tag:blogger.com,1999:blog-65256301191683647932012-02-08T20:38:30.637+01:00Moment of SurrenderMarchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.comBlogger1011100tag:blogger.com,1999:blog-6525630119168364793.post-25973275647664936182012-02-08T20:35:00.002+01:002012-02-08T20:38:30.641+01:00Financial malwareMooie reportage van de BBC ivm Financial malware: <br /><a href="http://www.youtube.com/watch?feature=player_embedded&v=EUGTlVSefeo#!">Financial malware</a><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-2597327564766493618?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-53529375739038254542011-11-20T12:07:00.002+01:002011-11-20T12:09:56.758+01:00ReglooksNew version up: 0.993<br />Download <a href="http://users.telenet.be/marcvn/tools/reglooks.exe">reglooks</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-5352937573903825454?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-7859102719945064582011-10-29T22:05:00.000+02:002011-10-29T22:06:42.272+02:00ReglooksNew version up: 0992<br /><a href="http://users.telenet.be/marcvn/spyware/1022467.htm"><br />Download reglooks.</a><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-785910271994506458?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-1846877531300247002011-10-29T17:19:00.001+02:002011-10-29T17:21:36.805+02:00ReglooksNew version up: 0.991.<br /><br /><a href="http://users.telenet.be/marcvn/spyware/1022467.htm">Download reglooks.exe </a><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-184687753130024700?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-45413231235883306092011-10-21T17:29:00.001+02:002011-10-21T17:34:26.282+02:00ReglooksReglooks version 0.990.<br /><br />I added a few new things to the tool.<br /><a href="http://users.telenet.be/marcvn/spyware/1022467.htm">http://users.telenet.be/marcvn/spyware/1022467.htm</a><br /><br />Download: <a href="http://users.telenet.be/marcvn/tools/reglooks.exe">reglooks.exe</a><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-4541323123588330609?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-35686325595556002332011-04-23T19:57:00.002+02:002011-04-23T19:59:22.607+02:00HaxFix Version 5.097<span style="font-weight: bold;"></span><span style="font-weight: bold;">5.097</span><br /><span style="font-weight: bold;">2011 04 23<br /><br /></span><span>Bugfix.<br />Ready for windows 7 SP1.</span><span style="font-weight: bold;"><br /></span><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-3568632559555600233?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-71630410666591451732011-01-09T13:26:00.002+01:002011-01-09T13:31:00.692+01:00HaxFix version 5.096<!--[if gte mso 9]><xml> <o:officedocumentsettings> <o:targetscreensize>800x600</o:TargetScreenSize> </o:OfficeDocumentSettings> </xml><![endif]--><!--[if gte mso 9]><xml> <w:worddocument> <w:view>Normal</w:View> <w:zoom>0</w:Zoom> <w:trackmoves/> <w:trackformatting/> <w:hyphenationzone>21</w:HyphenationZone> <w:punctuationkerning/> <w:validateagainstschemas/> <w:saveifxmlinvalid>false</w:SaveIfXMLInvalid> <w:ignoremixedcontent>false</w:IgnoreMixedContent> <w:alwaysshowplaceholdertext>false</w:AlwaysShowPlaceholderText> <w:donotpromoteqf/> <w:lidthemeother>NL-BE</w:LidThemeOther> <w:lidthemeasian>X-NONE</w:LidThemeAsian> <w:lidthemecomplexscript>X-NONE</w:LidThemeComplexScript> <w:compatibility> <w:breakwrappedtables/> <w:snaptogridincell/> <w:wraptextwithpunct/> <w:useasianbreakrules/> <w:dontgrowautofit/> <w:splitpgbreakandparamark/> <w:enableopentypekerning/> <w:dontflipmirrorindents/> <w:overridetablestylehps/> </w:Compatibility> <w:browserlevel>MicrosoftInternetExplorer4</w:BrowserLevel> <m:mathpr> <m:mathfont val="Cambria Math"> <m:brkbin val="before"> <m:brkbinsub val="--"> <m:smallfrac val="off"> <m:dispdef/> <m:lmargin val="0"> <m:rmargin val="0"> <m:defjc val="centerGroup"> <m:wrapindent val="1440"> <m:intlim val="subSup"> <m:narylim val="undOvr"> </m:mathPr></w:WordDocument> </xml><![endif]--><!--[if gte mso 9]><xml> <w:latentstyles deflockedstate="false" defunhidewhenused="true" defsemihidden="true" defqformat="false" defpriority="99" latentstylecount="267"> <w:lsdexception locked="false" priority="0" semihidden="false" unhidewhenused="false" qformat="true" name="Normal"> <w:lsdexception locked="false" priority="9" semihidden="false" unhidewhenused="false" qformat="true" name="heading 1"> <w:lsdexception locked="false" priority="9" qformat="true" name="heading 2"> <w:lsdexception locked="false" priority="9" qformat="true" name="heading 3"> <w:lsdexception locked="false" priority="9" qformat="true" name="heading 4"> <w:lsdexception locked="false" priority="9" qformat="true" name="heading 5"> <w:lsdexception locked="false" priority="9" qformat="true" name="heading 6"> <w:lsdexception locked="false" priority="9" qformat="true" name="heading 7"> <w:lsdexception locked="false" priority="9" qformat="true" name="heading 8"> <w:lsdexception locked="false" priority="9" qformat="true" name="heading 9"> <w:lsdexception locked="false" priority="39" name="toc 1"> <w:lsdexception locked="false" priority="39" name="toc 2"> <w:lsdexception locked="false" priority="39" name="toc 3"> <w:lsdexception locked="false" priority="39" name="toc 4"> <w:lsdexception locked="false" priority="39" name="toc 5"> <w:lsdexception locked="false" priority="39" name="toc 6"> <w:lsdexception locked="false" priority="39" name="toc 7"> <w:lsdexception locked="false" priority="39" name="toc 8"> <w:lsdexception locked="false" priority="39" name="toc 9"> <w:lsdexception locked="false" priority="35" qformat="true" name="caption"> <w:lsdexception locked="false" priority="10" semihidden="false" unhidewhenused="false" qformat="true" name="Title"> <w:lsdexception locked="false" priority="0" name="Default Paragraph Font"> <w:lsdexception locked="false" priority="11" semihidden="false" unhidewhenused="false" qformat="true" name="Subtitle"> <w:lsdexception locked="false" priority="22" semihidden="false" unhidewhenused="false" qformat="true" name="Strong"> <w:lsdexception locked="false" priority="20" semihidden="false" unhidewhenused="false" qformat="true" name="Emphasis"> <w:lsdexception locked="false" priority="59" semihidden="false" unhidewhenused="false" name="Table Grid"> <w:lsdexception locked="false" unhidewhenused="false" name="Placeholder Text"> <w:lsdexception locked="false" priority="1" semihidden="false" unhidewhenused="false" qformat="true" name="No Spacing"> <w:lsdexception locked="false" priority="60" semihidden="false" unhidewhenused="false" name="Light Shading"> <w:lsdexception locked="false" priority="61" semihidden="false" unhidewhenused="false" name="Light List"> <w:lsdexception locked="false" priority="62" semihidden="false" unhidewhenused="false" name="Light Grid"> <w:lsdexception locked="false" priority="63" semihidden="false" unhidewhenused="false" name="Medium Shading 1"> <w:lsdexception locked="false" priority="64" semihidden="false" unhidewhenused="false" name="Medium Shading 2"> <w:lsdexception locked="false" priority="65" semihidden="false" unhidewhenused="false" name="Medium List 1"> <w:lsdexception locked="false" priority="66" semihidden="false" unhidewhenused="false" name="Medium List 2"> <w:lsdexception locked="false" priority="67" semihidden="false" unhidewhenused="false" name="Medium Grid 1"> <w:lsdexception locked="false" priority="68" semihidden="false" unhidewhenused="false" name="Medium Grid 2"> <w:lsdexception locked="false" priority="69" semihidden="false" unhidewhenused="false" name="Medium Grid 3"> <w:lsdexception locked="false" priority="70" semihidden="false" unhidewhenused="false" name="Dark List"> <w:lsdexception locked="false" priority="71" semihidden="false" unhidewhenused="false" name="Colorful Shading"> <w:lsdexception locked="false" priority="72" semihidden="false" unhidewhenused="false" name="Colorful List"> <w:lsdexception locked="false" priority="73" semihidden="false" unhidewhenused="false" name="Colorful Grid"> <w:lsdexception locked="false" priority="60" semihidden="false" unhidewhenused="false" name="Light Shading Accent 1"> <w:lsdexception locked="false" priority="61" semihidden="false" unhidewhenused="false" name="Light List Accent 1"> <w:lsdexception locked="false" priority="62" semihidden="false" unhidewhenused="false" name="Light Grid Accent 1"> <w:lsdexception locked="false" priority="63" semihidden="false" unhidewhenused="false" name="Medium Shading 1 Accent 1"> <w:lsdexception locked="false" priority="64" semihidden="false" unhidewhenused="false" name="Medium Shading 2 Accent 1"> <w:lsdexception locked="false" priority="65" semihidden="false" unhidewhenused="false" name="Medium List 1 Accent 1"> <w:lsdexception locked="false" unhidewhenused="false" name="Revision"> <w:lsdexception locked="false" priority="34" semihidden="false" unhidewhenused="false" qformat="true" name="List Paragraph"> <w:lsdexception locked="false" priority="29" semihidden="false" unhidewhenused="false" qformat="true" name="Quote"> <w:lsdexception locked="false" priority="30" semihidden="false" unhidewhenused="false" qformat="true" name="Intense Quote"> <w:lsdexception locked="false" priority="66" semihidden="false" unhidewhenused="false" name="Medium List 2 Accent 1"> <w:lsdexception locked="false" priority="67" semihidden="false" unhidewhenused="false" name="Medium Grid 1 Accent 1"> <w:lsdexception locked="false" priority="68" semihidden="false" unhidewhenused="false" name="Medium Grid 2 Accent 1"> <w:lsdexception locked="false" priority="69" semihidden="false" unhidewhenused="false" name="Medium Grid 3 Accent 1"> <w:lsdexception locked="false" priority="70" semihidden="false" unhidewhenused="false" name="Dark List Accent 