Sunday 23 March 2008

Haxfix

Maybe you know, maybe you don't, but I made a small removal tool (haxfix) to delete haxdoor and goldun infections.
http://users.telenet.be/marcvn/tools/haxfix.exe
http://download.bleepingcomputer.com/marckie/haxfix.exe


When you start haxfix, you will get a menu with 4 options.

Option 1: Make logfile
If you use haxfix, always make a log file first.
The logfile shows all services, safeboot services and notify keys that match the current haxdoor/goldun variants.
Haxfix checks for known SSDOL keys related to goldun.
Haxfix also checks whether iexplore.exe is infected with a (known) goldun variant. If so, it looks for a clean alternative in the dllcache or the temp folder.
Catchme.exe has been integrated in haxfix since version 4.43. (Thank you, Gmer.)
The logfile produced by Catchme is analysed by haxfix for matching haxdoor or goldun variants.


Option 2: Run auto fix
Option 2 deletes all haxdoor notify keys that are found when one or more matching services/safeboot services are present.
You can use option 2 if the notify keys that are found are related to haxdoor or goldun.
- If there is a notify key (xxxx) and the letters xxxx are found among the matching services or matching safeboot services, haxfix deletes them.
- If there is an unknown notify key or a legit notify key (xxxx) in the logfile, and there are no matching services/safeboot services (xxxx), haxfix will not delete the keys.
- If there is an unknown notify key or a legit notify key in the haxdoor logfile and a matching service, don't run option 2 (auto fix) but use the manual fix (option 3) to add the key(s) manually.
- All known goldun variants will be deleted with option 2.
- If iexplore.exe is infected, haxfix can fix this without a reboot.


Option 3: Run manual fix
This gives you the possibility to add one, or if necessary more than one, haxdoor key.
When you start option 3, you'll get a message:

Insert the haxdoorkey,
and then press Enter:

Insert the haxdoor key without the numbers. (Ex: avpe, xtpt, fuxx, ...)
When this is a valid choice (there is a check against the services/safeboot services), the key is added to the delete list.
Next you have the possibility to add another key: Yes (press Y) or No (press N).
When do we use option 3?
Use option 3 if there are:
- unknown or legit notify keys with related services in the haxlog.txt file;
- no notify keys found, but haxdoor related services/safeboot services. (Be careful, don't add legit ones, because after the reboot they are all gone.)
If you use option 3 to delete a haxdoor variant, and one or more goldun variants are present too, all infections will be deleted.


Option 4: Run unknown fix
The logfile produced by Catchme is analysed by haxfix for haxdoor or goldun variants.
If a match is found, you can delete them by using option 4 - remove unknown.
(This only works with the variants that use notify and services registry keys.)
Variants that are not recognized by haxfix, but are detected by Catchme, can now be deleted with haxfix.
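To make the option 2 and option 3 rules above concrete, here is an added example in Python (my own illustration, not haxfix's code, which is a Windows tool). The log layout and the sample lists NOTIFY, SERVICES and SAFEBOOT are constructed: the malicious names come from this page's update log, crypt32chain stands in for a legitimate notify key, and Browser for a legitimate service.

```python
import re

# Known goldun (notify key, service) pairs, copied from this page's update log.
KNOWN_GOLDUN = {("sha1hsh", "sha1krnl"), ("px86emul", "x86emul"), ("alcomt", "alcom"),
                ("alcopt", "alcop"), ("mplink", "fprot"), ("mp3res", "xprot"),
                ("upsctl", "upscr")}

# Constructed sample of what a haxfix-style log might list (layout is an assumption).
NOTIFY = ["upsctl", "avpe32", "crypt32chain"]        # Winlogon\Notify\<name>
SERVICES = ["upscr", "avpe32", "avpe64", "Browser"]  # Services\<name>
SAFEBOOT = ["upscr.sys", "avpe32.sys"]               # SafeBoot\Minimal|Network\<entry>


def letters(name):
    """The key 'without the numbers': 'avpe32' -> 'avpe', 'upscr.sys' -> 'upscr'."""
    return re.sub(r"\d+$", "", name.lower().split(".")[0])


def present_letters(services, safeboot):
    """Letter stems of every service and safeboot service in the log."""
    return {letters(s) for s in services} | {letters(s) for s in safeboot}


def auto_fix(notify_keys, services, safeboot):
    """Option 2 rule: a notify key is deleted only when its letters also appear among
    the services/safeboot services, or when it is a known goldun pair. Anything else
    (unknown or legit) is left alone. Returns (to_delete, left_alone)."""
    present = present_letters(services, safeboot)
    delete, keep = [], []
    for key in notify_keys:
        k = key.lower()
        goldun = any(k == n and s in present for n, s in KNOWN_GOLDUN)
        (delete if goldun or letters(k) in present else keep).append(key)
    return delete, keep


def manual_fix(key, services, safeboot):
    """Option 3 check: a key typed without numbers is accepted only if a matching
    service or safeboot service exists. Note that this proves existence, not that the
    service is malicious, which is why the page warns against adding legit ones."""
    return letters(key) in present_letters(services, safeboot)


if __name__ == "__main__":
    to_delete, left_alone = auto_fix(NOTIFY, SERVICES, SAFEBOOT)
    print("option 2 would delete:", to_delete)    # ['upsctl', 'avpe32']
    print("left for review:", left_alone)        # ['crypt32chain']
    print("option 3 accepts 'avpe':", manual_fix("avpe", SERVICES, SAFEBOOT))  # True
    print("option 3 accepts 'xtpt':", manual_fix("xtpt", SERVICES, SAFEBOOT))  # False
```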


A few remarks:
If you see this in the logfile: registrysettings failed
use this command: %systemdrive%\haxfix.exe /reset

If you don't get a logfile after reboot:
use this command: %systemdrive%\haxfix.exe /after



You can find more information about the tool on my website (or on the security boards).
http://users.pandora.be/marcvn/spyware/1541877.htm
http://users.pandora.be/marcvn/spyware/1585977.htm



Updates:
From now on, I will also post all haxfix updates here.


Version 5.00.1

2008 01 22
Goldun
O20 - Winlogon Notify: sha1hsh - C:\WINDOWS\SYSTEM32\sha1hsh.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sha1hsh
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sha1krnl
Kernel CryptoService: \??\C:\WINDOWS\System32\sha1krnl.sys (system)
sha1hsh.dll
sha1krnl.sys



Version 5.00.2

2008 01 28
Goldun
O20 - Winlogon Notify: px86emul - C:\WINDOWS\SYSTEM32\px86emul.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\px86emul
FPU emulation service: \??\C:\WINDOWS\system32\x86emul.sys (system)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\x86emul
px86emul.dll
x86emul.sys



Version 5.00.3

2008 02 20
Goldun
O20 - Winlogon Notify: alcomt - C:\WINDOWS\SYSTEM32\alcomt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\alcomt
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\alcom
alcom.sys
alcomt.dll



Version 5.00.4

2008 02 24
Goldun
O20 - Winlogon Notify: alcopt - C:\WINDOWS\SYSTEM32\alcopt.dll
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\alcopt
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\alcop
alcop server: \??\C:\WINDOWS\System32\alcop.sys (system)
alcop.sys
alcopt.dll



Version 5.00.5

2008 02 27
O20 - Winlogon Notify: mplink - C:\WINDOWS\SYSTEM32\mplink.dll
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mplink
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\fprot
FT StarForce Protector: \??\C:\WINDOWS\System32\fprot.sys (system)
mplink.dll
fprot.sys



Version 5.00.6

2008 03 16
O20 - Winlogon Notify: mp3res - C:\WINDOWS\SYSTEM32\mp3res.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mp3res
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xprot
XPROTECTOR Driver \??\C:\WINDOWS\System32\xprot.sys (system)
mp3res.dll
xprot.sys
k86.bin


Version 5.00.7

2008 03 20
O20 - Winlogon Notify: upsctl - C:\WINDOWS\SYSTEM32\upsctl.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\upsctl
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upscr
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\upscr.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\upscr.sys
hrs.bin
upscr.sys
upsctl.dll
