Hi
I don’t know how to delete C:\WINDOWS\dxsetu.exe because it doesn’t appear in the directory C:\WINDOWS\ even when I choose to view hidden files. I already tried to search for the name with the Windows search tool, but it didn’t find anything either.
Delete it booting in Safe Mode (repeatedly press F8 while booting):
http://support.microsoft.com/default.aspx?scid=kb;en-us;315222
You could use the “Advanced File Remover” feature in RejZoR’s avast! External Control available from http://www.excessive-software.tk/
Hi
That didn’t solve it; the file still doesn’t appear.
Should I skip this step?
So, why do you think the file must be there?
Are you receiving any error message?
Yes, every time I turn on Windows there is an error.
What is the exact error message?
Maybe you just get the error because the virus file was removed by the AV while the startup entry (F2) is still there.
Did you fix the F2 entry with HijackThis?
→ after the scan, checkmark the above-mentioned offending lines, then click the “fix checked” button below.
Reboot, and post a new log.
AppName: dxsetu.exe AppVer: 0.0.0.0 ModName: kernel32.dll
ModVer: 5.1.2600.2180 Offset: 0001eb33
This is the error of dxset.exe
Here is the log file of hijackthis:
Logfile of HijackThis v1.99.1
Scan saved at 19:41:31, on 09-04-2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
C:\Programas\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.exe
C:\Programas\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Programas\Java\jre1.5.0_02\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programas\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\Programas\Internet Explorer\IEXPLORE.EXE
C:\Programas\MSN Apps\Updater\01.02.3000.1001\pt-br\msnappau.exe
C:\Documents and Settings\cliente\Definições locais\Temp\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.btuga.com/
F2 - REG:system.ini: Shell=Explorer.exe winsock.scr
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programas\MSN Apps\MSN Toolbar\01.02.4000.1001\pt-br\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programas\MSN Apps\MSN Toolbar\01.02.4000.1001\pt-br\msntb.dll
O4 - HKLM..\Run: [IMJPMIG8.1] “C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE” /Spoil /RemAdvDef /Migration32
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM..\Run: [AdaptecDirectCD] “C:\Programas\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe”
O4 - HKLM..\Run: [Cmaudio] RunDll32 cmicnfg.dll,CMICtrlWnd
O4 - HKLM..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Programas\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [dxset.exe] C:\WINDOWS\dxsetu.exe
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU..\Run: [MessengerPlus3] “C:\Programas\Messenger Plus! 3\MsgPlus.exe” /WinStart
O4 - HKCU..\Run: [msnmsgr] “C:\Programas\MSN Messenger\msnmsgr.exe” /background
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra ‘Tools’ menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
The AV continues to detect the trojan.
Hi mariohugo,
Disable System Restore and reboot your pc.
You still have 2 bad entries, so remove these:
F2 - REG:system.ini: Shell=Explorer.exe winsock.scr
O4 - HKLM..\Run: [dxset.exe] C:\WINDOWS\dxsetu.exe
Then open any folder, go to Tools > Folder options > View:
Then check/select ‘Show hidden files and folders’
Then Uncheck/unselect ‘Hide extensions for known file types’ and ‘Hide protected Operating system files’.
Then open search (Start > Search), then click ‘All files and folders’, then near the bottom left hand corner click on ‘More advanced options’, then check/select ‘Search System folders’, ‘search hidden files and folders’ and ‘search subfolders’.
Then search for and delete these files:
dxsetu.exe
winsock.scr
Then run Ad-aware and Spybot
Then do a boot time scan with avast.
Then run ccleaner
Then let us know if the problem is solved.
–lee
The problem isn’t solved. I already eliminated dxsetu.exe and winsock.scr, but they keep showing up after the reboot. The AV only detects the dll files that are created on every reboot; I also tried to eliminate those files, but only some are deleted, others cannot be deleted. Could the virus be somewhere else where the AV cannot detect it?
Hi,
Disable System Restore first, then reboot into Safe Mode.
Rescan with HijackThis and save the log (1), then go to Config -> Misc Tools -> Process Manager and see if you can find and kill dxsetu.exe there.
Go back to HJT’s main window, then fix the 2 bad entries (checkmark the lines, and click “fix checked”).
Close and reopen HijackThis, then scan & save another log (2).
Schedule a boot-time scan with avast; move findings to the chest.
Reboot normally, post here the two logs (1) and (2) and a fresh/new one after the reboot,
plus the report of the avast boot-time scan (virus names and locations/path/folder/filenames).
Do a complete scan with ESCAN in Safe Mode; report findings.
Do an online scan with Trend & RAV.
Links/info/how-tos on the above can be found in “VirusRemoval” below.
