Thursday 8 January 2009

Haxfix version 5.0.53

Version 5.0.53
2009 01 08

Detection added for infections that use orphaned driver keys (a service key under CurrentControlSet\Services whose driver file is abused or no longer belongs to a legitimate installation).

Samples from the logfiles:

Logfile option 1:

checking for random used files and services
C:\WINDOWS\system32\1.tmp
C:\WINDOWS\system32\drivers\gmer.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MEMSWEEP2
Imagepath REG_EXPAND_SZ \??\C:\WINDOWS\System32\1.tmp
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gmer
Imagepath REG_EXPAND_SZ System32\DRIVERS\gmer.sys
…

Logfile option 2:

--- checking for random used files and services ---
these files and services will not be deleted by HaxFix
C:\WINDOWS\system32\1.tmp
C:\WINDOWS\system32\drivers\gmer.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MEMSWEEP2
Imagepath REG_EXPAND_SZ \??\C:\WINDOWS\System32\1.tmp
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gmer
Imagepath REG_EXPAND_SZ System32\DRIVERS\gmer.sys
Haxfix will not delete these services and files.
If you want to remove them, use SC DELETE <servicename>, reboot the computer and then delete the file(s).

These are samples from a logfile. In this case the infection was using the legitimate service name gmer and the legitimate file name gmer.sys (GMER is a legitimate program, a rootkit scanner).
The other service used by this infection is MEMSWEEP2. Not necessarily a malicious service in itself, but here it was used by the infection.
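To make the "orphaned driver key" idea concrete, here is an added example (my own code, not part of HaxFix and not from the original post) that reads service entries in the log format quoted above and flags two things a responder would want to see: a service key whose image file no longer exists on disk (orphaned), and a driver loaded from a .tmp file as in the MEMSWEEP2 entry. It assumes %SystemRoot% is C:\WINDOWS for relative ImagePath values, replaces a real disk check with a constructed set of present files so it runs offline, and adds one invented service, EXAMPLEDRV, purely to show the orphaned case; the sc delete lines it emits are the manual removal step the post describes.

```python
import ntpath
import re
from typing import Dict, List, Set

# Constructed sample in the format of the HaxFix log quoted in the post.
# The EXAMPLEDRV entry is invented here to show an orphaned key; it is not in the post.
SAMPLE_LOG = r"""--- checking for random used files and services ---
these files and services will not be deleted by HaxFix
C:\WINDOWS\system32\1.tmp
C:\WINDOWS\system32\drivers\gmer.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MEMSWEEP2
Imagepath REG_EXPAND_SZ \??\C:\WINDOWS\System32\1.tmp
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gmer
Imagepath REG_EXPAND_SZ System32\DRIVERS\gmer.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EXAMPLEDRV
Imagepath REG_EXPAND_SZ System32\DRIVERS\exampledrv.sys
"""

# Constructed snapshot of files present on disk; it stands in for os.path.exists on the
# affected machine so the example runs offline. Only the two files the post lists exist.
FILES_ON_DISK = {
    r"c:\windows\system32\1.tmp",
    r"c:\windows\system32\drivers\gmer.sys",
}

SYSTEM_ROOT = r"C:\WINDOWS"  # assumed %SystemRoot%; a driver's relative ImagePath resolves here

KEY_RE = re.compile(r"^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\(\S+)$", re.I)
IMAGE_RE = re.compile(r"^Imagepath\s+REG_EXPAND_SZ\s+(.+)$", re.I)


def resolve_image_path(raw: str) -> str:
    """Turn an ImagePath registry value into a normalised, lower-cased absolute path."""
    path = raw.strip()
    if path.startswith("\\??\\"):             # NT object-manager prefix, e.g. \??\C:\...
        path = path[4:]
    if not re.match(r"^[A-Za-z]:\\", path):   # relative values are relative to %SystemRoot%
        path = ntpath.join(SYSTEM_ROOT, path)
    return ntpath.normpath(path).lower()


def parse_services(log_text: str) -> Dict[str, str]:
    """Pair each Services\\<name> key line with the Imagepath line that follows it."""
    services: Dict[str, str] = {}
    current = None
    for line in log_text.splitlines():
        key = KEY_RE.match(line.strip())
        if key:
            current = key.group(1)
            continue
        image = IMAGE_RE.match(line.strip())
        if image and current:
            services[current] = image.group(1)
            current = None
    return services


def classify_services(log_text: str, files_on_disk: Set[str]) -> Dict[str, List[str]]:
    """Flag service keys whose driver image is missing (orphaned) or is a .tmp file."""
    findings: Dict[str, List[str]] = {}
    for name, raw in parse_services(log_text).items():
        path = resolve_image_path(raw)
        flags: List[str] = []
        if path not in files_on_disk:
            flags.append("orphaned")      # the key survives but its image file is gone
        if ntpath.splitext(path)[1] == ".tmp":
            flags.append("tmp_image")     # a driver loaded from a temp file, as with MEMSWEEP2
        findings[name] = flags
    return findings


def cleanup_commands(findings: Dict[str, List[str]]) -> List[str]:
    """The manual removal the post describes: sc delete the key, reboot, then delete the file."""
    return [f"sc delete {name}" for name, flags in sorted(findings.items()) if flags]


if __name__ == "__main__":
    result = classify_services(SAMPLE_LOG, FILES_ON_DISK)
    for name, flags in result.items():
        print(f"{name}: {', '.join(flags) or 'no finding'}")
    print("\n".join(cleanup_commands(result)))
```

Run against the sample, gmer gets no finding (its file exists and has a normal driver name), MEMSWEEP2 is flagged only for its .tmp image, and the invented EXAMPLEDRV is flagged as orphaned. On a real machine you would replace FILES_ON_DISK with an os.path.exists check and read the Services keys from the registry instead of a log; the heuristics stay the same.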
