Question

Posted

[b]Combofix has been infected with Sality! Do Not use!!!![/b]

[quote]Unfortunately it has come to light that the program ComboFix had a file in it that is infected with the Sality virus. The minute we heard about this, we pulled the executable so that it is no longer available from BleepingComputer.com. Unfortunately we have no control over other sites that may have mirrored ComboFix without permission, so please do not attempt to download it elsewhere.

The developer, sUBs, is currently looking into what happened and when I have a full update, I will be sure to let you know. From the limited information that I have, it appears that the affected version has been available since approximately 2am EST on January 29th, but it may have been earlier. If this timeframe changes, I will update this topic to let you know. If you have used a new copy of ComboFix in the last day or so, then you should examine your system for possible infection. If you have used a copy of ComboFix prior to this version, then you should be ok.

SHA256 Hashes of known affected versions are:

[b]4524611a78ddd40afa7e13238da230302786c546d1f824e6e7dea480a5d55333
e5341c3c32a9726a2d3dd1ac0b90f13d896581ab8707dd0a17431df061a2a71d
4524611a78ddd40afa7e13238da230302786c546d1f824e6e7dea480a5d55333
e95f77fd437b16312fbd66a02fed8b179968a7615c1bd3cd3b2fd86879b4bbc8[/b]

In the meantime, it is important for those who may have used ComboFix recently and are concerned they are infected to get the help they need. As the Sality infection has been around for a while, almost all antivirus vendors will have detected it and blocked it when you ran ComboFix. Unfortunately, not everyone has up-to-date virus definitions or uses an AV program, so it is important to examine your system if you have downloaded a new copy and used it since 2am EST.

The steps we suggest you take to make sure your computer is not infected are:<p>


[list]
[*]Scan your computer with [url="http://www.eset.com/us/online-scanner/"]ESET's Online Scanner[/url].
[*]Download and scan your computer with the [url="http://rescuedisk.kaspersky-labs.com/rescuedisk/updatable/kav_rescue_10.iso"]Kaspersky Rescue Disk[/url]
[*]Use [url="http://support.kaspersky.com/1874"]SalityKiller[/url] if you are unable to use the above tools for some reason. When using this tool, you should disconnect from your network first.
[*]Use [url="http://free.avg.com/us-en/remove-sality"]AVG Sality Remover Tool[/url]. When using this tool, you should disconnect from your network first.
[/list]
[/quote]

http://www.bleepingcomputer.com/forums/topic483431.html
5 people like this

Share this post


Link to post
Share on other sites

14 answers to this question

  • 0

Posted

Isn't combofix a virus remover? LOL

Share this post


Link to post
Share on other sites
  • 0

Posted

well ****.

at least he was fairly quick to react and take it down as soon as he found out. i wonder how that could have happened though

Share this post


Link to post
Share on other sites
  • 0

Posted

Thanks for the heads up!

Share this post


Link to post
Share on other sites
  • 0

Posted

Just downloaded and used combo fix yesterday. Also scanned with MSE, Malwarebytes, and Spybot afterwards. None of the scans picked up anything but i'm scanning with ESET's Online Scanner now just in case.

Thanks for the heads up warwagon.

Share this post


Link to post
Share on other sites
  • 0

Posted

[quote name='Roxkis' timestamp='1359505559' post='595488984']
Just downloaded and used combo fix yesterday. Also scanned with MSE, Malwarebytes, and Spybot afterwards. None of the scans picked up anything but i'm scanning with ESET's Online Scanner now just in case.

Thanks for the heads up warwagon.
[/quote]

Luckily, you got it before the infection if you downloaded yesterday.

Share this post


Link to post
Share on other sites
  • 0

Posted

I can't remember when I last used this. Seemed to cause more problems than it fixed.
Well, at least someone's onto the problem^

Share this post


Link to post
Share on other sites
  • 0

Posted

Wow, that's crazy. Thanks for the heads-up, warwagon.

