Spyware Removal – Pain followed by success

I was working on a PC for someone that had some real issues with spyware on his system.  The main symptom that he found was that his computer would hang after boot up.  The mouse could move around, but you couldn’t do anything with the Start Menu, desktop icons, or the keyboard.  My task was to get the system responsive again and do my best to remove what was causing it.

At first things didn’t go well.  I was able to work around the boot up problem by starting into Safe Mode.  When I copied over the installer for Malwarebytes I found that the program wouldn’t execute.  I used Autoruns from Sysinternals to see what was firing up on boot and removed several things that shouldn’t have been there.  I rebooted into Windows normally and I could use the system again.  However, IE started popping up and it was attempting to connect to a bogus URL.  Better, but not great.  I tried to run the install for Malwarebytes again.  No luck.  Back into safe mode, more clean up, back into normal mode and the desktop hangs again.  Worse luck.

At this point none of the removal tools I have are working, removing things from startup isn’t working, and I’m getting really frustrated.  It was late, so I tried again the next day.  I started looking at doing a repair installation of Windows XP to work around the issue, but due to problems with RAID card drivers the effort failed.  I went back to looking for a way to deal with the system without the repair install.

The first sign of progress was when I renamed the installer for Malwarebytes.  I executed the renamed file and the installer fired right up!  Everything went fine until the actual executable for Malwarebytes started.  Then the installer froze and had to be killed.  I did some searching for the symptoms and found a tool called ComboFix.  I did some quick research and the tool appeared to be legitimate.  I booted into Safe Mode and renamed the executable ComboFix.exe to 1ComboFix.exe.  Execution of the renamed file took off and it started scanning.

Fairly quickly it found some stuff that it deemed rootkits.  Joy.  It listed them as:

c:\windows\system32\drivers\UACrjnkvrnp.sys
c:\windows\system32\UACqfuirjuv.dll
c:\windows\system32\UACtfbsky.dat
c:\windows\system32\UACwsnlkjjbj.dll
c:\windows\system32\UACalotomap.dll
c:\windows\system32\UACqhhmqhcl.dll
c:\windows\system32\UACogswwuya.log
c:\windows\system32\UACogixetrb.log
c:\windows\system32\UACbftmxewp.log
c:\windows\system32\UACpxtfqxqm.dll

It rebooted, removed the files and then came up in regular mode.  It continued scanning and removed more files flagged as spyware.  One more reboot and the process completed.  I fired up the Malwarebytes installer and had no problems during install.  I ran a full scan of the system and it found another 23 items.  Most of these were registry entries, but some were actual files that looked pretty suspect.  One more reboot to complete the scan was needed.  The machine came up normally and cleanly.  I ran another scan and it came up clean.  I did several more reboots, started Internet Explorer, and ran several other programs.  Everything looked great and the system was responding well.  It looks like a happy ending for this computer.

Do I completely trust that everything was removed and the system is 100% clean again?  No, I don’t.  There was way too much installed on it to make me feel any confidence about that.  However, ComboFix and Malwarebytes took a machine that couldn’t even finish start up and got it back up and running again.  So while I have my reservations, I can at least have a better chance of giving a customer a reasonably responsive system and explain the risks as they now are.  And I found a new tool that seems to have done a great job.  That’s never a bad thing.


Filed under: Consulting

2 Responses to “Spyware Removal – Pain followed by success”

  • Kathy Smith Says:

    While I don’t agree with everything you said you do have some valid points. Overall it was pretty good probably be back.

  • Jason Says:

    Thanks Kathy. I’m curious which areas you disagreed with. I know the whole idea of trying to “remove” spyware is already getting onto thin ice, but I wanted to know what you had in mind.
