
combo fix a hack tool?

5 replies to this topic

#1 richardvenport


  • Members
  • 2 posts
  • Local time:03:31 AM

Posted 03 August 2009 - 12:42 AM

Hi everyone: a few days ago I took my laptop into a local shop for a free diagnostic. They ran something called combofix on my computer. I was told I had 3 viruses (recyclers) and 1 trojan (autorun) on the computer. They said they would remove them (for a fee) and I told them ok. After removing them they also tried to get me to agree to let them take my Webroot antivirus/spysweeper off and replace it with something called Avast. They said avast would not miss such things. I said no, however, since I had just paid a year's subscription. Upon taking the computer home and turning it on (not connecting to the internet) my webroot had something on it called "hack tool" which was in quarantine (I deleted it). When I questioned the store about it they said "not to worry about it, it was something that the combo fix must have missed." They also claimed not to have downloaded anything to the computer. My last sweep before I took it in said the computer was clear. I also found something called qoobox in the cookie section which had not been there before (I deleted this also). I am very worried that this store did something not reputable and put something on my computer to steal information. Webroot described this "hack tool" as a password breaker. I also found an exe file for combofix in my prefetch. I also found a "combofix" txt file that the computer says that if it opens I would be exposing my computer. I am NOT computer literate and don't know what to do at this point. How does one know for sure that the computer is "safe" and where could I take it to find out? The computer also boots up differently. It goes to a screen first that gives a choice between recovery console and xp windows. And I also get a balloon at the bottom which indicates that the antivirus is off when I first start the computer and takes a while for it to go away. Any help would be appreciated. Rich



#2 DaChew


    Visiting Alien

  • Members
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:03:31 AM

Posted 03 August 2009 - 01:02 AM

Click Start > Run, type combofix /u and click OK. (Note the "space" between combofix and /u.)

No. Try not. Do... or do not. There is no try.

#3 richardvenport

  • Topic Starter

  • Members
  • 2 posts
  • Local time:03:31 AM

Posted 03 August 2009 - 02:49 AM

Sorry, but that did not really answer my question. Can anyone else give advice? Thanks.

#4 aommaster


    I !<3 malware

  • Malware Response Team
  • 5,294 posts
  • Gender:Male
  • Location:Dubai
  • Local time:11:31 AM

Posted 03 August 2009 - 05:15 AM

What DaChew said was the way to go. Combofix is a tool that is used by trained members of the malware removal community and generates those files. What you found were its own quarantine folder and the log file it generated. DaChew's command will have you automatically uninstall combofix and any related files. Due to what Combofix does, it is sometimes identified as a false positive by anti-virus programs.

Note here:
ComboFix SHOULD NOT be used unless requested by a forum helper

And from its disclaimer:

You should not run ComboFix unless you are specifically asked to by a helper. Also, due to the power of this tool it is strongly advised that you do not attempt to act upon any of the information displayed by ComboFix without supervision from someone who has been properly trained. If you do so, it may lead to problems with the normal functionality of your computer.

Edit: Corrected a typo.

Edited by aommaster, 03 August 2009 - 11:06 AM.

My website: http://aommaster.com
Please do not send me PM's requesting for help. The forums are there for a reason : )
If I am helping you and do not respond to your thread for 48 hours, please send me a PM

#5 hamluis



  • Moderator
  • 56,272 posts
  • Gender:Male
  • Location:Killeen, TX
  • Local time:02:31 AM

Posted 03 August 2009 - 08:39 AM


The fact that you have already taken your system to an assumedly reliable repair shop...and you question the things which they did...implies to me that you can never be sure that a 3rd party is working in your best interests.

FWIW: ComboFix is a valid application used to deal with malware.

A thread I consider worth reading: http://www.bleepingcomputer.com/forums/ind...p;#entry1159014

<<...the computer also boots up differently. It goes to a screen first that gives a choice between recovery console and xp windows.>>

That screen merely indicates that someone installed the Recovery Console for XP onto your system. The RC is a tool for repairing certain things which go awry in XP and it's a good thing to have installed for many users.

Description of the Windows XP Recovery Console - http://support.microsoft.com/kb/314058

How to use the Windows recovery console. - http://www.computerhope.com/issues/ch000627.htm

<<...I also get a balloon at the bottom which indicates that the antivirus is off when I first start the computer and takes a while for it to go away...>>

Immaterial (probably)...many users who have solid AV programs working (including myself) get that message. It's a glitch in the way that the Security monitor in XP works...it doesn't properly detect all AV programs or firewalls employed. It won't hurt to make sure that this notification is incorrect by doing a visual check of your AV program...before considering the steps in the following link.



Edited by hamluis, 03 August 2009 - 11:48 AM.

#6 Papakid


    Guru at being a Newbie

  • Malware Response Team
  • 6,635 posts
  • Gender:Male
  • Local time:02:31 AM

Posted 03 August 2009 - 10:43 AM

A couple more points...

1. It's obvious that you didn't intentionally use ComboFix (CF) on your own--but the shop you took it to didn't use it properly either. One, CF was developed for people who help victims in forums like this. Forums like this don't charge for the help--CF is not for commercial use. Also if they knew what they were doing, they would have uninstalled CF before giving the computer back to you. The shop you took it to didn't put anything on your PC to spy on you, but the next time you need to take your PC to a shop, I would take it somewhere else. But before you even do that, come to this forum and ask about your problem--you might get it fixed for free.

2. A hack tool is not always bad. Hacking is just manipulation of your registry and maybe some files; it can either help you or hurt you, depending on what the hack does. Any time an anti-virus or other security scanner flags a file as a hack-tool, they are just informing you that such a tool is present and it is up to you to determine if it is being used the right way--don't delete it if it isn't unwanted. Some other terms are used, such as risk ware, but these indicate only possible threats, not necessarily actual threats. I know this is confusing for those who aren't computer literate--they get alarmed by any detection. Some scanners are worse than others. I consider McAfee to be the worst in this area. Instead of marking files as being possible threats like other scanners do (which I call near-positives), they often will call it an actual virus, which is an outright false positive.

The thing about people

is they change

when they walk away.--Mipso
