Navigation


Content

Tip: keyboard shortcut Ctrl+F searches in the page contents.

ComboFix

How to use ComboFix for removing the most stubborn malware and rootkits in Windows XP, Vista and 7

By . Last modified: 2013-09-10.

ComboFix is another free program that helps in removing most stubborn malware and rootkits. It is a really powerful testing and fixing tool that should be used only if your anti-virus programs and anti-malware programs are unable to remove some really nasty malicious program.

There are known conflicts between AVG Anti-Virus and ComboFix - ComboFix will not run while AVG is installed. For AVG Free users, I recommend using avast! Free Antivirus or Microsoft Security Essentials instead, because these programs actually provide better protection.

avast! Antivirus users should temporarily disable the AutoSandbox feature to let ComboFix run correctly. Instructions for this are in this article. Also, avast! Antivirus users must run ComboFix in normal mode of Windows instead of Safe Mode. In Safe Mode, ComboFix loads and then exits without any scanning.

ComboFix does not yet run on Windows 8 and 8.1 devices. You can use RKill for detecting and stopping active malware services and processes (the scan takes only about 5 minutes!) instead. Then use Malwarebytes Anti-Malware to get rid of the infection. 

Note: always download ComboFix right before performing a malware scan from BleepingComputer's web page as this program gets updated frequently to include removal of newest malware!
Do not visit combofix.org or combofixdowload.com, these sites are not really related to this program and ComboFix itself warns about those sites.

Downloading ComboFix

Go to ComboFix download page, find section "Using ComboFix" and click ComboFix Download Link.
ComboFix page at BleepingComputer. Scroll down to the section "Using ComboFix" and click ComboFix Download Link.

Downloading from BleepingComputer opens another page. Click Download Now within next 10 minutes.
ComboFix download page at BleepingComputer. Click Download Now.

Please save the program, do not run it right away - ComboFix works best in Windows' Safe Mode.

Running ComboFix in Windows Safe Mode

After downloading is complete, always restart your computer and start Windows in Safe Mode. Safe Mode ensures that most malware is unable to load and is therefore easier to detect and remove.
If you are using avast! Antivirus, please run ComboFix in Windows normal mode instead. Also, disable the AutoSandbox feature temporarily before opening ComboFix.

Find ComboFix in your My Documents, Documents or Downloads folder (or the folder you saved it in).
Windows XP users should just double-click the ComboFix.exe file.
Windows Vista and 7 users should right-click the ComboFix.exe file and select Run as administrator. Of course, the magnificent User Account Control will kick in and ask whether you are really-really sure you want to run the program. Click Yes or OK there.
ComboFix in Windows Vista and 7. To run ComboFix, right-click the program file and select Run as Administrator.

In case ComboFix will not load at all, there is certainly some malware on your Windows computer and it blocks ComboFix from starting. Open your My Documents, Documents or Downloads folder (or the folder you downloaded ComboFix to) and rename ComboFix.exe to some other name - "ff33.exe" or "GetOut.exe", just make sure to keep the ".exe" part in the end of the filename, this makes the file executable.
After renaming, double-click the file and ComboFix will load.

A disclaimer dialog appears, click I Agree.
ComboFix disclaimer dialog. Click I Agree.

If you have any anti-virus or anti-spyware program active in the background, you will see the two warning dialogs. You can safely ignore them by clicking OK.
ComboFix antivirus scanner detection warning. Click OK. ComboFix antivirus scanner second warning. Click OK.

A Command Prompt window with blue background opens. This stage will probably take some time to finish, be patient.
ComboFix preparing to run

Unless some malware has disabled System Restore on your computer, ComboFix will create a System Restore point before checking your computer:
ComboFix creating System Restore point

For Windows XP, ComboFix will then offer to install Windows Recovery Console. Click No here.
ComboFix offer to install Windows Recovery Console. Click No.

