Eset: "Beware of Combofix - contains infected file"

VectorFool

New Member
Thread author
Verified
Dec 17, 2012
88
http://www.wilderssecurity.com/showthread.php?t=340693

Eset issues warning for Combofix users

We have discovered that the current installer of Combofix contains iexplore.exe infected with the Sality virus. It's pretty well detected by other vendors as well.
We do not recommend downloading and using it until the author remedies the issue.

Code:
SHA256 Hashes of known affected versions are:

4524611a78ddd40afa7e13238da230302786c546d1f824e6e7dea480a5d55333
e5341c3c32a9726a2d3dd1ac0b90f13d896581ab8707dd0a17431df061a2a71d
4524611a78ddd40afa7e13238da230302786c546d1f824e6e7dea480a5d55333
e95f77fd437b16312fbd66a02fed8b179968a7615c1bd3cd3b2fd86879b4bbc8


Here's what you should do

Unfortunately it has come to light that the program ComboFix had a file in it that is infected with the Sality virus. The minute we heard about this, we pulled the executable so that it is no longer available from BleepingComputer.com. Unfortunately we have no control over other sites that may have mirrored ComboFix without permission, so please do not attempt to download it elsewhere.

The developer, sUBs, is currently looking into what happened and when I have a full update, I will be sure to let you know. From the limited information that I have, it appears that the affected version has been available since approximately 2am EST on January 29th, but it may have been earlier. If this timeframe changes, I will update this topic to let you know. If you have used a new copy of ComboFix in the last day or so, then you should examine your system for possible infection. If you have used a copy of ComboFix prior to this version, then you should be ok.

SHA256 Hashes of known affected versions are:

4524611a78ddd40afa7e13238da230302786c546d1f824e6e7dea480a5d55333
e5341c3c32a9726a2d3dd1ac0b90f13d896581ab8707dd0a17431df061a2a71d
4524611a78ddd40afa7e13238da230302786c546d1f824e6e7dea480a5d55333
e95f77fd437b16312fbd66a02fed8b179968a7615c1bd3cd3b2fd86879b4bbc8

In the meantime, it is important for those who may have used ComboFix recently and are concerned they are infected to get the help they need. As the Sality infection has been around for a while, almost all antivirus vendors will have detected it and blocked it when you ran ComboFix. Unfortunately, not everyone has up-to-date virus definitions or uses an AV program, so it is important to examine your system if you have downloaded a new copy and used it since 2am EST.

The steps we suggest you take to make sure your computer is not infected are:

Scan your computer with ESET's Online Scanner.

Download and scan your computer with the Kaspersky Rescue Disk

Use SalityKiller if you are unable to use the above tools for some reason. When using this tool, you should disconnect from your network first.

Use AVG Sality Remover Tool. When using this tool, you should disconnect from your network first.

All of these tools should be able to detect and remove Sality from your computer. Sality is also able to spread through mapped network drives and shares. If you share any folders on your network, you should perform the above steps on those computers as well.

If you need help with any of these steps, or would like us to check your computer, please feel free to ask us in the forums. You can either post in the Am I infected? forum or create a virus removal assistance topic in the Virus, Trojan, Spyware, and Malware Removal Logs forum using these steps.

http://www.bleepingcomputer.com/forums/topic483431.html

credits to original author
Lawrence Abrams
BleepingComputer.com
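The check a user in this situation actually needs is to hash the copy of ComboFix they downloaded and compare it with the affected-build hashes published above. The script below is an added example (not code from ESET, BleepingComputer or the ComboFix author); it assumes Python 3 only, and the file and folder names it is run against are the user's own.

```python
import hashlib
import sys
from pathlib import Path

# SHA256 digests of the affected ComboFix builds, copied from the ESET and
# BleepingComputer notices quoted above (the notice lists 4524611a... twice;
# storing them in a set drops the repeat).
AFFECTED_COMBOFIX_SHA256 = {
    "4524611a78ddd40afa7e13238da230302786c546d1f824e6e7dea480a5d55333",
    "e5341c3c32a9726a2d3dd1ac0b90f13d896581ab8707dd0a17431df061a2a71d",
    "e95f77fd437b16312fbd66a02fed8b179968a7615c1bd3cd3b2fd86879b4bbc8",
}


def sha256_of_bytes(data: bytes) -> str:
    """Hex SHA256 of an in-memory buffer (used for small inputs and tests)."""
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so a large installer never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def is_known_affected(hex_digest: str) -> bool:
    """True when the digest matches a published affected build. The comparison
    is case-insensitive because sites differ in how they print hex digests."""
    return hex_digest.strip().lower() in AFFECTED_COMBOFIX_SHA256


def triage_downloads(directory, pattern: str = "*.exe") -> dict:
    """Hash every file matching `pattern` under `directory` (recursively) and
    return {path: (sha256, affected)} so copies from mirrors can be checked in bulk."""
    results = {}
    for p in sorted(Path(directory).rglob(pattern)):
        if p.is_file():
            digest = sha256_of_file(p)
            results[str(p)] = (digest, is_known_affected(digest))
    return results


if __name__ == "__main__":
    # Usage: python check_combofix.py <download-folder>   (folder name is the user's own)
    for path, (digest, bad) in triage_downloads(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(f"{'AFFECTED  ' if bad else 'not listed'}  {digest}  {path}")
```

A digest that is not listed only means the copy is not one of the three published builds; it is not proof the file is clean, so the scan steps above still apply.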
 

Exterminator

Community Manager
Verified
Staff Member
Well-known
Oct 23, 2012
12,527
Thanks for this!!! This is obviously a very serious issue. I hope everyone gets to see this before it gets buried.
 

arsenaloyal

Level 3
Verified
Aug 6, 2012
354
This is strange. I just downloaded ComboFix and uploaded it to VirusTotal and it just shows 1/46

https://www.virustotal.com/file/361548f74415a41f00d5345b3e3c489b3282b302c0c51266880eda586db01a12/analysis/1359477407/

Perhaps it's only detected after the original exe is run?
 

Gnosis

Level 5
Apr 26, 2011
2,779
That is a really crafty way to infect a PC!

ComboFix instructions:

1. Turn off ALL of your realtime security
2. Don't so much as move the mouse arrow while ComboFix is running
3. It may take a while, so wait patiently



LOLOLOLOLOLOLOLOLOLOLOL
 


Littlebits

Retired Staff
May 3, 2011
3,893
Most PC techs do not use Combofix since it causes more problems than what it fixes. However, many security forums highly recommend this tool for some unknown reason.

There has to be some kind of negligence on the developer or host server to allow malware within the file. Most certainly unprofessional.

I feel sorry for the users who ran this infected version and at the same time it is humorous. This version must have caused a lot more problems than the ones that I tried in the past.

I don't know how the developer is going to explain how this happened.

Thanks.:D
 

illumination

This is one tool that I'm thankful I do not use, for the same reason Littlebits just explained: it causes more problems than what it is worth. After reading this, I'm really glad I do not use it.
 

Ink

Administrator
Verified
Staff Member
Well-known
Jan 8, 2011
22,361
They pulled the infected version down. You downloaded a clean version.

Infected ComboFix are as follows:
http://malwaretips.com/Thread-Last-version-of-ComboFix-infecred-with-Sality-virus

arsenaloyal said:
This is strange. I just downloaded ComboFix and uploaded it to VirusTotal and it just shows 1/46
 

Littlebits

Retired Staff
May 3, 2011
3,893
Earth said:
They pulled the infected version down. You downloaded a clean version.

Infected ComboFix are as follows:
http://malwaretips.com/Thread-Last-version-of-ComboFix-infecred-with-Sality-virus

arsenaloyal said:
This is strange. I just downloaded ComboFix and uploaded it to VirusTotal and it just shows 1/46

BleepingComputer has pulled all Combofix downloads.
http://www.bleepingcomputer.com/download/combofix/

This download is not available at this time.
We apologize for the issues and hope to have it available soon.

Because if anyone is downloading Combofix it is not from the official link and probably an older version hosted by a third-party site.

Until they get to the bottom of this problem, it is not recommended to download it or run it.

Thanks.:D
 

Deleted member 178

Gnosis said:
That is a really crafty way to infect a PC!

ComboFix instructions:

1. Turn off ALL of your realtime security
2. Don't so much as move the mouse arrow while ComboFix is running
3. It may take a while, so wait patiently



LOLOLOLOLOLOLOLOLOLOLOL

1- because it will be easier to infect you, thanks for your cooperation :D
2- anyway we infected you already so you will soon not be able to use it
3- yes, your HDD contains a lot of files, so it will take time to infect all your files

:D
 

Deleted member 178

exterminator20 said:
Maybe they can get together with Java and compare notes

Combofix was just bought by Oracle yesterday, it is why ...

Combofix, take it with a grain of SALITY

:D
 

Littlebits

Retired Staff
May 3, 2011
3,893
Probably the first malware removal tool in history that actually comes with malware included.

So your system is clean, not after running Combofix.;)

Thanks.:D
 

Fiery

Level 1
Jan 11, 2011
2,007
Littlebits said:
Probably the first malware removal tool in history that actually comes with malware included.

So your system is clean, not after running Combofix.;)

Thanks.:D

:lolz: I'm pretty sure this happened before back in 2007 or 2008. Combofix was infected by a virus that caused it to delete the entire system32 folder, if I remember correctly. (Or it was some other system folders)
 

tapoo

Level 4
Verified
Jan 21, 2012
639
OMG, I am not sure if it's funny or dangerous, which word I should apply!!!!!
 

Exterminator

Community Manager
Verified
Staff Member
Well-known
Oct 23, 2012
12,527
tapoo said:
OMG, I am not sure if it's funny or dangerous, which word I should apply!!!!!

I guess it's funny if you don't use it and dangerous if you do. Probably not funny if you got peppered by Sality though. :D

If there wasn't enough to worry about with all the hacking in the past couple of years, then Java and now Combofix. Worst comes to worst, there is always *MyCleanPC.com.

*Please do not visit or use this, as it is a joke and not an endorsement
 

McLovin

Level 76
Verified
Honorary Member
Malware Hunter
Apr 17, 2011
9,224
I say it's a good thing I don't need or use it. As Littlebits said, if you're not a Malware Removal Technician, then there is no need to use it.

Thanks for the heads up nonetheless; it gives users that do use it a reason to stay away from it at the moment.
 

Fiery

Level 1
Jan 11, 2011
2,007
Combofix is effective in removing rootkits and the nastiest infections, that's why it's used so frequently. No other tool comes close to Combofix's effectiveness. Plus the customizable scripting feature is what makes it useful :D
 

McLovin

Level 76
Verified
Honorary Member
Malware Hunter
Apr 17, 2011
9,224
Fiery said:
Combofix is effective in removing rootkits and the nastiest infections, that's why it's used so frequently. No other tool comes close to Combofix's effectiveness. Plus the customizable scripting feature is what makes it useful :D

True, but if you have no idea what you're doing then it's best to stay away from it and get a professional to do it. ;)
 

Littlebits

Retired Staff
May 3, 2011
3,893
Fiery said:
Combofix is effective in removing rootkits and the nastiest infections, that's why it's used so frequently. No other tool comes close to Combofix's effectiveness. Plus the customizable scripting feature is what makes it useful :D

It also is very effective at breaking Windows even if used correctly.
I would rather reinstall Windows than mess with it; that way you know for sure the system is clean.

Thanks.:D
 
