DragonMaster Jay

ComboFix detected as Rootkit.Agent


Malwarebytes log detects legitimate ComboFix file Combo-Fix.sys as Rootkit.Agent.

Malwarebytes' Anti-Malware 1.42

Database version: 3414

Windows 5.1.2600 Service Pack 2

Internet Explorer 6.0.2900.2180

12/23/2009 8:03:16 AM

mbam-log-2009-12-23 (08-03-16).txt

Scan type: Full Scan (C:\|)

Objects scanned: 158288

Time elapsed: 26 minute(s), 5 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\commy12953c\Combo-Fix.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

====

Having the user run developer mode now.


Funny but it never gets hit on my desktop and I scan every update on the test box.


Hello DragonMaster Jay

Not being hit here either, have user update MBAM and run another scan.

Present DB version is 3418, user's log is showing DB ver. 3414

Hello DragonMaster Jay

Not being hit here either, have user update MBAM and run another scan.

Present DB version is 3418, user's log is showing DB ver. 3414

I've got scan logs for each update back a few days and it's not detected on any of those either.

I suspect it's a partial heuristic hit.

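The reply above gives the standard first step for a suspected false positive: the user's log is on database 3414 while the current database is 3418, so update and rescan before trusting the hit, and only then submit the sample with a developer-mode log (which carries the file's MD5). Below is an added Python helper, not code from this thread or from Malwarebytes, that parses the MBAM 1.4x log layout posted here and applies that order of decisions. The two log excerpts are constructed from the thread's own logs, trimmed to the fields the triage needs; the field names and the "current database" value are passed in as assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpts in the layout of the MBAM 1.4x logs posted in this thread.
LOG_STALE_DB = """Malwarebytes' Anti-Malware 1.42

Database version: 3414

Scan type: Full Scan (C:\\|)

Files Infected: 1

Files Infected:

C:\\commy12953c\\Combo-Fix.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
"""

LOG_DEV_MODE = """Malwarebytes' Anti-Malware 1.42

Database version: 3418

Scan type: Quick Scan

Files Infected: 1

Files Infected:

C:\\Documents and Settings\\Kenny\\Desktop\\Combo-Fix.sys (Rootkit.Agent) -> No action taken. [b94F82EBC6D8EF27F0846A8D63ECA472]
"""


@dataclass
class Detection:
    path: str
    name: str            # detection name, e.g. Rootkit.Agent
    action: str          # what MBAM did with the file
    md5: Optional[str]   # only present in developer-mode logs


DB_RE = re.compile(r"^Database version:\s*(\d+)\s*$", re.MULTILINE)
COUNT_RE = re.compile(r"^Files Infected:\s*(\d+)\s*$", re.MULTILINE)
# <drive>:\<path> (<name>) -> <action>. [<md5>]   (the bracketed hash is optional)
DET_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?) \((?P<name>[^()]+)\) -> "
    r"(?P<action>[^\[\n]+?)\.(?: \[(?P<md5>[0-9A-Fa-f]{32})\])?\s*$",
    re.MULTILINE,
)


def parse_db_version(log: str) -> Optional[int]:
    m = DB_RE.search(log)
    return int(m.group(1)) if m else None


def parse_detections(log: str) -> List[Detection]:
    found = [Detection(m["path"], m["name"], m["action"].strip(), m["md5"])
             for m in DET_RE.finditer(log)]
    # The summary count must agree with the detail lines; a mismatch means the
    # log was truncated or pasted incompletely, so do not triage from it.
    c = COUNT_RE.search(log)
    if c and int(c.group(1)) != len(found):
        raise ValueError(f"summary lists {c.group(1)} file(s) but {len(found)} parsed")
    return found


def triage(log: str, current_db: int) -> dict:
    """Next step for a suspected false positive, in the thread's order:
    no detection -> clean; stale database -> update and rescan before believing
    the hit; reproduces on the current database -> leave the file quarantined
    and submit the sample plus a developer-mode log (with MD5) for review."""
    db = parse_db_version(log)
    detections = parse_detections(log)
    stale = db is None or db < current_db
    if not detections:
        step = "clean"
    elif stale:
        step = "update-and-rescan"
    else:
        step = "submit-sample"
    return {"db_version": db, "stale": stale, "detections": detections, "next_step": step}


if __name__ == "__main__":
    for label, log in (("stale", LOG_STALE_DB), ("dev-mode", LOG_DEV_MODE)):
        r = triage(log, current_db=3418)   # 3418 is the current DB named in the thread
        print(label, r["db_version"], r["next_step"], [d.md5 for d in r["detections"]])
```

The count check matters in practice: a log pasted without its detail section would otherwise triage as "clean" and the false-positive question would be closed without ever verifying the file.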

It's not actually ComboFix.exe that's being detected. It's the little Combo-Fix.sys file inside the ComboFix.exe archive that MBAM is picking up. And, because of the way that ComboFix is supposed to be used, I'm not even sure it's worth going to the trouble of fixing it. Anyway, here's the file and a developer's log.

Malwarebytes' Anti-Malware 1.42

Database version: 3418

Windows 5.1.2600 Service Pack 3

Internet Explorer 7.0.5730.13

23/12/2009 22:49:54

mbam-log-2009-12-23 (22-49-42).txt

Scan type: Quick Scan

Objects scanned: 119116

Time elapsed: 8 minute(s), 6 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\Kenny\Desktop\Combo-Fix.sys (Rootkit.Agent) -> No action taken. [b94F82EBC6D8EF27F0846A8D63ECA472]

Combo_Fix.zip

Filealyzer_Report.zip


Thanks, sUBs, and nosirrah. Thanks to TeMerc, Marktreq, and sho-dan.

This has happened before, I concur: http://www.malwarebytes.org/forums/index.php?showtopic=30690

Heuristic is most likely correct.

The user being helped replied with a Dev-mode log, with nothing found:

Malwarebytes' Anti-Malware 1.42

Database version: 3414

Windows 5.1.2600 Service Pack 2

Internet Explorer 6.0.2900.2180

12/23/2009 6:35:22 PM

mbam-log-2009-12-23 (18-35-22).txt

Scan type: Full Scan (C:\|)

Objects scanned: 158240

Time elapsed: 35 minute(s), 38 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


Detected again?

Malwarebytes' Anti-Malware 1.44

Databasversion: 3520

Windows 6.0.6002 Service Pack 2

Internet Explorer 8.0.6001.18865

2010-01-09 12:27:26

mbam-log-2010-01-09 (12-27-26).txt

Skanningstyp: Fullst
