ComboFix shows BITS Possible infected sites

Posted on 2011-10-05
Last Modified: 2012-08-14
Quite simply, why does ComboFix tell me this and why do I read on the Internet that several other folks experience the same result, but I find NOTHING on  I know what PDF complete is, we have McAfee product installed, also scanned with MS SystemSweeper, MBAM, and TDSSKiller, no results.  No results in Google searching on the result below.  MS-ISAC SOC reported this to us (a large organization) as "Outbound Trojan Activity" and also flagged this traffic as potential Trojan Banload activity:

So, my question is, I know PDF Complete is safe and so is the update URL, but why is Multi-State Information Sharing & Analysis Center (MS-ISAC) flagging this and why is ComboFix also defining this in its log as follows:

----- BITS: Possible infected sites -----

Question by: dcjsdts
    LVL 47

    Expert Comment

    If you know that the website is safe, there is nothing to worry about.

    I assume ComboFix also showed the lines below in the log? Then that would explain it.

    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat


    Author Comment

    I do believe this will be the Accepted solution, but can you tell me WHY qmgr0 & 1 are being detected by ComboFix and some other AV/Anti-malware products? Is it a false positive and why?

    Is there a Symantec, McAfee or Kaspersky article that explains this so we can proceed without worry?

    PS: I did look myself but could not find any direct correlation.

    LVL 47

    Accepted Solution

    Yes, it is a false positive.
    ComboFix flags the qmgr0.dat and qmgr1.dat files if they contain http paths to sites other than or sites that combofix hasn't whitelisted yet.

    So when that happens, legit sites will be listed under the:
    ----- BITS: Possible infected sites -----
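The check the accepted answer describes, as an added example that is not part of this thread and not ComboFix's own code: a Python triage script that pulls the http(s) URLs out of a qmgr0.dat/qmgr1.dat-style BITS queue file and splits them into hosts on an allowlist and hosts a reviewer should confirm. The allowlist hosts and the sample bytes are constructed for the example; a real allowlist would hold the organisation's vetted update sources (such as the PDF Complete update URL from the question).

```python
import re
from urllib.parse import urlparse

# Assumed allowlist of vetted update hosts (constructed for this example).
ALLOWED_HOSTS = {"windowsupdate.com", "update.microsoft.com"}

# BITS job data is stored as UTF-16LE strings; scan for plain ASCII URLs as well.
_URL_ASCII = re.compile(rb"https?://[\x21-\x7e]+")
_URL_UTF16 = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+"
)


def extract_urls(blob):
    """Return the unique http(s) URLs found as ASCII or UTF-16LE strings in raw bytes."""
    found = [m.group(0).decode("ascii") for m in _URL_ASCII.finditer(blob)]
    found += [m.group(0).decode("utf-16-le") for m in _URL_UTF16.finditer(blob)]
    return sorted(set(found))


def host_allowed(url, allowed):
    """True if the URL's host is an allowlisted domain or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == a or host.endswith("." + a) for a in allowed)


def triage(blob, allowed=ALLOWED_HOSTS):
    """Split URLs into (allowed, needs_review), like the 'Possible infected sites' list."""
    urls = extract_urls(blob)
    ok = [u for u in urls if host_allowed(u, allowed)]
    review = [u for u in urls if not host_allowed(u, allowed)]
    return ok, review


def triage_file(path, allowed=ALLOWED_HOSTS):
    """Triage an on-disk qmgr*.dat file (read as raw bytes)."""
    with open(path, "rb") as f:
        return triage(f.read(), allowed)


# Constructed sample: a fake qmgr0.dat fragment with one Microsoft URL (UTF-16LE)
# and one third-party updater URL (ASCII); the .invalid TLD marks it as made up.
SAMPLE_QMGR = (
    b"\x00\x10junk" + "http://download.windowsupdate.com/x.cab".encode("utf-16-le")
    + b"\x00\x00\x7fpad" + b"http://update.example-vendor.invalid/pdfcomplete/up.xml\x00"
)

if __name__ == "__main__":
    allowed, needs_review = triage(SAMPLE_QMGR)
    print("allowed:", allowed)
    print("review :", needs_review)
```

A URL landing in the review list only means the host is not yet on your allowlist, which is exactly why a legitimate vendor updater shows up under the ComboFix heading.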
