An Avast scan found the virus: C:\windows\system32\TFTP2160 win32:lovesan-D (Wrm). A search on this forum found nothing and Google did not come up with anything useful.
As recommended in your Sticky I submitted it to Jotti. 7 programs found something and 14 found nothing.
I also found a post in this forum by David R which recommended Virus Total. I submitted the file there and 18 programs found something whilst 23 found nothing.
What is the best way to interpret results like this?
Easy really: the detection is good, as this many detections limits the possibility of it being a false positive. If only one, two or even three detected something it could be an FP, but not so with larger numbers.
You didn’t give the full path and file name, as C:\windows\system32\TFTP2160 is a folder unless it is a file without a file type.
When you get no hits on a Google search for the file name, and that file is within the system32 folder (or a sub-folder), that in itself is suspicious in my opinion.
So you should allow avast to send it to the chest, if you haven’t done so already. There is no rush to delete anything from the chest, a protected area where it can do no harm. Anything that you send to the chest you should leave there for a few weeks. If after that time you have suffered no adverse effects from moving these to the chest, scan them again (inside the chest) and if they are still detected as viruses, delete them.
You might also want to run these tools to see if it had any friends that placed it there.
If you haven’t already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).
1. MalwareBytes Anti-Malware, on-demand only in the free version: http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe (right-click on the link and select Save As or Save File, depending on your browser, and save it to a location where you can find it easily later).
2. SUPERantispyware, on-demand only in the free version.
Don’t worry about reported tracking cookies; they are a minor issue and not one of security, but allow SAS to deal with them. See http://en.wikipedia.org/wiki/HTTP_cookie.
I run Malwarebytes and SuperAntispyware, and also Spybot, once a week or so - in fact I sometimes feel that I spend half my life protecting the damned PC!
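The detection-count reasoning in the reply above, worked through in code. This is an added example and not code from the forum thread or from Avast, Jotti or VirusTotal: it parses a multi-engine report, counts how many engines flagged the file, normalises the vendors' differing detection names to a family, and applies the "one to three hits could be an FP, many hits are not" rule. The report text, the engine names and the verdict strings are constructed for illustration, and the `ALIASES` table (mapping Lovsan, Msblast and Blaster to the Lovesan family) is an assumption the reader extends for their own case.

```python
"""
Added example, not code from the forum thread: interpret a multi-engine
scan report (Jotti / VirusTotal style) the way the reply above reasons,
by counting how many engines agree and which family they name.

The report below is CONSTRUCTED: engine names and detection strings are
illustrative and are not the poster's real results.
"""
import re
from collections import Counter

SAMPLE_REPORT = """\
Avast: Win32:Lovesan-D [Wrm]
AntiVir: Worm/Lovsan.D
BitDefender: Win32.Msblast.D
ClamAV: -
DrWeb: Win32.HLLW.LoveSan
F-Prot: -
Kaspersky: Net-Worm.Win32.Lovesan.d
McAfee: -
NOD32: Win32/Lovsan.D
Norman: -
Panda: -
Sophos: W32/Blaster-D
Symantec: -
VBA32: -
"""

# Platform / type tokens that carry no family information.
NOISE = {"win32", "w32", "worm", "net", "trojan", "hllw", "wrm", "generic"}

# Vendor names for one family (assumed table; extend as needed).
ALIASES = {"lovsan": "lovesan", "msblast": "lovesan", "blaster": "lovesan"}


def parse_report(text):
    """Return {engine: verdict or None}; '-' means the engine found nothing."""
    results = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        engine, verdict = line.split(":", 1)
        verdict = verdict.strip()
        results[engine.strip()] = None if verdict in ("", "-") else verdict
    return results


def family_of(verdict):
    """Reduce a vendor detection string to a normalised family name."""
    tokens = [t.lower() for t in re.findall(r"[A-Za-z0-9]+", verdict)]
    tokens = [t for t in tokens if len(t) > 2 and t not in NOISE]
    family = tokens[0] if tokens else "unknown"
    return ALIASES.get(family, family)


def summarize(results):
    """Count detections and tally which family the detecting engines name."""
    detected = {e: v for e, v in results.items() if v}
    families = Counter(family_of(v) for v in detected.values())
    return {
        "engines": len(results),
        "detections": len(detected),
        "families": families,
        "top_family": families.most_common(1)[0][0] if families else None,
    }


def assess(detections):
    """Rule of thumb from the reply: a handful of hits may be a false
    positive, many independent hits are not."""
    if detections == 0:
        return "clean"
    if detections <= 3:
        return "possible false positive"
    return "likely malicious"


if __name__ == "__main__":
    s = summarize(parse_report(SAMPLE_REPORT))
    print(f"{s['detections']}/{s['engines']} engines: {assess(s['detections'])}")
    print("families:", dict(s["families"]))
```

Counting families, not just hits, is the useful extra step: seven engines naming the same worm under four different vendor names is stronger evidence than seven unrelated generic verdicts, and a spread of unrelated names across a few engines is the pattern that more often turns out to be a false positive.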
The file itself is only 1 kB and Properties gives no clue. I guess I’d better just leave it in the Chest and see if some program ever complains that it’s missing. One of life’s little mysteries, I suppose.
I hope DavidR is right and these are remnants of an infection, and not signs of a Win32 Spybot infection.

TFTP [port 69] = Trivial File Transfer Protocol, used for uploading and downloading files to and from TFTP host servers, which do not restrict access. Block only for outbound (outgoing).

This is evidence of what is called an “autorouter” trojan. It probably came in through your RPC ports. This attack has already been seen against the vulnerability described in MS03-026.

You need to run your anti-virus and anti-spyware programs (MBAM & SAS) to identify this trojan and begin to remove it. But disconnect from the Internet immediately to prevent the hacker from accessing your machine from the Internet and possibly installing other trojans and malware. Once they are in and your machine “phones home”, the game is up, so move quickly. Worst case, you have to do a clean reinstall to rid all vestiges of programs that compromise your system security,
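The sequence the post describes, an inbound hit on an RPC port followed by the machine fetching something over TFTP, is something a Windows Firewall log can show. The following is an added example and not code from the forum thread: it parses the space-separated pfirewall.log record format, tags outbound UDP/69 requests and inbound TCP/135 connections from outside the LAN, and pairs the two when they involve the same remote host within a short window. The log lines are constructed for illustration; the LAN range 192.168.1.0/24, the choice of TCP 135 (the RPC endpoint mapper) as "the RPC port", and the 60-second window are assumptions.

```python
"""
Added example, not code from the forum thread: look through a Windows
Firewall log (pfirewall.log, one space-separated record per line) for
the sequence the post describes: an inbound connection on an RPC port
followed shortly by an outbound TFTP (UDP/69) request to the same host.

Assumptions: the LAN is 192.168.1.0/24, "RPC port" is taken to mean
TCP 135 (the endpoint mapper), and the log lines are CONSTRUCTED.
"""
import ipaddress
from datetime import datetime
from typing import NamedTuple

FIELDS = ("date time action protocol src-ip dst-ip src-port dst-port size "
          "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path").split()

LAN = ipaddress.ip_network("192.168.1.0/24")   # assumption
RPC_PORT = 135                                  # assumption: endpoint mapper
TFTP_PORT = 69

SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2009-03-15 10:20:58 ALLOW TCP 198.51.100.23 192.168.1.10 4444 135 - - - - - - - - RECEIVE
2009-03-15 10:21:05 ALLOW UDP 192.168.1.10 198.51.100.23 1034 69 - - - - - - - - SEND
2009-03-15 10:21:07 ALLOW TCP 192.168.1.10 203.0.113.9 1035 80 - - - - - - - - SEND
2009-03-15 10:22:11 DROP UDP 192.168.1.10 198.51.100.23 1036 69 - - - - - - - - SEND
2009-03-15 10:23:40 ALLOW TCP 192.168.1.20 192.168.1.10 2049 135 - - - - - - - - RECEIVE
"""


class Event(NamedTuple):
    when: datetime
    action: str
    proto: str
    src: str
    dst: str
    dport: int
    path: str   # SEND = outbound, RECEIVE = inbound


def parse_log(text):
    """Parse pfirewall.log records, skipping comment lines and malformed rows."""
    events = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue                     # malformed record
        rec = dict(zip(FIELDS, parts))
        dport = int(rec["dst-port"]) if rec["dst-port"].isdigit() else 0
        events.append(Event(
            datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S"),
            rec["action"], rec["protocol"], rec["src-ip"], rec["dst-ip"],
            dport, rec["path"]))
    return events


def find_suspicious(events):
    """Tag outbound TFTP and inbound RPC from outside the LAN. DROPped
    attempts are kept: a blocked TFTP fetch still means something on the
    host tried to pull a payload."""
    findings = []
    for e in events:
        if e.proto == "UDP" and e.path == "SEND" and e.dport == TFTP_PORT:
            findings.append(("outbound-tftp", e))
        elif (e.proto == "TCP" and e.path == "RECEIVE" and e.dport == RPC_PORT
              and ipaddress.ip_address(e.src) not in LAN):
            findings.append(("inbound-rpc", e))
    return findings


def correlate(findings, window=60):
    """Pair each external RPC connection with a TFTP request back to the
    same host within `window` seconds: the exploit-then-fetch pattern."""
    rpc = [e for k, e in findings if k == "inbound-rpc"]
    tftp = [e for k, e in findings if k == "outbound-tftp"]
    pairs = []
    for r in rpc:
        for t in tftp:
            delta = (t.when - r.when).total_seconds()
            if t.dst == r.src and 0 <= delta <= window:
                pairs.append((r, t))
    return pairs


if __name__ == "__main__":
    found = find_suspicious(parse_log(SAMPLE_LOG))
    for kind, e in found:
        print(f"{e.when} {kind:14} {e.action} {e.src} -> {e.dst}:{e.dport}")
    for r, t in correlate(found):
        print(f"exploit-then-fetch: {r.src} hit RPC at {r.when.time()}, "
              f"host fetched via TFTP at {t.when.time()}")
```

Logging has to be on for this to show anything (Windows Firewall does not log allowed connections by default), and a machine that was already talking to the remote host before the log starts will only show the outbound TFTP half; that half on its own, from a home PC that has no business fetching files over TFTP, is still worth acting on.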