ComboFix shows BITS Possible infected sites update.pdfcomplete.com

Quite simply, why does ComboFix tell me this and why do I read on the Internet that several other folks experience the same result, but I find NOTHING on update.pdfcomplete.com?  I know what PDF complete is, we have McAfee product installed, also scanned with MS SystemSweeper, MBAM, and TDSSKiller, no results.  No results in Google searching on the result below.  MS-ISAC SOC reported this to us (a large organization) as "Outbound Trojan Activity" and also flagged this traffic as potential Trojan Banload activity:

So, my question is, I know PDF Complete is safe and so is the update URL, but why is Multi-State Information Sharing & Analysis Center (MS-ISAC) flagging this and why is ComboFix also defining this in its log as follows:

----- BITS: Possible infected sites -----

hxxp://update.pdfcomplete.com
dcjsdts Asked:
rpggamergirl Commented:
If you know that the website is safe, there is nothing to worry about.

I assume ComboFix also showed the lines below in the log? Then that would explain it.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

0
dcjsdts Author Commented:
I do believe this will be the Accepted solution, but can you tell me WHY qmgr0 & 1 are being detected by ComboFix and some other AV/Anti-malware products?  Is it a false positive and why?

Is there a Symantec, McAfee or Kaspersky article that explains this so we can proceed without worry?

PS: I did look myself but could not find any direct correlation.

Thanks!!
0
rpggamergirl Commented:
Yes, it is a false positive.
ComboFix flags the qmgr0.dat and qmgr1.dat files if they contain http paths to sites other than microsoft.com or sites that ComboFix hasn't whitelisted yet.

So when that happens, legit sites will be listed under the:
 
----- BITS: Possible infected sites -----
0
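The check described in the answer above can be reproduced for triage. This is an added example, not ComboFix's code and not part of the original thread: it pulls URLs out of a BITS queue file (`qmgr0.dat` / `qmgr1.dat`) and lists hosts that fall outside an allowlist. The allowlist contents, the sample bytes, and the handling of both ASCII and UTF-16LE strings are assumptions made for illustration.

```python
import re
from pathlib import Path
from urllib.parse import urlsplit

# Assumed allowlist; the thread only says microsoft.com plus sites ComboFix has whitelisted.
ALLOWED_SUFFIXES = ("microsoft.com",)

_URL_CHARS = rb"[A-Za-z0-9\-._~:/?#@!$&'()*+,;=%]"
ASCII_URL = re.compile(rb"https?://" + _URL_CHARS + rb"{3,}", re.I)
# Assumption: strings may be stored as UTF-16LE, so every character is followed by a NUL byte.
UTF16_URL = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:" + _URL_CHARS + rb"\x00){3,}", re.I)

def extract_urls(blob: bytes) -> set[str]:
    """Return every http(s) URL found in the raw bytes, in either encoding."""
    urls = {m.group().decode("ascii") for m in ASCII_URL.finditer(blob)}
    urls |= {m.group().decode("utf-16-le") for m in UTF16_URL.finditer(blob)}
    return urls

def host_allowed(host: str, allowed) -> bool:
    """Match on a label boundary so look-alike hosts do not pass a substring test."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in allowed)

def unlisted_hosts(blob: bytes, allowed=ALLOWED_SUFFIXES) -> list[str]:
    """Hosts referenced in the queue data that are not covered by the allowlist."""
    hosts = {urlsplit(u).hostname or "" for u in extract_urls(blob)}
    return sorted(h for h in hosts if h and not host_allowed(h, allowed))

def scan_file(path: str, allowed=ALLOWED_SUFFIXES) -> list[str]:
    """Run the same check on a copy of qmgr0.dat / qmgr1.dat taken from the host."""
    return unlisted_hosts(Path(path).read_bytes(), allowed)

def _u16(s: str) -> bytes:
    return s.encode("utf-16-le")

# Constructed sample bytes (not a real queue file): two UTF-16LE URLs and one ASCII URL.
SAMPLE = (b"\x13\xf7\x2b\xc8" + _u16("http://update.pdfcomplete.com/check.xml")
          + b"\x00\x00\xff\xfe" + _u16("http://download.microsoft.com/a.cab")
          + b"\x00\x00" + b"https://microsoft.com.example.test/x\x00")

if __name__ == "__main__":
    print(unlisted_hosts(SAMPLE))
    # After reviewing the vendor's update host, add it to the allowlist and re-run.
    print(unlisted_hosts(SAMPLE, ALLOWED_SUFFIXES + ("pdfcomplete.com",)))
```

Any host this reports is only a lead: it means a BITS job referenced a site outside the allowlist, which is what a legitimate third-party updater also does.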
Question has a verified solution.