Eset: "Beware of Combofix - contains infected file"

whizkidraj

Level 8
Verified
Nov 9, 2012
363
Combofix or Java whether they are infected or clean I use neither of them. Keep it simple, keep it clean. Thanks :)
 

Littlebits

Retired Staff
May 3, 2011
3,893
It looks like BleepingComputer has their Combofix download link live again but still no word on what happened in the first place to allow Combofix to be infected.

BleepingComputer.com was not compromised. I believe sUBs plans on giving an update soon, but not sure on the timeframe. I know he has been working hard on getting everything back in order.

http://www.bleepingcomputer.com/forums/topic483431.html/page__view__findpost__p__2962705

So the question remains how did the file get infected if the default download was not compromised?

Here are the only reasons that I can think of:

1. sUBs development system was infected with Sality virus and the virus was able to copy over to his installer package. (Since Sality is an older virus, this is unlikely.)

2. sUBs might have had a copy sample of Sality virus used for testing and accidentally packaged it into his installer. (Possible but very neglectful and irresponsible). Malware samples should always be placed in an area where they can not contaminate your development work.

3. sUBs intentionally placed the Sality virus into his installer package for some unknown reason. ( I would say this is possible because nobody knows anything about this developer, he doesn't have his own website or doesn't have any known credentials to his name.) He doesn't even go by his real name, he uses his forum display name on BleepingComputer. We don't know if he uses a secure system to develop Combofix or uses the same system to test malware samples.

Another example of his trust:

Instead of working on a statement to say how Combofix got infected, he works on the next release to get it live again?

So we have no way of knowing if his latest version has some unknown malware that will go undetected or if it is to be trusted.

If this same thing was to happen to other popular removal tools like McAfee Stinger, Kaspersky Virus Removal Tool, Norton Power Eraser, Dr Web CureIt, Malwarebytes, Microsoft Malicious Software Removal Tool, Emsisoft Emergency Kit, Comodo Cleaning Essentials, HitmanPro, etc.

Would you ever trust those tools again without any good reasons stated on how they got infected?

BleepingComputer acts like they are just going to try to sweep this problem under the rug by allowing a replacement file to be uploaded without any good reason how the previous file got infected.

For all of you so-called malware removal specialists, stop recommending Combofix and stop copying removal guides that recommend using it.

There are many alternatives that are developed by trusted developers.

Thanks.:D
 

Littlebits

Retired Staff
May 3, 2011
3,893
sUBs has made a reply:

I was infected. Actually not so unlikely since I have to, on a daily basis, download/process a large amount of malware specimens. After so many years, this is the first time which I unintentionally infected myself; reason being a faulty mouse which triggered an unwanted double click within a zipped attachment of live samples. For those affected, I offer my deepest apologies. It was never my intention to distribute malware.

http://www.bleepingcomputer.com/forums/topic483431.html/page__view__findpost__p__2962903

I'm sure that BleepingComputer will accept this response since it did make their website popular but not everyone is going to buy this.

What kind of a respectable developer uses the same system to develop products for consumers and also uses it for testing malware as well?

That is like asking for cross contamination of your developed products.
This is an example of a sloppy developer and who says this can't happen again? I don't believe he packaged malware intentionally into Combofix but his sloppy actions can not be ignored.

For those who want to continue to support sUBs and Combofix, use it on your own systems; don't recommend it to others. Allow them to choose if they want to trust it for themselves after they know the details.

Thanks.:D
 

Spirit

Level 2
May 17, 2012
1,832
That is why Umbra Fort is managed by an emergency situation task holder who can save the fort even if one of your soldiers betrayed you
:lol:
 

Deleted member 178

Stranger said:
That is why Umbra Fort is managed by an emergency situation task holder who can save the fort even if one of your soldiers betrayed you
:lol:

exaaaaaactly ! :D
 

Fiery

Level 1
Jan 11, 2011
2,007
Littlebits said:
3. sUBs intentionally placed the Sality virus into his installer package for some unknown reason. ( I would say this is possible because nobody knows anything about this developer, he doesn't have his own website or doesn't have any known credentials to his name.) He doesn't even go by his real name, he uses his forum display name on BleepingComputer. We don't know if he uses a secure system to develop Combofix or uses the same system to test malware samples.

