Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Combofix infection?

  • Please log in to reply
2 replies to this topic

#1 sh4rkbyt3


  • Members
  • 419 posts
  • Gender:Male
  • Local time:06:51 PM

Posted 15 February 2011 - 02:59 AM

Recently while using the Combofix program I began to notice a trojan warning popping up on my system after downloading and using Combofix from the #1 link on bleepingcomputer.
I thought it might have possibly come in with another program or was erroneously detected but a friend of mine experienced the same thing using a different program and found the same thing on his computer after also downloading and using Combofix.
Mine is being reported by Emsisoft AntiMalware as follows:

Trojan-Ransom.Win32PinkBlocker!IK (underlined entire line)
Details: 1 files - high risk
- File: C:\Users\Virus\Desktop\rempu.exe/32788R22FWJFW\pevb.cfxxe

Virus is the name of my computer and rempu is the renamed version of the exe file for combofix.

If this is not the correct place to post I apologize but I thought someone might look into this. On my system I'm using Win 7 64bit and my friends system is Win XP 32bit. Two completely different systems showing the exact same infection multiple times.

BC AdBot (Login to Remove)


#2 Andrew


    Bleepin' Night Watchman

  • Moderator
  • 8,260 posts
  • Gender:Not Telling
  • Location:Right behind you
  • Local time:03:51 PM

Posted 15 February 2011 - 04:05 AM

Provided that you downloaded ComboFix from Bleeping Computer directly (and not from one of the rogue sites offering fake or ancient versions) then it's a false positive. Even genuine versions of the most up-to-date issue of ComboFix are likely going to trigger many security programs because it uses many tools and techniques that the bad guys also like to use.

That being said, you should not be using Combofix unless instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be "used under the guidance and supervision of an expert", NOT for general public or personal use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again. Please read Combofix's Disclaimer.

If you believe your computer might be infected, please review this topic and post a help request in the Am I Infected? What Do I Do? forum.is

#3 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 51,733 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:06:51 PM

Posted 15 February 2011 - 08:15 AM

To expand on what Andrew said, certain embedded files that are part of legitimate programs or specialized fix tools such as Combofix may at times be detected by some anti-virus and anti-malware scanners as a "Risk Tool", "Hacking Tool", "Potentially Unwanted Program", or even "Malware" (virus/trojan) when that is not the case. This occurs for a variety of reasons to include the tool's compiler, the files it uses, whether files are compressed or packed, what behavior it performs, any registry strings it may contain and the type of security engine that was used during the scan. Other legitimate files which may be obfuscated, encrypted or password protected in order to conceal itself so they do not allow access for scanning but often trigger alerts by anti-virus software.

Common detections of embedded files include process.exe, pev.exe, nircmd.exe and catchme.exe.

Such programs have legitimate uses in contexts where a Malware Removal Expert asked you to use the tool or when an authorized user/administrator has knowingly installed it. When flagged by an anti-virus or security scanner, it's because the program includes features, behavior or files that appear suspicious or which can potentially be used for malicious purposes. These detections do not necessarily mean the file is malware or a bad program.

It means it has the potential for being misused by others or that it was simply detected as suspicious or a threat due to the security program's heuristic analysis engine which provides the ability to detect possible new variants of malware. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them. In these cases the detection is a "false positive".

The problem is really with the anti-vendors who keep targeting these embedded files and NOT with ComboFix. We can inform the developer but he has encountered this issue before and in most cases there isn't much he can do about it.

IMPORTANT!: If you ran or want to run ComboFix on your own due to malware infection, please be aware that using it is only one part of the disinfection process. Preliminary scans from other tools like DDS, RSIT and GMER should be used first because they provide comprehensive logs with specific details about files, folders and registry keys which may have been modified by malware infection. Analysis of those logs allows planning an strategy for effective disinfection and a determination if using ComboFix is necessary.

Further, when issues arise due to complex malware infections, possible false detections, problems running ComboFix or with other security tools causing conflicts, experts are usually aware of them and can advise what should or should not be done while providing individual assistance. When false detections are identified, experts have access to the developer and can report them so he can investigate, confirm and make corrections. Those attempting to use ComboFix on their own do not have such information and are at risk when running the tool in an unsupervised environment as Andrew has indicated.

You may also want to read the pinned topic ComboFix usage, Questions, Help? - Look here.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users