1"> <w:lsdexception locked="false" priority="71" semihidden="false" unhidewhenused="false" name="Colorful Shading Accent 1"> <w:lsdexception locked="false" priority="72" semihidden="false" unhidewhenused="false" name="Colorful List Accent 1"> <w:lsdexception locked="false" priority="73" semihidden="false" unhidewhenused="false" name="Colorful Grid Accent 1"> <w:lsdexception locked="false" priority="60" semihidden="false" unhidewhenused="false" name="Light Shading Accent 2"> <w:lsdexception locked="false" priority="61" semihidden="false" unhidewhenused="false" name="Light List Accent 2"> <w:lsdexception locked="false" priority="62" semihidden="false" unhidewhenused="false" name="Light Grid Accent 2"> <w:lsdexception locked="false" priority="63" semihidden="false" unhidewhenused="false" name="Medium Shading 1 Accent 2"> <w:lsdexception locked="false" priority="64" semihidden="false" unhidewhenused="false" name="Medium Shading 2 Accent 2"> <w:lsdexception locked="false" priority="65" semihidden="false" unhidewhenused="false" name="Medium List 1 Accent 2"> <w:lsdexception locked="false" priority="66" semihidden="false" unhidewhenused="false" name="Medium List 2 Accent 2"> <w:lsdexception locked="false" priority="67" semihidden="false" unhidewhenused="false" name="Medium Grid 1 Accent 2"> <w:lsdexception locked="false" priority="68" semihidden="false" unhidewhenused="false" name="Medium Grid 2 Accent 2"> <w:lsdexception locked="false" priority="69" semihidden="false" unhidewhenused="false" name="Medium Grid 3 Accent 2"> <w:lsdexception locked="false" priority="70" semihidden="false" unhidewhenused="false" name="Dark List Accent 2"> <w:lsdexception locked="false" priority="71" semihidden="false" unhidewhenused="false" name="Colorful Shading Accent 2"> <w:lsdexception locked="false" priority="72" semihidden="false" unhidewhenused="false" name="Colorful List Accent 2"> <w:lsdexception locked="false" priority="73" semihidden="false" unhidewhenused="false" name="Colorful Grid Accent 2"> <w:lsdexception locked="false" priority="60" semihidden="false" unhidewhenused="false" name="Light Shading Accent 3"> <w:lsdexception locked="false" priority="61" semihidden="false" unhidewhenused="false" name="Light List Accent 3"> <w:lsdexception locked="false" priority="62" semihidden="false" unhidewhenused="false" name="Light Grid Accent 3"> <w:lsdexception locked="false" priority="63" semihidden="false" unhidewhenused="false" name="Medium Shading 1 Accent 3"> <w:lsdexception locked="false" priority="64" semihidden="false" unhidewhenused="false" name="Medium Shading 2 Accent 3"> <w:lsdexception locked="false" priority="65" semihidden="false" unhidewhenused="false" name="Medium List 1 Accent 3"> <w:lsdexception locked="false" priority="66" semihidden="false" unhidewhenused="false" name="Medium List 2 Accent 3"> <w:lsdexception locked="false" priority="67" semihidden="false" unhidewhenused="false" name="Medium Grid 1 Accent 3"> <w:lsdexception locked="false" priority="68" semihidden="false" unhidewhenused="false" name="Medium Grid 2 Accent 3"> <w:lsdexception locked="false" priority="69" semihidden="false" unhidewhenused="false" name="Medium Grid 3 Accent 3"> <w:lsdexception locked="false" priority="70" semihidden="false" unhidewhenused="false" name="Dark List Accent 3"> <w:lsdexception locked="false" priority="71" semihidden="false" unhidewhenused="false" name="Colorful Shading Accent 3"> <w:lsdexception locked="false" priority="72" semihidden="false" unhidewhenused="false" name="Colorful List Accent 3"> <w:lsdexception locked="false" priority="73" semihidden="false" unhidewhenused="false" name="Colorful Grid Accent 3"> <w:lsdexception locked="false" priority="60" semihidden="false" unhidewhenused="false" name="Light Shading Accent 4"> <w:lsdexception locked="false" priority="61" semihidden="false" unhidewhenused="false" name="Light List Accent 4"> <w:lsdexception locked="false" priority="62" semihidden="false" unhidewhenused="false" name="Light Grid Accent 4"> <w:lsdexception locked="false" priority="63" semihidden="false" unhidewhenused="false" name="Medium Shading 1 Accent 4"> <w:lsdexception locked="false" priority="64" semihidden="false" unhidewhenused="false" name="Medium Shading 2 Accent 4"> <w:lsdexception locked="false" priority="65" semihidden="false" unhidewhenused="false" name="Medium List 1 Accent 4"> <w:lsdexception locked="false" priority="66" semihidden="false" unhidewhenused="false" name="Medium List 2 Accent 4"> <w:lsdexception locked="false" priority="67" semihidden="false" unhidewhenused="false" name="Medium Grid 1 Accent 4"> <w:lsdexception locked="false" priority="68" semihidden="false" unhidewhenused="false" name="Medium Grid 2 Accent 4"> <w:lsdexception locked="false" priority="69" semihidden="false" unhidewhenused="false" name="Medium Grid 3 Accent 4"> <w:lsdexception locked="false" priority="70" semihidden="false" unhidewhenused="false" name="Dark List Accent 4"> <w:lsdexception locked="false" priority="71" semihidden="false" unhidewhenused="false" name="Colorful Shading Accent 4"> <w:lsdexception locked="false" priority="72" semihidden="false" unhidewhenused="false" name="Colorful List Accent 4"> <w:lsdexception locked="false" priority="73" semihidden="false" unhidewhenused="false" name="Colorful Grid Accent 4"> <w:lsdexception locked="false" priority="60" semihidden="false" unhidewhenused="false" name="Light Shading Accent 5"> <w:lsdexception locked="false" priority="61" semihidden="false" unhidewhenused="false" name="Light List Accent 5"> <w:lsdexception locked="false" priority="62" semihidden="false" unhidewhenused="false" name="Light Grid Accent 5"> <w:lsdexception locked="false" priority="63" semihidden="false" unhidewhenused="false" name="Medium Shading 1 Accent 5"> <w:lsdexception locked="false" priority="64" semihidden="false" unhidewhenused="false" name="Medium Shading 2 Accent 5"> <w:lsdexception locked="false" priority="65" semihidden="false" unhidewhenused="false" name="Medium List 1 Accent 5"> <w:lsdexception locked="false" priority="66" semihidden="false" unhidewhenused="false" name="Medium List 2 Accent 5"> <w:lsdexception locked="false" priority="67" semihidden="false" unhidewhenused="false" name="Medium Grid 1 Accent 5"> <w:lsdexception locked="false" priority="68" semihidden="false" unhidewhenused="false" name="Medium Grid 2 Accent 5"> <w:lsdexception locked="false" priority="69" semihidden="false" unhidewhenused="false" name="Medium Grid 3 Accent 5"> <w:lsdexception locked="false" priority="70" semihidden="false" unhidewhenused="false" name="Dark List Accent 5"> <w:lsdexception locked="false" priority="71" semihidden="false" unhidewhenused="false" name="Colorful Shading Accent 5"> <w:lsdexception locked="false" priority="72" semihidden="false" unhidewhenused="false" name="Colorful List Accent 5"> <w:lsdexception locked="false" priority="73" semihidden="false" unhidewhenused="false" name="Colorful Grid Accent 5"> <w:lsdexception locked="false" priority="60" semihidden="false" unhidewhenused="false" name="Light Shading Accent 6"> <w:lsdexception locked="false" priority="61" semihidden="false" unhidewhenused="false" name="Light List Accent 6"> <w:lsdexception locked="false" priority="62" semihidden="false" unhidewhenused="false" name="Light Grid Accent 6"> <w:lsdexception locked="false" priority="63" semihidden="false" unhidewhenused="false" name="Medium Shading 1 Accent 6"> <w:lsdexception locked="false" priority="64" semihidden="false" unhidewhenused="false" name="Medium Shading 2 Accent 6"> <w:lsdexception locked="false" priority="65" semihidden="false" unhidewhenused="false" name="Medium List 1 Accent 6"> <w:lsdexception locked="false" priority="66" semihidden="false" unhidewhenused="false" name="Medium List 2 Accent 6"> <w:lsdexception locked="false" priority="67" semihidden="false" unhidewhenused="false" name="Medium Grid 1 Accent 6"> <w:lsdexception locked="false" priority="68" semihidden="false" unhidewhenused="false" name="Medium Grid 2 Accent 6"> <w:lsdexception locked="false" priority="69" semihidden="false" unhidewhenused="false" name="Medium Grid 3 Accent 6"> <w:lsdexception locked="false" priority="70" semihidden="false" unhidewhenused="false" name="Dark List Accent 6"> <w:lsdexception locked="false" priority="71" semihidden="false" unhidewhenused="false" name="Colorful Shading Accent 6"> <w:lsdexception locked="false" priority="72" semihidden="false" unhidewhenused="false" name="Colorful List Accent 6"> <w:lsdexception locked="false" priority="73" semihidden="false" unhidewhenused="false" name="Colorful Grid Accent 6"> <w:lsdexception locked="false" priority="19" semihidden="false" unhidewhenused="false" qformat="true" name="Subtle Emphasis"> <w:lsdexception locked="false" priority="21" semihidden="false" unhidewhenused="false" qformat="true" name="Intense Emphasis"> <w:lsdexception locked="false" priority="31" semihidden="false" unhidewhenused="false" qformat="true" name="Subtle Reference"> <w:lsdexception locked="false" priority="32" semihidden="false" unhidewhenused="false" qformat="true" name="Intense Reference"> <w:lsdexception locked="false" priority="33" semihidden="false" unhidewhenused="false" qformat="true" name="Book Title"> <w:lsdexception locked="false" priority="37" name="Bibliography"> <w:lsdexception locked="false" priority="39" qformat="true" name="TOC Heading"> </w:LatentStyles> </xml><![endif]--><!