Jump to content

Persistent Worm - Help is appreciated!

Recommended Posts

Hi, I'm posting this because MBAM found "Trojan.FakeAlert" on my PC. Additionally, I recently had one my gmail accounts hacked by a possible keylogger, and I'm not sure where it could be located. My PC has felt infected for the last few weeks and I'm not sure why, as my online behaviors are pretty much the same.

I followed the instructions on this forum for producing a full report. What follows is the text from a recent MBAM scan, then a DDS report. I've also attached the "ark.txt" and "attach.txt" files in the .zip format (I used GMER version - as the newer version froze my PC). Finally, tea-timer, a program I use for real-time scanning purposes found a "NoDriveTypeAutoRun" registry adjustment, which is possibly suspicious, but might be due to the Defogger program. I've included the screen-shot of this event for analysis as well.

I appreciate sincerely all of the help and I'm strongly considering purchasing the MBAM professional version, based on the clear guidance that is offered on this forum. Thank You!



Malwarebytes' Anti-Malware 1.46


Database version: 4052

Windows 5.1.2600 Service Pack 2

Internet Explorer 6.0.2900.2180

5/6/2010 3:37:43 PM

mbam-log-2010-05-06 (15-37-43).txt

Scan type: Full scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|)

Objects scanned: 270358

Time elapsed: 1 hour(s), 3 minute(s), 43 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP1083\A0131908.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.



DDS (Ver_10-03-17.01) - NTFSx86

Run by Owner at 23:07:11.26 on Thu 05/06/2010

Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_20

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.503.85 [GMT -7:00]

AV: Sunbelt VIPRE *On-access scanning enabled* (Updated) {964FCE60-0B18-4D30-ADD6-EB178909041C}

FW: Sunbelt VIPRE *enabled* {FF1CD5B7-1553-4625-A258-1775385CED33}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch


C:\WINDOWS\System32\svchost.exe -k netsvcs






C:\Program Files\Digital Media Reader\shwiconem.exe



C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Unlocker\UnlockerAssistant.exe

C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe

C:\Program Files\Lexmark 5600-6600 Series\lxdumon.exe


C:\Program Files\Lexmark 5600-6600 Series\lxduMsdMon.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe


C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Java\jre6\bin\jqs.exe


C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\WINDOWS\System32\svchost.exe -k HPZ12

C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe

C:\Program Files\Sunbelt Software\VIPRE\SBPIMSvc.exe

C:\WINDOWS\system32\svchost.exe -k imgsvc






C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uSearch Bar = hxxp://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sb/*http://www.yahoo.com/search/ie.html

uSearch Page = hxxp://us.rd.yahoo.com/customize/ycomp_adbe/defaults/sp/*http://www.yahoo.com

mDefault_Page_URL = hxxp://www.gateway.com

uInternet Settings,ProxyServer = http=

BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll

BHO: {53707962-6F74-2D53-2644-206D7942484F} - No File

BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - No File

BHO: Lexmark Printable Web: {d2c5e510-be6d-42cc-9f61-e4f939078474} - c:\program files\lexmark printable web\bho.dll

BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll

BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe

uRun: [spybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe

mRun: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe

mRun: [CHotkey] zHotkey.exe

mRun: [sunKistEM] c:\program files\digital media reader\shwiconem.exe

mRun: [soundMan] SOUNDMAN.EXE

mRun: [AlcWzrd] ALCWZRD.EXE

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRun: [QuickCare] c:\program files\qwest\quickcare\bin\sprtcmd.exe /P QUICKCARE

mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"

mRun: [unlockerAssistant] "c:\program files\unlocker\UnlockerAssistant.exe"

mRun: [sBAMTray] "c:\program files\sunbelt software\vipre\SBAMTray.exe"

mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime

mRun: [lxdumon.exe] "c:\program files\lexmark 5600-6600 series\lxdumon.exe"

mRun: [lxduamon] "c:\program files\lexmark 5600-6600 series\lxduamon.exe"

