Monday 29 December 2008

Haxfix version 5.0.52

Version 5.0.52
2008 12 29

Infection: Trojan Nethell

O2 - BHO: Gamburg provider - {59D94AAD-0A67-417e-969B-8311296E8364} - condw32.dll
O2 - BHO: Gamburg provider - {59D94AAD-0A67-417e-969B-8311296E8364} - contrld.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{59D94AAD-0A67-417e-969B-8311296E8364}

Files:
system32\alog.txt
system32\condw32.dll
system32\contrld.dll
system32\msft.txt
system32\ps1.dat
system32\rc.dat


Infection: Goldun

O20 - Winlogon Notify: swapdm - C:\WINDOWS\system32\swapdm.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\swapdm

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\swapm
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\swapm.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\swapm.sys

Files:
system32\k86.bin
system32\swapdm.dll
system32\swapm.sys


Other related files:
system32\vkj.bin


Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Sunday 28 December 2008

Haxfix version 5.0.51

Version 5.0.51
2008 12 28

Infection: TrojanSpy:Win32/Ambler.D - Trojan Nethell

O2 - BHO: Microsoft copyright - {0DDD155F-B89C-4f34-90F0-53D7BD21A37C} - mscont32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0DDD155F-B89C-4f34-90F0-53D7BD21A37C}

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5EB96953-7D02-4594-AC15-F55FC9AACFCB}]
"StubPath"="rundll32 mscont32.dll,InitModule"

Files:
system32\mscont32.dll
system32\sft.res


Infection: Troj/Ambler-G

O2 - BHO: Microsoft copyright - {32C620D6-CC10-4e6a-9715-BACACD5B0E61} - sxmg4.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{32C620D6-CC10-4e6a-9715-BACACD5B0E61}

O21 - SSODL: WebProxy - {A744F16C-B2D5-4138-81A2-085CDFCDE83A} - sxmg4.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebProxy"="{A744F16C-B2D5-4138-81A2-085CDFCDE83A}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A744F16C-B2D5-4138-81A2-085CDFCDE83A}]
"StubPath"="rundll32 sxmg4.dll,InitModule"

Files:
system32\lt.res
system32\sft.res
system32\sn.txt
system32\sxmg4.dll


Infection: Troj/Ambler-G

O2 - BHO: Microsoft copyright - {FFFFFFFF-BBBB-4146-86FD-A722E8AB3489} - sockins32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}

O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebProxy"="{66186F05-BBBB-4a39-864F-72D84615C679}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{66186F05-BBBB-4a39-864F-72D84615C679}]
"StubPath"="rundll32 sockins32.dll,InitModule"

Files:
system32\lt.res
system32\sft.res
system32\sn.txt
system32\sockins32.dll



Infection: SpyBanker - Trojan Nethell

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{01BE3276-1420-45b5-9762-172C5C184EB7}]
"StubPath"="rundll32 svchstb.dll,InitO"

File:
system32\svchstb.dll


Infection: Spybanker - Trojan Nethell

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{67525E1B-5B8E-41d4-AFCC-03CC04F141FA}]
"StubPath"="rundll32 rbsgam.dll,InitO"

Files:
system32\log.txt
system32\bb1.dat
system32\kaxs.dat
system32\ps1.dat
system32\rbsgam.dll
system32\rc.dat
%Windir%\inform.dat


Other files:

system32\kaxs.dat
system32\Spool\hpprintqueue.exe



Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Saturday 27 December 2008

Haxfix version 5.0.50

Version 5.0.50
2008 12 27

Infection: Goldun

O20 - Winlogon Notify: modzlib - C:\WINDOWS\system32\modzlib.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\modzlib

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\gzvba.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\gzvba.sys

Files:
system32\modzlib.dll
system32\gzvba.sys


Infection: Trojan-Downloader.Win32.BHO.aej - TrojanSpy:Win32/Ambler.D - Trojan-Dropper.Win32.Ambler

O2 - BHO: Google plugin - {18CACF0E-72A4-4be1-AA42-DC2ECDB197F1} - C:\WINDOWS\system32\kcms.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18CACF0E-72A4-4be1-AA42-DC2ECDB197F1}

Files:
system32\alog.txt
system32\bb1.dat
system32\kcms.dll
system32\mx
system32\ps1.dat
system32\rc.dat


Infection: Virus.Neshta - Trojan-Banker.Win32.Banker.ghd - TSPY_BANKER.LJU TrojanSpy:Win32/Ambler.A - Trojan-Spy.Win32.Banker

Files:
system32\accs.txt
system32\cookie.dat
system32\ps.dat



Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Friday 26 December 2008

Haxfix version 5.0.49

Version 5.0.49
2008 12 26

Infection: Goldun

O20 - Winlogon Notify: syncps - C:\WINDOWS\system32\syncps.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\syncps

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\syncmc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\syncmc.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\syncmc.sys

Files:
system32\syncmc.sys
system32\syncps.dll



Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Wednesday 24 December 2008

Haxfix version 5.0.48

Version 5.0.48
2008 12 24

Infection: Goldun

Updated the appinit detection.


Infection: Spy.Banker - TrojanSpy:Win32/Ambler.D

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{63845B64-69B6-4b9a-9461-C59B2AFDC0A9}

File:
system32\vgf32.dll


Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Tuesday 23 December 2008

Haxfix version 5.0.47

Version 5.0.47
2008 12 23

Infection: Goldun

Updated the appinit detection.


Infection: Spy.Banker - TrojanSpy:Win32/Ambler.D

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F6E0EF5F-5F03-43f9-8E02-BBAAA95EAA9C}

File:
system32\nods32.dll


Infection: Goldun

O20 - Winlogon Notify: modgzip - C:\WINDOWS\system32\modgzip.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\modgzip\modgzip

File:
system32\modgzip.dll



Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Saturday 20 December 2008

Haxfix version 5.0.46

Version 5.0.46
2008 12 20

Infection: Goldun

O20 - Winlogon Notify: snjava - C:\WINDOWS\system32\snjava.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\snjava

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\java2.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\java2.sys

Files:
system32\snjava.dll
system32\java2.sys


Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Friday 19 December 2008

Haxfix version 5.0.45

Version 5.0.45
2008 12 19

Infection: Goldun

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\gzvba.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\gzvba.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gzvba

File:
system32\gzvba.sys


Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Thursday 18 December 2008

Haxfix version 5.0.44

Version 5.0.44
2008 12 18

Infection: Goldun

O20 - Winlogon Notify: xliftm - C:\WINDOWS\system32\xliftm.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xliftm

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\xlift.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\xlift.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xlift

system32\cardb.dat
system32\xlift.sys
system32\xliftm.dll



Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Sunday 30 November 2008

Haxfix version 5.0.43

Version 5.0.43
2008 11 30

Infection: Goldun

O20 - Winlogon Notify: mckwave - C:\WINDOWS\system32\mckwave.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mckwave

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kwave

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\kwave.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\kwave.sys

Files:
system32\mckwave.dll
system32\kwave.sys
system32\drivers\mrxdavv.sys


Infection: Haxdoor

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sksdrvr2

File:
system32\sksdrvr2.sys


Infection: Goldun

O20 - Winlogon Notify: wrapkm - C:\WINDOWS\system32\wrapkm.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wrapkm
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wrapk

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wrapk.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\wrapk.sys

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"advap32"=""%Temp%\load2.exe" /r"

Files:
system32\wrapkm.dll
system32\wrapk.sys
windows\wiaserviv.log

Infection: Goldun

O20 - Winlogon Notify: sbrige - C:\WINDOWS\system32\sbrige.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sbrige

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sbunit.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sbunit.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sbunit

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"rs32net"="%System%\rs32net.exe"


Files:
system32\rs32net.exe
system32\sbrige.dll
system32\sbunit.sys



Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Saturday 29 November 2008

Haxfix down

I removed haxfix this afternoon from my site and from bleeping, because the tool cannot delete some of the latest goldun and haxdoor variants.

I found a solution, and the tool will be available again soon.

Monday 24 November 2008

Haxfix version 5.0.42

Version 5.0.42
2008 11 24
Infection: Haxdoor

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Microsoft Update" = "system.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
"Microsoft Update" = "system.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"Microsoft Update" = "system.exe"

File:
system32\system.exe


Infection: SpyBanker - Trojan Nethell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ABADC07C-9990-405a-AA24-2C209B50AE79}

File:
system32\svchstb.dll


Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Friday 21 November 2008

Haxfix version 5.0.41

Version 5.0.41
2008 11 21

Added the file mmsystem.dll to the whitelist.
It will no longer be detected as a "possible infected file".


Infection: Goldun

O20 - Winlogon Notify: priarsz - C:\WINDOWS\SYSTEM32\priarsz.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\priarsz


Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Monday 17 November 2008

Haxfix version 5.0.40

Version 5.0.40
2008 11 17

Infection: SpyBanker - Trojan Nethell

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2FDA60DF-6D94-4f16-A48C-3C4EC57FEF58}

File:
system32\nokia32.dll


Infection: Spy.Banker - Infostealer.Bancos

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{890C7964-9320-4055-BE11-7D7B562A6417}

Files:
system32\mstrans.dll
system32\mstrans1.dll


Infection: Goldun
O20 - Winlogon Notify: netwrp - C:\WINDOWS\SYSTEM32\netwrp.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\netwrp

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netwp

Files:
system32\netwrp.dll
system32\netwp.sys
system32\a9k.bin


Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Wednesday 12 November 2008

Haxfix version 5.0.39

Version 5.0.39
2008 11 12

Infection: SpyBanker - Trojan Nethell

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E8FD36B2-A25B-47e3-9477-82557F5F5995}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ECBA18CA-FF22-464c-A963-70BEC79D2485}

Files:
system32\cukert.dll
system32\masyan.dll
system32\savec32.dll



Infection: SpyBanker

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{60FD4F58-4748-48f6-B661-5FCE71B0D907}

File:
system32\torm.dll
system32\torm1.dll



Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Haxfix version 5.0.38

Version 5.0.38
2008 11 12

Infection: Haxdoor

O20 - Winlogon Notify: mt49hub - C:\WINDOWS\SYSTEM32\mt49hub.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mt49hub

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msvtch
"ImagePath" = "system32\msvtch.sys"
"DisplayName" = "Kernel Mode SND msvtcher"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\msvtch.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\msvtch.sys


Files:
system32\adrnln.bin
system32\mt49hub.dll
system32\msvtch.sys



Infection: SpyBanker

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{850C7964-9320-4055-BE11-7D7B562A6417}


Files:
system32\Helper.dll
system32\Helper1.dll
system32\mstrans.dll



Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Tuesday 11 November 2008

Haxfix version 5.0.37

Version 5.0.37
2008 11 11

Infection: Haxdoor

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\status]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tage32]
"ImagePath" = "system32\tage32.sys"
"DisplayName" = "NGate service"

Files:
system32\mprexe.exe
system32\snowx.ini
system32\status.dll
system32\tage32.sys
Windows\svchost32.exe


Infection: SpyBanker - Trojan Nethell

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{68DF1496-983B-9ED5-03A6-F78E3267FB52}]

Files:
system32\gh.dat
system32\nokia32.dll
system32\symdb32.dll


Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Sunday 9 November 2008

Haxfix version 5.0.36

Version 5.0.36
2008 11 09

Infection: Goldun

Added a new variant that is using the appinit key to load.
Filename is semi-random.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs" = "%System%\mms******.dll"

Files:
%System%\DefaultColor.info
%System%\mms******.dll



Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Wednesday 5 November 2008

Haxfix Version 5.0.35

Version 5.0.35
2008 11 05

Infection: Spybanker - Trojan Nethell

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5BEEFD1C-446F-48a7-A7C7-C8E5986A9760}]

File:
system32\rbsgam.dll


Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Sunday 2 November 2008

Haxfix Version 5.0.34

Version 5.0.34
2008 11 02

Infection: Goldun

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ctlsys]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mmctl]

Files:
system32\ctlsys.dll
system32\mmctl.sys


Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Saturday 1 November 2008

Haxfix version 5.0.33

Version 5.0.33
2008 11 01

Infection: Haxdoor / Goldun

O20 - Winlogon Notify: kryostm - C:\Windows\System32\kryostm.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\kryostm]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\kryo2.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\kryo2.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kryo2]
"DisplayName" = "CPU FUN Controller"


Files:
system32\kryostm.dll
system32\kryo2.sys


Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Friday 31 October 2008

Haxfix Version 5.0.32

Version 5.0.32
2008 10 31

Infection: Goldun

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mdhash]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mdhsh]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mdhsh.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mdhsh.sys]

Files:
system32\mdhash.dll
system32\mdhsh.sys


Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Sunday 26 October 2008

Haxfix version 5.0.31

Version 5.0.31
2008 10 26

Infection: Goldun

O21 - SSODL: oledll - {12345B67-1234-1234-D123-7F84D123BC7D} - C:\WINDOWS\System32\wmldap.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"oledll" = "{12345B67-1234-1234-D123-7F84D123BC7D}"

File:
System32\wmldap.dll


Infection: Goldun

O18 - Filter hijack: text/html - {DC186800-657F-11D4-B0B5-0050BABFC904} - C:\WINDOWS\system32\urikon.dll
O18 - Filter: text/plain - {DC186800-657F-11D4-B0B5-0050BABFC904} - C:\WINDOWS\system32\urikon.dll

O18 - Filter hijack: text/html - {DC186800-657F-11D4-B0B5-0050BABFC904} - C:\WINDOWS\system32\urinon.dll
O18 - Filter: text/plain - {DC186800-657F-11D4-B0B5-0050BABFC904} - C:\WINDOWS\system32\urinon.dll

O18 - Filter hijack: text/html - {DC186800-657F-11D4-B0B5-0050BABFC904} - C:\WINDOWS\system32\ursnon.dll
O18 - Filter: text/plain - {DC186800-657F-11D4-B0B5-0050BABFC904} - C:\WINDOWS\system32\ursnon.dll

O18 - Filter hijack: text/html - {DC186800-657F-11D4-B0B5-0050BABFC904} - C:\WINDOWS\system32\urunon.dll
O18 - Filter: text/plain - {DC186800-657F-11D4-B0B5-0050BABFC904} - C:\WINDOWS\system32\urunon.dll

O18 - Filter hijack: text/html - {DC186800-657F-11D4-B0B5-0050BABFC904} - C:\WINDOWS\system32\urwnon.dll
O18 - Filter: text/plain - {DC186800-657F-11D4-B0B5-0050BABFC904} - C:\WINDOWS\system32\urwnon.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html]
"CLSID" = "{DC186800-657F-11D4-B0B5-0050BABFC904}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/plain]
"CLSID" = "{DC186800-657F-11D4-B0B5-0050BABFC904}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DC186800-657F-11D4-B0B5-0050BABFC904}]

Files:
urikon.dll
urinon.dll
ursnon.dll
urunon.dll
urwnon.dll


Infection: Goldun

scrcki32.dll

If scrcki32.dll or scrcwi32.dll is present in the system32 folder, the default path in this registry key will have been modified:
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

HaxFix will restore the default value: %systemroot%\system32\shell32.dll


Other related files:
%System%\spool\c.ini
%System%\spool\desktops.ini
%System%\spool\dr.ini


Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Friday 24 October 2008

Haxfix Version 5.0.30

Version 5.0.30

Infection: Spybanker - Trojan.Nethell

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EF99D588-3D5F-4194-828A-E03870A57A77}]

system32\gcomd32.dll


Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Haxfix Version 5.0.29

Version 5.0.29
2008 10 24

Infection: Goldun

O2 - BHO: (no name) - {7ACB5731-5839-13AB-EABC-124791194525} - C:\WINDOWS\system32\msindeo.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7ACB5731-5839-13AB-EABC-124791194525}]

O21 - SSODL: msindeo.dll - {7ACB5731-5839-13AB-EABC-124791194525} - C:\WINDOWS\system32\msindeo.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"msindeo.dll" = "{7ACB5731-5839-13AB-EABC-124791194525}"

File:
system32\msindeo.dll


Infection: Haxdoor / Goldun

O20 - Winlogon Notify: acpiz - C:\WINDOWS\SYSTEM32\acpiz.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\acpiz]
O20 - Winlogon Notify: hpstp - C:\WINDOWS\SYSTEM32\hpstp.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hpstp]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\acup]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmram]

Files:
system32\acpiz.dll
system32\acup.sys
system32\dmram.sys
system32\hpstp.dll


Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Friday 17 October 2008

Haxfix Version 5.0.28

Version 5.0.28
2008 10 17

Infection: Goldun

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\netprp]

%System%\netprp.dll 23724 bytes
%System%\netrp.sys 8512 bytes

Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Tuesday 14 October 2008

Haxfix Version 5.0.27

Version 5.0.27
2008 10 14

Infection: SpyBanker

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2DB59DF5-544D-4A1C-8A74-1FD054950140}]

%System%\ipv6monl.dll


Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Sunday 12 October 2008

Haxfix instructions - updated

This article is an update for this one.


Download
You can download haxfix from my site, or from Bleeping Computer.
On both sites you will always find the latest version of the tool.

How to use?
Download haxfix.exe and save it to your desktop.
Double click on haxfix.exe to run it.
A red "dos window" (dos box) will open with these options:
· 1. Make logfile
· E. Exit Haxfix

After running option 1, you will get a new menu with all options:
· 1. Make logfile
· 2. Run auto fix
· 3. Run manual fix
· 4. Run unknown fix
· U. Uninstall Haxfix
· E. Exit Haxfix


Option 1. Make logfile..
When you use haxfix, always make a logfile first.
The logfile shows all services, safeboot services and notify keys that match the current haxdoor/goldun variants.
Haxfix checks for known SSODL keys related to Goldun.
Haxfix checks for known Browser Helper Objects (BHO) related to Goldun or SpyBanker infections.
Haxfix checks whether iexplore.exe is infected with a (known) goldun variant. If so, it looks for a clean alternative in the dllcache or the temp folder.
Haxfix checks for known goldun variants that use the appinit key to load. These filenames are random. Haxfix checks the MD5 checksum.
Haxfix checks for a lot of related haxdoor and goldun files. If present, haxfix lists them in the logfile. If the file is a rootkit file, haxfix marks it as a rootkit file.
Catchme.exe has been integrated in haxfix since version 4.43.
The logfile produced by Catchme is analysed by haxfix for matching haxdoor or goldun variants.
The logfile made by option 1 shows you whether a known infection is present on your computer.

Option 2. Run auto fix..
Option 2 deletes all haxdoor notify keys that are found when one or more matching services/safeboot services are present.
You can use option 2 if the notify keys that are found are related to haxdoor or goldun.
- If there is a notify key (xxxx) and the letters xxxx are found among the matching services or matching safeboot services, haxfix deletes them.
- If there is an unknown notify key or a legit notify key (xxxx) in the logfile, and there are no matching services/safeboot services (xxxx), haxfix will not delete the keys.
- If there is an unknown notify key or a legit notify key in the haxdoor logfile and a matching service, don't run option 2 (auto fix); use the manual fix (option 3) to add the key(s) manually.
- All known goldun variants are deleted with option 2.
- All known SpyBanker variants are deleted with option 2.
- If iexplore.exe is infected, haxfix can fix this without a reboot.

Option 3. Run manual fix..
This gives you the possibility to add one, or if necessary more than one, haxdoor key.
When you start option 3, you'll get this message:
Insert the haxdoorkey,
and then press Enter:
Insert the haxdoor key without the numbers (e.g. avpe, xtpt, fuxx, ...).
When this is a valid choice (there is a check against the services/safeboot services), the key is added to the delete list.
Next you have the possibility to add another key: Yes (press Y) or No (press N).
When do we use option 3?
Use option 3 if there are:
- unknown or legit notify keys with related services in the haxlog.txt file;
- no notify keys found, but haxdoor related services/safeboot services are present (be careful, don't add legit ones, because after the reboot they are all gone).
If you use option 3 to delete a haxdoor variant, and one or more goldun or SpyBanker variants are present too, all infections will be deleted.
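The rules for option 2 and option 3 above amount to one matching check between Winlogon Notify subkeys and the flagged services/safeboot services. The following Python is an added illustration of that check and is not Haxfix's own code (Haxfix is a batch tool and its real logic is not on this page); it assumes the "haxdoor key" is the name with its digits and any .sys suffix removed, that the input lists are the already-filtered findings a haxfix logfile reports, and it uses constructed sample names (avpe/fuxx/xtpt from the option 3 example, plus ScCertProp as a legitimate notify key) rather than data from a real system.

```python
import re

# Constructed sample, not a real haxfix log. The tool's logfile lists only the
# Winlogon Notify subkeys, services and SafeBoot entries it already matched
# against known Haxdoor/Goldun variants; these lists stand in for that output.
SAMPLE_NOTIFY_KEYS = ["avpe32", "ScCertProp", "xtpt16"]
SAMPLE_SERVICES = ["avpe32", "fuxx32"]
SAMPLE_SAFEBOOT = ["avpe32.sys", "fuxx32.sys"]


def haxdoor_key(name):
    """Reduce a notify/service/SafeBoot name to the 'haxdoor key' option 3 asks
    for (assumed rule): lower-case, drop a trailing .sys, drop all digits,
    so 'Avpe32.SYS' -> 'avpe'."""
    base = name.lower()
    if base.endswith(".sys"):
        base = base[:-4]
    return re.sub(r"\d", "", base)


def classify(notify_keys, services, safeboot):
    """Apply the option 2 rule to one logfile's findings.

    Returns a dict with three lists:
      auto_delete - notify keys whose letters match a flagged service or
                    SafeBoot entry; option 2 deletes these
      leave_alone - notify keys with no matching service/SafeBoot entry
                    (unknown or legitimate); option 2 leaves them untouched
      manual_fix  - haxdoor keys present as a service/SafeBoot entry but with
                    no notify key; these are the option 3 (manual fix) case
    """
    flagged = {haxdoor_key(s) for s in services} | {haxdoor_key(s) for s in safeboot}
    auto_delete, leave_alone = [], []
    for notify in notify_keys:
        if haxdoor_key(notify) in flagged:
            auto_delete.append(notify)
        else:
            leave_alone.append(notify)
    seen = {haxdoor_key(n) for n in notify_keys}
    manual_fix = sorted(flagged - seen)
    return {"auto_delete": auto_delete,
            "leave_alone": leave_alone,
            "manual_fix": manual_fix}


def validate_manual_key(key, services, safeboot):
    """Option 3 only accepts a key that has a matching service or SafeBoot
    entry; a key typed with its numbers still matches after normalisation."""
    wanted = haxdoor_key(key)
    known = {haxdoor_key(s) for s in list(services) + list(safeboot)}
    return bool(wanted) and wanted in known


if __name__ == "__main__":
    result = classify(SAMPLE_NOTIFY_KEYS, SAMPLE_SERVICES, SAMPLE_SAFEBOOT)
    for bucket, names in result.items():
        print(f"{bucket}: {', '.join(names) or '(none)'}")
    for candidate in ("fuxx", "fuxx32", "netlogon"):
        verdict = "accepted" if validate_manual_key(
            candidate, SAMPLE_SERVICES, SAMPLE_SAFEBOOT) else "rejected"
        print(f"manual key {candidate!r}: {verdict}")
```

With the sample input, avpe32 lands in auto_delete because its letters match both a service and a SafeBoot entry, ScCertProp and xtpt16 stay untouched because nothing matches them, and fuxx is reported as a service/SafeBoot pair with no notify key, which is exactly the situation the text reserves for option 3. The validation mirrors the tool's "valid choice" check: a key that no flagged service or SafeBoot entry shares letters with is rejected rather than queued for deletion.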


Option 4. Run unknown fix..
The logfile produced by Catchme will be analysed by haxfix for hax- or goldunvariants.
If a match is found, you can delete them by using option 4 - remove unknown.
(this only works with the variants that use notify and services regkeys.)
Variants that are not recognized by haxfix, but are detected by catchme, can now be deleted with haxfix.


Option U. Uninstall Haxfix..
This will remove all files and folders produced by haxfix.

Option E. Exit Haxfix..
Use option E to shut down haxfix.


A few remarks
If you see this in the logfile: registry settings failed, use this command: %systemdrive%\haxfix.exe /reset
If you don't get the logfile after reboot, use this command: %systemdrive%\haxfix.exe /after

More information about the tool can be found on my website.

Haxfix Version 5.0.26

Version 5.0.26
2008 10 12

Added detection for these Spy.Bankers:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2DB59DF5-544D-4A1C-8A74-1FD054950140}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D471CEA2-EDEC-4184-BE2E-574DD655DD2D}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7A4C0C8-2BFF-4241-9E8C-92E10245EC28}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{68D5BBF9-EED5-4125-B227-55F81540BF4D}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C8A3B994-E27A-42f5-A053-C63799E621FB}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3AAB6591-87DD-424b-AFF2-4685EBF6A5EF}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{47D92EB6-E52C-4cda-92A6-2369963F4913}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{33161E98-0A6C-4d3c-BD62-3A7D56137F52}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D21D9540-6415-4288-BDD0-4453088D9D38}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4C579E8B-92F1-44d1-9444-66A4355E9386}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{930247B4-16BE-48d2-87DD-86D7FB314639}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FF37362D-4088-4c36-AEF1-C167F9CD3DAD}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B9249083-6055-476c-A69D-13E110BFEA91}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{85911752-BC96-4fff-9121-6EB9D8F438E1}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7FED228E-A6F7-49aa-A0BC-76E0A67C53BB}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00EBB3B3-DEAD-4440-B1F8-B09DDDB89EF3}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9916AF04-5F23-4ae8-A2B1-1C4FF50B2A51}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D9A7B3B6-1F8A-4cf9-A20C-BDF427DBDB4A}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFFFFFFF-B432-46fc-9143-B82B832B1B14}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{096059FD-99AB-41eb-9E55-59AEB0A3B444}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFFFFFFF-DAD2-4a4c-848D-2CBFC6F0FD21}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFFFFFFF-D71D-41e4-A699-F506DBD097F0}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFFFFFFF-08DF-483c-BD3A-99CBCF44E4DC}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFFFFFFF-85A3-452b-B7A8-759AD9B42162}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0DE68A8A-8158-4bde-8F5F-849F00AF31FB}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFFFFFFF-8F0D-4322-B01F-B42439E0B71C}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B87D203B-B43D-4af9-9E1B-9C20478CBB74}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{21D7135F-AEE9-45e7-A0C1-791A4654BFF1}]


alivefor.dll
alog.txt
bagetionwll.dll
bb1.dat
bodrowis.dll
bsn32.dll
bsndcom.dll
btaskv.dll
bulgan.dll
comd32.dll
conf.dat
cookie1.dat
cs.dat
csm.txt
dcrick.dll
dna32v1.dll
drweb32.dll
duis.txt
es.dat
gwin32.dll
haskel32.dll
hnew32.dll
hyperconn.dll
hyperser.dll
IEBHO.dll
IEBHO0B.dll
IEBHO23.dll
ieguard.dll
interns32.dll
jetaccss.dll
jkcom32.dll
jzcom32.dll
kd.txt
knmld.dll
ktaskr.dll
lbbd32.dll
lbcd64.dll
mac.dll
mac1.dll
macaaq.dll
mcac.dll
msindc.dll
mvx.dat
nod32.dll
nortn32.dll
paruisd.dll
pidfenon.dll
pns32.dll
ppret2.dll
roadmap16.dll
ritz8.dll
rozmchild.dll
sac32.dll
siemens32.dll
simcard1.dll
sincim32.dll
sklh.dat
skrb32.dll
smb32.dll
sndcom.dll
strike12.dll
strike45.dll
svc32.dll
swin32.dll
tb.dr
tconn1.dll
tkcom32.dll
tlove2.dll
xd.txt
xmd.dat


Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Thursday 9 October 2008

Haxfix Version 5.0.25

Version 5.0.25
2008 10 09

Infection: Haxdoor - Infostealer

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\oedes]
system32\oedes.dll
system32\kedes.sys
system32\dadr.dat


Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Sunday 5 October 2008

Haxfix Version 5.0.24

Version 5.0.24
2008 10 05

Infection: Goldun

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mt47hub]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svitch]
mt47hub.dll
svitch.sys


Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Friday 3 October 2008

Haxfix Version 5.0.23

Version 5.0.23
2008 10 03

Infection: Goldun

Added detection for a new kind of file that uses the AppInit key.

Thursday 2 October 2008

Haxfix Version 5.0.22

Version 5.0.22
2008 10 02

Infection: Goldun

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D032570A-5F63-4812-A094-87D007C23012}]
%System%\IEBHO.dll


Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Monday 29 September 2008

Haxfix version 5.0.21

Version 5.0.21
2008 09 29

Infection: Trojan.Win32.Agent

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CIJBDYZA"="%systemroot%\CIJBDYZA.exe"

%System%\tremir.bin


Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Monday 22 September 2008

Haxfix version 5.0.20

Version 5.0.20
2008 09 22

Infection: Goldun

O20 - Winlogon Notify: asplug - C:\WINDOWS\SYSTEM32\asplug.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\asplug]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\asplg]
DirectSound KDriver: \??\C:\WINDOWS\SYSTEM32\asplg.sys

C:\WINDOWS\SYSTEM32\asplg.sys
C:\WINDOWS\SYSTEM32\asplug.dll

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"solo"=-


Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Thursday 18 September 2008

Haxfix version 5.0.19

Version 5.0.19
2008 09 18

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gzipmod]

gzipmod.dll
vbagz.sys


Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Monday 15 September 2008

Haxfix Version 5.0.18

Version 5.0.18
2008 09 15

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ddrawxt]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cabpck]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"braviax"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"braviax"=-

Files:
ddrawxt.dll
cabpck.dll
ddraw.sys
krnlcab.sys
braviax.exe

I changed the script that checks for other haxdoor and goldun files.
If known rootkit files are present, haxfix will find and delete them.


Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Thursday 11 September 2008

Haxfix Version 5.0.17

Version 5.0.17
2008 09 11

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMedia16"="wmedia16.exe"

%windir%\system32\wmedia16.exe
%windir%\wmedia16.exe


Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Haxfix Version 5.0.16

Version 5.0.16
2008 09 10

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hinet
hinet.dll
ddram.sys


Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Monday 8 September 2008

Haxfix version 5.0.15

Version 5.0.15
2008 09 07

Added:
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\spndt.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\spndt.sys]


Fixed a bug with some of the newer goldun variants that use the notify key.
Sometimes this notify key is hidden.


Added detection for these browser helper objects:

Haxfix deletes the CLSID and the file.


Added detection for goldun variants that use the AppInit key.
Detection is done by MD5 check: 21 different MD5s at this moment.

Matching files that are not detected by the MD5 check will be enumerated.
May I ask you to upload these files in my bleeping channel: http://www.bleepingcomputer.com/submit-malware.php?channel=11


Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Saturday 30 August 2008

Haxfix Version 5.0.14

Version 5.0.14
2008 08 30

Files:
berzk.dll
core3.sys
irptp.sys
meth.bin
meth.plg
powerxt.dll
spndt.sys
xatcore.dll

Notifykeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\powerxt
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xatcore

Services:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\core3
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\irptp
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\spndt

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\core3.sys


Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Tuesday 26 August 2008

Haxfix version 5.0.13

Version 5.0.13
2008 08 26

Files:
windows\servicez.exe
windows\nvchost.exe
windows\winlogon.exe
system32\alog.txt
system32\crypto64.dll
system32\csrcli32.dll
system32\dpl.txt
%System%\info.txt
system32\NGIX.bin
system32\ntld.bin
system32\preved.bat
system32\ps1.dat
system32\rc.dat
system32\rdata.bin
system32\rhs.bin
system32\scrcwi32.dll
system32\sms.bat
system32\sys32time.dll
system32\winsms.bat
system32\winsms.dll
system32\cryptmd5.dll
system32\datcom.dll
system32\datmps.dll
system32\droute.dll
system32\dwave.sys
system32\dx9sr.sys
system32\emulx86.sys
system32\hdtvu6.dll
system32\hooka.sys
system32\ke64boot.dll
system32\kteproc.sys
system32\mcrwave.dll
system32\necsopp.sys
system32\nkudpn1.sys
system32\pcixm.sys
system32\pcixmm.dll
system32\pemulx86.dll
system32\routew.dll
system32\rotw.sys
system32\stfilter.dll
system32\syncm.sys
system32\syslink.dll
system32\tehlink0.dll
system32\tehlink5.sys
system32\wlite.sys

Notifykeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptmd5
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\datcom
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\datmps
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\droute
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hdtvu6
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ke64boot
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mcrwave
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pcixmm
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pemulx86
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\routew
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\stfilter
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\syslink
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tehlink0

Services:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dwave
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dx9sr
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\emulx86
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hooka
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kteproc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\necsopp
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nkudpn1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pcixm
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rotr
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rotw
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\syncm
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tehlink5
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wlite


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\kteproc.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\kteproc.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\syncm.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\syncm.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wlite.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\wlite.sys

Runkeys:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nvchost"
"winlogon"
"Windows Services"
"KIT3"


Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Sunday 13 July 2008

Nothing for nothing!

Many computer users use cracks, patches or key generators to get that one little program they do not want to pay for working anyway.
Nothing for nothing: that is the message here too.

Most of the tricks that are available 'for free' on the internet to get non-free software working are not free at all. Without the user's knowledge, malware is installed on the computer along with them.
Malware that downloads and installs yet more malware.
Malware that causes you no end of trouble in the form of unsolicited advertisements.
These advertisements are often annoying; they pop up at the most inconvenient moments.
Search engines no longer return the results you want.
None of these are insurmountable problems; some people can live with them, others cannot.
Malware is often badly programmed too, and can make the computer unstable and slow: the computer is barely usable any more.
A high price to pay to get that one program you do not want to pay for working.
Having the problems fixed by the computer shop around the corner often costs you a pretty penny. Often more than if you had simply bought the program you wanted to use illegally.


Not convinced yet?
The side effects of cracks and key generators mentioned above are often not the end of it.
The days when malware authors only sent you to 'their favourite' websites are long gone.
If your computer is infected with malware, depending on the infection it can be put to work in botnets. Your computer can be used, among other things, to carry out DDoS attacks or to send out (massive) amounts of spam.
Others have more control over the computer than you do yourself...
Certain malware can also forward itself to your contacts, who you then saddle with the same problems.

But malware authors want even more.
They are after your personal information, the data you use on the internet for, say, online banking.
They try to obtain this information from you in various ways, and the methods they use go far, very far.
You do not do your online banking on this computer, but maybe on another computer in the network? No problem. The malware can also nest itself on other computers via your network or via portable media.


This whole story is about money.
Money that you do not want to pay for certain software. The other side of the story is also about money. They want to make you buy products by showing you tempting advertisements, and in the worst case they want your bank details in order to take money from your bank account...


Using illegally obtained software always causes problems.
Not only for you, but also for other users of the internet.
As a fellow user, you too have a responsibility to keep the World Wide Web liveable and to counter the spread of malware.


Using illegally obtained software is not fair to the makers of these programs. They invest time and money in developing this software, and deserve something in return.
If you still do not want to pay for software, look for free alternatives, because they really do exist.

Using legally obtained software can save you a lot of trouble!

Thursday 10 July 2008

Haxfix version 5.0.12

2008 07 10
Version 5.0.12
O20 - Winlogon Notify: lstream - C:\WINDOWS\SYSTEM32\lstream.dll
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\lstream
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fsxxd
XD FileSystemDriver: \??\C:\WINDOWS\System32\fsxxd.sys (system)
lstream.dll
fsxxd.sys


Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Tuesday 20 May 2008

Haxfix Version 5.0.11

2008 04 23
O20 - Winlogon Notify: divxps - C:\WINDOWS\SYSTEM32\divxps.dll
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\divxps
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\klite
KLite Codec 3.0: \??\C:\WINDOWS\System32\klite.sys (system)
divxps.dll
klite.sys


Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Haxfix Version 5.0.10

2008 04 22
Added the uninstall option to the menu

Monday 21 April 2008

Beautiful Day

Yesterday I was in South America for almost an hour and a half.
I could not believe what I saw and what I heard.
I was among a few tens of thousands of screaming U2 fans.
It was a wonderful experience. It was amazing.
I think I was at a place... where the streets have no name... a place where we are all together as One.
If you like U2, come and go to this place.
Go and see the movie U23D.

Saturday 19 April 2008

Haxfix version 5.00.9

Version 5.00.9
2008 04 19
O20 - Winlogon Notify: divxrs - C:\WINDOWS\SYSTEM32\divxrs.dll
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\divxrs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dprot.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dprot
DTM Protector: \??\C:\WINDOWS\System32\dprot.sys (system)
divxrs.dll
dprot.sys


Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Monday 31 March 2008

Haxfix version 5.00.8

Version 5.00.8
2008 03 31
O20 - Winlogon Notify: ibudu - C:\WINDOWS\SYSTEM32\ibudu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ibudu
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\itcoe
itcoe adapter \\??\C:\WINDOWS\System32\itcoe.sys (system)
ibudu.dll
itcoe.sys


Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Sunday 23 March 2008

Haxfix

Maybe you know, maybe you don't, but I made a small removal tool (haxfix) to delete haxdoor and goldun infections.
http://users.telenet.be/marcvn/tools/haxfix.exe
http://download.bleepingcomputer.com/marckie/haxfix.exe


When you start haxfix, you will get a menu with 4 options.

Option 1: Make logfile
If you use haxfix, always make a log file first.
The logfile shows all services, safeboot services and notify keys that match the current haxdoor/goldun variants.
Haxfix checks for known SSODL keys related to goldun.
Haxfix also checks whether iexplore.exe is infected with a (known) goldun variant. If so, it looks for a clean copy in the dllcache or the temp folder.
Catchme.exe has been integrated into haxfix since version 4.43 (thank you, Gmer).
The logfile produced by Catchme is analysed by haxfix for matching haxdoor or goldun variants.


Option 2: Run auto fix
Option 2 deletes all haxdoor notify keys that are found when one or more matching services/safeboot services are present.
You can use option 2 if the notify keys that are found are related to haxdoor or goldun.
- If there is a notify key (xxxx) and the letters xxxx are found among the matching services or matching safeboot services, haxfix deletes them.
- If there is an unknown notify key or a legit notify key (xxxx) in the logfile, and there are no matching services/safeboot services (xxxx), haxfix will not delete the keys.
- If there is an unknown notify key or a legit notify key in the haxdoor logfile and a matching service, don't run option 2 (auto fix) but use the manual fix (option 3) to add the key(s) manually.
- All known goldun variants will be deleted with option 2.
- If iexplore.exe is infected, haxfix can fix this without a reboot.


Option 3: Run manual fix
This gives you the possibility to add one or, if necessary, more than one haxdoor key.
When you start option 3, you'll get a message:

Insert the haxdoorkey,
and then press Enter:

Insert the haxdoor key without the numbers (e.g. avpe, xtpt, fuxx, ...).
When this is a valid choice (there is a check against the services/safeboot services), the key is added to the list of keys to delete.
Next you have the possibility to add another key: Yes (press Y) or No (press N).
When do we use option 3?
Use option 3 if there are:
- unknown or legit notify keys with related services in the haxlog.txt file.
- no notify keys found, but there are haxdoor related services/safeboot services (be careful, don't add legit ones, because after the reboot they are all gone).
If you use option 3 to delete a haxdoor variant and one or more goldun variants are present too, all infections will be deleted.
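The decision rule behind options 2 and 3, as an added example in Python that is not haxfix's own code (haxfix is a batch tool and its logfile format is not shown here). The sample notify keys, services and safeboot entries are constructed from the "avpe" and "xtpt" examples above, and the "letters xxxx are found among the matching services" rule is modelled as comparing names with their digits and .sys extension stripped, which is an assumption about how haxfix matches:

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set


def stem(name: str) -> str:
    """Reduce a notify key, service or safeboot entry to the 'haxdoorkey
    without the numbers' that option 3 asks for: drop a trailing .sys,
    strip digits, lower-case. Example: 'avpe64.sys' -> 'avpe'.
    (Assumed matching rule, not verified against haxfix itself.)"""
    name = re.sub(r"\.sys$", "", name, flags=re.IGNORECASE)
    return re.sub(r"\d+", "", name).lower()


@dataclass
class AutoFixPlan:
    delete: List[str] = field(default_factory=list)  # notify keys option 2 removes
    keep: List[str] = field(default_factory=list)    # unknown/legit keys left in place
    manual: List[str] = field(default_factory=list)  # stems for option 3 (service, no key)


def plan_auto_fix(notify_keys: List[str], services: List[str],
                  safeboot: List[str]) -> AutoFixPlan:
    """Option 2 rule: a Winlogon Notify key is deleted only when its letters
    also appear among the matching services or safeboot services; any other
    notify key (unknown or legitimate) is left alone.  The inputs are the
    *matching* services/safeboot entries the logfile reports, not every
    service on the machine."""
    service_stems: Set[str] = {stem(s) for s in services} | {stem(s) for s in safeboot}
    plan = AutoFixPlan()
    matched: Set[str] = set()
    for key in notify_keys:
        if stem(key) in service_stems:
            plan.delete.append(key)
            matched.add(stem(key))
        else:
            plan.keep.append(key)
    # Matching services with no deletable notify key: exactly the case the
    # text says not to handle with auto fix but with the manual fix.
    plan.manual = sorted(service_stems - matched)
    return plan


def recommend_option(plan: AutoFixPlan) -> Optional[int]:
    """3 when a matching service has no notify key to auto-delete,
    2 when every matching service is covered, None when nothing matches."""
    if plan.manual:
        return 3
    if plan.delete:
        return 2
    return None


# Constructed sample: 'avpe' and 'xtpt' are the haxdoorkey examples from the
# text, numbered here the way the numbered variants would appear; ScCertProp
# is a legitimate Windows XP notify key and must survive option 2.
SAMPLE_NOTIFY = ["avpe32", "ScCertProp"]
SAMPLE_SERVICES = ["avpe64"]
SAMPLE_SAFEBOOT = ["avpe64.sys", "xtpt32.sys"]

if __name__ == "__main__":
    p = plan_auto_fix(SAMPLE_NOTIFY, SAMPLE_SERVICES, SAMPLE_SAFEBOOT)
    print("auto-delete:", p.delete)                   # ['avpe32']
    print("left alone :", p.keep)                     # ['ScCertProp']
    print("option 3   :", p.manual)                   # ['xtpt']
    print("recommended option:", recommend_option(p))  # 3
```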


Option 4: Run unknown fix
The logfile produced by Catchme is analysed by haxfix for haxdoor or goldun variants.
If a match is found, you can delete them by using option 4 - remove unknown.
(This only works with the variants that use notify and services registry keys.)
Variants that are not recognized by haxfix, but are detected by Catchme, can now be deleted with haxfix.


A few remarks:
If you see this in the logfile: registrysettings failed
use this command: %systemdrive%\haxfix.exe /reset

If you don't get a logfile after reboot:
use this command: %systemdrive%\haxfix.exe /after



You can find more information about the tool on my website (or on the security boards).
http://users.pandora.be/marcvn/spyware/1541877.htm
http://users.pandora.be/marcvn/spyware/1585977.htm



Updates:
From now on, I will post all updates of haxfix here as well.


Version 5.00.1

2008 01 22
Goldun
O20 - Winlogon Notify: sha1hsh - C:\WINDOWS\SYSTEM32\sha1hsh.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sha1hsh
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sha1krnl
Kernel CryptoService: \??\C:\WINDOWS\System32\sha1krnl.sys (system)
sha1hsh.dll
sha1krnl.sys



Version 5.00.2

2008 01 28
Goldun
O20 - Winlogon Notify: px86emul - C:\WINDOWS\SYSTEM32\px86emul.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\px86emul
FPU emulation service: \??\C:\WINDOWS\system32\x86emul.sys (system)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\x86emul
px86emul.dll
x86emul.sys



Version 5.00.3

2008 02 20
Goldun
O20 - Winlogon Notify: alcomt - C:\WINDOWS\SYSTEM32\alcomt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\alcomt
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\alcom
alcom.sys
alcomt.dll



Version 5.00.4

2008 02 24
Goldun
O20 - Winlogon Notify: alcopt - C:\WINDOWS\SYSTEM32\alcopt.dll
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\alcopt
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\alcop
alcop server: \??\C:\WINDOWS\System32\alcop.sys (system)
alcop.sys
alcopt.dll



Version 5.00.5

2008 02 27
O20 - Winlogon Notify: mplink - C:\WINDOWS\SYSTEM32\mplink.dll
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mplink
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\fprot
FT StarForce Protector: \??\C:\WINDOWS\System32\fprot.sys (system)
mplink.dll
fprot.sys



Version 5.00.6

2008 03 16
O20 - Winlogon Notify: mp3res - C:\WINDOWS\SYSTEM32\mp3res.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mp3res
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xprot
XPROTECTOR Driver \??\C:\WINDOWS\System32\xprot.sys (system)
mp3res.dll
xprot.sys
k86.bin


Version 5.00.7

2008 03 20
O20 - Winlogon Notify: upsctl - C:\WINDOWS\SYSTEM32\upsctl.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\upsctl
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upscr
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\upscr.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\upscr.sys
hrs.bin
upscr.sys
upsctl.dll

Friday 15 February 2008

Who am I?

Unos, dos, tres, catorce!

With these words Bono kicked off several concerts of the Vertigo Tour.
And with the same words I want to start my very first post here.
A bit awkward, checked ten times for spelling mistakes, this has to go well!

Besides my family, my wife Kathleen and my son Jens, I have a few other passions: football, malware and music.

In the football world, the blue and black of Bruges dominates.
Club Brugge already made my heart beat faster in my childhood. Now the football passion, and especially the emotion, is a good deal less.
I used to be devastated after a defeat; now I can put it all in perspective a bit more easily. Age probably has something to do with it, I think.

Malware is another pastime.
You will often find me on all sorts of security forums, where I (aka Marckie) try to help people who have problems with malware.

Music, for me, means U2.
My first encounter with this band dates from 1982. I saw them live for the first time in 1983.
The songs, the music, they give me goosebumps every single time.

I am not in a place called Vertigo, I am in the city of blinding lights, where the streets have no name....and malware has no chance...