I guess not many people know this but sUBs works on MBAM's development team. MBAM incorporates features of Combofix but not all, since there's no way to include advanced features into a simple interface like the one MBAM uses. Should we stop trusting MBAM now since sUBs is a part of it?

I agree it was a sloppy mistake by him, hopefully it won't happen again :s
 

Exterminator

Community Manager
Verified
Staff Member
Well-known
Oct 23, 2012
12,527
Maybe MBAM will drop him like a hot potato after this. I agree, it makes you think twice about the very tools you use to clean and repair a system. Apart from reputable security vendors and the free tools that they put out, you have to wonder now.
 

Littlebits

Retired Staff
May 3, 2011
3,893
Fiery said:
Littlebits said:
3. sUBs intentionally placed the Sality virus into his installer package for some unknown reason. ( I would say this is possible because nobody knows anything about this developer, he doesn't have his own website or doesn't have any known credentials to his name.) He doesn't even go by his real name, he uses his forum display name on BleepingComputer. We don't know if he uses a secure system to develop Combofix or uses the same system to test malware samples.

I guess not many people know this but sUBs works on MBAM's development team. MBAM incorporates features of Combofix but not all, since there's no way to include advanced features into a simple interface like the one MBAM uses. Should we stop trusting MBAM now since sUBs is a part of it?

I agree it was a sloppy mistake by him, hopefully it won't happen again :s

I don't see him listed on the development team- http://www.malwarebytes.org/company/management/

The only info about him is he is a moderator of Malwarebytes forum.
http://forums.malwarebytes.org/index.php?showuser=2164

He maybe helps with gathering research for Malwarebytes and moderates the forums, but he is not listed as part of the development team and it is not stated who he is or if he is even employed by Malwarebytes.

If sUBs was a valuable member of Malwarebytes don't you think he would be listed with the rest of the team?

If MBAM released a version that was infected, then yes you shouldn't trust them anymore either.

Malwarebytes works in a professional manner; they list all of their team members with backgrounds and photos, unlike sUBs, who has continued to be anonymous since the first release of Combofix. Nobody knows anything about him except for his nickname used on forums.

I have been suspicious of Combofix since it first appeared, but after using it on several infected systems, I realized how dangerous the tool was and how it could cause more damage to a system than it was actually worth.
It broke several Windows installations, resulting in me having to reinstall Windows to repair the damage.

There are warnings on the tool about how you should not use it unless instructed by an expert; how does anyone prove that they are an expert to begin with? Just because someone claims to be an expert on security forums doesn't make it so. Yet Combofix is recommended and used by helpers on security forums that nobody knows anything about, for simple adware and toolbars that many safe removal tools can remove without causing any damage to Windows. Many removal guides start right off from the start and say use Combofix before any other tool is recommended.

I have my own home business and have been removing malware from my customers' systems since 2002; Combofix is the most dangerous removal tool that I have ever come across. It is poorly coded, it has no fail-safes, and sUBs has made it clear that he is not responsible for damages to your system caused by using this tool.

Combofix should only be used as the last resort after trying all other removal tools available. It should not be the first tool used to remove infections.

Thanks.:D
 

Fiery

Level 1
Jan 11, 2011
2,007
I respect your concern and disapproval of Combofix, I'm sure many people are just like you. I just want to address/ clear a few things :)

Littlebits said:
I don't see him listed on the development team- http://www.malwarebytes.org/company/management/

That list is only the management of Malwarebytes, not the actual development. I don't think anyone would want a highly qualified VP of Sales or managing director, with background in business to work on the actual detection and coding of MBAM

The only info about him is he is a moderator of Malwarebytes forum.
http://forums.malwarebytes.org/index.php?showuser=2164

He maybe helps with gathering research for Malwarebytes and moderates the forums, but he is not listed as part of the development team and it is not stated who he is or if he is even employed by Malwarebytes.