--[if gte mso 10]> <style> /* Style Definitions */ table.MsoNormalTable {mso-style-name:Standaardtabel; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-priority:99; mso-style-parent:""; mso-padding-alt:0cm 5.4pt 0cm 5.4pt; mso-para-margin:0cm; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:10.0pt; font-family:"Times New Roman","serif";} </style> <![endif]--><span style="font-size: 10pt; font-family: "Verdana","sans-serif";" lang="EN-US"><span style="font-weight: bold;">5.096</span><br /><span style="font-weight: bold;">2011 01 09</span><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Infection: Goldun</span><br /><br />Updated the appinit detection.<br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<br />Haxfix has been updated for Windows Vista (32-bit) en Windows 7 (32-bit).<br /><br /></span><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-7163041066659145173?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-35905461898843487062010-10-10T11:08:00.003+02:002011-01-09T13:32:06.078+01:00HaxFix version 5.095<span style="font-weight: bold;">5.095</span><br /><span style="font-weight: bold;">2010 10 10</span><br /><br /><span style="color: rgb(255, 255, 51); font-weight: bold;">Infection: Haxdoor</span><br />HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\boot32<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\boot32.sys<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\boot32.sys<br /><br />Files:<br />system32\boot32.sys<br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<br />Haxfix has been updated for Windows Vista (32-bit) en Windows 7 (32-bit).<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-3590546189884348706?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-58807689884402743192010-04-04T13:11:00.002+02:002010-04-04T13:15:04.029+02:00HaxFix Version 5.094<span style="font-weight: bold;">5.094</span><br /><span style="font-weight: bold;">2010 04 04<br /><br /><span style="color: rgb(255, 255, 51);">Infection: Goldun<br /></span></span><span style="color: rgb(0, 0, 0);">Updated the detection for random services.<br /></span><span style="font-weight: bold;"><span style="color: rgb(255, 255, 51);"><br /></span></span><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-5880768988440274319?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-74130647628727702842010-01-28T12:46:00.001+01:002010-01-28T12:48:28.897+01:00Haxfix version 5.0.93<span style="font-weight: bold;">5.093</span><br /><span style="font-weight: bold;">2010 01 28</span><br /><br /><span style="color: rgb(255, 255, 51); font-weight: bold;">Infection: Goldun</span><br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\lixgap<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lixgax<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lixgax.sys<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\lixgax.sys<br /><br />Files:<br />system32\a99k.bin<br />system32\lixgax.sys<br />system32\lixgap.dll<br />system32\mod_st.dat<br />windows\pxysdb.dat<br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<br />Haxfix has been updated for Windows Vista (32-bit) en Windows 7 (32-bit).<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-7413064762872770284?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-88101537936409554332010-01-19T09:21:00.002+01:002010-01-19T09:25:02.634+01:00Haxfix version 5.0.92<span style="font-weight: bold;">5.092</span><br /><span style="font-weight: bold;">2010 01 20</span><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Infection: Goldun</span><br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xxop81<br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\lingap<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lingax<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\lingax.sys<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\lingax.sys<br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Infection: Trojan Ambler</span><br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{209a54af-418a-4b1e-a68d-21fc33494303}<br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E14B6F5F-3F90-4871-AC57-18DFE244EE8F}<br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A1E88A88-9B9B-45D8-9CDC-39A934318E46}<br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3063ABBF-1257-4B23-A672-9E29A508A2FA}<br /><br />Files:<br />system32\nnurri9.dll<br />system32\jtaqhghuc47.dll<br />system32\xxupuykyz65.dll<br />system32\ywud.dll<br />system32\ijqwv45.dll<br />system32\lingap.dll<br />system32\lingax.sys<br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<br />Haxfix has been updated for Windows Vista (32-bit) en Windows 7 (32-bit).<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-8810153793640955433?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-75348508804831548882010-01-09T14:05:00.003+01:002010-01-09T14:10:04.475+01:00Haxfix version 5.0.91<span style="font-weight: bold;"></span><span style="font-weight: bold;">Version 5.091<br />2010 01 09</span><br /><br />Haxfix has been updated for <span style="font-weight: bold;">Windows Vista</span> (32-bit) en <span style="font-weight: bold;">Windows 7</span> (32-bit).<br /><br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-7534850880483154888?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-19369416562507003132009-12-24T14:17:00.003+01:002009-12-24T14:42:50.860+01:00Greetings...<a href="http://www.u2.com/news/title/seasons-greetings?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+U2comNews+%28U2.com+News%29&utm_content=Google+International">They said there'd be snow at Christmas...</a><br /><br />To everybody who occasionally takes a look at this blog.<br />I wish you a merry Christmas and happy New Year.<br /><br /><br /><a href="http://www.u2.com/news/title/seasons-greetings?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+U2comNews+%28U2.com+News%29&utm_content=Google+International"></a><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-1936941656250700313?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com2tag:blogger.com,1999:blog-6525630119168364793.post-18419546988555715612009-12-19T19:37:00.001+01:002009-12-19T19:39:50.215+01:00Haxfix version 5.0.90<span style="font-weight: bold;">Version 5.090</span><br /><span style="font-weight: bold;">2009 12 19</span><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Infection: Goldun</span><br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\simdpp<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\simdpx<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\simdpx.sys<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\simdpx.sys<br /><br />Files:<br />system32\mod_st.dat<br />system32\simdpx.sys<br />system32\simdpp.dll<br /><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Infection: Goldun</span><br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\saifx<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sorrd<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sorrd.sys<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sorrd.sys<br /><br />Files:<br />system32\saifx.dll<br />system32\sorrd.sys<br /><br /><br /><span style="color: rgb(255, 255, 51); font-weight: bold;">Infection Goldun:</span><br />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\linkap<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\linkax<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\linkax.sys<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\linkax.sys<br /><br />Files:<br />system32\linkap.dll<br />system32\linkax.sys<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-1841954698855571561?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-77435255714230839542009-10-31T09:35:00.001+01:002009-10-31T09:36:44.530+01:00Haxfix version 5.0.89<span style="font-weight: bold;">Version 5.089</span><br /><span style="font-weight: bold;">2009 10 31</span><br /><br /><span style="color: rgb(255, 255, 51); font-weight: bold;">Infection: Goldun</span><br /><br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\semdpp<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\semdpx<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\semdpx.sys<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\semdpx.sys<br /><br />Files:<br />system32\semdpp.dll<br />system32\semdpx.sys<br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-7743525571423083954?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-11948828947085043262009-10-07T20:25:00.001+02:002009-10-07T20:27:25.411+02:00Haxfix version 5.0.88<span style="font-weight: bold;">Version 5.088</span><br /><span style="font-weight: bold;">2009 10 07 </span><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Infection: SpyBanker</span><br /><br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d9ad1747-7b19-4dea-bc02-0ab12c4fc468}<br />system32\GbpDist.dl<br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Infection: Goldun</span><br /><br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sebdpp<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sebdpx<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sebdpx.sys<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sebdpx.sys<br />%Windir%\pxysdb.dat<br />system32\sebdpp.dll<br />system32\sebdpx.sys<br /><br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-1194882894708504326?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-63828131655120812132009-09-12T19:16:00.001+02:002009-09-12T19:17:27.907+02:00Haxfix version 5.0.87<span style="font-weight: bold;">Version 5.087</span><br /><span style="font-weight: bold;">2009 09 12</span><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Infection: Goldun</span><br /><br />Updated the appinit detection.<br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-6382813165512081213?