I've followed Symantec's removal instructions (http://www.symantec.com/avcenter/venc/data/backdoor.colfusion.html) but there are always at least 5 dlls which Norton (or the other apps I've tried) cannot remove. Also, I always get winsock.scr and dxsetu.exe errors at startup, followed by "Exception EInOut Error in module dxsetu.exe at 000056F2 I/O error 32". ope1C3.exe and ope1C4.exe also try to connect to the internet (I find these files very suspicious). And I have an unusual amount of processes running (like 10 cmd.exe).
Exactly the same problem here - I managed to delete the DLLs in Safe Mode, but the dxsetu.exe keeps on appearing in the registry, even after deletes.
The winsock.scr errors are probably the Trojan trying to mess with the antivirus.
I don't know if my situation is completely similar to keesjansma3, but I've tried the HijackThis thing to fix the dxsetu.exe entry. But after rebooting I can't find the file anywhere, and if I run HijackThis the dxsetu entry is there again. I've also tried running APM but I can't find any of the trojan's dlls listed.
Problem is virtually the same - HijackThis finds it, but I CANNOT FIND THE DXSETU.EXE file, even though registry entries & HijackThis point to an F:\WINDOWS\dxsetu.exe location.
I have enclosed my HijackThis log.
Logfile of HijackThis v1.97.7
Scan saved at 09:09:57, on 13/11/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
F:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.exe
F:\WINDOWS\System32\cisvc.exe
F:\Program Files\Norton AntiVirus\navapsvc.exe
F:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
F:\WINDOWS\System32\nvsvc32.exe
F:\WINDOWS\System32\svchost.exe
F:\Program Files\Winamp\winampa.exe
F:\Program Files\Common Files\Symantec Shared\ccApp.exe
F:\Program Files\QuickTime\qttask.exe
F:\Program Files\DU Meter\DUMeter.exe
F:\WINDOWS\System32\ctfmon.exe
F:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
F:\Program Files\Messenger\msmsgs.exe
F:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
F:\Program Files\WinZip\WZQKPICK.EXE
F:\WINDOWS\System32\cmd.exe
F:\WINDOWS\System32\cmd.exe
f:\progra~1\popfile\popfileib.exe
F:\WINDOWS\System32\cmd.exe
F:\WINDOWS\System32\cmd.exe
F:\Program Files\Norton AntiVirus\SAVScan.exe
F:\Program Files\Winamp\winamp.exe
F:\WINDOWS\System32\cidaemon.exe
F:\Documents and Settings\Administrator\My Documents\My Received Files\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
F0 - system.ini: Shell=Explorer.exe winsock.scr
F2 - REG:system.ini: Shell=Explorer.exe winsock.scr
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WinampAgent] F:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ccApp] "F:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] F:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE F:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "F:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroCheck] F:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [DU Meter] F:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] F:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "F:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - Global Startup: Run POPFile.lnk = F:\Program Files\POPFile\runpopfile.exe
O4 - Global Startup: WinZip Quick Pick.lnk = F:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O15 - Trusted Zone: http://www.allmusic.com
O15 - Trusted Zone: http://www.rateyourmusic.com
O16 - DPF: {084F552D-19EB-4668-9788-984CBC781A8F} (AsyncDownloader Class) - http://survey.otxresearch.com/Preloader.dll
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-9.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real.com/gameconsole/Bundler/CAB/RealArcadeRdxIE.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
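The log above shows why the files keep coming back: the F0/F2 lines record the Winlogon Shell value as "Explorer.exe winsock.scr", so winsock.scr is relaunched at every logon alongside Explorer, and the two O2 BHO entries marked "(no file)" are registrations whose DLL is already gone. The script below is an added example for triaging a HijackThis log offline; it is not part of the thread, HijackThis or Symantec's instructions. It parses the log text, extracts anything appended to the Shell value beyond Explorer.exe, lists orphaned BHO CLSIDs, and counts repeated process images. The sample input is an excerpt copied from the log posted above; the threshold of 3 repeated processes and the function names are the example's own assumptions.

```python
import re
from collections import Counter

# Excerpt of the HijackThis log posted in the thread above (raw string, so the
# Windows backslashes are kept literally). Lines were copied, not invented.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\Explorer.exe
F:\WINDOWS\System32\cmd.exe
F:\WINDOWS\System32\cmd.exe
f:\progra~1\popfile\popfileib.exe
F:\WINDOWS\System32\cmd.exe
F:\WINDOWS\System32\cmd.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
F0 - system.ini: Shell=Explorer.exe winsock.scr
F2 - REG:system.ini: Shell=Explorer.exe winsock.scr
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - F:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - Global Startup: WinZip Quick Pick.lnk = F:\Program Files\WinZip\WZQKPICK.EXE
"""

# HijackThis entries look like "O2 - BHO: ..."; the tag is a letter plus digits.
ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
SHELL_RE = re.compile(r"Shell=(.*)$", re.IGNORECASE)
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]+\}")


def parse_log(text):
    """Split a HijackThis log into the running-process list and tagged entries."""
    processes, entries = [], []
    in_processes = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if m:
            in_processes = False          # first tagged entry ends the process list
            entries.append((m.group(1), m.group(2)))
        elif in_processes:
            processes.append(line)
    return processes, entries


def shell_extras(entries):
    """Programs appended to the Winlogon Shell value besides Explorer.exe.

    F0 (system.ini) and F2 (registry copy) lines carry the Shell= value; any
    extra image there is started at every logon, which is why deleting the
    file alone does not stop it reappearing."""
    extras = []
    for tag, body in entries:
        if tag not in ("F0", "F2"):
            continue
        m = SHELL_RE.search(body)
        if not m:
            continue
        for token in m.group(1).split():
            if token.lower() != "explorer.exe" and token not in extras:
                extras.append(token)
    return extras


def orphaned_bhos(entries):
    """CLSIDs of O2 BHO entries whose DLL is reported as '(no file)'."""
    return [CLSID_RE.search(body).group(0)
            for tag, body in entries
            if tag == "O2" and body.rstrip().endswith("(no file)")]


def repeated_processes(processes, threshold=3):
    """Image names (case-insensitive) that appear at least `threshold` times."""
    counts = Counter(p.rsplit("\\", 1)[-1].lower() for p in processes)
    return {name: n for name, n in counts.items() if n >= threshold}


def triage(text):
    """Run all three checks over one log and return the findings."""
    processes, entries = parse_log(text)
    return {
        "shell_extras": shell_extras(entries),
        "orphaned_bhos": orphaned_bhos(entries),
        "repeated_processes": repeated_processes(processes),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a saved HijackThis log by reading the file into `triage()`. The Shell finding is the one to act on first: as long as an extra image is listed in that value, removing the dropped files in Safe Mode only buys time until the next logon.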