I searched and couldn’t find anything on this. I had two results turn up in my scan with errors that couldn’t be moved to the chest. They are both “Win32:Rootkit-gen [Rtk]” types.
The paths are:
C:\Documents and Settings\Owner\Desktop\Maintenance\Combofix.exe\dd.cfexe[Embedded#0a000]
Also, there was a listing of “C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP702\A0062458.exe\data1.pck” that couldn’t be scanned because it’s a “decompression bomb”. Should I be worried about that?
Thanks for the help.
I used jotti and these are the results for the combofix.exe:
Scan taken on 14 May 2008 23:35:34 (GMT)
A-Squared Found nothing
AntiVir Found APPL/NirCmd.3
ArcaVir Found Adware.Virtumonde.Afa
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found PUA.Nircmd
CPsecure Found Troj.W32.Shutdowner.cq
Dr.Web Found BATCH.Virus (probable variant)
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found Trojan.Win32.Autoit.D, Trojan-Downloader.Win32.Agent.aww
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found Application/NirCmd.A
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found Trojan.StartPage.20448
The first 2 are from combofix. One is in the program itself and the other is in a system restore point. You really shouldn’t have combofix lying around. It’s a tool to be used only when infected. Besides, it will expire in a few days.
The 3rd is a file/folder that, when uncompressed for scanning, will increase greatly in size. I wouldn’t worry about it.
ps: the way combofix works, it does have trojan-like qualities.
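As an added illustration of the "decompression bomb" check described in the reply above (example code, not part of the original thread or any scanner's code): a scanner can flag an archive by reading only the declared sizes in its central directory, refusing to inflate anything whose uncompressed-to-compressed ratio or total size is implausible. The thresholds and the sample archive are assumed/constructed here; the member name "data1.pck" only echoes the path in the question.

```python
import io
import zipfile

# Assumed policy values, not taken from the thread or from any real product.
MAX_RATIO = 100                    # declared uncompressed bytes per compressed byte
MAX_TOTAL_BYTES = 256 * 1024 * 1024  # refuse to inflate more than this in total


def inspect_zip(data: bytes) -> dict:
    """Decide from header metadata alone whether a zip image looks like a
    decompression bomb. Nothing is inflated, so a hostile archive costs
    only the central-directory read. Declared sizes can be forged, so a
    real scanner also caps the bytes actually inflated; this check is the
    cheap first gate."""
    total_uncompressed = 0
    total_compressed = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            total_uncompressed += info.file_size
            total_compressed += info.compress_size
    ratio = total_uncompressed / max(total_compressed, 1)
    if total_uncompressed > MAX_TOTAL_BYTES:
        reason = "declared size exceeds inflate budget"
    elif ratio > MAX_RATIO:
        reason = "compression ratio too high"
    else:
        reason = "ok"
    return {
        "uncompressed": total_uncompressed,
        "compressed": total_compressed,
        "ratio": ratio,
        "flagged": reason != "ok",
        "reason": reason,
    }


def make_sample(name: str, payload: bytes) -> bytes:
    """Build a constructed in-memory zip holding one deflated member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    # 4 MiB of zeros deflates to a few KiB: a ~1000:1 ratio trips the gate.
    print(inspect_zip(make_sample("data1.pck", b"\0" * (4 * 1024 * 1024))))
    # Ordinary text compresses only a few times over and passes.
    print(inspect_zip(make_sample("readme.txt", b"hello world" * 10)))
```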
So I went ahead and deleted combofix and disabled my system restore. Should that solve the problems? Or is there something I need to do to fix the previous virus found in the system restore point?