I was working to root out some nasties on a laptop and I ran into a rather persistant little bugger. Even though I had removed everything suspicious I could locate using Revo Uninstaller (another of my favorites), I was not able to run updates or download any spyware or virus protection because calls to those URL’s were being redirected to localhost (127.0.0.1). The redirect in the browser would then, of course, take me to some site where I was told of the dozens of problems with my computer and how I should download their software.
I was able to download both of these applications from another machine, but the redirect simply made it impossible for Spybot and AVG to gather their updates from their respective servers. I was even able to download an installer which was Spybot’s update; however, neither of these applications would actually show their GUI’s (they appeared in the Task Manager but neither made an appearance on-screen).
After a bit of searching I found an article which talked about an application called ComboFix. Turns out it’s a great little utility.
Just to recap: I wasn’t able to run any viral/spyware updates or visit any site (like avg.com or safer-networking.org) because of the re-route to localhost (127.0.0.1); the machine was seriously hijacked; and I couldn’t find anything that would be doing it.
This utility does a pretty brutal scan, reboots the machine automatically, and starts itself up before anything else—and keeps doing that until it’s found nothing at all. It found a rootkit problem and rebooted maybe 3 times before it gave its final report. Only then was I able to run Spybot and AVG, run their updates, and run their respective scans.
You’ll want to pay special attention to the section where the article discusses the recovery console (XP) and recovery environment (Vista), but the whole thing worked great. (I used the XP SP2 recovery console because I could not find one for SP3.)