Skip to main content

ComboFix - Malware Removal Tool

Again, I am writing this down more for my own future reference, with the hope that it will benefit others Googling for this info as well.

ComboFix is a relatively unknown but surprisingly good anti-malware tool. I had in the past received a number of computers from relatives/friends that have been infected with malware. The general characteristics are that the machines boots OK into Windows, but runs erratically eg. displays fake error messages, prevents you from running certain executables, logs you off after awhile etc.

In my experience, it was impossible to get the existing antivirus software to perform a proper scan, or to install a new antivirus software because the system ran so erratically. Offline antivirus software that runs off a CD didn't help much either. I have a collection of them and none of them had helped on the computers I was trying to fix.

Enter ComboFix, which was able to get the computers back into good enough working condition so that I can reinstall the antivirus software and perform a proper scan. I am not sure what's the exact magic behind the program. It seems to "implement a collection of pre-made fixes for large amount of known malware and hunts down all files associated with it". Sounds good to me!

Windows Repair (All In One) is also helpful after running ComboFix. Some malware messes up all kinds of stuff, and functions like "Set Windows Services To Default Startup" is invaluable for straightening the system.

Of course, some people will tell you it's best to wipe the machine when it has been compromised. From a technical point of view, I would totally agree and will do it with my own machines. But in the real world with real people, that's not always the ideal solution for them. So I am glad ComboFix and Windows Repair AIO has enabled me to help some people along the way.

Comments

Popular posts from this blog

Adding "Stereo Mixer" to Windows 7 with Conexant sound card

This procedure worked for my laptop (Thinkpad E530) with a Conexant 20671 sound card, but I suspect it will work for other sound cards in the Conexant family. I was playing with CamStudio to do a video capture of a Flash-based cartoon so that I can put it on the WDTV media player and play it on the big screen in the living room for my kids. The video capture worked brilliantly, but to do a sound capture, I needed to do some hacking. Apparently, there was this recording device called "Stereo Mixer" that was pretty standard in the Windows XP days. This allowed you to capture whatever was played to the speaker in all its digital glory. Then under pressure from various organizations on the dark side of the force, Microsoft and soundcard makers starting disabling this wonderful feature from Windows Vista onwards. So after much Googling around, I found out that for most sound cards, the hardware feature is still there, just not enabled on the software side. Unfortunately, to

Attiny85 timer programming using Timer1

This Arduino sketch uses Timer1 to drive the LED blinker: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 /* * Program ATTiny85 to blink LED connected to PB1 at 1s interval. * Assumes ATTiny85 is running at 1MHz internal clock speed. */ #include <avr/io.h> #include <avr/wdt.h> #include <avr/sleep.h> #include <avr/interrupt.h> bool timer1 = false , led = true ; // Interrupt service routine for timer1 ISR(TIMER1_COMPA_vect) { timer1 = true ; } void setup() { // Setup output pins pinMode( 1 , OUTPUT); digitalWrite( 1 , led); set_sleep_mode(SLEEP_MODE_IDLE); // Setup timer1 to interrupt every second TCCR1 = 0 ; // Stop timer TCNT1 = 0 ; // Zero timer GTCCR = _BV(PSR1); // Reset prescaler OCR1A = 243 ; // T = prescaler / 1MHz = 0.004096s; OCR1A = (1s/T) - 1 = 243 OCR1C = 243 ; // Set to same value to reset timer1 to

Hacking an analog clock to sync with NTP - Part 5

This is how it looks after I have put everything together. The Arduino sketch is available here . The 2 jumper wires soldered to the clock mechanism are connected to pins D0 and D1 on the ESP-12 (in any order). When the device first boots up, it presents an access point which can be connected to via the PC or smartphone. Once connected, the captive portal redirects the web browser to the configuration page:     A custom field has been added to the WiFi configuration page to enter the current clock time in HHMMSS format. Try to set the clock time to as close to the current time as possible using the radial dial at the back of the clock so the clock will have less work to do catching up. In the config page, the HTML5 Geolocation API is also used to obtain your current location (so if your web browser asks if you would like to share your location, answer "yes"). This is then passed to the Google Time Zone API to obtain the time and DST offset of your time z