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-13789393536132263782009-09-11T21:18:00.003+02:002009-09-12T19:18:04.054+02:00Haxfix version 5.0.86<span style="font-weight: bold;">Version 5.086</span><br /><span style="font-weight: bold;">2009 09 11</span><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Infection: Haxdoor</span><br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pdx<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pdx32<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\pdx32.sys<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\pdx32.sys<br />system32\cfgh.ini<br />system32\pdx.dll<br />system32\pdx32.sys<br /><br /><br /><span style="color: rgb(255, 255, 51); font-weight: bold;">Infection: Trojan Ambler</span><br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f675c54f-60b6-4fd8-bba0-443c493305eb}<br /><br />File:<br />system32\rant32.dll<br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-1378939353613226378?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-63178078146461476272009-08-12T19:07:00.003+02:002009-08-12T19:11:07.958+02:00Haxfix version 5.0.85<span style="font-weight: bold; color: rgb(0, 0, 0);">Version 5.085</span><br /><span style="font-weight: bold; color: rgb(0, 0, 0);">2009 08 12</span><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Infection: Trojan Ambler</span><br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{91704C3F-A675-4e0e-9FB7-B03E005EDDA7}<br /><br />Files:<br />system32\systran.dll<br /><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Infection: Goldun</span><br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rgadtm<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rgadta<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rgadta.sys<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rgadta.sys<br /><br />Files:<br />system32\rgadtm.dll<br />system32\rgadta.sys<br /><br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-6317807814646147627?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-50164827797046490712009-07-26T19:49:00.002+02:002009-07-26T19:52:18.693+02:00Haxfix version 5.0.84<span style="font-weight: bold;">Version 5.084</span><br /><span style="font-weight: bold;">2009 07 26</span><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Infection: Goldun</span><br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rbadmm<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rbadmm<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rbadmm.sys<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rbadmm.sys<br /><br />Files:<br />system32\rbadma.sys<br />system32\rbadmm.dll<br /><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Infection: Goldun</span><br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rbadzm<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rbadza<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rbadza.sys<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rbadza.sys<br /><br />Files:<br />system32\rbadza.sys<br />system32\rbadzm.dll<br /><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Infection: Trojan Ambler</span><br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ED78190A-DFB2-4336-A960-979CD88F7A8D}<br /><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Infection: Trojan Amble</span><br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{61DC85A0-4A32-4c38-92CF-24652B3F416C}<br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{544735C9-AE13-4721-9DE7-D529BE675038}<br /><br />Files:<br />system32\locsock32.dll<br /><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Infection: Trojan Ambler</span><br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AFF01325-0FC2-4749-8914-FBF0565AD9CC}<br /><br />Files:<br />system32\jbnmcd.dll<br />system32\jbnmck.dll<br /><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Infection: Trojan Ambler</span><br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{480FA3BD-A372-4f65-9F8A-15DF38F4E2AB}<br /><br />Files:<br />system32\pcmfd3.dll<br /><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Infection: Trojan Ambler</span><br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{996D4E16-517F-474a-870F-F882C6133C47}<br /><br />Files:<br />system32\gacaq32.dll<br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-5016482779704649071?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-82771726675130631952009-06-27T21:32:00.000+02:002009-06-27T21:33:07.424+02:00Haxfix version 5.0.83<span style="font-weight: bold;">Version 5.083</span><br /><span style="font-weight: bold;">2009 06 27</span><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Infection: Trojan Ambler</span><br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{46B35542-A3CF-4cca-9C0B-259DB2FFF078}<br /><br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-8277172667513063195?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-79233734255119654322009-06-13T11:21:00.001+02:002009-06-13T11:21:57.617+02:00Haxfix version 5.0.82<span style="font-weight: bold;">Version 5.082.</span><br /><span style="font-weight: bold;">2009 06 13</span><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Infection Goldun.</span><br />Updated appinit detection<br /><br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-7923373425511965432?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-47501070851486460312009-06-09T20:12:00.001+02:002009-06-13T11:22:19.128+02:00Haxfix version 5.0.81<span style="font-weight: bold;">Version 5.081</span><br /><span style="font-weight: bold;">2009 06 09</span><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Infection Goldun</span><br />Updated appinit detection.<br /><br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-4750107085148646031?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-89812843693723584372009-06-06T13:28:00.001+02:002009-06-09T20:15:39.681+02:00Haxfix version 5.0.80<span style="font-weight: bold;">Version 5.080</span><br /><span style="font-weight: bold;">2009 06 06</span><br /><br /><span style="color: rgb(255, 255, 51); font-weight: bold;">Infection: Trojan Ambler</span><br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7B303E07-7C7D-45ad-8D42-EB41C9CBC908}<br /><br />File:<br />system32\krpod32.dll<br /><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Infection: Trojan Ambler</span><br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0D75B38F-C5F6-444e-ABB3-FD0F77201602}<br /><br /><br />Files:<br />system32\c2d.dat<br />system32\idm.dat<br />system32\jc.dat<br />system32\q1.dat<br />system32\lpxg<br />system32\nk.dat<br />system32\udinfrm.dll<br /><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Infection: Trojan Ambler</span><br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7F66FC8B-DCF6-4db0-908A-2D566D7EF66D}<br /><br />Files:<br />system32\afha<br />system32\blkernel.dll<br />system32\c2d.dat<br />system32\ck.dat<br />system32\idm.dat<br />system32\jc.dat<br />system32\nk.dat<br />system32\q1.dat<br /><br /><br /><span style="color: rgb(255, 255, 51); font-weight: bold;">Infection: Trojan Ambler</span><br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{91673BA2-1DC6-411c-9CD0-150750A2ECB5}<br /><br />Files:<br />system32\armad32.dll<br />system32\c2d.dat<br />system32\ck.dat<br />system32\idm.dat<br />system32\lkjd<br />system32\nk.dat<br />system32\q1.dat<br />system32\xd.dat<br /><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Infection: Trojan Ambler</span><br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10C0B0C0-FC01-473b-8EBB-4376353F96E4}<br /><br />Files:<br />system32\bekbn.dll<br />system32\ck.dat<br />system32\idm.dat<br />system32\q1.dat<br />system32\xd.dat<br />system32\fkas<br />system32\nk.dat<br /><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Infection: Trojan Ambler</span><br />KEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8AA4410F-A3EE-4279-8F2C-4BFAB8CEB231}<br /><br />Files:<br />system32\c2d.dat<br />system32\ck.dat<br />system32\idm.dat<br />system32\q1.dat<br />system32\xd.dat<br />system32\krmnat.dll<br />system32\pis<br /><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Infection: Trojan Ambler</span><br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F30B5E7E-CFBB-44fb-A947-226E5A7A4290}<br /><br />Files:<br />system32\jhxm32.dll<br />system32\sft.res<br /><br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-8981284369372358437?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-13647452766500431332009-05-21T10:23:00.000+02:002009-05-21T10:24:52.478+02:00Haxfix version 5.0.78<span style="font-weight: bold;">Version 5.078</span><br /><span style="font-weight: bold;">2009 05 21</span><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Infection: Trojan Ambler</span><br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\browser helper objects\{7C7EFE99-C71F-48b8-8CC8-BA506CA76A33}<br /><br />File:<br />system32\xagkf32.dll<br /><br /><br /><span style="color: rgb(255, 255, 51); font-weight: bold;">Infection: Trojan Ambler</span><br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\browser helper objects\{1925C7E1-5540-4675-8198-8A2779D4072A}<br /><br />File:<br />system32\msfgw32.dll<br /><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Infection: Trojan Ambler</span><br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\browser helper objects\{D6E0FAFC-2B61-4753-B3DA-D83BE96A2C39}<br /><br />File:<br />system32\mashtuic32.dll<br /><br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-1364745276650043133?