•
•
•
•
What is DaniWeb IT Discussion Community?
You're currently browsing the Viruses, Spyware and other Nasties section within the Tech Talk category of DaniWeb, a massive community of 391,588 software developers, web developers, Internet marketers, and tech gurus who are all enthusiastic about making contacts, networking, and learning from each other. In fact, there are 2,643 IT professionals currently interacting right now! Registration is free, only takes a minute and lets you enjoy all of the interactive features of the site.
Please support our Viruses, Spyware and other Nasties advertiser:
Views: 3414 | Replies: 3
 |
•
•
Join Date: Nov 2004
Posts: 2
Reputation: 
Rep Power: 0
Solved Threads: 1
Newbie Poster
•
•
•
•
Originally Posted by corduroy
I've followed Symantec's removal instructions (http://www.symantec.com/avcenter/ven...colfusion.html) but there are always at least 5 dlls which Norton (or the other apps I've tried) cannot remove.
Also, I always get winsock.scr and dxsetu.exe errors at startup, followed by "Exception EInOut Error in module dxsetu.exe at 000056F2 I/O error 32". ope1C3.exe and ope1C4.exe also try to connect to the internet (I find this files very suspicious). And I have an unusual amount of processes running (like 10 cmd.exe)..
Exactly the same problem here - I managed to delete the DLLs in Safe Mode, but the dxsetu.exe keeps on appearing in the registry, even after deletes.
The winsock.scr errors are probably the Trojan trying to mess with the antivirus.
•
•
•
•
Originally Posted by corduroy
I don't know if my situation is completely similar to keesjansma3 but I've tried the HijackThis thing to fix the dxsetu.exe entry. But after rebooting I can't find the file anywhere and if I run HijackThis the dxsetu entry is there again. I've also tried running APM but I can't find any of the trojan's dlls listed.
Problem is virtually the same - Hijackthis finds it, but I CANNOT FIND THE DXSETU.EXE file, even though registry entries & Hijackthis point to a F:\WINDOWS\dxsetu.exe location.
I have enclosed my hijackthis log
Logfile of HijackThis v1.97.7
Scan saved at 09:09:57, on 13/11/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.exe
F:\WINDOWS\System32\cisvc.exe
F:\Program Files\Norton AntiVirus\navapsvc.exe
F:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
F:\WINDOWS\System32\nvsvc32.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Winamp\winampa.exe
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\Program Files\QuickTime\qttask.exe
F:\Program Files\DU Meter\DUMeter.exe
F:\WINDOWS\System32\ctfmon.exe
F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
F:\Program Files\Messenger\msmsgs.exe
F:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
F:\Program Files\WinZip\WZQKPICK.EXE
F:\WINDOWS\System32\cmd.exe
F:\WINDOWS\System32\cmd.exe
f:\progra~1\popfile\popfileib.exe
F:\WINDOWS\System32\cmd.exe
F:\WINDOWS\System32\cmd.exe
F:\Program Files\Norton AntiVirus\SAVScan.exe
F:\Program Files\Winamp\winamp.exe
F:\WINDOWS\System32\cidaemon.exe
F:\Documents and Settings\Administrator\My Documents\My Received Files\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
F0 - system.ini: Shell=Explorer.exe winsock.scr
F2 - REG:system.ini: Shell=Explorer.exe winsock.scr
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WinampAgent] F:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] F:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DU Meter] F:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] F:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "F:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - Global Startup: Run POPFile.lnk = F:\Program Files\POPFile\runpopfile.exe
O4 - Global Startup: WinZip Quick Pick.lnk = F:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O15 - Trusted Zone: http://www.allmusic.com
O15 - Trusted Zone: http://www.rateyourmusic.com
O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} (AsyncDownloader Class) - http://survey.otxresearch.com/Preloader.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti...l_v1-0-3-9.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole...rcadeRdxIE.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex...l_v1-0-3-0.cab
•
•
Join Date: Aug 2003
Posts: 7,114
Reputation:
Rep Power: 24
Solved Threads: 302
Trojan Hunter 30 fully working Demo here .
http://www.misec.net/trojanhunter/
http://www.misec.net/trojanhunter/
Boo!!!!! Sarcastic Jack
•
•
Join Date: Nov 2004
Posts: 10
Reputation:
Rep Power: 4
Solved Threads: 2
Newbie Poster
I also had this problem, but Dav555 very kindly provided this fix:
Make sure you turn off system restore first, Go into control panel, system, system restore tab and check\uncheck the system restore box.
you should fixed the following problems with HijackThis
F0 - system.ini: Shell=Explorer.exe winsock.scr
F2 - REG:system.ini: Shell=Explorer.exe winsock.scr
O4 - HKLM\..\Run: [dxset.exe] C:\WINDOWS\dxsetu.exe
then delete the following files with GiPo@FileUtilities (Move on boot)
(Remember to go into explorer, folder options, view and uncheck "hide protected operating system files" otherwise you'll spend forever and a day looking for things that aren't showing themselves, like I did!!!!!)
c:\windows\system32\winsock.dll
c:\windows\winsock.scr
c:\windows\dxsetu.exe
c:\windows\system32\winlog.com
c:\windows\system32\dxwinex.exe
I think these locations are right, the above files are either in c:\windows or c:\windows\system32
Reboot, then do a full system scan with your anti-virus program, this will pick up all the affected files and should delete\quarantine them.
Make sure you turn off system restore first, Go into control panel, system, system restore tab and check\uncheck the system restore box.
you should fixed the following problems with HijackThis
F0 - system.ini: Shell=Explorer.exe winsock.scr
F2 - REG:system.ini: Shell=Explorer.exe winsock.scr
O4 - HKLM\..\Run: [dxset.exe] C:\WINDOWS\dxsetu.exe
then delete the following files with GiPo@FileUtilities (Move on boot)
(Remember to go into explorer, folder options, view and uncheck "hide protected operating system files" otherwise you'll spend forever and a day looking for things that aren't showing themselves, like I did!!!!!)
c:\windows\system32\winsock.dll
c:\windows\winsock.scr
c:\windows\dxsetu.exe
c:\windows\system32\winlog.com
c:\windows\system32\dxwinex.exe
I think these locations are right, the above files are either in c:\windows or c:\windows\system32
Reboot, then do a full system scan with your anti-virus program, this will pick up all the affected files and should delete\quarantine them.
|
•
•
•
•
Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
•
•
•
•
•
•
•
•
DaniWeb Viruses, Spyware and other Nasties Marketplace
Linear Mode
•
•
•
•
adware antivirus:worm:trojan:rootkit apple botnet complete information defender fraction hotmail im legal leopard mac malware mcafee microsoft mp3 new folder new viruses news nhatquanglan phishing pirates reliability remove satnav search second security skype software spam spyware ssvichosst survey svchost taskmanager trojan virus viruses vista website windows worm yahoo
- Can't remove ColdFusion Trojan (Viruses, Spyware and other Nasties)
- Can't remove ColdFusion Trojan (Viruses, Spyware and other Nasties)
Other Threads in the Viruses, Spyware and other Nasties Forum
- Previous Thread: about:blank HELP PLEASE!
- Next Thread: An Internal applicaton error has occured!
