
False positives


4 replies to this topic

#1 Scott Bolander (Members, 2 posts)

Posted 28 March 2010 - 11:04 AM

I love what combofix does along with some of the other programs used to remove malware. I don't know where else to post this, but here are some items that wrongly get removed by combofix during its cleaning process:

startup.exe
This is a great little utility that gives you control over what starts automatically on your computer.

It can be found here: http://www.mlin.net/StartupCPL.shtml

disktective.exe
This is an excellent utility that shows you via pie charts where your disk space is used.

It can be found here: http://www.disktective.com/

ipscan.exe
This is a nice ip scanner for scanning subnets for active computers.

It can be found here: http://www.radmin.com/download/

install.bat
This is the installer for xxcopy.exe

It can be found here: http://www.xxcopy.com

offbyone.exe
This is a very lightweight web browser

It can be found here: http://offbyone.com/offbyone/

suspend.exe
This is a process suspender

It can be found here: http://technet.microsoft.com/en-us/sysinte...s/bb897540.aspx

These are all part of a utilities package I load on all the computers I work on and are placed in the c:\windows\system32 directory.


Additionally, I just ran rkill.exe on my computer and it wrongly killed two processes:


C:\Program Files\No-IP\DUC20.exe (this is no-ip.com's dynamic dns updater)
C:\Program Files\VMware\VMware Server\tomcat\bin\Tomcat6.exe (this is the web server for VMWare server 2.0)

Please let me know if I have posted this in the wrong place.

Thanks for all you guys do.


#2 myrti (Malware Study Hall Admin, 33,766 posts)

Posted 28 March 2010 - 01:39 PM

Hi,

could you please provide a log from ComboFix where those files were deleted? Would it also be possible to get a sample of the package of files you unload on the PCs?

regards myrti



#3 Animal (Site Admin, 34,531 posts)

Posted 28 March 2010 - 02:31 PM

The author would like to verify the files that you have mentioned and compare how they were targeted by ComboFix. He requests that you look in C:\ComboFix\quarantine and upload the files to http://www.bleepingcomputer.com/submit-malware.php?channel=4. Please zip all the files considered legitimate that are in quarantine, and also include C:\combofix.txt in the zip file you upload. This will help the author verify and identify what was targeted. Thank you for your assistance in bringing this to our and the author's attention.

And yes you posted in the proper forum :thumbsup: .

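The packaging step requested in the post above, as an added example that is not part of the thread and not a BleepingComputer or ComboFix tool: it stages the quarantine folder and C:\combofix.txt (the two paths named in the reply), writes a SHA-256 manifest so the author can match each quarantined file against the original distribution regardless of what the file is called inside the quarantine, and zips the result. The staging directory, archive name and manifest name are assumptions; everything else is standard PowerShell 5.0 or later.

```powershell
# Added example, not from the forum thread. Packages ComboFix quarantine files
# plus C:\combofix.txt for a false-positive report. Paths $Quarantine and $Log
# come from the post; $Staging, $Archive and the manifest name are assumptions.
# Requires PowerShell 5.0+ (Compress-Archive, Get-FileHash).

$Quarantine = 'C:\ComboFix\quarantine'
$Log        = 'C:\combofix.txt'
$Staging    = Join-Path $env:TEMP 'fp-combofix'                   # assumed
$Archive    = Join-Path $env:USERPROFILE 'Desktop\fp-combofix.zip' # assumed

if (-not (Test-Path $Quarantine)) { throw "Quarantine folder not found: $Quarantine" }
if (-not (Test-Path $Log))        { throw "ComboFix log not found: $Log" }

# Start from an empty staging folder so stale files from an earlier run
# do not end up in the submission.
Remove-Item $Staging -Recurse -Force -ErrorAction SilentlyContinue
New-Item -ItemType Directory -Path $Staging | Out-Null

# Copy the quarantine contents and the log into the staging folder.
Copy-Item -Path (Join-Path $Quarantine '*') -Destination $Staging -Recurse -Force
Copy-Item -Path $Log -Destination $Staging

# SHA-256 manifest of every staged file, keyed by path relative to $Staging,
# so each submitted file can be identified by content rather than by name.
$ManifestPath = Join-Path $Staging 'manifest.sha256'
Get-ChildItem -Path $Staging -Recurse -File |
    ForEach-Object {
        $h = Get-FileHash -Path $_.FullName -Algorithm SHA256
        '{0}  {1}' -f $h.Hash, $_.FullName.Substring($Staging.Length + 1)
    } | Set-Content -Path $ManifestPath

# Zip the staging folder; -Force overwrites an earlier archive of the same name.
Compress-Archive -Path (Join-Path $Staging '*') -DestinationPath $Archive -Force

Write-Host "Wrote $Archive"
Get-Content -Path $ManifestPath
```

Run it from an elevated PowerShell prompt if the quarantine folder is not readable by a standard user, then upload the resulting zip at the submission URL given in the reply. The manifest is included inside the archive, so the author receives the hashes alongside the files.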

#4 Grinler (Lawrence Abrams, Admin, 43,461 posts)

Posted 02 April 2010 - 12:35 PM

The Rkill FPs have been resolved. Thanks for alerting us.

#5 Scott Bolander (Topic Starter, Members, 2 posts)

Posted 02 April 2010 - 12:59 PM

> The author would like to verify the files that you have mentioned and compare how they were targeted by ComboFix. He requests that you look in C:\ComboFix\quarantine and upload the files to http://www.bleepingcomputer.com/submit-malware.php?channel=4. Please zip all the files considered legitimate that are in quarantine, and also include C:\combofix.txt in the zip file you upload. This will help the author verify and identify what was targeted. Thank you for your assistance in bringing this to our and the author's attention.
>
> And yes you posted in the proper forum :thumbsup: .


Thanks for responding. I have done as you asked; I uploaded fp-combofix.zip which included my combofix.txt and the affected files.

Additionally, the whole package I use (that includes these files) can be had at: http://www.getwithme.com/utils.exe



