0

Hi, this is my log. Same problem as the other guys: can't get rid of this damn virus.
Here's my log.

Logfile of HijackThis v1.99.0
Scan saved at 15:30:15, on 11/02/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\System32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
F:\WINDOWS\Explorer.exe
F:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
F:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
F:\Program Files\Messenger Plus! 3\MsgPlus.exe
F:\Program Files\Rage3DTweak\RegTwk.exe
F:\WINDOWS\System32\ope6B4.exe
F:\Program Files\rage3dtweak\gameutil.exe
F:\Program Files\Norton AntiVirus\navapsvc.exe
F:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
F:\WINDOWS\system32\ZoneLabs\vsmon.exe
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\Program Files\MSN Messenger\msnmsgr.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\Documents and Settings\Matt\My Documents\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://loginnet.passport.com/ppsecure/md5auth.srf?lc=1033
F2 - REG:system.ini: Shell=Explorer.exe winsock.scr
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NVMixerTray] "F:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [ATIPTA] F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Zone Labs Client] F:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [MessengerPlus3] "F:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [RegTweak] F:\Program Files\Rage3DTweak\RegTwk.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [F:\WINDOWS\System32\ope6A1.exe ] F:\WINDOWS\System32\ope6A1.exe
O4 - HKLM\..\Run: [WinDSNX] F:\WINDOWS\System32\ope6B4.exe
O4 - HKLM\..\Run: [F:\WINDOWS\System32\ope6AA.exe ] F:\WINDOWS\System32\ope6AA.exe
O4 - HKLM\..\Run: [F:\WINDOWS\System32\ope6B3.exe ] F:\WINDOWS\System32\ope6B3.exe
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] F:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] F:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "F:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "F:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Xfire.lnk = F:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: gameutil.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office\OSA9.EXE
O10 - Broken Internet access because of LSP provider 'xfire_lsp_10406.dll' missing
O17 - HKLM\System\CCS\Services\Tcpip\..\{6A0CB375-758B-402A-934C-57C212272F87}: NameServer = 192.168.1.1
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - F:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - F:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - F:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - F:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - F:\WINDOWS\system32\ZoneLabs\vsmon.exe

0

Download the Pocket KillBox
Unzip the file to your desktop.
Run Pocket Killbox and paste the full file path of each of the below files in the box and click on Standard File Kill and End Explorer Shell While Killing File. Click on the button with the red circle and an X in the middle after you enter each file (see the files below).

C:\WINDOWS\System32\svcnet.exe
C:\WINDOWS\dxsetu.exe
c:\windows\winsock.scr
c:\windows\dxsetu.exe
c:\windows\system32\winlog.com
c:\windows\system32\dxwinex.exe

Reboot afterwards if the files are successfully deleted.

If all files are not deleted, do not reboot yet. Run Pocket Killbox again and paste the full file path in the box and click on Delete on Reboot. Next click on the button with the red circle and an X in the middle. You will get a message saying "File will be deleted on next reboot, Process and Reboot now?" Click "Yes" to reboot only after the last file you enter.

Post a new log.

0

Thx m8, I've done everything u said but unfortunately it still says I have the virus after I did my re-scan. Here's my new log:

Logfile of HijackThis v1.99.0
Scan saved at 12:05:30, on 12/02/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\System32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
F:\WINDOWS\Explorer.exe
F:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
F:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
F:\Program Files\Messenger Plus! 3\MsgPlus.exe
F:\Program Files\Rage3DTweak\RegTwk.exe
F:\WINDOWS\System32\ope6B4.exe
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\Program Files\rage3dtweak\gameutil.exe
F:\Program Files\Xfire\Xfire.exe
F:\Program Files\Norton AntiVirus\navapsvc.exe
F:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
F:\WINDOWS\system32\ZoneLabs\vsmon.exe
F:\Program Files\MSN Messenger\msnmsgr.exe
F:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://loginnet.passport.com/ppsecure/md5auth.srf?lc=1033
F2 - REG:system.ini: Shell=Explorer.exe winsock.scr
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NVMixerTray] "F:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [ATIPTA] F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Zone Labs Client] F:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [MessengerPlus3] "F:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [RegTweak] F:\Program Files\Rage3DTweak\RegTwk.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [F:\WINDOWS\System32\ope6A1.exe ] F:\WINDOWS\System32\ope6A1.exe
O4 - HKLM\..\Run: [WinDSNX] F:\WINDOWS\System32\ope6B4.exe
O4 - HKLM\..\Run: [F:\WINDOWS\System32\ope6AA.exe ] F:\WINDOWS\System32\ope6AA.exe
O4 - HKLM\..\Run: [F:\WINDOWS\System32\ope6B3.exe ] F:\WINDOWS\System32\ope6B3.exe
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] F:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] F:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [dxset.exe] F:\WINDOWS\dxsetu.exe
O4 - HKCU\..\Run: [MessengerPlus3] "F:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "F:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Xfire.lnk = F:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: gameutil.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office\OSA9.EXE
O10 - Broken Internet access because of LSP provider 'xfire_lsp_10406.dll' missing
O17 - HKLM\System\CCS\Services\Tcpip\..\{6A0CB375-758B-402A-934C-57C212272F87}: NameServer = 192.168.1.1
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service - Symantec Corporation - F:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - F:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - F:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - F:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - F:\WINDOWS\system32\ZoneLabs\vsmon.exe

0

Try this program while waiting for a reply from Crunchie; after running it, post a fresh log.

Go here and get the Trojan-Hunter fully working trial, and run a full scan.

0

Close all browser windows, scan with HJT, and have it fix the following entries:

F2 - REG:system.ini: Shell=Explorer.exe winsock.scr
O4 - HKLM\..\Run: [F:\WINDOWS\System32\ope6A1.exe ] F:\WINDOWS\System32\ope6A1.exe
O4 - HKLM\..\Run: [WinDSNX] F:\WINDOWS\System32\ope6B4.exe
O4 - HKLM\..\Run: [F:\WINDOWS\System32\ope6AA.exe ] F:\WINDOWS\System32\ope6AA.exe
O4 - HKLM\..\Run: [F:\WINDOWS\System32\ope6B3.exe ] F:\WINDOWS\System32\ope6B3.exe
O4 - HKLM\..\Run: [dxset.exe] F:\WINDOWS\dxsetu.exe

Reboot into Safe Mode

Delete the highlighted files in these locations:

F:\WINDOWS\System32\ope6A1.exe
F:\WINDOWS\System32\ope6B4.exe
F:\WINDOWS\System32\ope6AA.exe
F:\WINDOWS\System32\ope6B3.exe
F:\WINDOWS\dxsetu.exe

Open Windows Explorer, go to Tools, and in the Folder Options, select "Show hidden files and folders," and uncheck "Hide protected operating system files."

For every User listed under C:\Documents and Settings, delete the entire contents of these folders (not the folders themselves):

Cookies
History
Local Settings\Temp
Local Settings\Temporary Internet Files\Content.IE5

Delete the entire contents of your C:\Windows\Temp folder.

Delete the entire contents of your C:\Temp folder (if you have one).

Do a search for *.tmp and delete all entries found.

Empty your Recycle Bin.

Reboot normally, close all browser windows, scan with HJT, and post a new log please. (Let us know if you still have the problem too)
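The entries picked out for fixing above share a few visible traits: a `Shell=` value that starts something besides Explorer.exe, Run values whose name is itself a file path, and autoruns launched straight from the Windows or System32 folder. The following is an added example, not part of the original post or of HijackThis: a small triage script using those three heuristics (assumptions chosen here, with hypothetical function names) over lines copied from this thread's logs, plus a check that flagged lines are gone from a later log.

```python
import ntpath
import re

# Sample input: lines copied from the HijackThis logs posted in this thread.
BEFORE = r"""F2 - REG:system.ini: Shell=Explorer.exe winsock.scr
O4 - HKLM\..\Run: [ATIPTA] F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [F:\WINDOWS\System32\ope6A1.exe ] F:\WINDOWS\System32\ope6A1.exe
O4 - HKLM\..\Run: [WinDSNX] F:\WINDOWS\System32\ope6B4.exe
O4 - HKLM\..\Run: [dxset.exe] F:\WINDOWS\dxsetu.exe
O4 - HKCU\..\Run: [msnmsgr] "F:\Program Files\MSN Messenger\msnmsgr.exe" /background
"""
AFTER = r"""O4 - HKLM\..\Run: [ATIPTA] F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [avast!] F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [msnmsgr] "F:\Program Files\MSN Messenger\msnmsgr.exe" /background
"""

O4_RUN = re.compile(r"^O4 - HK\w+\\\.\.\\\w+: \[(?P<name>.*?)\] (?P<cmd>.+)$")
F2_SHELL = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<val>.*)$", re.I)
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")
OS_DIR = re.compile(r"^[a-z]:\\windows(\\system32)?$")


def exe_path(cmd):
    """Return the executable path from a Run command, quoted or unquoted."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.+?\.(?:exe|com|scr))(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd


def triage(log):
    """Return (line, reason) pairs for entries that deserve a manual look."""
    findings = []
    for line in log.splitlines():
        line = line.strip()
        m = F2_SHELL.match(line)
        if m:
            # Anything after the first token is started alongside the shell.
            extra = m.group("val").split()[1:]
            if extra:
                findings.append((line, "shell also starts: " + " ".join(extra)))
            continue
        m = O4_RUN.match(line)
        if not m:
            continue
        folder = ntpath.dirname(exe_path(m.group("cmd"))).lower()
        if DRIVE_PATH.match(m.group("name")):
            findings.append((line, "Run value name is a file path"))
        elif OS_DIR.match(folder):
            findings.append((line, "autorun directly from Windows/System32"))
    return findings


def still_present(findings, later_log):
    """List flagged lines that survive unchanged in a later log."""
    later = {entry.strip() for entry in later_log.splitlines()}
    return [line for line, _ in findings if line in later]


if __name__ == "__main__":
    flagged = triage(BEFORE)
    for line, reason in flagged:
        print(f"{reason}: {line}")
    print("remaining after cleanup:", still_present(flagged, AFTER))
```

A hit from these heuristics is a prompt to inspect the file, not a verdict; legitimate software also registers autoruns from System32.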

0

Here's my Trojan Hunter scan, caperjack:

Registry scan
Registry value exists: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WinDSNX (matches DataSpy.020) (Regedit Jump)
Registry value exists: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WinDSNX (matches DataSpy.030) (Regedit Jump)
Registry value exists: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WinDSNX (matches DataSpy.040) (Regedit Jump)
Registry value exists: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\WinDSNX (matches DataSpy.200) (Regedit Jump)
Inifile scan
No suspicious entries found
Port scan
No suspicious open ports found
Memory scan
Found trojan running in memory: F:\WINDOWS\System32\ope6B4.exe, PID: 704 (DataSpy.051)
File scan
Found trojan file: C:\System Volume Information\_restore{90313B7C-C07E-41DF-A0EB-7CCDF33CCFA7}\RP36\A0004355.exe (Csr.100)
Found trojan file: F:\Program Files\Kickchat$cript[2.0]\Mirc.exe (Csr.100)
Found trojan file: F:\WINDOWS\system32\ope6A2.exe (DSNX.050)
Found trojan file: F:\WINDOWS\system32\ope6AB.exe (DSNX.050)
Found trojan file: F:\WINDOWS\system32\ope6B4.exe (DSNX.050)
5 trojan files found

0

Mirc.exe (Found trojan file: F:\Program Files\Kickchat$cript[2.0]\Mirc.exe (Csr.100) )
is a legit file, but could be infected (I don't think it should have that Csr.100 with it); not sure what to do about that one other than to delete and reinstall it:

http://startup.iamnotageek.com/srch-mirc.exe.html

http://www.liutilities.com/products/wintaskspro/processlibrary/mirc/

http://www.anti-spy.info/process/mirc.exe.html

See this thread for the trojan found on your "C" drive:

http://www.daniweb.com/techtalkforums/thread13362.html

Oh, and you should still follow the recommendations in my previous post; those same entries were found by Trojan Hunter.

0

Here's my latest HJT log. Btw, I tried to delete all the files that were .tmp but there were a few that would go, said being used by another programme or something.

Logfile of HijackThis v1.99.0
Scan saved at 16:14:33, on 12/02/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\System32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
F:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
F:\WINDOWS\system32\spoolsv.exe
F:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
F:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
F:\Program Files\Messenger Plus! 3\MsgPlus.exe
F:\Program Files\Rage3DTweak\RegTwk.exe
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
F:\Program Files\MSN Messenger\msnmsgr.exe
F:\Program Files\rage3dtweak\gameutil.exe
F:\Program Files\Xfire\Xfire.exe
F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
F:\Program Files\Alwil Software\Avast4\ashServ.exe
F:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
F:\WINDOWS\system32\ZoneLabs\vsmon.exe
F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
F:\Program Files\Mozilla Firefox\firefox.exe
F:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://loginnet.passport.com/ppsecure/md5auth.srf?lc=1033
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - F:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NVMixerTray] "F:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [ATIPTA] F:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Zone Labs Client] F:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [MessengerPlus3] "F:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [RegTweak] F:\Program Files\Rage3DTweak\RegTwk.exe
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] F:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] F:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [avast!] F:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MessengerPlus3] "F:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "F:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Xfire.lnk = F:\Program Files\Xfire\Xfire.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = F:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: gameutil.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office\OSA9.EXE
O10 - Broken Internet access because of LSP provider 'xfire_lsp_10406.dll' missing
O17 - HKLM\System\CCS\Services\Tcpip\..\{6A0CB375-758B-402A-934C-57C212272F87}: NameServer = 192.168.1.1
O23 - Service: avast! iAVS4 Control Service - Unknown - F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - F:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown - F:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown - F:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - F:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service - Symantec Corporation - F:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - F:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor - Zone Labs Inc. - F:\WINDOWS\system32\ZoneLabs\vsmon.exe

0

I'd wait for some advice from crunchie or DMR on the Mirc.exe (unless you've done something with it already?); other than that, your log looks clean to me, are you still having trouble with the backdoor thing?

0

I uninstalled Mirc and was able to defeat the virus using avast 4.5 in safe mode, much better than Norton. Thx for all ur help :P, just wish I could repay the b*****d who was sending it to me!! :twisted: :twisted:
MUAHAHAHAHAA!
