cfourkays (asker):
mszx23.exe and HAXDOOR removal

This trojan is apparently new and not much info is available.
Ran the HijackThis logs and cleaned everything Computer Cops could find. One of their experts said it's so new they haven't quite figured it out.
Anyway, Sheh and some others have worked on the various problems caused by this thing.

Here's where I'm at now:
I've got the mszx23.exe in the System32 folder but I can't remove it, even in Safe Mode. Says "...being used by another person..."
BTW, this thing causes mucho problems.
Right now, I'm in SP1, everything is clean in HJT, no virus, Ad-Aware, Spybot, Spy Sweeper, Pest Patrol, NAV, CounterSpy, you name it.
System Restore off, everything clean.
This is, I hope, the last remnants.
It won't allow the installation of Zone Alarm or any other firewall. Zone Alarm won't load vsmon.exe.
We got SP2 working but then IE 6 wouldn't work.
Just ran another HJT, posted, no nasties, hardly anything on it.
Pete
(Somebody's got to get this thing.)
SheharyaarSaahil:

Hello cfourkays =)

First of all you should get rid of bad files, and to get rid of them, use KillBox >> http://www.downloads.subratam.org/KillBox.zip

Extract it, boot into Safe Mode, run it, and set it to delete the file(s) one by one which cannot be deleted in any mode. When finished setting up, say yes to restart; it will restart the system. Now check whether the files are gone or not.
Post back the results and we will move further from there! :)
cfourkays (asker):

BTW, again, connecting to the internet with this PC brings in every bit of spyware and malware.
Everything from IST, CoolWeb, eXact, etc. is immediately downloaded.
I can't install firewalls.
All new program installs halt on error 1606.
I think a format is in order on this.
I have had 3 posts going. Each time one problem is cleared, another crops up, then the original ones come back.
It's got a 160 Gig HD.
Suppose I partitioned and gave "C:" 60 gigs, formatted, reinstalled, and looked for this crap later.
It's starting to crop up on Google: "mszx23.exe"
Have you tried unplugging yourself from the network? Possible that if that file is a trojan, your being connected allows a "user" to connect to you... if you disable the network, that might break it enough to enable you to delete via Safe Mode....

Also, with this being "new", I think posting a HJT log here for the experts to view might not be a bad idea (and normally, I am against posting these logs as they can be annoying)... from a command prompt, try typing in "netstat -a > c:\netstat.log" and take a look at that for anything out of the ordinary...

Have you tried doing an online virus scan?

Trend Antivirus Online Scanner - http://housecall.trendmicro.com
Stinger - http://vil.nai.com/vil/stinger
Also, you might want to take a look at the following links under this search:

http://www.trendmicro.com/vinfo/virusencyclo/default2.asp?m=q&virus=haxdoor&alt=haxdoor&Sect=SA

>> BTW, again, connecting to the internet with this PC brings every bit of spyware, malware
How old is this installation of Windows XP?
Ran both scans before posting.
PC is a year-old eMachine T3025, came with XP SP1; customer was waiting to upgrade to SP2 based on info from another source.
There was another link, can't find it now, that linked the "mszx23" to HAXDOOR.
Looked at Trend but didn't see it.
Fact is, the executable file is still stuck in Windows/System32.
The CounterSpy program is like Zone Alarm in appearance.
Every time the PC is booted it says, "CounterSpy has blocked mszx23.exe from starting...."
Sheh, I can clean everything out, except for the nasty, and the PC will run fine until I connect. It really is weird. I can "feel" the PC slow down as I'm using it due to the spyware being downloaded. An immediate run of Ad-Aware or one of the others verifies the spyware has returned.
Since this is a 160 Gig, I'm close to partition and format.
Pete
Giving up on cleaning mszx23.
I've partitioned the HD and now have a 60 G C: with the OS and misc. data on it, also the trojan.
I have a 100 G clean, new partition, D:
I'm going to format the C: and install, (from the eMachine Recovery discs), the OS on C: and move the shell folders from C: to D:.
Any comments, since we can't find a way to remove mszx23.exe?
Pete
(This thing is going to haunt the PC world.)
Page Editor or Moderator:
I'm posting this thread over in Community Support.
Need assistance.
Pete
Posted this in Community:

Have this thread going in Security:
https://www.experts-exchange.com/questions/21295251/mszx23-exe-and-HAXDOOR-removal.html#13182601

I have tried every suggestion in this Forum and others and was even advised by Symantec, eMachine, Sunbelt and CA that they know of no removal as of yet for this problem. Was advised to format and reinstall, which I have done, and the problem is gone.
I need to know how to distribute the points and close the thread without a PAQ, since I feel we have not reached a solution. Lots of help, all good, but it didn't work.
Pete
As a precursor to the post I see coming: I have no objections to refunding/deleting, as the user was able to resolve it by themselves.... :)
In case anyone is interested, this just came up on Google as # 2:

"You can call it the HAXDOOR-BGN from now on  

Symptoms:
Disables a range of firewalls.
Disables or crashes a range of antivirus products.
Collects confidential information from Windows (i.e. passwords).
Opens certain ports for an intruder to collect files.
Redirects your browser to a range of websites.
Not possible to remove trojan/virus files in failsafe mode.
Reinstalls after partial removal.
Crashes Windows and reboots if only the virus/trojan files are removed.


From what I can tell it's some kind of HAXDOOR virus containing the following files (there may be more though):

mszx23.exe (The Trojan I think)
drct16.dll (A bad feature that can make your Winlogon fail and reboot the PC)
p2.ini (Also used in the HAXDOOR virus - check info on the net)
klo5.sys (A log with events, keyboard input and your passwords)
vdnt32.sys (Also used in the HAXDOOR virus)
klogini.dll (Also used in the HAXDOOR virus)
i.a3d (Also used in the HAXDOOR virus)
fltr.a3d (No info found on the net - probably some data file)
redir.a3d (No info found on the net - probably some data file)

Since at this point no virus scanner detects this bugger, and no trojan scanner either, it was a tough call to get rid of the key components, since removing it only partly resulted in it coming back in full strength, and removing it fully without removing the registry entry to drct16.dll resulted in the PC rebooting forever, even in failsafe state!!!"

Pete
Hi, Rev,
I had been there at the Trend site. There's another variation of the HAXDOOR in there that actually tells you it has the mszx23.exe in it, but it doesn't tell you how to remove it. (Other than the obvious, which doesn't work.)
It's also got a Jan 15 or 16 date on it, which is when the PC owner's daughter was home from college and downloading all sorts of junk on his PC. (The infected one.)
Thanks for the heads-up, I think we may hear more about this.
Pete
ASKER CERTIFIED SOLUTION by OzzMod (this solution is only available to members).
OriginalEQ:

Haxdoor.D.Removal

Source: MicroBell @ http://www.techsupportforum.com
(http://www.techsupportforum.com/showthread.php?t=34430)

---------------------------------------------------

Download the file attached to this post (fixhx.txt) and save it to your desktop. Right click on the file and choose rename. Rename the file from fixhx.txt to fixhx.reg. DO NOT run it yet.

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also. Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore.

Now, disconnect this PC from the internet (unplug the modem, etc.) as it MUST have no internet access.

Run the cleanup utility and reboot/log off when prompted. On the reboot, boot directly to Safe Mode. Once in Safe Mode, run KillBox. Paste the following locations into KillBox one at a time. Check the box that says "Delete on Reboot" and check the box "Unregister DLL" (if available). Click the red X and it will ask to reboot now; click NO and proceed with the next file. Once you get to the last one, click YES and it will reboot.

**Note** You may not have all these files..but try each one to make sure!

C:\WINDOWS\system32\Tibs3.exe
C:\WINDOWS\system32\drct16.dll
C:\WINDOWS\system32\vdmt16.sys
C:\WINDOWS\system32\winlow.sys
C:\WINDOWS\system32\WaiZ.
C:\WINDOWS\system32\w32tm.exe
C:\WINDOWS\System32\mszx23.exe
C:\WINDOWS\webx1.exe
C:\WINDOWS\System32\sharamon.dll

On the reboot choose SAFE mode

Double-click on the fixhx.reg we made earlier and merge it into the registry. Choose YES when it asks to merge.

Run Killbox again and clear the temp files
- choose Tools > Delete Temp Files and click OK.

Open Windows Explorer and navigate to the C:\Windows\System32 folder
You will likely want the details view and to sort the files by DATE (Arrange icons --> modified)

Have a look for the following files (which should all be about the same date)
Some of them may not be present and there may be some which I haven't listed.

C:\WINDOWS\system32\mszx23.exe
C:\WINDOWS\system32\Tibs3.exe
C:\WINDOWS\system32\w32tm.exe
C:\WINDOWS\system32\drct16.dll
C:\WINDOWS\system32\cz.dll
C:\WINDOWS\system32\vdmt16.sys
C:\WINDOWS\system32\hz.dll
C:\WINDOWS\system32\winlow.sys
C:\WINDOWS\system32\wz.dll
C:\WINDOWS\system32\p2.ini
C:\WINDOWS\system32\es.
C:\WINDOWS\system32\WaiZ.
C:\WINDOWS\system32\z.
C:\WINDOWS\system32\—I0¢+opes.
C:\WINDOWS\system32\slowIsys.
C:\WINDOWS\system32\zININEwz.
C:\WINDOWS\system32\2Ioso.
C:\WINDOWS\system32\3d.
C:\WINDOWS\system32\|msz.

If you find these files delete them. Use KILLBOX again if need be in the same method as before.

There are several registry entries you will have to check. You should manually check your registry for such items, using the link at Symantec as a guide...
http://securityresponse.symantec.co....haxdoor.d.html

---------------------------------------------------

Source: MicroBell @ http://www.techsupportforum.com
(http://www.techsupportforum.com/showthread.php?t=34430)

To make fixhx.txt, copy the following, paste it into Notepad and save it as a .reg file:

REGEDIT4

; Kernel-mode driver services the rootkit installs, and the LEGACY_* device
; entries Plug and Play keeps for them ([-key] deletes the whole subtree;
; by hand these need RegEdt32 permission changes first).
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vdmt16]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winlow]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ENUM\ROOT\LEGACY_WINLOW]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ENUM\ROOT\LEGACY_VDMT16]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\memlow]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ENUM\ROOT\LEGACY_MEMLOW]
; Winlogon notification package (drct16.dll) loaded at every logon
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\drct16]

; Autostart values ("name"=- deletes the value, leaves the key)
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"secboot"=-
"tibs3"=-

; Remote Administrator (RAdmin) server setting that hides its tray icon
[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters]
"Disable TrayIcon"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control]
"StackSize"=-
"Impersonate"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion]
"hws"=-

; This path omits "Control"; the real Memory Management key is the next
; section. Merging this one only creates an empty stray key. Kept as it
; appeared in the original fix file.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Session Manager\Memory Management]
"EnforceWriteProtect"=-
"hws"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"EnforceWriteProtect"=-
"hws"=-
If you find anyone with this problem, please give them this information.  It was a ***** for me to remove off a client's computer.  All information was found at TechSupportForums.  So please don't take credit for this information.

OriginalEQ - <Email address removed by OzzMod>
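The fix file above is a plain-text REGEDIT4 script, and a file like that is worth reading before merging it, because a `[key]` section silently creates the key if it is missing and a `"name"="..."` line would set data rather than remove it. The following is an added example, not code from this thread or from MicroBell's fix: a small parser that lists what merging a .reg file would do, run here against the fixhx.reg text as posted. The function names (`parse_reg`, `additions`, `deleted_keys`) are mine; the parsing rules are the documented .reg syntax (`[-key]` deletes a key, `"name"=-` deletes a value, `@` is the default value, `;` starts a comment). The `additions` check is the point for a cleanup file: it should only remove things, so any value it would set deserves a second look.

```python
"""List what merging a REGEDIT4 .reg file would do (added example, not from the thread)."""
import re
from dataclasses import dataclass
from typing import List, Optional

KEY_LINE = re.compile(r'^\[(-?)(.+)\]$')
VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")\s*=\s*(.*)$')


@dataclass
class RegOp:
    kind: str                    # delete_key | open_key | delete_value | set_value
    key: str
    name: Optional[str] = None   # value name, "" for the default value
    data: Optional[str] = None   # raw right-hand side for set_value


def parse_reg(text: str) -> List[RegOp]:
    """Turn a .reg file into the ordered operations regedit would apply."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in ("REGEDIT4", "Windows Registry Editor Version 5.00"):
        raise ValueError("missing REGEDIT4 / Version 5.00 header; regedit would refuse the file")
    ops: List[RegOp] = []
    current: Optional[str] = None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):          # blank line or comment
            continue
        m = KEY_LINE.match(line)
        if m:
            minus, key = m.groups()
            if minus:                                  # [-key]: delete the whole subtree
                ops.append(RegOp("delete_key", key))
                current = None
            else:                                      # [key]: select it, creating it if absent
                current = key
                ops.append(RegOp("open_key", key))
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            raw_name, data = m.groups()
            name = "" if raw_name == "@" else raw_name[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            if data.strip() == "-":                    # "name"=-: delete the value
                ops.append(RegOp("delete_value", current, name))
            else:                                      # anything else writes data
                ops.append(RegOp("set_value", current, name, data.strip()))
            continue
        raise ValueError(f"unrecognised line: {raw!r}")
    return ops


def additions(ops: List[RegOp]) -> List[RegOp]:
    """Operations that write data. A pure cleanup file should yield none."""
    return [op for op in ops if op.kind == "set_value"]


def deleted_keys(ops: List[RegOp]) -> List[str]:
    return [op.key for op in ops if op.kind == "delete_key"]


# The fixhx.reg text exactly as posted in the thread.
FIXHX_REG = r"""REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vdmt16]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winlow]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ENUM\ROOT\LEGACY_WINLOW]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ENUM\ROOT\LEGACY_VDMT16]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\memlow]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ENUM\ROOT\LEGACY_MEMLOW]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\drct16]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"secboot"=-
"tibs3"=-

[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters]
"Disable TrayIcon"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control]
"StackSize"=-
"Impersonate"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion]
"hws"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Session Manager\Memory Management]
"EnforceWriteProtect"=-
"hws"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"EnforceWriteProtect"=-
"hws"=-
"""

if __name__ == "__main__":
    ops = parse_reg(FIXHX_REG)
    for op in ops:
        print(op.kind, op.key, op.name if op.name is not None else "")
    print("keys deleted:", len(deleted_keys(ops)), "values written:", len(additions(ops)))
```

Run against the posted file it reports seven key deletions, ten value deletions and no writes, which is what a cleanup file should look like. Any `set_value` it reports in a fix file you did not write yourself is the line to go and read.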
I got a call four days ago from an accountant who lives nearby. It being the last couple of weeks of tax season, he was miffed about a slow computer, many pop-ups and his inability to access the internet. E-filing being the craze and all... imagine.

Ok, the Nit, grits...

After removing all the spyware, adware, and junk, I installed Norton AV 2005. I got it to install and found that the internet would only work for a short while, requiring a reboot. Netstat showed some unusual behavior, so I did the updates for Norton and promptly removed the modem power cable. I then installed ZoneAlarm and found that upon reboot it would not load. Vsmon.exe was not running correctly and the zlclient was hung. After going home and searching the internet, I got thrown a long ball and got sidetracked by possible problems between Norton 2005 and ZoneAlarm... one little episode while being connected was when the computer started mailing email after email, and I won't repeat the Subjects in the header...

A review of the logs from Norton after a system scan showed that a file mszx23.exe was deleted and infected with Backdoor.Haxdoor.D. After Symantec's removal failed, I came here.

I did as the previous posts above; the problem was that KillBox, after finally saying reboot to do the file deletion, gave me a dialog that says "External Process Has Removed Registry Entries." Hence, none of the possible file selections got deleted on the reboot. My first guess: Haxdoor has mutated or been refined to prevent KillBox or similar apps from removing it that way. This is where I swear a lot...

Back to the drawing board... things I know... mszx23.exe starts at boot and places something in resident memory, hidden even. Mszx23.exe is recreated, back in system32, but you cannot see it, even with hidden files visible. (Found this by renaming a copy of notepad to mszx23.exe and dropping it into the system32 directory; said "file already exists" in a dialog box.) Next, found w32tm.exe and w32timer.dll were somehow modified and had the same Lazarus complex as mszx23.exe, only they stayed visible, like a Microsoftened file should.

Things I got from the boards were other filenames to look for, and found hz.sys... here is the list of all I found through searching, all in system32, in addition to mszx23.exe, w32tm.exe and w32timer.dll
1) cz.dll
2) drct16.dll
3) fltr.a3d
4) hz.sys
5) i.a3d
6) klogini.dll
7) mszx23.exe
8) p2.ini
9) redir.a3d
10) tnfl.a3d
11) vdmt16.sys
12) winlow.sys
13) wz.sys

I went through these 12 files with a hex editor; hz.sys gave up the filenames when I found this in it.

1)    \Device\vdmt16 \DosDevices\vdmt16  mszx23.exe  vdmt16.sys   winlow.sys   cz.dll  hz.sys  wz.sys drct16.dll redir.a3d
fltr.a3d  i.a3d  tnfl.a3d  p2.ini  klogini.dll   C:\Program Files\Common Files\PFWShared\idsxres.dll  

It also had a little line that made me slap my head, my zonealarm connection...

2)    \ZoneLabs\vsmon.exe

wz.sys had this to say to me

1)        \C:\WINNT\System32

2)       a- \Device\winlow
         b- DosDevices\winlow

3)       a- IoCreateDevice
      b- IoCreateSymbolicLink
      c- IofCompleteRequest
      d- ZwWriteFile
      e- ZwSetValueKey
      f- ZwReadFile
      g- ZwQueryInformationFile
      h- ZwCreateKey
      i- ZwCreateFile
      j- ZwClose
      k- NtLockFile
      l- ntoskrnl.exe

winlow.sys same except this for 3)

3)        a- RtlInitUnicodeString
      b- IoCreateDevice
      c- IoCreateSymbolicLink
      d- IofCompleteRequest
      e- ZwWriteFile
      f- ZwSetValueKey
      g- ZwReadFile
      h- ZwQueryInformationFile
      i- ZwCreateKey
      j- ZwCreateFile
      k- ZwClose
      l- NtLockFile
      m- ntoskrnl.exe

A lot of device creation and file calls to a DLL... and don't look up ntoskrnl.exe unless you want a headache... it has been updated in some of the Microsoft updates and I believe the latest has a date of Oct. 20, 2004... unless I have a problem with it too...

Now I am a tad long winded on this, I apologize, but I wanted to give the full find.
How did I remove it...

I threw the trojan a trojan... being that Norton was immediately grabbing this mszx23.exe file, I removed the hard drive and placed a duplicate-named inert app in place of mszx23.exe (notepad; I like this one because it opens a blank window and tells me that something is playing games). Whichever entry in the registry or the ini files was causing this file to execute was not visible after boot. The only thing I could come up with was that it was removing it after install and replacing it on shutdown from a resident program. After the first boot, Norton found no Haxdoor trying to start, but I did get a notepad window looking for a file called !!.txt... hmmm...

I now removed the mszx23.exe file, the w32tm.exe and w32timer.dll, replacing the originals. I found all the other files on the above list and removed them. Went into the registry and removed all those entries, including the LEGACY entries. Remember, you need RegEdt32 to do that... change permissions and such.

Did a clean reboot, shutdown, and reboot again... been doing this since Win95, no explanation, but it has seemed like it straightens out the registry a bit... habits... ran sfc.exe /scannow and checked system files. Finished all updates.

Happy accountant, good challenge, I like a challenge, but I am not a martyr... Oh yeah, ZoneAlarm reinstalled and works fine too.

robear
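The hex-editor pass that gave up the file list and the \ZoneLabs\vsmon.exe reference is something a script can do as well, and it needs two scans on a Windows binary: import names (IoCreateDevice, ZwWriteFile, ...) are plain ASCII, while device names and paths a driver builds as UNICODE_STRINGs are UTF-16LE, where every character is followed by a NUL byte, so an ASCII-only scan, or a hex editor without a Unicode view, sees only scattered single characters. The following is an added example, not code from this thread: a two-encoding string extractor run over a constructed stand-in for a driver image. The strings in the sample are the ones robear listed from hz.sys and wz.sys; the byte layout, the padding, the choice of which strings are UTF-16 and the function names are my assumptions.

```python
"""Pull ASCII and UTF-16LE strings out of a binary (added example, not from the thread)."""
import re
from typing import List, Tuple

# Strings that appear in this thread as Haxdoor components or as the
# firewall process it targets; used only as a watchlist here.
THREAD_INDICATORS = ["mszx23.exe", "vdmt16", "winlow", "drct16.dll", "vsmon.exe", "klogini.dll"]

# Kernel imports from robear's list that let a driver rewrite files and
# registry keys, which fits the "reinstalls after partial removal" behaviour.
KERNEL_WRITE_IMPORTS = ["ZwWriteFile", "ZwSetValueKey", "ZwCreateKey", "ZwCreateFile"]


def extract_strings(data: bytes, min_len: int = 5) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for every printable run of >= min_len
    characters, scanning once for ASCII and once for UTF-16LE, sorted by offset."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)   # char NUL char NUL ...
    found = []
    for m in ascii_re.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16le")))
    return sorted(found)


def match_indicators(strings, watchlist) -> List[str]:
    """Watchlist names that occur (case-insensitively) inside any extracted string."""
    hits = set()
    for _, _, text in strings:
        low = text.lower()
        for name in watchlist:
            if name.lower() in low:
                hits.add(name)
    return sorted(hits)


def kernel_write_imports(strings) -> List[str]:
    """Which of the file/registry-writing kernel imports the image names."""
    names = {text for _, _, text in strings}
    return sorted(n for n in KERNEL_WRITE_IMPORTS if n in names)


# ---- constructed sample: NOT a real driver, just the strings in a plausible layout ----
FILLER = b"\x00\x90\x90\xcc\x00\x1f\x80\x00" * 4     # non-printable padding between strings


def _u16(s: str) -> bytes:        # UNICODE_STRING style: UTF-16LE plus a double-NUL terminator
    return s.encode("utf-16le") + b"\x00\x00"


def _asc(s: str) -> bytes:        # import-table style: ASCII plus a NUL terminator
    return s.encode("ascii") + b"\x00"


SAMPLE_DRIVER = (
    b"MZ\x90\x00" + FILLER
    + _u16("\\Device\\vdmt16") + FILLER
    + _u16("\\DosDevices\\vdmt16") + FILLER
    + _u16("mszx23.exe") + _u16("vdmt16.sys") + _u16("winlow.sys") + FILLER
    + _u16("\\ZoneLabs\\vsmon.exe") + FILLER
    + _asc("IoCreateDevice") + _asc("IoCreateSymbolicLink") + _asc("ZwWriteFile")
    + _asc("ZwSetValueKey") + _asc("NtLockFile") + _asc("ntoskrnl.exe") + FILLER
)

if __name__ == "__main__":
    found = extract_strings(SAMPLE_DRIVER)
    for offset, enc, text in found:
        print(f"{offset:06x} {enc:8s} {text}")
    print("indicators:", match_indicators(found, THREAD_INDICATORS))
    print("write imports:", kernel_write_imports(found))
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes in; the UTF-16 scan is what turns the "d.e.v.i.c.e" pattern a hex editor shows into readable device names, and the watchlist match is the quick way to tell whether an unknown .sys in System32 references the same component names as the ones already found.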