IE: &AOL Toolbar search - c:\program files\aol toolbar\toolbar.dll/SEARCH.HTML

IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office12\EXCEL.EXE/3000

IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE}

IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe

IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~4\office12\ONBttnIE.dll

IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office12\REFIEBAR.DLL

DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204

DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} - hxxps://signup.msn.com/pages/MsnInstC.cab

DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - hxxp://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab

DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://by114fd.bay114.hotmail.msn.com/resources/MsnPUpld.cab

DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1137735952303

DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab


DPF: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_20-windows-i586.cab

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll

Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.dll

Notify: igfxcui - igfxsrvc.dll

SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL

LSA: Notification Packages = :\windows\system32\srr

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\hepng2xl.default\

FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/

FF - plugin: c:\documents and settings\owner\local settings\application data\yahoo!\browserplus\2.4.21\plugins\npybrowserplus_2.4.21.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll

FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll

FF - plugin: c:\program files\opera\program\plugins\np_gp.dll

FF - plugin: c:\program files\opera\program\plugins\npjpi160_11.dll

FF - plugin: c:\program files\opera\program\plugins\npoji610.dll

FF - plugin: c:\program files\opera\program\plugins\NPTURNMED.dll

FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}

FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}


c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pr

ef", true);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.renego_unrestricted_hosts", "");

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.treat_unsafe_negotiation_as_broken", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl.require_safe_negotiation", false);

c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\sasdifsv.sys [2010-2-17 12872]

R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2010-2-17 66632]

R1 sbaphd;sbaphd;c:\windows\system32\drivers\sbaphd.sys [2010-3-23 13400]

R1 SbFw;SbFw;c:\windows\system32\drivers\SbFw.sys [2010-3-22 322904]

R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [2009-10-13 95024]

R1 SbTis;SbTis;c:\windows\system32\drivers\sbtis.sys [2010-3-22 204632]

R2 lxdu_device;lxdu_device;c:\windows\system32\lxducoms.exe -service --> c:\windows\system32\lxducoms.exe -service [?]

R2 SBAMSvc;VIPRE Antivirus Premium;c:\program files\sunbelt software\vipre\SBAMSvc.exe [2010-3-11 2726000]

R2 sbapifs;sbapifs;c:\windows\system32\drivers\sbapifs.sys [2010-3-23 69720]

R2 SbHips;sbhips;c:\windows\system32\drivers\sbhips.sys [2010-3-22 86104]

R2 SBPIMSvc;SB Recovery Service;c:\program files\sunbelt software\vipre\SBPIMSvc.exe [2010-3-11 181584]

R3 SBFWIMCL;Sunbelt Software Firewall NDIS IM Filter Miniport;c:\windows\system32\drivers\SbFwIm.sys [2010-3-17 67800]

S2 lxduCATSCustConnectService;lxduCATSCustConnectService;c:\windows\system32\spool\drivers\w32x86\3\lxduserv.exe [2010-4-22 98984]

S2 navapsvc;Norton AntiVirus Auto Protect Service;"c:\program files\norton antivirus\navapsvc.exe" --> c:\program files\norton antivirus\navapsvc.exe [?]

S3 FirebirdServerMAGIXInstance;Firebird Server - MAGIX Instance;c:\program files\magix\common\database\bin\fbserver.exe [2009-11-7 1527900]

S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2010-2-3 19712]

S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2010-2-3 8320]

S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2008-6-27 42752]

S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2010-2-3 23936]

S3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2010-2-17 12872]

=============== Created Last 30 ================

2010-05-07 05:53:55 0 ----a-w- c:\documents and settings\owner\defogger_reenable

2010-04-23 06:49:45 0 d-----w- c:\docume~1\alluse~1\applic~1\Lexmark 5600-6600 Series

2010-04-23 06:49:17 0 d-----w- c:\docume~1\owner\applic~1\Lexmark Productivity Studio

