Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Joined for feedback

  • Please log in to reply
1 reply to this topic

#1 DecSkipfZero


  • Members
  • 1 posts
  • Local time:08:48 PM

Posted 18 August 2014 - 04:17 PM

Ref. Combofix

I'm fine with this capable program clearing the temp directories. That would be "\tmp" and "\temp".


But it should be mentioned in the documents and ref materials that Combofix will also treat

"\x" as a temp directory and CLEAR IT. Perhaps others? I don't know. It should be clearly delineated behavior.


This hidden feature wiped 50GB of data I was using during an ISP switch. It will take days to recover.

It spent over six hours scanning the files and then promply erased them all.


Yes, I understand "Don't use the program unless directed to" or some such. But that is no cover for

an omission of functionallity this large. Check the forum logs for this to be mentioned. I've not seen it.


The only temp directories-folders are "\tmp" and "\temp" as set in the environmental variables.


Thanks for reading..



(60K line log file of deletes.. sigh.)



It should also be noted that when you run ComboFix it will automatically delete files from the following locations:

  • Windows Recycle Bin
  • Temporary Internet Files
  • Temp Folder

Edited by hamluis, 18 August 2014 - 05:04 PM.
Moved from Introductions to AV/AM Software - Hamluis.

BC AdBot (Login to Remove)


#2 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 52,087 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:07:48 PM

Posted 18 August 2014 - 06:10 PM

Your feedback is noted.

I can tell you that temp folders are a common hiding place for malware. I would like to say more but all discussions about Combofix...how it works, the routines it performs, what it can or cannot do, what the log results mean, future plans, development, etc, are in private areas not for the general public to read. Why? Safeguarding ComboFix from malware writers is necessary and important so that we can continue to use it without attackers having knowledge how to defeat it. Everything we discuss can be read by the bad guys. Yes, they read these forum topics looking for clues (knowledge) on how to circumvent our tools and removal techniques. We don't want to provide any information they can use against us so we deliberately do not provide specific information on the specific inner workings of our tools and how we use them in areas where attackers can see that information. As such, our discussion in public areas is limited and sometimes may appear vague or not fully address a specific question so it should not be taken personal.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users