BleepingComputer.com: Combofix false positive


Combofix false positive Driver file "XLoader.sys" was quarantined

#1 Robertone
  • New Member
  • Group: Members
  • Posts: 5
  • Joined: 28-December 09

Posted 29 December 2009 - 07:17 AM

Combofix was great for me, because it solved my problem.
Nevertheless, in order to improve the tool, I'd like to report the following false positive.
The file "XLoader.sys" was deleted and, after being renamed to "XLoader.sys.vir", placed in the "Quarantine" folder.
But this file is not a virus: it is part of the drivers for my video converter named "ConvertX".
Without this file, the "ConvertX" peripheral doesn't work anymore.
I had to restore the original name and put the file back in the appropriate folder (in my case, "C:\Windows\System32\Drivers\").
I'd therefore kindly ask you to consider this problem in future releases of Combofix.
Cheers
:thumbsup:



#2 quietman7
  • Bleepin' Janitor
  • Group: Global Moderator
  • Posts: 25,514
  • Joined: 09-July 05
  • Gender: Male
  • Location: Virginia, USA

Posted 29 December 2009 - 08:14 AM

I have informed the developer.
Microsoft MVP - Consumer Security 2007-2012
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 sUBs
  • Group: Malware Response Team
  • Posts: 2,456
  • Joined: 19-May 05

Posted 29 December 2009 - 08:18 AM

Hello, I need a sample of the file.

Please upload XLoader.sys via this webpage > http://www.bleepingcomputer.com/submit-malware.php?channel=4


Thanks.

#4 Robertone
  • New Member
  • Group: Members
  • Posts: 5
  • Joined: 28-December 09

Posted 29 December 2009 - 08:43 AM

Done.

#5 sUBs
  • Group: Malware Response Team
  • Posts: 2,456
  • Joined: 19-May 05

Posted 29 December 2009 - 08:45 AM

Thank you. I shall have a look at it now. Will update you when I have some news.

#6 sUBs
  • Group: Malware Response Team
  • Posts: 2,456
  • Joined: 19-May 05

Posted 29 December 2009 - 08:56 AM

It shall be fixed in the next update.

#7 Robertone
  • New Member
  • Group: Members
  • Posts: 5
  • Joined: 28-December 09

Posted 29 December 2009 - 02:39 PM

OK
I'll check it.
Many thanks.
:thumbsup:

#8 Robertone
  • New Member
  • Group: Members
  • Posts: 5
  • Joined: 28-December 09

Posted 31 January 2010 - 04:18 AM

sUBs, on Dec 29 2009, 08:45 AM, said:

Thank you. I shall have a look at it now. Will update you when I have some news.

I tried the new Combofix release: bug fixed, the peripheral is still working!
Very nice job.
Many thanks.
:thumbsup: :flowers: :trumpet:

#9 quietman7
  • Bleepin' Janitor
  • Group: Global Moderator
  • Posts: 25,514
  • Joined: 09-July 05
  • Gender: Male
  • Location: Virginia, USA

Posted 31 January 2010 - 10:00 AM

Now you should read the pinned topic ComboFix usage, Questions, Help? - Look here.

#10 akok
  • New Member
  • Group: Members
  • Posts: 3
  • Joined: 11-January 09
  • Gender: Male

Posted 22 April 2010 - 06:04 AM

Hello
I regret to find that ComboFix automatically deletes the mailer The Bat!
http://ru.wikipedia.org/wiki/The_Bat!

ComboFix 10-04-21.01 - Masha 22.04.2010   8:11.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.2.1251.7.1049.18.1015.471 [GMT 4:00]
Running from: c:\documents and settings\masha\Рабочий стол\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\masha\Application Data\.#
c:\program files\The Bat!
c:\program files\The Bat!\bat_czh.tip
c:\program files\The Bat!\bat_dut.tip
c:\program files\The Bat!\bat_esp.tip
c:\program files\The Bat!\bat_fra.tip
c:\program files\The Bat!\bat_ger.tip
c:\program files\The Bat!\bat_pol.tip
c:\program files\The Bat!\bat_rom.tip
c:\program files\The Bat!\bat_rus.tip
c:\program files\The Bat!\bat_sky.tip
c:\program files\The Bat!\bat_srb.tip
c:\program files\The Bat!\bat_src.tip
c:\program files\The Bat!\bat_swe.tip
c:\program files\The Bat!\bat_ukr.tip
c:\program files\The Bat!\DelMSI.exe
c:\program files\The Bat!\Images\default.msl
c:\program files\The Bat!\Images\Default\42.gif
c:\program files\The Bat!\Images\Default\angel.gif
c:\program files\The Bat!\Images\Default\angry.gif
c:\program files\The Bat!\Images\Default\bag.gif
c:\program files\The Bat!\Images\Default\beer.gif
c:\program files\The Bat!\Images\Default\blink.gif
c:\program files\The Bat!\Images\Default\cat.gif
c:\program files\The Bat!\Images\Default\cheerful.gif
c:\program files\The Bat!\Images\Default\coffee.gif
c:\program files\The Bat!\Images\Default\cool.gif
c:\program files\The Bat!\Images\Default\crazy.gif
c:\program files\The Bat!\Images\Default\cry.gif
c:\program files\The Bat!\Images\Default\cwy.gif
c:\program files\The Bat!\Images\Default\devil.gif
c:\program files\The Bat!\Images\Default\dog.gif
c:\program files\The Bat!\Images\Default\getlost.gif
c:\program files\The Bat!\Images\Default\getlost2.gif
c:\program files\The Bat!\Images\Default\gift.gif
c:\program files\The Bat!\Images\Default\gpig.gif
c:\program files\The Bat!\Images\Default\grin.gif
c:\program files\The Bat!\Images\Default\gun.gif
c:\program files\The Bat!\Images\Default\h2g2.gif
c:\program files\The Bat!\Images\Default\happy.gif
c:\program files\The Bat!\Images\Default\headshot.gif
c:\program files\The Bat!\Images\Default\hmm.gif
c:\program files\The Bat!\Images\Default\hrhr.gif
c:\program files\The Bat!\Images\Default\kissing.gif
c:\program files\The Bat!\Images\Default\knifed.gif
c:\program files\The Bat!\Images\Default\laughing.gif
c:\program files\The Bat!\Images\Default\love.gif
c:\program files\The Bat!\Images\Default\lunch.gif
c:\program files\The Bat!\Images\Default\movie.gif
c:\program files\The Bat!\Images\Default\music.gif
c:\program files\The Bat!\Images\Default\no.gif
c:\program files\The Bat!\Images\Default\omg.gif
c:\program files\The Bat!\Images\Default\oops.gif
c:\program files\The Bat!\Images\Default\phone.gif
c:\program files\The Bat!\Images\Default\poo.gif
c:\program files\The Bat!\Images\Default\pouty.gif
c:\program files\The Bat!\Images\Default\sad.gif
c:\program files\The Bat!\Images\Default\shocked.gif
c:\program files\The Bat!\Images\Default\shower.gif
c:\program files\The Bat!\Images\Default\sick.gif
c:\program files\The Bat!\Images\Default\sideways.gif
c:\program files\The Bat!\Images\Default\smile.gif
c:\program files\The Bat!\Images\Default\stfu.gif
c:\program files\The Bat!\Images\Default\teeth.gif
c:\program files\The Bat!\Images\Default\tungue.gif
c:\program files\The Bat!\Images\Default\ufo.gif
c:\program files\The Bat!\Images\Default\vomit.gif
c:\program files\The Bat!\Images\Default\w00t.gif
c:\program files\The Bat!\Images\Default\weird.gif
c:\program files\The Bat!\Images\Default\whistle.gif
c:\program files\The Bat!\Images\Default\wink.gif
c:\program files\The Bat!\Images\Default\wtf.gif
c:\program files\The Bat!\Images\Default\yes.gif
c:\program files\The Bat!\Images\Default\zzz.gif
c:\program files\The Bat!\licence.txt
c:\program files\The Bat!\licence_pro.rtf
c:\program files\The Bat!\readme.txt
c:\program files\The Bat!\Speller\accent.tlx
c:\program files\The Bat!\Speller\correct.tlx
c:\program files\The Bat!\Speller\Ssceam.tlx
c:\program files\The Bat!\Speller\Ssceam2.clx
c:\program files\The Bat!\Speller\SSCEBR.tlx
c:\program files\The Bat!\Speller\sscebr12.clx
c:\program files\The Bat!\Speller\ssceda.tlx
c:\program files\The Bat!\Speller\ssceda2.clx
c:\program files\The Bat!\Speller\SSCEDU.tlx
c:\program files\The Bat!\Speller\SSCEDU2.clx
c:\program files\The Bat!\Speller\SSCEFI.tlx
c:\program files\The Bat!\Speller\SSCEFI2.clx
c:\program files\The Bat!\Speller\SSCEFR.tlx
c:\program files\The Bat!\Speller\SSCEFR2.clx
c:\program files\The Bat!\Speller\sscegn.tlx
c:\program files\The Bat!\Speller\sscegn2.clx
c:\program files\The Bat!\Speller\sscego.tlx
c:\program files\The Bat!\Speller\sscego2.clx
c:\program files\The Bat!\Speller\SSCEIT.tlx
c:\program files\The Bat!\Speller\SSCEIT2.clx
c:\program files\The Bat!\Speller\SSCENB.tlx
c:\program files\The Bat!\Speller\SSCENB2.clx
c:\program files\The Bat!\Speller\sscepb.tlx
c:\program files\The Bat!\Speller\SSCEPB2.CLX
c:\program files\The Bat!\Speller\SSCEPO.TLX
c:\program files\The Bat!\Speller\SSCEPO2.CLX
c:\program files\The Bat!\Speller\SSCESP.tlx
c:\program files\The Bat!\Speller\SSCESP2.clx
c:\program files\The Bat!\Speller\SSCESW.tlx
c:\program files\The Bat!\Speller\SSCESW2.clx
c:\program files\The Bat!\Speller\userdic.tlx
c:\program files\The Bat!\SSCE5132.dll
c:\program files\The Bat!\TBMapi.dll
c:\program files\The Bat!\The_bat.chm
c:\program files\The Bat!\thebat.exe
c:\program files\The Bat!\thebat.lng
c:\program files\The Bat!\thebat.tip


Topics:
1 and 2


Please correct the Combofix false positive.
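The two things a practitioner has to do by hand when ComboFix hits a false positive are both on this page: read the "Other Deletions" section of the log to see what was removed (this post), and put a quarantined file back from its ".vir" copy (the first post's XLoader.sys). The Python below is an added example, not ComboFix's code and not anything posted in the thread. It parses the log format as printed above, counts deleted paths per product directory so that a wiped application (an .exe, its DLLs, help file and dictionaries all under one folder) stands out from a single dropped file, maps a quarantined name back to its original, and refuses to call a file safe to restore unless its SHA-256 matches a hash taken from the vendor's own installer. The log excerpt is trimmed from the one above; the quarantine path, the driver bytes and all function names are my own constructions.

```python
"""Triage helpers for ComboFix false positives (added example, not ComboFix code)."""
import hashlib
import re
from collections import Counter
from pathlib import PureWindowsPath

# Trimmed excerpt of the log posted in the thread; the real "Other Deletions"
# list is far longer, these lines are enough to show the pattern.
SAMPLE_LOG = r"""
ComboFix 10-04-21.01 - Masha 22.04.2010   8:11.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.2.1251.7.1049.18.1015.471 [GMT 4:00]
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\masha\Application Data\.#
c:\program files\The Bat!
c:\program files\The Bat!\thebat.exe
c:\program files\The Bat!\TBMapi.dll
c:\program files\The Bat!\Speller\userdic.tlx
"""

# ComboFix prints each section banner as the section name wrapped in parentheses.
SECTION_RE = re.compile(r"^\(+\s*(.*?)\s*\)+\s*$")
# Entries we treat as file-system paths (other sections can list registry keys).
WIN_PATH_RE = re.compile(r"^[a-zA-Z]:\\")


def parse_combofix_log(text):
    """Split a ComboFix log into its header lines and a {section: [entries]} map."""
    header, sections, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue  # blank lines and lone '.' lines are separators
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
            sections[current] = []
        elif current is None:
            header.append(line)
        else:
            sections[current].append(line)
    return header, sections


def deletions_per_directory(entries, depth=3):
    """Count deleted paths per product directory: the drive plus the next two
    components, so 'c:\\program files\\The Bat!\\Speller\\userdic.tlx' is
    credited to 'c:\\program files\\The Bat!'."""
    counts = Counter()
    for entry in entries:
        if not WIN_PATH_RE.match(entry):
            continue
        parts = PureWindowsPath(entry).parts
        counts[str(PureWindowsPath(*parts[:depth]))] += 1
    return counts


def wiped_directories(entries, min_entries=5):
    """Directories with at least min_entries deletions, most hits first.
    A whole product tree going at once is the false-positive pattern in the
    log above; a dropper usually leaves one or two files, not a Speller folder."""
    counts = deletions_per_directory(entries)
    hits = [(d, n) for d, n in counts.items() if n >= min_entries]
    return sorted(hits, key=lambda item: (-item[1], item[0]))


def original_name(quarantined):
    """Map a quarantined name back to the original: ComboFix appends '.vir'
    (the first post's XLoader.sys became XLoader.sys.vir)."""
    name = PureWindowsPath(quarantined).name
    if not name.lower().endswith(".vir"):
        raise ValueError(f"not a ComboFix quarantine name: {name}")
    return name[: -len(".vir")]


def safe_to_restore(data, known_good_sha256):
    """True only if the quarantined bytes hash to a value taken from the vendor's
    own installer; a familiar file name is not evidence that the file is clean."""
    return hashlib.sha256(data).hexdigest() == known_good_sha256.lower()


if __name__ == "__main__":
    header, sections = parse_combofix_log(SAMPLE_LOG)
    print(header[0])
    for directory, n in wiped_directories(sections["Other Deletions"], min_entries=3):
        print(f"{n:3d} deletions under {directory}")
    # Constructed bytes standing in for a real XLoader.sys; the hash would
    # normally come from the ConvertX driver package, not from the quarantine.
    driver = b"MZ...constructed stand-in for XLoader.sys..."
    vendor_hash = hashlib.sha256(driver).hexdigest()
    print(original_name(r"C:\Quarantine\XLoader.sys.vir"),
          "restore:", safe_to_restore(driver, vendor_hash))
```

The threshold in `wiped_directories` is deliberately a parameter: a single quarantined driver such as XLoader.sys will never trip it, so the hash check is the only safeguard for that case, and it should be run against the vendor's copy before the file goes back under System32\Drivers.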

#11 Cristian Bonilla
  • New Member
  • Group: Members
  • Posts: 2
  • Joined: 16-September 11

Posted 16 September 2011 - 03:23 PM

Hello. I have a .NET application called Netbus, installed using ClickOnce.

When I run ComboFix, it deletes my program installation.

What do I have to do to avoid this?

You are treating my application as a false positive.

Best regards, Cristian.

#12 sUBs
  • Group: Malware Response Team
  • Posts: 2,456
  • Joined: 19-May 05

Posted 16 September 2011 - 10:41 PM

Cristian,

Please zip/upload the file/folder that was deleted. Also include the ComboFix log of the event.

#13 Cristian Bonilla
  • New Member
  • Group: Members
  • Posts: 2
  • Joined: 16-September 11

Posted 26 September 2011 - 11:11 AM

sUBs, on 16 September 2011 - 10:41 PM, said:

Cristian,

Please zip/upload the file/folder that was deleted. Also include the ComboFix log of the event.


Thanks for your response.

I think you can check easily the situation:

1. Just download and install my ClickOnce application called 'Supervisor Netbus', using this link:

http://netbus.s3.amazonaws.com/AKIAIT52VGKA3GMUQKMQ/supervisor/supervisorNetBus.application

2. The installation creates a shortcut in the Windows menu (Datamining Systems/Supervisor Netbus Web)

3. Run ComboFix, and you will see my application disappear.

Best regards, Cristian

#14 sUBs
  • Group: Malware Response Team
  • Posts: 2,456
  • Joined: 19-May 05

Posted 29 September 2011 - 01:46 PM

Apologies Cristian, I have installed your app but when I ran ComboFix, it does not appear to touch any of the files.

Perhaps I made a mistake in the installation. Please refer to the list below and confirm that I have the full list of your files.



Also include the ComboFix log of the event.

Your ComboFix log would be most helpful.