2010-04-22 18:39:22 0 d-----w- c:\documents and settings\all users\Lx_cats

2010-04-22 18:38:45 9600 -c--a-w- c:\windows\system32\dllcache\hidusb.sys

2010-04-22 18:38:45 9600 ----a-w- c:\windows\system32\drivers\hidusb.sys

2010-04-22 18:30:47 0 d-----w- C:\logs

2010-04-22 18:30:20 40960 ----a-w- c:\windows\system32\lxduvs.dll

2010-04-22 18:30:17 360448 ----a-w- c:\windows\system32\lxducoin.dll

2010-04-22 18:30:08 61218 ----a-w- c:\windows\system32\lxduprpr.chm

2010-04-22 18:29:05 87040 -c--a-w- c:\windows\system32\dllcache\wiafbdrv.dll

2010-04-22 18:29:05 87040 ----a-w- c:\windows\system32\wiafbdrv.dll

2010-04-22 18:28:06 81920 ----a-w- c:\windows\system32\lxducaps.dll

2010-04-22 18:28:05 69632 ----a-w- c:\windows\system32\lxducnv4.dll

2010-04-22 18:28:05 1036288 ----a-w- c:\windows\system32\lxdudrs.dll

2010-04-22 18:27:05 0 d-----w- c:\program files\Abbyy FineReader 6.0 Sprint

2010-04-22 18:26:15 0 d-----w- c:\program files\Lexmark Tools for Office

2010-04-22 18:24:54 0 d-----w- c:\program files\Lexmark Toolbar

2010-04-22 18:24:38 0 d-----w- c:\program files\Lexmark Printable Web

2010-04-22 18:24:33 44 ----a-w- c:\windows\system32\lxdurwrd.ini

2010-04-22 18:24:28 352256 ----a-w- c:\windows\system32\LXDUwupd.dll

2010-04-22 18:24:28 17064 ----a-w- c:\windows\system32\LXDUwupd.exe

2010-04-22 18:22:24 0 d-----w- c:\program files\Lexmark 5600-6600 Series

2010-04-21 05:14:10 411368 ----a-w- c:\windows\system32\deployJava1.dll

==================== Find3M ====================

2010-04-29 22:39:38 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2010-04-29 22:39:26 20952 ----a-w- c:\windows\system32\drivers\mbam.sys

2010-03-12 01:03:04 27984 ----a-w- c:\windows\system32\sbbd.exe

2010-03-11 21:49:08 86104 ----a-w- c:\windows\system32\drivers\sbhips.sys

2010-03-11 21:49:08 322904 ----a-w- c:\windows\system32\drivers\SbFw.sys

2010-03-11 21:49:08 204632 ----a-w- c:\windows\system32\drivers\sbtis.sys

============= FINISH: 23:10:43.78 ===============



Link to post
Share on other sites

Hi counselorgene And


My main concern is to look for a keyloger. So lets to a Kaspersky scan. Since your PC has the latest Java 20 installed.

TFC(Temp File Cleaner

Generally tools like TFC are created to assist us with malware removal by removing a lot of junk files, so our security tools will have less to scan, thus speed things up. It may also help to remove some types of malware which may be lurking in temp/user account folders. Then we'll run Kaspersky Online Scanner.... :)

TFC(Temp File Cleaner):

  • Please download TFC to your desktop,
  • Save any unsaved work. TFC will close all open application windows.
  • Double-click TFC.exe to run the program.
  • If prompted, click "Yes" to reboot.

Note: Save your work. TFC will automatically close any open programs, let it run uninterrupted. It shouldn't take longer take a couple of minutes, and may only take a few seconds. Only if needed will you be prompted to reboot.


Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Click Accept, when prompted to download and install the program files and database of malware definitions.

  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.


To optimize scanning time and produce a more sensible report for review:

  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

Link to post
Share on other sites

Hi Kenny, Thanks a lot for your help. I worked the whole day and I'm currently in the process of doing the Kaspersky scan. Please don't think I've forgotten to get back to you. Once the scan finishes (it's been going for 2+ hours at this point) I will get back to you with the report. For now I do want to also tell you that another of my gmail accounts got hacked. It may be a keylogger or something else on my PC - I simply don't know.

