mszx23.exe removal help/ hijackthis log evaluation needed

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

demi4200

Thread Starter
Joined
Aug 14, 2003
Messages
90
hello everyone my father seem's to have contracted a trojan on his pc and im trying to help him remove it. its pretty certain there's a bug running on the pc since when i start i.e. it redirect's the browser to a page intended to install a dialer on the system.

here's his hijackthis log:

Logfile of HijackThis v1.99.0
Scan saved at 8:49:33 PM, on 2/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sygate\SPF\Smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\TONYCO~1.000\LOCALS~1\Temp\Rar$EX00.171\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.games-fusion.net/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [secboot] C:\WINDOWS\System32\mszx23.exe !!
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_EN_XP.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by2fd.bay2.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F72BC3F0-6C20-4793-9DDA-258589D8A907} - http://akamai.downloadv3.com/binaries/IA/netslv32_EN_XP.cab
O23 - Service: AVG6 Service - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall Pro - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\Smc.exe
 
Joined
Aug 17, 2001
Messages
7,486
Download the lspfix in the event you have a problem after uninstalling New.net. (instructions to folow)If you do have a problem getting on the internet, open the lspfix and press the finish button. This is a zip file so first extract the exe it contains.
http://www.cexx.org/lspfix.zip


AVG6 is obsolete. There have been no virus signature updates for a while. He needs to get the newer version and install it. The install will uninstall the old version for him.
Second, you are running Hijackthis from the compressed file. You are ogin to lose the backups it makes if you do that. so extract Hijackthis to its own folder on the desktop or my documents, for example.


I would uninstall the PanicwarePop-Up Stopper Free Edition. The Google Toolbar has a very nice fee pop up stopper.

Open Hijackthis and fix these items:
O4 - HKLM\..\Run: [secboot] C:\WINDOWS\System32\mszx23.exe !!
O16 - DPF: {F72BC3F0-6C20-4793-9DDA-258589D8A907} - http://akamai.downloadv3.com/binari...slv32_EN_XP.cab


Go to AddRemove programs and uninstall New.Net

Restart the computer.

Delete this file:

C:\WINDOWS\System32\mszx23.exe

You may have to disable
Tea
Timer for these changes to be allowed.


Post a new Hijackthis log in your next reply here after you finish.
 

demi4200

Thread Starter
Joined
Aug 14, 2003
Messages
90
hey thanks a bunch for the fast reply, should i delete both of the akmai.download entry's?
 
Joined
Aug 17, 2001
Messages
7,486
You're welcome. The other is just the Quicktime installer. But you can delete it too if you like.
 

demi4200

Thread Starter
Joined
Aug 14, 2003
Messages
90
i uninstalled new.net and it killed internet access, but when i ran lspfix it didnt fix anything when i hit finish. i also did what you said to do with the mszx23.exe and the registry entry but the file it self has come back twice now.

here's the new hijackthis log:

Logfile of HijackThis v1.99.0
Scan saved at 8:49:33 PM, on 2/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sygate\SPF\Smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\TONYCO~1.000\LOCALS~1\Temp\Rar$EX00.171\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.games-fusion.net/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [secboot] C:\WINDOWS\System32\mszx23.exe !!
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {469C7080-8EC8-43A6-AD97-45848113743C} - http://akamai.downloadv3.com/binaries/IA/nethv32_EN_XP.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52....apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by2fd.bay2.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F72BC3F0-6C20-4793-9DDA-258589D8A907} - http://akamai.downloadv3.com/binaries/IA/netslv32_EN_XP.cab
O23 - Service: AVG6 Service - GRISOFT s.r.o - C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
O23 - Service: NVIDIA Display Driver Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sygate Personal Firewall Pro - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\Smc.exe
 
Joined
Aug 17, 2001
Messages
7,486
uninstalled new.net and it killed internet access, but when i ran lspfix it didnt fix anything when i hit finish

Is Internet Access restored or are you on a different computer?

I don't want to leave you in a mess, but it is very late here. I'll wait for the answer and then give you a followup. After that I have to sign off. I'll be here for about 5 more minutes.

Also, to make certain changes you should disable Spybot's TeaTimer. Please do that while we try to repair the problems.

Post a startuplist please. In Hijackthis press the Config Button
Click Misc Tools
Check both boxes under the Generate StartupList log and then click the generate startuplist log button.

Paste the contents into your next reply here.
 
