dcjsdts

asked on

ComboFix shows BITS Possible infected sites update.pdfcomplete.com

Quite simply, why does ComboFix tell me this and why do I read on the Internet that several other folks experience the same result, but I find NOTHING on update.pdfcomplete.com?  I know what PDF complete is, we have McAfee product installed, also scanned with MS SystemSweeper, MBAM, and TDSSKiller, no results.  No results in Google searching on the result below.  MS-ISAC SOC reported this to us (a large organization) as "Outbound Trojan Activity" and also flagged this traffic as potential Trojan Banload activity:

So, my question is, I know PDF Complete is safe and so is the update URL, but why is Multi-State Information Sharing & Analysis Center (MS-ISAC) flagging this and why is ComboFix also defining this in its log as follows:

----- BITS: Possible infected sites -----

hxxp://update.pdfcomplete.com
rpggamergirl

If you know that the website is safe, there is nothing to worry about.

I assume ComboFix also showed the lines below in the log? Then that would explain it.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
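
An added example (not part of the thread and not ComboFix's own logic) of listing the URLs queued in the qmgr0.dat / qmgr1.dat BITS state files named above, so they can be compared against the hosts you expect. It assumes job URLs appear in those files as UTF-16LE strings; the sample bytes, URL paths, lookalike host and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Assumption: job URLs sit in qmgr*.dat as UTF-16LE text. This scans for such
# strings only; it does not parse the BITS job record layout.
_URL_UTF16 = re.compile(
    rb"[hH]\x00[tT]\x00[tT]\x00[pP]\x00(?:[sS]\x00)?:\x00/\x00/\x00"
    rb"(?:[\x21-\x7e]\x00)+"
)

def extract_bits_urls(blob):
    """Return unique http(s) URLs found as UTF-16LE strings, in file order."""
    seen, urls = set(), []
    for match in _URL_UTF16.finditer(blob):
        url = match.group().decode("utf-16-le")
        if url not in seen:
            seen.add(url)
            urls.append(url)
    return urls

def triage(urls, allowed_hosts):
    """Split URLs into (expected, review) by exact, case-insensitive host match.

    Exact matching matters: a substring test would accept a lookalike such as
    update.pdfcomplete.com.example.invalid.
    """
    allowed = {h.lower() for h in allowed_hosts}
    expected, review = [], []
    for url in urls:
        host = (urlsplit(url).hostname or "").lower()
        (expected if host in allowed else review).append(url)
    return expected, review

# Constructed sample bytes standing in for a queue file (not real qmgr data).
KNOWN = "http://update.pdfcomplete.com/constructed/path"
LOOKALIKE = "http://update.pdfcomplete.com.example.invalid/constructed"
SAMPLE = (
    b"\x13\xf7\x2b\x00" + KNOWN.encode("utf-16-le") + b"\x00\x00"
    + b"\xff\xfe\x01" + LOOKALIKE.encode("utf-16-le") + b"\x00\x00"
    + KNOWN.encode("utf-16-le") + b"\x00\x00"
)

if __name__ == "__main__":
    ok, review = triage(extract_bits_urls(SAMPLE), ["update.pdfcomplete.com"])
    print("expected:", ok)
    print("review:  ", review)
```

To run it against a real system, read a copy of each qmgr file in binary mode and pass the bytes to `extract_bits_urls`.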

dcjsdts

ASKER

I do believe this will be the Accepted solution, but can you tell me WHY qmgr0 & 1 are being detected by ComboFix and some other AV/Anti-malware products?  Is it a false positive and why?

Is there a Symantec, McAfee or Kaspersky article that explains this so we can proceed without worry?

PS: I did look myself but could not find any direct correlation.

Thanks!!
ASKER CERTIFIED SOLUTION
rpggamergirl