Distrust Combofix.

Often, when someone mentions that xyr computer has been infected by a worm or a virus, someone else comes along and says:

I used Combofix to remove the malware. It's really great. You should use it.

This is the Frequently Given Answer to such advice.

Don't take it.

This advice is always given by people who hide behind pseudonyms. They never tell you who they are, or why you should trust their word. There's no way to know that they really did use Combofix, or that these pseudonyms aren't simply "astroturfing": a campaign of using throwaway pseudonymous accounts to make it seem that there's a whole load of people who have used this software when really there is not. (The accounts, you might notice, often have very few if any other contributions to the places where they pop up out of nowhere to recommend Combofix.)

Indeed, the author of Combofix xyrself hides behind the pseudonym "SUBs". Unlike the case of legitimate malware removal tools, which (whatever one may think of them) at least can be traced to some identifiable person or company who is willing to put xyr name behind xyr product, there's no way to determine the true authorship of Combofix.

When pressed, the pseudonymous Combofix proponent(s) will tell you that you must deactivate all of your anti-virus tools before downloading and running Combofix, because otherwise "it won't work". "Trust me, I'm an authorized Combofix helper," they cry. These people often claim to be "Malware Removal Experts". This is in fact just an affectation of some people on one particular minor WWW message board. It's not a real qualification, like — for example — Kaspersky Labs' ATC certification or Sophos training, where one actually has to take some form of course. It's just some hokum made-up title that people with pseudonyms on a single message board like to award one another. If, in response to your doubting that "Malware Removal Expert" is a title with any weight or meaning, a person with a pseudonym comes and tells you that xe is a "Microsoft MVP in security", point to Microsoft's list of the people who actually are Microsoft MVPs at the moment and ask the person hiding behind the pseudonym to identify which one xe is, and name xyrself. Don't be surprised if you don't get a response, or are attacked by other pseudonyms in order to distract attention from the fact that you don't get a response, though.

Why does Combofix require that you disable all of your anti-virus softwares? Because Combofix is a Rootkit. Anti-virus softwares variously identify it, and have variously identified it, as a specific Trojan horse program (Win32.Trojan.Agent or the RBot backdoor program in the reports hyperlinked-to here, notice) or as generally "suspicious".

That's right. A person hiding behind a pseudonym has told you that the best thing for your computer is to disable all of your anti-virus softwares, download a rootkit written by an author who also hides behind a pseudonym, that isn't digitally signed by someone you trust, from a WWW site that you've no reason to trust, and run it. But if you don't open up your system, and trust the people who give you no reason to trust them, this amazing rootkit that will purportedly cure all your ills won't work. Fancy that, eh?
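The minimum a cautious user can do before running anything downloaded on the say-so of a stranger is to look at what the file itself asserts: whether it carries an Authenticode signature that chains to a trusted root, who the signer is, and what its hash is so that independent scanner reports can be consulted rather than the download site's own claims. The following PowerShell is an added example written for this page, not code from the original article or from any tool it names; the file path is a constructed placeholder, and the check assumes a stock Windows PowerShell 4 or later with the file stored on NTFS (needed for the Zone.Identifier stream).

```powershell
# Added example (not part of the original page): a defender's pre-flight check
# before running a downloaded executable. The path below is a constructed placeholder.
$Path = 'C:\Users\Example\Downloads\ComboFix.exe'   # assumption: where the download landed

function Test-DownloadTrust {
    param([Parameter(Mandatory)][string]$FilePath)

    if (-not (Test-Path -LiteralPath $FilePath)) {
        throw "File not found: $FilePath"
    }

    # 1. Authenticode: is there a signature at all, and does it chain to a trusted root?
    #    Status values include Valid, NotSigned, NotTrusted, HashMismatch and UnknownError.
    $sig    = Get-AuthenticodeSignature -LiteralPath $FilePath
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

    # 2. SHA-256 of the file, for looking it up in independent scanner reports.
    $hash = (Get-FileHash -LiteralPath $FilePath -Algorithm SHA256).Hash

    # 3. Mark-of-the-Web: Windows records the origin zone of downloaded files in an
    #    alternate data stream; ZoneId=3 means "Internet".
    $zone = Get-Content -LiteralPath $FilePath -Stream Zone.Identifier -ErrorAction SilentlyContinue

    [pscustomobject]@{
        File            = $FilePath
        SignatureStatus = $sig.Status
        Signer          = $signer
        SHA256          = $hash
        FromInternet    = [bool]($zone -match 'ZoneId=3')
        # A valid signature only tells you a CA vouches for the signer's identity;
        # an unsigned file gives you no identity to evaluate at all.
        HasVerifiableSigner = ($sig.Status -eq 'Valid')
    }
}

Test-DownloadTrust -FilePath $Path | Format-List
```

The point of the output is the combination: a file that reports NotSigned, came from the Internet zone, and whose hash scanners flag as malicious is exactly the situation the article describes, and no amount of reassurance from a pseudonym changes what the file itself says. A Valid status is necessary, not sufficient: it lets you decide whether you trust the named signer, which is the decision an unsigned file denies you.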

Furthermore, if you don't do exactly this, then the person hiding behind the pseudonym blames you for not blindly trusting the people with the pseudonyms. It is the fault of you, the victim, that you screwed things up when you installed Combofix. Your system became even more messed up? You obviously didn't do things properly.

It's also common to blame some mysterious conspiracy against the poor mystery author of Combofix. Notice that no anti-virus program gives Combofix a clean bill of health, or ever has. That is, the pseudonymous proponent(s) claim(s), because all of the anti-virus software manufacturers are ganging up on Combofix. It's a "false positive" caused by the fact that the big corporate manufacturers don't like the little guy. Ask yourself this: How come every malware detection tool makes this false positive, then? Is every single malware detection software manufacturer — despite the fact that they compete amongst themselves like crazy in other areas — magically coöperating to label the poor Mystery Combofix Author? Or is it more likely that there's no massive improbable conspiracy at all, and that this program really is the malware that everyone who has tested it states it to be?

Don't become credulous just because something is claimed to be an anti-virus program that will rescue you from your currently dire straits. You wouldn't (or at least you shouldn't) trust a program from an unnamed author, that isn't signed, that you are required to download from a WWW site with no obvious associations that you have no reason to trust, on the recommendation of a passing stranger with a pseudonym, if it were — say — a program to help you calculate your taxes. So don't do so because someone came along, said "Trust me! I'm a pseudonym.", and told you to download and run such a program to fix your computer.


© Copyright 2011 Jonathan de Boyne Pollard. "Moral" rights asserted.
Permission is hereby granted to copy and to distribute this web page in its original, unmodified form as long as its last modification datestamp is preserved.