0

Hi there!

I've also been infected by the backdoor colfusion trojan and I can't find a way to get rid of it. I've been searching all over the net for a solution, I've already tried running ad-aware, trojan hunter, torjan remover and the anti-virus (norton 2004), but nothing seems to be able to remove the trojan's dlls.

I've followed Symantec's removal instructions (http://www.symantec.com/avcenter/venc/data/backdoor.colfusion.html) but there are always at least 5 dlls which Norton (or the other apps I've tried) cannot remove.

Also, I always get winsock.scr and dxsetu.exe errors at startup, followed by "Exception EInOut Error in module dxsetu.exe at 000056F2 I/O error 32". ope1C3.exe and ope1C4.exe also try to connect to the internet (I find this files very suspicious). And I have an unusual amount of processes running (like 10 cmd.exe).

I don't know if my situation is completely similar to keesjansma3 but I've tried the HijackThis thing to fix the dxsetu.exe entry. But after rebooting I can't find the file anywhere and if I run HijackThis the dxsetu entry is there again. I've also tried running APM but I can't find any of the trojan's dlls listed.

I'm seriously considering formatting my HD since I'm having problems since Tuesday evening and I can't wait much longer... You're basically my last hope.

thanks in advance,

João

P.S.: I'm running Windows XP SP2.

5
Contributors
13
Replies
14
Views
13 Years
Discussion Span
Last Post by DMR
0

1. Download and install Ad-Aware SE, keeping the default options. However, some of the settings will need to be changed before your first scan

2.Close ALL windows except Ad-Aware SE

3. Click on the‘world’ icon at the top right of the Ad-Aware SE window and let AdAware SE update the reference list for the adware and malware.

4. Once the update is finished click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window

1) In the ‘General’ window make sure the following are selected in green:
*Automatically save log-file
*Automatically quarantine objects prior to removal
*Safe Mode (always request confirmation)

Under Definitions:
*Prompt to udate outdated definitions - set the number of days


2) Click on the ‘Scanning’ button on the left and select in green :

Under Driver, Folders & Files:
*Scan Within Archives

Under Select drives & folders to scan -
*choose all hard drives

Under Memory & Registry: all green
*Scan Active Processes
*Scan Registry
*Deep Scan Registry
*Scan my IE favorites for banned URL’s
*Scan my Hosts file


3) Click on the ‘Advanced’ button on the left and select in green:

Under Shell Integration:
*Move deleted files to recycle bin

Under Logfile Detail Level: (all green)
*include addtional object information
*DESELECT - include negligible objects information
*include environment information

Under Alternate Data Streams:
*Don't log streams smaller than 0 bytes
*Don't log ADS with the following names: CA_INOCULATEIT


4) Click the ‘Tweak’ button and select in green:

Under the ‘Scanning Engine’:
*Unload recognized processes during scanning
*Scan registry for all users instead of current user only


Under the ‘Cleaning Engine’:
*Let Windows remove files in use at next reboot


Under the Log Files:
*Include basic Ad-aware SE settings in logfile
*Include additional Ad-aware SE settings in logfile
*Please do not check or make green: Include Module list in logfile


5. Click on ‘Proceed’ to save the settings.

6. Click ‘Start’

*Choose:'Perform Full System Scan'
*DESELECT "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.

7. Click ‘Next’ and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically.

8. If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window

9. Save the log file when it asks and then click ‘finish’

10. REBOOT to complete the removal of what Ad-Aware SE found

Download & instal Spybot S&D 1.3 from here. Update it before scanning.
After the scan is complete, have spybot fix everything marked RED.
On the page that first opens when you start Spybot there is an option to immunise, you should do this. In the immunise section there is also a link to download Spywareblaster. This program will prevent the install of bad activex controls that it has knowledge of. Download that & you can keep it updated by selecting the same link that you use to download it. Reboot

Download HijackThis from here & unzip it into it's own, permanent folder, (Not a temporary folder or the desktop (in a folder on the desktop is fine) & not directly on your hard drive). If you prefer an executable file, then download from here.
If you have anything disabled in MsConfig, please re-enable it/them.
Start HJT & press the scan button. When the scan is finished the scan button will change to save. Save the log to a text file, copy the entire contents of the text file & paste it into the body of your post. DO NOT FIX ANYTHING YET. Most of what is there is necessary for the running of your system.

0

Hi!

Thanks for the patience, crunchie!

My HJT log:

Logfile of HijackThis v1.98.2
Scan saved at 15:43:39, on 13-11-2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\sstray.exe
C:\Programas\Ficheiros comuns\Real\Update_OB\evntsvc.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe
C:\Programas\Java\j2re1.4.2_01\bin\jusched.exe
C:\Programas\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccSetMgr.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programas\Norton AntiVirus\navapsvc.exe
C:\Programas\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Programas\Ficheiros comuns\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccEvtMgr.exe
C:\Programas\Ficheiros comuns\Symantec Shared\Security Center\SymWSC.exe
C:\Programas\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programas\Opera75\opera.exe
C:\WINDOWS\Explorer.exe
C:\Programas\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
F2 - REG:system.ini: Shell=Explorer.exe winsock.scr
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programas\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programas\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Programas\Ficheiros comuns\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programas\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [C:\WINDOWS\system32\ope1C3.exe ] C:\WINDOWS\system32\ope1C3.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programas\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [dxset.exe] C:\WINDOWS\dxsetu.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programas\Ficheiros comuns\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Pesquisar - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Programas\Ficheiros comuns\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe

João

0

I also had this problem, but Dav555 very kindly provided this fix:

Make sure you turn off system restore first, Go into control panel, system, system restore tab and check\uncheck the system restore box.

you should fixed the following problems with HijackThis
F0 - system.ini: Shell=Explorer.exe winsock.scr
F2 - REG:system.ini: Shell=Explorer.exe winsock.scr
O4 - HKLM\..\Run: [dxset.exe] C:\WINDOWS\dxsetu.exe

then delete the following files with GiPo@FileUtilities (Move on boot)
(Remember to go into explorer, folder options, view and uncheck "hide protected operating system files" otherwise you'll spend forever and a day looking for things that aren't showing themselves, like I did!!!!!)

c:\windows\system32\winsock.dll
c:\windows\winsock.scr
c:\windows\dxsetu.exe
c:\windows\system32\winlog.com
c:\windows\system32\dxwinex.exe

I think these locations are right, the above files are either in c:\windows or c:\windows\system32

Reboot, then do a full system scan with your anti-virus program, this will pick up all the affected files and should delete\quarantine them.

0

thanks lummy...

...but it didn't work. I had already tried something similar.
As you can see in my log I don't even have
"F0 - system.ini: Shell=Explorer.exe winsock.scr" in my computer.

Also, I could only find the winsock.dll file in my computer, out of the 5 you mentioned.

And I don't know about this ope1C3.exe file, but I couldn't find anything about it in the net...

0

... Remember to go into explorer, folder options, view and uncheck "hide protected operating system files"

I could only find the winsock.dll file in my computer, out of the 5 you mentioned.

Under the "View" tab, also check "show hidden files and folders".

0

I did that. I can't see those files in my computer. I don't if there is a way by which they could be hidden, but otherwise they are not in my PC.

0

Because XP will not always show you hidden files and folders by default, Go to Start > Search and under "More advanced search options".
Make sure there is a check by "Search System Folders" and "Search hidden files and folders" and "Search system subfolders"

0

As I told you, that's not the issue. I know how to look for hidden files. The items you mentioned were all checked. I believe lummy's problem was not exactly the same as mine.

0

And I don't know about this ope1C3.exe file, but I couldn't find anything about it in the net...

Nor could I. Quite often not finding any information on a file is as telling as finding information on it. ;)

I'd have HJT fix that entry; if doing so doesn't seem to break any of your legit programs, I'd delete the file.


I believe lummy's problem was not exactly the same as mine

Not exatly perhaps, but quite close- your log does have entries for dxsetu.exe and winsock.scr, which means that those files were on your system at some point, even if (for some reason) they really aren't there now.

0

As I told you, that's not the issue. I know how to look for hidden files.

You seemed to imply here;

I don't if there is a way by which they could be hidden,

that you were not sure :). That's why I posted.

0

Yes, I noticed there was a language problem there. That's why I decided to say it straight. When I was talking of "hidden" I was thinking if there is a way we cannot see the files, even if search for hidden and system files...

Thanks for the help anyway!

0

Hello everyone.

I'm having the same problem than Corduroy. I followed all your steps until the logfile from HJT. I already had deleted the dxsetu.exe file, but it always coming back in regedit when I reboot. As the dll files... norton can't solve this problem. Can yout tell me which lines and files I should delete/fix or other solution... because i'm out!

Thanks!

Logfile of HijackThis v1.98.2
Scan saved at 20:11:50, on 24-11-2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cmd.exe
C:\Programas\Java\j2re1.4.2_03\bin\jusched.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\cmd.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccSetMgr.exe
C:\Programas\Spybot - Search & Destroy\TeaTimer.exe
C:\Programas\Norton SystemWorks\Norton Antivirus\navapsvc.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\pctspk.exe
C:\Programas\Norton SystemWorks\Norton Antivirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Ficheiros comuns\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccEvtMgr.exe
C:\Programas\Ficheiros comuns\Symantec Shared\Security Center\SymWSC.exe
C:\Programas\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\NUNOOL~1\DEFINI~1\Temp\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
F2 - REG:system.ini: Shell=Explorer.exe winsock.scr
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programas\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programas\Norton SystemWorks\Norton Antivirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programas\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [dxset.exe] C:\WINDOWS\dxsetu.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programas\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: MBNet - {C014B140-3835-11d6-BC1D-00C095EEAD5D} - c:\progra~1\sibs\mbnet\icone.hta
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O16 - DPF: {4E592651-4590-11D6-BC20-00C095EEAD5D} - https://www.mbnet.pt/cc/mbnetbrws.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab

Yes, I noticed there was a language problem there. That's why I decided to say it straight. When I was talking of "hidden" I was thinking if there is a way we cannot see the files, even if search for hidden and system files...

Thanks for the help anyway!

0

Hello everyone.

I'm having the same problem than Corduroy...

Hi ndoliveira,

First of all- welcome to TechTalk!

We ask that members not tag their questions on to a thread previously started by another member (regardless of how similar your problem might seem). Not only does it divert the focus of the thread away from the original poster's problem, but it also makes it less likely that you yourself will get the individual attention that you need.

Please start your own thread and post your question there. When you do, please try to give us as much specific info as possible regarding the problem (exact error messages, system specs, etc.).

For a full description of our posting guidelines and general rules of conduct, please see this page:

http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_faq#faq_rules


Thanks for understanding.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.