Sunday 30 November 2008

Haxfix version 5.0.43

Version 5.0.43
2008 11 30

Infection: Goldun

O20 - Winlogon Notify: mckwave - C:\WINDOWS\system32\mckwave.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mckwave

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kwave

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\kwave.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\kwave.sys

Files:
system32\mckwave.dll
system32\kwave.sys
system32\drivers\mrxdavv.sys


Infection: Haxdoor

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sksdrvr2

File:
system32\sksdrvr2.sys


Infection: Goldun

O20 - Winlogon Notify: wrapkm - C:\WINDOWS\system32\wrapkm.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wrapkm
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wrapk

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wrapk.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\wrapk.sys

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"advap32"=""%Temp%\load2.exe" /r"

Files:
system32\wrapkm.dll
system32\wrapk.sys
windows\wiaserviv.log

Infection: Goldun

O20 - Winlogon Notify: sbrige - C:\WINDOWS\system32\sbrige.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sbrige

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sbunit.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sbunit.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sbunit

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"rs32net"="%System%\rs32net.exe"


Files:
system32\rs32net.exe
system32\sbrige.dll
system32\sbunit.sys



Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Saturday 29 November 2008

Haxfix down

I removed haxfix this afternoon from my site and from bleeping, because the tool cannot delete some of the latest goldun and haxdoor variants.

I found a solution, and the tool will be available again soon.

Monday 24 November 2008

Haxfix version 5.0.42

Version 5.0.42
2008 11 24
Infection: Haxdoor

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Microsoft Update" = "system.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
"Microsoft Update" = "system.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
"Microsoft Update" = "system.exe"

File:
system32\system.exe


Infection: SpyBanker - Trojan Nethell
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ABADC07C-9990-405a-AA24-2C209B50AE79}

File:
system32\svchstb.dll


Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Friday 21 November 2008

Haxfix version 5.0.41

Version 5.0.41
2008 11 21

Added the file mmsystem.dll to the whitelist.
It will no longer be detected as a "possible infected file".


Infection: Goldun

O20 - Winlogon Notify: priarsz - C:\WINDOWS\SYSTEM32\priarsz.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\priarsz


Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Monday 17 November 2008

Haxfix version 5.0.40

Version 5.0.40
2008 11 17

Infection: SpyBanker - Trojan Nethell

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2FDA60DF-6D94-4f16-A48C-3C4EC57FEF58}

File:
system32\nokia32.dll


Infection: Spy.Banker - Infostealer.Bancos

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{890C7964-9320-4055-BE11-7D7B562A6417}

Files:
system32\mstrans.dll
system32\mstrans1.dll


Infection: Goldun
O20 - Winlogon Notify: netwrp - C:\WINDOWS\SYSTEM32\netwrp.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\netwrp

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netwp

Files:
system32\netwrp.dll
system32\netwp.sys
system32\a9k.bin


Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Wednesday 12 November 2008

Haxfix version 5.0.39

Version 5.0.39
2008 11 12

Infection: SpyBanker - Trojan Nethell

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E8FD36B2-A25B-47e3-9477-82557F5F5995}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ECBA18CA-FF22-464c-A963-70BEC79D2485}

Files:
system32\cukert.dll
system32\masyan.dll
system32\savec32.dll



Infection: SpyBanker

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{60FD4F58-4748-48f6-B661-5FCE71B0D907}

Files:
system32\torm.dll
system32\torm1.dll



Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Haxfix version 5.0.38

Version 5.0.38
2008 11 12

Infection: Haxdoor

O20 - Winlogon Notify: mt49hub - C:\WINDOWS\SYSTEM32\mt49hub.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mt49hub

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msvtch
"ImagePath" = "system32\msvtch.sys"
"DisplayName" = "Kernel Mode SND msvtcher"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\msvtch.sys
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\msvtch.sys


Files:
system32\adrnln.bin
system32\mt49hub.dll
system32\msvtch.sys



Infection: SpyBanker

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{850C7964-9320-4055-BE11-7D7B562A6417}


Files:
system32\Helper.dll
system32\Helper1.dll
system32\mstrans.dll



Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Tuesday 11 November 2008

Haxfix version 5.0.37

Version 5.0.37
2008 11 11

Infection: Haxdoor

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\status]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tage32]
"ImagePath" = "system32\tage32.sys"
"DisplayName" = "NGate service"

Files:
system32\mprexe.exe
system32\snowx.ini
system32\status.dll
system32\tage32.sys
Windows\svchost32.exe


Infection: SpyBanker - Trojan Nethell

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{68DF1496-983B-9ED5-03A6-F78E3267FB52}]

Files:
system32\gh.dat
system32\nokia32.dll
system32\symdb32.dll


Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Sunday 9 November 2008

Haxfix version 5.0.36

Version 5.0.36
2008 11 09

Infection: Goldun

Added a new variant that uses the AppInit_DLLs key to load.
The filename is semi-random.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs" = "%System%\mms******.dll"

Files:
%System%\DefaultColor.info
%System%\mms******.dll
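The entries on this page all come down to a handful of persistence points: Winlogon Notify packages, the AppInit_DLLs value, SafeBoot Minimal/Network entries that keep a driver loaded in safe mode, the driver's service key, and Run/RunServices values. The script below is an added example, not part of Haxfix or of this blog: it parses the text of a `reg export` and reports keys that match the names listed across these changelog entries (so it generalizes over all of them, not just this AppInit variant), and it also flags any Winlogon Notify DLL that is not on a small allowlist. The sample export, the allowlist of clean Windows XP Notify DLLs, and the names crypt32chain, exampleapp, eanotify.dll and mmsk3q7z.dll are constructed or assumed here; only the indicator names come from the page.

```python
import re
from pathlib import PureWindowsPath

# Indicator names taken from the Haxfix 5.0.33 - 5.0.43 entries on this page.
NOTIFY_NAMES = {"mckwave", "wrapkm", "sbrige", "priarsz", "netwrp",
                "mt49hub", "status", "ctlsys", "kryostm"}
DRIVER_NAMES = {"kwave", "sksdrvr2", "wrapk", "sbunit", "netwp",
                "msvtch", "tage32", "mmctl", "kryo2"}
RUN_VALUES = {("advap32", "load2.exe"), ("rs32net", "rs32net.exe"),
              ("microsoft update", "system.exe")}
APPINIT_RE = re.compile(r"^mms.*\.dll$", re.I)   # page: "mms******.dll", semi-random
# Assumption: Notify DLLs of a clean Windows XP install; anything else under
# Winlogon\Notify is reported for review even if it matches no listed indicator.
KNOWN_GOOD_NOTIFY = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "wlnotify.dll", "sclgntfy.dll", "wgalogon.dll"}

NOTIFY_ROOT = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon\notify"
WINDOWS_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\windows"
CCS = r"^hkey_local_machine\\system\\(?:currentcontrolset|controlset\d{3})\\"
SAFEBOOT_RE = re.compile(CCS + r"control\\safeboot\\(?:minimal|network)\\(.+)$")
SERVICE_RE = re.compile(CCS + r"services\\([^\\]+)$")
RUN_KEY_RE = re.compile(r"^hkey_(?:local_machine|current_user)\\software\\microsoft"
                        r"\\windows\\currentversion\\(?:run|runservices)$")

# Constructed sample of `reg export` output (not a real capture). mckwave, kwave and
# load2.exe are names from the page; crypt32chain, exampleapp, eanotify.dll and
# mmsk3q7z.dll are made up for this example.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DLLName"="crypt32.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mckwave]
"DLLName"="C:\\WINDOWS\\system32\\mckwave.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\exampleapp]
"DLLName"="C:\\Program Files\\ExampleApp\\eanotify.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\system32\\mmsk3q7z.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kwave]
"ImagePath"="system32\\kwave.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\kwave.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"advap32"="\"%Temp%\\load2.exe\" /r"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''


def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)      # .reg escapes '\' and '"' with a backslash


def parse_reg(text):
    """Parse Registry Editor 5.00 text into {key (lower-cased): {value name: data}}.
    REG_SZ data is unescaped; other value types are kept as raw text."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if m and current is not None:
            name = "(default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            data = m.group(2)
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def _exe_name(cmd):
    m = re.search(r'([^\\/"]+\.exe)', cmd, re.I)    # basename of the launched program
    return m.group(1).lower() if m else ""


def audit(keys):
    """Return (severity, key, message) tuples for the persistence points used by the
    Goldun/Haxdoor variants listed on this page."""
    findings = []
    for key, values in keys.items():
        if key.startswith(NOTIFY_ROOT + "\\"):
            sub = key.rsplit("\\", 1)[1]
            dll = PureWindowsPath(values.get("DLLName", "")).name.lower()
            if sub in NOTIFY_NAMES or dll.removesuffix(".dll") in NOTIFY_NAMES:
                findings.append(("known", key, f"Winlogon Notify package matches indicator: {dll or sub}"))
            elif dll not in KNOWN_GOOD_NOTIFY:
                findings.append(("review", key, f"Winlogon Notify DLL not on allowlist: {dll or '<no DLLName>'}"))
        elif key == WINDOWS_KEY:
            for entry in filter(None, re.split(r"[ ,;]+", values.get("AppInit_DLLs", ""))):
                name = PureWindowsPath(entry).name
                findings.append(("known" if APPINIT_RE.match(name) else "review", key, f"AppInit_DLLs loads {name}"))
        elif (m := SAFEBOOT_RE.match(key)) and m.group(1).removesuffix(".sys") in DRIVER_NAMES:
            findings.append(("known", key, f"SafeBoot entry keeps indicator driver {m.group(1)} loaded in safe mode"))
        elif (m := SERVICE_RE.match(key)) and m.group(1) in DRIVER_NAMES:
            findings.append(("known", key, f"service {m.group(1)} matches indicator driver ({values.get('ImagePath', '?')})"))
        elif RUN_KEY_RE.match(key):
            for name, data in values.items():
                if (name.lower(), _exe_name(data)) in RUN_VALUES:
                    findings.append(("known", key, f"Run value {name!r} starts indicator {_exe_name(data)}"))
    return findings


if __name__ == "__main__":
    for sev, key, msg in audit(parse_reg(SAMPLE_REG)):
        print(f"[{sev:6}] {msg}\n         {key}")
```

On the constructed sample this reports five "known" matches (the Notify package, the AppInit DLL, the service, its SafeBoot entry and the Run value) and one "review" item for the unlisted Notify DLL; the clean crypt32chain entry and the ctfmon.exe Run value produce nothing. The review path matters more than the name lists: the page itself shows that each new variant ships with fresh names, so on a real export every Notify package you cannot account for deserves a look, not only those already catalogued.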



Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Wednesday 5 November 2008

Haxfix Version 5.0.35

Version 5.0.35
2008 11 05

Infection: Spybanker - Trojan Nethell

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5BEEFD1C-446F-48a7-A7C7-C8E5986A9760}]

File:
system32\rbsgam.dll


Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Sunday 2 November 2008

Haxfix Version 5.0.34

Version 5.0.34
2008 11 02

Infection: Goldun

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ctlsys]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mmctl]

Files:
system32\ctlsys.dll
system32\mmctl.sys


Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Saturday 1 November 2008

Haxfix version 5.0.33

Version 5.0.33
2008 11 01

Infection: Haxdoor / Goldun

O20 - Winlogon Notify: kryostm - C:\Windows\System32\kryostm.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\kryostm]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\kryo2.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\kryo2.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kryo2]
"DisplayName" = "CPU FUN Controller"


Files:
system32\kryostm.dll
system32\kryo2.sys


Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.