I've attached two screen-shots to this post: screen-shot #1 features the IP of someone who logged into my gmail from Russia in the last 10 Hours (as recorded by my gmail account). I live in Arizona so I don't have any idea who would have logged in from Russia. Next (in screen-shot #2), I used TraceIP to trace the Russian IP and got some results; perhaps you can give me some guidance on what to do, once you see the screen shots. I will post the Kaspersky report as soon as it's done.

Thank you again!



Link to post
Share on other sites

Hi Kenny,

Here's what happened: I couldn't get the Kaspersky online scanner to work, so I downloaded a free trial version. of Kaspersky internet security. It didn't really find anything (the screenshot of the results is attached). I do have some PC tools such as ZEROCMOS on my PC, which I bought from bootdisk.com, in the past. These did come up and I'm sure they are false positives.

When I ran the ESET scanner it appeared that it found some interesting results. Several other files were marked as bad and I think one of them might be a key-logger. The results are attached in a .txt file. Please take a look and thank you again. I'd like to track and destroy this thing.


- Gene


Link to post
Share on other sites

Yeah this PC was hacked. We'll take care of it..... :blink:

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper.


  1. Download ComboFix from below:
    Combofix download
    * IMPORTANT !!! Place combofix.exe on your Desktop
  2. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.
    You can get help on disabling your protection programs here
  3. Double click on combofix.exe & follow the prompts.
  4. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.
    The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.
    With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.
    Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.
    ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.
    Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:
    The Recovery Console was successfully installed.
    Click on Yes, to continue scanning for malware.
  5. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
  6. When finished, it shall produce a log for you. Post that log in your next reply
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  7. Ensure your AntiVirus and AntiSpyware applications are re-enabled.

Link to post
Share on other sites

Hi Kenny,

I did all these things, but nothing really went as expected. ComboxFix didn't run on my system and simply restarted my PC every time I ran it. I tried in Safe Mode and it worked. I also didn't have the XP recovery console the first time I ran the program. I got the console and ran it again, and this gave me a new report. Finally, I couldn't get on the internet after all of this was done, so I did a system restore to just before I downloaded ComboFix, and was able to get on. I downloaded again and ran through the process in Safe Mode. I was able to get on the internet with a simple restart (I'm pretty darn tired, so it must not have occurred to me before). The latest ComboFix report is attached (named Combo3), please let me know where we go next. I have also attached the other two reports (named Combo1 and Combo2), just in case you'd want to take a look.

Thank you again for your immense help!




Link to post
Share on other sites

Lets run Dr.Web CureIt, it's great to use for Keyloggers. But run it just one time OK counselorgene........ :blink:

Please download to your Desktop: Dr.Web CureIt

  • After the file has downloaded, disable your current Anti-Virus and disconnect from the Internet
  • Doubleclick the drweb-cureit.exe file, then click the Start button, then the OK button to perform an Express Scan.
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it.
  • Once the short scan has finished, Click on the Complete scan radio button.
  • Then click on the Settings menu on top, the select Change Settings or press the F9 key. You can also change the Language
  • Choose the Scanning tab and I recomend leaving the Heuristic analysis enabled (this can lead to False Positives though)
  • On the File types tab ensure you select All files
  • Click on the Actions tab and set the following:
    • Objects Infected objects = Cure, Incurable objects = Move, Suspicious objects = Report
    • Infected packages Archive = Move, E-mails = Report, Containers = Move
    • Malware Adware = Move, Dialers = Move, Jokes = Move, Riskware = Move, Hacktools = Move
    • Do not change the Rename extension - default is: #??
    • Leave the default save path for Moved files here: %USERPROFILE%\DoctorWeb\Quarantine\
    • Leave prompt on Action checked

    [*]On the Log file tab leave the Log to file checked.

    [*]Leave the log file path alone: %USERPROFILE%\DoctorWeb\CureIt.log

    [*]Log mode = Append

    [*]Encoding = ANSI

    [*]Details Leave Names of file packers and Statistics checked.

