
New Nasty Critter 2


drathz

Programmer
Jan 16, 2002
5
US
There is something new out there that has me stumped at the moment. On my home PC, Internet Explorer likes to fire up on its own, and it goes to a website called horseserver.net/redir which redirects me to a pornographic site called workeverytime.com/vo. I have Norton Antivirus with current updates, and it finds nothing. I have Ad-Aware SE Professional, and it finds nothing. I have performed a couple of other online scans as well as Microsoft's new spyware scan. Still nothing. Also, ZoneAlarm alerts me on startup that explorer.exe is trying to act as a server. Also, Ad-Aware tells me about several attempts to change my registry, which involve making this horseserver.net/redir my new home page. It also tries to add a registry entry to run a file at startup called mszx23.exe located in my windows/system32 directory. I have deleted that file when I booted in safe mode, but it keeps re-creating itself.

I have also studied HijackThis logs, and nothing. All processes look legit. I searched and found a few other forums where others were having this same problem. No one has a solution yet. Let me know if anyone else has this problem, and/or if they have found a solution for it yet. Thanks.
 
What version of Windows are you running?
 
I have Windows XP Professional with SP1 and with all the current Microsoft security updates. I have been monitoring the computercops forum for answers to this (thanks), and I am also monitoring a discussion on this at newbie.org:
 
With a critter like that...

you definitely need to turn off System Restore, then delete all Restore Points...

Boot into Safe Mode and do the repairs there... like running Ad-Aware, Spybot S&D, MS new/old Giant, etc. twice or even better thrice, then run HijackThis! v1.99.0 and have it clean the rest...

I would then run a registry fixer, like RegHealer or JV16 PowerTools, and NT-RegOpt...



Ben

If it works don't fix it! If it doesn't use a sledgehammer...
 
After you do all these things and before you reboot, clear your cache & history files.
 
Just to update on this situation. I have tried a lot of things, including all the suggestions on this thread. This critter is not getting picked up by any antivirus or antispyware program at this time. The HijackThis logs all appear to be valid processes. It seems that conventional fixing methods don't work for this one. I am continuing to monitor other message boards, and there appears to be a lot more of this critter out there. If you do a web search for "horseserver net", there are a lot of hits out there now. That wasn't the case just a couple of days ago. I am hopeful that a fix will be coming soon. I've never seen one this bad.
 
Hmmm... sounds like this critter is hiding itself somewhere... possibly in the MBR of the hard drive...

Other than trying FIXMBR, I am at a loss at the moment, as I haven't gotten hold of this critter and/or been bombed by it...


Ben

If it works don't fix it! If it doesn't use a sledgehammer...
 
I was finally able to rid myself of this critter. I will explain in case anyone else has the same problem. It turned out that there were 6 primary files involved (all in windows/system32 folder):
mszx23.exe
drct16.dll
klogini.dll
klo5.sys
tmpf00.exe
tmpf01.exe
I booted in safe mode w/DOS prompt and deleted 5 of them. The drct16.dll file wouldn't let me delete it. I was able to rename it to something safe (I used yyy.zzz). I then rebooted into regular safe mode, and searched the registry for references to the above file names, and found a few. I deleted the references. I then rebooted in safe mode with networking so I could run a full virus scan with updates, as well as run an ad-aware check for any lingering residue the virus might have left. It turns out that this is a cousin of a known virus that Symantec just discovered called Backdoor.Haxdoor.D. It seems to have all come from the same place. I had some lingering files from that virus as well on my computer, and followed Symantec's instructions for eliminating it as well. When I finally rebooted into normal mode, I went ahead and deleted my yyy.zzz file, and all was well. I have no other problems (so far), and my computer is running as fast as ever. I hope this helps someone else out.
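The resolution above comes down to two things: a fixed list of file names in system32 and the registry values that reference them (the Run entry for mszx23.exe and the hijacked Internet Explorer start page from the first post). The following is an added example by the editor, not code from the thread, that automates the "search the registry for references to the above file names" step against a `reg export` text file. The indicator names and the two domains come from the thread; the sample export embedded in the script is constructed for illustration, and the registry locations it uses (a Run value, the IE Start Page, AppInit_DLLs) are assumed, not a claim about where this particular sample actually persisted.

```python
"""Hunt a Windows .reg export for references to known-bad file names and
hijacked browser values, and turn the hits into reg.exe commands.

Added example by the editor (not from the thread). Indicator file names
and domains are those named in the thread; SAMPLE_REG is constructed and
its key locations are assumptions for illustration only.
"""
import re

# Indicators from the thread's resolution and first post.
INDICATOR_FILES = {
    "mszx23.exe", "drct16.dll", "klogini.dll",
    "klo5.sys", "tmpf00.exe", "tmpf01.exe",
}
INDICATOR_HOSTS = {"horseserver.net", "workeverytime.com"}

# Constructed sample in the format produced by
#   reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg
# One value is stored as hex(2) (REG_EXPAND_SZ, UTF-16LE) across a
# continuation line to show that plain text search would miss it.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"mszx23"="C:\\WINDOWS\\system32\\mszx23.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://horseserver.net/redir"
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=hex(2):64,00,72,00,63,00,74,00,31,00,36,00,2e,00,\
  64,00,6c,00,6c,00,00,00
'''

_KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]\s*$')
_VALUE_RE = re.compile(r'^(?P<name>@|"(?:[^"\\]|\\.)*")=(?P<data>.*)$')


def _logical_lines(text):
    """Join .reg continuation lines (hex data ends a physical line with '\\')."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if buf:
            line = line.lstrip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf


def _decode_data(data):
    """Return the searchable text form of a value's data field."""
    if data.startswith('"') and data.endswith('"'):
        # REG_SZ: unescape the export's \\ and \" sequences.
        return data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    m = re.match(r'hex(?:\((?P<t>\d+)\))?:(?P<body>.*)$', data)
    if m:
        try:
            raw = bytes.fromhex(m.group('body').replace(',', ''))
        except ValueError:
            return data
        if m.group('t') in ('2', '7'):
            # REG_EXPAND_SZ / REG_MULTI_SZ are exported as UTF-16LE bytes.
            return raw.decode('utf-16-le', errors='replace').replace('\x00', ' ')
        return raw.decode('latin-1')
    return data  # dword:..., etc. are searched as written


def scan_reg_export(text):
    """Return (key, value name, decoded data, indicator) for every value
    whose data mentions an indicator file name or domain."""
    hits = []
    key = None
    for line in _logical_lines(text):
        km = _KEY_RE.match(line)
        if km:
            key = km.group('key')
            continue
        vm = _VALUE_RE.match(line)
        if not vm or key is None:
            continue
        name = vm.group('name').strip('"')
        data = _decode_data(vm.group('data').strip())
        low = data.lower()
        for ioc in sorted(INDICATOR_FILES | INDICATOR_HOSTS):
            if ioc in low:
                hits.append((key, name, data, ioc))
    return hits


def remediation_commands(hits):
    """Turn hits into reg.exe commands for the Safe Mode prompt. Returned
    as strings so they can be reviewed before anything is run."""
    cmds = []
    for key, name, _data, ioc in hits:
        if ioc in INDICATOR_HOSTS:
            # Reset hijacked browser values instead of deleting them.
            cmds.append(f'reg add "{key}" /v "{name}" /t REG_SZ /d about:blank /f')
        else:
            cmds.append(f'reg delete "{key}" /v "{name}" /f')
    return cmds


if __name__ == "__main__":
    found = scan_reg_export(SAMPLE_REG)
    for key, name, data, ioc in found:
        print(f"[{ioc}] {key}\\{name} = {data}")
    print("\n".join(remediation_commands(found)))
```

Run it against a real export by replacing SAMPLE_REG with the contents of a file written by `reg export`. The decoding step matters: a Run or AppInit_DLLs value stored as REG_EXPAND_SZ shows up in the export as comma-separated hex, so a plain text search for "mszx23.exe" would not find it. As the post above notes, a loaded DLL cannot be deleted while something still has it mapped; the thread's workaround of renaming it from the Safe Mode prompt and deleting it after the next reboot still applies once its registry references are gone.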
 
Thanks, and a star for posting the resolution.
 
Yeah, thanks for the Info...

keeping my fingers crossed that that won't happen to me or someone else...




Ben

If it works don't fix it! If it doesn't use a sledgehammer...
 
You wrote:
I have Windows XP Professional with SP1 and with all the current Microsoft security updates.

You are not up to date with all the security updates. There are major and minor security updates: SP2, and some after SP2. The ones after SP2 cannot be applied unless you have SP2.
 