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-81894765167968765702009-05-10T12:23:00.002+02:002009-05-21T10:25:38.630+02:00Haxfix version 5.0.77<span style="font-weight: bold;">Version 5.0.77</span><br /><span style="font-weight: bold;">2009 05 </span><span style="font-weight: bold;">10</span><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Infection: Trojan Ambler</span><br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\browser helper objects\{FFCC6792-7219-4ff8-98D2-5D632A5FA01C}<br />system32\al.txt<br />system32\dz1.txt<br />system32\kixm32.dll<br />system32\opxd<br />system32\p1.txt<br />system32\r24.txt<br /><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Infection: Trojan Ambler</span><br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\browser helper objects\{C3221010-0AD7-4c09-B17B-EDCFFDA4B7F9}<br />system32\fow64.dll<br /><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Infection: SpyBanker</span><br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\browser helper objects\{DCF49866-8F81-4F5F-8193-7EC75A2AB321}<br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\browser helper objects\{FCADDC14-BD46-408A-9842-CDBE1C6D37EB}<br /><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Infection: Goldun</span><br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\browser helper obJects\{73364D99-1240-4dff-B11A-67E448373048}<br /><br />File:<br />system32\ipv6mons.dll<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-8189476516796876570?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-38111275494502878952009-05-01T19:17:00.001+02:002009-05-01T19:18:19.029+02:00Haxfix version 5.0.76<span style="font-weight: bold;">Version 5.0.76</span><br /><span style="font-weight: bold;">2009 05 01</span><br /><br /><span style="color: rgb(255, 255, 51); font-weight: bold;">Infection: Goldun</span><br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rksocket<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rkskt<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rkskt.sys<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rkskt.sys<br /><br />Files:<br />system32\hrpdcf.bin<br />system32\rkskt.sys<br />system32\rksocket.dll<br /><br /><br /><span style="color: rgb(255, 255, 51); font-weight: bold;">Infection: Goldun</span><br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pmod11<br /><br />File:<br />system32\pmod11.dll<br /><br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-3811127549450287895?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-8512639751205023802009-04-29T20:13:00.001+02:002009-04-29T20:14:43.118+02:00Haxfix version 5.0.75<span style="font-weight: bold;">Version 5.0.75</span><br /><span style="font-weight: bold;">2009 04 29</span><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Infection: goldun</span><br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\dbbin<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dbbin<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dbbin.sys<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\dbbin.sys<br /><br />Files:<br />system32\dbbin.dll<br />system32\dbbin.sys<br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-851263975120502380?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-72642899673786298282009-04-18T16:26:00.001+02:002009-04-18T16:27:32.376+02:00HaxFix version 5.0.74<span style="font-weight: bold;">Version 5.0.74</span><br /><span style="font-weight: bold;">2009 04 18</span><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Infection: Goldun</span><br />[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]<br />"Microsoft Update Machine"<br /><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Infection: goldun</span><br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ramdmm<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ramdma<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ramdma.sys<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ramdma.sys<br /><br />Files:<br />a99k.bin<br />ramdma.sys<br />ramdmm.dll<br /><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Infection: goldun</span><br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ctasys<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mmcta<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mmcta.sys<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mmcta.sys<br /><br />Files:<br />ctasys.dll<br />mmcta.sys<br /><br /><br /><span style="color: rgb(255, 255, 51); font-weight: bold;">Infection Goldun:</span><br />Detection updated for the variants that are using the orphaned service registrykeys.<br /><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Infection: Goldun</span><br />Detection updated for the variants that are using the appinit key.<br /><br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-7264289967378629828?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-48319313282430123072009-04-12T19:00:00.002+02:002009-04-12T19:02:51.996+02:00HaxFix version 5.0.73<span style="font-weight: bold;">Version 5.0.73</span><br /><span style="font-weight: bold;">2009 04 12</span><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Infection: Goldun</span><br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ntpdxt<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ntpdxt<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ntpdxt.sys<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ntpdxt.sys<br /><br />Files:<br />ntpdxt.dll<br />ntpdxt.sys<br /><br /><br /><span style="color: rgb(255, 255, 51); font-weight: bold;">Infection: Goldun</span><br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sphub<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sphub<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sphub.sys<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sphub.sys<br /><br />Files:<br />system32\sphub.dll<br />system32\sphub.sys<br /><br /><br /><span style="color: rgb(255, 255, 51); font-weight: bold;">Infection: Troj/Ambler</span><br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\browser helper objects\{56BB6D01-7BD5-4458-A4AE-F03DF643D6EE}<br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\browser helper objects\{C2C3339C-2559-4b81-B9EF-CBAF906D5DA2}<br /><br />Files:<br />bxx.txt<br />sft.res<br />system32\smstf.dll<br />system32\trinf32.dll<br /><br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-4831931328243012307?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-84620977103610443282009-03-26T21:24:00.001+01:002009-03-26T21:24:48.949+01:00HaxFix version 5.0.72<span style="font-weight: bold;">Version 5.0.72</span><br /><span style="font-weight: bold;">2009 03 26</span><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Infection: Goldun</span><br />Detection updated for the variants that are using the appinit key.<br /><br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-8462097710361044328?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-66420104301885423522009-03-24T20:42:00.001+01:002009-03-24T20:43:22.823+01:00HaxFix version 5.0.71<span style="font-weight: bold;">Version 5.0.71</span><br /><span style="font-weight: bold;">2009 03 24</span><br /><br /><span style="color: rgb(255, 255, 51); font-weight: bold;">Infection: Goldun</span><br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\jstdrv<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\jscript<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\jscript.sys<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\jscript.sys<br /><br />Files:<br />system32\ak9.bin<br />system32\jscript.sys<br />system32\jstdrv.dll<br /><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Infection: Goldun</span><br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ipfwrd<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ipfwrd<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ipfwrd.sys<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ipfwrd.sys<br /><br />Files:<br />system32\ak9.bin<br />system32\ipfwrd.dll<br />system32\ipfwrd.sys<br /><br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-6642010430188542352?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-35787889041829569472009-03-22T17:18:00.000+01:002009-03-22T17:20:13.915+01:00HaxFix version 5.0.70<span style="font-weight: bold;">Version 5.0.70</span><br /><span style="font-weight: bold;">2009 03 22</span><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Infection: Goldun</span><br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\browser helper objects\{36DBC179-A19F-48F2-B16A-6A3E19B42A87}<br /><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Infection: Goldun</span><br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pptpr<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pptpr<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\pptpr.sys<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\pptpr.sys<br />Detection updated for the variants that are using the orphaned service registrykeys.<br /><br />Files:<br />system32\a9k.bin<br />system32\pptpr.dll<br />system32\pptpr.sys<br /><br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-3578788904182956947?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-35686022219624230862009-03-17T19:04:00.000+01:002009-03-17T19:05:12.812+01:00HaxFix version 5.0.69<span style="font-weight: bold;">Version 5.0.69</span><br /><span style="font-weight: bold;">2009 03 17</span><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Infection: Troj/Ambler</span><br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{013DFA9D-4A04-4907-B043-46BDE4B090E6}<br /><br />Files:<br />system32\al.txt<br />system32\dz1.txt<br />system32\mld<br />system32\p1.txt<br />system32\r24.txt<br />system32\sdd.txt<br />system32\utrmk.dll<br /><br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-3568602221962423086?