ComboFix is another free program that helps in removing most stubborn malware and rootkits. The program used to work fine only in 32-bit Windows XP (and it was my favorite anti-malware tool!), but in late 2010 it was updated to cover both 32-bit and 64-bit versions of Windows XP, Vista and 7. Nice! 
ComboFix should be used only if your anti-virus programs and anti-malware programs are unable to remove some really nasty malicious program.
There are known conflicts between AVG Anti-Virus and ComboFix - ComboFix will not run while AVG is installed. For AVG Free users, I recommend using avast! Free Antivirus or Microsoft Security Essentials instead, because these programs actually provide better protection.
Note: always download ComboFix from a well-known webpage right before performing a malware scan, as this program is updated frequently to include removal of the newest malware!
Do not visit combofix.org or combofixdowload.com. These sites are not really related to this program, and ComboFix itself warns about them.
Go to the ComboFix download page, find the section "Using ComboFix" and click on any of the download links:
Downloading from BleepingComputer opens another page. Click ComboFix Download Link within the next 10 minutes.
Click the Save button. Do not use Run this time, as it is recommended to run ComboFix from Windows' Safe Mode.
Internet Explorer 8 users might see the Save As dialog. Save the file to your My Documents (Windows XP) or Documents (Windows Vista and 7) folder by clicking the Save button:
After downloading, Internet Explorer 9 users might see a SmartScreen Filter warning dialog "ComboFix.exe is not commonly downloaded and could harm your computer". Just ignore the dialog - ComboFix is not a malicious program.
After downloading is complete, always restart your computer in Safe Mode. Read our instructions for Windows XP, Windows Vista and Windows 7.
Safe Mode ensures that most malware is unable to load and is therefore easier to detect and remove.
Find ComboFix under your My Documents, Documents or Downloads folder (or the folder you saved it in).
Windows XP users should just double-click the ComboFix.exe file.
Windows Vista and 7 users should right-click the ComboFix.exe file and select Run as administrator. Of course, the magnificent User Account Control will kick in and ask whether you are really-really sure you want to run the program. Click Yes or OK there.
If ComboFix does not load, there is certainly some malware on your Windows computer that blocks ComboFix from starting. Open your My Documents, Documents or Downloads folder (or the folder you downloaded ComboFix to) and rename ComboFix.exe to some other name, such as "ff33.exe" or "GetOut.exe". Just make sure to keep the ".exe" part at the end of the filename, as this makes the file executable.
After renaming, double-click the file and ComboFix will load.
A disclaimer dialog appears, click I Agree there:
If you have any anti-virus or anti-spyware program active (and you should!), you will see two warning dialogs, but you can safely ignore them by clicking OK:

Then a blue background command prompt window will open:
Unless some malware has disabled the System Restore service on your computer, ComboFix will create a System Restore point before checking your computer:
For Windows XP, ComboFix will then offer to install Windows Recovery Console. Actually, you do not need that because Recovery Console is easily accessible by booting from the Windows XP CD.
Click No.
Finally, ComboFix will start scanning and removing malware and rootkits. During scanning, your Desktop, Desktop Icons and Taskbar will disappear and reappear a few times. This is normal. The scan usually takes 10 to 20 minutes. Do not do anything else on your computer during the scan! And please stand by during the scan - some action might be needed for deeply infected computers!
If your computer is badly infected, ComboFix will restart your computer. Make sure you start Windows in Safe Mode again! ComboFix will start again after logging in to Windows. Follow the steps described above and wait until the scan is complete.
After scanning and removal are complete, ComboFix will prepare a report with an overview of your computer and the removed or disinfected files. Again, your Desktop, Desktop Icons and Taskbar may disappear for a while; this is normal activity. Preparing the report might easily take several minutes.
Almost done here (actually, it still takes a few more minutes to finish):
A maximized log report window will open. You may read it, but as you are probably not an IT specialist, it will not tell you much.
Just close the window by using the keyboard shortcut Alt+F4 or by clicking the X button on the top right:
By now your computer should be free of malware and rootkits.
Restart your computer and let Windows start normally this time (no need to enter Safe Mode again!).
ComboFix sometimes changes the Desktop background image to Windows' default. Choose your own background again; remember the instructions for Windows XP, Windows Vista or Windows 7?
It also tends to turn off the displaying of known file extensions (the setting is named Hide extensions for known file types). Read about restoring the setting for Windows XP, Windows Vista or Windows 7.
ComboFix always sets Internet Explorer as your default Internet browser. If you prefer alternatives such as Mozilla Firefox, Google Chrome, Opera or Apple Safari, set your favorite one as the default web browser again.
ComboFix creates several folders and many files before scanning and during threat removal. After Windows starts normally, you should remove ComboFix and the folders it created.
To do that, open the Run menu by using the keyboard shortcut Windows Key+R. Alternatively for Windows XP, click the Start button and then click Run. Windows Vista and 7 users can use the Start menu's Search Box as an alternative.
Type combofix /uninstall and click OK or press Enter on your keyboard. Please note that there is a space between "x" and "/".
If you had to rename the ComboFix program file to something else in the previous steps, use the renamed version instead of "combofix". For example, if you renamed the file to "ff33.exe", type ff33 /uninstall instead.
ComboFix will load as usual:
And again you will see two warnings about anti-virus and anti-malware programs running. Click OK there.

After several seconds, a dialog will pop up saying that ComboFix is now uninstalled. Click OK.
And that's it! 
© Copyright 2009-2012 - Margus Saluste