To be exact, he is a research engineer, like most of the other staff members' titles besides something related to online support or the actual management. You won't see other companies listing all their staff members because the average user doesn't need to know. If Norton starts listing all their employees.. it will take a while to read :p

If sUBs was a valuable member of Malwarebytes don't you think he would be listed with the rest of the team?

If MBAM released a version that was infected, then yes you shouldn't trust them anymore either.
Not all valuable members can be listed, else the whole company's employees will be listed. The list, again, is related to management, not the development of MBAM.

I have been suspicious of Combofix since it first appeared, but after using it on several infected systems, I realized how dangerous the tool was and how it could cause more damage to a system than it was actually worth.
It broke several Windows installations, resulting in me having to reinstall Windows to repair the damage.
Unfortunately, that does happen.. Therefore only users who know how to troubleshoot and revert the changes should use the program.

There are warnings on the tool about how you should not use it unless instructed by an expert; how does anyone prove that they are an expert to begin with? Just because someone claims to be an expert on security forums doesn't make it so.

The Unified Network of Instructors and Trained Eliminators hosts the training. Each school has instructors who are either:
a) A member of the Alliance of Security Analysis Professionals
b) Microsoft MVPs
c) Graduates of a UNITE training school who have worked on live logs for a long time

Each trainee is subject to intensive training that can last 6-8 months in:
1. The functionality of all tools
2. Troubleshooting and recovering a PC as a result of damage from malware or a tool, such as combofix
3. Registry editing training
4. Before they graduate, they must undergo 1-3 months of moderation, by the school's instructors in malware removal logs

To become a "trusted helper" or "expert", you have to apply to the site and get a background check to confirm that you are a graduate of a school.

Yet Combofix is recommended and used by helpers on security forums that nobody knows anything about, for simple adware and toolbars that many safe removal tools can remove without causing any damage to Windows

I can't really respond to that since it depends on the circumstances. I would require an example of an actual thread to be able to respond to that.

Cheers :D
 

Littlebits

Retired Staff
May 3, 2011
3,893
To be exact, he is a research engineer, like most of the other staff members' titles besides something related to online support or the actual management. You won't see other companies listing all their staff members because the average user doesn't need to know. If Norton starts listing all their employees.. it will take a while to read

I understand that they can't list all of their employees, but the point that I'm trying to make is nobody knows anything about him except for his nickname. No real name, no qualifications, no degrees, where he does his development, absolutely nothing except from what is posted on BleepingComputer and Malwarebytes forums. It is not verified that he works for Malwarebytes; all that we know is he is a moderator and research engineer, which has nothing to do with developing. A research engineer just gathers information and passes it to the developers. A lot of researchers are just volunteers.

Do you think that this is suspicious that nobody knows anything about him?

To become a "trusted helper" or "expert", you have to apply to the site and get a background check to confirm that you are a graduate of a school.

So do any of our members who post help to our members have this qualification, and can they verify it? If not, then why are they suggesting to members to run Combofix in our Malware Removal Assistance?


I can't really respond to that since it depends on the circumstances. I would require an example of an actual thread to be able to respond to that.

There are several threads in our Malware Removal Assistance section where members only had a simple adware or toolbar that they needed help removing, and the reply that they got from us was to run Combofix.

Some of these could have easily been removed with the program uninstaller in Control Panel. I would have to look for those threads, but my point is Combofix is recommended to be used way too much when other, simpler options are available and are easier for novice users.

