Another tool I often use to remove malware from PCs is ComboFix. It’s an excellent program for removing malicious software such as viruses, trojans, rootkits and spyware. This tutorial walks through how to download, install and use ComboFix to scan your PC for infections. No single anti-virus program will catch or remove 100% of the malware being found today, but between ComboFix and Malwarebytes’ Anti-Malware you’ve got a good chance of getting your computer running smoothly again.
- How-to video
- Downloading ComboFix
- Installing ComboFix
- Using ComboFix
To get right into it, I have a 6½ minute video that goes over everything I’m about to cover in the post below. The program doesn’t display a version number, but the file version I downloaded was 220.127.116.11, so if yours looks a little different when you run it, you may be running a newer version than the one I made the demo with and some things may have moved around.
There’s only one version of this program available, and it’s completely free (for non-commercial use only, according to the disclaimer).
Free Version: Download it directly from BleepingComputer.com, the official home of ComboFix. Don’t grab it from download mirrors or search-engine ads: a tool that runs with full system privileges and deletes files is exactly what a bogus or tampered copy would be dressed up as, so the official source is the only one worth trusting.
Once you’ve downloaded the file, browse to where you saved it and double-click it to start the installation. (Alternatively, if your browser prompted you to “Run” or “Save” and you chose “Run”, the installation begins automatically once the download finishes.) Before you start, temporarily disable your anti-virus and anti-spyware real-time protection; ComboFix warns you if it detects them running, because they can interfere with its cleanup.
The installation is really easy. Once you agree to the disclaimer, it extracts its files to the hard drive and then starts the program automatically. That’s it.
Before ComboFix makes any attempt at removing anything from your computer, the first thing it does is create a System Restore point. This way, if there are problems afterwards, you can roll the computer back to the state it was in before ComboFix made any changes. System Restore snapshots the registry, key Windows system files, and installed drivers and programs; it doesn’t touch your documents, so it’s a way to undo ComboFix’s changes, not a backup of your data. Keep in mind that a restore point taken on an infected machine can also preserve copies of the malware, so don’t treat it as a known-clean state.
The next step is installing the Microsoft Windows Recovery Console. If you already have it installed you most likely won’t see the prompt, unless there’s an updated version. If you don’t, ComboFix will prompt you and install it for you automatically. The Recovery Console matters because if the computer can’t boot back into Windows after ComboFix runs, you can boot into the Recovery Console and get to a command prompt to make further repairs.
Without the Recovery Console installed, ComboFix will not do as thorough a job or be as aggressive as it normally would, so installing it is highly recommended. You simply click Yes to the End User License Agreement (EULA) and ComboFix installs it for you.
At this point you have ComboFix downloaded, installed and running, and it has created a system restore point and installed the Windows Recovery Console. Now it scans your computer for malicious files and infections. It goes through 50+ stages and can take up to 10 minutes, or sometimes longer on badly infected machines. It lists the stages as it finishes them: “Completed Stage_1”, “Completed Stage_2”, … “Completed Stage_50”, and so on. Some stages go really quick and others take longer, so if it appears to have stopped after completing a stage, give it some time and it should resume with the completion messages once it gets through that stage. Leave the machine alone while it works; don’t click in the ComboFix window or launch other programs, since that can interrupt the scan.
Sometimes you’ll see messages between the stage completion notices that tell you something it did, such as deleting files. In the video it deleted the Cache folder and showed that right after stage 50.
After it’s done scanning it prepares a log report with the details of its findings. Preparing the report can take quite a while; there were many times I wondered if the program had hung and then the log file popped up, so be patient with this part too. The log report opens automatically in Notepad and is also saved to the computer as C:\ComboFix.txt. It details what ComboFix did (like deleting the Cache folder in the video) and lists a lot more information, such as the files it found recently created and the registry autostart entries still on the machine, that a technician can review to decide whether any further action is necessary. At this point the computer should be clean of anything ComboFix knows how to remove, but given the caveat above about no single tool catching everything, I suggest a supplemental scan with Malwarebytes’ Anti-Malware to see if there are any additional malicious items it can clean up.
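As an added example (this is not ComboFix’s code and not part of the original tutorial), here is a small Python script that triages a ComboFix-style report the way a technician skims C:\ComboFix.txt: it pulls out the anti-virus status line, what ComboFix deleted, and the autostart entries under “Reg Loading Points”, and flags entries that run from user-writable folders or that borrow a Windows system binary’s name outside its real directory. The banner and entry layout it parses is an assumption modelled on ComboFix’s report format, and the sample log is constructed for this example: the Cache folder deletion from the video plus made-up entries.

```python
"""Triage a ComboFix-style report (C:\\ComboFix.txt) for follow-up.

Added example, not ComboFix's code or the tutorial author's. The banner and
entry layout parsed here is an assumption modelled on ComboFix's report;
SAMPLE_LOG is constructed for this example.
"""
import ntpath
import re
from typing import NamedTuple, Optional

BANNER_RE = re.compile(r"^\(+\s*(.+?)\s*\)+\s*$")           # (((  Title  )))
REG_KEY_RE = re.compile(r"^\[(HK[^\]]+)\]\s*$")              # [HKEY_...\Run]
REG_VALUE_RE = re.compile(r'^"([^"]*)"="([^"]*)"(?:\s+\[([^\]]*)\])?\s*$')
PATH_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)            # c:\...

# Autostart binaries rarely belong in user-writable locations like these.
SUSPICIOUS_DIRS = ("\\temp\\", "\\application data\\", "\\appdata\\",
                   "\\programdata\\", "\\recycler\\", "\\$recycle.bin\\")
# Names malware borrows from Windows, and where the genuine ones live.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                "services.exe", "explorer.exe", "spoolsv.exe"}
SYSTEM_DIRS = {"c:\\windows", "c:\\windows\\system32"}


class Autorun(NamedTuple):
    key: str    # registry key the value lives under
    name: str   # value name
    path: str   # command / binary path
    stamp: str  # "[date size]" text ComboFix appends, if present


def split_sections(text: str) -> dict:
    """Map each banner title to its non-empty lines; pre-banner lines go under
    'header'. The lone '.' spacer lines in the report are dropped."""
    sections, current = {"header": []}, "header"
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == ".":
            continue
        m = BANNER_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        else:
            sections[current].append(line)
    return sections


def parse_autoruns(lines) -> list:
    """Walk the 'Reg Loading Points' lines, remembering the current key."""
    key, out = "", []
    for line in lines:
        k = REG_KEY_RE.match(line)
        if k:
            key = k.group(1)
            continue
        v = REG_VALUE_RE.match(line)
        if v and key:
            out.append(Autorun(key, v.group(1), v.group(2), v.group(3) or ""))
    return out


def why_suspicious(entry: Autorun) -> Optional[str]:
    """Heuristic reason an autostart entry deserves a technician's look."""
    path = entry.path.lower()
    for d in SUSPICIOUS_DIRS:
        if d in path:
            return "runs from user-writable location " + d.strip("\\")
    if ntpath.basename(path) in SYSTEM_NAMES and ntpath.dirname(path) not in SYSTEM_DIRS:
        return "system binary name outside its Windows directory"
    return None


def triage(text: str) -> dict:
    """Return AV status, what ComboFix deleted, and flagged autostart entries."""
    s = split_sections(text)
    autoruns = parse_autoruns(s.get("Reg Loading Points", []))
    return {
        "av_status": [l for l in s["header"] if l.startswith("AV:")],
        "deletions": [l for l in s.get("Other Deletions", []) if PATH_RE.match(l)],
        "autoruns": autoruns,
        "flagged": [(a, why_suspicious(a)) for a in autoruns if why_suspicious(a)],
    }


# Constructed sample report; only the Cache deletion comes from the video.
SAMPLE_LOG = r"""
ComboFix 11-07-26.01 - Owner 07/26/2011  14:02:11 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.1023.603 [GMT -4:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
AV: Example Antivirus *Disabled/Outdated* {EXAMPLE-GUID}
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Owner\Local Settings\Application Data\Cache
c:\documents and settings\Owner\Local Settings\Temp\svchost.exe
.
((((((((((((((((((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"Updater"="c:\documents and settings\Owner\Application Data\xkqwe\updater.exe" [2011-07-25 94208]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-03-19 1036288]
"msconfig32"="c:\windows\temp\msconfig32.exe" [2011-07-25 45056]
.
Completion time: 2011-07-26  14:11:02 - machine was rebooted
"""

if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(*report["av_status"], sep="\n")
    print("deleted:", *report["deletions"], sep="\n  ")
    for entry, reason in report["flagged"]:
        print(f"FLAG {entry.name!r} -> {entry.path}: {reason}")
```

Run it against a real report with `triage(open(r"C:\ComboFix.txt").read())`. The heuristics are deliberately simple: an autostart entry launching from Temp or Application Data, or an `svchost.exe` that isn’t in `c:\windows\system32`, is what a technician looks for first when deciding whether ComboFix finished the job or a follow-up scan is needed. A disabled or outdated AV line in the header is the other thing worth acting on before calling the machine clean.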