- Using ComboFix
- Forums to receive help analyzing ComboFix logs
- Manually installing the Windows Recovery Console
- Manually restoring the Internet connection
ntroduction ComboFix is a program, created by sUBs, that scans your computer for known malware, and when found, attempts to clean these infections automatically. In addition to being able to remove a large amount of the most common and current malware, ComboFix also displays a report that can be used by trained helpers to remove malware that is not automatically removed by the program.
At this time ComboFix can only run on the following Windows versions:
- Windows XP (32-bit only)
- Windows 2000 (32-bit only)
- Windows Vista (32-bit/64-bit)
- Windows 7 (32-bit/64-bit)
It should also be noted that when you run ComboFix it will automatically delete files from the following locations:
- Windows Recycle Bin
- Temporary Internet Files
- Temp Folder
Using ComboFix
If you need help with malware removal, then please create a topic at one of the forums listed later in the guide and ask for help. Please note that each forum has different policies, so please be sure to read any pinned topics and rules for the particular forum about how you should go about receiving help. If a ComboFix log has been requested by a helper then please create one by following the instructions below.
The first thing you should do is print out this guide, as we will close all the open windows and programs, including your web browser, before starting the ComboFix program.
Next you should download ComboFix from one of the following URLs:
To download ComboFix, simply left-click on one of the links above and you will see a prompt similar to the figure below.
Download ComboFix Prompt
Click on the Save button, and when it asks you where to save it, make sure you save it directly to your Windows Desktop. An image showing this is below.
Downloading ComboFix to the Desktop
When you have the Save as screen configured to save ComboFix.exe to the Desktop, click on the Save button. ComboFix will now start downloading to your computer. If you are on a dialup, this may take a few minutes. When ComboFix has finished downloading you will now see an icon on your desktop similar to the one below.
ComboFix Icon
We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:
- Close all open Windows including this one.
- Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix. Instructions on disabling these type of programs can be found in this topic.
Once you double-click on the icon, you may see a screen similar to the one below.
Windows Open File Security Warning
Windows is issuing this prompt because ComboFix does not have a digital signature. This is perfectly normal and safe and you can click on the Run button to continue. If you are using Windows Vista, and receive UAC prompt asking if you would like to continue running the program, you should press the Continue button.
You will now see the first ComboFix screen as shown below.
ComboFix is Preparing to Run
ComboFix is now preparing to run and when it has finished you will see a screen showing the authorized locations to download Combofix. On this screen please press the OK button and you will be shown the Disclaimer screen shown below.
ComboFix Disclaimer
If you do not agree to the disclaimer, then click on the No button to exit the program. Otherwise, to continue you should press the Yes button to continue. If you decided to continue, then ComboFix will create a System Restore point so that if any problems occur while using the program you can restore back to your previous configuration. When ComboFix has finished creating the restore point, it will then backup your Windows Registry as shown in the image below.
ComboFix is backing up the Windows Registry
Once the Windows Registry has finished being backed up, ComboFix will attempt to detect if you have the Windows Recovery Console installed. If you already have it installed, you can skip to this section and continue reading. Otherwise you will see the following message as shown below:
ComboFix Recovery Console
At the above message box, please click on the Yes button in order for ComboFix to continue. Please follow the steps and instructions given by ComboFix in order to finish the installation of the Recovery Console. Once it has finished installing, you will be presented with the screen shown below.
ComboFix Recovery Console Finished
You should now press the Yes button to continue. If at any time during the Recovery Console installation you receive a message stating that it failed to install, please allow ComboFix to continue with the scan of your computer. When it is done, and a log has been created, you can then perform the manual install of the Recovery Console using the steps found in the Manually installing the Windows Recovery Console section.
ComboFix will now disconnect your computer from the Internet, so do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet. When ComboFix has finished it will automatically restore your Internet connection.
ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient.
ComboFix is scanning the computer for infections
While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to their previous settings. You will also see the text in the ComboFix window being updated as it goes through the various stages of its scan. An example of this can be seen below.
Stages of the ComboFix AutoScan
At the time of this writing there are a total of 50 stages as shown in the image below, so please be patient. The amount of stages will go up as time goes on, so if the amount of stages is different when you run it, please do not be concerned.
34th Stage of the ComboFix AutoScan
When ComboFix has finished running, you will see a screen stating that it is preparing the log report as shown below.
ComboFix is preparing the log report
This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and telling you the programs log file, or report, will be located at C:\ComboFix.txt. This can be seen in the image below.
ComboFix is almost done!
When ComboFix has finished, it will automatically close the program and change your clock back to its original format. It will then display the log file automatically for you as shown below.
ComboFix Log File
You should now post this log as a reply to the topic where you were asked to run combofix. Your helper will now analyze this log and let you know what they would like you to do next. If you having problems connecting to the Internet after running Combofix, then please read the Manually restoring the Internet connection section.
It is possible that ComboFix, even on its first run, may have fixed the problems you are having. We strongly suggest that you still post your log into the topic that you are receiving help as you most likely will have infections left over that your helper will need to analyze further.REFERENCES
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
