Help Running ComboFix on Windows 8.1 VM


6 replies to this topic

#1 TimothyWeldon24

TimothyWeldon24

  • Members
  • 3 posts
  • OFFLINE
  • Local time:07:31 PM

Posted 26 June 2018 - 10:08 AM

Hello Bleepingcomputer Forums,

 

My name is Timothy Weldon, I am a Network Security Community College Student, and I am doing a presentation on three antivirus programs, ESET online Scanner, Spy-bot: Search and Destroy, and of course the most important of all, ComboFix.

 

I come to the forums today to ask a few questions to ensure that what happened last time doesn't happen again. ComboFix is my part of the project, and I will say that I had a past with it before I was selected (at random, mind you) for this project. In order to complete some points on the presentation, I need to get some pictures. I've chosen to run this on Virtual Workstation 14 because I'll be damned if I have to wipe and download Windows 7 and sit through the updates again. If there are some brains who have experience with running ComboFix on a VM, I'd like some tips. I'm thinking of just running it as soon as the machine logs on and downloading it. Personally, this will be a Windows 8.1 VM, and I'm not sure if ComboFix will even run on 8.1. Anyway, give me a shout if you can.

 

Thanks,

Timothy Weldon.


Edited by hamluis, 26 June 2018 - 11:38 AM.
Moved from Win 8 to AV/AM Software - Hamluis.



#2 hamluis

hamluis

    Moderator


  • Moderator
  • 56,287 posts
  • ONLINE
  • Gender:Male
  • Location:Killeen, TX
  • Local time:07:31 PM

Posted 26 June 2018 - 11:37 AM

https://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

 

Louis



#3 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,758 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:31 PM

Posted 30 June 2018 - 07:09 PM

...I am a Network Security Community College Student, and I am doing a presentation on three antivirus programs, ESET online Scanner, Spy-bot: Search and Destroy, and of course the most important of all, ComboFix.

ComboFix is not an anti-virus...it is a specialized first responder tool that has the ability to deal with multiple malware infections and has built in removal functionality which makes it very powerful. Combofix is intended by its creator to do two things: 1) automatically remove known infections and 2) provide a detailed system report similar to FRST/DDS that a trained expert can use to further investigate and remove malicious files and registry entries.

On first run ComboFix can automatically detect and remove a lot of malware from various locations where it is known to hide. Further, much of what ComboFix does is completed upon reboot as part of its routine. ComboFix also provides a wealth of information about many areas of the operating system and registry in the comprehensive logs it creates. That information can provide advanced users a strategy for planning additional malware removal steps using other alternative tools.

ComboFix is safe to use by someone trained in how to use it or when following instructions provided by a trained expert helper (see here) who is assisting them deal with a malware problem. Combofix was never meant to be used as a general purpose malware scanner like Malwarebytes, Zemana AntiMalware, SuperAntispyware, AdwCleaner, etc which scan individual drives, different folders, the registry, etc on a computer for malware...nor was it designed to be a remote support tool, though many use it as such.

Since ComboFix is not supported on Windows 8.1/Windows 10 (and most likely never will be), malware removal experts are using other compatible alternatives such as FRST (Farbar Recovery Scan Tool) which uses Directives/Commands and Zoek which uses Scripts.


Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#4 TimothyWeldon24

TimothyWeldon24
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:07:31 PM

Posted 02 July 2018 - 08:57 AM

 

...I am a Network Security Community College Student, and I am doing a presentation on three antivirus programs, ESET online Scanner, Spy-bot: Search and Destroy, and of course the most important of all, ComboFix.

ComboFix is not an anti-virus...it is a specialized first responder tool that has the ability to deal with multiple malware infections and has built in removal functionality which makes it very powerful. Combofix is intended by its creator to do two things: 1) automatically remove known infections and 2) provide a detailed system report similar to FRST/DDS that a trained expert can use to further investigate and remove malicious files and registry entries.

On first run ComboFix can automatically detect and remove a lot of malware from various locations where it is known to hide. Further, much of what ComboFix does is completed upon reboot as part of its routine. ComboFix also provides a wealth of information about many areas of the operating system and registry in the comprehensive logs it creates. That information can provide advanced users a strategy for planning additional malware removal steps using other alternative tools.

ComboFix is safe to use by someone trained in how to use it or when following instructions provided by a trained expert helper (see here) who is assisting them deal with a malware problem. Combofix was never meant to be used as a general purpose malware scanner like Malwarebytes, Zemana AntiMalware, SuperAntispyware, AdwCleaner, etc which scan individual drives, different folders, the registry, etc on a computer for malware...nor was it designed to be a remote support tool, though many use it as such.

Since ComboFix is not supported on Windows 8.1/Windows 10 (and most likely never will be), malware removal experts are using other compatible alternatives such as FRST (Farbar Recovery Scan Tool) which uses Directives/Commands and Zoek which uses Scripts.

