mszx23.exe - drct16.dll, Manual removal of new trojan/virus

Post #1 by Guest_BGN_*, Jan 25 2005, 09:19 PM
Hi!

I think I was one of the first to catch this bugger. You can call it the HAXDOOR-BGN from now on.

Symptoms:
Disables a range of firewalls.
Disables or crashes a range of antivirus products.
Collects confidential information from Windows (i.e. passwords).
Opens certain ports for an intruder to collect files.
Redirects your browser to a range of websites.
Not possible to remove trojan/virus files in failsafe mode.
Reinstalls after partial removal.
Crashes Windows and reboots if only the virus/trojan files are removed.

From what I can tell it's some kind of HAXDOOR virus containing the following files (there may be more though):
mszx23.exe (the trojan, I think)
drct16.dll (a bad feature that can make your Winlogon fail and reboot the PC)
p2.ini (also used in the HAXDOOR virus - check info on the net)
klo5.sys (a log with events, keyboard input and your passwords)
vdnt32.sys (also used in the HAXDOOR virus)
klogini.dll (also used in the HAXDOOR virus)
i.a3d (also used in the HAXDOOR virus)
fltr.a3d (no info found on the net - probably some data file)
redir.a3d (no info found on the net - probably some data file)

Since at this point no virus scanner detects this bugger, and no trojan scanner either, it was a tough call to get rid of the key components: removing it only partly resulted in it coming back in full strength, and removing it fully without removing the registry entry to drct16.dll resulted in the PC rebooting forever, even in failsafe state!!!

Removing the virus/trojan manually is totally your own responsibility, and so is the possible risk of damaging your installed software/hardware. What I did was:

1) Remove the registry entry (with regedit) with this key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\drct16.
2) Reboot your PC from the Windows XP install CD-ROM in repair mode. Rebooting into failsafe mode will still keep the files "open" and you will be unable to move the files into quarantine.
3) With the DOS-like command interpreter, change directory to the Windows system folder (CD C:\WINDOWS\SYSTEM32).
4) Create a directory called quarantine (MD quarantine).
5) Copy all the above mentioned files into quarantine (COPY <filename> quarantine).
6) Delete the above mentioned files from the SYSTEM32 folder (DEL <filename>).
7) Eject the Windows CD-ROM, type EXIT and press [enter] to boot from the hard disk.

Your system should now be clean (from this trojan, that is!). If you haven't taken the following precautions, do it now:

1) Install a firewall.
2) Install an antivirus product with the newest virus definitions.
3) Install Windows XP Service Pack 2.
4) Install one or more antispyware programs (Ad-aware, HijackThis . . .).

Spread the word, not spyware!

Post #2 by Guest_Guest_*, Feb 3 2005, 12:18 PM
I seem to have got the same virus. I have actually deleted the registry key and then drct16.dll and the mszx23.exe and the other files in a DOS boot-up. Everything seems fine; the firewall does not report any unusual activity. All the files have disappeared and no reg key exists anymore.

But the drct16.dll file seems to be generated again in the system32 folder with 0 KB size. I am thinking that there is some other program that is generating this file. Is this malicious? Any comments or advice?

Post #3 by Guest_Guest_*, Feb 3 2005, 01:31 PM
Thanks for this one. Helped me a lot in getting rid of this pest.

Although I did find some more related files: ps.a3d -> contains a collection of logins/passwords together with the related URLs. Did not find vdnt32.sys, but vdmt16.sys instead. Seems to be the same, just a different filename.

Post #4 by Guest_EclipseGSX_*, Feb 4 2005, 11:51 AM
A friend of mine got hit by this too... nasty stuff. It disabled the XP SP2 Security Center and firewall, Symantec Anti-Virus (the engine and LiveUpdate), and kept IE from opening at all (it would just generate errors and close). Attempting to remove the components from normal startup mode would actually blue-screen the computer.

Luckily I was able to finally remove it all from a command prompt (using the reg /delete command to remove that key). This thing's probably the worst I've seen so far.

FYI: an easy way to find all the related files is to sort your System32 directory by date. For the infection I dealt with, there were about 12 files that had to be removed -- the hardest being the "mszx23.exe" file. I made a backup of all the files related to the infection. Anyone know where I can send them to have them start being added to removal databases?
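A read-only check built from two tips in this thread: the Winlogon\Notify persistence key that the first post removes (drct16 was registered there), and post #4's tip to sort System32 by date. This is an added example, not code posted by anyone in the thread; it reports and deletes nothing, assumes an elevated PowerShell session, and treats the Notify key (an XP-era mechanism) as simply absent on systems that no longer have it.

```powershell
# Added example: inventory Winlogon notification packages and recent System32 changes.
# Assumptions: run elevated; Winlogon\Notify may not exist on newer Windows (reported as empty).
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$system32  = Join-Path $env:SystemRoot 'System32'

function Get-WinlogonNotifyPackages {
    # Each subkey names a DLL that Winlogon loads at logon. Resolve the path,
    # then report whether the file exists and whether its Authenticode signature is valid.
    if (-not (Test-Path $notifyKey)) { return @() }
    Get-ChildItem $notifyKey | ForEach-Object {
        $dll = (Get-ItemProperty $_.PSPath).DLLName
        $path = if ($dll -and -not [IO.Path]::IsPathRooted($dll)) { Join-Path $system32 $dll } else { $dll }
        $sig = if ($path -and (Test-Path $path)) { (Get-AuthenticodeSignature $path).Status } else { 'FileMissing' }
        [pscustomobject]@{ Package = $_.PSChildName; DLLName = $dll; Path = $path; Signature = $sig }
    }
}

function Get-RecentSystem32Files {
    param([int]$Days = 7)
    # Post #4's "sort by date" tip, automated: files changed in the last $Days days,
    # newest first, with signature status so unsigned newcomers stand out.
    $since = (Get-Date).AddDays(-$Days)
    Get-ChildItem $system32 -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt $since } |
        Sort-Object LastWriteTime -Descending |
        Select-Object Name, Length, LastWriteTime,
            @{ n = 'Signature'; e = { (Get-AuthenticodeSignature $_.FullName).Status } }
}

Write-Host '== Winlogon Notify packages (unsigned or missing DLLs deserve a closer look) =='
Get-WinlogonNotifyPackages | Format-Table -AutoSize
Write-Host '== System32 files modified in the last 7 days =='
Get-RecentSystem32Files -Days 7 | Format-Table -AutoSize
```

A legitimate Windows Update will also produce a burst of recently modified, signed files, so the signature column is what separates that noise from an unsigned drop like the ones listed in this thread.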

Post #5 by Guest_joyrider_*, Feb 5 2005, 03:00 AM
Thanks for the info, that did the trick.

Some of my passwords were in the files, but my firewall kept blocking it, so I hope I'm safe. You could look at the file before deleting it to know what passwords they might have gotten from you.

Post #6 by Guest_boomer_*, Feb 5 2005, 04:41 PM
Hi,

Thanks for this explanation, it helped me repair my PC.

It all started when my Norton Antivirus identified some virus as 'Downloader.Trojan'. Every couple of minutes I got the virus and it took me to some site called 'horseserver.net'; afterwards it was suddenly called 'Backdoor.haxdoor.D' when it detected some other infected files. Then I got myself into a great mess trying to clean it up.

I used regedit to throw out some suspicious keys like dcrv16 (in microsoft-windows-windowsNT-currentversion-winlogon-notify) and also some in microsoft-windows-currentversion-run (like hiden). I disabled the internet connection, I used HijackThis to stop some processes (hiden.exe, everything with tmp and dload and maybe some others) and fix some stuff with it, and I deleted all my temp internet files and cookies.

I deleted these files, all in the windows/system32 dir: hiden.exe, p2.ini, tmpf00.exe, mszx.exe, drct16.dll, vdnt32.sys, klogini.dll, i.a3d, fltr.a3d, redir.a3d, ps.a3d, w32tm.exe, cz.dll, hz.dll, wz.dll. Some wouldn't go away (mszx, drct, ..), so I used HijackThis again to delete some files immediately after rebooting. Afterwards I ran an Ad-aware scan which removed some stuff too.

Now it seems quite normal again.. thanks to you guys!

Post #7 by Guest_Guest_*, Feb 5 2005, 08:11 PM
Can anyone tell me how to get to the DOS prompt when booting with xp installation repair mode?

Post #8 by Guest_Zapzarap_*, Feb 5 2005, 09:24 PM
Thanks a lot to BGN!

Your instructions were very helpful. You deserve that this nightmare is called "Haxdoor.BGN".

I had some more trouble reinstalling ZoneAlarm, which the beast had killed. I had to delete WINDOWS\system32\ZoneLabs\vsmon.exe by the same procedure with the CD-boot repair mode. You should also delete the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Zone Labs and all components, as well as all ZoneAlarm related files under c:\windows (no problem in normal mode). For instructions check http://nh2.nohold.net/noHoldCust25/Prod_1/...stallNonNT.html

"Can anyone tell me how to get to the DOS prompt when booting with xp installation repair mode?"

The DOS prompt asks you 'which system you like to repair'. By default there is only one possibility: c:\windows. So type <1> and <enter>. The administrator password default is <enter> (= no password).

Post #9 by Guest_Guest_*, Feb 8 2005, 01:31 AM
Well, that was painful. I don't normally have a problem with trojans/viruses, but this one (or a variation of it) just cost me about 6 hours of troubleshooting (which is not how I like spending my days off).

Thanks to those who mentioned the XP install CD repair mode. I'd never heard of it until I read this post. The real problem with these trojans isn't tracking down the files - it's getting rid of them. The file permissions on Windows are so ridiculous that none of the utilities have the power to get rid of them. It's inane. And also ironic, since the only thing that can save Windows is DOS.

The variant I got also shut down ZoneAlarm, would randomly kill my net connection (which made downloading and updating all the anti-virus utilities a lot of fun), would slow the computer down to an excruciating crawl, and even forced me to reactivate Windows (by phone of course, since at that point I couldn't get the net connection to work at all). Luckily I had access to another computer to look for help.

In addition to the mentioned hiden.exe, p2.ini, mszx32.exe, drct16.dll, vdnt32.sys, klogini.dll, i.a3d, fltr.a3d, redir.a3d, ps.a3d, w32tm.exe, cz.dll, hz.dll, wz.dll, I also had trouble with tmpA.tmp [in a temp directory, the others were in windows/system32], snim.dll, winlow.sys, vdmt16.sys.

AVG, Spybot and Hijack were mildly helpful, but it kept coming back until I deleted all these files in Repair mode. Hopefully the thing is gone now. Thanks for posting the fix, BGN.

Post #10 by Guest_sidwood_*, Feb 8 2005, 02:16 AM
This Hakdoor is a bad one.

I have it on my machine now and will have to try out your fixes from this web forum. If anyone has any follow-up information please post it. I know I will.

Post #11 by Guest_sidwood_*, Feb 8 2005, 04:05 AM
Well, I used the clean-up information from all the posts here and it seems to have worked.

IE 6 is still trying to go to another page, but no other funny stuff. Ran Ad-aware and Spybot to remove other rubbish. Can anyone tell me anything about a dll snim.dll, is it dodgy?

Thanks, sidwood

Post #12 by Guest_Wolfman_*, Feb 10 2005, 04:09 PM
An error occurs after the pointer comes on screen, then the Windows starting up screen:

-----------------------------------------------------------------------------------------------
The instruction at "0x77f52cd0" referenced memory at "0x0070803c". The memory could not be "written"
Click on OK to terminate program
-----------------------------------------------------------------------------------------------

Click OK, then it reboots.

Can I edit the old registry? I have loaded a second clean version of XP on the same machine in a different directory to get the bloke his files back, which worked. But how can I get to the old registry to get all his old programs working? Any ideas, or should I just re-install everything and then delete the old directory?

Wolfman

Post #13 by Guest_Guest_*, Feb 11 2005, 12:49 PM
WOW BGN, I thought I was helpless. I hereby promulgate you leader of all vigilante partisans to help the public! (Sounds very fruity, but I am so glad I just found this topic without Google asking if I meant to buy.. err nevermind, heh)!!

Okay Wolf, regarding your errors, try uninstalling SP2. I installed it this morning and the Haxdoor.BGN was even more malicious, since you couldn't open IE with the constant errors and everything is glitchy. Try from that, man! Viva la revolution!

Yea, this was a BAD virus. This took me many days, and Spybot/Ad-Aware/MS's Antispyware couldn't get rid of this. What sites have you guys been browsing? I think we have been used as guinea pigs lol.

Okay, snim.dll is another one of those trickies you need to get out through safe mode. I don't know how it's being used, since no processes are using it; maybe someone else can explain that. I am going to try and follow BGN's instructions now and I hope it works, since nothing else helped! Okay, thanks a ton!

Post #14 by Guest_Guest_*, Feb 11 2005, 12:52 PM
BTW, did you guys have problems with that garbage sex.exe shortcut on your desktop? Was so annoying... and those random file names in numbers being generated (e.g. 93284239.exe).

What about the tmpf00.exe and tmpf01.exe?

Post #15 by Guest_Guest_*, Feb 11 2005, 05:36 PM
Thank you, thank you, thank you ALL!!

I was just about to format c:/ and re-install Windows XP! Followed all instructions - Spybot had managed to remove some but not all. Restarted and let Spybot tell me the system was clean - just for fun! Now to reinstall all the networking components that were damaged and get all those updates that it wouldn't let me download!!

Post #16 by Guest_Guest_*, Feb 12 2005, 01:51 AM
then another directory (cannot remember exactly what it was) No more virus -

Post #17 by Guest_Marce_*, Feb 12 2005, 03:00 AM
Hi -BGN-

Many thanks for your help.. It seems under control..!!! Only took 5 hours of my time.... It really was a big help following your indications... big thanks again!

Marce

Post #18 by Guest_Woodturner_*, Feb 13 2005, 04:05 AM
BGN..you are the man!! My friend had this ...and I was stumped...and at the end of my rope. Excellent work. THANK YOU.

Post #19 by Guest_Guest_*, Feb 13 2005, 09:29 AM
Thanks BGN - I just spent about 5 hrs on this one too...

Post #20 by Guest_thankful guest_*, Feb 13 2005, 03:01 PM
This is what it took for me to remove it, too. Thank you so much.

Files I removed in the process: klo5.sys, klogini.dll, mszx23.exe, p2.ini, ps.a3d, tmpf01.exe, dload.exe, drct16.dll, fltr.a3d, redir.a3d.