Joined
Aug 17, 2001
Messages
7,486
Here is some information I have just found on the problem file. It is more that at first appears. I have not worked on one of these yet.
http://www.techsupportforum.com/showthread.php?threadid=34430

There is more to removing this than what it seems. I am going to have to wait until tomorrow to help. But do read that threada nd follow the driections it gives to download the Killbox as a start.
 

demi4200

Thread Starter
Joined
Aug 14, 2003
Messages
90
im on another pc, and its no proablem i cant wait till tomorrow we still have 2 pc's with internet access at the moment.

thats another thing the mszx.exe show's up in msconfig and when i uncheck it it comes back checked on reboot.

here's the start up list, thanks for the help and have a good nights rest.

StartupList report, 2/2/2005, 10:51:41 PM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\Tony.COMPUTER.000\Desktop\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sygate\SPF\Smc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Tony.COMPUTER.000\Desktop\HijackThis.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

AVG_CC = C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
SmcService = C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

PopUpStopperFreeEdition = "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
SpybotSD TeaTimer = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\ssbezier.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave ActiveX Control]
InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

[MSSecurityAdvisor Class]
InProcServer32 = C:\WINDOWS\System32\mssecadv.dll
CODEBASE = http://download.microsoft.com/downl...-a3de-373c3e5552fc/msSecAdv.cab?1083045436953

[YInstStarter Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\yinsthelper.dll
CODEBASE = http://download.yahoo.com/dl/installs/yinst0401.cab

[FilePlanet Download Control Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\FilePlanetDownloadCtrl.dll
CODEBASE = http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\opuc.dll
CODEBASE = http://office.microsoft.com/officeupdate/content/opuc.cab

[{469C7080-8EC8-43A6-AD97-45848113743C}]
CODEBASE = http://akamai.downloadv3.com/binaries/IA/nethv32_EN_XP.cab

[{62475759-9E84-458E-A1AB-5D2C442ADFDE}]
CODEBASE = http://a1540.g.akamai.net/7/1540/52....apple.com/saba/us/win/QuickTimeInstaller.exe

[Update Class]
InProcServer32 = C:\WINDOWS\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38103.8363773148

[DoomCln Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\DoomCln.dll
CODEBASE = http://www.microsoft.com/security/controls/DoomCln.CAB

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[Hotmail Attachments Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\HMAtchmt.ocx
CODEBASE = http://by2fd.bay2.hotmail.msn.com/activex/HMAtchmt.ocx

[MSN Chat Control 4.5]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MSNChat45.ocx
CODEBASE = http://chat.msn.com/bin/msnchat45.cab

[{F72BC3F0-6C20-4793-9DDA-258589D8A907}]

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll

--------------------------------------------------
End of report, 5,673 bytes
Report generated in 0.016 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
 
Joined
Aug 17, 2001
Messages
7,486
Darn it. Do you have a recent restore point you can use to get internet back?

Try that. If no joy you can undo the restore.

I am attaching a text file too. Downalod and save it. Tomorrow we'll see about doing the rest of it.
 

Attachments

demi4200

Thread Starter
Joined
Aug 14, 2003
Messages
90
im not to sure the computer has restore points, i usually disable them to increase performance and save disc space. this pc also has historically had trouble reverting to old point's.

if all eles fail's im thinking of reformating the hd and installing xp clean. im worried tho about the virus still being there after the reformat.

i also came across this after typing in "mszx23.exe" into google:

http://forums.maddoktor2.com/index.php?showtopic=2659

some guy claim's to have killed it manually.
 
Joined
Aug 17, 2001
Messages
7,486
Let's try this. Open lspfix and press I know what I am doing.

Look at the eft pane and move anythikng New.net into the right pane.

Click finish.

See if that helps. Let me know. I'll be here waiting.

Also, are these computers networked and all XP? If so, you can probably get the winsock2 key from one of the others and import it. I'll show you how to do that if need be.
 
Joined
Aug 17, 2001
Messages
7,486
There is a way to get rid of the trojan and it has worked. But if you are networked, then do disconnect the problem machine from the network and unplug it from the modem. Check the other machines to be sure they are clean too.
 

demi4200

Thread Starter
Joined
Aug 14, 2003
Messages
90
the pc's are not networked (thank god!), we have a wireless router as a sort of internet cable splitter. and i've checked my pc up and down and it seem's clean. im super paranoid about stuff like this so im constantly monitoring internet traffic and programs running in the background.

my dad's backing up all his important files right now. after he's done i'll hop on his pc and try the lspfix idea you had.
 

demi4200

Thread Starter
Joined
Aug 14, 2003
Messages
90
i just got a chance to run lspfix and here's whats in the left field:

mswsock.dll
winrnr.dll
rsvpsp.dll
 
Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 807,865 other people just like you!

Latest posts

Members online

Top