Posted 14 January 2010 - 06:56 AM
I have had times when a virus was intercepted trying to get into my PC but, up to now, I've not had one inside my PC that could have run so this is a first for me.
On 8 Jan, Trojan-Downloader.Win32.Agent.cyzf was located on my PC by Kaspersky Internet Security 7 (KIS 7) as file cltest.exe (used by Power DVD to check the external DVD). This file has been on my PC for many years. At this time VirusList.com did not report this trojan.
I accepted the KIS instruction to delete it to the KIS backup together with two files in the Restore folder and then started a full scan of my PC.
The event log strangely reports KIS turned off for about 6 minutes. I do not think I turned it off.
I panicked because a similar trojan Agent.alby turns off KIS, captures screens and is a key-logger.
Early on 9 Jan, I reported everything to Kaspersky and sent the files and the GetSystemInfo (GSI) file.
I conducted a full computer scan followed by a rootkit scan and KIS reported no problems found.
However, it seemed that everything had slowed down so I was concerned that during the time KIS7 was off, the virus had established itself as a legitimate programme.
I could not get a quick answer to my GSI report, but I was "informed" that Combofix would tell me more. I followed the instructions on this site and ran Combofix and the report was produced. Apart from Combofix deleting three files, it all went as per your instructions. I did not make any changes to my PC and Combofix didn't tell me to do anything.
Only now, reading this forum, I realise I shouldn't have run Combofix. Can I now send the report so that someone can have a look please and tell me what it means?
I have run a CD with a .wmf file and it appears to work so not sure if the missing cltest.exe (that was deleted) file was doing anything.
Being wise after the event, it could be something as simple as cltest.exe giving a false positive. Because no one wants to give me the answer, I fear it is something worse?