    [*]Limit log file size = 2048 KB and leave the check mark on the Maximum log file size.

    [*]On the General tab leave the Scan Priority on High

    [*]Click the Apply button at the bottom, and then the OK button.

    [*]On the right side under the Dr Web Anti-Virus Logo you will see 3 little buttons. Click the left VCR style Start button.

    [*]In this mode it will scan Boot sectors of all disks, All removable media, and all local drives

    [*]The more files and folders you have the longer the scan will take. On large drives it can take hours to complete.

    [*]When the Cure option is selected, an additional context menu will open. Select the necessary action of the program, if the curing fails.

    [*]Click Yes to all if it asks if you want to cure/move the files.

    [*]This will move it to the %USERPROFILE%\DoctorWeb\Quarantine\ folder if it can't be cured. (in this case we need samples)

    [*]After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list

    [*]Save the report to your Desktop. The report will be called DrWeb.csv

    [*]Close Dr.Web Cureit.

    [*]Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.

    [*]After reboot, post the contents of the log from Dr.Web you saved previously to your Desktop in your next reply

Link to post
Share on other sites

Hi Kenny,

I really did try to run it once this time, but my machine restarted in the middle of the first scan, so I had to rescan it again (it worked the second time around). I can't take the blame for it this time. :) The results are attached.

I'm also including a screen-shot of the results, which appears to be more informative. There were several files which couldn't be cured by DrWeb and I put these into DrWeb's Quarantine folder, for now.

I have two other follow up questions:

(1) Did the ComboFix results reveal anything? (2) I want to get a comprehensive Anti-Virus/Firewall program. I'm using VIPRE, but I'm beginning to think it's not doing it's job. If it was I wouldn't have all these problems (right?). From what I've seen I'm impressed with ESET or DrWeb. Do you have any recommendations?

Let me know where we go next. Thanks again!



Link to post
Share on other sites

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these Files/Folders (if present):

C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\

C:\Documents and Settings\Owner\My Documents\Programs\Disk and System Files\xpbootcd.zip

C:\Documents and Settings\Owner\My Documents\Programs\Disk and System Files\XPBootCD

All the others are in system restore. When we uninstall Combofix this will take care of this for us.

One more scan to check your Security.

Download Security Check from here or here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Link to post
Share on other sites

We removed the hackers tools! Be sure to CHANGE all Important passwords........ :)

And be sure to run:

Secunia software inspector & update checker

Your Computer is Clean


Some final items:

Follow these steps to uninstall Combofix and tools used in the removal of malware

  • Please press the Windows Key and R on your keyboard. This will bring up the Run... command.
  • Now type in Combofix /Uninstall in the runbox and click OK. (Notice the space between the x and /)
  • Please follow the prompts to uninstall Combofix.
  • You will then recieve a message saying Combofix was uninstalled successfully once it's done uninstalling itself.

This will uninstall Combofix and anything assoicated with it.

Here are some additional links for you to check out to help you with your computer security.


Just because your computer came loaded with Internet Explorer doesn't mean that you have to use it, there are other free alternatives, FIREFOX and OPERA, both are free to use and are more secure than IE.

If you are using firefox you can stay more secure by adding NoScript and WOT (Web Of Trust)

NoScript stops Java scripts from starting on a web page unless you give permission for them, and WOT (Web Of Trust) has a comprehensive list of ratings for different websites allowing you to easily see if a website that you are about to go to has a bad reputation; in fact it will warn you to check if you are sure that you want to continue to a bad website.

  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

Additional Security Measures

Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

SpywareBlaster- SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

Cookienator- Scans your PC for tracking cookies in multiple browsers as well as in Adobe Flash.

Winpatrol Download and install the free version of Winpatrol. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.

Secunia software inspector & update checker

My Blog Malware And Spyware Tips

Also, see here for system improvement: Help! My computer is slow!

It was a pleasure working with you



Link to post
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.
Back to top
  • Create New...

Important Information

This site uses cookies - We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.