corduroy 0 Newbie Poster

Should I format the drive... is it the better solution?

Thanks in advance!

I had the same problem as you, and I had to format my HD. I couldn't find a way of getting rid of the trojan, in spite of the help I got here. It took me some time to backup all the stuff, but it also "forced" me to do some cleaning, which is good, if you have some time. If you do format, be careful and prepare yourself before you do so: you should install an updated antivirus, a firewall and have all the latest patches for Windows XP installed before you connect to the internet again. Or you might get infected again...

corduroy 0 Newbie Poster

Yes, I noticed there was a language problem there. That's why I decided to say it straight. When I was talking of "hidden" I was wondering whether there is a way in which we cannot see the files, even if we search for hidden and system files...

Thanks for the help anyway!

corduroy 0 Newbie Poster

As I told you, that's not the issue. I know how to look for hidden files. The items you mentioned were all checked. I believe lummy's problem was not exactly the same as mine.

corduroy 0 Newbie Poster

I did that. I can't see those files on my computer. I don't know if there is a way by which they could be hidden, but otherwise they are not on my PC.

corduroy 0 Newbie Poster

thanks lummy...

...but it didn't work. I had already tried something similar.
As you can see in my log I don't even have
"F0 - system.ini: Shell=Explorer.exe winsock.scr" in my computer.

Also, I could only find the winsock.dll file in my computer, out of the 5 you mentioned.

And I don't know about this ope1C3.exe file, but I couldn't find anything about it on the net...

corduroy 0 Newbie Poster

Hi!

Thanks for the patience, crunchie!

My HJT log:

Logfile of HijackThis v1.98.2
Scan saved at 15:43:39, on 13-11-2004
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\sstray.exe
C:\Programas\Ficheiros comuns\Real\Update_OB\evntsvc.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe
C:\Programas\Java\j2re1.4.2_01\bin\jusched.exe
C:\Programas\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccSetMgr.exe
C:\Programas\Ficheiros comuns\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Programas\Norton AntiVirus\navapsvc.exe
C:\Programas\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Programas\Ficheiros comuns\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Programas\Ficheiros comuns\Symantec Shared\ccEvtMgr.exe
C:\Programas\Ficheiros comuns\Symantec Shared\Security Center\SymWSC.exe
C:\Programas\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Programas\Opera75\opera.exe
C:\WINDOWS\Explorer.exe
C:\Programas\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
F2 - REG:system.ini: Shell=Explorer.exe winsock.scr
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programas\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Programas\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Programas\Ficheiros comuns\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programas\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [C:\WINDOWS\system32\ope1C3.exe ] C:\WINDOWS\system32\ope1C3.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programas\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - …
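The log above is where the thread's confusion comes from: HijackThis reports a Shell= value under F0 when it comes from the system.ini file and under F2 when it comes from the registry-mapped copy (the Winlogon Shell value), so a Shell line that only shows up as F2 will never be found by looking in system.ini, and it is re-read at every logon. The following script is an added example, not code from the thread or from HijackThis: it parses a log in the format shown above and flags three things the posts wrestle with (a Shell= value naming anything besides Explorer.exe, an O4 Run entry whose value name is itself a path, as in the ope1C3.exe line, and the same image running an unusual number of times, as with the cmd.exe copies). The sample log is constructed by trimming the entries quoted in the post; the duplicate-count threshold and the allowlist of images that legitimately run several copies are assumptions, not HijackThis rules.

```python
import re
from collections import Counter

# Constructed sample: header, process list and entries trimmed from the
# log quoted in the thread. Not a complete HijackThis log.
SAMPLE_LOG = r"""Logfile of HijackThis v1.98.2
Scan saved at 15:43:39, on 13-11-2004
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\Programas\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\Explorer.exe
C:\Programas\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hiperligações
F2 - REG:system.ini: Shell=Explorer.exe winsock.scr
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Programas\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Programas\Ficheiros comuns\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [C:\WINDOWS\system32\ope1C3.exe ] C:\WINDOWS\system32\ope1C3.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Programas\Zone Labs\ZoneAlarm\zlclient.exe"
"""

# "Xn - body" lines; F0/F2 carry Shell=, O4 carries Run-key entries.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
# O4 body shape: HKLM\..\Run: [value name] command line
RUN_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
SHELL_RE = re.compile(r"\bShell=(?P<value>.*)$", re.IGNORECASE)

# Assumption: images that legitimately run many copies on XP.
MULTI_INSTANCE_OK = {"svchost.exe"}


def parse_hjt(text):
    """Split a log into (process image paths, [(code, body), ...])."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line ends the process list
            continue
        if line.lower().startswith("running processes:"):
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("code"), m.group("body")))
    return processes, entries


def shell_hijacks(entries):
    """F0/F2 Shell= values that name anything other than Explorer.exe."""
    hits = []
    for code, body in entries:
        if code not in ("F0", "F2"):
            continue
        m = SHELL_RE.search(body)
        if not m:
            continue
        parts = [p for p in re.split(r"[,\s]+", m.group("value")) if p]
        extra = [p for p in parts if p.lower() != "explorer.exe"]
        if extra:
            hits.append((code, extra))
    return hits


def suspicious_run_entries(entries):
    """O4 Run entries whose value *name* is a filesystem path (dropper habit)."""
    hits = []
    for code, body in entries:
        if code != "O4":
            continue
        m = RUN_RE.match(body)
        if not m:
            continue
        name = m.group("name").strip()
        if "\\" in name:
            hits.append({"name": name, "cmd": m.group("cmd").strip()})
    return hits


def repeated_processes(processes, threshold=3):
    """Image names running at least `threshold` times, minus the allowlist."""
    counts = Counter(p.rsplit("\\", 1)[-1].lower() for p in processes)
    return {img: n for img, n in counts.items()
            if n >= threshold and img not in MULTI_INSTANCE_OK}


def triage(text):
    processes, entries = parse_hjt(text)
    return {"shell": shell_hijacks(entries),
            "run": suspicious_run_entries(entries),
            "dupes": repeated_processes(processes)}


if __name__ == "__main__":
    for section, findings in triage(SAMPLE_LOG).items():
        print(section, findings)
```

The Shell finding is the one that matters for the "it comes back after reboot" symptom: fixing the F2 line in HijackThis only rewrites the registry value, and anything still running (the extra cmd.exe instances, or the executable named in the O4 entry) can put it back before the next logon, which is why the usual advice is to kill or block the running processes first and only then remove the entries.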

corduroy 0 Newbie Poster

Hi there!

I've also been infected by the Backdoor.Colfusion trojan and I can't find a way to get rid of it. I've been searching all over the net for a solution, I've already tried running Ad-Aware, TrojanHunter, Trojan Remover and the anti-virus (Norton 2004), but nothing seems to be able to remove the trojan's dlls.

I've followed Symantec's removal instructions (http://www.symantec.com/avcenter/venc/data/backdoor.colfusion.html) but there are always at least 5 dlls which Norton (or the other apps I've tried) cannot remove.

Also, I always get winsock.scr and dxsetu.exe errors at startup, followed by "Exception EInOut Error in module dxsetu.exe at 000056F2 I/O error 32". ope1C3.exe and ope1C4.exe also try to connect to the internet (I find these files very suspicious). And I have an unusual number of processes running (like 10 cmd.exe).

I don't know if my situation is completely similar to keesjansma3's, but I've tried the HijackThis thing to fix the dxsetu.exe entry. But after rebooting I can't find the file anywhere, and if I run HijackThis the dxsetu entry is there again. I've also tried running APM but I can't find any of the trojan's dlls listed.

I'm seriously considering formatting my HD since I'm having problems since Tuesday evening and I can't wait much longer... You're basically my last hope.

thanks in advance,

João

P.S.: I'm running Windows XP SP2.