SpyWare BeWare!

Topic: mszx23.exe - drct16.dll
BGN
« on: January 25, 2005, 04:19:41 PM »

Hi!

I think I was one of the first to catch this bugger and kill it manually.

You can call it the HAXDOOR-BGN from now on.

Symptoms:
Disables a range of firewalls.
Disables or crashes a range of antivirus products.
Collects confidential information from Windows (i.e. passwords).
Opens certain ports for an intruder to collect files.
Redirects your browser to a range of websites.
Not possible to remove trojan/virus files in failsafe mode.
Reinstalls after partial removal.
Crashes Windows and reboots if only the virus/trojan files are removed.


From what I can tell it's some kind of HAXDOOR virus containing the following files (there may be more though):

mszx23.exe (The Trojan I think)
drct16.dll (A bad feature that can make your Winlogon fail and reboot the PC)
p2.ini (Also used in the HAXDOOR virus - check info on the net)
klo5.sys (A log with events, keyboard input and your passwords)
vdnt32.sys (Also used in the HAXDOOR virus)
klogini.dll (Also used in the HAXDOOR virus)
i.a3d (Also used in the HAXDOOR virus)
fltr.a3d (No info found on the net - probably some data file)
redir.a3d (No info found on the net - probably some data file)

Since at this point no virus scanner detects this bugger, and no trojan scanner either, it was a tough call to get rid of the key components, since removing it only partly resulted in it coming back in full strength, and removing it fully without removing the registry entry for drct16.dll resulted in the PC rebooting forever, even in failsafe mode!!!

Removing the virus/trojan manually is totally your own responsibility and as such also the possible risk of damaging your installed software/hardware.

What I did was:

1) Remove the registry entry (with regedit) with this key
   - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\drct16

2) Reboot your PC from the Windows XP install CD-ROM  in repair mode.
     - rebooting into failsafe mode will still keep the files "open" and you will be unable to move the files into quarantine.

3) With the DOS-like command interpreter, change directory to the Windows system folder (CD C:\WINDOWS\SYSTEM32)

4) Create a directory called quarantine (MD quarantine)

5) Copy all the above mentioned files into quarantine (COPY <filename> quarantine)

6) Delete the above mentioned files from the SYSTEM32 folder (DEL <filename>)

7) Eject Windows CD-ROM, type EXIT and press [enter] to boot from harddisk

Your system should now be clean (from this trojan that is!)  

If you haven't taken the following precautions, do it now:
1) Install a firewall
2) Install an antivirus product with the newest virus definitions
3) Install Windows XP Service Pack 2
4) Install one or more antispyware programs (Ad-aware, Hijack-This . . .)

Spread the word not spyware!  
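The registry step in the post above, as an added example that is not from the thread. The key is HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify; winlogon.exe loads every DLL registered under it at boot, Safe Mode included, which is why the DLL stays in use until the key is gone. The script parses a `reg export` dump of that key (take one on the suspect machine with `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" notify.reg`), flags any package whose DllName is not in a baseline of stock XP SP2 notify DLLs, and prints the `reg delete` line to run from a command prompt. The baseline set is an assumption from memory, so diff it against a known-clean machine of the same build; the .reg text embedded below is constructed, not a capture from any machine in the thread.

```python
"""Flag unexpected Winlogon notification packages in a `reg export` dump.

Added example. The .reg text below is constructed (the format regedit and
reg.exe write), not a capture from any of the infected machines.
"""
import re
import sys
from typing import Dict, List, Tuple

NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"

# Assumed baseline: DLLs registered under Winlogon\Notify on a stock XP SP2
# install (from memory; verify against a known-clean machine of the same build).
BASELINE_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "wlnotify.dll", "sclgntfy.dll"}

_KEY_RE = re.compile(r"^\[(?P<path>[^\]]+)\]$")
_VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')


def _join_continuations(text: str) -> List[str]:
    """Re-join hex values that regedit wraps with a trailing backslash."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        lines.append(buf + line)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def _decode_data(data: str) -> str:
    """Decode REG_SZ ("..."), REG_EXPAND_SZ (hex(2): UTF-16LE) and raw hex; keep the rest verbatim."""
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if data.startswith("hex(2):") or data.startswith("hex:"):
        raw = bytes(int(h, 16) for h in data.split(":", 1)[1].split(",") if h)
        return raw.decode("utf-16-le").rstrip("\x00") if data.startswith("hex(2):") else raw.hex()
    return data  # dword:..., etc.


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Map each key path in the export to its {value name: decoded data}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in _join_continuations(text):
        if not line or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group("path")
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group("default") else m.group("name")
            keys[current][name] = _decode_data(m.group("data"))
    return keys


def suspicious_notify_packages(keys: Dict[str, Dict[str, str]], baseline=BASELINE_NOTIFY_DLLS) -> List[Tuple[str, str]]:
    """Return (subkey, DllName) for every Notify package whose DLL is not in the baseline."""
    prefix = NOTIFY_KEY.lower() + "\\"
    hits = []
    for path, values in keys.items():
        if not path.lower().startswith(prefix):
            continue
        dll = values.get("DllName", "")
        if dll.lower().rsplit("\\", 1)[-1] not in baseline:
            hits.append((path[len(prefix):], dll))
    return sorted(hits)


def reg_delete_command(subkey: str) -> str:
    """The reg.exe line that removes one package; /f suppresses the confirmation prompt."""
    return f'reg delete "HKLM{NOTIFY_KEY[len("HKEY_LOCAL_MACHINE"):]}\\{subkey}" /f'


# Constructed sample export: two stock packages plus the drct16 entry from the thread.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Impersonate"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DllName"="wlnotify.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\drct16]
"Asynchronous"=dword:00000000
"DllName"=hex(2):64,00,72,00,63,00,74,00,31,00,36,00,2e,00,64,00,6c,00,6c,00,\
  00,00
"Impersonate"=dword:00000000
"""

if __name__ == "__main__":
    # regedit writes UTF-16 with a BOM; "utf-16" handles it. No argument: use the sample.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    for subkey, dll in suspicious_notify_packages(parse_reg_export(text)):
        print(f"unexpected notify package {subkey!r} -> {dll}")
        print("   ", reg_delete_command(subkey))
```

Run it on an export from the infected box before booting to the Recovery Console; once the key is gone, the DLL is no longer loaded at the next boot and the file can be moved out of SYSTEM32.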
Guest
« Reply #1 on: February 03, 2005, 07:18:25 AM »

I seem to have got the same virus... have actually deleted the registry key and then drct16.dll... and the mszx23.exe... and the other files in a DOS boot-up... everything seems fine... firewall does not report any unusual activity... all the files have disappeared and no reg key exists anymore...

But the drct16.dll file seems to get generated again in the system32 folder with 0 KB size... I am thinking that there is some other program that is generating this file... is this malicious... any comments or advice??

                                           
Guest
« Reply #2 on: February 03, 2005, 08:31:22 AM »

Thanks for this one. Helped me a lot in getting rid of this pest.

Although I did find some more related files.

ps.a3d -> contains a collection of login/passwords together with the related URLs.

Did not find vdnt32.sys, but vdmt16.sys instead. Seems to be the same, just a different filename.
EclipseGSX
« Reply #3 on: February 04, 2005, 06:51:30 AM »

A friend of mine got hit by this too... nasty stuff.  It disabled the XP SP2 security center and firewall, Symantec Anti-Virus (the engine and LiveUpdate), and kept IE from opening at all (would just generate errors and close).  Attempting to remove the components from normal startup mode would actually blue-screen the computer.

Luckily I was able to finally remove it all from a command prompt (using the reg /delete command to remove that key).

This thing's probably the worst I've seen so far.

FYI:  An easy way to find all the related files is to sort your System32 directory by date.  For the infection I dealt with, there were about 12 files that had to be removed -- the hardest being the "mszx23.exe" file.

I made a backup of all the files related to the infection.  Anyone know where I can send them to have them start being added to removal databases?

 
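The sort-by-date tip in the post above, as an added example that is not from the thread: a script that walks a directory tree and lists every file whose modification time falls inside the suspected infection window, oldest first, with its size, so a 0 KB placeholder like the regenerated drct16.dll from Reply #1 stands out next to the real components. It runs against a constructed throw-away directory (the file names echo the thread; the timestamps and sizes are made up); point `files_modified_between` at a copy of a real System32 instead. Caveat: the samples in this thread evidently left honest timestamps, but malware can set any mtime it likes, so on NTFS compare against the creation time as well whenever you can.

```python
"""Date-window triage of a system directory.

Added example, not from the thread. Builds a throw-away directory with a few
constructed files stamped with chosen mtimes, then lists everything modified
inside the suspected infection window, oldest first.
"""
import os
import tempfile
from datetime import datetime
from typing import List, Tuple

Hit = Tuple[str, int, datetime]  # (path relative to root, size in bytes, mtime)


def files_modified_between(root: str, start: datetime, end: datetime) -> List[Hit]:
    """Walk `root` and return files whose mtime lies in [start, end], oldest first."""
    hits: List[Hit] = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
            except OSError:
                continue  # unreadable or vanished mid-walk: skip it rather than abort the sweep
            mtime = datetime.fromtimestamp(st.st_mtime)
            if start <= mtime <= end:
                hits.append((os.path.relpath(path, root), st.st_size, mtime))
    return sorted(hits, key=lambda h: h[2])


# Constructed sample: (relative path, size, mtime). Names echo the thread;
# the sizes and timestamps are invented for the demonstration.
SAMPLE_FILES = [
    ("kernel32.dll", 8192, datetime(2004, 8, 4, 12, 0)),
    ("ntdll.dll", 8192, datetime(2004, 8, 4, 12, 0)),
    ("mszx23.exe", 4096, datetime(2005, 1, 24, 21, 17, 0)),
    ("drct16.dll", 0, datetime(2005, 1, 24, 21, 17, 5)),
    ("drivers/vdnt32.sys", 1024, datetime(2005, 1, 24, 21, 18, 0)),
    ("klo5.sys", 512, datetime(2005, 1, 25, 3, 40, 0)),
]


def build_sample_tree() -> str:
    """Create the sample files in a fresh temp directory and stamp their mtimes."""
    root = tempfile.mkdtemp(prefix="system32-sample-")
    for rel, size, mtime in SAMPLE_FILES:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\0" * size)
        ts = mtime.timestamp()
        os.utime(path, (ts, ts))
    return root


def triage_sample() -> List[str]:
    """Relative paths (forward slashes) of sample files modified in the 24-25 Jan 2005 window."""
    root = build_sample_tree()
    hits = files_modified_between(root, datetime(2005, 1, 24), datetime(2005, 1, 26))
    return [rel.replace(os.sep, "/") for rel, _size, _mtime in hits]


if __name__ == "__main__":
    root = build_sample_tree()
    for rel, size, mtime in files_modified_between(root, datetime(2005, 1, 24), datetime(2005, 1, 26)):
        print(f"{mtime:%Y-%m-%d %H:%M:%S}  {size:>8}  {rel}")
```

The two system DLLs dated to the SP2 build fall outside the window and drop out; the four files stamped during the infection are listed in the order they appeared, with the empty drct16.dll visible by its size.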
joyrider
« Reply #4 on: February 04, 2005, 10:00:31 PM »

thanks for the info, that did the trick.

Some of my passwords were in the files, but my firewall kept blocking it, so I hope I'm safe. You could look at the file before deleting it to know what passwords they might have gotten from you.
boomer
« Reply #5 on: February 05, 2005, 11:41:13 AM »

Hi,
thanks for this explanation, it helped me repair my PC.
It all started when my Norton Antivirus identified some virus as 'Downloader.Trojan'; every couple of minutes I got a virus and it took me to some site called 'horseserver.net'; afterwards it was suddenly called 'Backdoor.haxdoor.D' when it detected some other infected files.
Then I got myself into a great mess trying to clean it up.
I used regedit to throw out some suspicious keys like dcrv16 (in Microsoft\Windows NT\CurrentVersion\Winlogon\Notify)
and also some in Microsoft\Windows\CurrentVersion\Run (like hiden).

I disabled the internet connection, I used HijackThis to stop some processes (hiden.exe, everything with tmp and dload, and maybe some others) and fix some stuff with it, I deleted all my temp internet files and cookies.
I deleted these files, all in the windows/system32 dir:

hiden.exe
p2.ini
tmpf00.exe
mszx.exe
drct16.dll
vdnt32.sys
klogini.dll
i.a3d
fltr.a3d
redir.a3d
ps.a3d
w32tm.exe
cz.dll
hz.dll
wz.dll

Some wouldn't go away (mszx, drct, ...); I used HijackThis again to delete some files immediately after rebooting.
Then afterwards I ran an Ad-Aware scan, which removed some stuff too.

Now it seems quite normal again... thanks to you guys.



 
Guest
« Reply #6 on: February 05, 2005, 03:11:27 PM »

Can anyone tell me how to get to the DOS prompt when booting with the XP installation repair mode?
Zapzarap
« Reply #7 on: February 05, 2005, 04:24:33 PM »

Thanks a lot to BGN!
Your instructions were very helpful. You deserve that this nightmare is called "Haxdoor.BGN".
I had some more trouble reinstalling ZoneAlarm, which the beast had killed. I had to delete WINDOWS\system32\ZoneLabs\vsmon.exe by the same procedure with the CD-boot repair mode. You should also delete the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Zone Labs and all components, as well as all ZoneAlarm-related files under c:\windows (no problem in normal mode).
For instructions check  http://nh2.nohold.net/noHoldCust25/Prod_1/...stallNonNT.html

> Can anyone tell me how to get to the DOS prompt when booting with the XP installation repair mode?

The DOS prompt asks you which system you would like to repair. By default there is only one possibility: c:\windows
So type <1> and <enter>. The administrator password is by default <enter> (= no password).
Guest
« Reply #8 on: February 07, 2005, 08:31:46 PM »

Well, that was painful. I don't normally have a problem with trojans/viruses, but this one (or a variation of it) just cost me about 6 hours of troubleshooting (which is not how I like spending my days off).

Thanks to those who mentioned the XP install CD repair mode. I'd never heard of it until I read this post. The real problem with these trojans isn't tracking down the files, it's getting rid of them. The file permissions on Windows are so ridiculous that none of the utilities have the power to get rid of them. It's inane. And also ironic, since the only thing that can save Windows is DOS.

The variant I got also shut down ZoneAlarm, would randomly kill my net connection (which made downloading and updating all the anti-virus utilities a lot of fun), would slow the computer down to an excruciating crawl, and even forced me to reactivate Windows (by phone of course, since at that point I couldn't get the net connect to work at all).  Luckily I had access to another computer to look for help.

In addition to the mentioned

hiden.exe
p2.ini
mszx32.exe
drct16.dll
vdnt32.sys
klogini.dll
i.a3d
fltr.a3d
redir.a3d
ps.a3d
w32tm.exe
cz.dll
hz.dll
wz.dll

I also had trouble with

tmpA.tmp   [in a temp directory, the others were in windows/system32]
snim.dll
winlow.sys
vdmt16.sys


AVG, Spybot and HijackThis were mildly helpful, but it kept coming back until I deleted all these files in repair mode. Hopefully the thing is gone now.

Thanks for posting the fix, BGN.


 
sidwood
« Reply #9 on: February 07, 2005, 09:16:52 PM »

This Haxdoor is a bad one.

I have it on my machine now and will have to try out your fixes from this web forum.

If anyone has any follow-up information, please post it. I know I will.

 
sidwood
« Reply #10 on: February 07, 2005, 11:05:19 PM »

Well, I used the clean-up information from all the posts here and it seems to have worked.
IE 6 is still trying to go to another page, but no other funny stuff.

Ran Ad-Aware and Spybot to remove other rubbish.

Can anyone tell me anything about a DLL, snim.dll? Is it dodgy?

thanks

sidwood
Wolfman
« Reply #11 on: February 10, 2005, 11:09:16 AM »

Have tried to remove it but just ended up with Windows rebooting.
An error occurs after the pointer comes on screen, then the Windows starting-up screen:
-----------------------------------------------------------------------------------------------
The instruction at "0x77f52cd0" referenced memory at "0x0070803c". The memory could not be "written"

Click on OK to terminate program

-----------------------------------------------------------------------------------------------
Click OK, then it reboots.

Can I edit the old registry? I have loaded a second clean version of XP on the same machine in a different directory to get the bloke his files back.

Which worked

But how can I get to the old registry to get all his old programs working?
Any ideas, or should I just re-install everything and then delete the old directory?

Wolfman
Guest
« Reply #12 on: February 11, 2005, 07:49:57 AM »

WOW BGN, I thought I was helpless, I hereby promulgate you leader of all vigilante partisans to help the public! (sounds very fruity, but I am so glad I just found this topic without Google asking if I meant to buy... err, never mind, heh)!!

Okay Wolf, regarding your errors, try uninstalling SP2. I installed it this morning and the Haxdoor.BGN was even more malicious, since you couldn't open IE with the constant errors and everything is glitchy. Try that, man!

Viva la revolución! Yeah, this was a BAD virus; this took me many days, and Spybot/Ad-Aware/MS's AntiSpyware couldn't get rid of it. What sites have you guys been browsing? I think we have been used as guinea pigs, lol.

Okay, snim.dll is another one of those trickies you need to get out through Safe Mode. I don't know how it's being used, since no processes are using it; maybe someone else can explain that. I am going to try and follow BGN's instructions now and I hope it works, since nothing else helped! Okay, thanks a ton!
Guest
« Reply #13 on: February 11, 2005, 07:52:55 AM »

BTW, did you guys have problems with that garbage sex.exe shortcut on your desktop? Was so annoying... and those random file names in numbers being generated (e.g. 93284239.exe)?

What about the tmpf00.exe and tmpf01.exe?
Guest
« Reply #14 on: February 11, 2005, 12:36:19 PM »

Thank you, thank you, thank you ALL!!

I was just about to format c: /y!! and re-install Windows XP!

Followed all instructions; Spybot had managed to remove some but not all. Restarted and let Spybot tell me the system was clean, just for fun! Now to reinstall all the networking components that were damaged and get all those updates that it wouldn't let me download!!