Share this post


Link to post
Share on other sites
  • 0

Posted

[quote name='farmeunit' timestamp='1359506546' post='595489024']
Luckily, you got it before the infection if you downloaded yesterday.
[/quote]
Yeah but it seems I'm infected anyhow.
[img]http://i.imgur.com/Yr2GFFj.png[/img]

How all these scanners I've used and they all missed all at...smh I guess its been a few years since I formatted anyway.

Share this post


Link to post
Share on other sites
  • 0

Posted

[quote name='Roxkis' timestamp='1359510167' post='595489098']
Yeah but it seems I'm infected anyhow.
[img]http://i.imgur.com/Yr2GFFj.png[/img]

How all these scanners I've used and they all missed all at...smh I guess its been a few years since I formatted anyway.
[/quote]

Those might not be infections per say, just the exploit files left over in your java cache folder. What are the locations of those files?

Share this post


Link to post
Share on other sites
  • 0

Posted

[quote name='warwagon' timestamp='1359510595' post='595489108']
Those might not be infections per say, just the exploit files left over in your java cache folder. What are the locations of those files?
[/quote]
He should turn off java's temp file option. I used to see those exploit names on users pc's, but since i turn off the temp file option, i haven't seen those appear.

Share this post


Link to post
Share on other sites
  • 0

Posted

[quote]
Unfortunately it has come to light that the program ComboFix had a file in it that is infected with the Sality virus. The minute we heard about this, we pulled the executable so that it is no longer available from BleepingComputer.com. Unfortunately we have no control over other sites that may have mirrored ComboFix without permission, so please do not attempt to download it elsewhere.

The developer, sUBs, is currently looking into what happened and when I have a full update, I will be sure to let you know. From the limited information that I have, it appears that the affected version has been available since approximately 2am EST on January 29th, but it may have been earlier. If this timeframe changes, I will update this topic to let you know. If you have used ComboFix in the last day or so, then you should examine your system for possible infection. If you have used a copy of ComboFix prior to this version, then you should be ok.
[/quote]

[quote]
Quote from BleepingComputer Admin:

ComboFix is now live, [b]clean[/b], and available to download from its normal links.
[/quote]


They have it sorted apparently, the executable is now live again at [url="http://www.bleepingcomputer.com/download/combofix/"]BleepingComputer[/url].

Read More [url="http://www.bleepingcomputer.com/forums/topic483431.html/"]Here[/url]
1 person likes this

Share this post


Link to post
Share on other sites
  • 0

Posted

I'm guessing this was an unsigned executable? Time to get a code signing certificate.

Share this post


Link to post
Share on other sites
  • 0

Posted

Hello,

I am unsure of how that might have helped in this particular situation. From what I understand of the issue, it was the build machine that was infected.

Regards,

Aryeh Goretsky

Share this post


Link to post
Share on other sites
  • 0

Posted

[quote name='Roxkis' timestamp='1359510167' post='595489098']
Yeah but it seems I'm infected anyhow.
[img]http://i.imgur.com/Yr2GFFj.png[/img]

How all these scanners I've used and they all missed all at...smh I guess its been a few years since I formatted anyway.
[/quote]

That's not sality, trust me :)I cleaned a few computers from it, and it's specifically say w32 something sality. it'll also start writing stuff to any USB stick you put in it.

The only tool that managed to get rid of it was the Kaspersky sality killer, followed by the Sality remover which I believe is form AVG based on the logo.

[quote name='chAos972' timestamp='1359690466' post='595493958']
I'm guessing this was an unsigned executable? Time to get a code signing certificate.
[/quote]

Thing is, if you had an infected combofix, it didn't actually run, it'd just give an error that it was invalid, but sality would still infect since it had taken over the exe, but combofix itself wouldn't run with the infected file.

Good thing they got it fixed anyway, since it's the absolute best tool to clean computers.

the computer I cleaned g in with sality got it from somewhere else though, since that person wouldn't know a virus cleaner if it slapped her in the face. over 600 infected files, a lot of them sality, but also a whole bunch of other stuff.

be warned that sality does appear to somehow get through even with autplay off. if you're cleaning. Her computer will need a full recovery though, hopefully it doesn't infect the recovery partition.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0

  • Recently Browsing   0 members

    No registered users viewing this page.