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-69359172034449100162009-03-16T19:31:00.001+01:002009-03-16T19:33:11.778+01:00HaxFix version 5.0.68<span style="font-weight: bold;">Version 5.068<br />2009 03 16</span><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Infection: Goldun</span><br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\vmbox2<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vmbox2<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vmbox2.sys<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\vmbox2.sys<br /><br />Files:<br />system32\a9k.bin<br />system32\vmbox2.dll<br />system32\vmbox2.sys<br /><br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-6935917203444910016?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-73952420303679977322009-03-14T17:10:00.001+01:002009-03-17T19:05:54.139+01:00HaxFix version 5.0.67<span style="font-weight: bold;">Version 5.0.67</span><br /><span style="font-weight: bold;">2009 03 14</span><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 102);">Infection: Troj/Ambler</span><br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\684EE1DB-CD52-4ca9-9CCF-93D5F6B419BA<br /><br />File:<br />system32\kmsvc32.dll<br /><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Infection: Goldun:</span><br />Detection updated for the variants that are using the appinit key.<br /><br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-7395242030367997732?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-593431565789850522009-02-24T19:54:00.001+01:002009-02-24T19:56:36.077+01:00HaxFix version 5.0.66<span style="font-weight: bold;">Version 5.0.66</span><br /><span style="font-weight: bold;">2009 02 24</span><br /><br /><span style="color: rgb(255, 255, 51); font-weight: bold;">Infection: Goldun</span><br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\utsync<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\uvsync<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\uvsync.sys<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\uvsync.sys<br /><br />Files:<br />system32\a9k.bin<br />system32\hrpdcf.bin<br />system32\utsync.dll<br />system32\uvsync.sys<br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-59343156578985052?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-493482950150290422009-02-22T20:14:00.002+01:002009-02-22T20:16:52.102+01:00HaxFix version 5.0.65<span style="font-weight: bold;">Version 5.0.65<br />2009 02 22<br /></span><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Infection Goldun:</span><br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\i975gl<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mjva<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mjva.sys<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mjva.sys<br /><br />Files:<br />system32\a9k.bin<br />system32\i975gl.dll<br />system32\mjva.sys<br />system32\z98.bin<br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Infection Goldun:</span><br />Detection updated for the variants that are using the orphaned service registrykeys<br /><br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-49348295015029042?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-62414862850423200552009-02-16T20:40:00.002+01:002009-02-16T20:44:44.025+01:00HaxFix version 5.0.64<span style="font-weight: bold;">Version 5.0.64</span><br /><span style="font-weight: bold;">2009 02 16</span><br /><br /><span style="color: rgb(255, 255, 0); font-weight: bold;">Infection: Goldun</span><br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\eeekp<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\eeekp<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\eeekp.sys<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\eeekp.sys<br /><br />Files:<br />system32\a9k.bin<br />system32\eeekp.sll<br />system32\eeekp.sys<br />system32\wdh.bin<br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-6241486285042320055?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-88855534355985089382009-02-08T19:56:00.001+01:002009-02-08T19:59:57.331+01:00HaxFix version 5.0.63<span style="font-weight: bold;">Version 5.0.63</span><br /><span style="font-weight: bold;">2009 02 08</span><br /><br /><span style="color: rgb(255, 255, 51); font-weight: bold;">Infection: Troj/Ambler</span><br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CC2F638-99FF-45d2-97C7-E30E83CF04D2}<br /><br />Files:<br />system32\ak<br />system32\alog.txt<br />system32\bb1.dat<br />system32\cs.dat<br />system32\ps1.dat<br />system32\rc.dat<br />system32\tb.dr<br />system32\ipv6sp.dll<br /><br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-8885553435598508938?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-57879505071237704082009-02-06T23:24:00.003+01:002009-02-06T23:35:46.829+01:00Haxfix version 5.0.62<span style="font-weight: bold;">Version 5.0.62</span><br /><span style="font-weight: bold;">2009 02</span><br /><br /><span style="color: rgb(255, 255, 51); font-weight: bold;">Infection: Troj/Ambler</span><br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6607E676-1BDE-4cb3-9913-4DC5EBCAE35E}<br /><br />Files:<br />system32\alog.txt<br />system32\conf.dat<br />system32\cs.dat<br />system32\ps1.dat<br />system32\rc.dat<br />system32\unifff.dll<br /><br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-5787950507123770408?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-34243853086695996042009-02-05T20:44:00.000+01:002009-02-05T20:45:40.731+01:00Haxfix version 5.0.61<span style="font-weight: bold;">Version 5.0.61</span><br /><span style="font-weight: bold;">2009 02 05</span><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Infection: Goldun</span><br />O20 - Winlogon Notify: tomto - C:\WINDOWS\system32\tomto.dll<br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tomto<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tomto<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tomto.sys<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\tomto.sys<br /><br />Files:<br />system32\a9k.bin<br />system32\tomto.dll<br />system32\tomto.sys<br /><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Infection: Goldun</span><br />O20 - Winlogon Notify: iokey - C:\WINDOWS\system32\iokey.dll<br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\iokey<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\iokey<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\iokey.sys<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\iokey.sys<br /><br />Files:<br />system32\a9k.bin<br />system32\iokey.dll<br />system32\iokey.sys<br /><br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-3424385308669599604?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-27447224937550452762009-02-04T18:58:00.001+01:002009-02-04T19:00:10.406+01:00HaxFix version 5.0.60<span style="color: rgb(0, 0, 0); font-weight: bold;">Version 5.0.60</span><br /><span style="color: rgb(0, 0, 0); font-weight: bold;">2009 02 04</span><br /><br /><span style="color: rgb(255, 255, 51); font-weight: bold;">Infection: Goldun</span><br /><br />Detection updated for the variants that are using the orphaned service registrykeys and the appinit key.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-2744722493755045276?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-7780640795956455902009-01-21T12:12:00.004+01:002009-01-21T12:14:26.966+01:00Haxfix version 5.0.59<span style="font-weight: bold;">Verion 5.0.59</span><br /><span style="font-weight: bold;">2009 01 21</span><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Infection: Goldun</span><br /><br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rssync<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rdsync<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rdsync.sys<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rdsync.sys<br /><br />Files:<br />system32\a9k.bin<br />system32\hrpdcf.bin<br />system32\rdsync.sys<br />system32\rssync.dll<br /><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Infection: Banker Trojan</span><br /><br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6458C00E-EF7F-4f06-9E06-49EA923386FD}<br />HKEY_LOCAL_MACHINE\SOFTWARE\AmSoft<br /><br />File:<br />system32\kj32.dll<br /><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Infection: Trojan/Ambler</span><br /><br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{89F2C12A-027A-4de3-88F6-9F31A1C0F17C}<br /><br />Files:<br />system32\alog.txt<br />system32\bb1.dat<br />system32\cs.dat<br />system32\ps1.dat<br />system32\rc.dat<br />system32\rs<br />system32\tb.dr<br />system32\xlk.dll<br />system32\xwa.dll<br /><br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-778064079595645590?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-70751570266118290012009-01-18T15:48:00.000+01:002009-01-18T15:49:09.056+01:00Haxfix version 5.0.58<span style="font-weight: bold;">Version 5.0.58</span><br /><span style="font-weight: bold;">2009 01 18</span><br /><br />Scanning the whole drive for random used files, can take a while.<br />I added the possibility to use a quick scan to search for random used files in the most important windows folders.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-7075157026611829001?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-46023289348984593752009-01-14T18:45:00.001+01:002009-01-14T18:45:47.923+01:00Haxfix version 5.0.57<span style="font-weight: bold;">Version 5.057</span><br /><span style="font-weight: bold;">2009 01 14</span><br /><br /><span style="color: rgb(255, 255, 51); font-weight: bold;">Infection: Goldun</span><br /><br />Detection updated for the variants that are using the orphaned service registrykeys.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-4602328934898459375?