DIY: Add Combofix to your security toolkit

If you're trying to remove a virus, Trojan, rootkit, malware, etc., Jack Wallen says Combofix is one tool that will not fail. Read his cautionary advice about using this powerful tool.

Combofix is a free tool that removes rootkits, Trojans, and malware better than any application I've tried. It is not, however, a real-time scanner. I'm very careful not to let this powerful tool get into the hands of end users. After using Combofix on a client machine, the first thing I do upon completion of the task is delete Combofix. I do not mock Combofix; I do not wag a finger at Combofix; I do not complain to or rush Combofix.

Combofix works on these platforms:

  • Windows XP (32-bit only)
  • Windows 2000 (32-bit only)
  • Windows Vista (32-bit/64-bit)
  • Windows 7 (32-bit/64-bit)

During the process of running, Combofix will delete files in these locations (there is no way to prevent this):

  • Windows Recycle Bin
  • Temporary Internet Files
  • Temp Folder

Instructions for using Combofix

Step 1: Download the .exe file.

You should download Combofix from Bleeping Computer. Do not download the tool from or or -- if you do, you're playing with fire. In fact, when you run Combofix, you should see a warning that the tool is in no way affiliated with

To make sure I remember to delete the Combofix file, I always download the .exe file to the desktop and then drag it to a spot where it stands out.

Step 2: Stop any antivirus on the machine.

This is where the real fun begins, especially if the antivirus in question is AVG. If AVG is running, you should remove it by downloading the AVG Remover Tool and removing AVG antivirus completely (rather than turning it off or using the uninstall entry in the AVG menu).

Step 3: Double-click the .exe file. This will start up the tool. Caveat: If you are running a remote session, the session will be terminated; there is no way around it. I recommend warning the client or department manager that the connection will be terminated, and then stating that you will walk them through the process. Before starting Combofix, you should explain exactly what is going to happen. I usually stay on the phone until Combofix begins the first of its 51 passes it will make on the system. I ask the client to call me once the 51 passes have completed, at which point, I walk them through the final steps. Step 4: Agree to the license.

Once Combofix completes its run, it will seem like nothing is happening, but that is not the case; Combofix is not complete until the log file opens in Notepad. Until then, no other application should be run.


Combofix will help you cure more infections than you care to know about. If Combofix is one of the primary tools in your DIY toolkit, you'll wind up being an IT security hero.