
DIY: Add Combofix to your security toolkit

If you're trying to remove a virus, Trojan, rootkit, malware, etc., Jack Wallen says Combofix is one tool that will not fail. Read his cautionary advice about using this powerful tool.

Combofix is a free tool that removes rootkits, Trojans, and malware better than any application I've tried. It is not, however, a real-time scanner. I'm very careful not to let this powerful tool get into the hands of end users. After using Combofix on a client machine, the first thing I do upon completion of the task is delete Combofix. I do not mock Combofix; I do not wag a finger at Combofix; I do not complain to or rush Combofix.

Combofix works on these platforms:

  • Windows XP (32-bit only)
  • Windows 2000 (32-bit only)
  • Windows Vista (32-bit/64-bit)
  • Windows 7 (32-bit/64-bit)

During the process of running, Combofix will delete files in these locations (there is no way to prevent this):

  • Windows Recycle Bin
  • Temporary Internet Files
  • Temp Folder

Instructions for using Combofix

Step 1: Download the .exe file.

You should download Combofix from Bleeping Computer. Do not download the tool from combofix.com or combofix.org or combofix.net -- if you do, you're playing with fire. In fact, when you run Combofix, you should see a warning that the tool is in no way affiliated with combofix.org.

To make sure I remember to delete the Combofix file, I always download the .exe file to the desktop and then drag it to a spot where it stands out.

Step 2: Stop any antivirus on the machine.

This is where the real fun begins, especially if the antivirus in question is AVG. If AVG is running, you should remove it by downloading the AVG Remover Tool and removing AVG antivirus completely (rather than turning it off or using the uninstall entry in the AVG menu).

Step 3: Double-click the .exe file. This will start up the tool. Caveat: If you are running a remote session, the session will be terminated; there is no way around it. I recommend warning the client or department manager that the connection will be terminated, and then stating that you will walk them through the process. Before starting Combofix, you should explain exactly what is going to happen. I usually stay on the phone until Combofix begins the first of the 51 passes it makes on the system. I ask the client to call me once the 51 passes have completed, at which point I walk them through the final steps.

Step 4: Agree to the license.

After the passes finish, it will look as though nothing is happening, but that is not the case; Combofix is not finished until the log file opens in Notepad. Until then, no other application should be run.
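The steps above amount to a pre-flight checklist: confirm the platform is one Combofix supports, make sure you are not about to lose a remote session, find the antivirus that must be stopped (and flag AVG, which the article says must be fully removed), see how much will be lost from the locations Combofix empties, and record a hash of the file you downloaded. The PowerShell script below is an added example that runs that checklist; it is not part of the article and not ComboFix's own code. It only reports and never starts Combofix, stops antivirus, or deletes anything. It assumes you pass the path of the downloaded .exe; the article gives no reference hash, so the SHA-256 it prints is for your own record.

```powershell
# Pre-flight report before running ComboFix (added example, reporting only).
param(
    [Parameter(Mandatory = $true)]
    [string]$ExePath   # assumed: wherever you downloaded ComboFix.exe, e.g. the desktop
)

# 1. Platform. The article lists 2000/XP (32-bit only) and Vista/7 (32- or 64-bit).
$os   = Get-WmiObject Win32_OperatingSystem
$arch = $os.OSArchitecture                # XP/2000 WMI has no OSArchitecture property
if (-not $arch) { $arch = '32-bit' }
$ver  = [version]$os.Version
if ($ver.Major -eq 5) {                   # 2000 = 5.0, XP = 5.1
    $supported = ($arch -like '32*')
} elseif ($ver.Major -eq 6 -and $ver.Minor -le 1) {   # Vista = 6.0, 7 = 6.1
    $supported = $true
} else {
    $supported = $false
}
Write-Host ("OS: {0} ({1}) - supported by ComboFix: {2}" -f $os.Caption, $arch, $supported)

# 2. Remote session. ComboFix terminates it, so the run must be walked through by phone.
Add-Type -AssemblyName System.Windows.Forms
if ([System.Windows.Forms.SystemInformation]::TerminalServerSession -or $env:SESSIONNAME -like 'RDP-*') {
    Write-Warning 'This is a remote session. ComboFix will drop it; arrange the walkthrough first.'
}

# 3. Antivirus registered with Security Center (Vista+ uses SecurityCenter2, XP uses SecurityCenter).
$avProducts = @()
foreach ($ns in 'root\SecurityCenter2', 'root\SecurityCenter') {
    try {
        $avProducts += Get-WmiObject -Namespace $ns -Class AntiVirusProduct -ErrorAction Stop
    } catch { }                            # namespace absent on this edition; keep going
}
if ($avProducts) {
    foreach ($av in $avProducts) {
        if ($av.displayName -match 'AVG') {
            Write-Warning ("{0} found: the article says to remove it with the AVG Remover Tool, not just disable it." -f $av.displayName)
        } else {
            Write-Warning ("{0} found: stop it before running ComboFix." -f $av.displayName)
        }
    }
} else {
    Write-Host 'No antivirus product is registered with Security Center.'
}

# 4. Locations ComboFix empties without asking: show what is about to be lost.
function Get-FolderSizeMB([string]$Path) {
    if (-not (Test-Path $Path)) { return 0 }
    $sum = (Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer } |
            Measure-Object -Property Length -Sum).Sum
    return [math]::Round(($sum / 1MB), 1)
}
$shell = New-Object -ComObject Shell.Application
$binItems = $shell.NameSpace(0x0A).Items().Count      # 0x0A = Recycle Bin folder
Write-Host ("Recycle Bin items: {0}" -f $binItems)
Write-Host ("Temp folder ({0}): {1} MB" -f $env:TEMP, (Get-FolderSizeMB $env:TEMP))
$tif = Join-Path $env:LOCALAPPDATA 'Microsoft\Windows\Temporary Internet Files'   # Vista/7 location
Write-Host ("Temporary Internet Files: {0} MB" -f (Get-FolderSizeMB $tif))

# 5. Hash of the downloaded file, for your own records (works on PowerShell 2.0, unlike Get-FileHash).
if (Test-Path $ExePath) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($ExePath)
    try {
        $hash = ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $fs.Close()
    }
    Write-Host ("SHA-256 of {0}: {1}" -f $ExePath, $hash)
    Write-Host 'Remember: delete this file when the run is finished.'
} else {
    Write-Warning ("File not found: {0}" -f $ExePath)
}
```

Run it from an elevated PowerShell prompt as `.\Preflight-ComboFix.ps1 -ExePath "$env:USERPROFILE\Desktop\ComboFix.exe"` (script name and path are assumptions). The Temporary Internet Files path it reports is the Vista/7 one; on XP that folder lives under Local Settings in the user profile.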

Conclusion

Combofix will help you cure more infections than you care to know about. If Combofix is one of the primary tools in your DIY toolkit, you'll wind up being an IT security hero.

About

Jack Wallen is an award-winning writer for TechRepublic and Linux.com. He’s an avid promoter of open source and the voice of The Android Expert. For more news about Jack Wallen, visit his website getjackd.net.

7 comments
Dastover07

I use ComboFix when I've exhausted my options when other tools like MalwareBytes aren't doing the job. I've heard that it's a bit risky because it does such a thorough job. So, I only use it on the really tough infections. It's always been successful for me.

lowcountry.IT

Last week I ran into my first ever experience with ComboFix not working as needed. Ran from Safe Mode, it found rootkit activity, rebooted, and after running at the beginning of Normal mode bootup, would crash when trying to delete the rootkit folder. Ended up running GMER to find it was TLD4@MBR, but GMER couldn't remove it either. Kaspersky TDSS Killer ended up taking care of it though.

benb

Is there a version that is licensed for commercial use? It says this isn't on Bleeping computer...

benb

While warning about it in the article, "You should download Combofix from Bleeping Computer. Do not download the tool from combofix.com or combofix.org or combofix.net -- if you do, you're playing with fire. In fact, when you run Combofix, you should see a warning that the tool is in no way affiliated with combofix.org." the link for Combofix at the top of this TR article actually goes to combofix.org - what's up with that?

Craig_B

I've had very good success removing malware using Microsoft Safety Scanner (it's basically a stand-alone MS Security Essentials). The malware was on Windows 7 and Server 2008 systems where users clicked on something and then allowed the malware to be installed. Symantec is our regular AV solution; it detected the malware and kind of stopped it from doing too much but could not remove it. MSS was able to completely remove the malware.

gharlow

Combofix works very well and is particularly adept at getting rid of rootkits. Once the rootkit is gone I run Malwarebytes, cwshredder and a few others. Many machines I deal with now have MBR viruses, so after running combofix I run the recovery console and fixmbr to rewrite the boot record. Combofix does a great deal without asking etc., so I am a bit suspicious. Gracious too, since it is basically the ONLY tool which will clear a root kit infected computer!

AnsuGisalas

Combofix isn't going to restore a hosed MBR for you (really not its job); there's a Windows command for that.