How to use ComboFix for removing the most stubborn malware and rootkits in Windows XP, Vista, 7 and 8
ComboFix is another free program that helps in removing the most stubborn malware and rootkits. It is a really powerful testing and fixing tool that should be used only if your anti-virus and anti-malware programs are unable to remove some really nasty malicious program.
ComboFix works in Windows XP, Vista, 7 and 8 only; 8.1 and 10 are not supported. On those systems, an alternative is to run RKill first to detect and stop active malware services and processes (its scan takes only about 5 minutes!) and then use Malwarebytes 3 to get rid of the infection.
There are known conflicts between many anti-virus programs and ComboFix: ComboFix will not run while AVG or Avast is installed. McAfee's heuristics engine Artemis often pops up a false detection alarm about ComboFix; add combofix.exe to the list of exclusions to work around this problem. The best approach is to temporarily uninstall anti-virus software so that ComboFix can do its job properly.
Downloading ComboFix
Note: always download ComboFix right before performing a malware scan from BleepingComputer's web page as this program gets updated frequently to include removal of newest malware!
Do not visit combofix.org or combofixdowload.com; these sites are not really related to this program, and ComboFix itself warns about them.
Please save the program, do not run it right away - ComboFix works best while Windows is running in Safe Mode.
Running ComboFix in Windows Safe Mode
After downloading is complete, always restart your computer and start Windows in Safe Mode. Safe Mode ensures that most malware is unable to load and is therefore easier to detect and remove.
Find ComboFix in your My Documents, Documents or Downloads folder (or the folder you saved it to).
Windows XP users should just double-click the ComboFix.exe file.
Windows Vista, 7 and 8 users should right-click the ComboFix.exe file and select Run as administrator. Of course, the magnificent User Account Control will kick in and ask whether you are really-really sure you want to run the program. Click Yes or OK there.
In case ComboFix will not load at all, there is certainly some malware on your Windows computer that blocks ComboFix from starting. Open your My Documents, Documents or Downloads folder (or the folder you downloaded ComboFix to) and rename ComboFix.exe to some other name, such as ff33.exe or GetOut.exe. Just make sure to keep the ".exe" part at the end of the filename; this is what makes the file executable.
After renaming, double-click the file and ComboFix will load.
A disclaimer dialog appears, click I Agree.
If you have any anti-virus or anti-spyware program active in the background, you will see two warning dialogs. You can safely ignore them by clicking OK. If the program stops working after this, you need to uninstall your antivirus tool temporarily and then run ComboFix again.
A Command Prompt window with blue background opens. This stage will probably take some time to finish, be patient.
Unless some malware has disabled System Restore on your computer, ComboFix will create a System Restore point before checking your computer.
In Windows XP, ComboFix will then offer to install Windows Recovery Console. Click No here.
Finally, ComboFix will start scanning and removing malware and rootkits. During scanning, your Desktop, Desktop icons and Taskbar will disappear and reappear a few times. This is normal. The scan usually takes 10 to 30 minutes. Do not do anything else on your computer during the scan! And please stand by during the scan - some actions might be needed for deeply infected computers.
The last scanning stage is number 50, and the first few stages take longer to complete than the rest.
If your computer is badly infected, ComboFix will restart your computer. Use the F8 key for starting Windows in Safe Mode again. ComboFix will launch automatically after logging in to Windows. Follow the steps described above and wait until the scan is complete.
After scanning is complete, ComboFix will prepare a report with an overview of your computer. Again, your Desktop, Desktop icons and Taskbar may disappear for a while, this is normal activity. This preparation might easily take several minutes and ComboFix will look for any suspicious program launches during that time.
Almost done here (actually, it still takes a few more minutes to finish).
A maximized log report window will open. You may read it, but as you are probably not an IT specialist, it will really say nothing much to you. Just close the window by using keyboard shortcut ALT+F4 or by clicking the X button on the top right.
By now your computer should be free of malware and rootkits. Restart your computer and let Windows start normally. If everything is ok, do not forget to uninstall ComboFix - read on for this.
Restoring settings that ComboFix changes to default
ComboFix sometimes changes Desktop background image to Windows' default.
It also tends to turn on hiding of known file extensions (the Explorer setting named Hide extensions for known file types); read about restoring this setting in the folder views and options article.
ComboFix always sets Internet Explorer as your default browser. In case you like alternatives such as Mozilla Firefox, Google Chrome or Opera more, change your favorite one back to the default web browser.
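The following PowerShell snippet is an added example, not part of the original article or of ComboFix itself. It checks and restores the two settings described above that can be read from the registry: the Explorer "Hide extensions for known file types" option (the HideFileExt value; 0 means extensions are shown) and the current Desktop wallpaper path. It assumes Windows 7 or later with PowerShell available and is run as the affected user, since both values live under HKEY_CURRENT_USER.

```powershell
# Added example (not from the original article): restore the Explorer
# "Hide extensions for known file types" setting that ComboFix can flip,
# and report the wallpaper path in case the background was reset.
# Assumes Windows 7 or later with PowerShell; run as the affected user.
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

$current = (Get-ItemProperty -Path $advanced -Name HideFileExt -ErrorAction SilentlyContinue).HideFileExt
if ($null -eq $current) {
    Write-Host "HideFileExt is not set; Explorer falls back to its default (extensions hidden)."
} elseif ($current -eq 1) {
    Write-Host "Known file extensions are currently hidden."
} else {
    Write-Host "Known file extensions are already shown."
}

# 0 = show extensions. With extensions hidden, a file called 'report.pdf.exe'
# is displayed as 'report.pdf', so showing them is the safer setting to restore.
Set-ItemProperty -Path $advanced -Name HideFileExt -Value 0 -Type DWord

# Report the wallpaper path so you can see whether it was reset to the
# Windows default and pick your own image again if needed.
$wallpaper = (Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name Wallpaper).Wallpaper
Write-Host "Current wallpaper: $wallpaper"

# Explorer reads HideFileExt when it starts, so restart the shell to apply
# the change (signing out and back in works as well).
Stop-Process -Name explorer -Force
Start-Process explorer.exe
```

If Windows relaunches the shell on its own after it is stopped, the final Start-Process line simply opens a folder window, which you can close.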
Uninstalling ComboFix
ComboFix creates several folders and many files before scanning and during threat removal. After Windows starts normally, you should remove ComboFix and the folders it created.
To do that, open the Run dialog using keyboard shortcut WINDOWS KEY+R. Alternatively, in Windows XP, click the Start button and then click Run.
Windows Vista and 7 users can also use Start menu's Search Box as an alternative.
In Windows 8, use keyboard shortcut WINDOWS KEY+X to open Quick Links menu and choose Run.
Type combofix /uninstall and click OK or press ENTER on your keyboard. Please note that there is a space between "x" and "/".
In case you had to rename ComboFix program file to something else in previous steps, use the renamed version instead of "combofix". For example, if you renamed the file to "ff33.exe", type ff33 /uninstall instead.
ComboFix will load as usual. Click I Agree.
And again you will see two warnings about anti-virus and anti-malware programs running. Click OK there.
After several seconds, a dialog will pop up saying that ComboFix is now uninstalled. Click OK.
And that's it!