I have nothing against sUBs or Combofix, since I know nothing about him. BleepingComputer posts warnings about using it and they don't recommend using it as a first option. A lot of helpers on security forums freely use it as the first option, which even sUBs doesn't agree with according to his posts and the warnings included in Combofix.

If we don't have anyone here on our forum that has verified qualifications or training to use Combofix, then we need to quit instructing members to use it.

Thanks.:D
 

Fiery

Level 1
Jan 11, 2011
2,007
Littlebits said:
I understand that they can't list all of their employees, but the point that I'm trying to make is nobody knows anything about him except for his nickname. No real name, no qualifications, no degrees, where he does his development, absolutely nothing except from what is posted on BleepingComputer and Malwarebytes forums. It is not verified that he works for Malwarebytes; all that we know is he is a moderator and research engineer, which has nothing to do with developing. A research engineer just gathers information and passes it to the developers. A lot of researchers are just volunteers.

Do you think that this is suspicious that nobody knows anything about him?

Yes, he keeps a low profile on everything he does. He doesn't like discussion of his tools on open forums so I agree, he is "mysterious." That makes it no different for Farbar, OldTimer, Tigzy, Xplode and many others who developed standalone tools. They could be 15 year-old super geniuses in high school for all we know :p

In sUBs sig, he does have the Malwarebytes Staff banner and according to the admin on Geekstogo, he plays a developmental role in MBAM. If you choose not to believe that, that's completely fine, I respect your decision :)

To become a "trusted helper" or "expert", you have to apply to the site and get a background check to confirm that you are a graduate of a school.

There is a difference in how MT operates and how other forums operate. UNITE websites require helpers to be graduates from a school. MT is not on the UNITE website, thus, it's Jack's decision to choose the helpers and what tools are allowed.

I, for one, was Level 4 (last level, which was live logs) in Geekpolice Academy before I quit due to their management issues, and they do not operate the school anymore. So I'm with Geekstogo now. If you look at our top secret forum (:cool:), 90% of what Jack posted related to malware is from me, a few years ago.

There are several threads in our Malware Removal Assistance section where members only had a simple adware or toolbar that they needed help removing, and the reply that they got from us was to run Combofix.

Some of these could have easily been removed with the program uninstaller in Control Panel. I would have to look for those threads, but my point is Combofix is recommended to be used way too much when other, simpler options are available and are easier for novice users.

I looked through some of the threads and I would probably disagree, unless we are looking at different threads. There are 2 ways of malware removal.

First method, the one I believe most users including yourself use, is automated removal. The only danger is that if the scanner doesn't have the signature for a certain malware or doesn't have lower kernel access than the malware, it will remain undetected but the user may think his/her PC is clean. Since new malware rarely gets a 46/46 hit on VirusTotal, there is that danger.

Second method is manual removal through logs. The danger is removing good files by accident and the use of combofix. I suppose the reason why CF is used so often, in addition to its powerfulness, is because of the log it generates. Log removal doesn't rely on signatures. A combination of the two methods is the best way to go.

So regardless of which method you use, there are pros and cons, one having undetected malware or the other having a damaged system. Both to me are equally dangerous.

But let's agree on one thing, being smart and using good security will avoid such hassle and debate ;)

Cheers :D
 

Gnosis

Level 5
Apr 26, 2011
2,779
I have used CFix 5 or 6 times over the last 4 years with no adverse results. I guess I am lucky.
 

Billmartin

Level 1
Mar 27, 2014
14
Combofix is infected? I have been using it for quite a while. I just ran it on my desktop; I suspected the companies that picked it up as infected were false positives. I just scanned it with my ESET, not detected.
 

TwinHeadedEagle

Level 41
Verified
Mar 8, 2013
22,627
Combofix is infected? I have been using it for quite a while. I just ran it on my desktop; I suspected the companies that picked it up as infected were false positives. I just scanned it with my ESET, not detected.

ComboFix was infected with Sality virus by accident, but it was fixed very fast.
 