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-57871852464881884922009-01-13T20:27:00.000+01:002009-01-13T20:28:07.483+01:00Haxfix version 5.0.56<span style="font-weight: bold;">Version 5.0.56</span><br /><span style="font-weight: bold;">2009 01 13</span><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Infection: Troj/Ambler</span><br /><br />O2 - BHO: Microsoft copyright - {4D88F653-4230-4af1-A6A3-54B8D3CD7DF4} - msfacat32.dll<br />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4D88F653-4230-4af1-A6A3-54B8D3CD7DF4}]<br /><br />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5EB96953-7D02-4594-AC15-F55FC9AACFCB}]<br />"StubPath"="rundll32 msfacat32.dll,InitModule"<br /><br />File:<br />system32\msfacat32.dll<br />system32\sft.res<br /><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Infection: Troj/Ambler</span><br /><br />O2 - BHO: Microsoft copyright - {085E2757-F41D-42d1-B4CC-9DADF7113BBC} - aj32.dll<br />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{085E2757-F41D-42d1-B4CC-9DADF7113BBC}]<br /><br />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{0EA88F0F-B698-4ab1-8DBC-EBE2CD00927F}]<br />"StubPath"="rundll32 aj32.dll,InitO"<br /><br />Files:<br />system32\aj32.dll<br />system32\alog.txt<br />system32\bb1.dat<br />system32\ps1.dat<br />system32\rc.dat<br />system32\lp<br />windows\inform.dat<br /><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Infection: Troj/Ambler</span><br /><br />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6825FAC3-D7D2-4045-97A2-87DF42CB6728}]<br />"StubPath"="rundll32 kcms.dll,InitO"<br /><br />File:<br />system32\kcms.dll<br /><br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-5787185246488188492?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-32852512303684974422009-01-12T19:24:00.001+01:002009-01-12T19:25:14.783+01:00Haxfix version 5.0.55<span style="font-weight: bold;">Version 5.0.55</span><br /><span style="font-weight: bold;">2009 01 12</span><br /><br /><span style="color: rgb(255, 255, 51); font-weight: bold;">Infection: Goldun</span><br /><br />O20 - Winlogon Notify: sbfxi - C:\WINDOWS\system32\sbfxi.dll<br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sbfxi<br /><br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\surrd<br /><br />[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\surrd.sys]<br />[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\surrd.sys]<br /><br />system32\a9k.bin<br />system32\sbfxi.dll<br />system32\surrd.sys<br /><br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-3285251230368497442?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-12514972732800037542009-01-10T22:20:00.001+01:002009-01-10T22:20:50.630+01:00Haxfix version 5.0.54<span style="font-weight: bold;">Version 5.0.54</span><br /><span style="font-weight: bold;">2009 01 10 </span><br /><br />Infection: Goldun<br />Detection added for other variants that use random orphaned service keys.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-1251497273280003754?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-72704684164823037712009-01-08T22:00:00.005+01:002009-01-12T19:33:11.225+01:00Haxfix version 5.0.53<span style="font-weight: bold;">Version 5.0.53</span><br /><span style="font-weight: bold;">2009 01 08</span><br /><br />Detection added for the ones using the orphaned driver keys.<br /><br />Sample from the logfiles.<br /><br />Logfile option 1:<br />…<br />checking for random used files and services<br />C:\WINDOWS\system32\1.tmp<br />C:\WINDOWS\system32\drivers\gmer.sys<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MEMSWEEP2<br />Imagepath REG_EXPAND_SZ \??\C:\WINDOWS\System32\1.tmp<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gmer<br />Imagepath REG_EXPAND_SZ System32\DRIVERS\gmer.sys<br />…[/quote]<br /><br />Logfile option 2:<br /><br />…<br />--- checking for random used files and services ---<br />these files and services will not be deleted by HaxFix<br />C:\WINDOWS\system32\1.tmp<br />C:\WINDOWS\system32\drivers\gmer.sys<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MEMSWEEP2<br />Imagepath REG_EXPAND_SZ \??\C:\WINDOWS\System32\1.tmp<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gmer<br />Imagepath REG_EXPAND_SZ System32\DRIVERS\gmer.sys<br />…<br /><br />Haxfix will not delete these services and files.<br />If you want to remove them, use SC DELETE <servicename>, reboot the computer and delete the file(s).<br /><br />These are samples from a logfile. In this case the infection was using the legit service gmer and the legit filename gmer.sys. (Gmer is a legit program, a rootkitscanner.)<br />The other service used by this infection is memsweep2. Not necessarily a bad service, but here used by the infection.<br /><br /></servicename><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-7270468416482303771?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-57165816747880239402008-12-29T18:36:00.002+01:002008-12-29T18:37:50.122+01:00Haxfix version 5.0.52<span style="font-weight: bold;">Version 5.0.52</span><br /><span style="font-weight: bold;">2008 12 29</span><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Infection: Trojan Nethell</span><br /><br />O2 - BHO: Gamburg provider - {59D94AAD-0A67-417e-969B-8311296E8364} - condw32.dll<br />O2 - BHO: Gamburg provider - {59D94AAD-0A67-417e-969B-8311296E8364} - contrld.dll<br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{59D94AAD-0A67-417e-969B-8311296E8364}<br /><br />Files:<br />system32\alog.txt<br />system32\condw32.dll<br />system32\contrld.dll<br />system32\msft.txt<br />system32\ps1.dat<br />system32\rc.dat<br /><br /><br /><span style="color: rgb(255, 255, 51); font-weight: bold;">Infection: Goldun</span><br /><br />O20 - Winlogon Notify: swapdm - C:\WINDOWS\system32\swapdm.dll<br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\swapdm<br /><br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\swapm<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\swapm.sys<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\swapm.sys<br /><br />Files:<br />system32\k86.bin<br />system32\swapdm.dll<br />system32\swapm.sys<br /><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Other related files:</span><br />system32\vkj.bin<br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-5716581674788023940?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-31882277574868297202008-12-28T10:30:00.003+01:002009-01-02T22:13:57.101+01:00Haxfix version 5.0.51<span style="font-weight: bold;">Version 5.0.51</span><br /><span style="font-weight: bold;">2008 12 </span><span style="font-weight: bold;">28</span><br /><br /><span style="color: rgb(255, 255, 51); font-weight: bold;">Infection: TrojanSpy:Win32/Ambler.D - Trojan Nethell</span><br /><br />O2 - BHO: Microsoft copyright - {0DDD155F-B89C-4f34-90F0-53D7BD21A37C} - mscont32.dll<br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0DDD155F-B89C-4f34-90F0-53D7BD21A37C}<br /><br />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5EB96953-7D02-4594-AC15-F55FC9AACFCB}]<br />"StubPath"= "rundll32 mscont32.dll,InitModule"<br /><br />Files:<br />system32\mscont32.dll<br />system32\sft.res<br /><br /><br /><span style="color: rgb(255, 255, 51); font-weight: bold;">Infection: Troj/Ambler-G</span><br /><br />O2 - BHO: Microsoft copyright - {32C620D6-CC10-4e6a-9715-BACACD5B0E61} - sxmg4.dll<br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{32C620D6-CC10-4e6a-9715-BACACD5B0E61}<br /><br />O21 - SSODL: WebProxy - {A744F16C-B2D5-4138-81A2-085CDFCDE83A} - sxmg4.dll<br />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]<br />"WebProxy"="{A744F16C-B2D5-4138-81A2-085CDFCDE83A}"<br /><br />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{A744F16C-B2D5-4138-81A2-085CDFCDE83A}]<br />"StubPath"="rundll32 sxmg4.dll,InitModule"<br /><br />Files:<br />system32\lt.res<br />system32\sft.res<br />system32\sn.txt<br />system32\sxmg4.dll<br /><br /><br /><span style="color: rgb(255, 255, 51); font-weight: bold;">Infection: Troj/Ambler-G</span><br /><br />O2 - BHO: Microsoft copyright - {FFFFFFFF-BBBB-4146-86FD-A722E8AB3489} - sockins32.dll<br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFFFFFFF-BBBB-4146-86FD-A722E8AB3489}<br /><br />O21 - SSODL: WebProxy - {66186F05-BBBB-4a39-864F-72D84615C679} - sockins32.dll<br />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]<br />"WebProxy"="{66186F05-BBBB-4a39-864F-72D84615C679}"<br /><br />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{66186F05-BBBB-4a39-864F-72D84615C679}]<br />"StubPath"="rundll32 sockins32.dll,InitModule"<br /><br />Files:<br />system32\lt.res<br />system32\sft.res<br />system32\sn.txt<br />system32\sockins32.dll<br /><br /><br /><br /><span style="color: rgb(255, 255, 51); font-weight: bold;">Infection: SpyBanker - Trojan Nethell</span><br /><br />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{01BE3276-1420-45b5-9762-172C5C184EB7}]<br />"StubPath"= "rundll32 svchstb.dll,InitO<br /><br />File:<br />system32\svchstb.dll<br /><br /><br /><span style="color: rgb(255, 255, 51); font-weight: bold;">Infection: Spybanker - Trojan Nethell</span><br /><br />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{67525E1B-5B8E-41d4-AFCC-03CC04F141FA}]<br />"StubPath"="rundll32 rbsgam.dll,InitO"<br /><br />Files:<br />system32\log.txt<br />system32\bb1.dat<br />system32\kaxs.dat<br />system32\ps1.dat<br />system32\rbsgam.dll<br />system32\rc.dat<br />%Windir%\inform.dat<br /><br /><span style="color: rgb(255, 255, 51); font-weight: bold;"><br />Other files:</span><br />system32\kaxs.dat<br />system32\Spool\hpprintqueue.exe<br /><br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-3188227757486829720?