
Cannot completely uninstall ComboFix


2 replies to this topic

#1 MarkusH

Posted 02 June 2011 - 08:40 AM

Hi,

having been infected with what turned out to be the TDL4@MBR rootkit, I naively followed the steps outlined in the thread http://forums.malwarebytes.org/index.php?showtopic=57224. I got so far that I downloaded and renamed ComboFix.exe to Combo-Fix.exe on my Desktop (as described in the thread) and ran it (and allowed it to update itself to a newer version when it asked to), before I realized that this wasn't something you should do without professional help.

So I stopped there and started to go through the preparation guide http://www.bleepingcomputer.com/forums/topic34773.html, saw that gmer reported I had TDL@MBR so I downloaded aswMBR.exe from http://digitalchunk.com/tdl4-rootkit-removal.htm, ran it and then the "address blocked" warnings from my ESET NOD32 Antivirus stopped appearing.

Then I tried to uninstall ComboFix as described in the original thread (http://forums.malwarebytes.org/index.php?showtopic=57224), but there's still a folder named Combo-Fix on my C:-drive which wasn't removed. So I downloaded ComboFix.exe again and ran ComboFix /Uninstall (didn't help), I downloaded it again and renamed it to Combo-Fix.exe when I saved it to my Desktop (as described in the original thread) and ran Combo-Fix /Uninstall from my Desktop folder, but the C:\Combo-Fix folder is still there.

Can I just delete the folder or how should I properly get rid of it?

Very grateful for help,

MarkusH

Edited by hamluis, 02 June 2011 - 01:35 PM.
Moved from MRL to AV, Firewall, etc.


#2 quietman7

Posted 03 June 2011 - 05:30 PM

You should never follow specific instructions provided to someone else especially if they are almost a year old. Those instructions were most likely given under the guidance of a trained staff helper to fix that particular member's problems, NOT YOURS after careful evaluation of the malware involved. Before taking any action, the helper must investigate the nature of the infection and then formulate a fix for the victim. Although your problem may be similar, the solution could be different based on the kind of hardware, software, system requirements, etc. and the presence of other malware which means the degree of infection can vary. Using someone else's fix instructions could lead to disastrous problems with your operating system.

Please download OTC by OldTimer and save to your Desktop.
  • Connect to the Internet and double-click on OTC.exe to start the program.
  • Click on the green CleanUp! button.
  • If you get a warning from your firewall or other security programs regarding OTC attempting to contact the Internet, please allow the connection.
  • When it has finished, OTC will ask you to reboot so it can remove itself.
-- Doing this will remove any specialized tools downloaded and used. If OTC does not delete itself, then delete the file manually when done.
-- Any leftover folders/files related to ComboFix which were not removed can be deleted manually (right-click on them and choose delete).


#3 MarkusH


Posted 05 June 2011 - 11:25 AM

Thanks,

for your quick reply. I downloaded OTC to my desktop, ran it and it removed the C:/Combo-Fix folder.

My system feels clean since a few days back. The only thing I've noticed that is different from before I was infected is that when I log off from a local user account that has a custom wallpaper, that wallpaper does not disappear as it did before, but is still in the background of the login dialog. Does that sound suspicious to you, or is it just some Windows setting (I'm running Windows XP SP3) that has been restored to default by one of the anti-malware tools I ran (some Internet Explorer 7 settings had been reset during the process too)?

As for not following specific instructions provided to someone else, I came to fully understand that during this process, but I kind of panicked at the time I was infected. It started with a fake AV tool named XP Anti-Virus 2011. I've had this kind of infection before (SystemTool) and managed to get rid of it, so I thought I could handle it myself this time too. And I thought I had, until my real AV tool started to warn about blocked web addresses and I soon realized I had been infected with a much worse malware/virus, and then my only focus became to get rid of it as soon as possible to minimize the damage. Scary experience.

Thanks again for the help!
