keep my computers as spyware- and virus-free as possible. But sometimes a few sneak by that even the best antispyware and antivirus programs cannot detect.
The Symptoms
I immediately noticed these symptoms on my PC:
- An NT AUTHORITY\SYSTEM dialog window popped up alerting that "This system is shutting down. Windows must now restart because the Remote Procedure Call (RPC) service terminated unexpectedly." I had seen this many years before and easily dealt with it. This was different.

- My Firefox web browser was uninstalled and the shortcut on my desktop no longer worked.
- All of my anti-spyware programs were rendered inactive and would not run. Therefore, I could not scan for spyware.
- All Anti-Spyware programs had to be reinstalled after every attempt to use them.
This was a particularly malicious trojan and proved very difficult to isolate and remove.
My Fix
After hours of trying different things, one program did the trick, and it is free. It is called ComboFix. ComboFix is freeware, a legitimate spyware remover created by sUBs. It was designed to scan a computer for known malware and spyware (SurfSideKick, QooLogic, and Look2Me, as well as any combination of those applications) and remove them.
ComboFix also allows the manual removal of spyware infections. It is a specialized and effective cleaning tool, which makes it useful compared to other malware and spyware removers. After ComboFix finishes, a report is created. You can use this report to search for and remove infections that were not removed automatically.
Please use caution when using ComboFix as it is a very powerful program.
Here is a guide that will walk you through using it.
Step 1
Download ComboFix To Your Desktop For Easy Access
Step 2
Close All Programs Running on Your Computer and Disable All Running Antivirus and Antispyware Programs and the Firewall.
(Go Here to Learn How To Disable Your Firewall).
(Go Here to Learn How To Disable Your Antivirus Program).
(Go Here To Learn How to Disable Your Anti-Malware Scanner).
Step 3
Start ComboFix. If ComboFix detects running programs that will affect its ability to do its job, it will alert you. In this example, I am running McAfee VirusScan and will need to temporarily turn it off before using ComboFix.
Step 4
ComboFix is now preparing to run.

Step 5
ComboFix will create a System Restore point so that if any problems occur while using the program you can restore back to your previous configuration. When ComboFix has finished creating the restore point, it will then backup your Windows Registry as shown in the image below.

Step 6
Once the Windows Registry has finished being backed up, ComboFix will attempt to detect whether you have the Windows Recovery Console installed. If you already have it installed, you can skip to this section and continue reading. Otherwise, you will see the message shown below:

Step 7
At the above message box, please click on the Yes button in order for ComboFix to continue. Please follow the steps and instructions given by ComboFix in order to finish the installation of the Recovery Console. Once it has finished installing, you will be presented with the screen shown below.

Step 8
You should now press the Yes button to continue. If at any time during the Recovery Console installation you receive a message stating that it failed to install, please allow ComboFix to continue with the scan of your computer. When it is done, and a log has been created, you can then perform the manual install of the Recovery Console using the steps found in the Manually installing the Windows Recovery Console section.
ComboFix will now disconnect your computer from the Internet, so do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet. When ComboFix has finished it will automatically restore your Internet connection.
ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient.
Step 9
While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to their previous settings. You will also see the text in the ComboFix window being updated as it goes through the various stages of its scan. An example of this can be seen below.

Step 10
At the time of this writing there are a total of 50 stages, as shown in the image below, so please be patient. The number of stages will go up as time goes on, so if the number of stages is different when you run it, please do not be concerned.

Step 11
When ComboFix has finished running, you will see a screen stating that it is preparing the log report as shown below.

Step 12
This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and tells you that the program's log file, or report, will be located at C:\ComboFix.txt. This can be seen in the image below.

Step 13
When ComboFix has finished, it will automatically close the program and change your clock back to its original format. It will then display the log file automatically for you as shown below.
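As an added example (not from the article and not part of ComboFix), the following PowerShell script reproduces the safeguards that Steps 2, 5 and 12 describe ComboFix taking automatically: a restore point and registry hive export before any cleaning tool runs, a record of the security products Windows has registered so you can confirm each one is back after the cleanup, and a check for the report at C:\ComboFix.txt. It assumes an elevated PowerShell on a Windows version that has Checkpoint-Computer and the root/SecurityCenter2 WMI namespace; the backup folder name is a placeholder.

```powershell
# Added example, not part of the article or of ComboFix. Assumes an elevated
# PowerShell on Windows with Checkpoint-Computer and root/SecurityCenter2.
# The backup folder is a placeholder; change it to suit your environment.

function Invoke-PreCleanupBackup {
    param([string]$BackupDir = (Join-Path $env:SystemDrive 'PreCleanupBackup'))
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

    # Step 5 equivalent: a restore point, then an export of the hives a
    # cleaning tool is most likely to change (Run keys, services, user shell).
    Checkpoint-Computer -Description 'Before malware cleanup' `
                        -RestorePointType 'MODIFY_SETTINGS'
    foreach ($hive in 'HKLM\SOFTWARE', 'HKLM\SYSTEM', 'HKCU') {
        $file = Join-Path $BackupDir (($hive -replace '[\\:]', '_') + '.reg')
        & reg.exe export $hive $file /y | Out-Null
    }

    # Step 2 / "What Next" equivalent: record which security products Windows
    # knows about and their state, so you can compare after the cleanup.
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct |
        Select-Object displayName, productState |
        Export-Csv -Path (Join-Path $BackupDir 'security-products-before.csv') `
                   -NoTypeInformation
    return $BackupDir
}

function Test-CleanupResult {
    param([string]$BackupDir,
          [string]$Log = (Join-Path $env:SystemDrive 'ComboFix.txt'))

    # Step 12 equivalent: the report is the evidence to act on. No report
    # usually means the tool hung (see the Important Notice below).
    if (-not (Test-Path $Log)) {
        Write-Warning "No report at $Log; the tool may not have completed."
        return $false
    }

    # Confirm each product recorded before the cleanup is still registered;
    # a product that vanished is exactly the symptom the article describes.
    $before  = Import-Csv (Join-Path $BackupDir 'security-products-before.csv')
    $after   = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct
    $missing = $before | Where-Object { $_.displayName -notin $after.displayName }
    foreach ($m in $missing) { Write-Warning "Security product missing: $($m.displayName)" }
    return (@($missing).Count -eq 0)
}

# Usage: $dir = Invoke-PreCleanupBackup; run ComboFix by hand (Steps 3 to 13);
# then Test-CleanupResult -BackupDir $dir
```

Checkpoint-Computer requires System Restore to be enabled on the system drive and, on Windows 8 and later, only writes a warning if a restore point was already created in the last 24 hours, so check its output before proceeding.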

IMPORTANT NOTICE
If you find that ComboFix hangs during the preparation stage (Step 4), please reboot your computer into Safe Mode with Networking and try the procedure again. You will find detailed instructions on booting into Safe Mode here. (Thanks Kerry)
What Next?
After ComboFix did its thing, I was then able to run my antispyware programs to scan for and remove any spyware that had crept into my computer. (Incidentally, I use a combination of Malwarebytes, Spybot Search and Destroy, and Super AntiSpyware to deal with spyware removal. All three programs are free and work wonderfully.)
See this article on where to download and use these programs.
I re-installed Firefox, Malwarebytes, Spybot Search and Destroy, and Super AntiSpyware.
I then re-enabled my McAfee VirusScan program and scanned my computer.
I credit ComboFix. It removed the culprit that killed my Firefox web browser and Antispyware programs.
Comments
Thanks, Ron! This has been so helpful! I am sharing my experience and how combofix helped it in case others have a similar problem, but I couldn't have done it without your help! You rock!!
I was trying to fix my brother-in-law's computer. The computer symptoms were no virus scans or logging/analyzing tools were working, windows update wasn't working, virus scan monitors shut down, and every time an internet browser window was opened, it routed to some bogus website (said POPEO auction). Lots of weird stuff like Word not working right, icons showing up on the desktop, etc., etc.
I downloaded and ran GMER.EXE. I could not do a full scan, as it would crash the computer (blue screen of death), but its initial scan showed 2 rootkits, SKYNET and something that started with UAC. I googled those rootkits and found a site that told you where all the files were to be deleted, but could only be done using the Windows XP recovery console, as they are hidden (of course) from Windows. I was able to remove all files after finding this post that listed the location of all the files.
As a side note, I tried booting off the XP CD to run the recovery console, but it kept saying it couldn't find the hard drive. If you have a Dell with a SATA drive, you have to change your SATA drive controller setting in BIOS from AHCI to Combination. Then you can run the installation CD and it will recognize your hard drive and you can use the repair console if you know how.
After getting to the repair console and removing all the designated SKYNET and UAC files I had read about, a few things were fixed, but I still could not run anti-virus tools or analyzers (such as Hijackthis). I could download and install them (which I could not do before) but could not run them.
I finally tried running Combofix. I know, I know, dangerous tool, at your own risk, blah blah blah. Frankly I don't understand all the warnings. It's not an interactive tool. I would think the repair console is riskier than running a script like Combofix.
I got assurance from my brother-in-law that no data was critical on the computer, so if Combofix boogered everything, I could just reinstall Windows or format the drive.
At any rate, all things pointed to needing to run combofix. The problem was, when I ran it, it immediately detected a rootkit and wanted to reboot. Upon reboot, it would open a command window and say “Preparing to run…” but nothing would happen. I was so frustrated!!
I found this website and e-mailed Ron in desperation. He replied right away suggesting running Combofix in Safe mode with Networking. DUUUUHHHH. I don't know where my head was. That whole too far into the forest to see the trees thing I suppose…
I ran Combofix in safe mode, got the same “Rootkit activity detected and must reboot!!”, but I remembered to hit F8 and reboot into Safe mode with Networking the second time. And, VOILA! Combofix ran without a hitch and fixed EVERYTHING.
After Combofix, I ran Spybot, which found 75 problems and fixed 73 of them (I had to reboot and rescan to get the other 2 fixed). I ran Malwarebytes and it came up clean, and AVG came up clean. PC is running smoothly, and Windows was able to be updated with all the security updates that were not able to be installed previously.
So I say, if you are having the same problem I am, Combofix in Safe Mode with Networking is the way to go. Of course, backup all your data and whatnot in case it totally blows up in your face, but like I said, at the point my brother-in-law was, the computer was unusable, so we had nothing to lose.
Of course, I am not a professional, just a former techie who is now a stay-at-home mom and likes to help her friends and family fix their computer problems.