need help - rootkit attached to combofix?

I searched and couldn't find anything on this. I had two results turn up in my scan with errors and they couldn't be moved to the chest. They are both "Win32:Rootkit-gen [Rtk]" types.

The paths are:

C:\Documents and Settings\Owner\Desktop\Maintenance\Combofix.exe\dd.cfexe[Embedded#0a000]

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP745\A0064305.exe\dd.cfexe[Embedded#0a000]

Also, there was a listing of "C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP702\A0062458.exe\data1.pck" that couldn't be scanned because it's a "decompression bomb". Should I be worried about that?
Thanks for the help.

I used Jotti and these are the results for the combofix.exe:

Scan taken on 14 May 2008 23:35:34 (GMT)
A-Squared Found nothing
AntiVir Found APPL/NirCmd.3
ArcaVir Found Adware.Virtumonde.Afa
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found PUA.Nircmd
CPsecure Found Troj.W32.Shutdowner.cq
Dr.Web Found BATCH.Virus (probable variant)
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found Trojan.Win32.Autoit.D, Trojan-Downloader.Win32.Agent.aww
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found Application/NirCmd.A
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found Trojan.StartPage.20448

Thanks again for any help!

Hi

The first 2 are from ComboFix. One is in the program itself and the other is in a system restore point. You really shouldn't have ComboFix lying around. It's a tool to be used only when infected. Besides, it will expire in a few days.

The 3rd is a file/folder that, when uncompressed for scanning, will increase greatly in size. I wouldn't worry about it.

PS: the way ComboFix works, it does have trojan-like qualities.

Thanks for the info!

So I went ahead and deleted ComboFix and disabled my system restore. Should that solve the problems? Or is there something I need to do to fix the previous virus found in the system restore point?

The proper way to delete (remove) ComboFix is:

Click the Start button, click Run, copy and paste this into the Run box and click OK:

combofix /u

I'm not sure if it will work now, but give it a try. If you get a "not found" error, do this instead.

Open Windows Explorer and check the C:\ drive for the following:

c:\combofix.txt
c:\qoobox

Turning off system restore will remove all restore points, and turning it back on again will create a new one.

Great! So I delete those two ComboFix files, right? Sorry for the hassle. I just want to get this right.
Thanks again!

Yes.