Monday 31 March 2008

Haxfix version 5.00.8

2008 03 31
O20 - Winlogon Notify: ibudu - C:\WINDOWS\SYSTEM32\ibudu.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ibudu
itcoe adapter \\??\C:\WINDOWS\System32\itcoe.sys (system)

Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Sunday 23 March 2008


Maybe you know, maybe you don't, but I made a small removal tool (haxfix) to delete Haxdoor and Goldun infections.

When you start haxfix, you get a menu with 4 options.

Option 1: Make logfile
If you use haxfix, always make a logfile first.
The logfile shows all services, safeboot services and notify keys that match the current Haxdoor/Goldun variants.
Haxfix checks for known SSODL (ShellServiceObjectDelayLoad) keys related to Goldun.
Haxfix also checks whether iexplore.exe is infected with a (known) Goldun variant. If so, it looks for a clean copy in the dllcache or the temp folder.
Catchme.exe has been integrated in haxfix since version 4.43 (thank you, Gmer).
The logfile produced by Catchme is analysed by haxfix for matching Haxdoor or Goldun variants.

Option 2: Run auto fix.
Option 2 deletes all Haxdoor notify keys that are found when one or more matching services/safeboot services are present.
You can use option 2 if the notify keys that are found are related to Haxdoor or Goldun.
- If there is a notify key (xxxx) and the letters xxxx are found among the matching services or matching safeboot services, haxfix deletes them.
- If there is an unknown notify key or a legit notify key (xxxx) in the logfile, and there are no matching services/safeboot services (xxxx), haxfix will not delete the keys.
- If there is an unknown notify key or a legit notify key in the haxdoor logfile and a matching service, don't run option 2 (auto fix) but use the manual fix (option 3) to add the key(s) by hand.
- All known Goldun variants are deleted with option 2.
- If iexplore.exe is infected, haxfix can fix this without a reboot.

Option 3: Run manual fix
This gives you the possibility to add one, or if necessary more than one, Haxdoor key.
When you start option 3, you get this message:

Insert the haxdoorkey,
and then press Enter:

Insert the haxdoorkey without the numbers (e.g. avpe, xtpt, fuxx, ...).
When this is a valid choice (there is a check against the services/safeboot services), the key is queued for deletion.
Next you have the possibility to add another key: Yes (press Y) or No (press N).
When do we use option 3?
Use option 3 if there are:
- unknown or legit notify keys with related services in the haxlog.txt file.
- no notify keys found, but Haxdoor-related services / safeboot services are present. (Be careful, don't add legit ones, because after the reboot they are all gone.)
If you use option 3 to delete a Haxdoor variant and one or more Goldun variants are present too, all infections are deleted.
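The option 2 and option 3 rules above boil down to one decision per notify key: is there a service or safeboot service that belongs to it, and is the key one that should be deleted automatically or only by hand? The following is an added example, not haxfix code, that applies those rules to a constructed log excerpt. Assumptions of mine, not stated in the post: the log is split into three labelled sections (the real haxlog.txt layout is not reproduced here); a key "matches" when either its name without the numbers (the form option 3 asks for, e.g. avpe for avpe32) appears in a service/safeboot line, or the driver that this post's version entries pair with it does; and a short allowlist of stock Windows XP notify subkeys stands in for the "legit" keys the post warns about.

```python
"""Added example (not haxfix code): option 2 / option 3 notify-key triage.

Assumptions: simplified three-section log layout; matching by key stem
(name minus digits) or by the notify-key -> driver pairs listed in this
post; a small allowlist of stock XP notify keys to flag "legit" entries."""
import re

# Notify key -> driver pairs taken from the version entries in this post.
KNOWN_VARIANTS = {
    "ibudu": "itcoe.sys",
    "sha1hsh": "sha1krnl.sys",
    "px86emul": "x86emul.sys",
    "alcopt": "alcop.sys",
    "mplink": "fprot.sys",
    "mp3res": "xprot.sys",
}

# Stock Winlogon\Notify subkeys of a clean Windows XP install (assumption:
# used only to flag keys that need a human decision, never to delete).
LEGIT_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

# Constructed log excerpt in a simplified layout (not the real haxlog.txt).
SAMPLE_LOG = r"""
[notify]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\alcopt
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\avpe32
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
[services]
alcop server \??\C:\WINDOWS\System32\alcop.sys (system)
avpe32 \??\C:\WINDOWS\System32\avpe32.sys (system)
Schedule C:\WINDOWS\system32\svchost.exe -k netsvcs (system)
xtpt16 \??\C:\WINDOWS\System32\xtpt16.sys (system)
[safeboot]
alcop.sys
avpe32.sys
"""


def parse_log(text):
    """Split the constructed log into notify key names, service lines and
    safeboot lines."""
    sections = {"notify": [], "services": [], "safeboot": []}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = header.group(1)
            continue
        if current in sections:
            sections[current].append(line)
    # A notify key is the last component of its registry path.
    sections["notify"] = [p.rsplit("\\", 1)[-1] for p in sections["notify"]]
    return sections


def stem(name):
    """The form option 3 asks for: the key name without digits (avpe32 -> avpe)."""
    return re.sub(r"\d", "", name).lower()


def has_match(name, sections):
    """True when a service or safeboot line carries the key's stem or the
    driver paired with it in KNOWN_VARIANTS."""
    needles = {s for s in (stem(name), KNOWN_VARIANTS.get(name.lower(), "")) if s}
    haystack = [l.lower() for l in sections["services"] + sections["safeboot"]]
    return any(n in line for n in needles for line in haystack)


def triage(text):
    """Classify every notify key the way the post describes option 2."""
    sec = parse_log(text)
    verdicts = {}
    for key in sec["notify"]:
        matched = has_match(key, sec)
        legit = key.lower() in LEGIT_NOTIFY
        if matched and not legit:
            verdicts[key] = "option2: delete (matching service/safeboot entry)"
        elif matched:
            verdicts[key] = "option3: legit key with a matching service, decide by hand"
        else:
            verdicts[key] = "keep: no matching service, option 2 leaves it alone"
    return verdicts


def manual_key_is_valid(name, text):
    """Option 3 check: a hand-entered key (without numbers) is accepted only
    when a service or safeboot entry carries it."""
    if name.lower() != stem(name):
        return False  # option 3 wants the key without the numbers
    return has_match(name, parse_log(text))


if __name__ == "__main__":
    for key, verdict in triage(SAMPLE_LOG).items():
        print(f"{key:14} {verdict}")
    for cand in ("xtpt", "avpe", "fuxx", "avpe32"):
        print(f"manual {cand!r}: {manual_key_is_valid(cand, SAMPLE_LOG)}")
```

In the sample, alcopt and avpe32 are deleted automatically, Schedule is a stock key whose name also appears in a service line and so falls under the option 3 warning, and crypt32chain has no related service and is left alone. The manual check accepts xtpt (a service exists) and rejects fuxx (none) and avpe32 (numbers not stripped), which is the "be careful, don't add legit ones" safeguard the post describes.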

Option 4: Run unknown fix.
The logfile produced by Catchme is analysed by haxfix for Haxdoor or Goldun variants.
If a match is found, you can delete them with option 4 - remove unknown.
(This only works for variants that use notify and services registry keys.)
Variants that are not recognized by haxfix but are detected by Catchme can now be deleted with haxfix.

A few remarks:
If you see this in the logfile: registry settings failed
use this command: %systemdrive%\haxfix.exe /reset

If you don't get a logfile after the reboot:
use this command: %systemdrive%\haxfix.exe /after

More information about the tool can be found on my website (or on the security boards).

From now on, I will post all updates of haxfix also here.

Version 5.00.1

2008 01 22
O20 - Winlogon Notify: sha1hsh - C:\WINDOWS\SYSTEM32\sha1hsh.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sha1hsh
Kernel CryptoService: \??\C:\WINDOWS\System32\sha1krnl.sys (system)

Version 5.00.2

2008 01 28
O20 - Winlogon Notify: px86emul - C:\WINDOWS\SYSTEM32\px86emul.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\px86emul
FPU emulation service: \??\C:\WINDOWS\system32\x86emul.sys (system)

Version 5.00.3

2008 02 20
O20 - Winlogon Notify: alcomt - C:\WINDOWS\SYSTEM32\alcomt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\alcomt

Version 5.00.4

2008 02 24
O20 - Winlogon Notify: alcopt - C:\WINDOWS\SYSTEM32\alcopt.dll
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\alcopt
alcop server: \??\C:\WINDOWS\System32\alcop.sys (system)

Version 5.00.5

2008 02 27
O20 - Winlogon Notify: mplink - C:\WINDOWS\SYSTEM32\mplink.dll
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mplink
FT StarForce Protector: \??\C:\WINDOWS\System32\fprot.sys (system)

Version 5.00.6

2008 03 16
O20 - Winlogon Notify: mp3res - C:\WINDOWS\SYSTEM32\mp3res.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mp3res
XPROTECTOR Driver \??\C:\WINDOWS\System32\xprot.sys (system)

Version 5.00.7

2008 03 20
O20 - Winlogon Notify: upsctl - C:\WINDOWS\SYSTEM32\upsctl.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\upsctl