
mszx23.exe removal help/ hijackthis log evaluation needed

Discussion in 'Virus & Other Malware Removal' started by demi4200, Feb 3, 2005.

Thread Status:
Not open for further replies.
  1. demi4200

    demi4200 Thread Starter

    Joined:
    Aug 14, 2003
    Messages:
    90
    Hello everyone, my father seems to have contracted a trojan on his PC and I'm trying to help him remove it. It's pretty certain there's a bug running on the PC, since when I start IE it redirects the browser to a page intended to install a dialer on the system.

    Here's his HijackThis log:

    Logfile of HijackThis v1.99.0
    Scan saved at 8:49:33 PM, on 2/2/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Sygate\SPF\Smc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\DOCUME~1\TONYCO~1.000\LOCALS~1\Temp\Rar$EX00.171\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.games-fusion.net/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [secboot] C:\WINDOWS\System32\mszx23.exe !!
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
    O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_EN_XP.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....apple.com/saba/us/win/QuickTimeInstaller.exe
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by2fd.bay2.hotmail.msn.com/activex/HMAtchmt.ocx
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O16 - DPF: {F72BC3F0-6C20-4793-9DDA-258589D8A907} - http://akamai.downloadv3.com/binaries/IA/netslv32_EN_XP.cab
    O23 - Service: AVG6 Service - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Sygate Personal Firewall Pro - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\Smc.exe
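The log above is what the rest of the thread works from, so here is an added example (not from the thread or from HijackThis itself) of the same triage done in code: a small Python parser that reads the O4, O10 and O16 lines and flags the patterns a helper looks for, namely an unknown executable launched from a Run key directly out of System32, a Winsock entry HijackThis already labels as hijacked, and an ActiveX download from a site outside an allowlist. The sample lines are copied from the log above; the allowlists `TRUSTED_DPF_SUFFIXES` and `KNOWN_SYSTEM32_RUN` are assumptions for the example, not part of HijackThis.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlparse

# Constructed sample: a handful of lines copied from the HijackThis log posted
# above (the three entries the helper asked to fix, plus legitimate entries
# for contrast).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [secboot] C:\WINDOWS\System32\mszx23.exe !!
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O10 - Hijacked Internet access by New.Net
O16 - DPF: {F72BC3F0-6C20-4793-9DDA-258589D8A907} - http://akamai.downloadv3.com/binaries/IA/netslv32_EN_XP.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
"""

# Assumed allowlists: domains whose ActiveX downloads are accepted, and the few
# System32 binaries that legitimately show up in Run keys.
TRUSTED_DPF_SUFFIXES = ("microsoft.com", "msn.com", "macromedia.com", "apple.com")
KNOWN_SYSTEM32_RUN = {"rundll32.exe", "ctfmon.exe"}

RE_O4 = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
RE_O10 = re.compile(r"^O10 - Hijacked Internet access by (?P<who>.+)$")
RE_O16 = re.compile(r"^O16 - DPF: \{(?P<clsid>[^}]+)\}(?: \((?P<name>[^)]+)\))? - (?P<url>\S+)$")


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    item: str      # the offending entry
    reason: str    # why it was flagged


def image_path(cmd: str) -> str:
    """Return the executable path from a Run command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def check_o4(name: str, cmd: str) -> Optional[Finding]:
    path = image_path(cmd)
    directory, _, exe = path.lower().rpartition("\\")
    # Vendors install under Program Files; a loose, unknown executable sitting
    # directly in System32 and launched from a Run key is the pattern seen above.
    if directory.endswith("\\system32") and exe not in KNOWN_SYSTEM32_RUN:
        return Finding("O4", f"[{name}] {path}",
                       "unknown executable in System32 started from a Run key")
    return None


def check_o16(clsid: str, url: str) -> Optional[Finding]:
    host = (urlparse(url).hostname or "").lower()
    if not any(host == s or host.endswith("." + s) for s in TRUSTED_DPF_SUFFIXES):
        return Finding("O16", f"{{{clsid}}} {url}",
                       "ActiveX control downloaded from an unrecognised site")
    return None


def scan(log_text: str) -> List[Finding]:
    """Walk a HijackThis log and return the entries worth acting on."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := RE_O4.match(line):
            f = check_o4(m["name"], m["cmd"])
        elif m := RE_O10.match(line):
            # HijackThis itself labels these as hijacked Winsock (LSP) entries.
            f = Finding("O10", m["who"], "Winsock LSP installed by a third party")
        elif m := RE_O16.match(line):
            f = check_o16(m["clsid"], m["url"])
        else:
            f = None
        # Identical lines (the repeated O10 entries) are reported once.
        if f is not None and f not in findings:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.section:<4}{f.item}\n    -> {f.reason}")
```

Run against the sample it reports exactly the three items the helper singles out in the next reply: the `[secboot]` Run entry, the New.Net O10 entries and the akamai.downloadv3.com download. The System32 rule is a heuristic, not proof of infection, which is why the output is a list of things to look at rather than a verdict.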
     
  2. Mosaic1

    Mosaic1

    Joined:
    Aug 17, 2001
    Messages:
    7,486
    Download the lspfix in the event you have a problem after uninstalling New.net (instructions to follow). If you do have a problem getting on the internet, open the lspfix and press the Finish button. This is a zip file, so first extract the exe it contains.
    http://www.cexx.org/lspfix.zip


    AVG6 is obsolete. There have been no virus signature updates for a while. He needs to get the newer version and install it. The install will uninstall the old version for him.
    Second, you are running HijackThis from the compressed file. You are going to lose the backups it makes if you do that, so extract HijackThis to its own folder on the desktop or My Documents, for example.


    I would uninstall the Panicware Pop-Up Stopper Free Edition. The Google Toolbar has a very nice free pop-up stopper.

    Open HijackThis and fix these items:
    O4 - HKLM\..\Run: [secboot] C:\WINDOWS\System32\mszx23.exe !!
    O16 - DPF: {F72BC3F0-6C20-4793-9DDA-258589D8A907} - http://akamai.downloadv3.com/binari...slv32_EN_XP.cab


    Go to Add/Remove Programs and uninstall New.Net.

    Restart the computer.

    Delete this file:

    C:\WINDOWS\System32\mszx23.exe

    You may have to disable TeaTimer for these changes to be allowed.


    Post a new HijackThis log in your next reply here after you finish.
     
  3. Mosaic1

    Mosaic1

    Joined:
    Aug 17, 2001
    Messages:
    7,486
  4. demi4200

    demi4200 Thread Starter

    Joined:
    Aug 14, 2003
    Messages:
    90
    Hey, thanks a bunch for the fast reply. Should I delete both of the akamai.download entries?
     
  5. Mosaic1

    Mosaic1

    Joined:
    Aug 17, 2001
    Messages:
    7,486
    You're welcome. The other is just the Quicktime installer. But you can delete it too if you like.
     
  6. demi4200

    demi4200 Thread Starter

    Joined:
    Aug 14, 2003
    Messages:
    90
    I uninstalled New.net and it killed internet access, but when I ran lspfix it didn't fix anything when I hit Finish. I also did what you said to do with the mszx23.exe and the registry entry, but the file itself has come back twice now.

    Here's the new HijackThis log:

    Logfile of HijackThis v1.99.0
    Scan saved at 8:49:33 PM, on 2/2/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Sygate\SPF\Smc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\DOCUME~1\TONYCO~1.000\LOCALS~1\Temp\Rar$EX00.171\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.games-fusion.net/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [secboot] C:\WINDOWS\System32\mszx23.exe !!
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O10 - Hijacked Internet access by New.Net
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
    O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_EN_XP.cab
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....apple.com/saba/us/win/QuickTimeInstaller.exe
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by2fd.bay2.hotmail.msn.com/activex/HMAtchmt.ocx
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
    O16 - DPF: {F72BC3F0-6C20-4793-9DDA-258589D8A907} - http://akamai.downloadv3.com/binaries/IA/netslv32_EN_XP.cab
    O23 - Service: AVG6 Service - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Sygate Personal Firewall Pro - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\Smc.exe
     
  7. Mosaic1

    Mosaic1

    Joined:
    Aug 17, 2001
    Messages:
    7,486

    Is Internet Access restored or are you on a different computer?

    I don't want to leave you in a mess, but it is very late here. I'll wait for the answer and then give you a followup. After that I have to sign off. I'll be here for about 5 more minutes.

    Also, to make certain changes you should disable Spybot's TeaTimer. Please do that while we try to repair the problems.

    Post a StartupList please. In HijackThis press the Config button.
    Click Misc Tools
    Check both boxes under the Generate StartupList log and then click the generate startuplist log button.

    Paste the contents into your next reply here.
     
  8. Mosaic1

    Mosaic1

    Joined:
    Aug 17, 2001
    Messages:
    7,486
    Here is some information I have just found on the problem file. It is more than it at first appears. I have not worked on one of these yet.
    http://www.techsupportforum.com/showthread.php?threadid=34430

    There is more to removing this than what it seems. I am going to have to wait until tomorrow to help. But do read that thread and follow the directions it gives to download the Killbox as a start.
     
  9. demi4200

    demi4200 Thread Starter

    Joined:
    Aug 14, 2003
    Messages:
    90
    I'm on another PC, and it's no problem, I can't wait till tomorrow. We still have 2 PCs with internet access at the moment.

    That's another thing: the mszx.exe shows up in msconfig, and when I uncheck it, it comes back checked on reboot.

    Here's the startup list. Thanks for the help and have a good night's rest.

    StartupList report, 2/2/2005, 10:51:41 PM
    StartupList version: 1.52.2
    Started from : C:\Documents and Settings\Tony.COMPUTER.000\Desktop\HijackThis.EXE
    Detected: Windows XP SP1 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Sygate\SPF\Smc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
    C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Documents and Settings\Tony.COMPUTER.000\Desktop\HijackThis.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    AVG_CC = C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
    SmcService = C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
    NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    PopUpStopperFreeEdition = "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
    SpybotSD TeaTimer = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=C:\WINDOWS\System32\ssbezier.scr
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry key not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

    --------------------------------------------------

    Enumerating Download Program Files:

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

    [MSSecurityAdvisor Class]
    InProcServer32 = C:\WINDOWS\System32\mssecadv.dll
    CODEBASE = http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1083045436953

    [YInstStarter Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\yinsthelper.dll
    CODEBASE = http://download.yahoo.com/dl/installs/yinst0401.cab

    [FilePlanet Download Control Class]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\FilePlanetDownloadCtrl.dll
    CODEBASE = http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab

    [Office Update Installation Engine]
    InProcServer32 = C:\WINDOWS\opuc.dll
    CODEBASE = http://office.microsoft.com/officeupdate/content/opuc.cab

    [{469C7080-8EC8-43A6-AD97-45848113743C}]
    CODEBASE = http://akamai.downloadv3.com/binaries/IA/nethv32_EN_XP.cab

    [{62475759-9E84-458E-A1AB-5D2C442ADFDE}]
    CODEBASE = http://a1540.g.akamai.net/7/1540/52....apple.com/saba/us/win/QuickTimeInstaller.exe

    [Update Class]
    InProcServer32 = C:\WINDOWS\System32\iuctl.dll
    CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38103.8363773148

    [DoomCln Object]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\DoomCln.dll
    CODEBASE = http://www.microsoft.com/security/controls/DoomCln.CAB

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    [Hotmail Attachments Control]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\HMAtchmt.ocx
    CODEBASE = http://by2fd.bay2.hotmail.msn.com/activex/HMAtchmt.ocx

    [MSN Chat Control 4.5]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\MSNChat45.ocx
    CODEBASE = http://chat.msn.com/bin/msnchat45.cab

    [{F72BC3F0-6C20-4793-9DDA-258589D8A907}]

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: C:\WINDOWS\system32\SHELL32.dll
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll

    --------------------------------------------------
    End of report, 5,673 bytes
    Report generated in 0.016 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  10. Mosaic1

    Mosaic1

    Joined:
    Aug 17, 2001
    Messages:
    7,486
    Darn it. Do you have a recent restore point you can use to get internet back?

    Try that. If no joy you can undo the restore.

    I am attaching a text file too. Download and save it. Tomorrow we'll see about doing the rest of it.
     

    Attached Files:

  11. demi4200

    demi4200 Thread Starter

    Joined:
    Aug 14, 2003
    Messages:
    90
    I'm not too sure the computer has restore points; I usually disable them to increase performance and save disk space. This PC also has historically had trouble reverting to old points.

    If all else fails I'm thinking of reformatting the HD and installing XP clean. I'm worried though about the virus still being there after the reformat.

    I also came across this after typing "mszx23.exe" into Google:

    http://forums.maddoktor2.com/index.php?showtopic=2659

    Some guy claims to have killed it manually.
     
  12. Mosaic1

    Mosaic1

    Joined:
    Aug 17, 2001
    Messages:
    7,486
    Let's try this. Open lspfix and press "I know what I am doing".

    Look at the left pane and move anything New.net into the right pane.

    Click finish.

    See if that helps. Let me know. I'll be here waiting.

    Also, are these computers networked and all XP? If so, you can probably get the winsock2 key from one of the others and import it. I'll show you how to do that if need be.
     
  13. Mosaic1

    Mosaic1

    Joined:
    Aug 17, 2001
    Messages:
    7,486
    There is a way to get rid of the trojan and it has worked. But if you are networked, then do disconnect the problem machine from the network and unplug it from the modem. Check the other machines to be sure they are clean too.
     
  14. demi4200

    demi4200 Thread Starter

    Joined:
    Aug 14, 2003
    Messages:
    90
    The PCs are not networked (thank God!); we have a wireless router as a sort of internet cable splitter. And I've checked my PC up and down and it seems clean. I'm super paranoid about stuff like this, so I'm constantly monitoring internet traffic and programs running in the background.

    My dad's backing up all his important files right now. After he's done I'll hop on his PC and try the lspfix idea you had.
     
  15. demi4200

    demi4200 Thread Starter

    Joined:
    Aug 14, 2003
    Messages:
    90
    I just got a chance to run lspfix and here's what's in the left field:

    mswsock.dll
    winrnr.dll
    rsvpsp.dll
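The three DLLs listed above are the stock Windows XP Winsock providers, which is why lspfix shows them as known-good; what broke internet access in this thread was the New.Net layered provider being removed without the chain being repaired. As an added example (not from the thread, lspfix or Microsoft), here is a Python check that parses `netsh winsock show catalog` output and reports every provider whose DLL is not in that baseline. The catalog text is constructed and abridged, `EXAMPLE_lsp.dll` is a placeholder for any third-party provider, and `netsh winsock` is an assumption about the tooling: it exists from XP SP2 onwards, so the SP1 machine in this thread would have needed lspfix instead.

```python
import re
import subprocess
from typing import Dict, List

# Known-good Winsock providers on Windows XP, i.e. the three DLLs shown in the
# lspfix left pane above. Anything else in the catalog is worth a look.
BASELINE_XP = {"mswsock.dll", "winrnr.dll", "rsvpsp.dll"}

# Constructed sample of `netsh winsock show catalog` output, abridged to the
# fields this check reads. "EXAMPLE_lsp.dll" is a placeholder, not the name of
# any real provider.
SAMPLE_CATALOG = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        RSVP UDP Service Provider
Provider Path:                      %SystemRoot%\system32\rsvpsp.dll
Catalog Entry ID:                   1003
Protocol Chain Length:              1

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        EXAMPLE third-party LSP
Provider Path:                      %SystemRoot%\system32\EXAMPLE_lsp.dll
Catalog Entry ID:                   1004
Protocol Chain Length:              0

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        EXAMPLE over [MSAFD Tcpip]
Provider Path:                      %SystemRoot%\system32\EXAMPLE_lsp.dll
Catalog Entry ID:                   1005
Protocol Chain Length:              2
"""

ENTRY_HEADER = "Winsock Catalog Provider Entry"
RE_FIELD = re.compile(r"^([A-Za-z][A-Za-z ]*?):\s+(.+)$")


def parse_catalog(text: str) -> List[Dict[str, str]]:
    """Split netsh output into one field dictionary per catalog entry."""
    entries: List[Dict[str, str]] = []
    for chunk in text.split(ENTRY_HEADER):
        fields: Dict[str, str] = {}
        for line in chunk.splitlines():
            m = RE_FIELD.match(line.strip())
            if m:
                fields[m.group(1)] = m.group(2).strip()
        if fields:  # skip the empty text before the first header
            entries.append(fields)
    return entries


def provider_dll(entry: Dict[str, str]) -> str:
    """Lower-cased file name of the provider DLL, whatever directory it sits in."""
    return entry.get("Provider Path", "").rsplit("\\", 1)[-1].lower()


def unknown_providers(entries: List[Dict[str, str]], baseline=BASELINE_XP) -> List[Dict[str, str]]:
    """Entries whose DLL is not in the known-good set."""
    return [e for e in entries if provider_dll(e) not in baseline]


def live_catalog() -> str:
    """Read the real catalog on a Windows machine (netsh winsock, XP SP2 and later)."""
    return subprocess.run(["netsh", "winsock", "show", "catalog"],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for e in unknown_providers(parse_catalog(SAMPLE_CATALOG)):
        print(f"entry {e['Catalog Entry ID']}: {e['Description']} -> {e['Provider Path']}")
```

The check is deliberately a baseline comparison rather than a removal tool: deleting a provider entry by hand is exactly what leaves the protocol chain broken, so once an unknown DLL shows up the fix is the vendor's uninstaller, lspfix, or `netsh winsock reset` on SP2 and later, and the script only tells you whether there is anything to fix.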
     
Short URL to this thread: https://techguy.org/326197
