ComboFix is another free program that helps in removing most stubborn malware and rootkits. It is a really powerful testing and fixing tool that should be used only if your anti-virus programs and anti-malware programs are unable to remove some really nasty malicious program.
There are known conflicts between AVG Anti-Virus and ComboFix - ComboFix will not run while AVG is installed. For AVG Free users, I recommend using avast! Free Antivirus or Microsoft Security Essentials instead, because these programs actually provide better protection.
McAfee's heuristics engine Artemis often pops up a false detection alarm about ComboFix. Please add combofix.exe to the list of exclusions.
avast! Antivirus users should temporarily turn off all shields (right-click System Tray icon, expand avast! shields control and click Disable until computer is restarted) to let ComboFix run correctly. Also, avast! Antivirus users must run ComboFix in normal mode of Windows instead of Safe Mode: ComboFix loads and then exits without any scanning while avast! Antivirus is installed.
ComboFix works in Windows XP, Vista and 7. Although there is no official note about this, the program also works in Windows 8 (thanks Techy for letting me know!).
ComboFix does not yet run on Windows 8.1 devices. Alternatives include RKill for detecting and stopping active malware services and processes (the scan takes only about 5 minutes!) and then using Malwarebytes Anti-Malware to get rid of the infection.
Note: always download ComboFix right before performing a malware scan from BleepingComputer's web page as this program gets updated frequently to include removal of newest malware!
Do not visit combofix.org or combofixdowload.com, these sites are not really related to this program and ComboFix itself warns about those sites.
Go to ComboFix download page, find section "Using ComboFix" and click ComboFix Download Link.
Downloading from BleepingComputer opens another page. Click Download Now within next 10 minutes.
Please save the program, do not run it right away - ComboFix works best in Windows' Safe Mode.
After downloading is complete, always restart your computer and start Windows in Safe Mode. Safe Mode ensures that most malware is unable to load and is therefore easier to detect and remove.
If you are using avast! Antivirus, please run ComboFix in Windows normal mode instead. Also, stop all shields (right-click avast! System Tray icon, expand avast! shields control and click Disable until computer is restarted) temporarily before opening ComboFix. Make sure to restart your PC to re-enable shields after running ComboFix, or use the Enable all shields command in System Tray icon optons.
Find ComboFix in your My Documents, Documents or Downloads folder (or the folder you saved it in).
Windows XP users should just double-click the ComboFix.exe file.
Windows Vista and 7 users should right-click the ComboFix.exe file and select Run as administrator. Of course, the magnificent User Account Control will kick in and ask whether you are really-really sure you want to run the program. Click Yes or OK there.
In case ComboFix will not load at all, there is certainly some malware on your Windows computer and it blocks ComboFix from starting. Open your My Documents, Documents or Downloads folder (or the folder you downloaded ComboFix to) and rename ComboFix.exe to some other name - "ff33.exe" or "GetOut.exe", just make sure to keep the ".exe" part in the end of the filename, this makes the file executable.
After renaming, double-click the file and ComboFix will load.
A disclaimer dialog appears, click I Agree.
If you have any anti-virus or anti-spyware program active in the background, you will see the two warning dialogs. You can safely ignore them by clicking OK.
A Command Prompt window with blue background opens. This stage will probably take some time to finish, be patient.
Unless some malware has disabled System Restore on your computer, ComboFix will create a System Restore point before checking your computer:
For Windows XP, ComboFix will then offer to install Windows Recovery Console. Click No here.
Finally, ComboFix will start scanning and removing malware and rootkits. During scanning, disappearing and reappearing of Desktop, Desktop Icons and Taskbar will take place a few times. This is normal. The scan usually takes 10 to 20 minutes. Do not do anything else on your computer during the scan! And please stand by during the scan - some action might be needed for deeply infected computers!
The number of last scanning Stage is 50 and first few Stages take a longer time to complete.
If your computer is badly infected, ComboFix will restart your computer. Make sure you start Windows in Safe Mode again (unless you have avast! Antivirus installed)! ComboFix will launch automatically after logging in to Windows. Follow the steps described above and wait until the scan is complete.
After scanning is complete, ComboFix will prepare a report with an overview of your computer. Again, your Desktop, Desktop Icons and Taskbar may disappear for a while, this is normal activity. This preparation might easily take several minutes and ComboFix will look for any suspicious program launches during that time.
Almost done here (actually, it still takes a few more minutes to finish).
A maximized log report window will open. You may read it, but as you are probably not an IT specialist, it will really say nothing much to you. Just close the window by using keyboard shortcut Alt+F4 or by clicking the X button on the top right.
By now your computer should be free of malware and rootkits. Restart your computer and let Windows start normally.
ComboFix sometimes changes Desktop background image to Windows' default. Choose your own background again as instructed in the Change Desktop background in Windows article.
It also tends to turn off the displaying of known file extensions (named Hide extensions for known file types), read about restoring the setting in the folder views and options article.
ComboFix always sets Internet Explorer as your default browser. In case you like alternatives such as Mozilla Firefox, Google Chrome or Opera more, change your favorite one back to the default web browser.
ComboFix creates several folders and many files before scanning and during threat removal. After Windows starts normally, you should remove ComboFix and the folders it created.
To do that, open Run menu using keyboard shortcut Windows Key+R. Alternatively for Windows XP, click Start button and then click Run. Windows Vista and 7 users can also use Start menu's Search Box as an alternative.
Type combofix /uninstall and click OK or press Enter on your keyboard. Please note that there is a space between "x" and "/".
In case you had to rename ComboFix program file to something else in previous steps, use the renamed version instead of "combofix". For example, if you renamed the file to "ff33.exe", type ff33 /uninstall instead.
ComboFix will load as usual. Click I Agree.
And again you will see two warnings about anti-virus and anti-malware programs running. Click OK there.
After several seconds, a dialog will pop up saying that ComboFix is now uninstalled. Click OK.
And that's it!