 

Thank you, Mr. Quietman7, I've read a lot about you and it's quite an honor. I want you to know I understand completely what ComboFix is and what it's capable of. I did write the original forum post in haste, and it really shows. My main purpose of this article is to ask if Combo-Fix can be run in a virtual machine. I am not interested in the virus removal, as I understand fully that this thing can search and destroy even the most stubborn viruses like nobody's business. In fact, I did mention something about "what happened last time" and I feel I should clarify. My friend, who graduated from my program, told me about Combo-Fix and how to use it. He warned me of the dangers and gave me explicit instructions to run Combo-Fix safely and efficiently, and it did its job without a problem. However, later on when I felt it was time to run another virus search and destroy mission, instead of using MalwareBytes, I ran Combo-Fix right out the gate. I did all the wrong things to do: I ran it without running an anti-virus scan, I left Malwarebytes on during the Combo-Fix scan, I didn't run Combo-Fix in safe mode, and I (like a total fool) didn't make a backup before starting. I know full well how to run Combo-Fix, but the only way I learned was by being cocky and doing something stupid. But back to the topic at hand, I still need to run Combo-Fix during the presentation and I am choosing to run this in a Virtual Machine. A Windows 7 ISO hopefully will not be a problem, as my current laptop has Windows 7 and runs Combo-Fix. I would also like to get a little more information about Combo-Fix and its creator sUBs. I read a little from a forum post you made a long time ago, but if you have anything I can present to the class, I'd really appreciate it. Thank you for all your help.

 

Timothy Weldon



#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,758 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:31 PM

Posted 02 July 2018 - 05:47 PM

ComboFix is optimized to run from normal mode where it is most effective. However, it should run in safe mode if you are having trouble getting it to run or loading Windows in normal mode. ComboFix should also work on a VM. However, if your intention is to infect a VM for the purposes of testing, be aware that not all malware will work in that environment by intention. Malware writers have been able to create malicious files which can detect if it is running in a VM. When detected as such, the malware is able to change its behavior by not running any malicious code which can infect the operating system. This is a deliberate technique to make analysis/detection more difficult for security researchers who use VMs to study infections in order to understand the attack methodology used and develop disinfection solutions. So just because you test a program in a VM and it does not behave maliciously...that does not necessarily mean it is not malicious.

General discussions about ComboFix are permitted but the only official public information that is available can be found in the authorized Guide and tutorial on How to use ComboFix hosted by BleepingComputer and the ComboFix usage, Questions, Help? - Look here thread. Information about the private scripting directives and certain specifics not available to the public (i.e. how ComboFix works, the routines it performs, development, etc) is not permitted to be discussed publicly.

Why? Safeguarding ComboFix from malware writers is necessary and important so that we can continue to use it without attackers having knowledge of how to defeat it. Everything we discuss can be read by the bad guys. Yes, they read these forum topics looking for clues (knowledge) on how to circumvent ComboFix and its removal techniques. We don't want to provide any information they can use against us, so we deliberately do not provide detailed information on the specific inner workings of our tools and how we use them in areas where attackers can see that information. As such, our discussion in public areas is limited and sometimes may appear vague or not fully address a specific question, so it should not be taken personally.

You can attempt to contact the developer (sUBs) for more information by posting a topic at the Tech Support Forum, but these days he is busy working with the Malwarebytes team.

#6 TimothyWeldon24

TimothyWeldon24
  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:07:31 PM

Posted 02 July 2018 - 06:04 PM

ComboFix is optimized to run from normal mode where it is most effective. However, it should run in safe mode if you are having trouble getting it to run or loading Windows in normal mode. ComboFix should also work on a VM. However, if your intention is to infect a VM for the purposes of testing, be aware that not all malware will work in that environment by intention. Malware writers have been able to create malicious files which can detect if it is running in a VM. When detected as such, the malware is able to change its behavior by not running any malicious code which can infect the operating system. This is a deliberate technique to make analysis/detection more difficult for security researchers who use VMs to study infections in order to understand the attack methodology used and develop disinfection solutions. So just because you test a program in a VM and it does not behave maliciously...that does not necessarily mean it is not malicious.

General discussions about ComboFix are permitted but the only official public information that is available can be found in the authorized Guide and tutorial on How to use ComboFix hosted by BleepingComputer and the ComboFix usage, Questions, Help? - Look here thread. Information about the private scripting directives and certain specifics not available to the public (i.e. how ComboFix works, the routines it performs, development, etc) is not permitted to be discussed publicly.

Why? Safeguarding ComboFix from malware writers is necessary and important so that we can continue to use it without attackers having knowledge of how to defeat it. Everything we discuss can be read by the bad guys. Yes, they read these forum topics looking for clues (knowledge) on how to circumvent ComboFix and its removal techniques. We don't want to provide any information they can use against us, so we deliberately do not provide detailed information on the specific inner workings of our tools and how we use them in areas where attackers can see that information. As such, our discussion in public areas is limited and sometimes may appear vague or not fully address a specific question, so it should not be taken personally.

You can attempt to contact the developer (sUBs) for more information by posting a topic at the Tech Support Forum, but these days he is busy working with the Malwarebytes team.

 

I had read in your post from way back that he was so secretive because of this. God, that has got to be tough being hunted by people who make viruses for a living. Quietman7, I cannot thank you enough for your help. I've found this whole journey kinda awesome. Now, I am probably not going to try and run Combo-fix just to get pictures of what it looks like in action, but instead I might just go on Google and get some pictures. Let's face the facts, I am not a professional, not yet. Without any real training, ComboFix is dangerous. If you get a hold of sUBs, which I have tried before posting in the public forum, tell them that I love their work and I wish them luck with their future endeavors. Hey, wish me luck. I am presenting tomorrow. Seeyah 'round Quietman7.



#7 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,758 posts
  • ONLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:08:31 PM

Posted 02 July 2018 - 06:06 PM

You're welcome and good luck.