Wednesday 21 January 2009

Haxfix version 5.0.59

Version 5.0.59
2009 01 21

Infection: Goldun

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rssync
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rdsync
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rdsync.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdsync.sys

Files:
system32\a9k.bin
system32\hrpdcf.bin
system32\rdsync.sys
system32\rssync.dll


Infection: Banker Trojan

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6458C00E-EF7F-4f06-9E06-49EA923386FD}
HKEY_LOCAL_MACHINE\SOFTWARE\AmSoft

File:
system32\kj32.dll


Infection: Trojan/Ambler

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{89F2C12A-027A-4de3-88F6-9F31A1C0F17C}

Files:
system32\alog.txt
system32\bb1.dat
system32\cs.dat
system32\ps1.dat
system32\rc.dat
system32\rs
system32\tb.dr
system32\xlk.dll
system32\xwa.dll



Use Haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Sunday 18 January 2009

Haxfix version 5.0.58

Version 5.0.58
2009 01 18

Scanning the whole drive for randomly named files can take a while.
I added the option of a quick scan that searches for randomly named files only in the most important Windows folders.

Wednesday 14 January 2009

Haxfix version 5.0.57

Version 5.0.57
2009 01 14

Infection: Goldun

Detection updated for the variants that use orphaned service registry keys.

Tuesday 13 January 2009

Haxfix version 5.0.56

Version 5.0.56
2009 01 13

Infection: Troj/Ambler

O2 - BHO: Microsoft copyright - {4D88F653-4230-4af1-A6A3-54B8D3CD7DF4} - msfacat32.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4D88F653-4230-4af1-A6A3-54B8D3CD7DF4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5EB96953-7D02-4594-AC15-F55FC9AACFCB}]
"StubPath"="rundll32 msfacat32.dll,InitModule"

File:
system32\msfacat32.dll
system32\sft.res


Infection: Troj/Ambler

O2 - BHO: Microsoft copyright - {085E2757-F41D-42d1-B4CC-9DADF7113BBC} - aj32.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{085E2757-F41D-42d1-B4CC-9DADF7113BBC}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{0EA88F0F-B698-4ab1-8DBC-EBE2CD00927F}]
"StubPath"="rundll32 aj32.dll,InitO"

Files:
system32\aj32.dll
system32\alog.txt
system32\bb1.dat
system32\ps1.dat
system32\rc.dat
system32\lp
windows\inform.dat


Infection: Troj/Ambler

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6825FAC3-D7D2-4045-97A2-87DF42CB6728}]
"StubPath"="rundll32 kcms.dll,InitO"

File:
system32\kcms.dll



Use Haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Monday 12 January 2009

Haxfix version 5.0.55

Version 5.0.55
2009 01 12

Infection: Goldun

O20 - Winlogon Notify: sbfxi - C:\WINDOWS\system32\sbfxi.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sbfxi

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\surrd

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\surrd.sys]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\surrd.sys]

system32\a9k.bin
system32\sbfxi.dll
system32\surrd.sys



Use Haxfix to remove this infection.
Removal instructions for this infection can be found here or here.

Saturday 10 January 2009

Haxfix version 5.0.54

Version 5.0.54
2009 01 10

Infection: Goldun
Detection added for other variants that use random orphaned service keys.

Thursday 8 January 2009

Haxfix version 5.0.53

Version 5.0.53
2009 01 08

Detection added for the variants that use orphaned driver keys.

Samples from the log files:

Logfile option 1:

checking for random used files and services
C:\WINDOWS\system32\1.tmp
C:\WINDOWS\system32\drivers\gmer.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MEMSWEEP2
Imagepath REG_EXPAND_SZ \??\C:\WINDOWS\System32\1.tmp
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gmer
Imagepath REG_EXPAND_SZ System32\DRIVERS\gmer.sys
…

Logfile option 2:


--- checking for random used files and services ---
these files and services will not be deleted by HaxFix
C:\WINDOWS\system32\1.tmp
C:\WINDOWS\system32\drivers\gmer.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MEMSWEEP2
Imagepath REG_EXPAND_SZ \??\C:\WINDOWS\System32\1.tmp
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gmer
Imagepath REG_EXPAND_SZ System32\DRIVERS\gmer.sys


Haxfix will not delete these services and files.
If you want to remove them, use SC DELETE, reboot the computer, and then delete the file(s).

These are samples from a log file. In this case the infection used the legitimate service name gmer and the legitimate filename gmer.sys (GMER is a legitimate program, a rootkit scanner).
The other service used by this infection is memsweep2. It is not necessarily a bad service, but here it was used by the infection.
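As an added example (not Haxfix's own code), the check below reproduces the kind of finding shown in the log above: it walks the service and driver keys under HKLM\SYSTEM\CurrentControlSet\Services, resolves each ImagePath the way the kernel loader would (expanding %SystemRoot%, stripping the \??\ prefix, rooting relative System32\... paths under the Windows directory) and reports keys whose file is missing (orphaned) or points at a *.tmp file. The function name and the output columns are my own choice.

```powershell
# Added example, not part of Haxfix. Read-only: it only inspects the registry and
# the file system and prints the sc.exe command an admin could use afterwards.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Resolve-ImagePath {
    param([string]$ImagePath)
    # Expand %SystemRoot% and friends, then normalise the NT-style prefixes
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath).Trim()
    $p = $p -replace '^\\\?\?\\', ''                      # \??\C:\...\1.tmp -> C:\...\1.tmp
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"  # \SystemRoot\System32\... -> C:\WINDOWS\System32\...
    if ($p.StartsWith('"')) {
        $p = $p.Split('"')[1]                             # "C:\path with spaces\svc.exe" -arg
    } else {
        $p = [regex]::Split($p, '\s+[-/]')[0]             # C:\WINDOWS\system32\svchost.exe -k netsvcs
    }
    if (-not [IO.Path]::IsPathRooted($p)) {
        $p = Join-Path $env:SystemRoot $p                 # System32\DRIVERS\gmer.sys is relative to %SystemRoot%
    }
    return $p
}

Get-ChildItem $servicesKey | ForEach-Object {
    $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
    if (-not $props.ImagePath) { return }                 # no ImagePath: nothing to resolve (e.g. group keys)
    $file = Resolve-ImagePath $props.ImagePath
    $finding = if (-not (Test-Path -LiteralPath $file)) { 'orphaned: image file missing' }
               elseif ($file -match '\.tmp$')            { 'ImagePath points to a .tmp file' }
               else                                      { $null }
    if ($finding) {
        [pscustomobject]@{
            Service   = $_.PSChildName
            ImagePath = $props.ImagePath
            Resolved  = $file
            Finding   = $finding
            Removal   = "sc.exe delete $($_.PSChildName)"   # then reboot and delete the file, as the text says
        }
    }
} | Format-Table -AutoSize
```

Orphaned keys are also left behind by cleanly uninstalled drivers and by tools such as GMER itself, so each hit needs to be checked against what is actually installed before the key is deleted.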