Can Running ComboFix Make the Situation Worse?

Posted on 2010-08-23
Last Modified: 2013-11-22
I have used ComboFix multiple times to successfully clean PCs infected w/ malware. However, in the past 2 months I had two separate experiences where running ComboFix seems to have caused the systems to become even slower & more unstable than they were originally. In both cases, they were older laptops (about 5 years old) running Windows XP Home w/ SP2 or SP3.

Has anyone else experienced this?
Question by:anuneznyc
LVL 24

Expert Comment

by:B H
ID: 33505424
sometimes that happens - combofix does a lot... but usually only good things.  

you can have situations where combofix removes a virus that was so embedded, that windows is never the same without the virus.  in some cases, if the virus was a device driver, windows might not even boot up anymore

i haven't seen anything that i can nail down to a specific OS service pack or update, or even specific viruses... just seems to be case by case, you just never know.

i only run combofix when everything else fails, it's either combofix or a reinstall anyway, so can't hurt that much if i've already blocked out the time to do a reinstall
LVL 30

Expert Comment

by:Sudeep Sharma
ID: 33505468
There could be some other reason(s) for the system to go slow, however I have never seen Combofix causing a system to slow down.


Author Comment

ID: 33507433
Bryon, curious to know what other anti-spyware programs you run and in what order. In the past I have successfully used Malware Bytes to remove spyware, but in some cases had to also run ComboFix to clean infections that MB did not remove. But now that I've had these 2 negative experiences, thinking I should take your approach and only run CF as a last resort.
LVL 27

Assisted Solution

Jonvee earned 100 total points
ID: 33508387
You should find this article by rpggamergirl helpful:

See under sub-heading "Download the Tools and start the cleanup".  
Some users may opt for not initially running Cleaners(or not even at all) and starting with Malwarebytes, leaving ComboFix until last (as you intimated).

My own more recent thoughts are to run Malwarebytes, followed by Hitman Pro 3, a 'Second Opinion Malware Scanner'
which uses Scan Cloud .... well worth reading this whole article:
LVL 27

Expert Comment

ID: 33508454
Further thoughts ... imho i believe that running ComboFix does present a ~very slight~ risk to a system, but it's a risk worth taking especially when a machine is suspected to be quite infected ....but i'm not aware of any slowness caused by running ComboFix, and it has to date proved to be an excellent tool ... i think of it as being 'one of the big guns' perhaps!
LVL 24

Accepted Solution

B H earned 250 total points
ID: 33509591
usually i go in an order like this - of course it varies depending on what symptoms are present

1. kill all running processes that dont belong there - if one keeps coming back, make a note of it
2. check the common regedit startup locations (user/machine/winlogon-notify) and liberally delete things (adobe, java, viruses, etc)
3. kill the common temp places: locals~1\temp, locals~1\tempor~1, windows\temp, windows\prefetch
4. kill anything weird in programfiles
5. run malwarebytes (goes faster after 1-4 above)
6. deal with anything left over, like a repeating process from #1
     (find that process on the drive, loop a batch file "del %1, if exist repeat, if not exist quit" while ending the process manually, that way it really really goes away)
7. if symptoms are still present (popups, clickjacks, redirects, etc) then we have to use tdsskiller
8. if symptoms are still present, it's a driver that tdsskiller can't get so at that point, combofix slash repair install
9. i've had things live thru a repair install - well not necessarily live past but the network drivers were still destroyed because one virus might like to change all your windows/inf files - at that point it's easier to just format/reinstall

that whole process 1-7 above usually takes me about 20-30 minutes depending on temp files.  combofix can be another 30 minutes.

after i'm confident the machine is clean, i'll usually recommend the client buy malwarebytes so we can leave it auto-run, auto-update, auto-scan, auto-delete, while watching connections 24x7.  i'll also remove whatever crap antivirus they used to have (usually norton) and replace it with the free version of avast - then i'll set avast to auto-chest > auto-delete without asking and without notification - so the user can't accidentally let the virus live next time.

if time allows i'll get them on the right track with microsoft updates, or at least leave them a text document on how to perform basic maintenance.  if they're really nice i'll go a few extra steps and ccleaner their registry and set them up with defragller (god forbid they install it themselves, with all those "optional" checkmarks installing more junk)

in some extreme cases i'll start adding keywords to the avast url block list, like limewire, frostwire, bearshare, etc.

the first time i see limewire caused it, i tell the kid "next time i delete all your music" and that's usually good... and explain why to their parents.  but if i have to go back after that, i'll make sure they don't get any allowance for a few months - never had to go back after that.
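To make steps 2, 3 and 6 of the procedure above concrete, here is a small batch file written for this page. It is an added example, not something B H posted; the file name xp-triage.cmd, the two optional arguments and the tskill step are the editor's assumptions. It lists the autostart registry locations from step 2 (machine and user Run/RunOnce keys plus Winlogon Notify, Userinit and Shell), clears the temp locations from step 3, and implements the step 6 delete loop: delete the file, wait about a second, retry until it is gone, while you end the owning process in Task Manager. It assumes Windows XP (Home or Pro) with reg.exe and tskill.exe available (tskill ships with XP Home, which does not include taskkill) and an administrator account.

```batch
@echo off
rem xp-triage.cmd - added illustration of steps 2, 3 and 6 above.
rem Not from the original post; script name, paths and argument layout
rem are the editor's assumptions.
rem
rem   xp-triage.cmd                       list autostart entries, clear temp dirs
rem   xp-triage.cmd C:\path\bad.exe       ...and loop-delete a file that keeps coming back
rem   xp-triage.cmd C:\path\bad.exe bad   ...also run "tskill bad" on every pass
rem
rem Assumes Windows XP with reg.exe and tskill.exe, run as an administrator.
rem Step 2 only LISTS values; review them before deleting anything.
setlocal enableextensions

echo === Step 2: common autostart locations (review, do not blindly delete) ===
for %%K in (
  "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
  "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
  "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
  "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
  "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
) do (
  echo --- %%~K
  reg query %%K /s 2>nul
)
rem Userinit and Shell are frequent hijack points; on a clean XP install they
rem normally read "C:\WINDOWS\system32\userinit.exe," and "Explorer.exe".
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit 2>nul
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell 2>nul

echo === Step 3: temp locations ===
for %%D in (
  "%TEMP%"
  "%USERPROFILE%\Local Settings\Temporary Internet Files"
  "%SystemRoot%\Temp"
  "%SystemRoot%\Prefetch"
) do (
  if exist "%%~D\" (
    echo --- %%~D
    rem /a so hidden and system files are included; files in use are skipped silently
    del /f /s /q /a "%%~D\*.*" >nul 2>&1
  )
)

rem Step 6 only runs when a file path was given on the command line.
if "%~1"=="" goto :eof
echo === Step 6: loop-deleting "%~1" (Ctrl+C to abort) ===
echo End the owning process in Task Manager while this runs.
:loop
if not "%~2"=="" tskill %~2 >nul 2>&1
del /f /q /a "%~1" >nul 2>&1
if exist "%~1" (
  rem XP has no timeout.exe; a ping to localhost is the usual ~1 s delay
  ping -n 2 127.0.0.1 >nul
  goto loop
)
echo "%~1" is gone.
endlocal
```

Two caveats a practitioner will want. The registry part deliberately only lists values: a legitimate Winlogon Notify, Userinit or Shell entry removed by mistake leaves a machine that cannot log on, so export the key with `reg export` before editing and compare the Userinit/Shell values against the defaults noted in the comments. Clearing Prefetch is in the list above, but Windows rebuilds it during the next few boots, so expect those boots to be slightly slower, not faster.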
LVL 24

Expert Comment

by:B H
ID: 33509690
in my first comment where i said :sometimes that happens - combofix does a lot... but usually only good things.  

the intent was "combofix does a lot of things" and not "combofix fails a lot".  combofix is a great tool, but it does have a small percentage of a chance to do more harm than good.  which is probably why you have to keep re-downloading it, since the authors made it expire every few days.

i had one user who was like "wow leave me that program i'll run it every day" i was like, no.

i do it in my order above more because if combofix is going to take 30 minutes anyway, i may as well do it by hand so i can see any other issues along the way... and if that fails, then run combofix which is helpful most of the time

i didnt mention disabling system restore but that's up there too pretty early in the list - i usually don't re-enable it because i can count on one finger all the times it actually worked.
LVL 47

Assisted Solution

rpggamergirl earned 100 total points
ID: 33519873
I can't see why running ComboFix would cause the system to slow down, it has to be something else.
ComboFix removes itself and its files including the backup upon its uninstallation. And yes it's not recommended that ComboFix be kept in the system for safety reasons, so there is no chance of the user having to run an outdated ComboFix.

It is much safer to run tools like MalwareBytes, ComboFix etc. than doing a manual removal of any infection first, because if you missed their loading points the PC may not boot, whereas tools like ComboFix are designed with safety nets.
It actually has more safety nets than most tools, that's why there are times when ComboFix will not try and remove a particular malware unless RC is installed.

It is often advised to be used as a last resort mainly because it's not a generic "cure all" scanner, CF sometimes needs a script to finish the removal. That's why it's supposed to be used only under guidance by a Helper
ComboFix was created to aid malware Helpers in removing malware when other scanners fail.

Assisted Solution

jasonlcss earned 50 total points
ID: 33519917
After running Combofix, I usually run ccleaner as it cleans out all "dead links" in your registry as well as cleans out all your temp data from your temp folders, this I have found speeds up the PC's quite a bit.

Here's a download link:

Author Comment

ID: 33524307
Thanks to everyone who posted their comments. Yeah, I don't know what happened in these 2 instances, but running CF definitely caused the system to slow down even more. Granted, both systems had Windows XP installs that were over 5 years old, which means they were slow & unstable to begin with, but it got worse after CF did its thing.

I'm starting to think that from now on, if I come across a client system w/ a XP install more than 4 yrs old, I'm going to insist on a "backup, wipe & reinstall" approach. Just seems that XP (not to mention Vista) simply becomes too bloated & unstable after 4 years of use.

Expert Comment

ID: 33524833
Ccleaner would have removed a lot of the backup built up over the years... try it, you have nothing to lose.

Author Comment

ID: 33524866
I'm skeptical of the actual value of registry cleaners, but I suppose I could give it a try.
LVL 24

Expert Comment

by:B H
ID: 33524990
ccleaner does a really decent job, and it DOES ask you if you want to make a backup.reg file of what's going to be whacked.  if bad things happen after the reboot, just click the backup.reg file that was created in 'mydocuments' and it'll put them all back in there

Author Comment

ID: 33643719
Thank you all.

Author Closing Comment

ID: 33643733
