ComboFix shows BITS Possible infected sites update.pdfcomplete.com

Quite simply, why does ComboFix tell me this and why do I read on the Internet that several other folks experience the same result, but I find NOTHING on update.pdfcomplete.com?  I know what PDF complete is, we have McAfee product installed, also scanned with MS SystemSweeper, MBAM, and TDSSKiller, no results.  No results in Google searching on the result below.  MS-ISAC SOC reported this to us (a large organization) as "Outbound Trojan Activity" and also flagged this traffic as potential Trojan Banload activity:

So, my question is, I know PDF Complete is safe and so is the update URL, but why is Multi-State Information Sharing & Analysis Center (MS-ISAC) flagging this and why is ComboFix also defining this in its log as follows:

----- BITS: Possible infected sites -----

hxxp://update.pdfcomplete.com
Asked by: dcjsdts

1 Solution

rpggamergirl commented:
If you know that the website is safe, there is nothing to worry about.

I assume ComboFix also showed the lines below in the log? Then that would explain it.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat


dcjsdts (Author) commented:
I do believe this will be the Accepted solution, but can you tell me WHY qmgr0 & 1 are being detected by ComboFix and some other AV/Anti-malware products?  Is it a false positive and why?

Is there a Symantec, McAfee or Kaspersky article that explains this so we can proceed without worry?

PS: I did look myself but could not find any direct correlation.

Thanks!!

rpggamergirl commented:
Yes, it is a false positive.
ComboFix flags the qmgr0.dat and qmgr1.dat files if they contain http paths to sites other than microsoft.com or sites that ComboFix hasn't whitelisted yet.

So when that happens, legitimate sites will be listed under the:

----- BITS: Possible infected sites -----
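To make the explanation above concrete, here is an added triage script (written for this page, not ComboFix's code and not anything posted in the thread) that does the same kind of check ComboFix is described as doing: pull the URLs out of the BITS queue files (qmgr0.dat and qmgr1.dat under the Downloader folder named in the log) and sort them into "allowlisted" and "needs review". The allowlist here is an assumption with only two Microsoft hosts, the sample blob is constructed to mimic a queue file, and the script assumes URLs are stored as plain ASCII or UTF-16LE text. A URL landing in "review" means nothing more than "not on the list", which is exactly why a legitimate vendor update host gets reported.

```python
import re
from typing import Dict, List
from urllib.parse import urlparse

# Hosts treated as known-good. The answer above says ComboFix only passes
# microsoft.com plus its own unpublished whitelist; this short list is an
# assumption for the example and would be extended with update servers you
# have verified yourself (for instance a PDF Complete host, once vetted).
ALLOWED_SUFFIXES = ("microsoft.com", "windowsupdate.com")

# Constructed stand-in for the contents of qmgr0.dat: job records whose
# remote URLs sit as UTF-16LE strings between binary fields, plus one ASCII
# string. The real file layout is undocumented; the only assumption relied on
# is that URLs appear as contiguous ASCII or UTF-16LE text.
SAMPLE_QMGR = (
    b"\x00\x01\x02\x03"
    + "http://download.windowsupdate.com/msdownload/update/x.cab".encode("utf-16-le")
    + b"\x00\x00\xff\xfe"
    + "http://update.pdfcomplete.com/check".encode("utf-16-le")
    + b"\x00\x00"
    + b"http://www.microsoft.com/ascii-path.exe\x00"
)

URL_RE = re.compile(r"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")


def extract_urls(blob: bytes) -> List[str]:
    """Return every http(s) URL in the blob, scanning an ASCII and a UTF-16LE view."""
    found: List[str] = []
    for text in (blob.decode("ascii", errors="ignore"),
                 blob.decode("utf-16-le", errors="ignore")):
        found.extend(URL_RE.findall(text))
    seen = set()
    # de-duplicate while keeping first-seen order
    return [u for u in found if not (u in seen or seen.add(u))]


def is_allowed(url: str) -> bool:
    """Match the host by exact name or as a real subdomain; a lookalike
    such as microsoft.com.example.net must not pass."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES)


def triage(blob: bytes) -> Dict[str, List[str]]:
    """Split the URLs into 'allowed' and 'review'; 'review' means unvetted, not malicious."""
    report: Dict[str, List[str]] = {"allowed": [], "review": []}
    for url in extract_urls(blob):
        report["allowed" if is_allowed(url) else "review"].append(url)
    return report


def triage_file(path: str) -> Dict[str, List[str]]:
    """Run triage over a real queue file, e.g. the qmgr0.dat path from the log."""
    with open(path, "rb") as fh:
        return triage(fh.read())


if __name__ == "__main__":
    for bucket, urls in triage(SAMPLE_QMGR).items():
        for url in urls:
            print(f"{bucket:8} {url}")
```

Run against the constructed sample, the two Microsoft URLs land in "allowed" and the PDF Complete URL in "review", which reproduces the log entry in the question. On a live machine the supported way to see the same information is `bitsadmin /list /allusers /verbose` (or `Get-BitsTransfer -AllUsers` in PowerShell), which also shows which account created each job; a "review" hit is then resolved by confirming the job owner and the vendor behind the host, not by treating the entry as a detection.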