The first Log
Logfile of HijackThis v1.99.1
Scan saved at 16:36:31, on 04/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\Programas\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
F2 - REG:system.ini: Shell=Explorer.exe winsock.scr
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programas\MSN Apps\MSN Toolbar\01.02.4000.1001\pt-br\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programas\MSN Apps\MSN Toolbar\01.02.4000.1001\pt-br\msntb.dll
O4 - HKLM..\Run: [IMJPMIG8.1] “C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE” /Spoil /RemAdvDef /Migration32
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM..\Run: [AdaptecDirectCD] “C:\Programas\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe”
O4 - HKLM..\Run: [Cmaudio] RunDll32 cmicnfg.dll,CMICtrlWnd
O4 - HKLM..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Programas\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [dxset.exe] C:\WINDOWS\dxsetu.exe
O4 - HKLM..\Run: [QuickTime Task] “C:\Programas\QuickTime\qttask.exe” -atboottime
O4 - HKCU..\Run: [msnmsgr] “C:\Programas\MSN Messenger\msnmsgr.exe” /background
O4 - HKCU..\Run: [MSMSGS] “C:\Programas\Messenger\msmsgs.exe” /background
O4 - HKCU..\Run: [SpySweeper] “C:\Programas\Webroot\Spy Sweeper\SpySweeper.exe” /0
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra ‘Tools’ menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
The Second Log
Logfile of HijackThis v1.99.1
Scan saved at 16:43:39, on 04/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\Programas\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programas\MSN Apps\MSN Toolbar\01.02.4000.1001\pt-br\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programas\MSN Apps\MSN Toolbar\01.02.4000.1001\pt-br\msntb.dll
O4 - HKLM..\Run: [IMJPMIG8.1] “C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE” /Spoil /RemAdvDef /Migration32
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM..\Run: [AdaptecDirectCD] “C:\Programas\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe”
O4 - HKLM..\Run: [Cmaudio] RunDll32 cmicnfg.dll,CMICtrlWnd
O4 - HKLM..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Programas\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [QuickTime Task] “C:\Programas\QuickTime\qttask.exe” -atboottime
O4 - HKCU..\Run: [msnmsgr] “C:\Programas\MSN Messenger\msnmsgr.exe” /background
O4 - HKCU..\Run: [MSMSGS] “C:\Programas\Messenger\msmsgs.exe” /background
O4 - HKCU..\Run: [SpySweeper] “C:\Programas\Webroot\Spy Sweeper\SpySweeper.exe” /0
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra ‘Tools’ menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
The log after the AV boot scan
Logfile of HijackThis v1.99.1
Scan saved at 18:13:27, on 04/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
C:\Programas\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Programas\Alwil Software\Avast4\ashWebSv.exe
C:\Programas\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\Explorer.exe
C:\Programas\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Programas\Java\jre1.5.0_02\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programas\QuickTime\qttask.exe
C:\Programas\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\Programas\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.pt/
F2 - REG:system.ini: Shell=Explorer.exe winsock.scr
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programas\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programas\MSN Apps\MSN Toolbar\01.02.4000.1001\pt-br\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Programas\MSN Apps\MSN Toolbar\01.02.4000.1001\pt-br\msntb.dll
O4 - HKLM..\Run: [IMJPMIG8.1] “C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE” /Spoil /RemAdvDef /Migration32
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM..\Run: [SiSUSBRG] C:\WINDOWS\sisUSBrg.exe
O4 - HKLM..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM..\Run: [AdaptecDirectCD] “C:\Programas\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe”
O4 - HKLM..\Run: [Cmaudio] RunDll32 cmicnfg.dll,CMICtrlWnd
O4 - HKLM..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Programas\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [QuickTime Task] “C:\Programas\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [dxset.exe] C:\WINDOWS\dxsetu.exe
O4 - HKCU..\Run: [msnmsgr] “C:\Programas\MSN Messenger\msnmsgr.exe” /background
O4 - HKCU..\Run: [MSMSGS] “C:\Programas\Messenger\msmsgs.exe” /background
O4 - HKCU..\Run: [SpySweeper] “C:\Programas\Webroot\Spy Sweeper\SpySweeper.exe” /0
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programas\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra ‘Tools’ menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programas\Messenger\msmsgs.exe
