ComboFix is an Anti-Malware tool used by advanced malware technicians
specifically trained in its use.
Please DO NOT USE COMBOFIX on your own without supervision!!!
We ask that you obey the warnings about using this tool. Why? The warnings are given for a reason, and one of them is to inform our members about the consequences that may occur when using ComboFix in an unsupervised environment. Yes, ComboFix is an excellent but powerful tool. I liken it to Acetaminophen (Tylenol). Used correctly, the drug will help with your aches and pains. Used incorrectly, it can destroy your liver and eventually kill you. The same scenario applies to ComboFix. Used in untrained hands, this tool can disable your computer and in some cases can make it unbootable. Further, trained helpers prefer to see preliminary scans from other tools like DDS, FRST, OTL, Zoek and RSIT before asking anyone to run ComboFix, because they provide comprehensive logs with specific details about files, folders and registry keys which may have been modified by a malware infection. Analysis of those logs allows checking for the presence of rootkits, planning a strategy for effective disinfection and a determination of whether using ComboFix is necessary.
A few comments from one of our malware experts, Papakid:
Running ComboFix by yourself is like performing open heart surgery on yourself--the scalpel and other surgical tools that is ComboFix is meant to be wielded by a highly trained surgeon only in emergencies or dire circumstances. When the surgeon is through, s/he leaves the room. So ComboFix should be removed from a system once it has accomplished its job, unlike an AV that is there to protect you from future infections... CF does make some alterations to your system if you run it. Even if you had no malware removed and run the uninstall command, some things may be different now on your system. I can tell you that one thing is that all your restore points will be flushed out and a new one created. There is a good reason to do that when you have a severe infection--but if you aren't infected you might need those restore points.
Read and abide by the disclaimer, people. It's there for a reason. Stick to running and protecting yourself with a good AV and firewall and an anti-malware scanner or two. If you feel you need a second opinion, try running online scans. If you feel you might need surgery, come here to BC and ask for help--that is what we're here for.
I am a firm believer that if you're unsure how to use a particular security tool or interpret any logs it generates, then you probably should not be using it. Users often panic when they see log results they do not understand. Some security tools are intended for advanced users who are knowledgeable about the Windows registry, or to be used under the guidance of an expert who can interpret the log results and investigate them for malicious entries before taking any removal action. Some security tools will show everything they find that is a possible problem, but you need to know what to remove and what not to remove. Incorrectly removing legitimate entries could lead to disastrous problems with your operating system.
As a general policy, Bleeping Computer does not offer advice on how to run ComboFix unless we asked someone to run it or there is a problem with the computer caused by running the tool. We recommend that people should not be using ComboFix without being advised to do so by a trained expert who is assisting them in dealing with a malware problem. When issues arise due to complex malware infections, problems running ComboFix (i.e. stalling, hanging, crashing) or other security tools causing conflicts, experts are usually aware of them and can advise what should or should not be done while providing individual assistance. When false detections are identified, experts have access to the developer and can report them so he can investigate, confirm and make corrections. Those attempting to use ComboFix on their own do not have such information and are at risk when running the tool in an unsupervised environment.
The following is a typical warning provided by the staff when we see its use mentioned outside of the Virus, Trojan, Spyware, and Malware Removal Logs Forum:
No one should be using ComboFix unless specifically instructed to do so by a Malware Removal Expert who can interpret the logs. It is a powerful tool intended by its creator to be "used under the guidance and supervision of an expert", NOT for general public or personal use. ComboFix was never meant to be used as a general purpose malware scanner like SuperAntispyware or Malwarebytes' Anti-Malware, which scan individual drives or different folders on a computer for malware... nor was it designed to be a remote support tool. Using this tool incorrectly could lead to disastrous problems with your operating system, such as preventing it from ever starting again. When issues arise due to complex malware infections, possible false detections, problems running ComboFix or other security tools causing conflicts, experts are usually aware of them and can advise what should or should not be done while providing individual assistance. Those attempting to use ComboFix on their own do not have such information and are at risk when running the tool in an unsupervised environment. Please read ComboFix's Disclaimer.
ComboFix is provided as is, without warranty of any kind. All
implied warranties are expressly disclaimed. If you do not agree to the
terms stipulated by sUBs, use of his tool is at your own risk.
Bleeping Computer and sUBs will not be responsible for any damage caused to your machine by misusing or running ComboFix on your own.
While our policy is not to offer advice on running ComboFix unless we asked someone to run it, we are willing to assist with resolving problems caused after using it, and we are certainly willing to help with malware disinfection. Only the BC Staff or members of the Malware Response Team are permitted to provide such assistance or answer questions related to ComboFix.
Questions about ComboFix and how it works:
Sorry, but discussions pertaining to how ComboFix works, the routines it performs, what it can or cannot do, what the log results mean, future plans, development, etc., are not available to the public in order to safeguard and protect the integrity of the tool from malware writers. As such, the developer does not want his tool discussed outside of private forums, and therefore we cannot answer specific questions. The only public information that is available can be found in this authorized guide: How to use ComboFix.
