Version 5.0.52
2008 12 29
Infection: Trojan Nethell
O2 - BHO: Gamburg provider - {59D94AAD-0A67-417e-969B-8311296E8364} - condw32.dll
O2 - BHO: Gamburg provider - {59D94AAD-0A67-417e-969B-8311296E8364} - contrld.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{59D94AAD-0A67-417e-969B-8311296E8364}
Files:
system32\alog.txt
system32\condw32.dll
system32\contrld.dll
system32\msft.txt
system32\ps1.dat
system32\rc.dat
Infection: Goldun
O20 - Winlogon Notify: swapdm - C:\WINDOWS\system32\swapdm.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\swapdm
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\swapm
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\swapm.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\swapm.sys
Files:
system32\k86.bin
system32\swapdm.dll
system32\swapm.sys
Other related files:
system32\vkj.bin
Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.
Monday 29 December 2008
Sunday 28 December 2008
Haxfix version 5.0.51
Version 5.0.51
2008 12 28
Infection: TrojanSpy:Win32/Ambler.D - Trojan Nethell
O2 - BHO: Microsoft copyright - {0DDD155F-B89C-4f34-90F0-53D7BD21A37C} - mscont32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0DDD155F-B89C-4f34-90F0-53D7BD21A37C}
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5EB96953-7D02-4594-AC15-F55FC9AACFCB}]
"StubPath"="rundll32 mscont32.dll,InitModule"
Files:
system32\mscont32.dll
system32\sft.res
Infection: Troj/Ambler-G
O2 - BHO: Microsoft copyright - {32C620D6-CC10-4e6a-9715-BACACD5B0E61} - sxmg4.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{32C620D6-CC10-4e6a-9715-BACACD5B0E61}
O21 - SSODL: WebProxy - {A744F16C-B2D5-4138-81A2-085CDFCDE83A} - sxmg4.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebProxy"="{A744F16C-B2D5-4138-81A2-085CDFCDE83A}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A744F16C-B2D5-4138-81A2-085CDFCDE83A}]
"StubPath"="rundll32 sxmg4.dll,InitModule"
Files:
system32\lt.res
system32\sft.res
system32\sn.txt
system32\sxmg4.dll
Infection: Troj/Ambler-G
O2 - BHO: Microsoft copyright - {FFFFFFFF-BBBB-4146-86FD-A722E8AB3489} - sockins32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}
O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebProxy"="{66186F05-BBBB-4a39-864F-72D84615C679}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{66186F05-BBBB-4a39-864F-72D84615C679}]
"StubPath"="rundll32 sockins32.dll,InitModule"
Files:
system32\lt.res
system32\sft.res
system32\sn.txt
system32\sockins32.dll
Infection: SpyBanker - Trojan Nethell
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{01BE3276-1420-45b5-9762-172C5C184EB7}]
"StubPath"="rundll32 svchstb.dll,InitO"
File:
system32\svchstb.dll
Infection: Spybanker - Trojan Nethell
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{67525E1B-5B8E-41d4-AFCC-03CC04F141FA}]
"StubPath"="rundll32 rbsgam.dll,InitO"
Files:
system32\log.txt
system32\bb1.dat
system32\kaxs.dat
system32\ps1.dat
system32\rbsgam.dll
system32\rc.dat
%Windir%\inform.dat
Other files:
system32\kaxs.dat
system32\Spool\hpprintqueue.exe
Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.
Saturday 27 December 2008
Haxfix version 5.0.50
Version 5.0.50
2008 12 27
Infection: Goldun
O20 - Winlogon Notify: modzlib - C:\WINDOWS\system32\modzlib.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\modzlib
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\gzvba.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\gzvba.sys
Files:
system32\modzlib.dll
system32\gzvba.sys
Infection: Trojan-Downloader.Win32.BHO.aej - TrojanSpy:Win32/Ambler.D - Trojan-Dropper.Win32.Ambler
O2 - BHO: Google plugin - {18CACF0E-72A4-4be1-AA42-DC2ECDB197F1} - C:\WINDOWS\system32\kcms.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18CACF0E-72A4-4be1-AA42-DC2ECDB197F1}
Files:
system32\alog.txt
system32\bb1.dat
system32\kcms.dll
system32\mx
system32\ps1.dat
system32\rc.dat
Infection: Virus.Neshta - Trojan-Banker.Win32.Banker.ghd - TSPY_BANKER.LJU - TrojanSpy:Win32/Ambler.A - Trojan-Spy.Win32.Banker
Files:
system32\accs.txt
system32\cookie.dat
system32\ps.dat
Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.
Friday 26 December 2008
Haxfix version 5.0.49
Version 5.0.49
2008 12 26
Infection: Goldun
O20 - Winlogon Notify: syncps - C:\WINDOWS\system32\syncps.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\syncps
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\syncmc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\syncmc.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\syncmc.sys
Files:
system32\syncmc.sys
system32\syncps.dll
Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.
Wednesday 24 December 2008
Haxfix version 5.0.48
Version 5.0.48
2008 12 24
Infection: Goldun
Updated the appinit detection.
Infection: Spy.Banker - TrojanSpy:Win32/Ambler.D
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{63845B64-69B6-4b9a-9461-C59B2AFDC0A9}
File:
system32\vgf32.dll
Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.
Tuesday 23 December 2008
Haxfix version 5.0.47
Version 5.0.47
2008 12 23
Infection: Goldun
Updated the appinit detection.
Infection: Spy.Banker - TrojanSpy:Win32/Ambler.D
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F6E0EF5F-5F03-43f9-8E02-BBAAA95EAA9C}
File:
system32\nods32.dll
Infection: Goldun
O20 - Winlogon Notify: modgzip - C:\WINDOWS\system32\modgzip.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\modgzip\modgzip
File:
system32\modgzip.dll
Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.
Saturday 20 December 2008
Haxfix version 5.0.46
Version 5.0.46
2008 12 20
Infection: Goldun
O20 - Winlogon Notify: snjava - C:\WINDOWS\system32\snjava.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\snjava
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\java2.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\java2.sys
Files:
system32\snjava.dll
system32\java2.sys
Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.
Friday 19 December 2008
Haxfix version 5.0.45
Version 5.0.45
2008 12 19
Infection: Goldun
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\gzvba.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\gzvba.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gzvba
File:
system32\gzvba.sys
Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.
Thursday 18 December 2008
Haxfix version 5.0.44
Version 5.0.44
2008 12 18
Infection: Goldun
O20 - Winlogon Notify: xliftm - C:\WINDOWS\system32\xliftm.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xliftm
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\xlift.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\xlift.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xlift
Files:
system32\cardb.dat
system32\xlift.sys
system32\xliftm.dll
Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.