Combofix has been infected with Sality! Do Not use!

By +Warwagon
in Smart Home, Network & Security

 Share

Recommended Posts

Grand Master

+Warwagon MVC

Posted
  • MVC
Posted

Combofix has been infected with Sality! Do Not use!!!!

Unfortunately it has come to light that the program ComboFix had a file in it that is infected with the Sality virus. The minute we heard about this, we pulled the executable so that it is no longer available from BleepingComputer.com. Unfortunately we have no control over other sites that may have mirrored ComboFix without permission, so please do not attempt to download it elsewhere.

The developer, sUBs, is currently looking into what happened and when I have a full update, I will be sure to let you know. From the limited information that I have, it appears that the affected version has been available since approximately 2am EST on January 29th, but it may have been earlier. If this timeframe changes, I will update this topic to let you know. If you have used a new copy of ComboFix in the last day or so, then you should examine your system for possible infection. If you have used a copy of ComboFix prior to this version, then you should be ok.

SHA256 Hashes of known affected versions are:

4524611a78ddd40afa7e13238da230302786c546d1f824e6e7dea480a5d55333

e5341c3c32a9726a2d3dd1ac0b90f13d896581ab8707dd0a17431df061a2a71d

4524611a78ddd40afa7e13238da230302786c546d1f824e6e7dea480a5d55333

e95f77fd437b16312fbd66a02fed8b179968a7615c1bd3cd3b2fd86879b4bbc8

In the meantime, it is important for those who may have used ComboFix recently and are concerned they are infected to get the help they need. As the Sality infection has been around for a while, almost all antivirus vendors will have detected it and blocked it when you ran ComboFix. Unfortunately, not everyone has up-to-date virus definitions or uses an AV program, so it is important to examine your system if you have downloaded a new copy and used it since 2am EST.

The steps we suggest you take to make sure your computer is not infected are:<p>

http://www.bleepingcomputer.com/forums/topic483431.html

Grand Master

farmeunit

Posted
Posted

Just downloaded and used combo fix yesterday. Also scanned with MSE, Malwarebytes, and Spybot afterwards. None of the scans picked up anything but i'm scanning with ESET's Online Scanner now just in case.

Thanks for the heads up warwagon.

Luckily, you got it before the infection if you downloaded yesterday.

Grand Master

+Warwagon MVC

Posted
  • Author
  • MVC
Posted

Yeah but it seems I'm infected anyhow.

Yr2GFFj.png

How all these scanners I've used and they all missed all at...smh I guess its been a few years since I formatted anyway.

Those might not be infections per say, just the exploit files left over in your java cache folder. What are the locations of those files?

Grand Master

soldier1st

Posted
Posted

Those might not be infections per say, just the exploit files left over in your java cache folder. What are the locations of those files?

He should turn off java's temp file option. I used to see those exploit names on users pc's, but since i turn off the temp file option, i haven't seen those appear.

Grand Master

Marshall Veteran

Posted
  • Veteran
Posted

Unfortunately it has come to light that the program ComboFix had a file in it that is infected with the Sality virus. The minute we heard about this, we pulled the executable so that it is no longer available from BleepingComputer.com. Unfortunately we have no control over other sites that may have mirrored ComboFix without permission, so please do not attempt to download it elsewhere.

The developer, sUBs, is currently looking into what happened and when I have a full update, I will be sure to let you know. From the limited information that I have, it appears that the affected version has been available since approximately 2am EST on January 29th, but it may have been earlier. If this timeframe changes, I will update this topic to let you know. If you have used ComboFix in the last day or so, then you should examine your system for possible infection. If you have used a copy of ComboFix prior to this version, then you should be ok.

Quote from BleepingComputer Admin:

ComboFix is now live, clean, and available to download from its normal links.

They have it sorted apparently, the executable is now live again at BleepingComputer.

Read More Here

Grand Master

goretsky Supervisor

Posted
  • Supervisor
Posted

Hello,

I am unsure of how that might have helped in this particular situation. From what I understand of the issue, it was the build machine that was infected.

Regards,

Aryeh Goretsky

Grand Master

HawkMan

Posted
Posted

Yeah but it seems I'm infected anyhow.

Yr2GFFj.png

How all these scanners I've used and they all missed all at...smh I guess its been a few years since I formatted anyway.

That's not sality, trust me :)I cleaned a few computers from it, and it's specifically say w32 something sality. it'll also start writing stuff to any USB stick you put in it.

The only tool that managed to get rid of it was the Kaspersky sality killer, followed by the Sality remover which I believe is form AVG based on the logo.

I'm guessing this was an unsigned executable? Time to get a code signing certificate.

Thing is, if you had an infected combofix, it didn't actually run, it'd just give an error that it was invalid, but sality would still infect since it had taken over the exe, but combofix itself wouldn't run with the infected file.

Good thing they got it fixed anyway, since it's the absolute best tool to clean computers.

the computer I cleaned g in with sality got it from somewhere else though, since that person wouldn't know a virus cleaner if it slapped her in the face. over 600 infected files, a lot of them sality, but also a whole bunch of other stuff.

be warned that sality does appear to somehow get through even with autplay off. if you're cleaning. Her computer will need a full recovery though, hopefully it doesn't infect the recovery partition.

