Monday 29 December 2008

Haxfix version 5.0.52

Version 5.0.52
2008 12 29

Infection: Trojan Nethell

O2 - BHO: Gamburg provider - {59D94AAD-0A67-417e-969B-8311296E8364} - condw32.dll
O2 - BHO: Gamburg provider - {59D94AAD-0A67-417e-969B-8311296E8364} - contrld.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{59D94AAD-0A67-417e-969B-8311296E8364}

Files:
system32\alog.txt
system32\condw32.dll
system32\contrld.dll
system32\msft.txt
system32\ps1.dat
system32\rc.dat


Infection: Goldun

O20 - Winlogon Notify: swapdm - C:\WINDOWS\system32\swapdm.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\swapdm

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\swapm
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\swapm.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\swapm.sys

Files:
system32\k86.bin
system32\swapdm.dll
system32\swapm.sys


Other related files:
system32\vkj.bin


Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Sunday 28 December 2008

Haxfix version 5.0.51

Version 5.0.51
2008 12 28

Infection: TrojanSpy:Win32/Ambler.D - Trojan Nethell

O2 - BHO: Microsoft copyright - {0DDD155F-B89C-4f34-90F0-53D7BD21A37C} - mscont32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0DDD155F-B89C-4f34-90F0-53D7BD21A37C}

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5EB96953-7D02-4594-AC15-F55FC9AACFCB}]
"StubPath"="rundll32 mscont32.dll,InitModule"

Files:
system32\mscont32.dll
system32\sft.res


Infection: Troj/Ambler-G

O2 - BHO: Microsoft copyright - {32C620D6-CC10-4e6a-9715-BACACD5B0E61} - sxmg4.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{32C620D6-CC10-4e6a-9715-BACACD5B0E61}

O21 - SSODL: WebProxy - {A744F16C-B2D5-4138-81A2-085CDFCDE83A} - sxmg4.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebProxy"="{A744F16C-B2D5-4138-81A2-085CDFCDE83A}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A744F16C-B2D5-4138-81A2-085CDFCDE83A}]
"StubPath"="rundll32 sxmg4.dll,InitModule"

Files:
system32\lt.res
system32\sft.res
system32\sn.txt
system32\sxmg4.dll


Infection: Troj/Ambler-G

O2 - BHO: Microsoft copyright - {FFFFFFFF-BBBB-4146-86FD-A722E8AB3489} - sockins32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}

O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebProxy"="{66186F05-BBBB-4a39-864F-72D84615C679}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{66186F05-BBBB-4a39-864F-72D84615C679}]
"StubPath"="rundll32 sockins32.dll,InitModule"

Files:
system32\lt.res
system32\sft.res
system32\sn.txt
system32\sockins32.dll



Infection: SpyBanker - Trojan Nethell

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{01BE3276-1420-45b5-9762-172C5C184EB7}]
"StubPath"= "rundll32 svchstb.dll,InitO

File:
system32\svchstb.dll


Infection: Spybanker - Trojan Nethell

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{67525E1B-5B8E-41d4-AFCC-03CC04F141FA}]
"StubPath"="rundll32 rbsgam.dll,InitO"

Files:
system32\log.txt
system32\bb1.dat
system32\kaxs.dat
system32\ps1.dat
system32\rbsgam.dll
system32\rc.dat
%Windir%\inform.dat


Other files:

system32\kaxs.dat
system32\Spool\hpprintqueue.exe



Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Saturday 27 December 2008

Haxfix version 5.0.50

Version 5.0.50
2008 12 27

Infection: Goldun

O20 - Winlogon Notify: modzlib - C:\WINDOWS\system32\modzlib.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\modzlib

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\gzvba.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\gzvba.sys

Files:
system32\modzlib.dll
system32\gzvba.sys


Infection: Trojan-Downloader.Win32.BHO.aej - TrojanSpy:Win32/Ambler.D - Trojan-Dropper.Win32.Ambler

O2 - BHO: Google plugin - {18CACF0E-72A4-4be1-AA42-DC2ECDB197F1} - C:\WINDOWS\system32\kcms.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18CACF0E-72A4-4be1-AA42-DC2ECDB197F1}

Files:
system32\alog.txt
system32\bb1.dat
system32\kcms.dll
system32\mx
system32\ps1.dat
system32\rc.dat


Infection: Virus.Neshta - Trojan-Banker.Win32.Banker.ghd - TSPY_BANKER.LJU - TrojanSpy:Win32/Ambler.A - Trojan-Spy.Win32.Banker

Files:
system32\accs.txt
system32\cookie.dat
system32\ps.dat



Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Friday 26 December 2008

Haxfix version 5.0.49

Version 5.0.49
2008 12 26

Infection: Goldun

O20 - Winlogon Notify: syncps - C:\WINDOWS\system32\syncps.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\syncps

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\syncmc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\syncmc.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\syncmc.sys

Files:
system32\syncmc.sys
system32\syncps.dll



Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Wednesday 24 December 2008

Haxfix version 5.0.48

Version 5.0.48
2008 12 24

Infection: Goldun

Updated the appinit detection.


Infection: Spy.Banker - TrojanSpy:Win32/Ambler.D

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{63845B64-69B6-4b9a-9461-C59B2AFDC0A9}

File:
system32\vgf32.dll


Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Tuesday 23 December 2008

Haxfix version 5.0.47

Version 5.0.47
2008 12 23

Infection: Goldun

Updated the appinit detection.


Infection: Spy.Banker - TrojanSpy:Win32/Ambler.D

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F6E0EF5F-5F03-43f9-8E02-BBAAA95EAA9C}

File:
system32\nods32.dll


Infection: Goldun

O20 - Winlogon Notify: modgzip - C:\WINDOWS\system32\modgzip.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\modgzip\modgzip

File:
system32\modgzip.dll



Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Saturday 20 December 2008

Haxfix version 5.0.46

Version 5.0.46
2008 12 20

Infection: Goldun

O20 - Winlogon Notify: snjava - C:\WINDOWS\system32\snjava.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\snjava

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\java2.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\java2.sys

Files:
system32\snjava.dll
system32\java2.sys


Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Friday 19 December 2008

Haxfix version 5.0.45

Version 5.0.45
2008 12 19

Infection: Goldun

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\gzvba.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\gzvba.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gzvba

File:
system32\gzvba.sys


Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Thursday 18 December 2008

Haxfix version 5.0.44

Version 5.0.44
2008 12 18

Infection: Goldun

O20 - Winlogon Notify: xliftm - C:\WINDOWS\system32\xliftm.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xliftm

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\xlift.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\xlift.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xlift

Files:
system32\cardb.dat
system32\xlift.sys
system32\xliftm.dll



Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.