ComboFix System Requirements:
System requirements for ComboFix are provided in the Authorized How to guide and on the authorized download page.
At this time ComboFix can only run on the following Windows versions:
Windows XP (32-bit only)
Windows Vista (32-bit/64-bit)
Windows 7 (32-bit/64-bit)
Windows 8 (32-bit/64-bit)
Windows 8.1 and Windows 2000 are NOT supported by ComboFix.
If you attempt to use ComboFix on Windows 8.1, it should provide a message alert: ComboFix is not meant to run in 'Compatibility Mode' and exit.
This message is intentional by design when attempting to run ComboFix on that operating system.
-- if used on Windows 2000, ComboFix will display this message:
ComboFix logs, where should I post them?
ComboFix logs are not permitted outside the Virus, Trojan, Spyware, and Malware Removal Logs forum, and then only when requested by a Malware Response Team member. However, if you ran ComboFix on your own due to a malware infection, please be aware that a ComboFix log is only one part of the disinfection process. Therefore we ask that you please read the pinned topic titled "Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help". When you have done that, post the required logs, including your ComboFix log, in that forum, NOT here, for assistance by the Malware Response Team Experts.
A Statement about Malware Removal:
There are no guarantees when it comes to malware removal, and that includes the scanning and specialized fix tools we use. Infections will vary, and some will cause more harm to your system than others. Thus, sometimes it takes several efforts with different, the same or more powerful tools to do the job. Even then, with some types of malware infections, the task can be arduous and can produce disastrous results after using the available tools and security scanners for disinfection. How can that happen?
All scanning tools are susceptible to glitches, bugs and false positive detections, and from time to time the removal of critical files results in computers that become unbootable or get stuck in an endless reboot loop. Even major anti-virus vendors are not immune to such issues, and here are just a few reported examples.
- McAfee false-positive deletes critical svchost.exe causing system crashes and reboot loops
- McAfee false-positive glitch on crucial system files fells PCs worldwide
- Symantec false positive on system files cripples thousands of Chinese PCs
- Kaspersky False Positives Quarantine or Kill Windows Explorer in Windows Vista
- AVG virus scanner removes critical Windows file and renders machines unbootable
- Malwarebytes Atapi.sys and Registry False Positives
In most cases when these problems occur, the anti-virus vendors and security tool developers take quick action to correct the problem and provide support to those users who have been affected.
I used ComboFix on my own and encountered problems. What should I do?
Take responsibility for your decision to use ComboFix despite the numerous warnings that are provided not to use the tool in an unsupervised environment rather than attribute blame to others. We understand that even under the supervision of an expert, something can go wrong to include false positives on critical system files resulting in unbootable machines or other issues. If such a scenario happened with you, here are some basic guidelines to follow:
- Start a new topic here, give it a relevant title and provide a description of your problem and a summary of all steps that you have performed on your own.
- Please be specific and describe exactly what happened when you ran ComboFix. Include any error messages that you received. If your machine is bootable, providing a screenshot (see How to take and share a screen shot in Windows) can be useful in helping to resolve your problem.
- If you need individual assistance with a malware infection, please follow the instructions in the Preparation Guide For Requesting Help and post your logs in the Virus, Trojan, Spyware, and Malware Removal Logs forum, NOT here, for assistance by the Malware Response Team Experts.
- After starting your topic, please be patient as it may take time to get an answer. False positives, glitches and bugs resulting in computer problems have to be reported first to the tool's developer and then investigated before anyone can advise what corrective action needs to be taken. That may require the developer to conduct some testing and obtain sample files for analysis. Also keep in mind that staff members are all volunteers and we assist other members as well as you when time permits. No one is paid for their work or assistance to members of our community.
- Unless you are an expert, do not reply to someone else's topic with instructions, especially if they are already in the process of getting help from a member of the Malware Response Team or trusted staff. If you have a similar issue, the solution could be different based on the kind of hardware, software, system requirements, etc., and the presence of other malware, so please start your own topic. Those awaiting assistance, please read the pinned sticky "How do I get help? Who is helping me?". It's important that you know who you should trust to take advice from.
Again, we ask that you please be patient. It may take a while to get a response but your problem will be reviewed and answered as soon as possible.
The BC Staff
Note if you find ComboFix unavailable: There may be times when the developer will remove ComboFix in order to update or fix reported bugs, so the tool may be unavailable for download.
Never attempt to download ComboFix from sites other than the authorized How to use ComboFix Guide.
Other sites hosting ComboFix are not authorized mirrors and are hosting outdated copies of ComboFix.
These outdated copies can contain bugs that may render some machines unbootable.
Using unauthorized mirrors of ComboFix puts your computer at risk of not booting again.
Always wait for the official version to be fixed and released again.
Edited by quietman7, 22 February 2015 - 08:53 AM.