Viruses, Spyware and other Nasties RSS Viruses, Spyware and other Nasties RSS

Can't remove ColdFusion Trojan

Reply

Join Date: Nov 2004
Posts: 2
Reputation: spiritualized is an unknown quantity at this point 
Solved Threads: 1
spiritualized spiritualized is offline Offline
Newbie Poster

Re: Can't remove ColdFusion Trojan

 
0
  #1
Nov 13th, 2004
Originally Posted by corduroy

I've followed Symantec's removal instructions (http://www.symantec.com/avcenter/ven...colfusion.html) but there are always at least 5 dlls which Norton (or the other apps I've tried) cannot remove.

Also, I always get winsock.scr and dxsetu.exe errors at startup, followed by "Exception EInOut Error in module dxsetu.exe at 000056F2 I/O error 32". ope1C3.exe and ope1C4.exe also try to connect to the internet (I find this files very suspicious). And I have an unusual amount of processes running (like 10 cmd.exe)..
Exactly the same problem here - I managed to delete the DLLs in Safe Mode, but the dxsetu.exe keeps on appearing in the registry, even after deletes.
The winsock.scr errors are probably the Trojan trying to mess with the antivirus.
Originally Posted by corduroy
I don't know if my situation is completely similar to keesjansma3 but I've tried the HijackThis thing to fix the dxsetu.exe entry. But after rebooting I can't find the file anywhere and if I run HijackThis the dxsetu entry is there again. I've also tried running APM but I can't find any of the trojan's dlls listed.
Problem is virtually the same - Hijackthis finds it, but I CANNOT FIND THE DXSETU.EXE file, even though registry entries & Hijackthis point to a F:\WINDOWS\dxsetu.exe location.

I have enclosed my hijackthis log

Logfile of HijackThis v1.97.7
Scan saved at 09:09:57, on 13/11/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.exe
F:\WINDOWS\System32\cisvc.exe
F:\Program Files\Norton AntiVirus\navapsvc.exe
F:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
F:\WINDOWS\System32\nvsvc32.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Winamp\winampa.exe
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\Program Files\QuickTime\qttask.exe
F:\Program Files\DU Meter\DUMeter.exe
F:\WINDOWS\System32\ctfmon.exe
F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
F:\Program Files\Messenger\msmsgs.exe
F:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
F:\Program Files\WinZip\WZQKPICK.EXE
F:\WINDOWS\System32\cmd.exe
F:\WINDOWS\System32\cmd.exe
f:\progra~1\popfile\popfileib.exe
F:\WINDOWS\System32\cmd.exe
F:\WINDOWS\System32\cmd.exe
F:\Program Files\Norton AntiVirus\SAVScan.exe
F:\Program Files\Winamp\winamp.exe
F:\WINDOWS\System32\cidaemon.exe
F:\Documents and Settings\Administrator\My Documents\My Received Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
F0 - system.ini: Shell=Explorer.exe winsock.scr
F2 - REG:system.ini: Shell=Explorer.exe winsock.scr
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WinampAgent] F:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] F:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DU Meter] F:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] F:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "F:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - Global Startup: Run POPFile.lnk = F:\Program Files\POPFile\runpopfile.exe
O4 - Global Startup: WinZip Quick Pick.lnk = F:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O15 - Trusted Zone: http://www.allmusic.com
O15 - Trusted Zone: http://www.rateyourmusic.com
O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} (AsyncDownloader Class) - http://survey.otxresearch.com/Preloader.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti...l_v1-0-3-9.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole...rcadeRdxIE.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex...l_v1-0-3-0.cab
Reply With Quote Quick reply to this message  
Join Date: Aug 2003
Posts: 9,638
Reputation: caperjack is a splendid one to behold caperjack is a splendid one to behold caperjack is a splendid one to behold caperjack is a splendid one to behold caperjack is a splendid one to behold caperjack is a splendid one to behold caperjack is a splendid one to behold 
Solved Threads: 499
Team Colleague
caperjack's Avatar
caperjack caperjack is online now Online
Posting Prodigy

Re: Can't remove ColdFusion Trojan

 
0
  #2
Nov 13th, 2004
Trojan Hunter 30 fully working Demo here .
http://www.misec.net/trojanhunter/
Linux boot cd http://www.knopper.net/knoppix/index-en.html
Reply With Quote Quick reply to this message  
Join Date: Nov 2004
Posts: 10
Reputation: lummy is an unknown quantity at this point 
Solved Threads: 2
lummy lummy is offline Offline
Newbie Poster

Re: Can't remove ColdFusion Trojan

 
0
  #3
Nov 15th, 2004
I also had this problem, but Dav555 very kindly provided this fix:

Make sure you turn off system restore first, Go into control panel, system, system restore tab and check\uncheck the system restore box.

you should fixed the following problems with HijackThis
F0 - system.ini: Shell=Explorer.exe winsock.scr
F2 - REG:system.ini: Shell=Explorer.exe winsock.scr
O4 - HKLM\..\Run: [dxset.exe] C:\WINDOWS\dxsetu.exe

then delete the following files with GiPo@FileUtilities (Move on boot)
(Remember to go into explorer, folder options, view and uncheck "hide protected operating system files" otherwise you'll spend forever and a day looking for things that aren't showing themselves, like I did!!!!!)

c:\windows\system32\winsock.dll
c:\windows\winsock.scr
c:\windows\dxsetu.exe
c:\windows\system32\winlog.com
c:\windows\system32\dxwinex.exe

I think these locations are right, the above files are either in c:\windows or c:\windows\system32

Reboot, then do a full system scan with your anti-virus program, this will pick up all the affected files and should delete\quarantine them.
Reply With Quote Quick reply to this message  
Join Date: Dec 2004
Posts: 9
Reputation: bluffy is an unknown quantity at this point 
Solved Threads: 0
bluffy bluffy is offline Offline
Newbie Poster

Re: Can't remove ColdFusion Trojan

 
0
  #4
Dec 30th, 2004
wot does the above line " then delete the following files with GiPo@FileUtilities (Move on boot) " wots gipo ? and what is move on boot mean ? sorry to be A PAIN!
Reply With Quote Quick reply to this message  
Reply

Quick Reply to Thread
This thread is more than three months old.
Perhaps start a new thread instead?
Message:



Similar Threads
Other Threads in the Viruses, Spyware and other Nasties Forum
Thread Tools Search this Thread



adware anti-malware anti-virussitesaccessissue antivirus apple attack avg backtoschoolspeech bar blackhat botnet botnets censorship china commercial conficker connect control cyber cybercrime cyberwarfare ddos education email europe exam exploit facebook fake fancheckvirus gaming gtaiv halloween herss.exe hijack hosting internet iphone kaspersky legal logfiles malware mcafee messagelabs microsoft mobile msn nazi news obama onlinethreats paedophile panel parents patch phishing police policeprovirusmba-mblockedinternetaccess president privacy pro problem redirect redirecting reliability report research risk rogueantivirus samhain sans scareware school search security seopoisoning sites software spam spyware spywareexternalwindows7adminstratortrojans sqlinjection symantec system teen translate trojan unabletoaccessanti-virussites unwanted update usa virus viruses vista war warning windows worm yahoo zeroday
About Us | Contact Us | Advertise | DaniWeb | Acceptable Use Policy | RSS Feed

©2003 - 2009 DaniWeb® LLC