I ran into an issue with a user's computer. Initially, he was experiencing problems with the computer running slow. A previous technician diagnosed the issue and decided to run Combofix to clear any issues that might be causing this. However, in running Combofix, the files in the folder C:/windows/csc folder/d6 or %systemroot%/csc folder/d6 were treated as malware and moved to C:/Qoobox/Quarantine/C/Windows/csc folder/d6 and renamed with the extension .vir. In doing so, the user has lost some of his data. Although the data represents files on a share drive on a server, in syncing the share drive's files in order to make them available offline, some of those files were lost. Well, at least that's how it seems as the user's files seemed to have disappeared around the same time Combofix was run.
We've tried a system restore to the day BEFORE Combofix was run to no avail. We've also tried to use batch file renaming programs as we made copies of the files in the Quarantine in order to get them out of quarantine and rename them without the .vir extension, put them back in their original folder and resync, but that did not work. The Windows resynchronization process reports that some of the files can't be restored because the user is not connected to the server, even though he is. Nonetheless, after that attempt, the files that were missing are still missing.
The files themselves vary from Excel spreadsheets to Word documents. The scan was performed on 11/28/11, but the last-edited dates of the files are about 11/12-11/27 or so.
Also, I spoke to an expert on Experts-Exchange who suggested finding and running an "erdnt.exe" file in one of two directories:
Oddly enough, these .exe's did not exist. The files are still in Quarantine and I also have a backup of the quarantined files in a different directory. I also have the Combofix log attached for further clarification. The OS is Windows XP Service Pack 3.
Any assistance would be appreciated. Thank you for your time.