Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Computer infected with NirCmd.cfxxe (PEV.cfxxe, etc.)

  • Please log in to reply
3 replies to this topic

#1 user1000000


  • Members
  • 21 posts
  • Local time:12:14 AM

Posted 22 March 2011 - 06:30 PM

Hello Bleepingcomputer team! I have a stubborn trojan or virus in my computer running Vista Professional 32 bit. I suspected something was amiss because suddenly the computer would become slow, and as I connected to the internet, it seemed very active. I have Comodo Free Firewall installed and updated, Avira Personal Free (updated) and Spyshelter. Since no normal scan showed anything, I decided (I know, against your suggestions) to run Combofix. I did this because I've already used it several times before successfully to clean my PCs and other people's PC. Yet I am glad I did, because here's the funny thing: I forgot to turn off Spyshelter. This means that I disabled the firewall and Avira as Combofix usage suggests, but luckily I forgot to turn off Spyshelter. As I started Combofix, immediately a warning came from Spyshelter notifying me that an application called NirCmd.cfxee with a parent process called CF24160.cfxxe was trying to do something. I denied it and it tried again several times, after that, a file called PEV.cfxxe was brought to my attention, again from Spyshelter saying it was trying to do something. It goes on like this, and several files with the same cfxxe extension do their job. One is called catchme, another one is called rmbr.cfxee, and the last one that appears in the process is REGT.cfxee. The interesting thing is that if I turn off spyshelter, and run combofix, it runs smoothly as if nothing was there. This virus has the ability to hide itself from Combofix. I wanted your help, because I don't know how to tackle this stubborn virus. It's still there. I am no stranger to reinstallation and have my data backed up, but this virus or trojan seems to spread in USBs and the like, so I wanted your advise to really clean my PC, and to know how to face this threat in case it comes up again. I'm sorry for the verbosity, but I felt it was needed. Thanks again in advance for your time, patience and help.

Edit: Moved topic from Vista to the more appropriate forum, due to the subject matter relating to ComboFix as identified by staff. ~ Animal

BC AdBot (Login to Remove)


#2 Billy O'Neal

Billy O'Neal

    Visual C++ STL Maintainer

  • Malware Response Team
  • 12,304 posts
  • Gender:Male
  • Location:Redmond, Washington
  • Local time:10:14 PM

Posted 22 March 2011 - 07:23 PM

Hello, user1000000. :)

As the author of PEV.CFXXE, I can assure you that it's a legitimate part of ComboFix. Information on ComboFix (as well as files it uses or it's method of operation) is restricted in order to prevent malware from figuring out how CF works.

For more information, see http://www.bleepingcomputer.com/forums/topic273628.html/page__p__1511502#entry1511502 .

Have a nice day,

Twitter - My statements do not establish the official position of Microsoft Corporation, and are my own personal opinion. (But you already knew that, right?)
Posted Image

#3 Orange Blossom

Orange Blossom

    OBleepin Investigator

  • Moderator
  • 37,011 posts
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:01:14 AM

Posted 22 March 2011 - 07:31 PM


From what you've written, you have successfully run CF and therefore have produced a log or logs.

From the topic linked to by Billy, fix tools such as this are extremely powerful and can be used for good or bad. Therefore, such tools are often flagged as malicious. Think of it as a pair of scissors on a plane. The scissors aren't bad, but the wielder of them might be.

Please follow the instructions in ==>This Guide<== starting at step 6.

Once the proper logs are created, then make a NEW TOPIC and post it ==>HERE<== Since you have run ComboFix, please include the ComboFix log in the new topic. Please be sure to include a description of your computer issues and what you have done to try to resolve them.

If you cannot produce any of the other logs, then please create the new topic anyway, include the information that you were unable to produce the other logs and why and include the ComboFix log along with a description of your computer issues.

Orange Blossom :cherry:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#4 user1000000

  • Topic Starter

  • Members
  • 21 posts
  • Local time:12:14 AM

Posted 23 March 2011 - 12:05 PM

Thank you for your quick answers, Bleepingcomputer team! I feel better knowing PEV.cfxxe is part of Combofix. I will read the guides carefully, and post in the forum suggested by Orange Blossom if I have more difficulties. Thanks a lot again for your help, I learn something new everyday. Have a great day!

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users