
Is PEV.EXE a Combofix File ?


#1 AlanCB


  • Members
  • 8 posts
  • Local time:04:42 PM

Posted 03 November 2009 - 01:40 PM

I would greatly appreciate any help/advice on resolving on the following.

On 28 Aug 2009 I used Combofix to add the Recovery Console to the Boot Menu of my Toshiba Satellite Pro M70 laptop, which is running on Win XP Pro SP3.
(if necessary, refer to my previous post of 29 Aug 2009).

After adding the Recovery Console to the Boot Menu, I then uninstalled Combofix, and deleted all the Combofix entries in the Registry, but left 3 folders that are associated with Combofix in the root directory (Combofix, cmdcons & Qoobox).

Today I ran a full scan of the C: partition with SuperAntiSpyware, and it detected Trojan.Agent/Gen in 2 files:
C:\System Volume Information\-Restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP220\A0032428.EXE

So far I have not taken any action using SuperAntiSpyware to quarantine &/or remove the 2 files, because scans with Malwarebytes and my CA Antivirus V8.4 software did not detect the Trojan.Agent/Gen, and therefore I don't know whether the SAS detection is just a false positive.

I did a google search for PEV.EXE, and some of the results suggested that PEV.EXE is associated with Combofix.

I checked the properties of the PEV.EXE file, and in the General tab the info given is:

Type of File: Application
Size: 224 KB (229,376 bytes)
Size on Disk: 224 KB (229,376 bytes)
Created: 28 Aug 2009, 10:50:22
Modified: 23 Aug 2009, 03:09:13 ???

The Time Created (28/08/09, 10:50:22) of the PEV.EXE file is similar to the Times Created of the 3 Combofix-related folders:

Combofix - created 28/08/09 at 10:54
cmdcons - created 28/08/09 at 10:52
Qoobox - created 28/08/09 at 10:50

This would suggest that the PEV.EXE file is associated with Combofix. Is this correct ?

If yes, why is it being detected as Trojan.Agent/Gen ?

Can I safely delete it ?

Is the A0032428.EXE file also associated with Combofix ?

Thank you




#2 Blade


    Strong in the Bleepforce

  • Site Admin
  • 12,704 posts
  • Gender:Male
  • Location:US
  • Local time:08:42 AM

Posted 03 November 2009 - 02:13 PM

Unfortunately the author of the tool does not want information on how Combofix works on public forums. This is in order to safeguard and protect the integrity of the tool from malware writers. As such, the developer does not want his tool discussed outside of private forums and therefore we cannot answer specific questions. That's the decision by the creator and we will abide by that decision.
Please read Combofix's Disclaimer. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

The only public information that is available can be found at this guide:

How to use ComboFix


That being said, PEV.exe is safe for you to delete.

A0032428.EXE can be deleted by purging System Restore.

Disable and Enable System Restore. - You should disable and enable system restore to make sure there are no infected files found in a restore point. You can find instructions on how to disable and enable system restore here: Windows XP System Restore Guide or Windows Vista System Restore Guide

Re-enable system restore with instructions from tutorial above.


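The two checks the thread turns on can be scripted. The first post correlates the creation time of PEV.EXE with the creation times of the three Combofix folders; the second post points out that A0032428.EXE lives in a System Restore point and goes away when System Restore is purged. The Python below, which is an added example and not code from either poster or from the Combofix author, does both: it recognises the Windows XP restore-point path pattern (`\System Volume Information\_restore{GUID}\RPnnn\A00xxxxx.ext`, written with a leading `-Restore` in the post's listing, so both spellings are accepted) and tests whether a file's creation time falls inside the window in which the tool's folders were created. The timestamps are constructed from the post's own listing; the SHA-256 allowlist is a hypothetical placeholder to be filled from a copy of the tool obtained from its official source. One fact worth knowing when reading the post's "???": copying a file on Windows gives the copy a fresh creation time but keeps the original's last-modified time, so a modified date earlier than the created date is normal for a file dropped by an installer.

```python
"""Triage helpers for a file flagged by one scanner but not others.

Added example for this thread; not part of ComboFix or of either post.
Sample timestamps are constructed from the first post's listing.
"""
import hashlib
import re
from datetime import datetime, timedelta

# Windows XP System Restore copies changed files to
#   <drive>:\System Volume Information\_restore{GUID}\RPnnn\A00xxxxx.<ext>
# The post's listing shows "-Restore{", so both spellings are accepted.
RESTORE_POINT_RE = re.compile(
    r"^(?P<drive>[A-Za-z]):\\System Volume Information\\"
    r"[_-]restore\{(?P<guid>[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}\\"
    r"RP(?P<rp>\d+)\\(?P<name>A\d{7}\.[A-Za-z0-9]+)$",
    re.IGNORECASE,
)

# Constructed from the post: creation times of the three ComboFix folders.
TOOL_FOLDERS = {
    r"C:\Qoobox": datetime(2009, 8, 28, 10, 50),
    r"C:\cmdcons": datetime(2009, 8, 28, 10, 52),
    r"C:\Combofix": datetime(2009, 8, 28, 10, 54),
}
PEV_CREATED = datetime(2009, 8, 28, 10, 50, 22)   # from the post
PEV_MODIFIED = datetime(2009, 8, 23, 3, 9, 13)    # from the post

# Hypothetical allowlist: populate with hashes taken from a trusted copy.
KNOWN_GOOD_SHA256 = set()


def parse_restore_point_path(path):
    """Return drive/guid/rp/name for a restore-point copy, else None."""
    m = RESTORE_POINT_RE.match(path)
    if not m:
        return None
    info = m.groupdict()
    info["rp"] = int(info["rp"])
    return info


def within_install_window(file_created, tool_folders, tolerance=timedelta(minutes=10)):
    """True if file_created lies between the earliest and latest folder
    creation time of the tool, widened by `tolerance` on each side."""
    times = sorted(tool_folders.values())
    return times[0] - tolerance <= file_created <= times[-1] + tolerance


def sha256_hex(data):
    """SHA-256 of the file contents, for comparison against an allowlist."""
    return hashlib.sha256(data).hexdigest()


def triage(path, created, modified, data, tool_folders=TOOL_FOLDERS):
    """Combine the checks into one record a responder can act on."""
    digest = sha256_hex(data)
    return {
        "path": path,
        "restore_point": parse_restore_point_path(path),
        "in_install_window": within_install_window(created, tool_folders),
        # A copy gets a new creation time but keeps the source's modified time.
        "copied_in": modified < created,
        "sha256": digest,
        "hash_known_good": digest in KNOWN_GOOD_SHA256,
    }


if __name__ == "__main__":
    # Constructed stand-in for the file bytes; hash a real file with open(p, "rb").
    fake_bytes = b"MZ" + b"\x00" * 62
    for p in (r"C:\PEV.exe",
              r"C:\System Volume Information\-Restore{8CEF57C7-733C-4C48-BEA9-6DA51175C09C}\RP220\A0032428.EXE"):
        print(triage(p, PEV_CREATED, PEV_MODIFIED, fake_bytes))
```

A file that sits inside the tool's install window and whose modified time predates its creation time is consistent with having been dropped by that tool's installer; confirming it still needs a hash match against a copy from the tool's own download, which is why the allowlist is left for the reader to fill.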