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Posts

    • Microsoft Edge gets tons of security features, including AI model that can see your screen

      By tsupersonic · Posted

      did they not learn anything from the Recall fiasco?
    • Internet Download Manager (IDM) 6.43 Build 2

      By Copernic · Posted

      Internet Download Manager (IDM) 6.43 Build 2 by Razvan Serea Internet Download Manager (IDM) is a tool to increase download speeds by up to 8 times due to its smart dynamic file segmentation technology. Unlike other download managers and accelerators, Internet Download Manager segments downloaded files dynamically during download process, and it reuses available connections without additional connect and login stages to achieve the best possible acceleration performance. Comprehensive error recovery and resume capability will restart broken or interrupted downloads due to lost connections, network problems, computer shutdowns, or unexpected power outages. All popular browsers are supported IDM integrates seamlessly into Google Chrome, FireFox, Microsoft Edge, Opera, Safari, Internet Explorer, Maxthon and all other popular browsers to automatically handle your downloads. You can also drag and drop files, or use Internet Download Manager from command line. The program supports proxy servers, ftp and http protocols, firewalls, redirects, cookies, authorization, MP3 audio and video content processing. IDM includes web site spider and grabber IDM downloads all required files that are specified with filters from web sites, for example all pictures from a web site, or subsets of web sites, or complete web sites for offline browsing. It's possible to schedule multiple grabber projects to run them once at a specified time, stop them at a specified time, or run periodically to synchronize changes. Easy downloading with one click When you click on a download link in a browser, IDM will take over the download and accelerate it. You don't need to do anything special, just browse the Internet as you usually do. IDM will catch your downloads and accelerate them. IDM supports HTTP, FTP, HTTPS and MMS protocols. Changes in Internet Download Manager 6.43 Build 2: Resolved the problem that caused a "403 Forbidden" error when downloading some files Fixed a problem causing IDM download panel not to appear on some websites Fixed a bug that caused a crash when converting some TS files to MP4 Download: Internet Download Manager 6.43 Build 2 | 11.9 MB (Shareware) Links: Internet Download Manager Website | Screenshot Get alerted to all of our Software updates on Twitter at @NeowinSoftware
    • Windows 11 is getting redesigned taskbar settings in new build

      By Captain_Eric · Posted

      It's in Experimental (26H2). Settings->Windows Update->Windows Insider Program. Then a) select Experimental, b) below that, select "Advanced Options" (where you will see the three options for "Experimental" builds -> select 26H2 (name change from 25H2 is rolling; so might be 25H2)
    • Why it's almost impossible to produce a smartphone in the United States

      By Shadow8 · Posted

      I am not a US citizen nor a Trump fan. Respect to both left and right. But I will, for the sake of fun, predict something for my own. There will come a day when the US and China will collide like titans ( over Taiwan or anything else ). Then, on that day, some people in this comment section will realize how good an idea it was to become independent in areas like that. ( Or atleast try )
    • Microsoft Edge gets tons of security features, including AI model that can see your screen

      By Usama Jawad96 · Posted

      Microsoft Edge gets tons of security features, including AI model that can see your screen by Usama Jawad Microsoft Edge may not be the most popular browser out there, but it does receive quite frequent updates that sometimes bring surprising new features and axe others that are not as popular. Now, Microsoft has detailed some of the new security enhancements that it has introduced in Edge for Business, typically used by commercial customers. Microsoft has emphasized that security features are baked into Edge for Business and offer native integration with security and governance tools like Defender and Purview. Browser sessions are governed by default on managed devices but can also be governed through dedicated work profiles on unmanaged devices. An important aspect in this area is controlling the use of shadow AI. We have talked about this before, but it essentially restricts employees from using unsanctioned AI apps through data loss prevention (DLP) policies, with Edge redirecting them to trusted AI services like Microsoft 365 Copilot. This feature, available as a pay-as-you-go (PAYG) license, ensures that confidential data never exits AI boundaries set by your organization in Purview. Additionally, Microsoft also has strong DLP policies for contractors. Contractors leveraging a Entra ID-joined work profile provisioned by their contracting company on a device managed by their actual employer can be restricted from downloading files locally. In such scenarios, the file is saved on the contracting firm's OneDrive rather than being downloaded locally. Another useful Edge security feature disallows copying and pasting from unmanaged locations and apps. Similarly, DLP policies can be configured at a granular level to restrict screenshots or downloading of files from certain locations. In the same vein, IT admins can block the installation of extensions, hosted apps, themes and scripts, and control if users can install extensions from external locations. They can also enable the installation of specific extensions and allow users to request access to certain extensions, so that they can be managed on a case-by-case basis. Finally, Edge for Business now has an on-device AI model that uses computer vision to see what's on your screen and block potentially malicious content immediately. This does not rely on site reputation, as it simply monitors what is being displayed on your screen, which means that it is effective against malicious content that takes over your screen and employs scareware tactics. Since this is an on-device AI model, it does use your system's resources, so it's enabled by default only on devices with at least 2GB of RAM and four CPU cores. You can find more details in the Microsoft Mechanics video here.

  • Recent Achievements

    • Dedicated
      Zeynel earned a badge
      Dedicated
    • One Month Later
      JKR earned a badge
      One Month Later
    • Dedicated
      Asgardi earned a badge
      Dedicated
    • Conversation Starter
      jessse3334 earned a badge
      Conversation Starter
    • Reacting Well
      JuvenileDelinquent earned a badge
      Reacting Well

  • Popular Contributors

    1. 1
      +primortal
      495
    2. 2
      +Edouard
      247
    3. 3
      PsYcHoKiLLa
      154
    4. 4
      Steven P.
      86
    5. 5
      macoman
      65
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!