deleted something help 1

Status
Not open for further replies.

dss147

Vendor
Jan 12, 2005
3
CA
I have a program loaded on the hard drive. I go to the start program files and click on it and this appears.
" D:\WPWW21|wpworks.exe attempt to access invalid address"

I tried even the folder itself, no luck

I tried to reinstall the file off the disks that I have and same error.
system xp pro 512 ram

can anyone help please thanks dss147
 
You might want to adjust your Java security. In IE, Tools, Internet Options, Security tab, Custom Level. At bottom right click, "Java Custom Settings" and set as appropriate.
 
For more details on my last post - I am including this message from an internet security watchdog

Qualys, Inc. <sans-qualys@qualys.com>

************************
Widely Deployed Software
************************

(1) MODERATE: Sun Java Plug-in Security Bypass
Affected:
SDK and JRE versions 1.4.0, 1.4.2, 1.4.1_06 and prior, 1.3.1_12 and prior for
Windows

Description: The Sun Java Plug-in technology, a part of the Java Runtime
Environment (JRE), enables applets on websites to run in a user's browser.
The Java Plug-in contains a vulnerability in handling JavaScript code that
may be exploited to bypass an applet's access restrictions. A malicious applet,
when loaded into Internet Explorer, can leverage the flaw to read and write
files as well as execute applications on the user's system. Note that applets
are automatically downloaded and executed in typical Internet Explorer
configuration (medium security setting for Internet Zone). Hence, the flaw
can be exploited by simply viewing a malicious webpage or an HTML email.
The technical details required to construct a malicious applet have not
yet been posted.

Status: Sun confirmed. Upgrade to version SDK/JRE 1.4.2_01 or 1.3.1_13.
Although the flaw is fixed in 1.4.2_01, it is better to upgrade to 1.4.2_06
that fixes another non-critical vulnerability in the Sun Java SDK/JRE.

Council Site Actions: Most of the reporting council sites are not running
the affected software. Of the sites that are running affected versions,
several sites have notified their support staff and plan no further action.
The remaining few sites are in the process of patching their systems.

References:
Sun Advisory
Applet Security Overview
SecurityFocus BID
 
This problem is definitely caused by the Backdoor.haxdoor.D virus. It is very difficult to get rid of. I found a recipe for a fix on a technical forum by google searching this file mszx23.exe. Symantec has posted a recent security alert relating to this matter. I will post the fix recipe if I can find the forum that I found it in. My system is now completely cured.
 
Just ran into the same issue (horsserve.net, soft-trend.net, mszx23.exe, would not let me enter Recovery Console) and would love to see the recipe for resolution.

By-the-by, I got rid of mszx23.exe by booting to Safe Mode Command prompt only. Problem reoccurred at next non-safe mode reboot.

Al
 
Dog, it looks like albevier could use that posting you mentioned!!
Wish there was a way to pm here!!


Good advice + great people = tek-tips
 
Yes, my system is completely cured. I have installed Ad-Aware SE Professional and ZoneAlarm to protect it in the future. As for the fix recipe - a forum member by the name of microbell or micro_bell posted it in another thread. I will attempt to post my download of it here:
QUOTED"

This looks like the new Backdoor.Haxdoor.D trojan variant that's starting to appear. Print these instructions out...as you'll have no access to view.

Download the file attached to this post (fixhx.txt) and save it to your desktop. Right click on the file and choose rename. Rename the file from fixhx.txt to fixhx.reg. DO NOT run it yet.

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also. Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore.

Now..disconnect this PC from the internet (unplug the modem..etc.) as it MUST have no internet access.

Run the cleanup utility and reboot/logoff when prompted. On the reboot...boot directly to safe mode. Once in safe mode Run KILL box. Paste the following locations into KILL BOX one at a time. Checkmark the box that says "Delete on Reboot" and checkmark the box "Unregister DLL" (If available) Click the RED X and it will ask to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot.

**Note** You may not have all these files..but try each one to make sure!

C:\WINDOWS\system32\Tibs3.exe
C:\WINDOWS\system32\drct16.dll
C:\WINDOWS\system32\vdmt16.sys
C:\WINDOWS\system32\winlow.sys
C:\WINDOWS\system32\WaiZ.
C:\WINDOWS\system32\w32tm.exe
C:\WINDOWS\System32\mszx23.exe
C:\WINDOWS\webx1.exe
C:\WINDOWS\System32\sharamon.dll

On the reboot choose SAFE mode

Double click on the fixhx.reg we made earlier and merge it to the registry. Choose YES when it asks to merge.

Run Killbox again and clear the temp files
- choose Tools > Delete Temp Files and click OK.

Open Windows Explorer and navigate to the C:\Windows\System32 folder
You will likely want the details view and to sort the files by DATE (Arrange icons --> modified)

Have a look for the following files (which should all be about the same date)
Some of them may not be present and there may be some which I haven't listed.

C:\WINDOWS\system32\mszx23.exe
C:\WINDOWS\system32\Tibs3.exe
C:\WINDOWS\system32\w32tm.exe
C:\WINDOWS\system32\drct16.dll
C:\WINDOWS\system32\cz.dll
C:\WINDOWS\system32\vdmt16.sys
C:\WINDOWS\system32\hz.dll
C:\WINDOWS\system32\winlow.sys
C:\WINDOWS\system32\wz.dll
C:\WINDOWS\system32\p2.ini
C:\WINDOWS\system32\es.
C:\WINDOWS\system32\WaiZ.
C:\WINDOWS\system32\z.
C:\WINDOWS\system32\—I0?+opes.
C:\WINDOWS\system32\slowIsys.
C:\WINDOWS\system32\zININEwz.
C:\WINDOWS\system32\2Ioso.
C:\WINDOWS\system32\3d.
C:\WINDOWS\system32\|msz.

If you find these files delete them. Use KILLBOX again if need be in the same method as before.

There are several registry entries you will have to check. You should manually check your registry for such items, using the link at Symantec as a guide...

Once you're finished, reconnect your PC to the internet and reboot. Once rebooted, run the fixhx.reg again and then run the cleanup utility. Don't forget to update your antivirus. Post another hijackthis log when finished and let me know the outcome.
Attached Files
File Type: txt fixhx.txt (1.1 KB, 0 views)

"UNQUOTE

I don't know how to attach files to this forum. But the content of this fixhx.txt is simple - you can cut and paste it from below and make your own fixhx.txt.

REGEDIT4


[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vdmt16]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\winlow]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ENUM\ROOT\LEGACY_WINLOW]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ENUM\ROOT\LEGACY_VDMT16]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\memlow]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ENUM\ROOT\LEGACY_MEMLOW]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\drct16]


[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"secboot"=-
"tibs3"=-

[HKEY_LOCAL_MACHINE\SYSTEM\RAdmin\v2.0\Server\Parameters]
"Disable TrayIcon"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control]
"StackSize"=-
"Impersonate"=-

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion]
"hws"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Session Manager\Memory Management]
"EnforceWriteProtect"=-
"hws"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"EnforceWriteProtect"=-
"hws"=-

Good luck!
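
An added example, not part of the original thread or of the quoted fix: a small Python parser that lists what a .reg file like the fixhx.reg text above would do before it is merged. In this format a bracketed key with a leading minus deletes that key and its subkeys, and a "name"=- line deletes one value; the function names and the sample excerpt are constructed here for illustration.

```python
import re

# Constructed sample: a few lines excerpted from the fixhx.reg text in the post above.
SAMPLE_REG = r'''REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vdmt16]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\drct16]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"secboot"=-
"tibs3"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"EnforceWriteProtect"=-
'''

KEY_RE = re.compile(r'^\[(-?)(.+)\]$')                      # [KEY] or [-KEY]
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')  # "name"=data or @=data

def audit_reg(text):
    """Return (header, actions); actions are (op, key, value_name) tuples."""
    lines = [ln.strip() for ln in text.splitlines()
             if ln.strip() and not ln.strip().startswith(';')]
    if not lines or lines[0] not in ('REGEDIT4', 'Windows Registry Editor Version 5.00'):
        raise ValueError('missing .reg header')
    actions, current = [], None
    for ln in lines[1:]:
        m = KEY_RE.match(ln)
        if m:
            if m.group(1):  # leading '-' : the whole key is removed
                actions.append(('delete-key', m.group(2), None))
                current = None
            else:
                current = m.group(2)
            continue
        m = VALUE_RE.match(ln)
        if not m or current is None:
            raise ValueError('unparsed line: %r' % ln)  # fail closed (e.g. hex continuation lines)
        name = m.group(1) if m.group(1) is not None else '@'
        op = 'delete-value' if m.group(3).strip() == '-' else 'set-value'
        actions.append((op, current, name))
    return lines[0], actions

def adds_anything(actions):
    """True if the file writes any value, i.e. it is not purely a cleanup file."""
    return any(op == 'set-value' for op, _, _ in actions)

if __name__ == '__main__':
    for op, key, name in audit_reg(SAMPLE_REG)[1]:
        print(op, key, name or '')
```

A cleanup file of this kind should produce only delete-key and delete-value actions; any set-value action is a reason to read that line closely before merging.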
 