Combofix false positive


27 replies to this topic

#1 Robertone

  • Members

Posted 29 December 2009 - 07:17 AM

ComboFix was great for me, because it solved my problem.
Nevertheless, in order to improve the tool, I'd like to report the following false positive.
The file "XLoader.sys" was deleted and, after being renamed to "XLoader.sys.vir", placed in the "Quarantine" folder.
But this file is not a virus: it is part of the drivers for my video converter named "ConvertX".
Without this file, the "ConvertX" peripheral no longer works.
I had to restore the original name and put the file back in the appropriate folder (in my case, "C:\Windows\System32\Drivers\").
I'd kindly ask you to consider this problem in future releases of ComboFix.
Cheers

Edited by Robertone, 29 December 2009 - 07:17 AM.
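The step a practitioner would want between "it is in Quarantine" and "I put it back in System32\Drivers" is a check on the file itself. The following is an added example, not code from this thread or from ComboFix. It takes the quarantine copy (the post says the file was renamed to XLoader.sys.vir), hashes it so the hash can accompany the sample sent to the developer, confirms the file is a PE image whose Subsystem field is NATIVE (what a kernel-mode driver is built as) before it may be copied back into a Drivers folder, and refuses to overwrite an existing file. The quarantine and destination directories are parameters because the post only names a "Quarantine" folder; `fake_pe` builds a constructed header for the demo and is not a real driver.

```python
"""Restore a ComboFix-quarantined driver only after checking what it is.

Added example, not from the thread or from ComboFix. Assumes the quarantine
copy is <original name>.vir, as the post describes for XLoader.sys.vir.
"""
import hashlib
import shutil
import struct
from pathlib import Path

IMAGE_SUBSYSTEM_NATIVE = 1        # kernel-mode drivers are built as NATIVE images
IMAGE_SUBSYSTEM_WINDOWS_GUI = 2


def pe_subsystem(data: bytes):
    """Return the optional-header Subsystem value, or None if not a PE image."""
    if len(data) < 64 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 60)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    coff = e_lfanew + 4                  # 20-byte COFF file header
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    # Subsystem is at offset 68 of the optional header for both PE32 and PE32+.
    if size_opt < 70 or len(data) < opt + 70:
        return None
    return struct.unpack_from("<H", data, opt + 68)[0]


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def restore_quarantined(vir_path, dest_dir, require_driver=True) -> dict:
    """Copy <name>.vir back to dest_dir/<name>; the quarantine copy is kept as evidence."""
    vir_path, dest_dir = Path(vir_path), Path(dest_dir)
    if vir_path.suffix.lower() != ".vir":
        raise ValueError(f"not a quarantine file: {vir_path.name}")
    original_name = vir_path.name[:-4]   # strip ".vir"
    target = dest_dir / original_name
    if target.exists():
        raise FileExistsError(f"{target} already exists; compare hashes first")
    subsystem = pe_subsystem(vir_path.read_bytes())
    if subsystem is None:
        raise ValueError(f"{vir_path.name} is not a PE image")
    if require_driver and subsystem != IMAGE_SUBSYSTEM_NATIVE:
        raise ValueError(f"{original_name}: subsystem {subsystem} is not NATIVE; "
                         "do not place it in a Drivers folder")
    dest_dir.mkdir(parents=True, exist_ok=True)
    shutil.copy2(vir_path, target)
    return {"restored": target, "sha256": sha256_of(target), "subsystem": subsystem}


def fake_pe(subsystem: int) -> bytes:
    """Constructed minimal PE header (DOS stub + COFF + optional header) for the demo."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                  # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                             # PE32 magic
    struct.pack_into("<H", opt, 68, subsystem)
    return dos + coff + bytes(opt)


def demo() -> dict:
    """Exercise the restore on constructed files in a temporary directory."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        quarantine, drivers = Path(tmp) / "Quarantine", Path(tmp) / "Drivers"
        quarantine.mkdir()
        (quarantine / "XLoader.sys.vir").write_bytes(fake_pe(IMAGE_SUBSYSTEM_NATIVE))
        (quarantine / "app.exe.vir").write_bytes(fake_pe(IMAGE_SUBSYSTEM_WINDOWS_GUI))
        result = restore_quarantined(quarantine / "XLoader.sys.vir", drivers)
        result["restored_name"] = result["restored"].name
        result["restored_exists"] = result["restored"].exists()
        result["quarantine_sha256"] = sha256_of(quarantine / "XLoader.sys.vir")
        try:
            restore_quarantined(quarantine / "app.exe.vir", drivers)
            result["gui_rejected"] = False
        except ValueError:
            result["gui_rejected"] = True     # a GUI executable must not go into Drivers
        return result


if __name__ == "__main__":
    print(demo())
```

The Subsystem check is deliberately narrow: it does not prove the file is the ConvertX driver, only that it is the kind of image that belongs in that folder. The hash is what goes to the developer with the sample, and the quarantine copy stays in place so the original evidence is not lost.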



#2 quietman7

  • Global Moderator

Posted 29 December 2009 - 08:14 AM

I have informed the developer.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 sUBs

  • Malware Response Team

Posted 29 December 2009 - 08:18 AM

Hello, I need a sample of the file.

Please upload XLoader.sys via this webpage > http://www.bleepingcomputer.com/submit-malware.php?channel=4


Thanks.

#4 Robertone

  • Topic Starter

Posted 29 December 2009 - 08:43 AM

Done.

#5 sUBs

  • Malware Response Team

Posted 29 December 2009 - 08:45 AM

Thank you. I shall have a look at it now. Will update you when I have some news.

#6 sUBs

  • Malware Response Team

Posted 29 December 2009 - 08:56 AM

It shall be fixed in the next update.

#7 Robertone

  • Topic Starter

Posted 29 December 2009 - 02:39 PM

OK
I'll check it.
Many thanks.

#8 Robertone

  • Topic Starter

Posted 31 January 2010 - 04:18 AM

> Thank you. I shall have a look at it now. Will update you when I have some news.

I tried the new ComboFix release: bug fixed, the peripheral is still working!
Very nice job.
Many thanks.

#9 quietman7

  • Global Moderator

Posted 31 January 2010 - 10:00 AM

Now you should read the pinned topic ComboFix usage, Questions, Help? - Look here.

#10 akok

  • Members

Posted 22 April 2010 - 06:04 AM

Hello
I regret to find that ComboFix automatically deletes the mailer The Bat!
http://ru.wikipedia.org/wiki/The_Bat!

ComboFix 10-04-21.01 - Masha 22.04.2010   8:11.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.2.1251.7.1049.18.1015.471 [GMT 4:00]
Running from: c:\documents and settings\masha\Рабочий стол\ComboFix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Symantec AntiVirus Corporate Edition *On-access scanning disabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\masha\Application Data\.#
c:\program files\The Bat!
c:\program files\The Bat!\bat_czh.tip
c:\program files\The Bat!\bat_dut.tip
c:\program files\The Bat!\bat_esp.tip
c:\program files\The Bat!\bat_fra.tip
c:\program files\The Bat!\bat_ger.tip
c:\program files\The Bat!\bat_pol.tip
c:\program files\The Bat!\bat_rom.tip
c:\program files\The Bat!\bat_rus.tip
c:\program files\The Bat!\bat_sky.tip
c:\program files\The Bat!\bat_srb.tip
c:\program files\The Bat!\bat_src.tip
c:\program files\The Bat!\bat_swe.tip
c:\program files\The Bat!\bat_ukr.tip
c:\program files\The Bat!\DelMSI.exe
c:\program files\The Bat!\Images\default.msl
c:\program files\The Bat!\Images\Default\42.gif
c:\program files\The Bat!\Images\Default\angel.gif
c:\program files\The Bat!\Images\Default\angry.gif
c:\program files\The Bat!\Images\Default\bag.gif
c:\program files\The Bat!\Images\Default\beer.gif
c:\program files\The Bat!\Images\Default\blink.gif
c:\program files\The Bat!\Images\Default\cat.gif
c:\program files\The Bat!\Images\Default\cheerful.gif
c:\program files\The Bat!\Images\Default\coffee.gif
c:\program files\The Bat!\Images\Default\cool.gif
c:\program files\The Bat!\Images\Default\crazy.gif
c:\program files\The Bat!\Images\Default\cry.gif
c:\program files\The Bat!\Images\Default\cwy.gif
c:\program files\The Bat!\Images\Default\devil.gif
c:\program files\The Bat!\Images\Default\dog.gif
c:\program files\The Bat!\Images\Default\getlost.gif
c:\program files\The Bat!\Images\Default\getlost2.gif
c:\program files\The Bat!\Images\Default\gift.gif
c:\program files\The Bat!\Images\Default\gpig.gif
c:\program files\The Bat!\Images\Default\grin.gif
c:\program files\The Bat!\Images\Default\gun.gif
c:\program files\The Bat!\Images\Default\h2g2.gif
c:\program files\The Bat!\Images\Default\happy.gif
c:\program files\The Bat!\Images\Default\headshot.gif
c:\program files\The Bat!\Images\Default\hmm.gif
c:\program files\The Bat!\Images\Default\hrhr.gif
c:\program files\The Bat!\Images\Default\kissing.gif
c:\program files\The Bat!\Images\Default\knifed.gif
c:\program files\The Bat!\Images\Default\laughing.gif
c:\program files\The Bat!\Images\Default\love.gif
c:\program files\The Bat!\Images\Default\lunch.gif
c:\program files\The Bat!\Images\Default\movie.gif
c:\program files\The Bat!\Images\Default\music.gif
c:\program files\The Bat!\Images\Default\no.gif
c:\program files\The Bat!\Images\Default\omg.gif
c:\program files\The Bat!\Images\Default\oops.gif
c:\program files\The Bat!\Images\Default\phone.gif
c:\program files\The Bat!\Images\Default\poo.gif
c:\program files\The Bat!\Images\Default\pouty.gif
c:\program files\The Bat!\Images\Default\sad.gif
c:\program files\The Bat!\Images\Default\shocked.gif
c:\program files\The Bat!\Images\Default\shower.gif
c:\program files\The Bat!\Images\Default\sick.gif
c:\program files\The Bat!\Images\Default\sideways.gif
c:\program files\The Bat!\Images\Default\smile.gif
c:\program files\The Bat!\Images\Default\stfu.gif
c:\program files\The Bat!\Images\Default\teeth.gif
c:\program files\The Bat!\Images\Default\tungue.gif
c:\program files\The Bat!\Images\Default\ufo.gif
c:\program files\The Bat!\Images\Default\vomit.gif
c:\program files\The Bat!\Images\Default\w00t.gif
c:\program files\The Bat!\Images\Default\weird.gif
c:\program files\The Bat!\Images\Default\whistle.gif
c:\program files\The Bat!\Images\Default\wink.gif
c:\program files\The Bat!\Images\Default\wtf.gif
c:\program files\The Bat!\Images\Default\yes.gif
c:\program files\The Bat!\Images\Default\zzz.gif
c:\program files\The Bat!\licence.txt
c:\program files\The Bat!\licence_pro.rtf
c:\program files\The Bat!\readme.txt
c:\program files\The Bat!\Speller\accent.tlx
c:\program files\The Bat!\Speller\correct.tlx
c:\program files\The Bat!\Speller\Ssceam.tlx
c:\program files\The Bat!\Speller\Ssceam2.clx
c:\program files\The Bat!\Speller\SSCEBR.tlx
c:\program files\The Bat!\Speller\sscebr12.clx
c:\program files\The Bat!\Speller\ssceda.tlx
c:\program files\The Bat!\Speller\ssceda2.clx
c:\program files\The Bat!\Speller\SSCEDU.tlx
c:\program files\The Bat!\Speller\SSCEDU2.clx
c:\program files\The Bat!\Speller\SSCEFI.tlx
c:\program files\The Bat!\Speller\SSCEFI2.clx
c:\program files\The Bat!\Speller\SSCEFR.tlx
c:\program files\The Bat!\Speller\SSCEFR2.clx
c:\program files\The Bat!\Speller\sscegn.tlx
c:\program files\The Bat!\Speller\sscegn2.clx
c:\program files\The Bat!\Speller\sscego.tlx
c:\program files\The Bat!\Speller\sscego2.clx
c:\program files\The Bat!\Speller\SSCEIT.tlx
c:\program files\The Bat!\Speller\SSCEIT2.clx
c:\program files\The Bat!\Speller\SSCENB.tlx
c:\program files\The Bat!\Speller\SSCENB2.clx
c:\program files\The Bat!\Speller\sscepb.tlx
c:\program files\The Bat!\Speller\SSCEPB2.CLX
c:\program files\The Bat!\Speller\SSCEPO.TLX
c:\program files\The Bat!\Speller\SSCEPO2.CLX
c:\program files\The Bat!\Speller\SSCESP.tlx
c:\program files\The Bat!\Speller\SSCESP2.clx
c:\program files\The Bat!\Speller\SSCESW.tlx
c:\program files\The Bat!\Speller\SSCESW2.clx
c:\program files\The Bat!\Speller\userdic.tlx
c:\program files\The Bat!\SSCE5132.dll
c:\program files\The Bat!\TBMapi.dll
c:\program files\The Bat!\The_bat.chm
c:\program files\The Bat!\thebat.exe
c:\program files\The Bat!\thebat.lng
c:\program files\The Bat!\thebat.tip

Topics:
1 and 2


Please correct this ComboFix false positive.
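The log above is the useful part of this report: the "Other Deletions" section lists every path removed, and the entry for c:\program files\The Bat! itself (not just files beneath it) shows the whole install directory went. The following is an added example, not part of the post and not ComboFix's own tooling, that pulls that section out of a log, counts deletions per install directory, and flags directories that were deleted outright, which is the pattern to send to the developer with the sample. It assumes only what the pasted log shows: section banners are lines beginning with "(((" and deletions are one absolute path per line. SAMPLE_LOG is a constructed excerpt of the log above with a made-up closing banner.

```python
r"""Triage a ComboFix log: what did "Other Deletions" remove, and from where?

Added example, not from the post or from ComboFix. Banner and path layout
are taken from the log pasted in the thread; SAMPLE_LOG is a constructed
excerpt of it with a made-up "Constructed Next Section" banner at the end.
"""
import re
from collections import Counter

SAMPLE_LOG = r"""
ComboFix 10-04-21.01 - Masha 22.04.2010   8:11.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.2.1251.7.1049.18.1015.471 [GMT 4:00]
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\masha\Application Data\.#
c:\program files\The Bat!
c:\program files\The Bat!\thebat.exe
c:\program files\The Bat!\TBMapi.dll
c:\program files\The Bat!\Speller\userdic.tlx

(((((((((((((((((((((((((((((((((((((((   Constructed Next Section   ))))))))))))))))))))))))))))))))))))))))))
.
"""

BANNER = "((("
PATH_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)


def section_lines(log_text: str, title: str) -> list:
    """Lines between the banner whose text contains `title` and the next banner."""
    out, inside = [], False
    for line in log_text.splitlines():
        if line.startswith(BANNER):
            if inside:
                break
            inside = title.lower() in line.lower()
            continue
        if inside:
            out.append(line.rstrip())
    return out


def deleted_paths(log_text: str) -> list:
    """Absolute paths listed under "Other Deletions"."""
    return [ln for ln in section_lines(log_text, "Other Deletions") if PATH_RE.match(ln)]


def program_key(path: str) -> str:
    r"""Fold a path to the install directory it belongs to (lower-cased).

    c:\program files\<App>\...  ->  c:\program files\<app>
    anything else               ->  its parent directory
    """
    parts = path.lower().split("\\")
    if len(parts) >= 3 and parts[1] in ("program files", "program files (x86)"):
        return "\\".join(parts[:3])
    return "\\".join(parts[:-1]) if len(parts) > 1 else parts[0]


def deletions_by_program(paths) -> dict:
    """How many deleted entries fall under each install directory."""
    return dict(Counter(program_key(p) for p in paths))


def removed_program_dirs(paths) -> list:
    r"""Install directories that were themselves deleted, not just files inside them.

    In the thread's log c:\program files\The Bat! appears as its own entry;
    that is the strongest sign an entire legitimate application was removed.
    """
    lowered = {p.lower() for p in paths}
    return sorted(k for k in set(map(program_key, paths)) if k in lowered)


if __name__ == "__main__":
    paths = deleted_paths(SAMPLE_LOG)
    for key, n in sorted(deletions_by_program(paths).items()):
        print(f"{n:4d}  {key}")
    print("install directories removed outright:", removed_program_dirs(paths))
```

Run against the full log in the post, the count for c:\program files\the bat! is the length of that block, and the directory itself is reported as removed; that one line, plus the thebat.exe sample, is what the developer needs to reproduce the detection.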

#11 Cristian Bonilla

  • Members

Posted 16 September 2011 - 03:23 PM

Hello. I have a .NET application called Netbus, installed using ClickOnce.

When I run ComboFix, it deletes my program installation.

What do I have to do to avoid this?

You are treating my application as a false positive.

Best regards, Cristian.

#12 sUBs

  • Malware Response Team

Posted 16 September 2011 - 10:41 PM

Cristian,

Please zip/upload the file/folder that was deleted. Also include the ComboFix log of the event.

#13 Cristian Bonilla

  • Members

Posted 26 September 2011 - 11:11 AM

> Cristian,
>
> Please zip/upload the file/folder that was deleted. Also include the ComboFix log of the event.


Thanks for your response.

I think you can check the situation easily:

1. Just download and install my ClickOnce application called 'Supervisor Netbus', using this link:

http://netbus.s3.amazonaws.com/AKIAIT52VGKA3GMUQKMQ/supervisor/supervisorNetBus.application

2. The installation creates a shortcut in the Windows menu (Datamining Systems/Supervisor Netbus Web)

3. Run ComboFix, and you will see my application disappear.

Best regards, Cristian

#14 sUBs

  • Malware Response Team

Posted 29 September 2011 - 01:46 PM

Apologies Cristian, I installed your app, but when I ran ComboFix it did not appear to touch any of the files.

Perhaps I made a mistake in the installation. Please refer to the list below and confirm that I have the full list of your files.

Spoiler


> Also include the ComboFix log of the event.
Your ComboFix log would be most helpful.

Edited by sUBs, 29 September 2011 - 01:46 PM.


#15 1dollarAPS

  • Members

Posted 25 September 2013 - 12:32 PM

We make a piece of software called USkeys2ES, and it is being reported as a virus.
Please let us know what to do to avoid the issue, or whether we have to submit the software to you.

Thanks in advance.
