Combofix has been infected with Sality! Do Not use!

[+Warwagon MVC]

Combofix has been infected with Sality! Do Not use!!!!

Unfortunately it has come to light that the program ComboFix had a file in it that is infected with the Sality virus. The minute we heard about this, we pulled the executable so that it is no longer available from BleepingComputer.com. Unfortunately we have no control over other sites that may have mirrored ComboFix without permission, so please do not attempt to download it elsewhere.

The developer, sUBs, is currently looking into what happened and when I have a full update, I will be sure to let you know. From the limited information that I have, it appears that the affected version has been available since approximately 2am EST on January 29th, but it may have been earlier. If this timeframe changes, I will update this topic to let you know. If you have used a new copy of ComboFix in the last day or so, then you should examine your system for possible infection. If you have used a copy of ComboFix prior to this version, then you should be ok.

SHA256 Hashes of known affected versions are:

4524611a78ddd40afa7e13238da230302786c546d1f824e6e7dea480a5d55333

e5341c3c32a9726a2d3dd1ac0b90f13d896581ab8707dd0a17431df061a2a71d

4524611a78ddd40afa7e13238da230302786c546d1f824e6e7dea480a5d55333

e95f77fd437b16312fbd66a02fed8b179968a7615c1bd3cd3b2fd86879b4bbc8

In the meantime, it is important for those who may have used ComboFix recently and are concerned they are infected to get the help they need. As the Sality infection has been around for a while, almost all antivirus vendors will have detected it and blocked it when you ran ComboFix. Unfortunately, not everyone has up-to-date virus definitions or uses an AV program, so it is important to examine your system if you have downloaded a new copy and used it since 2am EST.

The steps we suggest you take to make sure your computer is not infected are:<p>

• Scan your computer with ESET's Online Scanner.
  
• Download and scan your computer with the Kaspersky Rescue Disk
  
• Use SalityKiller if you are unable to use the above tools for some reason. When using this tool, you should disconnect from your network first.
  
• Use AVG Sality Remover Tool. When using this tool, you should disconnect from your network first.
  

http://www.bleepingcomputer.com/forums/topic483431.html

[Colin McGregor]

Isn't combofix a virus remover? LOL

[Brandon H Supervisor]

well ****.

at least he was fairly quick to react and take it down as soon as he found out. i wonder how that could have happened though

[fusi0n]

Thanks for the heads up!

[Roxkis]

Just downloaded and used combo fix yesterday. Also scanned with MSE, Malwarebytes, and Spybot afterwards. None of the scans picked up anything but i'm scanning with ESET's Online Scanner now just in case.

Thanks for the heads up warwagon.

[farmeunit]

Just downloaded and used combo fix yesterday. Also scanned with MSE, Malwarebytes, and Spybot afterwards. None of the scans picked up anything but i'm scanning with ESET's Online Scanner now just in case.

Thanks for the heads up warwagon.

Luckily, you got it before the infection if you downloaded yesterday.

[Raa]

I can't remember when I last used this. Seemed to cause more problems than it fixed.

Well, at least someone's onto the problem^

[Charisma Veteran]

Wow, that's crazy. Thanks for the heads-up, warwagon.

[Roxkis]

Luckily, you got it before the infection if you downloaded yesterday.

Yeah but it seems I'm infected anyhow.

How all these scanners I've used and they all missed all at...smh I guess its been a few years since I formatted anyway.

[+Warwagon MVC]

Yeah but it seems I'm infected anyhow.

How all these scanners I've used and they all missed all at...smh I guess its been a few years since I formatted anyway.

Those might not be infections per say, just the exploit files left over in your java cache folder. What are the locations of those files?

[soldier1st]

Those might not be infections per say, just the exploit files left over in your java cache folder. What are the locations of those files?

He should turn off java's temp file option. I used to see those exploit names on users pc's, but since i turn off the temp file option, i haven't seen those appear.

[Marshall Veteran]

Unfortunately it has come to light that the program ComboFix had a file in it that is infected with the Sality virus. The minute we heard about this, we pulled the executable so that it is no longer available from BleepingComputer.com. Unfortunately we have no control over other sites that may have mirrored ComboFix without permission, so please do not attempt to download it elsewhere.

The developer, sUBs, is currently looking into what happened and when I have a full update, I will be sure to let you know. From the limited information that I have, it appears that the affected version has been available since approximately 2am EST on January 29th, but it may have been earlier. If this timeframe changes, I will update this topic to let you know. If you have used ComboFix in the last day or so, then you should examine your system for possible infection. If you have used a copy of ComboFix prior to this version, then you should be ok.

Quote from BleepingComputer Admin:

ComboFix is now live, clean, and available to download from its normal links.

They have it sorted apparently, the executable is now live again at BleepingComputer.

Read More Here

[Argi]

I'm guessing this was an unsigned executable? Time to get a code signing certificate.

[goretsky Supervisor]

Hello,

I am unsure of how that might have helped in this particular situation. From what I understand of the issue, it was the build machine that was infected.

Regards,

Aryeh Goretsky

[HawkMan]

Yeah but it seems I'm infected anyhow.

How all these scanners I've used and they all missed all at...smh I guess its been a few years since I formatted anyway.

That's not sality, trust me :)I cleaned a few computers from it, and it's specifically say w32 something sality. it'll also start writing stuff to any USB stick you put in it.

The only tool that managed to get rid of it was the Kaspersky sality killer, followed by the Sality remover which I believe is form AVG based on the logo.

I'm guessing this was an unsigned executable? Time to get a code signing certificate.

Thing is, if you had an infected combofix, it didn't actually run, it'd just give an error that it was invalid, but sality would still infect since it had taken over the exe, but combofix itself wouldn't run with the infected file.

Good thing they got it fixed anyway, since it's the absolute best tool to clean computers.

the computer I cleaned g in with sality got it from somewhere else though, since that person wouldn't know a virus cleaner if it slapped her in the face. over 600 infected files, a lot of them sality, but also a whole bunch of other stuff.

be warned that sality does appear to somehow get through even with autplay off. if you're cleaning. Her computer will need a full recovery though, hopefully it doesn't infect the recovery partition.