Thursday 24 December 2009

Greetings...

They said there'd be snow at Christmas...

To everybody who occasionally takes a look at this blog.
I wish you a merry Christmas and happy New Year.


Saturday 19 December 2009

Haxfix version 5.0.90

Version 5.090
2009 12 19

Infection: Goldun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\simdpp
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\simdpx
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\simdpx.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\simdpx.sys

Files:
system32\mod_st.dat
system32\simdpx.sys
system32\simdpp.dll


Infection: Goldun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\saifx
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sorrd
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sorrd.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sorrd.sys

Files:
system32\saifx.dll
system32\sorrd.sys


Infection: Goldun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\linkap
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\linkax
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\linkax.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\linkax.sys

Files:
system32\linkap.dll
system32\linkax.sys

Saturday 31 October 2009

Haxfix version 5.0.89

Version 5.089
2009 10 31

Infection: Goldun

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\semdpp
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\semdpx
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\semdpx.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\semdpx.sys

Files:
system32\semdpp.dll
system32\semdpx.sys


Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Wednesday 7 October 2009

Haxfix version 5.0.88

Version 5.088
2009 10 07

Infection: SpyBanker

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d9ad1747-7b19-4dea-bc02-0ab12c4fc468}
system32\GbpDist.dll

Infection: Goldun

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sebdpp
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sebdpx
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sebdpx.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sebdpx.sys
%Windir%\pxysdb.dat
system32\sebdpp.dll
system32\sebdpx.sys



Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Saturday 12 September 2009

Haxfix version 5.0.87

Version 5.087
2009 09 12

Infection: Goldun

Updated the appinit detection.


Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Friday 11 September 2009

Haxfix version 5.0.86

Version 5.086
2009 09 11

Infection: Haxdoor
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pdx
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pdx32
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\pdx32.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\pdx32.sys
system32\cfgh.ini
system32\pdx.dll
system32\pdx32.sys


Infection: Trojan Ambler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f675c54f-60b6-4fd8-bba0-443c493305eb}

File:
system32\rant32.dll


Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Wednesday 12 August 2009

Haxfix version 5.0.85

Version 5.085
2009 08 12

Infection: Trojan Ambler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{91704C3F-A675-4e0e-9FB7-B03E005EDDA7}

Files:
system32\systran.dll


Infection: Goldun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rgadtm
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rgadta
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rgadta.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rgadta.sys

Files:
system32\rgadtm.dll
system32\rgadta.sys



Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Sunday 26 July 2009

Haxfix version 5.0.84

Version 5.084
2009 07 26

Infection: Goldun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rbadmm
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rbadmm
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rbadmm.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rbadmm.sys

Files:
system32\rbadma.sys
system32\rbadmm.dll


Infection: Goldun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rbadzm
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rbadza
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rbadza.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rbadza.sys

Files:
system32\rbadza.sys
system32\rbadzm.dll


Infection: Trojan Ambler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ED78190A-DFB2-4336-A960-979CD88F7A8D}


Infection: Trojan Ambler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{61DC85A0-4A32-4c38-92CF-24652B3F416C}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{544735C9-AE13-4721-9DE7-D529BE675038}

Files:
system32\locsock32.dll


Infection: Trojan Ambler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AFF01325-0FC2-4749-8914-FBF0565AD9CC}

Files:
system32\jbnmcd.dll
system32\jbnmck.dll


Infection: Trojan Ambler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{480FA3BD-A372-4f65-9F8A-15DF38F4E2AB}

Files:
system32\pcmfd3.dll


Infection: Trojan Ambler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{996D4E16-517F-474a-870F-F882C6133C47}

Files:
system32\gacaq32.dll


Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Saturday 27 June 2009

Haxfix version 5.0.83

Version 5.083
2009 06 27

Infection: Trojan Ambler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{46B35542-A3CF-4cca-9C0B-259DB2FFF078}



Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Saturday 13 June 2009

Haxfix version 5.0.82

Version 5.082
2009 06 13

Infection: Goldun
Updated appinit detection.



Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Tuesday 9 June 2009

Haxfix version 5.0.81

Version 5.081
2009 06 09

Infection: Goldun
Updated appinit detection.



Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Saturday 6 June 2009

Haxfix version 5.0.80

Version 5.080
2009 06 06

Infection: Trojan Ambler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7B303E07-7C7D-45ad-8D42-EB41C9CBC908}

File:
system32\krpod32.dll


Infection: Trojan Ambler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0D75B38F-C5F6-444e-ABB3-FD0F77201602}


Files:
system32\c2d.dat
system32\idm.dat
system32\jc.dat
system32\q1.dat
system32\lpxg
system32\nk.dat
system32\udinfrm.dll


Infection: Trojan Ambler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7F66FC8B-DCF6-4db0-908A-2D566D7EF66D}

Files:
system32\afha
system32\blkernel.dll
system32\c2d.dat
system32\ck.dat
system32\idm.dat
system32\jc.dat
system32\nk.dat
system32\q1.dat


Infection: Trojan Ambler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{91673BA2-1DC6-411c-9CD0-150750A2ECB5}

Files:
system32\armad32.dll
system32\c2d.dat
system32\ck.dat
system32\idm.dat
system32\lkjd
system32\nk.dat
system32\q1.dat
system32\xd.dat


Infection: Trojan Ambler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10C0B0C0-FC01-473b-8EBB-4376353F96E4}

Files:
system32\bekbn.dll
system32\ck.dat
system32\idm.dat
system32\q1.dat
system32\xd.dat
system32\fkas
system32\nk.dat


Infection: Trojan Ambler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8AA4410F-A3EE-4279-8F2C-4BFAB8CEB231}

Files:
system32\c2d.dat
system32\ck.dat
system32\idm.dat
system32\q1.dat
system32\xd.dat
system32\krmnat.dll
system32\pis


Infection: Trojan Ambler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F30B5E7E-CFBB-44fb-A947-226E5A7A4290}

Files:
system32\jhxm32.dll
system32\sft.res



Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Thursday 21 May 2009

Haxfix version 5.0.78

Version 5.078
2009 05 21

Infection: Trojan Ambler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\browser helper objects\{7C7EFE99-C71F-48b8-8CC8-BA506CA76A33}

File:
system32\xagkf32.dll


Infection: Trojan Ambler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\browser helper objects\{1925C7E1-5540-4675-8198-8A2779D4072A}

File:
system32\msfgw32.dll


Infection: Trojan Ambler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\browser helper objects\{D6E0FAFC-2B61-4753-B3DA-D83BE96A2C39}

File:
system32\mashtuic32.dll



Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Sunday 10 May 2009

Haxfix version 5.0.77

Version 5.0.77
2009 05 10

Infection: Trojan Ambler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\browser helper objects\{FFCC6792-7219-4ff8-98D2-5D632A5FA01C}
system32\al.txt
system32\dz1.txt
system32\kixm32.dll
system32\opxd
system32\p1.txt
system32\r24.txt


Infection: Trojan Ambler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\browser helper objects\{C3221010-0AD7-4c09-B17B-EDCFFDA4B7F9}
system32\fow64.dll


Infection: SpyBanker
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\browser helper objects\{DCF49866-8F81-4F5F-8193-7EC75A2AB321}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\browser helper objects\{FCADDC14-BD46-408A-9842-CDBE1C6D37EB}


Infection: Goldun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\browser helper objects\{73364D99-1240-4dff-B11A-67E448373048}

File:
system32\ipv6mons.dll

Friday 1 May 2009

Haxfix version 5.0.76

Version 5.0.76
2009 05 01

Infection: Goldun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rksocket
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rkskt
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rkskt.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rkskt.sys

Files:
system32\hrpdcf.bin
system32\rkskt.sys
system32\rksocket.dll


Infection: Goldun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pmod11

File:
system32\pmod11.dll



Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Wednesday 29 April 2009

Haxfix version 5.0.75

Version 5.0.75
2009 04 29

Infection: Goldun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dbbin
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dbbin
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dbbin.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dbbin.sys

Files:
system32\dbbin.dll
system32\dbbin.sys


Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Saturday 18 April 2009

HaxFix version 5.0.74

Version 5.0.74
2009 04 18

Infection: Goldun
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Update Machine"


Infection: Goldun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ramdmm
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ramdma
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ramdma.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ramdma.sys

Files:
a99k.bin
ramdma.sys
ramdmm.dll


Infection: Goldun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ctasys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mmcta
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mmcta.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mmcta.sys

Files:
ctasys.dll
mmcta.sys


Infection: Goldun
Detection updated for the variants that use orphaned service registry keys.


Infection: Goldun
Detection updated for the variants that are using the appinit key.



Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Sunday 12 April 2009

HaxFix version 5.0.73

Version 5.0.73
2009 04 12

Infection: Goldun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ntpdxt
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ntpdxt
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ntpdxt.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ntpdxt.sys

Files:
ntpdxt.dll
ntpdxt.sys


Infection: Goldun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sphub
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sphub
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sphub.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sphub.sys

Files:
system32\sphub.dll
system32\sphub.sys


Infection: Troj/Ambler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\browser helper objects\{56BB6D01-7BD5-4458-A4AE-F03DF643D6EE}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\browser helper objects\{C2C3339C-2559-4b81-B9EF-CBAF906D5DA2}

Files:
bxx.txt
sft.res
system32\smstf.dll
system32\trinf32.dll



Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Thursday 26 March 2009

HaxFix version 5.0.72

Version 5.0.72
2009 03 26

Infection: Goldun
Detection updated for the variants that are using the appinit key.



Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Tuesday 24 March 2009

HaxFix version 5.0.71

Version 5.0.71
2009 03 24

Infection: Goldun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\jstdrv
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jscript
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\jscript.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\jscript.sys

Files:
system32\ak9.bin
system32\jscript.sys
system32\jstdrv.dll


Infection: Goldun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ipfwrd
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ipfwrd
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ipfwrd.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ipfwrd.sys

Files:
system32\ak9.bin
system32\ipfwrd.dll
system32\ipfwrd.sys



Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Sunday 22 March 2009

HaxFix version 5.0.70

Version 5.0.70
2009 03 22

Infection: Goldun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\browser helper objects\{36DBC179-A19F-48F2-B16A-6A3E19B42A87}


Infection: Goldun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pptpr
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pptpr
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\pptpr.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\pptpr.sys
Detection updated for the variants that use orphaned service registry keys.

Files:
system32\a9k.bin
system32\pptpr.dll
system32\pptpr.sys



Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Tuesday 17 March 2009

HaxFix version 5.0.69

Version 5.0.69
2009 03 17

Infection: Troj/Ambler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{013DFA9D-4A04-4907-B043-46BDE4B090E6}

Files:
system32\al.txt
system32\dz1.txt
system32\mld
system32\p1.txt
system32\r24.txt
system32\sdd.txt
system32\utrmk.dll



Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Monday 16 March 2009

HaxFix version 5.0.68

Version 5.068
2009 03 16


Infection: Goldun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\vmbox2
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vmbox2
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vmbox2.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vmbox2.sys

Files:
system32\a9k.bin
system32\vmbox2.dll
system32\vmbox2.sys



Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Saturday 14 March 2009

HaxFix version 5.0.67

Version 5.0.67
2009 03 14

Infection: Troj/Ambler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{684EE1DB-CD52-4ca9-9CCF-93D5F6B419BA}

File:
system32\kmsvc32.dll


Infection: Goldun
Detection updated for the variants that are using the appinit key.



Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Tuesday 24 February 2009

HaxFix version 5.0.66

Version 5.0.66
2009 02 24

Infection: Goldun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\utsync
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\uvsync
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\uvsync.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\uvsync.sys

Files:
system32\a9k.bin
system32\hrpdcf.bin
system32\utsync.dll
system32\uvsync.sys


Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Sunday 22 February 2009

HaxFix version 5.0.65

Version 5.0.65
2009 02 22

Infection: Goldun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\i975gl
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mjva
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mjva.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mjva.sys

Files:
system32\a9k.bin
system32\i975gl.dll
system32\mjva.sys
system32\z98.bin

Infection: Goldun
Detection updated for the variants that use orphaned service registry keys.



Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Monday 16 February 2009

HaxFix version 5.0.64

Version 5.0.64
2009 02 16

Infection: Goldun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\eeekp
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\eeekp
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\eeekp.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\eeekp.sys

Files:
system32\a9k.bin
system32\eeekp.dll
system32\eeekp.sys
system32\wdh.bin


Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Sunday 8 February 2009

HaxFix version 5.0.63

Version 5.0.63
2009 02 08

Infection: Troj/Ambler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CC2F638-99FF-45d2-97C7-E30E83CF04D2}

Files:
system32\ak
system32\alog.txt
system32\bb1.dat
system32\cs.dat
system32\ps1.dat
system32\rc.dat
system32\tb.dr
system32\ipv6sp.dll



Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Friday 6 February 2009

Haxfix version 5.0.62

Version 5.0.62
2009 02 06

Infection: Troj/Ambler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6607E676-1BDE-4cb3-9913-4DC5EBCAE35E}

Files:
system32\alog.txt
system32\conf.dat
system32\cs.dat
system32\ps1.dat
system32\rc.dat
system32\unifff.dll



Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Thursday 5 February 2009

Haxfix version 5.0.61

Version 5.0.61
2009 02 05

Infection: Goldun
O20 - Winlogon Notify: tomto - C:\WINDOWS\system32\tomto.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tomto
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tomto
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tomto.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tomto.sys

Files:
system32\a9k.bin
system32\tomto.dll
system32\tomto.sys


Infection: Goldun
O20 - Winlogon Notify: iokey - C:\WINDOWS\system32\iokey.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iokey
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iokey
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\iokey.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\iokey.sys

Files:
system32\a9k.bin
system32\iokey.dll
system32\iokey.sys



Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Wednesday 4 February 2009

HaxFix version 5.0.60

Version 5.0.60
2009 02 04

Infection: Goldun

Detection updated for the variants that use orphaned service registry keys and for those that use the appinit key.

Wednesday 21 January 2009

Haxfix version 5.0.59

Version 5.0.59
2009 01 21

Infection: Goldun

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rssync
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rdsync
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rdsync.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdsync.sys

Files:
system32\a9k.bin
system32\hrpdcf.bin
system32\rdsync.sys
system32\rssync.dll


Infection: Banker Trojan

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6458C00E-EF7F-4f06-9E06-49EA923386FD}
HKEY_LOCAL_MACHINE\SOFTWARE\AmSoft

File:
system32\kj32.dll


Infection: Trojan/Ambler

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{89F2C12A-027A-4de3-88F6-9F31A1C0F17C}

Files:
system32\alog.txt
system32\bb1.dat
system32\cs.dat
system32\ps1.dat
system32\rc.dat
system32\rs
system32\tb.dr
system32\xlk.dll
system32\xwa.dll



Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Sunday 18 January 2009

Haxfix version 5.0.58

Version 5.0.58
2009 01 18

Scanning the whole drive for randomly named files can take a while.
I added the possibility to use a quick scan that searches for randomly named files in the most important Windows folders only.

Wednesday 14 January 2009

Haxfix version 5.0.57

Version 5.057
2009 01 14

Infection: Goldun

Detection updated for the variants that use orphaned service registry keys.

Tuesday 13 January 2009

Haxfix version 5.0.56

Version 5.0.56
2009 01 13

Infection: Troj/Ambler

O2 - BHO: Microsoft copyright - {4D88F653-4230-4af1-A6A3-54B8D3CD7DF4} - msfacat32.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4D88F653-4230-4af1-A6A3-54B8D3CD7DF4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5EB96953-7D02-4594-AC15-F55FC9AACFCB}]
"StubPath"="rundll32 msfacat32.dll,InitModule"

File:
system32\msfacat32.dll
system32\sft.res


Infection: Troj/Ambler

O2 - BHO: Microsoft copyright - {085E2757-F41D-42d1-B4CC-9DADF7113BBC} - aj32.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{085E2757-F41D-42d1-B4CC-9DADF7113BBC}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{0EA88F0F-B698-4ab1-8DBC-EBE2CD00927F}]
"StubPath"="rundll32 aj32.dll,InitO"

Files:
system32\aj32.dll
system32\alog.txt
system32\bb1.dat
system32\ps1.dat
system32\rc.dat
system32\lp
windows\inform.dat


Infection: Troj/Ambler

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6825FAC3-D7D2-4045-97A2-87DF42CB6728}]
"StubPath"="rundll32 kcms.dll,InitO"

File:
system32\kcms.dll



Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Monday 12 January 2009

Haxfix version 5.0.55

Version 5.0.55
2009 01 12

Infection: Goldun

O20 - Winlogon Notify: sbfxi - C:\WINDOWS\system32\sbfxi.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sbfxi

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\surrd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\surrd.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\surrd.sys]

system32\a9k.bin
system32\sbfxi.dll
system32\surrd.sys



Use haxfix to remove this infection.
Removal instructions for this infection can be found here or here.
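The entries above keep returning to the same handful of persistence points: a Winlogon Notify package that gets its DLL loaded into winlogon.exe (Notify\sbfxi and sbfxi.dll), a driver service whose .sys lives directly in system32\ with matching SafeBoot\Minimal and SafeBoot\Network entries so that it is loaded in Safe Mode as well (surrd), a BHO CLSID, an Active Setup StubPath that starts the same DLL through rundll32 (msfacat32.dll in the 5.0.56 entry), and the AppInit_DLLs value the "appinit" variants use. The Python below is an added example and not HaxFix code: it parses a `reg export` dump offline and applies exactly those correlations. The export is a constructed sample that reuses the names from the 5.0.55 (Goldun) and 5.0.56 (Ambler) entries; the ImagePath value, the HKCR InprocServer32 mapping for the BHO and the baseline set of stock Notify packages are assumptions.

```python
import re

def reg_expand_sz(s):
    """Encode a string the way reg.exe exports REG_EXPAND_SZ: 'hex(2):' plus UTF-16LE bytes."""
    return "hex(2):" + ",".join(f"{b:02x}" for b in (s + "\0").encode("utf-16-le"))

# Constructed sample export (HKLM and HKCR concatenated). Key and file names are the indicators
# from the 5.0.55 (Goldun) and 5.0.56 (Ambler) entries above; the value data are assumptions.
IMG_SURRD = reg_expand_sz(r"\??\C:\WINDOWS\system32\surrd.sys")
SAMPLE_REG = f"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\crypt32chain]
"DLLName"="crypt32.dll"
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\sbfxi]
"DLLName"="sbfxi.dll"
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\surrd]
"Type"=dword:00000001
"ImagePath"={IMG_SURRD}
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\surrd.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Network\\surrd.sys]
@="Driver"
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\{{4D88F653-4230-4af1-A6A3-54B8D3CD7DF4}}]
[HKEY_CLASSES_ROOT\\CLSID\\{{4D88F653-4230-4af1-A6A3-54B8D3CD7DF4}}\\InprocServer32]
@="C:\\\\WINDOWS\\\\system32\\\\msfacat32.dll"
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{{5EB96953-7D02-4594-AC15-F55FC9AACFCB}}]
"StubPath"="rundll32 msfacat32.dll,InitModule"
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows]
"AppInit_DLLs"="a9k.bin"
"""

def parse_reg(text):
    """Parse reg.exe export text into {key_path: {value_name: value}}; paths are kept as written."""
    keys, current = {}, None
    lines = iter(text.splitlines())
    for line in lines:
        line = line.strip()
        while line.endswith("\\"):                  # long hex data wraps with a trailing backslash
            line = line[:-1] + next(lines).strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif "=" in line and current is not None:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            value = data                            # other binary types are left as raw text
            if data.startswith('"'):
                value = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            elif data.startswith("dword:"):
                value = int(data[6:], 16)
            elif data.startswith("hex(2):"):
                value = bytes.fromhex(data[7:].replace(",", "")).decode("utf-16-le").rstrip("\0")
            keys[current][name] = value
    return keys

def subkeys(keys, prefix):
    """Direct children of prefix as (name, values); registry paths compare case-insensitively."""
    p = prefix.lower() + "\\"
    return [(k[len(p):], v) for k, v in keys.items() if k.lower().startswith(p) and "\\" not in k[len(p):]]

def values_of(keys, path):
    return next((v for k, v in keys.items() if k.lower() == path.lower()), {})

NOTIFY = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify"
SERVICES = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services"
SAFEBOOT = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot"
BHO = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects"
ACTSETUP = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components"
APPINIT = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
# Notify packages of a stock Windows XP install (assumed baseline; rebuild it from a known-clean image).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "scecli", "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon"}

def find_persistence(keys):
    """Return (rule, subject, detail) findings for the persistence points catalogued on this page."""
    findings, bho_dlls = [], {}
    # Goldun: Winlogon\Notify\<name> gets <name>.dll loaded into winlogon.exe at every logon.
    for name, vals in subkeys(keys, NOTIFY):
        if name.lower() not in KNOWN_NOTIFY:
            findings.append(("winlogon_notify", name, vals.get("DLLName", "")))
    # Goldun: a Type 1 kernel driver kept in system32\ itself, with SafeBoot entries so it loads in Safe Mode.
    safeboot = {n.lower() for m in ("Minimal", "Network") for n, _ in subkeys(keys, SAFEBOOT + "\\" + m)}
    for name, vals in subkeys(keys, SERVICES):
        image = str(vals.get("ImagePath", "")).lower()
        if vals.get("Type") == 1 and image.endswith(".sys") and "\\drivers\\" not in image:
            rule = "driver_in_system32+safeboot" if name.lower() + ".sys" in safeboot else "driver_in_system32"
            findings.append((rule, name, vals["ImagePath"]))
    # Ambler: a BHO whose CLSID resolves (via HKCR) to a DLL that an Active Setup StubPath also runs via rundll32.
    for clsid, _ in subkeys(keys, BHO):
        dll = values_of(keys, "HKEY_CLASSES_ROOT\\CLSID\\" + clsid + "\\InprocServer32").get("(Default)", "")
        bho_dlls[dll.rsplit("\\", 1)[-1].lower()] = clsid
        findings.append(("bho", clsid, dll))
    for clsid, vals in subkeys(keys, ACTSETUP):
        m = re.match(r"rundll32(?:\.exe)?\s+(\S+?\.dll),", str(vals.get("StubPath", "")), re.I)
        if m:
            rule = "active_setup_loads_bho_dll" if m.group(1).lower() in bho_dlls else "active_setup_rundll32"
            findings.append((rule, clsid, vals["StubPath"]))
    # Goldun "appinit" variants: AppInit_DLLs is mapped into every process that loads user32.dll.
    appinit = values_of(keys, APPINIT).get("AppInit_DLLs", "")
    if appinit:
        findings.append(("appinit_dlls", APPINIT, appinit))
    return findings
```

To use it on a real machine, concatenate the text of `reg export HKLM hklm.reg` and `reg export HKCR hkcr.reg` (reg.exe writes them as UTF-16, so decode before parsing) and call find_persistence(parse_reg(text)). Only winlogon_notify, driver_in_system32+safeboot, active_setup_loads_bho_dll and appinit_dlls are strong signals by themselves; a plain bho or active_setup_rundll32 finding is listed for review, because legitimate toolbars and Internet Explorer setup stubs use those same keys.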

Saturday 10 January 2009

Haxfix version 5.0.54

Version 5.0.54
2009 01 10

Infection: Goldun
Detection added for other variants that use random orphaned service keys.

Thursday 8 January 2009

Haxfix version 5.0.53

Version 5.0.53
2009 01 08

Detection added for the variants that use orphaned driver keys.

Samples from the log files:

Logfile option 1:

checking for random used files and services
C:\WINDOWS\system32\1.tmp
C:\WINDOWS\system32\drivers\gmer.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MEMSWEEP2
Imagepath REG_EXPAND_SZ \??\C:\WINDOWS\System32\1.tmp
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gmer
Imagepath REG_EXPAND_SZ System32\DRIVERS\gmer.sys

Logfile option 2:


--- checking for random used files and services ---
these files and services will not be deleted by HaxFix
C:\WINDOWS\system32\1.tmp
C:\WINDOWS\system32\drivers\gmer.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MEMSWEEP2
Imagepath REG_EXPAND_SZ \??\C:\WINDOWS\System32\1.tmp
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gmer
Imagepath REG_EXPAND_SZ System32\DRIVERS\gmer.sys


Haxfix will not delete these services and files.
If you want to remove them, run SC DELETE <servicename> for each service, reboot the computer and then delete the file(s).

These are samples from a log file. In this case the infection was using the legitimate service name gmer and the legitimate file name gmer.sys (GMER is a legitimate program, a rootkit scanner).
The other service used by this infection is MEMSWEEP2. Not necessarily a bad service, but here it was used by the infection.
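HaxFix prints the service key and its ImagePath and leaves the decision to whoever reads the log. The Python below is an added example, not HaxFix code, of the two checks that decision needs: bringing the forms an ImagePath can take (the \??\ prefix, \SystemRoot\, an unexpanded %SystemRoot%, or a path relative to the Windows directory) down to one absolute path, and testing whether the image still exists, which is what turns a service key into an orphaned one. The log excerpt is the one printed above plus one constructed pptpr entry (path assumed) modelled on the 5.0.70 indicators; the set of files standing in for the disk and the C:\WINDOWS root are assumptions, and the review notes are heuristics, not verdicts.

```python
import re

SYSTEMROOT = r"C:\WINDOWS"   # assumed; read %SystemRoot% on the real machine

# Constructed stand-in for the file system: the image files that still exist on disk.
DISK = {r"c:\windows\system32\1.tmp", r"c:\windows\system32\drivers\gmer.sys"}

# The HaxFix log excerpt printed above, plus one constructed pptpr entry (path assumed)
# modelled on the 5.0.70 Goldun indicators, whose driver file is no longer on disk.
LOG = r"""--- checking for random used files and services ---
these files and services will not be deleted by HaxFix
C:\WINDOWS\system32\1.tmp
C:\WINDOWS\system32\drivers\gmer.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MEMSWEEP2
Imagepath REG_EXPAND_SZ \??\C:\WINDOWS\System32\1.tmp
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gmer
Imagepath REG_EXPAND_SZ System32\DRIVERS\gmer.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pptpr
Imagepath REG_EXPAND_SZ system32\pptpr.sys
"""

def normalize_imagepath(p, systemroot=SYSTEMROOT):
    """Reduce the forms ImagePath takes to one absolute, lower-cased Win32 path."""
    p = p.strip().strip('"')
    low = p.lower()
    if low.startswith("\\??\\"):                       # NT object-manager prefix
        p = p[4:]
    elif low.startswith("\\systemroot\\"):             # kernel-style root
        p = systemroot + p[len("\\systemroot"):]
    elif low.startswith("%systemroot%"):               # unexpanded REG_EXPAND_SZ
        p = systemroot + p[len("%systemroot%"):]
    elif low.startswith("system32\\"):                 # relative to the Windows directory
        p = systemroot + "\\" + p
    return p.lower()

def parse_haxfix_log(text):
    """Return (service_name, raw_imagepath) pairs from the 'random used files and services' block."""
    pairs, current = [], None
    for line in (l.strip() for l in text.splitlines()):
        m = re.match(r"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\(\S+)$", line, re.I)
        if m:
            current = m.group(1)
        elif current and line.lower().startswith("imagepath"):
            pairs.append((current, line.split(None, 2)[2]))   # "Imagepath REG_EXPAND_SZ <path>"
            current = None
    return pairs

def classify(log=LOG, disk=DISK):
    """Per service: 'orphaned' if the image is gone, else 'present', plus review notes."""
    results = []
    for name, raw in parse_haxfix_log(log):
        path = normalize_imagepath(raw)
        notes = []
        if re.search(r"\\\d+\.tmp$", path):
            notes.append("tmp-named image")
        if path.endswith(".sys") and "\\drivers\\" not in path:
            notes.append("driver image outside system32\\drivers")   # true of every Goldun .sys on this page
        results.append((name, path, "present" if path in disk else "orphaned", notes))
    return results

def removal_commands(results, confirmed):
    """The manual clean-up the post describes: sc delete now, delete the file after the reboot."""
    cmds = []
    for name, path, _, _ in results:
        if name in confirmed:
            cmds += [f"sc delete {name}", f'del "{path}"']
    return cmds

if __name__ == "__main__":
    for row in classify():
        print(row)
```

On a live machine replace DISK with os.path.exists and take SYSTEMROOT from the environment. sc delete takes the service key name, not the file name, and a driver file can only be deleted once the driver is no longer loaded, which is why the reboot sits between the two commands.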