The ComboFix tool from BleepingComputer.com, which is supposed to remove viruses and other threats, has been infected with the Sality virus. Bleeping Computer has acknowledged this, is asking users who ran the tool recently to scan their systems with a virus scanner, and lists tools to remove Sality as well. If you’re planning to fix a friend’s or relative’s computer with ComboFix, don’t use it for now.
ComboFix is currently not available for download from BleepingComputer.com, as they have already removed it from their site. Because they have no control over mirror sites offering the tool, they are asking users not to download it from other sites such as CNET.
BleepingComputer’s ComboFix infected with Sality Virus
“Unfortunately it has come to light that the program ComboFix had a file in it that is infected with the Sality virus. The minute we heard about this, we pulled the executable so that it is no longer available from BleepingComputer.com. Unfortunately we have no control over other sites that may have mirrored ComboFix without permission, so please do not attempt to download it elsewhere.” says Glinter, admin in BC forum.
If you downloaded ComboFix recently (the affected version “has been available since approximately 2am EST on January 29th, but it may have been earlier”), compare its SHA256 hash with the SHA256 hashes of the affected versions listed below.
SHA256 Hashes of Sality Infected ComboFix
4524611a78ddd40afa7e13238da230302786c546d1f824e6e7dea480a5d55333
e5341c3c32a9726a2d3dd1ac0b90f13d896581ab8707dd0a17431df061a2a71d
e95f77fd437b16312fbd66a02fed8b179968a7615c1bd3cd3b2fd86879b4bbc8
You can also check the downloaded ComboFix file with the VirusTotal Uploader, the VirusTotal Scanner, or a manual upload to the VirusTotal website; VirusTotal already has these hashes on record and shows the Sality infection of the file in its scan results.
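As an added example (not part of the original article and not BleepingComputer’s own tooling), the following Python script streams a downloaded file through SHA-256 and compares the result, case-insensitively, against the three distinct hashes listed above. The `demo()` function hashes a constructed sample file named `ComboFix.exe` with made-up contents; it is there only to show the check working, not a real ComboFix build.

```python
import hashlib
import sys
import tempfile
from pathlib import Path

# SHA-256 hashes of the Sality-infected ComboFix builds, as listed in the
# BleepingComputer notice reproduced on this page.
INFECTED_COMBOFIX_SHA256 = frozenset({
    "4524611a78ddd40afa7e13238da230302786c546d1f824e6e7dea480a5d55333",
    "e5341c3c32a9726a2d3dd1ac0b90f13d896581ab8707dd0a17431df061a2a71d",
    "e95f77fd437b16312fbd66a02fed8b179968a7615c1bd3cd3b2fd86879b4bbc8",
})


def sha256_of_stream(stream, chunk_size=1 << 20):
    """Hash a binary stream in chunks so a large download never has to fit in memory."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        h.update(chunk)
    return h.hexdigest()


def sha256_of_file(path):
    with open(path, "rb") as f:
        return sha256_of_stream(f)


def is_known_infected(digest, bad_hashes=INFECTED_COMBOFIX_SHA256):
    """Compare case-insensitively: hashing tools print SHA-256 in either case."""
    return digest.strip().lower() in bad_hashes


def check_files(paths, bad_hashes=INFECTED_COMBOFIX_SHA256):
    """Return {path: (digest, verdict)}; verdict is True/False, or an error string
    when the file could not be read."""
    results = {}
    for p in paths:
        try:
            digest = sha256_of_file(p)
        except OSError as exc:
            results[str(p)] = (None, f"unreadable: {exc}")
            continue
        results[str(p)] = (digest, is_known_infected(digest, bad_hashes))
    return results


def demo():
    """Constructed sample, not a real ComboFix binary: hash a small file, check it
    against the published list (expected clean), then against a list that
    contains its own hash in upper case (expected flagged)."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = Path(tmp) / "ComboFix.exe"   # hypothetical file name
        sample.write_bytes(b"abc")             # constructed contents
        digest = sha256_of_file(sample)
        clean = is_known_infected(digest)
        flagged = is_known_infected(digest.upper(), frozenset({digest}))
    return digest, clean, flagged


if __name__ == "__main__":
    # Usage: python check_combofix.py ComboFix.exe [more files...]
    for path, (digest, verdict) in check_files(sys.argv[1:]).items():
        if verdict is True:
            status = "INFECTED (matches a Sality-infected ComboFix hash)"
        elif verdict is False:
            status = "no match against the published list"
        else:
            status = verdict
        print(f"{path}: {digest} -> {status}")
```

A hash that does not match the list only means the file is not one of the three published infected builds; it does not prove the file is clean, so the online scanners below remain the right next step.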
How to remove Sality Virus from your Computer
1. Scan with the ESET online scanner.
2. Download and use the Kaspersky Rescue Disk.
3. Disconnect from the network and use a Sality removal tool such as SalityKiller or AVG Sality Remover.
All the tools mentioned above can detect and remove the Sality virus from your computer. If your computer is on a network, scan the other computers on that network for Sality as well.
Update 01/02/2013: ComboFix is now virus free and safe to download.