Beware of Combofix - contains infected file

Discussion in 'ESET NOD32 Antivirus' started by Marcos, Jan 29, 2013.

Thread Status:
Not open for further replies.
  1. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    We have discovered that the current installer of Combofix contains iexplore.exe infected with the Sality virus. It's pretty well detected by other vendors as well.
    We do not recommend downloading and using it until the author remedies the issue.
     
  2. WOW! How could this happen?
     
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    Hard to say, especially given that it's detected by almost 40 vendors on VT. We have notified the author.
     


  4. er34

    er34 Guest

    This is a very serious issue because there are many who advise others on a daily basis to use tools like ComboFix. And what is worse is that people are strongly advised to disable their AVs before running ComboFix.

    Marcos, thanks for posting! :thumb:
     
  5. Blade Z

    Blade Z Registered Member

    Joined:
    Jan 29, 2013
    Posts:
    1
    Hello,

    Just letting you know that the mirror at Bleeping Computer has been deactivated until this gets sorted out. So that should go a ways towards minimizing the exposure.

    A big thanks to Marcos as it was this thread that first alerted our staff to the issue.

    ~Blade
    Bleeping Computer Forum Administrator
     
  6. therock247uk

    therock247uk Spyware Fighter

    Joined:
    Apr 12, 2004
    Posts:
    2
    Location:
    Newark, Nottinghamshire, UK
    I wonder how it got infected in the first place?
     
  7. Trooper

    Trooper Registered Member

    Joined:
    Jan 26, 2005
    Posts:
    5,507
    Crazy. Just saw this on DSLReports. :doubt:
     
  8. Karsten

    Karsten Registered Member

    Joined:
    Dec 29, 2011
    Posts:
    2
    Location:
    Denmark
    You are not alone in thinking this, Sean, I'm sure. This will need to be investigated! I can only hope it didn't ruin CF for good.
     
  9. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Real nice! Thanks, Marcos, for the heads up. I am glad I don't use cleaning tools and just resort to offline images, but plenty of people do use ComboFix and for that I hope its reputation is not destroyed.
     
  10. Corrine

    Corrine Spyware Fighter

    Joined:
    Jan 10, 2005
    Posts:
    117
    Location:
    Upstate NY
  11. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,618
    Below link infected. The developer has been notified that his app is infected.

     
  12. Janus

    Janus Registered Member

    Joined:
    Jan 2, 2012
    Posts:
    587
    Location:
    Europe - Denmark .
    Thanks, Marcos and Corrine, for the heads up. Very sneaky and very unfortunate that ComboFix was somehow wrapped with the Sality virus. ComboFix is a tool that is much used by many websites that voluntarily help people with infections.

    Regards, Janus
     
    Last edited: Jan 29, 2013
  13. Grinler

    Grinler Security Expert

    Joined:
    Jun 20, 2004
    Posts:
    23
    Randy, curious why you say the above link is infected?
     
  14. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,618
    Larry -

    According to the timeline of the link, it was delivering an infected payload of the ComboFix file, as cited already at the top of this thread.

    You've since yanked the developer's file until further notice. We await you or a representative of Combo for a green light to point to a link in order to use it again, in an uninfected form.

    I asked for a de-link for maximum occasional reader safety, not to be construed as finger-pointing at Bleeping Computer.
     
  15. Grinler

    Grinler Security Expert

    Joined:
    Jun 20, 2004
    Posts:
    23
    Randy, I honestly don't understand what you are trying to say. It's already established that ComboFix was infected with Sality, so it was pulled.

    What I don't understand is why you would state that the below forum topic was infected and change it from an http to an hxxp.

    This one -> www.bleepingcomputer.com/forums/topic483431.html

    The above link was NEVER delivering an infected payload. It's the announcement as to what happened.

    /me confused
     
  16. siljaline

    siljaline Registered Member

    Joined:
    Jun 29, 2003
    Posts:
    6,618
    There appears to have been some level of confusion on behalf of myself.
    A de-link would not be in order in this case.

    ESET users should have some level of protection from Sality.

    I hope that an uninfected version of combofix is made available soon.
     
  17. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    4,868
    Location:
    Outer space
    Perhaps it's best to move this thread to another forum like Other security issues & news for better coverage to spread the word.
     
  18. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,288
    Agree :thumb:

    This tool is largely used in computer repair shops and by technicians. (Off topic: it gives so much money to win to others that it shouldn't be free, and the developer should be rich, IMO.)
     
  19. zfactor

    zfactor Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    6,102
    Location:
    on my zx10-r
    While it "was" a good tool (hopefully this will be sorted out), I was not ever a fan. I used it on a very rare occasion. It did what it was intended to, but I preferred other ways / tools. I agree this is a HUGE blow to them, and I'm not sure how many will ever trust it again after this, regardless of what the explanation is. Thanks to ESET and Marcos; this is just one reason why I am and always will be an ESET user, no matter what testing shows, etc.
     
  20. therock247uk

    therock247uk Spyware Fighter

    Joined:
    Apr 12, 2004
    Posts:
    2
    Location:
    Newark, Nottinghamshire, UK
    Why are computer shops etc. using this tool? It's way too powerful IMO, and if these computer shops aren't trained in ComboFix usage then bad things can happen. It's scary; I've even seen forums out there use it as some antivirus that they run every week.
     
  21. AlexC

    AlexC Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    1,288
    I've been using that tool daily on several different computers, for more than a year, and I never saw it trash any system. I just follow some simple rules:
    - disable AV / HIPS / BB, etc. before running the tool;
    - don't use the computer while ComboFix is running (don't move the ComboFix window, don't use other programs);
    - restart the computer after ComboFix ends.

    That's it.

    Because it is an impressive malware removal and repair tool. :thumb:
     
  22. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    It seems like I downloaded ComboFix about 2 1/2 months ago, and it was flagged by ESET as containing the Sality Dog W32 Virus. It may have even been more like 3 1/2 months ago. I have no grasp of time these days. I hope I'm wrong. I thought it was a false positive, so I didn't report it. I was just downloading it to add to a flash drive that I use for removing malware from other users' computers. I keep a copy of several malware removal utilities on a flash drive for convenience. It kept flagging it, so I got annoyed with it and just decided to delete it. I'm pretty sure it was ComboFix from Bleeping Computer. That really makes me wonder how long it had been infected :(
     
  23. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    According to cloud information, it had been available for a few hours only.
     
  24. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    4,101
    How was it detected?
    How can Bleeping Computer be so sure it hasn't been infected for several weeks or months?
     