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programas\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programas\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programas\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programas\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
The boot record
11/04/2005 16:47
Escaneamento de todos os discos locais
Arquivo C:\Documents and Settings\Cristina\Definições locais\Temp~DP13B.dll esta infectado por Win32:Trojan-gen. {Delphi} - Movido
Arquivo C:\Documents and Settings\Cristina\Definições locais\Temp~DP13C.dll esta infectado por Win32:Trojan-gen. {Delphi} - Movido
Arquivo C:\Documents and Settings\Cristina\Definições locais\Temp~DP13D.dll esta infectado por Win32:Trojan-gen. {Delphi} - Movido
Arquivo C:\Documents and Settings\Cristina\Definições locais\Temp~DP13E.dll esta infectado por Win32:Trojan-gen. {Delphi} - Movido
…
Arquivo C:\Documents and Settings\Pedro\Definições locais\Temp~DP32.dll esta infectado por Win32:Trojan-gen. {Delphi} - Movido
Arquivo C:\Documents and Settings\Pedro\Definições locais\Temp~DP34.dll esta infectado por Win32:Trojan-gen. {Delphi} - Movido
Arquivo C:\Documents and Settings\Pedro\Definições locais\Temp~DP36.dll esta infectado por Win32:Trojan-gen. {Delphi} - Movido
…
Arquivo C:\Programas\Alwil Software\Avast4\DATA\moved~DP1.dll esta infectado por Win32:Trojan-gen. {Delphi} - Movido
Arquivo C:\Programas\Alwil Software\Avast4\DATA\moved~DP10.dll esta infectado por Win32:Trojan-gen. {Delphi} - Movido
Arquivo C:\Programas\Alwil Software\Avast4\DATA\moved~DP104.dll esta infectado por Win32:Trojan-gen. {Delphi} - Movido
…
Arquivo C:\WINDOWS\Temp~DP34.dll esta infectado por Win32:Trojan-gen. {Delphi} - Movido
Arquivo C:\WINDOWS\Temp~DP35.dll esta infectado por Win32:Trojan-gen. {Delphi} - Movido
Arquivo C:\WINDOWS\Temp~DP36.dll esta infectado por Win32:Trojan-gen. {Delphi} - Movido
Numero de pastas processadas: 5253
Numero de arquivos testados: 171599
Numero de arquivos infectados: 470
Wow, this is it. Now I am going to run ESCAN and Trend & RAV.
Thanks
I believe it’s not necessary to post hundreds of (mostly) identical lines… I cleaned it up a little.
Hi mariohugo,
You say these entries reappear, right?
F2 - REG:system.ini: Shell=Explorer.exe winsock.scr
O4 - HKLM..\Run: [dxset.exe] C:\WINDOWS\dxsetu.exe
If so, is it only after a reboot, or is it every time you run HijackThis (without a reboot in between scans with HijackThis)?
–lee
Well, it always appears between HijackThis scans.
Something running in memory has to be replacing/repairing it then.
OK try these:
First Disable System Restore
Then open Task Manager (Alt + Ctrl + Delete), click on the Processes tab, then kill these processes (if there):
cmd.exe (All of them)
cidaemon.exe
DirectCD.exe
jusched.exe
qttask.exe
msmsgs.exe
winsock.scr
dxsetu.exe
winlog.com
Sexy Hospital (1).exe
dxwinex.exe
(let me know if any of the processes above reappear when you ‘kill’ them)
Then run ccleaner: http://www.filehippo.com/download_ccleaner.html
Then search for and delete these files: (if there)
winsock.scr
dxsetu.exe
TFTP1728
TFTP1892
popcaploader.dll
Sexy Hospital (1).exe
winlog.com
dxwinex.exe
C:\Documents and Settings\Cristina\Definições locais\Temp
And delete ALL files inside it
Then remove these entries from hijackthis:
F2 - REG:system.ini: Shell=Explorer.exe winsock.scr
O4 - HKLM..\Run: [dxset.exe] C:\WINDOWS\dxsetu.exe
O4 - HKLM..\Run: [QuickTime Task] “C:\Programas\QuickTime\qttask.exe” -atboottime
Then run Spybot/adaware
Then run avast and delete all that it finds.
Then run ccleaner again
Also search for rootkits: (http://www.sysinternals.com/files/rootkitrevealer.zip) AND (http://www.europe.f-secure.com/exclude/blacklight/fsbl.exe)
Then let us know if the problem is solved :o
–lee
Hi, this is the report from ESCAN.
ESCAN virus files
File C:\DOCUME~1\Pedro\DEFINI~1\Temp~DP8A.dll infected by “Backdoor.Win32.Coldfuson.11.a” Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Pedro\DEFINI~1\Temp~DP8C.dll infected by “Backdoor.Win32.Coldfuson.11.a” Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Pedro\DEFINI~1\Temp~DP8D.dll infected by “Backdoor.Win32.Coldfuson.11.a” Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Pedro\DEFINI~1\Temp~DP8E.dll infected by “Backdoor.Win32.Coldfuson.11.a” Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Pedro\DEFINI~1\Temp~DP8F.dll infected by “Backdoor.Win32.Coldfuson.11.a” Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Pedro\DEFINI~1\Temp~DP90.dll infected by “Backdoor.Win32.Coldfuson.11.a” Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\winlog.com infected by “Backdoor.Win32.Coldfuson.11.a” Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\dxwinex.exe infected by “Backdoor.Win32.Coldfuson.11.a” Virus. Action Taken: No Action Taken.