Finally, ComboFix will start scanning and removing malware and rootkits. During scanning, disappearing and reappearing of Desktop, Desktop Icons and Taskbar will take place a few times. This is normal. The scan usually takes 10 to 20 minutes. Do not do anything else on your computer during the scan! And please stand by during the scan - some action might be needed for deeply infected computers!
The number of last scanning Stage is 50 and first few Stages take a longer time to complete.
ComboFix scanning for infected files. This might take 10 minutes or more.

If your computer is badly infected, ComboFix will restart your computer. Make sure you start Windows in Safe Mode again (unless you have avast! Antivirus installed)! ComboFix will launch automatically after logging in to Windows. Follow the steps described above and wait until the scan is complete.

After scanning is complete, ComboFix will prepare a report with an overview of your computer. Again, your Desktop, Desktop Icons and Taskbar may disappear for a while, this is normal activity. This preparation might easily take several minutes and ComboFix will look for any suspicious program launches during that time.
ComboFix preparing Log Report with system overview and removed or disinfected files

Almost done here (actually, it still takes a few more minutes to finish).
ComboFix almost done

A maximized log report window will open. You may read it, but as you are probably not an IT specialist, it will really say nothing much to you. Smile Just close the window by using keyboard shortcut Alt+F4 or by clicking the X button on the top right.
ComboFix log report, good for IT specialists only. Close it.

By now your computer should be free of malware and rootkits. Cool Restart your computer and let Windows start normally.

Restoring settings that ComboFix changes to default

ComboFix sometimes changes Desktop background image to Windows' default. Choose your own background again as instructed in the Change Desktop background in Windows article.

It also tends to turn off the displaying of known file extensions (named Hide extensions for known file types), read about restoring the setting in this article.

ComboFix always sets Internet Explorer as your default Internet browser. In case you like alternatives such as Mozilla Firefox, Google Chrome, Opera or Apple Safari more, change your favorite one back to the default web browser.

Uninstalling ComboFix

ComboFix creates several folders and many files before scanning and during threat removal. After Windows starts normally, you should remove ComboFix and the folders it created.
To do that, open Run menu using keyboard shortcut Windows Key+R. Alternatively for Windows XP, click Start button and then click Run. Windows Vista and 7 users can also use Start menu's Search Box as an alternative.

Type combofix /uninstall and click OK or press Enter on your keyboard. Please note that there is a space between "x" and "/".
In case you had to rename ComboFix program file to something else in previous steps, use the renamed version instead of "combofix". For example, if you renamed the file to "ff33.exe", type ff33 /uninstall instead.
ComboFix uninstallation. Use keyboard shortcut Windows Key+R to open Run dialog. Type "combofix /uninstall" and click OK.

ComboFix will load as usual. Click I Agree.
ComboFix disclaimer dialog. Click I Agree.

And again you will see two warnings about anti-virus and anti-malware programs running. Click OK there.
ComboFix antivirus scanner detection warning. Click OK. ComboFix antivirus scanner second warning. Click OK.

After several seconds, a dialog will pop up saying that ComboFix is now uninstalled. Click OK.
ComboFix is uninstalled. Click OK.

And that's it! Smile

Please support winhelp.us:
No PayPal account required!

Comments



 Comments? Suggestions? Ideas? Let me know! 
Your name (public):
Your e-mail (will not be displayed):
Title:
Notify me of new comments to this item: (send e-mail to info[at]winhelp.us to stop receiving)
Your comments/suggestions/ideas (no HTML code!)
winhelp.us owners reserve the right to remove or not publish comments that they find unacceptable because of strong language, inappropriate contents, advertising or spamming.
winhelp.us Privacy Policy.
This is a captcha-picture. It is used to prevent mass-access by robots. (see: www.captcha.net)
Share: Facebook Google+ Twitter LinkedIn StumbleUpon Pinterest E-mail

Browser and plugin check Google Custom Search Donate to keep this site running