woensdag 21 januari 2009

Haxfix version 5.0.59

Verion 5.0.59
2009 01 21

Infection: Goldun

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rssync
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rdsync
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rdsync.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdsync.sys

Files:
system32\a9k.bin
system32\hrpdcf.bin
system32\rdsync.sys
system32\rssync.dll


Infection: Banker Trojan

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6458C00E-EF7F-4f06-9E06-49EA923386FD}
HKEY_LOCAL_MACHINE\SOFTWARE\AmSoft

File:
system32\kj32.dll


Infection: Trojan/Ambler

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{89F2C12A-027A-4de3-88F6-9F31A1C0F17C}

Files:
system32\alog.txt
system32\bb1.dat
system32\cs.dat
system32\ps1.dat
system32\rc.dat
system32\rs
system32\tb.dr
system32\xlk.dll
system32\xwa.dll



Use haxfix to remove this infection.
Removalinstructions for this infection, you can find here or here.
Gepost door Marc op 12:12 0 reacties
Labels: ,

zondag 18 januari 2009

Haxfix version 5.0.58

Version 5.0.58
2009 01 18

Scanning the whole drive for random used files, can take a while.
I added the possibility to use a quick scan to search for random used files in the most important windows folders.
Gepost door Marc op 15:48 0 reacties
Labels: ,

woensdag 14 januari 2009

Haxfix version 5.0.57

Version 5.057
2009 01 14

Infection: Goldun

Detection updated for the variants that are using the orphaned service registrykeys.
Gepost door Marc op 18:45 0 reacties
Labels: ,

dinsdag 13 januari 2009

Haxfix version 5.0.56

Version 5.0.56
2009 01 13

Infection: Troj/Ambler

O2 - BHO: Microsoft copyright - {4D88F653-4230-4af1-A6A3-54B8D3CD7DF4} - msfacat32.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4D88F653-4230-4af1-A6A3-54B8D3CD7DF4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5EB96953-7D02-4594-AC15-F55FC9AACFCB}]
"StubPath"="rundll32 msfacat32.dll,InitModule"

File:
system32\msfacat32.dll
system32\sft.res


Infection: Troj/Ambler

O2 - BHO: Microsoft copyright - {085E2757-F41D-42d1-B4CC-9DADF7113BBC} - aj32.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{085E2757-F41D-42d1-B4CC-9DADF7113BBC}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{0EA88F0F-B698-4ab1-8DBC-EBE2CD00927F}]
"StubPath"="rundll32 aj32.dll,InitO"

Files:
system32\aj32.dll
system32\alog.txt
system32\bb1.dat
system32\ps1.dat
system32\rc.dat
system32\lp
windows\inform.dat


Infection: Troj/Ambler

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6825FAC3-D7D2-4045-97A2-87DF42CB6728}]
"StubPath"="rundll32 kcms.dll,InitO"

File:
system32\kcms.dll



Use haxfix to remove this infection.
Removalinstructions for this infection, you can find here or here.
Gepost door Marc op 20:27 0 reacties
Labels: ,

maandag 12 januari 2009

Haxfix version 5.0.55

Version 5.0.55
2009 01 12

Infection: Goldun

O20 - Winlogon Notify: sbfxi - C:\WINDOWS\system32\sbfxi.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sbfxi

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\surrd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\surrd.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\surrd.sys]

system32\a9k.bin
system32\sbfxi.dll
system32\surrd.sys



Use haxfix to remove this infection.
Removalinstructions for this infection, you can find here or here.
Gepost door Marc op 19:24 0 reacties
Labels: ,

zaterdag 10 januari 2009

Haxfix version 5.0.54

Version 5.0.54
2009 01 10

Infection: Goldun
Detection added for other variants that use random orphaned service keys.
Gepost door Marc op 22:20 0 reacties
Labels: ,

donderdag 8 januari 2009

Haxfix version 5.0.53

Version 5.0.53
2009 01 08

Detection added for the ones using the orphaned driver keys.

Sample from the logfiles.

Logfile option 1:

checking for random used files and services
C:\WINDOWS\system32\1.tmp
C:\WINDOWS\system32\drivers\gmer.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MEMSWEEP2
Imagepath REG_EXPAND_SZ \??\C:\WINDOWS\System32\1.tmp
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gmer
Imagepath REG_EXPAND_SZ System32\DRIVERS\gmer.sys
…[/quote]

Logfile option 2:


--- checking for random used files and services ---
these files and services will not be deleted by HaxFix
C:\WINDOWS\system32\1.tmp
C:\WINDOWS\system32\drivers\gmer.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MEMSWEEP2
Imagepath REG_EXPAND_SZ \??\C:\WINDOWS\System32\1.tmp
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gmer
Imagepath REG_EXPAND_SZ System32\DRIVERS\gmer.sys


Haxfix will not delete these services and files.
If you want to remove them, use SC DELETE , reboot the computer and delete the file(s).

These are samples from a logfile. In this case the infection was using the legit service gmer and the legit filename gmer.sys. (Gmer is a legit program, a rootkitscanner.)
The other service used by this infection is memsweep2. Not necessarily a bad service, but here used by the infection.
Gepost door Marc op 22:00 0 reacties
Labels: ,
Abonneren op: Posts (Atom)