Monday 29 September 2008

Haxfix version 5.0.21

Version 5.021
2008 09 29

Infection: Trojan.Win32.Agent

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CIJBDYZA"="%systemroot%\CIJBDYZA.exe"

%System%\tremir.bin


Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Monday 22 September 2008

Haxfix version 5.0.20

Version 5.0.20
2008 09 22

Infection: Goldun

O20 - Winlogon Notify: asplug - C:\WINDOWS\SYSTEM32\asplug.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\asplug]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\asplg]
DirectSound KDriver: \??\C:\WINDOWS\SYSTEM32\asplg.sys

C:\WINDOWS\SYSTEM32\asplg.sys
C:\WINDOWS\SYSTEM32\asplug.dll

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"solo"=-


Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Thursday 18 September 2008

Haxfix version 5.0.19

Version 5.0.19
2008 09 18

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gzipmod]

gzipmod.dll
vbagz.sys


Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Monday 15 September 2008

Haxfix Version 5.0.18

Version 5.018
2008 09 15

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ddrawxt]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cabpck]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"braviax"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"braviax"=-

Files:
ddrawxt.dll
cabpck.dll
ddraw.sys
krnlcab.sys
braviax.exe

I changed the script that checks for other haxdoor and goldun files.
If known rootkit files are present, haxfix will find and delete them.


Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Thursday 11 September 2008

Haxfix Version 5.0.17

Version 5.017
2008 09 11

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMedia16"="wmedia16.exe"

%windir%\system32\wmedia16.exe
%windir%\wmedia16.exe


Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Haxfix Version 5.0.16

Version 5.016
2008 09 10

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hinet]
hinet.dll
ddram.sys


Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Monday 8 September 2008

Haxfix version 5.0.15

Version 5.015
2008 09 07

Added:
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\spndt.sys]
[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\spndt.sys]


Fixed a bug with some of the newer goldun variants that use the Notify key.
Sometimes this Notify key is hidden.


Added detection for these browser helper objects:
{92617934-9abc-def0-0fed-fad682644311}
{68397934-9abc-def0-0fed-fad682644311}
{61468245-A343-CF27-3452-44DF4679BDF1}
{56262124-6251-5625-3072-548536364311}
{46278903-5678-2464-3452-545679092D31}
{68363724-9ABC-DEF0-0FED-FAD682644311}
{92617934-9ABC-DEF0-0FED-FAD48C654321}
{5240864B-FDFE-4563-3514-463926792311}
{13146842-6251-5625-3072-548536364311}
{62457936-6381-6170-3572-468926792311}
{5FCA4D4F-CBDD-4263-3814-463926792311}
{65194BCE-CBDD-4263-3814-463926792311}
{BCD2AF6E-4271-6572-6429-A63F26792311}
{80523A67-ABCD-CF37-3352-54DF4479BDF1}
{4A26217C-5521-3459-2345-AB36721975AF}
{78934132-3451-67A2-8919-678931572311}
{7548953E-4371-6552-6419-A43F26792311}
{73468251-2534-8760-3685-423479197575}
{81463526-1357-4638-2418-538263794561}
{0033669F-AADD-AA59-AA7D-AA4B78888000}
{00534B55-3155-CA4F-B41D-0E922121D03C}
{92617934-9ABC-DEF0-0FED-FAD48C654321}
{00534B55-3155-CA4F-B41D-0E922121D03C}
{BF468356-BB7E-42D7-9F15-4F3B9BCFCED2}
{DABCE839-3831-3818-AF3A-3837BCD324D2}
{DABCE839-3831-3818-AF3A-47D47A738D32}
{DABFC839-F831-3D1A-A33A-A7D4BA7C8D3D}
{0000AC13-3487-1583-C4BE-BE6A839DB000}
{AE1AA4FA-C3A2-4c33-90CD-69DD021A35C8}

Haxfix deletes the CLSID and the file.


Added detection for goldun variants that use the AppInit key.
Detection is done by MD5 check: 21 different MD5s at this moment.

Matching files that are not detected by the MD5 check will be enumerated.
May I ask you to upload these files in my bleeping channel: http://www.bleepingcomputer.com/submit-malware.php?channel=11
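The two checks this entry describes, the BHO CLSID match and the two-stage MD5 check (known hash is detected, matching file with an unknown hash is enumerated for submission), as an added Python example that is not Haxfix's own code. The CLSID set is copied from the list in this entry; the known-bad MD5 set, the sample files and their contents are constructed for the demo because the changelog does not publish its 21 hashes, and the filename pattern is an assumed parameter the caller supplies.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# CLSIDs copied from the 5.0.15 changelog entry above, upper-cased so that
# mixed-case registry values (e.g. "4c33") compare equal.
KNOWN_BAD_BHO_CLSIDS = {c.upper() for c in """
{92617934-9abc-def0-0fed-fad682644311} {68397934-9abc-def0-0fed-fad682644311}
{61468245-A343-CF27-3452-44DF4679BDF1} {56262124-6251-5625-3072-548536364311}
{46278903-5678-2464-3452-545679092D31} {68363724-9ABC-DEF0-0FED-FAD682644311}
{92617934-9ABC-DEF0-0FED-FAD48C654321} {5240864B-FDFE-4563-3514-463926792311}
{13146842-6251-5625-3072-548536364311} {62457936-6381-6170-3572-468926792311}
{5FCA4D4F-CBDD-4263-3814-463926792311} {65194BCE-CBDD-4263-3814-463926792311}
{BCD2AF6E-4271-6572-6429-A63F26792311} {80523A67-ABCD-CF37-3352-54DF4479BDF1}
{4A26217C-5521-3459-2345-AB36721975AF} {78934132-3451-67A2-8919-678931572311}
{7548953E-4371-6552-6419-A43F26792311} {73468251-2534-8760-3685-423479197575}
{81463526-1357-4638-2418-538263794561} {0033669F-AADD-AA59-AA7D-AA4B78888000}
{00534B55-3155-CA4F-B41D-0E922121D03C} {BF468356-BB7E-42D7-9F15-4F3B9BCFCED2}
{DABCE839-3831-3818-AF3A-3837BCD324D2} {DABCE839-3831-3818-AF3A-47D47A738D32}
{DABFC839-F831-3D1A-A33A-A7D4BA7C8D3D} {0000AC13-3487-1583-C4BE-BE6A839DB000}
{AE1AA4FA-C3A2-4c33-90CD-69DD021A35C8}
""".split()}

CLSID_RE = re.compile(r"^\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}$")

# Constructed stand-in for one known-bad AppInit DLL; the changelog's real
# 21 hashes are not published, so the demo hashes its own sample bytes.
SAMPLE_KNOWN_BAD = b"constructed sample: stands in for a known-bad appinit dll\n"
KNOWN_BAD_MD5 = {hashlib.md5(SAMPLE_KNOWN_BAD).hexdigest()}


def normalize_clsid(value: str) -> str:
    """Upper-case and brace a CLSID string; reject anything that is not one."""
    v = value.strip().upper()
    if not v.startswith("{"):
        v = "{" + v + "}"
    if not CLSID_RE.match(v):
        raise ValueError(f"not a CLSID: {value!r}")
    return v


def find_bad_bhos(installed_clsids):
    """Return the installed BHO CLSIDs that are on the known-bad list, sorted."""
    return sorted({c for c in map(normalize_clsid, installed_clsids)
                   if c in KNOWN_BAD_BHO_CLSIDS})


def md5_file(path) -> str:
    """MD5 of a file, read in chunks so large binaries do not load into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def classify_files(directory, name_pattern, known_md5):
    """Two-stage check as the changelog describes it: a file whose name matches
    name_pattern (assumed, caller-supplied regex) and whose MD5 is known is
    'detected'; a matching file with an unknown hash is 'enumerated' so the
    analyst can submit it. Returns (detected, enumerated) as (name, md5) lists."""
    pat = re.compile(name_pattern, re.IGNORECASE)
    detected, enumerated = [], []
    for p in sorted(Path(directory).iterdir()):
        if not p.is_file() or not pat.match(p.name):
            continue
        digest = md5_file(p)
        (detected if digest in known_md5 else enumerated).append((p.name, digest))
    return detected, enumerated


def build_demo_dir():
    """Create a temp directory of constructed files: one known-bad sample, one
    same-style DLL with an unknown hash, one file the pattern should ignore."""
    d = Path(tempfile.mkdtemp(prefix="haxfix_demo_"))
    (d / "gzipmod.dll").write_bytes(SAMPLE_KNOWN_BAD)
    (d / "hinet.dll").write_bytes(b"constructed: same naming style, hash not on the list\n")
    (d / "readme.txt").write_bytes(b"not a dll\n")
    return d


if __name__ == "__main__":
    # Constructed input: one listed CLSID in lower case plus one benign one.
    print("bad BHOs:", find_bad_bhos(["{ae1aa4fa-c3a2-4c33-90cd-69dd021a35c8}",
                                      "{00000000-0000-0000-0000-000000000000}"]))
    det, enum = classify_files(build_demo_dir(), r".*\.dll$", KNOWN_BAD_MD5)
    print("detected:", det)
    print("enumerated for submission:", enum)
```

The enumerated list is the interesting output for a defender: a hash-only check silently misses a new variant, so listing matching files whose hash is unknown is what turns a miss into a sample to submit and a new hash to add.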


Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.