
Trojan.ADH - combofix.exe

Created: 16 Apr 2010 • Updated: 19 Oct 2010 | 14 comments

Anyone else seeing a bunch of detections of combofix.exe as a trojan, specifically Trojan.ADH, this morning? Combofix has been on some users' PCs for a while after techs were cleaning up infections, and this morning SEP is detecting it as a trojan.


Fatih Teke:

Hello
Where did you download combofix from?

Best Regards.
Fatih

 Everything works better when everything works together.

blenahan:

Not sure, it wasn't me. A bunch of our techs have it on their thumb drives and such to clean up users' machines.

 

_________________________________________________________________

Please remember to mark the thread 'SOLVED' with the answer that most helped you by choosing 'Mark As Solution' on the applicable answer

blenahan:

Ok, I just accessed the version I have on my thumb drive and SEP deleted it right away. This was one I got from the Combofix site in the past. I just went back to Combofix's site and redownloaded it and SEP does not delete this one, so evidently there is an MD5 hash detecting an older version of Combofix as malicious?

 


smartmoney:

This started showing up for me as well. It referenced a fsa_setup.exe file. I don't even know what that was.

Fatih Teke:

I am not sure that SEP looked at the MD5. I think it is looking inside the code; therefore the old version doesn't have any trojan.

Regards.
Fatih


.Brian:

I am seeing a few Trojan.ADH infections, although the executable that was caught and deleted was called 2003.exe, so it is unlikely it was combofix.

Please click the "Mark as solution" link at bottom left on the post that best answers your question. This will benefit admins looking for a solution to the same problem.

bboyle:

I frequently use Combofix and only download it from Bleepingcomputer.com. There may be other sites with bad versions out there. Some viruses also attempt to compromise combofix and other tools. I would remove combofix and download it again from a safe site if needed.

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

blenahan:

I get it from bleepingcomputer.com too. It detected the existing version I had on my thumb drive and deleted it. Went back to bleepingcomputer.com and downloaded the latest and it did not detect this one as a threat. All the techs here that use Combofix are having the copies that are on their desktops detected too, so it appears to be one particular version of Combofix. That's why I thought it might have the older MD5 as a threat.

 

_________________________________________________________________

Please remember to mark the thread 'SOLVED' with the answer that most helped you by choosing 'Mark As Solution' on the applicable answer
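The open question in the two posts above is whether the thumb-drive copy and the freshly downloaded copy are actually the same file. Hashing both copies settles that before anyone speculates about whether the signature keys on a hash or on code inside the binary: if the digests match, both verdicts came from the same bytes and the difference lies in definitions or settings; if they differ, the flagged copy is a different build and is the one to submit to the vendor as a sample. The script below is an added example, not code from the thread or from Symantec; the two files it creates are constructed placeholders standing in for the old and new copies, not real ComboFix binaries.

```python
import hashlib
import os
import shutil
import tempfile


def file_digests(path, chunk_size=1 << 20):
    """Return {'md5': ..., 'sha256': ...} for a file, hashing it in chunks
    so a large binary is not read into memory at once. MD5 is included
    because that is what the poster suspects the signature keys on;
    SHA-256 is what a sample submission or a reputation lookup wants."""
    hashes = {"md5": hashlib.md5(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashes.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}


def compare_copies(detected_path, fresh_path):
    """'identical' if the flagged copy and the reference copy are the same
    bytes, 'different' otherwise. Identical bytes with different verdicts
    means the difference is in definitions or client settings, not the file."""
    same = file_digests(detected_path) == file_digests(fresh_path)
    return "identical" if same else "different"


def demo():
    """Constructed stand-ins for the thumb-drive copy and the fresh download.
    The contents are placeholder bytes, not real ComboFix builds."""
    tmp = tempfile.mkdtemp()
    try:
        old = os.path.join(tmp, "ComboFix_thumbdrive.exe")
        new = os.path.join(tmp, "ComboFix_fresh.exe")
        with open(old, "wb") as fh:
            fh.write(b"MZ" + b"old build" * 64)
        with open(new, "wb") as fh:
            fh.write(b"MZ" + b"new build" * 64)
        # Old vs. new differ; old vs. itself is identical.
        return compare_copies(old, new), compare_copies(old, old)
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    print(demo())  # ('different', 'identical')
```

In practice you would point `compare_copies` at the quarantined item (restored to a folder excluded from scanning) and at the fresh download, and record both digests with the detection date and definitions revision in the false-positive submission.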

The Bearded Mammal:

I just got a Trojan.ADH hit on file "ConExec.exe" in "D:\Program Files\ConTEXT" folder.

Here is the full message:

IRS - Virus/Risk/Threat Detection Alert
 
Scan type:  Scheduled Scan
Event:  Security Risk Found!
Risk: Trojan.ADH
File:  D:\Program Files\ConTEXT\ConExec.exe
Location:  D:\Program Files\ConTEXT
Computer:  XXX007VV2897848
User:  DDXXX\ABCDEFG
Action taken:  Cleaned by Deletion
Date found: Monday, April 19, 2010  10:33:45 AM

Then I got a second hit, on a folder that is part of the Windows XP Operating System:

IRS - Virus/Risk/Threat Detection Alert
 
Scan type:  Scheduled Scan
Event:  Security Risk Found!
Risk: Trojan.ADH
File:  D:\System Volume Information\_restore{BA7406F1-08EC-49C7-BFEC-92674959F597}\RP320\A0055303.exe
Location:  D:\System Volume Information\_restore{BA7406F1-08EC-49C7-BFEC-92674959F597}\RP320
Computer:  XXX007VV2897848
User:  DDXXX\ABCDEFG
Action taken:  Cleaned by Deletion
Date found: Monday, April 19, 2010  10:34:49 AM

This second hit is especially bizarre, since it represents an XP "Restore Point" that is supposed to be totally inaccessible to users - only the OS can access these folders.

As for the first hit: the ConTEXT application was NOT downloaded or installed anytime recently. It is a version of the ConTEXT editor from an originating download that is at least nine years old. It was carried over to my current IRS PC from my previous PC on June 5, 2008, and to that PC from its predecessor PC back about 2003. All the ConTEXT executables still in the folder are dated either 7/9/2001 or 7/17/2001. So this is an ancient version of ConTEXT that has been living happily inside the IRS Firewall since about 2001.

So did this Trojan file come from a 2001 download that has been lying dormant inside the IRS firewall for 9 years, waiting for Symantec Antivirus to suddenly find it now, in 2010?

Not unless you believe "Flash Forward" is reality TV, not Sci-Fi. 

Maybe something just infected this folder with a bogus executable with a name that seems remarkably similar to legitimate ConTEXT files? But how? This PC has been powered off since last Wednesday, it gets a full scan every week, I NEVER download any executables from the Internet, and I don't even do much browsing outside the IRS Firewall, so I think the chances of that are Slim and None - and Slim just left town.

My suspicion is that both of these hits are bogus - something in these files is triggering a corrupted virus signature in the latest Symantec Antivirus signature file. My current Virus Definitions File is "4/18/2010 rev. 2", in case that helps anyone figure out what this means.

Thanks to anyone who can help,

Walter
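The two alerts quoted above are in the plain "Key: Value" format the SAV/SEP alert e-mails use, and the second one sits under System Volume Information\_restore{...}\RPnnn, which is where Windows XP System Restore keeps its own copies of executables that were changed or removed, so a hit there normally mirrors a hit on the original file elsewhere on the disk. When a definitions update produces a wave of such alerts across many hosts, parsing them and grouping by risk name, file name and host (with restore-point copies counted separately) shows quickly whether one definition is firing on one legitimate program everywhere. The script below is an added example, not part of the thread or of any Symantec tooling; the three alert bodies it parses are constructed from the format quoted above, with hypothetical host and user names, and the third body is an invented second host reporting the same file.

```python
import re
from collections import defaultdict

# Field names that appear in the alert bodies quoted in the thread.
ALERT_FIELDS = ("Scan type", "Event", "Risk", "File", "Location",
                "Computer", "User", "Action taken", "Date found")

FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s+(.*?)\s*$")
HEADER_RE = re.compile(r"(?m)^.*Virus/Risk/Threat Detection Alert[ \t]*$")
# XP System Restore copies live under <drive>:\System Volume Information\_restore{GUID}\RPnnn\
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{[^}]+\}\\RP\d+\\", re.I)

# Constructed sample: two bodies modelled on the alerts quoted above plus a
# hypothetical third host (HOST-B) reporting the same file.
SAMPLE_ALERTS = r"""IRS - Virus/Risk/Threat Detection Alert

Scan type:  Scheduled Scan
Event:  Security Risk Found!
Risk: Trojan.ADH
File:  D:\Program Files\ConTEXT\ConExec.exe
Location:  D:\Program Files\ConTEXT
Computer:  HOST-A
User:  DOMAIN\user1
Action taken:  Cleaned by Deletion
Date found: Monday, April 19, 2010  10:33:45 AM

IRS - Virus/Risk/Threat Detection Alert

Scan type:  Scheduled Scan
Event:  Security Risk Found!
Risk: Trojan.ADH
File:  D:\System Volume Information\_restore{BA7406F1-08EC-49C7-BFEC-92674959F597}\RP320\A0055303.exe
Location:  D:\System Volume Information\_restore{BA7406F1-08EC-49C7-BFEC-92674959F597}\RP320
Computer:  HOST-A
User:  DOMAIN\user1
Action taken:  Cleaned by Deletion
Date found: Monday, April 19, 2010  10:34:49 AM

IRS - Virus/Risk/Threat Detection Alert

Scan type:  Scheduled Scan
Event:  Security Risk Found!
Risk: Trojan.ADH
File:  C:\Program Files\ConTEXT\ConExec.exe
Computer:  HOST-B
User:  DOMAIN\user2
Action taken:  Quarantined
Date found: Monday, April 19, 2010  11:02:10 AM
"""


def parse_alert(body):
    """Parse one alert body into a dict of the known fields."""
    alert = {}
    for line in body.splitlines():
        m = FIELD_RE.match(line)
        if m and m.group(1) in ALERT_FIELDS:
            alert[m.group(1)] = m.group(2)
    return alert


def split_alerts(text):
    """Split a mailbox dump on the alert header and parse each body."""
    bodies = HEADER_RE.split(text)
    return [parse_alert(b) for b in bodies if "Risk:" in b]


def is_restore_point_copy(path):
    """True if the flagged path is a System Restore copy, not the installed file."""
    return bool(RESTORE_RE.search(path))


def triage(alerts):
    """Group detections by risk name and file basename, listing the distinct
    hosts per file; restore-point copies are counted per risk instead, since
    they duplicate a hit on the original. Returns (summary, restore_hits)."""
    summary = defaultdict(lambda: defaultdict(set))
    restore_hits = defaultdict(int)
    for a in alerts:
        risk, path = a.get("Risk", "?"), a.get("File", "")
        if is_restore_point_copy(path):
            restore_hits[risk] += 1
            continue
        basename = path.rsplit("\\", 1)[-1].lower()
        summary[risk][basename].add(a.get("Computer", "?"))
    plain = {risk: {name: sorted(hosts) for name, hosts in files.items()}
             for risk, files in summary.items()}
    return plain, dict(restore_hits)


if __name__ == "__main__":
    summary, restore = triage(split_alerts(SAMPLE_ALERTS))
    for risk, files in summary.items():
        for name, hosts in files.items():
            print(f"{risk}: {name} on {len(hosts)} host(s): {', '.join(hosts)}")
    print("restore-point copies:", restore)
```

A single risk name hitting the same program name on many hosts, with matching restore-point copies, is the pattern to take to the vendor together with the definitions revision (here "4/18/2010 rev. 2") and the file digests.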
 

Fatih Teke:

Hello.

I received your message, but please post your questions in here, because everybody can see and answer you :)
Are you using SEP or Norton Antivirus?
Best Regards.
Fatih


The Bearded Mammal:

I am sure it must be SEP.

NAV is for home users, this is a Corporate account with over 100,000 PCs protected.

Virus signatures are updated from our own Symantec Antivirus servers.

Symantec AntiVirus tray icon says

Symantec AntiVirus

General Information
Parent Server: xxxxxxxxxxxxxxx
Client group:  Workstations
Quarantine: 0 Items

Program Versions
Program: 10.1.5.5010
Scan engine: 91.2.1.10

Virus Definitions File
Version: 4/18/2010 rev. 2

blenahan:

That is SAV Corporate Edition 10.1.5

 

_________________________________________________________________

Please remember to mark the thread 'SOLVED' with the answer that most helped you by choosing 'Mark As Solution' on the applicable answer

blenahan:

We are now having legitimate files being removed from users' computers. We have several people that use a product called AcroPlot. There is an EXE as part of the program called CADzWebReg.exe located in c:\Program Files\AcroPlot. This file is being quarantined. Other than adding this file to the exceptions list, is there anything that can be done to stop this file from being detected, or at least, can we find out why it is being detected?

 

_________________________________________________________________

Please remember to mark the thread 'SOLVED' with the answer that most helped you by choosing 'Mark As Solution' on the applicable answer

thatdude:

Too bad there isn't a way to exclude a particular signature within the set instead of waiting for legitimate files to be flagged.