File C:\WINDOWS\dxsetu.exe infected by “Backdoor.Win32.Coldfuson.11.a” Virus. Action Taken: No Action Taken.
File C:\WINDOWS\winsock.scr infected by “Backdoor.Win32.Coldfuson.11.a” Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\TFTP1728 infected by “Worm.Win32.Lovesan.a” Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\TFTP1892 infected by “Worm.Win32.Lovesan.a” Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Pedro\DEFINI~1\Temp~DP62.dll infected by “Backdoor.Win32.Coldfuson.11.a” Virus. Action Taken: No Action Taken.
File C:\Programas\Alwil Software\Avast4\DATA\moved~DP1.dll infected by “Backdoor.Win32.Coldfuson.11.a” Virus. Action Taken: No Action Taken.
File C:\Programas\Alwil Software\Avast4\DATA\moved~DP10.dll infected by “Backdoor.Win32.Coldfuson.11.a” Virus. Action Taken: No Action Taken.
File C:\Programas\Alwil Software\Avast4\DATA\moved~DP104.dll infected by “Backdoor.Win32.Coldfuson.11.a” Virus. Action Taken: No Action Taken.
File C:\Programas\Alwil Software\Avast4\DATA\moved~DP14_3.dll infected by “Backdoor.Win32.Coldfuson.11.a” Virus. Action Taken: No Action Taken.
File C:\Programas\Alwil Software\Avast4\DATA\moved~DP15.dll infected by “Backdoor.Win32.Coldfuson.11.a” Virus. Action Taken: No Action Taken.
File C:\Programas\Alwil Software\Avast4\DATA\moved~DP150.dll infected by “Backdoor.Win32.Coldfuson.11.a” Virus. Action Taken: No Action Taken.
File C:\Programas\Alwil Software\Avast4\DATA\moved~DP28_1.dll infected by “Backdoor.Win32.Coldfuson.11.a” Virus. Action Taken: No Action Taken.
File C:\Programas\Alwil Software\Avast4\DATA\moved~DP29.dll infected by “Backdoor.Win32.Coldfuson.11.a” Virus. Action Taken: No Action Taken.
File C:\Programas\Alwil Software\Avast4\DATA\moved~DP29_1.dll infected by “Backdoor.Win32.Coldfuson.11.a” Virus. Action Taken: No Action Taken.
File C:\Programas\Alwil Software\Avast4\DATA\moved~DP40_1.dll infected by “Backdoor.Win32.Coldfuson.11.a” Virus. Action Taken: No Action Taken.
File C:\Programas\Alwil Software\Avast4\DATA\moved~DP41.dll infected by “Backdoor.Win32.Coldfuson.11.a” Virus. Action Taken: No Action Taken.
File C:\Programas\Alwil Software\Avast4\DATA\moved~DP42.dll infected by “Backdoor.Win32.Coldfuson.11.a” Virus. Action Taken: No Action Taken.
File C:\Programas\Jogos\Championship Manager 01-02\Data\Coisas Boas\Virtual Girl - Nadia & Nicky - Sexy Hospital (1).exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\Downloaded Program Files\popcaploader.dll infected by “not-a-virus:Porn-Downloader.Win32.PopCap.a” Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\TFTP1728 infected by “Worm.Win32.Lovesan.a” Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\TFTP1892 infected by “Worm.Win32.Lovesan.a” Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Temp~DP37.dll infected by “Backdoor.Win32.Coldfuson.11.a” Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Temp~DP38.dll infected by “Backdoor.Win32.Coldfuson.11.a” Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Temp~DP54.dll infected by “Backdoor.Win32.Coldfuson.11.a” Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Temp~DP55.dll infected by “Backdoor.Win32.Coldfuson.11.a” Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Temp~DP56.dll infected by “Backdoor.Win32.Coldfuson.11.a” Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Temp~DP57.dll infected by “Backdoor.Win32.Coldfuson.11.a” Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Temp~DP58.dll infected by “Backdoor.Win32.Coldfuson.11.a” Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Temp~DP59.dll infected by “Backdoor.Win32.Coldfuson.11.a” Virus. Action Taken: No Action Taken.
File C:\WINDOWS\winsock.scr infected by “Backdoor.Win32.Coldfuson.11.a” Virus. Action Taken: No Action Taken.
File C:\WINDOWS\wt\wtvh.dll infected by “not-a-virus:AdWare.WildTangent.b” Virus. Action Taken: No Action Taken.
Hi mariohugo,
I have edited my above post to account for the ESCAN results; please try the steps there.
–lee