Computing.Net > Forums > Security and Virus > Strange Proxy Trojan Infection


Strange Proxy Trojan Infection


Name: mrkidd
Date: November 15, 2006 at 11:07:27 Pacific
OS: Windows Server 2003 / Win
CPU/Ram: Pentium 4, 512 KB
Product: Dell Power Edge
Comment:

I am the administrator for a network with a Windows Server 2003 and Windows XP workstations, all on private IPs behind a router/firewall. A couple of days ago we were stricken by a virus or trojan which AVG Antivirus calls Trojan Proxy.25.D, and many of its other variants, all recognized as "Trojan Proxy.xx.letter" where xx is a number and "letter" an alphabet letter. The infected files are detected and eliminated by the antivirus, and they can also be eliminated manually, but the files reappear soon after, over and over again. This trojan also spreads to all shares on the network. It drops a couple of files to all shares on the network; these files are setup.exe (38kb) and autorun.inf (1kb). On the server itself there are some other .exe files created in the currently logged-on user's temp folder, along with text files containing a domain list, first name list, and last name list. At some point a srvhosts process kicks in and takes up almost all the CPU time, considerably slowing down the server. It seems like an attempt to use my server as a relay. Other than AVG Antivirus, I have run HijackThis and Spybot S&D without finding anything that could be causing this to reinstall. Can anybody tell me how to get rid of this for good?

Your Help is appreciated...

Mr. Kidd
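The post describes the same two files, setup.exe and autorun.inf, turning up on every share. The script below is an added example (not from the original thread) that sweeps a share root for autorun.inf files whose open/shellexecute line launches an executable sitting beside it, so an administrator can list every dropped pair before cleaning. The share layout and file contents it builds are constructed for the demo; SUSPECT_KEYS and all function names are assumptions.

```python
"""Sweep a share tree for autorun.inf files that launch a dropped program.
Added example for the thread above; the sample shares are constructed."""
import os
import tempfile

# autorun.inf keys that can launch a program when the share is opened
SUSPECT_KEYS = ("open", "shellexecute", "shell\\open\\command")


def parse_autorun(text):
    """Return the [autorun] section as {lowercase key: value}."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launched_target(entries):
    """Program an autorun.inf would run (first token of the launch line), or None."""
    for key in SUSPECT_KEYS:
        if key in entries and entries[key]:
            return entries[key].split()[0].strip('"')
    return None


def sweep_share(root):
    """Report every directory holding an autorun.inf that launches something."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        names = {f.lower(): f for f in files}      # case-insensitive lookup
        if "autorun.inf" not in names:
            continue
        with open(os.path.join(dirpath, names["autorun.inf"]), encoding="latin-1") as fh:
            target = launched_target(parse_autorun(fh.read()))
        if not target:
            continue                                # icon-only autorun.inf: benign
        base = os.path.basename(target.replace("\\", "/")).lower()
        present = base in names                     # is the dropper sitting beside it?
        size = os.path.getsize(os.path.join(dirpath, names[base])) if present else None
        findings.append({"share": os.path.basename(dirpath), "target": target,
                         "present": present, "size": size})
    return findings


def demo():
    """Build three constructed shares and sweep them: two dropped pairs, one benign."""
    root = tempfile.mkdtemp()
    layout = {
        "finance": {"autorun.inf": "[autorun]\nopen=setup.exe\nicon=setup.exe,0\n",
                    "SETUP.EXE": b"MZ" + b"\0" * 38 * 1024},   # constructed 38 KB dropper
        "public":  {"autorun.inf": "[AutoRun]\nicon=folder.ico\n"},  # icon only, harmless
        "backup":  {"autorun.inf": "[autorun]\nshellexecute=\"setup.exe\" /s\n"},  # orphaned
    }
    for share, files in layout.items():
        os.mkdir(os.path.join(root, share))
        for name, data in files.items():
            mode = "wb" if isinstance(data, bytes) else "w"
            with open(os.path.join(root, share, name), mode) as fh:
                fh.write(data)
    return sorted(sweep_share(root), key=lambda f: f["share"])
```

Point sweep_share at each mapped share root; anything it lists with "present": True is a dropper pair to quarantine, and an entry with "present": False shows where the antivirus already removed the .exe but left the autorun.inf behind.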





Response Number 1
Name: jabuck
Date: November 15, 2006 at 11:18:45 Pacific
Reply:

Please post your Hijack This log run from the server.



Response Number 2
Name: mrkidd
Date: November 15, 2006 at 11:39:13 Pacific
Reply:

Logfile of HijackThis v1.99.1
Scan saved at 2:37:57 PM, on 11/15/2006
Platform: Windows 2003 SP1 (WinNT 5.02.3790)
MSIE: Internet Explorer v6.00 SP1 (6.00.3790.1830)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\Dfssvc.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\ismserv.exe
C:\WINDOWS\system32\ntfrs.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Belkin Bulldog Plus\upsd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Belkin Bulldog Plus\MUPS.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://technet.microsoft.com/defaul...
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [AuCaption] DSA OMSA Reminder
O4 - HKLM\..\Run: [AuFlag] 
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: MUPS.lnk = C:\Program Files\Belkin Bulldog Plus\MUPS.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windows...
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = hamzi.biz
O17 - HKLM\Software\..\Telephony: DomainName = hamzi.biz
O17 - HKLM\System\CCS\Services\Tcpip\..\{A4FFEE8D-1FF7-4362-97C1-48C1BB57CA28}: NameServer = 192.168.1.12
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = hamzi.biz
O20 - Winlogon Notify: dimsntfy - C:\WINDOWS\SYSTEM32\dimsntfy.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: UPS - UPSentry Service (UPSentry_Smart) - Delta - C:\Program Files\Belkin Bulldog Plus\upsd.exe



Response Number 3
Name: jabuck
Date: November 15, 2006 at 12:30:37 Pacific
Reply:

I see nothing in the server on the HJT log.

Run these as double checks.

Please download ComboFix to the desktop from this link:

http://download.bleepingcomputer.com/sUBs/combofix.exe

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)

Please post the combofix.txt log.

Please download Dr Web CureIt to your desktop from this link: ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Double-click the drweb-cureit.exe file and allow it to run the express scan.
This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it.
This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Select all drives.
A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look if you can click the next icon next to the files found:
If so, click it, then click the next icon right below and select Move incurable.
This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (This is in case we need samples.)
After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
Save the report to your desktop. The report will be called DrWeb.csv.
Close Dr.Web CureIt.
Reboot your computer!! It is possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log on your desktop.

Post an HJT log from one of the workstations if nothing is found with Dr Web CureIt.



Response Number 4
Name: mrkidd
Date: November 15, 2006 at 15:04:36 Pacific
Reply:

I'll have to do this when all users have logged off, since it's my server; I will post results tomorrow.



Response Number 5
Name: mrkidd
Date: November 16, 2006 at 07:31:49 Pacific
Reply:

Hi there, I tried running ComboFix on the server but it's incompatible with Windows 2003 Server. Ran CureIt and that returned nothing. Ran ComboFix on a workstation; it found and deleted 2 entries that you will see in the following post of the log from the workstation.

I know there is something hidden on the server, 'cause as long as there is an HTTP connection to the server the files come back.

Here is the combofix log from the workstation:
mrkidd - 06-11-15 16:34:30.28 Service Pack 2
ComboFix 06.11.9 - Running from: "C:\Documents and Settings\mrkidd\Escritorio"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Archivos de programa\Archivos comunes\{2421A7A2-0AE9-3082-0121-0504162001fb}
C:\Archivos de programa\Archivos comunes\{2421A7A2-0AE9-6154-0121-0504162001fb}


((((((((((((((((((((((((((((((( Files Created from 2006-10-15 to 2006-11-15 ))))))))))))))))))))))))))))))))))


2006-10-30 16:01 90,112 --a------ C:\WINDOWS\unvise32.exe
2006-10-30 16:01 676,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\hardlock.sys
2006-10-30 15:50 188,482 -ra------ C:\WINDOWS\SYSTEM32\helixprodctrl.dll
2006-10-30 15:49 385,108 --a------ C:\WINDOWS\SYSTEM32\csedv.dll
2006-10-30 15:49 376,832 --a------ C:\WINDOWS\SYSTEM32\hlcdvc.dll
2006-10-30 15:49 32,256 --a------ C:\WINDOWS\SYSTEM32\cdvccodc.dll
2006-10-30 15:49 22,528 --a------ C:\WINDOWS\SYSTEM32\csthread.dll
2006-10-30 15:49 159,832 --a------ C:\WINDOWS\SYSTEM32\csccdvc.dll
2006-10-30 15:49 147,456 --a------ C:\WINDOWS\SYSTEM32\csccdvcx.dll
2006-10-30 15:49 1,089,625 --a------ C:\WINDOWS\SYSTEM32\csedvh.dll
2006-10-30 12:01 356,352 --a------ C:\WINDOWS\eSellerateEngine.dll
2006-10-26 16:36 48 --a------ C:\test.bat
2006-10-26 14:39 186 --a------ C:\PLIST.BAT
2006-10-25 17:21 299,520 --a------ C:\WINDOWS\uninst.exe
2006-10-17 13:19 53,299 --a------ C:\WINDOWS\SYSTEM32\pthreadVC.dll
2006-10-17 13:16 233,472 --a------ C:\WINDOWS\SYSTEM32\wpcap.dll
2006-10-17 13:15 81,920 --a------ C:\WINDOWS\SYSTEM32\Packet.dll
2006-10-17 13:14 61,440 --a------ C:\WINDOWS\SYSTEM32\WanPacket.dll
2006-10-17 13:09 35,072 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\npf.sys
2006-10-16 08:50 4,142,592 --a------ C:\WINDOWS\SYSTEM32\qtintf.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-15 16:35 -------- d-------- C:\Archivos de programa\Archivos comunes
2006-11-15 16:26 -------- d-------- C:\Archivos de programa\Manager 2000 (I.F.C.)
2006-11-10 11:27 -------- d-------- C:\Archivos de programa\Active Data Recovery Software
2006-11-09 16:23 -------- d-------- C:\Documents and Settings\mrkidd\Datos de programa\Adobe
2006-11-09 16:21 -------- d-------- C:\Documents and Settings\mrkidd\Datos de programa\Opera
2006-11-09 16:18 -------- d-------- C:\Archivos de programa\Adobe
2006-11-09 16:16 -------- d-------- C:\Archivos de programa\Archivos comunes\Adobe
2006-11-09 16:11 -------- d-------- C:\Archivos de programa\Archivos comunes\Adobe Systems Shared
2006-10-31 15:12 -------- d-------- C:\Archivos de programa\Microsoft Office
2006-10-31 10:36 -------- d-------- C:\Documents and Settings\mrkidd\Datos de programa\Vso
2006-10-31 09:37 -------- d-------- C:\Archivos de programa\Cain
2006-10-31 09:32 -------- d-------- C:\Archivos de programa\WinPcap
2006-10-31 09:08 -------- d-------- C:\Archivos de programa\RAR Password Cracker
2006-10-30 18:15 -------- d-------- C:\Archivos de programa\Atomic RAR Password Recovery
2006-10-30 18:06 -------- d-------- C:\Archivos de programa\WinRAR
2006-10-30 16:10 -------- d-------- C:\Documents and Settings\mrkidd\Datos de programa\Canopus
2006-10-30 16:01 -------- d-------- C:\Archivos de programa\DivX
2006-10-30 15:49 -------- d--h----- C:\Archivos de programa\InstallShield Installation Information
2006-10-30 15:49 -------- d-------- C:\Archivos de programa\Canopus
2006-10-30 15:49 -------- d-------- C:\Archivos de programa\Archivos comunes\Canopus Shared
2006-10-30 12:01 -------- d-------- C:\Archivos de programa\Deskshare
2006-10-25 17:37 -------- d-------- C:\Archivos de programa\RamBooster 2.0
2006-10-18 11:31 -------- d-------- C:\Archivos de programa\Sirius Contabilidad
2006-10-16 11:27 -------- d-------- C:\Archivos de programa\QuickTime
2006-10-16 08:50 -------- d-------- C:\Archivos de programa\APC
2006-10-10 10:58 -------- d-------- C:\Documents and Settings\mrkidd\Datos de programa\Apple Computer
2006-10-10 10:47 -------- d-------- C:\Archivos de programa\Internet Explorer
2006-10-09 17:26 -------- d-------- C:\Documents and Settings\mrkidd\Datos de programa\CyberLink
2006-10-09 17:24 -------- d-------- C:\Archivos de programa\CyberLink
2006-09-28 08:39 778656 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avg7core.sys
2006-09-26 17:13 -------- d-------- C:\Archivos de programa\MP3 CD Converter Professional
2006-09-26 17:10 -------- d-------- C:\Archivos de programa\Absolute Video to Audio Converter
2006-09-26 08:41 -------- d-------- C:\Archivos de programa\Easy Video to Audio Converter
2006-09-25 17:00 -------- d-------- C:\Archivos de programa\Absolute Video Converter
2006-09-25 15:43 -------- d-------- C:\Archivos de programa\Musclesoft
2006-08-17 09:56 131072 --a------ C:\WINDOWS\SYSTEM32\SpoonUninstall.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"RamBooster"="C:\\Archivos de programa\\RamBooster 2.0\\Rambooster.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"SunJavaUpdateSched"="C:\\Archivos de programa\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"AVG7_CC"="C:\\ARCHIV~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"CAP3ON"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\CAP3ONN.exe"
"TPP Auto Loader"="C:\\WINDOWS\\TPPALDR.exe"
"WatchDog"="C:\\Archivos de programa\\mobile PhoneTools\\WatchDog.exe"
"OpwareSE2"="\"C:\\Archivos de programa\\ScanSoft\\OmniPageSE2.0\\OpwareSE2.exe\""
"Synchronization Manager"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,\
73,74,65,6d,33,32,5c,6d,6f,62,73,79,6e,63,2e,65,78,65,20,2f,6c,6f,67,6f,6e,\
00
"QuickTime Task"="\"C:\\Archivos de programa\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000004

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Mi página de inicio actual"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,4e,00,00,00,00,00,00,00,b2,03,00,00,00,03,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,4e,00,00,00,00,00,00,00,b2,03,00,00,00,03,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.exe"
"AVG7_Run"="C:\\ARCHIV~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.exe"
"AVG7_Run"="C:\\ARCHIV~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Precargador Browseui"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Demonio de caché de las categorías de componente"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Menú Inicio^Programas^Inicio^Ventana de estado de Canon LASER SHOT LBP-1120.LNK]
"path"="C:\\Documents and Settings\\All Users\\Menú Inicio\\Programas\\Inicio\\Ventana de estado de Canon LASER SHOT LBP-1120.LNK"
"backup"="C:\\WINDOWS\\pss\\Ventana de estado de Canon LASER SHOT LBP-1120.LNKCommon Startup"
"location"="Common Startup"
"command"="C:\\WINDOWS\\SYSTEM32\\SPOOL\\DRIVERS\\W32X86\\3\\CAP3LAK.exe !N"
"item"="Ventana de estado de Canon LASER SHOT LBP-1120"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Language"
"hkey"="HKLM"
"command"="\"C:\\Archivos de programa\\CyberLink\\PowerDVD\\Language\\Language.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LogMeInSystray"
"hkey"="HKLM"
"command"="\"C:\\Archivos de programa\\LogMeIn\\LogMeInSystray.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Archivos de programa\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PDVDServ"
"hkey"="HKLM"
"command"="\"C:\\Archivos de programa\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Archivos de programa\\Archivos comunes\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tunebite.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="tunebite"
"hkey"="HKCU"
"command"="C:\\Archivos de programa\\tunebite\\tunebite.exe -hidden"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RichVideo"=dword:00000002
"rpcapd"=dword:00000003

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20061110-161551-973
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
backup-20061110-161449-361
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
backup-20061110-161449-365
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/
backup-20061110-161449-458
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com/
backup-20061110-161449-283
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com/
backup-20061110-161449-272
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\RegCure.job

Completion time: 06-11-15 16:35:58.78
C:\ComboFix.txt ... 06-11-15 16:35




Response Number 6
Name: jabuck
Date: November 16, 2006 at 09:08:14 Pacific
Reply:

Run this on the server.

Please download Dr Web CureIt to your desktop from this link: ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Double-click the drweb-cureit.exe file and allow it to run the express scan.
This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it.
This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Select all drives.
A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look if you can click the next icon next to the files found:
If so, click it, then click the next icon right below and select Move incurable.
This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (This is in case we need samples.)
After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
Save the report to your desktop. The report will be called DrWeb.csv.
Close Dr.Web CureIt.
Reboot your computer!! It is possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log on your desktop.

