mszx23.exe HELP!!!

Thread starter: Kent W. England

chris rubino wrote on 23-Jan-2005 11:43 PM:
My browser is hijacked by a file called mszx23.exe... every time I delete
it, it still comes when I start Windows XP.

How do you know that there is a file mszx23.exe? Is MSAS telling you
this? If so, try F8 safe mode boot and re-run and see if it can remove
it. If not, send in a report.

If some other program like Norton, McAfee, or whatever tells you this,
then search their web site for the name of the bug and manual removal
instructions.

Or you can google "mszx23.exe", but there isn't much information and no
resolution that I can find. It may be a new beast or a variation on an
old malware theme.
 
Here's a thread from another forum relating to the bug you've got:

http://www.techsupportforum.com/computer/topic/34430-1.html

Glad you got a handle on it.

If Microsoft Antispyware couldn't remove this in safe mode, it'd have been
great to have a Tools, suspected spyware report sent from the infected
machine.


 
Thanks for the info on cleaning up "mszx23.exe", Chris.
If you know how/where the system was infected it would be helpful to be
able to get one's hands on

cz.dll
drct16.dll
sharamon.dll
mszx23.exe

If you can obtain the above files, could you compress them to a .zip
folder and email them to me? If not, point me to the site where the
system became infected, please.
Thanks.

Steve Wechsler (akaMowGreen)
MVP Windows Server


 
Interesting. You might try password-protecting the zip and passing the
password on to Steve.

That encrypts the zip file and keeps naive antivirus apps from digging too
deeply. If that works, bad for Google, good for this process. Slicker
antivirus apps can decrypt--the encryption isn't very high-strength.
--
FAQ for MS AntiSpy http://www.geocities.com/marfer_mvp/FAQ_MSantispy.txt

 
My browser is hijacked by a file called mszx23.exe... every time I delete
it, it still comes when I start Windows XP.
 
MSAS just told me that mszx23.exe was trying to add itself to registry
start-up... (blocked it, but did not recognize it as malware)... but my browser
always turns to http:\\horseserver.net ..., after that it starts to download
all kinds of dialers, banners, etc. (randomized)

Norton (22 Jan 2005), PestPatrol (newest), Ad-Aware... cannot detect this
either... (shameful!)

But now I found the way to remove this trojan (I used Sysinternals REGMON
to monitor Windows activity).
It adds these entries to the registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Secboot"="D:\\WINDOWS\\system32\\mszx23.exe !!"

[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603]
"000"="cz.dll"
"001"="drct16.dll "
"002"="sharamon.dll"
"003"="mszx23.exe"

Yeah, you're right... just clean up these entries... and then delete all
files above... (in safe mode).

Please forgive me for my bad English... (I'm living in Kupang, West Timor,
Indonesia)

Regards,

Chris Rubino
 
chris rubino said:
It adds these entries to the registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Secboot"="D:\\WINDOWS\\system32\\mszx23.exe !!"

Oops... sorry... I mean... D:\\Windows is my Windows default
directory... you may have a different dir :-)
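
An added example, not part of the original posts: a Python triage of the registry text quoted above, laid out as a .reg export. It matches on file name rather than full path, because the Windows directory differs between machines, and it reports Run-key values separately from other references, since the ACMru key holds Search Assistant's recently used search terms rather than a start-up location. The sample input is constructed from the values in the thread; the function names are illustrative.

```python
import ntpath
import re

# Constructed sample: the values posted in the thread, laid out as a .reg export.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Secboot"="D:\\WINDOWS\\system32\\mszx23.exe !!"
[HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru\5603]
"000"="cz.dll"
"001"="drct16.dll "
"002"="sharamon.dll"
"003"="mszx23.exe"
'''

# File names reported in the thread.
REPORTED_FILES = {"cz.dll", "drct16.dll", "sharamon.dll", "mszx23.exe"}

# Standard Run / RunOnce keys (any hive): their values are launched at logon.
RUN_BASE = r"\software\microsoft\windows\currentversion\run"
AUTOSTART_SUFFIXES = (RUN_BASE, RUN_BASE + "once")

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    """Undo the backslash escaping a .reg export applies to string data."""
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Yield (key, value_name, data) for every string value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, unescape(m.group(1)), unescape(m.group(2))

def command_image(command):
    """Return the lower-cased file name of the program a command line starts."""
    command = command.strip()
    if command.startswith('"'):
        exe = command[1:].split('"', 1)[0]
    else:
        # Unquoted path: cut at the first executable extension so that
        # directories containing spaces and trailing arguments are handled.
        m = re.match(r"(.+?\.(?:exe|com|bat|cmd|scr|pif))(?:\s|$)", command, re.I)
        exe = m.group(1) if m else command.split(" ", 1)[0]
    return ntpath.basename(exe).lower()

def triage(text, names=REPORTED_FILES):
    """Split matches into autostart entries (persistence) and other references."""
    autostart, other = [], []
    for key, name, data in parse_reg(text):
        if key.lower().endswith(AUTOSTART_SUFFIXES):
            if command_image(data) in names:
                autostart.append((key, name, data))
        elif data.strip().lower() in names:  # tolerate padding such as "drct16.dll "
            other.append((key, name, data.strip()))
    return autostart, other

if __name__ == "__main__":
    persistence, references = triage(SAMPLE_REG)
    print("autostart:", persistence)
    print("other references:", references)
```

Only the autostart list identifies a value that relaunches the program at logon; the other list is context for locating the files.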
 
Dear Steve,
I'm trying to send these files to your e-mail... but my Gmail refuses
these attachments (even though I already zipped these files)... it says "illegal
attachment"

:-)


 
Hi Steve...
I'm using another SMTP... hopefully they don't ban this attachment

 
Try what Bill Sanderson suggested, Chris. Password protect the zip file
and send me the password with the zip attached.

Steve Wechsler (akaMowGreen)
MVP Windows Server


 
I'm impressed, sort of. I guess we won't find very many virus researchers
using a Gmail account!
--
FAQ for MS AntiSpy http://www.geocities.com/marfer_mvp/FAQ_MSantispy.txt

 
Thanks anyway, Chris. Already obtained it from a spyware forum and will
submit it to MS.

Steve Wechsler (akaMowGreen)
MVP Windows Server


 
I already did that...
But got the same result... Gmail just banned this attachment...

Can you give me an FTP account to upload these files to you, Steve?

