Friday 31 October 2008

Haxfix Version 5.0.32

Version 5.0.32
2008 10 31

Infection: Goldun.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mdhash]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mdhsh]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mdhsh.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mdhsh.sys]

Files:
system32\mdhash.dll
system32\mdhsh.sys


Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Sunday 26 October 2008

Haxfix version 5.0.31

Version 5.0.31:
2008 10 26

Infection: Goldun.

O21 - SSODL: oledll - {12345B67-1234-1234-D123-7F84D123BC7D} - C:\WINDOWS\System32\wmldap.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"oledll" = "{12345B67-1234-1234-D123-7F84D123BC7D}"

File:
System32\wmldap.dll


Infection: Goldun.

O18 - Filter hijack: text/html - {DC186800-657F-11D4-B0B5-0050BABFC904} - C:\WINDOWS\system32\urikon.dll
O18 - Filter: text/plain - {DC186800-657F-11D4-B0B5-0050BABFC904} - C:\WINDOWS\system32\urikon.dll

O18 - Filter hijack: text/html - {DC186800-657F-11D4-B0B5-0050BABFC904} - C:\WINDOWS\system32\urinon.dll
O18 - Filter: text/plain - {DC186800-657F-11D4-B0B5-0050BABFC904} - C:\WINDOWS\system32\urinon.dll

O18 - Filter hijack: text/html - {DC186800-657F-11D4-B0B5-0050BABFC904} - C:\WINDOWS\system32\ursnon.dll
O18 - Filter: text/plain - {DC186800-657F-11D4-B0B5-0050BABFC904} - C:\WINDOWS\system32\ursnon.dll

O18 - Filter hijack: text/html - {DC186800-657F-11D4-B0B5-0050BABFC904} - C:\WINDOWS\system32\urunon.dll
O18 - Filter: text/plain - {DC186800-657F-11D4-B0B5-0050BABFC904} - C:\WINDOWS\system32\urunon.dll

O18 - Filter hijack: text/html - {DC186800-657F-11D4-B0B5-0050BABFC904} - C:\WINDOWS\system32\urwnon.dll
O18 - Filter: text/plain - {DC186800-657F-11D4-B0B5-0050BABFC904} - C:\WINDOWS\system32\urwnon.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html]
"CLSID" = "{DC186800-657F-11D4-B0B5-0050BABFC904}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/plain]
"CLSID" = "{DC186800-657F-11D4-B0B5-0050BABFC904}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DC186800-657F-11D4-B0B5-0050BABFC904}]

Files:
urikon.dll
urinon.dll
ursnon.dll
urunon.dll
urwnon.dll


Infection: Goldun.

scrcki32.dll

If scrcki32.dll or scrcwi32.dll is present in the system32 folder, the default path in this registry key has been modified:
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

HaxFix will restore the default value: %systemroot%\system32\shell32.dll


Other related files:
%System%\spool\c.ini
%System%\spool\desktops.ini
%System%\spool\dr.ini


Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Friday 24 October 2008

Haxfix Version 5.0.30

Version 5.0.30

Infection: Spybanker - Trojan.Nethell

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EF99D588-3D5F-4194-828A-E03870A57A77}]

system32\gcomd32.dll


Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Haxfix Version 5.0.29

Version 5.0.29
2008 10 24

Infection: Goldun.

O2 - BHO: (no name) - {7ACB5731-5839-13AB-EABC-124791194525} - C:\WINDOWS\system32\msindeo.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7ACB5731-5839-13AB-EABC-124791194525}]

O21 - SSODL: msindeo.dll - {7ACB5731-5839-13AB-EABC-124791194525} - C:\WINDOWS\system32\msindeo.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"msindeo.dll" = "{7ACB5731-5839-13AB-EABC-124791194525}"

File:
system32\msindeo.dll


Infection: Haxdoor / Goldun.

O20 - Winlogon Notify: acpiz - C:\WINDOWS\SYSTEM32\acpiz.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\acpiz]
O20 - Winlogon Notify: hpstp - C:\WINDOWS\SYSTEM32\hpstp.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hpstp]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\acup]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmram]

Files:
system32\acpiz.dll
system32\acup.sys
system32\dmram.sys
system32\hpstp.dll


Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Friday 17 October 2008

Haxfix Version 5.0.28

Version 5.0.28
2008 10 17

Infection: Goldun

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\netprp]

%System%\netprp.dll 23724 bytes
%System%\netrp.sys 8512 bytes

Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Tuesday 14 October 2008

Haxfix Version 5.0.27

Version 5.0.27
2008 10 14

Infection: SpyBanker

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2DB59DF5-544D-4A1C-8A74-1FD054950140}]

%System%\ipv6monl.dll


Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Sunday 12 October 2008

Haxfix instructions - updated

This article is an update of an earlier one.


Download
You can download haxfix from my site or from Bleeping Computer.
On both sites you will always find an up-to-date version of the tool.

How to use?
Download haxfix.exe and save it to your desktop.
Double click on haxfix.exe to run it.
A red "dos window" (dos box) will open with these options:
· 1. Make logfile
· E. Exit Haxfix

After running option 1, you will get a new menu with all options:
· 1. Make logfile
· 2. Run auto fix
· 3. Run manual fix
· 4. Run unknown fix
· U. Uninstall Haxfix
· E. Exit Haxfix


Option 1. Make logfile..
When you use haxfix, always make a logfile first.
The logfile lists all services, safeboot services and notify keys that match the current haxdoor/goldun variants.
Haxfix checks for known SSODL keys related to Goldun.
Haxfix checks for known Browser Helper Objects (BHO) related to Goldun or SpyBanker infections.
Haxfix checks whether iexplore.exe is infected with a (known) Goldun variant. If so, it looks for a clean copy in the dllcache or the temp folder.
Haxfix checks for known Goldun variants that load through the AppInit key. Because these filenames are random, haxfix checks the MD5 checksum instead.
Haxfix checks for a lot of related haxdoor and goldun files. If present, haxfix lists them in the logfile; if a file is a rootkit file, haxfix marks it as such.
Catchme.exe has been integrated in haxfix since version 4.43.
The logfile produced by Catchme is analysed by haxfix for matching haxdoor or goldun variants.
The logfile made by option 1 shows you whether a known infection is present on your computer.

Option 2. Run autofix..
Option 2 deletes all haxdoor notify keys that are found when one or more matching services/safeboot services are present.
You can use option 2 if the notify keys that are found are related to haxdoor or goldun.
- If there is a notify key (xxxx) and the letters xxxx are found among the matching services or matching safeboot services, haxfix deletes them.
- If there is an unknown notify key or a legit notify key (xxxx) in the logfile, and there are no matching services/safeboot services (xxxx), haxfix will not delete the keys.
- If there is an unknown notify key or a legit notify key in the haxdoor logfile and a matching service, don't run option 2 (auto fix) but use the manual fix (option 3) to add the key(s) manually.
- All known Goldun variants are deleted with option 2.
- All known SpyBanker variants are deleted with option 2.
- If iexplore.exe is infected, haxfix can fix this without a reboot.

Option 3. Run manual fix..
This gives you the possibility to add one or, if necessary, more than one haxdoor key.
When you start option 3, you'll get a message:
Insert the haxdoorkey,
and then press Enter:
Insert the haxdoor key without the numbers (e.g. avpe, xtpt, fuxx, ...).
When this is a valid choice (there is a check against the services/safeboot services), the key is added to the delete list.
Next you can add another key: Yes (press Y) or No (press N).
When do we use option 3?
Use option 3 if there are:
- unknown or legit notify keys with related services in the haxlog.txt file.
- no notify keys found, but there are haxdoor related services / safeboot services. (Be careful, don't add legit ones, because after the reboot they are all gone.)
If you use option 3 to delete a haxdoor variant and one or more Goldun or SpyBanker variants are present too, all infections are deleted.
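The option 2 / option 3 decision rules above, written out as an added example (not haxfix's own code). The variant names are the three the text gives as examples and stand in for the tool's real signature list; the Notify/Services/SafeBoot snapshots are constructed; the legit-key list is the set of Winlogon\Notify subkeys found on a default Windows XP install.

```python
import re
from typing import Iterable

# Stand-in for haxfix's signature list: the three example names from the text.
# The tool's real list is not reproduced here.
KNOWN_VARIANTS = {"avpe", "xtpt", "fuxx"}
# Winlogon\Notify subkeys present on a default Windows XP install; these are
# the "legit notify keys" that must never be deleted automatically.
LEGIT_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}


def stem(name: str) -> str:
    """'AVPE32.sys' -> 'avpe': drop extension and digits, the form option 3
    asks you to type ("without the numbers")."""
    base = name.lower().rsplit(".", 1)[0]
    return re.sub(r"\d+", "", base)


def matching_services(services: Iterable[str], safeboot: Iterable[str]) -> set[str]:
    """Stems of Services / SafeBoot entries that are known haxdoor or goldun variants."""
    return {stem(n) for n in [*services, *safeboot] if stem(n) in KNOWN_VARIANTS}


def recommend(notify: Iterable[str], services: Iterable[str],
              safeboot: Iterable[str]) -> tuple[str, set[str]]:
    """Apply the option 2 / option 3 rules to one logfile's worth of key names.

    ("leave", {})         nothing matches: unknown/legit keys are left alone
    ("option2", keys)     every non-legit notify key is backed by a matching
                          service, so the auto fix is safe
    ("option3", stems)    a matching service exists but some notify key is
                          unmatched, or no notify key was found at all
    """
    matched = matching_services(services, safeboot)
    suspect = {k for k in notify if k.lower() not in LEGIT_NOTIFY}
    auto = {k for k in suspect if stem(k) in matched}
    if not matched:
        return "leave", set()
    if suspect and suspect == auto:
        return "option2", auto
    return "option3", matched


if __name__ == "__main__":
    # Constructed snapshots: one classic variant beside the XP default keys.
    print(recommend(["avpe32", "crypt32chain", "sclgntfy"],
                    ["avpe32", "Schedule"], ["avpe32.sys"]))  # ('option2', {'avpe32'})
    print(recommend(["crypt32chain", "qzk"], ["xtpt"], ["xtpt.sys"]))  # ('option3', {'xtpt'})
```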


Option 4. Run unknown fix..
The logfile produced by Catchme is analysed by haxfix for haxdoor or goldun variants.
If a match is found, you can delete them with option 4 (remove unknown).
(This only works with variants that use notify and services registry keys.)
Variants that are not recognized by haxfix but are detected by Catchme can thus be deleted with haxfix.


Option U. Uninstall Haxfix..
This will remove all files and folders produced by haxfix.

Option E. Exit Haxfix..
Use option E to shut down haxfix.


A few remarks
If you see "registrysettings failed" in the logfile, use this command: %systemdrive%\haxfix.exe /reset
If you don't get the logfile after the reboot, use this command: %systemdrive%\haxfix.exe /after

More information about the tool can be found on my website.

Haxfix Version 5.0.26

Version 5.0.26
2008 10 12

Added detection for these Spy.Bankers:


Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Thursday 9 October 2008

Haxfix Version 5.0.25

Version 5.0.25
2008 10 09

Infection: Haxdoor - Infostealer

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\oedes]
system32\oedes.dll
system32\kedes.sys
system32\dadr.dat


Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Sunday 5 October 2008

Haxfix Version 5.0.24

Version 5.0.24
2008 10 05

Infection: Goldun

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mt47hub]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svitch]
mt47hub.dll
svitch.sys


Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Friday 3 October 2008

Haxfix Version 5.0.23

Version 5.0.23
2008 10 03

Infection: Goldun

Added detection for a new kind of files that load through the AppInit key.

Thursday 2 October 2008

Haxfix Version 5.0.22

Version 5.0.22
2008 10 02

Infection: Goldun

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D032570A-5F63-4812-A094-87D007C23012}]
%System%\IEBHO.dll


Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.