
Using ComboFix for first time which removed false positives

2 replies to this topic

#1 hdowns


  • Members
  • 4 posts
  • Local time:06:07 PM

Posted 10 December 2010 - 06:30 AM

Hi, Without dispute to the sensitive nature of the use of the ComboFix tool and to responsibly use the tool in my own business to support client issues of repair, I have never had issues with the use of the program. I take to heart all of the guidance on the site herein without need to further inquire on how to use the program. I can safely state, with having 15 years in business for myself and having 22 yrs of experience in a fortune 100 company doing same, the confidence factor of performing these steps for malware removal beyond the chance that utilities like Malwarebytes A/M; above and beyond the misled filtering that Symantec Endpoint Protection did stop a mere percentage of the actual damage, using the ComboFix tool with again the same confidence, I ran into the first instance of a false positive removal of files which have been on my system without issue for the last four years. The programs that are tethered to the removal of certain files are not in question and are valid. The concern I have is that they were removed by ComboFix and for this instance of running the program, ComboFix performed a bit too clean. And in this instance, ComboFix had tripped up removing files that for the last four years had never been filtered out as a potential issue. I respect the information in the disclaimer and use thereof and as well take note of the actual permission on use of the program, but in my business, I am confident and self reliant and do not hold any other parties responsible for potential damage. I take precautionary steps with myself and my clients for data backup etc., so when I am compelled to the actual need of using ComboFix, it is only after thorough review of all facets to include HijackThis and the other aforementioned utilities.

In a brief catchup of a post most disturbing of an arrogance not exhibited on this site before and ignorance of not recognizing a real problem of needed review, I had posted the below post into the wrong forum. I apologize for the rattling I received from the responder, a user named DC out of the top layer Windows XP forum. But I believe in fairness a user like this should pause briefly and read through the actual need of the post put forth. Replying to a post as such gives bad tidings for the real professionalism that is supposed to be transcended through the BleepingComputer website and the token implied professionalism throughout the entire web.

By the way, I do follow a code of ethics not only in my business, but even for my own PCs. I utilize Symantec Endpoint Protection, Norton Ghost for imaging backups of my system and periodic review of deeper scanning with tools like Malwarebytes A/M when I notice that Symantec blocked something and I need to further investigate any potential damage. And recognizing that if there is any rootkit/insecure issue found or similar damage potential, I further use ComboFix with the highest confidence and always a good result in removing left over hooked damage. This time however was different. I have never run into this and possibly the developers should take advantage herein and note these false positives that ComboFix proceeded to process in error.

Here below is the initial post of concern:

Hi, I am wondering how I can post either through this forum topic or another forum what occurred in use of ComboFix tonight. I had an issue with hitting a site on Google which was for parts information on a LaserJet and I can't remember the site name as it was removed quickly after I got a security alert from Symantec Endpoint Protection of an HTTP redirect. At that point I disabled the LAN connection and quickly ran CCleaner, and then did a Malwarebytes A/M quick scan. I was not surprised to see a bunch of Trojan.bho that were loaded. On cleanup, I sent Symantec a report that, of the items which SEP purported to filter out, damage from these was still implemented. Malwarebytes A/M did trap all 17 items, of which all were deleted from the system. I then flushed system restore and then emptied my Recovery Console, not the Recycle Bin, of which Executive Software's package manages that now. What I am concerned about though is that when I followed up with use of ComboFix, this time and only for the first time, tonight, ComboFix automatically deleted several items which are safe and needed for various programs. First of all here is a text copy of direct deletions:
2010-09-30 02:40:50 . 2010-07-31 00:53:11 9,480 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Harry Downs\My Documents\Readiris.DUS.vir
2010-09-30 02:32:08 . 2009-09-04 06:39:43 12,393 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Harry Downs\Favorites\HP_Chat_Session_4_Sep_2009_2_39.html.vir
2010-09-30 02:28:13 . 2005-05-26 21:58:33 6,144 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Harry Downs\Favorites\Thumbs.db.vir
2009-10-13 06:32:23 . 2005-01-27 00:11:52 53,248 ----a-w- C:\Qoobox\Quarantine\C\Undelete.exe.vir
2001-10-04 15:24:52 . 2001-10-04 15:24:52 1,272,320 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\System\msxml4.dll.vir
2001-10-04 15:20:54 . 2001-10-04 15:20:54 82,944 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\System\msxml4r.dll.vir

I had to restore the files. Readiris.DUS is a control file for the ReadIris scanner software package, then the chat log file link I had with an HP tech on a business issue, then a program undelete.exe which is a DOS based undelete program which I still use from time to time, and then the two msxml4 and msxml4r dll files which are used by Norton Password Manager 2004. Without the respective files in place, my startup was out of whack and thus for the immediate need, Readiris did not function, nor did the startup of Norton Password Manager, producing Visual C++ runtime errors. I restored these, but how can I report this so proper feedback can get to the developers of the great program ComboFix? One more thing, it is a great tool to use and has helped me as well as my business clients from time to time. As for the ComboFix files that were removed falsely, once I put those files back in and removed the .vir extension, the next immediate re-boot was cured and everything was working again. Thank you very much!!!

I do hope this will give some insight for further future use of the great tool namely ComboFix. Thank you in advance for consideration to review this post.
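The quarantine listing in the post above follows a fixed layout: two timestamps, a size, an attribute string, and the quarantined path under C:\Qoobox\Quarantine\, where the first folder after Quarantine is the original drive letter and the file carries a .vir suffix. The parser below is an added example written for this thread, not a tool from ComboFix or BleepingComputer. It turns each listing line into a restore plan (quarantined path to original path) without touching any file, and flags entries that would land under the Windows system directory so an operator looks at those first. The listing does not say which of the two timestamps is modification time and which is creation time, so the parser keeps both without naming them; the column meaning is an assumption left open.

```python
import re
from typing import NamedTuple, Optional

# Sample input: the six quarantine lines copied from the post above.
QUARANTINE_LISTING = r"""
2010-09-30 02:40:50 . 2010-07-31 00:53:11 9,480 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Harry Downs\My Documents\Readiris.DUS.vir
2010-09-30 02:32:08 . 2009-09-04 06:39:43 12,393 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Harry Downs\Favorites\HP_Chat_Session_4_Sep_2009_2_39.html.vir
2010-09-30 02:28:13 . 2005-05-26 21:58:33 6,144 ----a-w- C:\Qoobox\Quarantine\C\Documents and Settings\Harry Downs\Favorites\Thumbs.db.vir
2009-10-13 06:32:23 . 2005-01-27 00:11:52 53,248 ----a-w- C:\Qoobox\Quarantine\C\Undelete.exe.vir
2001-10-04 15:24:52 . 2001-10-04 15:24:52 1,272,320 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\System\msxml4.dll.vir
2001-10-04 15:20:54 . 2001-10-04 15:20:54 82,944 ----a-w- C:\Qoobox\Quarantine\C\WINDOWS\system32\System\msxml4r.dll.vir
"""

# One listing line: "<ts1> . <ts2> <size> <attrs> <path>". The size uses thousands separators.
LINE_RE = re.compile(
    r"^(?P<ts1>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \. "
    r"(?P<ts2>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<size>[\d,]+) (?P<attrs>\S+) (?P<path>.+)$"
)

# Quarantine layout as seen in the listing (assumed, not documented here):
# <drive>:\Qoobox\Quarantine\<original drive letter>\<original relative path>.vir
QUARANTINE_RE = re.compile(
    r"^[A-Za-z]:\\Qoobox\\Quarantine\\(?P<drive>[A-Za-z])\\(?P<rest>.+)\.vir$"
)


class QuarantinedFile(NamedTuple):
    ts1: str          # first timestamp column, meaning not stated in the listing
    ts2: str          # second timestamp column, meaning not stated in the listing
    size: int         # file size in bytes
    attrs: str        # attribute string, e.g. ----a-w-
    quarantined: str  # path of the .vir copy inside C:\Qoobox\Quarantine
    original: str     # path the file was removed from


def original_path(quarantine_path: str) -> Optional[str]:
    """Map a .vir quarantine path back to the location it was taken from."""
    m = QUARANTINE_RE.match(quarantine_path)
    if m is None:
        return None
    return f"{m.group('drive').upper()}:\\{m.group('rest')}"


def parse_line(line: str) -> Optional[QuarantinedFile]:
    """Parse one listing line; return None for lines that do not fit the layout."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    original = original_path(m.group("path"))
    if original is None:
        return None
    return QuarantinedFile(
        ts1=m.group("ts1"),
        ts2=m.group("ts2"),
        size=int(m.group("size").replace(",", "")),
        attrs=m.group("attrs"),
        quarantined=m.group("path"),
        original=original,
    )


def parse_listing(text: str) -> list:
    """Parse a whole pasted listing, skipping blank and malformed lines."""
    entries = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            entries.append(entry)
    return entries


def needs_review(original: str) -> bool:
    """Flag restores into the Windows system directory for a second look."""
    return re.search(r"\\windows\\system32\\", original, re.IGNORECASE) is not None


def restore_plan(entries: list) -> list:
    """Build (quarantined, original, review) triples; nothing is moved or copied."""
    return [(e.quarantined, e.original, needs_review(e.original)) for e in entries]


if __name__ == "__main__":
    for quarantined, original, review in restore_plan(parse_listing(QUARANTINE_LISTING)):
        marker = "REVIEW " if review else "       "
        print(f"{marker}{quarantined}\n        -> {original}")
```

Running the block prints the six planned restores; the two msxml DLLs under WINDOWS\system32 come out marked REVIEW, which is where a false-positive claim is worth confirming against a known-good copy before the file is put back and the .vir suffix dropped, as the poster did by hand.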



#2 Elise


    Bleepin' Blonde

  • Malware Study Hall Admin
  • 61,669 posts
  • Gender:Female
  • Location:Romania
  • Local time:01:07 AM

Posted 11 December 2010 - 04:47 AM

Hi hdowns, since you do not have an actual malware issue, I have moved this topic to a more appropriate forum.

As with any antimalware tool, ComboFix gets updated constantly. For this reason, it is possible, as you experienced, that it has not detected those files for years and now targets them. Unfortunately, as with every tool, ComboFix also detects the occasional false positive (this is due to advanced detection mechanisms that are refined on a regular basis). Those files are obviously legit. ComboFix saves copies of any deleted item, whether it is in the registry or a file, so things can always get restored.

On the other hand, as was also mentioned in your other topic, ComboFix is a very powerful tool. It is recommended to use it only under guidance; if you do not do that, you risk doing damage to a system. Of course, if you feel confident you can resolve possible complications, that is quite okay.

Regards, Elise

"Now faith is the substance of things hoped for, the evidence of things not seen."




Malware analyst @ Emsisoft



#3 Grinler


    Lawrence Abrams

  • Admin
  • 43,718 posts
  • Gender:Male
  • Location:USA
  • Local time:06:07 PM

Posted 11 December 2010 - 06:33 PM

Hi hdowns, thank you for reporting the false positive. I have notified the developer of this topic so he can review the files that are being removed. I will let you know if we need any samples.

Thanks again.
