Hi,

I was surfing and found this forum, and thought that this might be the place to get some help because I am going crazy.

My pc is infected with the coldfusion trojan
http://vic.zonelabs.com/tmpl/body/CA/virusDetails.jsp?VId=30221

It seems impossible to remove because the files are regenerated after I delete them.

The last thing I need is to defragment my HD.

I have tried all kinds of programs and scanners but while some detect some infected files none could remove it permanently.

You're my last hope :)

Regards
Keesjansma3


When are the files regenerated? Immediately? At system startup?

You might be able to go into the registry using those keys provided in the link you gave us, and delete them. Then, try deleting the files manually from the locations specified in the same link.

Sometimes, antivirus programs can't "Fix" something because there's nothing to fix; just stuff to remove.

Before you make any changes to the registry, you should first back it up. Here are the instructions for doing so:
http://support.microsoft.com/default.aspx?kbid=322756#2

In regards to this statement:

The last thing I need is to defragment my HD.

Defragging should be done on a regular basis (once a week in my opinion, but some people say twice a year is okay). I think you probably meant to say 'reformat.'

Yeah of course, I actually meant formatting my HD.

I'll look at the tips and see if I can fix it.

Well, I've tried to remove the registry entries but I couldn't find them.
That's strange. Maybe it's a newer version.

I scanned my system with trojanhunter and it removed the trojan, but when I rebooted the trojan was back again, and this keeps going.

It seems impossible to remove this one. I really don't understand....


I haven't seen one yet that couldn't be removed, but some take more perseverance than others. Go to this thread and get HijackThis and post a log here.
http://www.daniweb.com/techtalkforums/thread5690.html

Thank you for your answer.

The problem is that this trojan injects dll files into explorer.exe so you might not see much wrong in the log.

Here it is:

Logfile of HijackThis v1.98.2
Scan saved at 16:27:25, on 4-11-04
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZLCLIENT.EXE
C:\PROGRAM FILES\TROJANHUNTER 4.0\THGUARD.EXE
C:\PROGRAM FILES\PIMEX\PIMEX.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\APPS\HJT\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 62.58.77.21:80
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O4 - HKLM\..\Run: [Taakcontrole] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.0\THGUARD.EXE"
O4 - HKLM\..\Run: [dxset.exe] C:\WINDOWS\dxsetu.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - Startup: Pimex Reminder.lnk = C:\Program Files\PIMEX\Pimex.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Download All Files by HiDownload - C:\DIVX\HIDOWN~1\HDGetAll.htm
O8 - Extra context menu item: Download all by Net Transport - C:\DIVX\NETTRA~1\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\DIVX\NETTRA~1\NTAddLink.html
O8 - Extra context menu item: Download alle met &ReGet Deluxe - C:\PROGRAM FILES\COMMON FILES\REGET SHARED\CC_All.htm
O8 - Extra context menu item: Download met &ReGet Deluxe - C:\PROGRAM FILES\COMMON FILES\REGET SHARED\CC_Link.htm
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\DIVX\HIDOWN~1\hidownload.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM\MSJAVA.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Besturing) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {E9790C6C-DCAA-4E4F-8048-FFEC3B62DFED} (VOGWeb2 Class) - http://67.18.204.35/activex/vogweb29.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

Scan with hijackthis and tick the boxes next to all the following entries, then close all browser and explorer windows, and hit the "Fix checked" button.

O4 - HKLM\..\Run: [dxset.exe] C:\WINDOWS\dxsetu.exe

Reboot and delete the dxsetu.exe file.

What does this translate to?
O4 - HKLM\..\Run: [Taakcontrole] C:\WINDOWS\taskmon.exe

Download and install APM from: http://www.diamondcs.com.au/index.php?page=apm

In the upper window of APM select explorer.exe
Find the dll's that are being injected.
Select Unload DLL and click OK on the prompts that follow.
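The triage the helper does by eye above (spotting the O4 autostart entry whose label does not match its file, an executable launched straight out of the Windows directory, and the ProxyServer override in the R1 line) can be scripted. The following is an added example and is not code from this thread or from HijackThis; it parses the O4 registry autostart lines and the R1 ProxyServer line from a HijackThis-style log and returns review items for a human, without deciding that anything is malicious. The sample input is the set of lines quoted from the log posted above. The heuristics (label/target mismatch, autostart from the Windows root directory, proxy set) are my own choice, not rules from the page; taskmon.exe is flagged along with dxsetu.exe and the analyst decides which one belongs.

```python
"""Triage helper for HijackThis-style logs (added example, not from the thread).

Parses O4 registry autostart lines and the R1 ProxyServer line and returns
review items. The heuristics are assumptions of this example, not rules from
HijackThis; every finding is for a human analyst to confirm or dismiss.
"""
import re
from dataclasses import dataclass

# Constructed sample: the O4 / R1 lines quoted from the log posted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 62.58.77.21:80
O4 - HKLM\..\Run: [Taakcontrole] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRAM FILES\GRISOFT\AVG6\avgcc32.exe /startup
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [THGuard] "C:\PROGRAM FILES\TROJANHUNTER 4.0\THGUARD.EXE"
O4 - HKLM\..\Run: [dxset.exe] C:\WINDOWS\dxsetu.exe
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - Startup: Pimex Reminder.lnk = C:\Program Files\PIMEX\Pimex.exe
"""

# "O4 - HKLM\..\Run: [label] command"  (also matches RunServices, RunOnce, ...)
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")
# "R1 - ...Internet Settings,ProxyServer = host:port"
PROXY_RE = re.compile(r"^R1 - .*Internet Settings,ProxyServer = (?P<proxy>\S+)$")
# Executable path: either a quoted path, or an unquoted path up to the first
# executable extension followed by whitespace/end (HijackThis does not quote
# paths with spaces unless the registry value itself was quoted).
PATH_RE = re.compile(r'^"(?P<q>[^"]+)"|^(?P<u>.*?\.(?:exe|com|dll|scr|bat))(?:\s|$)', re.IGNORECASE)
# Parent directory that is the Windows root itself (C:\WINDOWS, D:\WINNT, ...).
ROOT_RE = re.compile(r"^[A-Z]:\\(?:WINDOWS|WINNT)$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    kind: str    # heuristic that fired
    detail: str  # what to look at
    line: str    # the log line it came from


def target_path(cmd: str) -> str:
    """Return the executable path from an O4 command string, arguments stripped."""
    m = PATH_RE.match(cmd)
    if not m:
        return cmd.strip()
    return m.group("q") or m.group("u")


def triage(log_text: str) -> list[Finding]:
    """Scan a HijackThis-style log and return review items (never verdicts)."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = PROXY_RE.match(line)
        if m:
            # A proxy the user did not configure redirects all browser traffic.
            findings.append(Finding("proxy-override", m.group("proxy"), line))
            continue
        m = O4_RE.match(line)
        if not m:
            continue
        path = target_path(m.group("cmd"))
        parent, _, exe = path.rpartition("\\")
        exe = exe.lower()
        label = m.group("label").lower()
        # A label that names one executable while launching another.
        if label.endswith(".exe") and label != exe:
            findings.append(Finding("label-mismatch", f"label {label!r} but target {exe!r}", line))
        # Executables launched straight from the Windows directory deserve a look;
        # legitimate components live there too, so this is a review item only.
        if ROOT_RE.match(parent):
            findings.append(Finding("windows-root-autostart", exe, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail}\n    {f.line}")
```

On the sample above this yields four review items: the proxy override, the `dxset.exe` label pointing at `dxsetu.exe`, and the two programs started from `C:\WINDOWS` (taskmon.exe and dxsetu.exe). Only the last item for each pair is the one the thread removes; the point of the script is to shrink a long log to the handful of lines worth checking against a known-good list.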

Thanks very much for your answer!

The program you recommended didn't work for Win98 but I found an alternative. Still it couldn't unload the dll file, it kept coming back.

I then went into to pure dos and deleted the dll along with the dxsetu.exe file and now the trojan is finally off my computer.

Thanks for giving me the tip on the dxsetu file and for your time. It's a relief, it took me three days....

Best regards
Kees

You're welcome :).


Hi - just wanted to say thank you as well - removed this nasty Trojan (my first one on XP after errrrr 9 months) fairly successfully thanks to your method.

One query though :

The registry entry pointed at a location F:\WINDOWSz\dxsetu.exe. I have searched everywhere, and cannot for the life of me find this file.

Can you understand why I would not :eek: ?


Maybe yours is on the C drive? Go to folder options and unhide hidden files\folders.
