ComboFix (which you can download directly here) has been floating around the Internet for a couple of years now, and has been recommended by security pros as a tool of last resort when dealing with some of the more frustrating entanglements with viruses and malware. As these have been on the rise where I work lately — about a new infection every other week now — finding the right malware killer for the job can be tricky.
Among some of the better ones are Malwarebytes.org's Anti-Malware, Spybot's Search & Destroy (if for the Hosts blacklist update alone!), Avast! Antivirus, McAfee's Stinger, Vipre Antivirus, Trojan Remover, SuperAntiSpyware, and CCleaner (mainly for cleaning up the leftovers). But just a couple of weeks ago we ran into a system that had a variant of the Backdoor.bot Trojan on it that was finding ways around all of these tools and popped back up to redirect Google search results within minutes of a cleaning we thought had finally expunged the unwanted code. It's worth mentioning that we have Symantec Endpoint Security running on these machines, and while it occasionally quarantined an infected file, it wasn't doing a damn thing about the root of the problem, which has generally been my experience of late with Norton/Symantec: great at telling you something's wrong, but worthless at doing anything about it. Not at all worth the asking price.
Finally a co-worker reminded me of ComboFix. I figured it was worth a shot, though I hadn't personally had to use it or had any experience with it working on systems at home. The Windows XP system in question was particularly hard to clean because whenever we'd try to boot into Safe Mode to clean with minimal drivers and other software loaded, we'd just get an unsightly blue screen of death.
After running ComboFix — which only takes a few minutes — it spat out a text log listing everything it had found and what it had done about each item. Lo and behold, one of the .sys files required for Windows to boot into Safe Mode had been corrupted by the Trojan as a self-preservation mechanism: with Safe Mode unbootable, the usual offline cleanup route was closed off. I swear, the bugs and the miscreants making them are getting smarter all the time. After spending days upon days running scans with a dozen other programs, ComboFix was the one that finally cleaned its clock and got the system back to where it needed to be. No more redirections. No more unexpected pages of porn coming up while at the office.
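The Safe Mode sabotage described above is worth checking for directly rather than discovering it through a blue screen. Windows decides what loads in Safe Mode from the SafeBoot\Minimal and SafeBoot\Network registry keys, so a defender can enumerate those entries, resolve each driver or service to its binary, and confirm the file still exists and carries a valid Authenticode signature. The script below is an added example written for this post, not part of ComboFix or the original article; it assumes PowerShell 3 or later on a Windows machine with a default system layout, and the function names (Resolve-ImagePath, Get-SafeBootAudit) are my own.

```powershell
# Added example (not from the original post): audit the SafeBoot registry
# entries Windows uses to pick the driver and service set for Safe Mode, and
# check that each referenced binary exists and is signed. Run elevated.
# Assumes PowerShell 3+ (for the -in / -notin operators).

$safeBootRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot'
$servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Resolve-ImagePath([string]$imagePath) {
    # Service ImagePath values come in several forms; normalise to a full path.
    if ([string]::IsNullOrWhiteSpace($imagePath)) { return $null }
    $p = $imagePath.Trim('"')
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^system32\\', "$env:SystemRoot\system32\"
    $p = [Environment]::ExpandEnvironmentVariables($p)
    # Drop trailing arguments such as "svchost.exe -k netsvcs".
    if ($p -match '^(.+?\.(exe|sys|dll))\b') { $p = $matches[1] }
    if (-not [IO.Path]::IsPathRooted($p)) {
        $p = Join-Path "$env:SystemRoot\system32" $p
    }
    return $p
}

function Get-SafeBootAudit {
    foreach ($mode in 'Minimal', 'Network') {
        $modeKey = Join-Path $safeBootRoot $mode
        if (-not (Test-Path $modeKey)) {
            # A missing Minimal/Network key means that Safe Mode variant has
            # no driver list at all, which matches the symptom in the post.
            [pscustomobject]@{ Mode = $mode; Entry = '(key missing)'; Kind = '';
                               Path = ''; Exists = $false; Signature = 'n/a' }
            continue
        }
        foreach ($sub in Get-ChildItem $modeKey) {
            $name = $sub.PSChildName
            # The default value is "Driver", "Service", or a device class name
            # for the setup-class GUID entries (which carry no single binary).
            $kind = (Get-ItemProperty $sub.PSPath).'(default)'
            $path = $null; $exists = $null; $sig = 'n/a'
            if ($kind -in 'Driver', 'Service') {
                $svc = Join-Path $servicesRoot $name
                if (Test-Path $svc) {
                    $path = Resolve-ImagePath (Get-ItemProperty $svc).ImagePath
                }
                if ($path) {
                    $exists = Test-Path $path
                    if ($exists) { $sig = (Get-AuthenticodeSignature $path).Status }
                }
            }
            [pscustomobject]@{ Mode = $mode; Entry = $name; Kind = $kind;
                               Path = $path; Exists = $exists; Signature = $sig }
        }
    }
}

# Report only entries whose binary is missing or fails signature validation.
Get-SafeBootAudit |
    Where-Object { $_.Exists -eq $false -or ($_.Signature -notin 'Valid', 'n/a') } |
    Format-Table -AutoSize
```

Anything that lands in the output deserves a closer look, but read it with care: a missing file or an invalid signature on a Safe Mode driver is a strong sign of tampering, while a clean report only tells you the boot set is intact, not that the rest of the system is. Comparing the full (unfiltered) output against a known-good machine of the same Windows build is the more reliable baseline.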

Article comments
1 - A Geek Girl
Symantec, McAfee, AVG -- the anti-virus apps might be good at catching viruses, but they really come up short when it comes to catching and actually hanging onto trojans and malware, don't you think? Probably because they load before the anti-virus starts or just disable AV completely.
I had a hard time with the koobface virus recently. Had to download and update malwarebytes on a memory stick, start my computer in safe mode and then run it. It caught the koobface, but I forgot to plug in my external hard drive when I ran malwarebytes, so I got re-infected as soon as I plugged it in. Frgggg
Had to do the whole procedure again, but with the external drive included in the scan.
McAfee didn't catch it (ironic that it's the free AV Facebook is offering). Adaware didn't catch it either. Spybot caught it, but couldn't quarantine it. Only Malwarebytes worked, and only in safe mode.
It's always good to have a full arsenal of tools, and patience. No telling what they'll be sending out next.
I've never tried combofix before. Best to get familiar with it beforehand. You just never know. Thanks for this.
~T
2 - Mark Buckingham
Malwarebytes is a must-have, for sure. And yes, many antivirus programs overlook some significant loopholes. Avast can do a boot-time scan while the system is still pre-Windows, and that can catch a number of bugs as well before they have a chance to start up.
3 - Poyol
Combofix is the be-all and end-all of almost all Malware. As BleepingComputer and sUBs state, it can be dangerous to your system to use it without relevant experience. There's at least one piece of malware that stops your PC being able to be booted if removed with Combofix, so just be careful!
I think you also missed out an essential AV - Avira. I run Avira and MalwareBytes alongside each other and have not been infected... As yet! If you look for comparisons you'll see Avira is the crème de la crème of Anti Virus scanners! And just pips Microsoft's Security Essentials to the post!
All in all, people who specialise in Malware Removal at particular forums around the internet know a "helluva" lot about Malware and the like, and suggest you don't just hit Combofix's Nuke button without being advised to!
4 - Mark
Correct. If not used wisely or cautiously, some problems may occur, but in my experience using it, these are few and very far between. No tool is perfect, but it does a very good job.
5 - Chris Kidd
You used to never see a virus load in safe mode, but now they do. I had one today and even ComboFix would not run. When I clicked on shortcuts to already installed MalwareBytes and SAS, it opened the Vista Security Scanner. The only way to get rid of it was when I uninstalled my spyware programs; then the PC restarted good as new. Then I had to reinstall MB and SAS and they fixed it. It's something new every week, but yes, these idiots, who are actually brilliant enough to make a fortune if they used their minds in the right manner, are getting better at writing these viruses.
6 - clintst
I agree Mark that combofix does an excellent job catching some of the nastiest trojans... I use it all the time and have yet to see combofix make things any worse. Awesome tool! Will they make it available for servers?
7 - Mark
Clint, I'm not sure what development is going on with the software these days other than further updates for better detection.