
ComboFix Should Be In Your Security Toolbox


ComboFix (which you can download directly here) has been floating around the Internet for a couple of years now, and has been recommended by security pros as a tool of last resort when dealing with some of the more frustrating entanglements with viruses and malware. As these have been on the rise where I work lately — about a new infection every other week now — finding the right malware killer for the job can be tricky.

Among the better ones are Malwarebytes.org's Anti-Malware, Spybot's Search & Destroy (if for the Hosts blacklist update alone!), Avast! Antivirus, McAfee's Stinger, Vipre Antivirus, Trojan Remover, SuperAntiSpyware, and CCleaner (mainly for cleaning up the leftovers). But just a couple of weeks ago we ran into a system with a variant of the Backdoor.bot Trojan on it that found ways around all of these tools and popped back up to redirect Google search results within minutes of a cleaning we thought had finally expunged the unwanted code. It's worth mentioning that we have Symantec Endpoint Security running on these machines, and while it occasionally quarantined an infected file, it wasn't doing a damn thing about the root of the problem, which has generally been my experience of late with Norton/Symantec: great at telling you something's wrong, but worthless at doing anything about it. Not at all worth the asking price.

Finally a co-worker reminded me of ComboFix. I figured it was worth a shot, though I hadn't personally had to use it or had any experience with it working on systems at home. The Windows XP system in question was particularly hard to clean because whenever we'd try to boot into Safe Mode to clean with minimal drivers and other software loaded, we'd just get an unsightly blue screen of death.

After running ComboFix — which only takes a few minutes — it spat out a text file logging everything it had found and what it had done to resolve each item. Lo and behold, one of the .sys files required for Windows to boot into Safe Mode had been corrupted by the Trojan as a self-preservation mechanism. I swear, the bugs and the miscreants making them are getting smarter all the time. After spending days upon days running scans with a dozen other programs, ComboFix was the one that finally cleaned its clock and got the system back to where it needed to be. No more redirections. No more unexpected pages of porn coming up while at the office.

In the weeks since, I've gradually moved away from my standbys (many of the programs mentioned above, which are still excellent at what they do) and now head straight to ComboFix, which seems to get the job done right the first time more often than not, and quickly. Everything from altered home pages and redirections to scareware popup warnings and extremely bogged-down system performance, it's tidied up every one of them.

ComboFix to the rescue! It's not a tool to be used haphazardly, as the how-to on BleepingComputer.com warns (if you're not a truly savvy PC user, I don't recommend going in blind), but if all else fails and the Geek Squad tells you there's no other recourse than to wipe your hard drive, this would be a great time to give ComboFix a shot. Honestly, I've been fixing computers for over a decade and have yet to encounter a virus or malware infection that absolutely required wiping the entire system hard drive. There may be a few bugs out there that are that bad, but by and large, those kinds of one-size-fits-all broadsword solutions are offered by companies that don't want to be bothered actually solving the problem with precision. Plus, they're overcharging you like crazy. Want proof? Every single program in this article is absolutely free; some offer subscriptions or additional functionality for a fee, but will work just fine at no cost for at least short-term scanning and cleanup purposes. That surely beats the $80/hr they're probably charging you to hit the nuke button.

ComboFix still sees regular updates, and sometimes will only run at "reduced functionality" if it thinks it's out of date, so it's always good to keep that link to the most recent file bookmarked. The regular updates are a blessing though, as new threats emerge daily and are added to the program for detection and removal. Having used it on at least a dozen infected machines lately and seeing nothing but spectacular results, I can't recommend a better tool for cleaning a bug-ridden PC. Check it out, read the tutorial, and keep it handy. You never know when some rogue script out there will make your computer sick.

About Mark Buckingham

  • http://blogcritics.org/writers/a-geek-girl/ A Geek Girl

    Symantec, McAfee, AVG — the anti-virus apps might be good at catching viruses, but they really come up short when it comes to catching and actually hanging onto trojans and malware, don’t you think? Probably because they load before the anti-virus starts or just disable AV completely.

    I had a hard time with the koobface virus recently. Had to download and update malwarebytes on a memory stick, start my computer in safe mode and then run it. It caught the koobface, but I forgot to plug in my external hard drive when I ran malwarebytes, so I got re-infected as soon as I plugged it in. Frgggg

    Had to do the whole procedure again, but with the external drive included in the scan.

    McAfee didn’t catch it. (Ironic that it’s the free AV Facebook is offering.) Adaware didn’t catch it either. Spybot caught it, but couldn’t quarantine it. Only malwarebytes worked, and only in safe mode.

    It’s always good to have a full arsenal of tools, and patience. No telling what they’ll be sending out next.

    I’ve never tried combofix before. Best to get familiar with it beforehand. You just never know. Thanks for this.

    ~T

  • http://blogcritics.org/scitech/ Mark Buckingham

    Malwarebytes is a must-have, for sure. And yes, many antivirus programs overlook some significant loopholes. Avast can do a boot-time scan while the system is still pre-Windows, and that can catch a number of bugs as well before they have a chance to start up.

  • Poyol

    Combofix is the be-all and end-all of almost all malware. As BleepingComputer and sUBs state, it can be dangerous to your system to use it without relevant experience. There’s at least one piece of malware that stops your PC being able to boot if removed with Combofix, so just be careful!

    I think you also missed out an essential AV – Avira. I run Avira and MalwareBytes alongside each other and have not been infected… As yet! If you look for comparisons you’ll see Avira is the crème de la crème of anti-virus scanners! And just pips Microsoft’s Security Essentials to the post!

    All in all people who specialise in Malware Removal at particular forums around the internet know a “helluva” lot about Malware and the likes and suggest you don’t just hit Combofix’s Nuke button without being advised to!

  • http://blogcritics.org/scitech/ Mark

    Correct. If not used wisely or cautiously, some problems may occur, but in my experience using it, these are few and very far between. No tool is perfect, but it does a very good job.

  • Chris Kidd

    You used to never see a virus load in safe mode, but now they do. I had one today and even ComboFix would not run. When I clicked on shortcuts to already installed MalwareBytes and SAS, it opened the Vista Security Scanner. The only way to get rid of it was to uninstall my spyware programs; then the PC restarted good as new. Then I had to reinstall MB and SAS and they fixed it. It’s something new every week, but yes, these idiots, who are actually brilliant enough to make a fortune if they used their minds in the right manner, are getting better at writing these viruses.

  • clintst

    I agree, Mark, that combofix does an excellent job catching some of the nastiest trojans… I use it all the time and have yet to see combofix make things any worse. Awesome tool! Will they make it available for servers?

  • Mark

    Clint, I’m not sure what development is going on with the software these days other than further updates for better detection.

  • Todd Clemmer

    Combofix is a life saver. I just got done running it on a client’s machine that had a compromised safe mode. Broke the chain, which allowed me to clean up the rest for good.