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-65512069051554372412008-12-27T13:01:00.004+01:002008-12-27T15:27:53.316+01:00Haxfix version 5.0.50<span style="color: rgb(0, 0, 0); font-weight: bold;">Version 5.0.50</span><br /><span style="color: rgb(0, 0, 0); font-weight: bold;">2008 12 27</span><br /><br /><span style="color: rgb(255, 255, 51); font-weight: bold;">Infection: Goldun</span><br /><br />O20 - Winlogon Notify: modzlib - C:\WINDOWS\system32\modzlib.dll<br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\modzlib<br /><br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\gzvba.sys<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\gzvba.sys<br /><br />Files:<br />system32\modzlib.dll<br />system32\gzvba.sys<br /><br /><br /><span style="color: rgb(255, 255, 51); font-weight: bold;">Infection: Trojan-Downloader.Win32.BHO.aej - TrojanSpy:Win32/Ambler.D - Trojan-Dropper.Win32.Ambler</span><br /><br />O2 - BHO: Google plugin - {18CACF0E-72A4-4be1-AA42-DC2ECDB197F1} - C:\WINDOWS\system32\kcms.dll<br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18CACF0E-72A4-4be1-AA42-DC2ECDB197F1}<br /><br />Files:<br />system32\alog.txt<br />system32\bb1.dat<br />system32\kcms.dll<br />system32\mx<br />system32\ps1.dat<br />system32\rc.dat<br /><br /><br /><span style="color: rgb(255, 255, 51); font-weight: bold;">Infection: Virus.Neshta - Trojan-Banker.Win32.Banker.ghd - TSPY_BANKER.LJU TrojanSpy:Win32/Ambler.A - Trojan-Spy.Win32.Banker </span><br /><br />Files:<br />system32\accs.txt<br />system32\cookie.dat<br />system32\ps.dat<br /><br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-6551206905155437241?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-65322614694044260782008-12-26T11:00:00.004+01:002008-12-27T13:06:21.496+01:00Haxfix version 5.0.49<span style="font-weight: bold;">Version 5.0.49</span><br /><span style="font-weight: bold;">2008 12 26</span><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Infection: Goldun</span><br /><br />O20 - Winlogon Notify: syncps - C:\WINDOWS\system32\syncps.dll<br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\syncps<br /><br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\syncmc<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\syncmc.sys<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\syncmc.sys<br /><br />Files:<br />system32\syncmc.sys<br />system32\syncps.dll<br /><br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-6532261469404426078?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-7192711853122369132008-12-24T14:44:00.002+01:002008-12-27T13:07:15.227+01:00Haxfix version 5.0.48<span style="font-weight: bold;">Version 5.0.48</span><br /><span style="font-weight: bold;">2008 12 24</span><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Infection: Goldun</span><br /><br />Updated the appinit detection.<br /><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Infection: Spy.Banker - TrojanSpy:Win32/Ambler.D</span><br /><br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{63845B64-69B6-4b9a-9461-C59B2AFDC0A9}<br /><br />File:<br />system32\vgf32.dll<br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-719271185312236913?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-69402561642093672232008-12-23T20:43:00.004+01:002008-12-27T13:08:02.507+01:00Haxfix version 5.0.47<span style="font-weight: bold;">Version 5.0.47</span><br /><span style="font-weight: bold;">2008 12 23</span><br /><br /><span style="color: rgb(255, 255, 51); font-weight: bold;">Infection: Goldun</span><br /><br />Updated the appinit detection.<br /><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Infection: Spy.Banker - TrojanSpy:Win32/Ambler.D</span><br /><br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F6E0EF5F-5F03-43f9-8E02-BBAAA95EAA9C}<br /><br />File:<br />system32\nods32.dll<br /><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Infection: Goldun</span><br /><br />O20 - Winlogon Notify: modgzip - C:\WINDOWS\system32\modgzip.dll<br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\modgzip\modgzip<br /><br />File:<br />system32\modgzip.dll<br /><br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-6940256164209367223?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-30126041605394853582008-12-20T15:45:00.001+01:002008-12-27T13:09:37.134+01:00Haxfix version 5.0.46<span style="font-weight: bold;">Version 5.0.46</span><br /><span style="font-weight: bold;">2008 12 20</span><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Infection: Goldun</span><br /><br />O20 - Winlogon Notify: snjava - C:\WINDOWS\system32\snjava.dll<br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\snjava<br /><br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\java2.sys<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\java2.sys<br /><br />Files:<br />system32\snjava.dll<br />system32\java2.sys<br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-3012604160539485358?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-68851585572819984652008-12-19T22:34:00.002+01:002008-12-27T13:09:56.166+01:00Haxfix version 5.0.45<span style="font-weight: bold;">Version 5.0.45</span><br /><span style="font-weight: bold;">2008 12 19</span><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Infection: Goldun</span><br /><br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\gzvba.sys<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\gzvba.sys<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gzvba<br /><br />File:<br />system32\gzvba.sys<br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-6885158557281998465?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-88536323977331678472008-12-18T19:10:00.003+01:002008-12-27T13:10:15.567+01:00Haxfix version 5.0.44<span style="font-weight: bold;">Version 5.0.44</span><br /><span style="font-weight: bold;">2008 12 18</span><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Infection: Goldun</span><br /><br />O20 - Winlogon Notify: xliftm - C:\WINDOWS\system32\xliftm.dll<br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xliftm<br /><br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\xlift.sys<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\xlift.sys<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xlift<br /><br />system32\cardb.dat<br />system32\xlift.sys<br />system32\xliftm.dll<br /><br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-8853632397733167847?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-51459058193014352762008-11-30T08:51:00.004+01:002008-12-27T13:11:15.664+01:00Haxfix version 5.0.43<span style="font-weight: bold;">Version 5.0.43</span><br /><span style="font-weight: bold;">2008 11 30</span><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Infection: Goldun</span><br /><br />O20 - Winlogon Notify: mckwave - C:\WINDOWS\system32\mckwave.dll<br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mckwave<br /><br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kwave<br /><br />HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\kwave.sys<br />HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\kwave.sys<br /><br />Files:<br />system32\mckwave.dll<br />system32\kwave.sys<br />system32\drivers\mrxdavv.sys<br /><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Infection: Haxdoor</span><br /><br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sksdrvr2<br /><br />File:<br />system32\sksdrvr2.sys<br /><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Infection: Goldun</span><br /><br />O20 - Winlogon Notify: wrapkm - C:\WINDOWS\system32\wrapkm.dll<br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wrapkm<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wrapk<br /><br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wrapk.sys<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\wrapk.sys<br /><br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run<br />"advap32"=""%Temp%\load2.exe" /r"<br /><br />Files:<br />system32\wrapkm.dll<br />system32\wrapk.sys<br />windows\wiaserviv.log<br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Infection: Goldun</span><br /><br />O20 - Winlogon Notify: sbrige - C:\WINDOWS\system32\sbrige.dll<br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sbrige<br /><br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sbunit.sys<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\sbunit.sys<br /><br />HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sbunit<br /><br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run<br />"rs32net"="%System%\rs32net.exe"<br /><br /><br />Files:<br />system32\rs32net.exe<br />system32\sbrige.dll<br />system32\sbunit.sys<br /><br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-5145905819301435276?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-67545577504789986182008-11-29T19:25:00.003+01:002008-11-30T08:54:48.568+01:00Haxfix downI removed haxfix this afternoon from my site and from bleeping, because the tool can not delete some of the latest goldun and haxdoor variants.<br /><br />I found a solution, and the tool will be available again soon<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-6754557750478998618?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-67223965053700599282008-11-24T19:19:00.001+01:002008-11-24T19:19:59.986+01:00Haxfix version 5.0.42Version 5.0.42<br />2008 11 24<br />Infection: Haxdoor<br /><br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run<br />"Microsoft Update" = "system.exe"<br /><br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices<br />"Microsoft Update" = "system.exe"<br /><br />HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run<br />"Microsoft Update" = "system.exe"<br /><br />File:<br />system32/system.exe<br /><br /><br />Infection: SpyBanker - Trojan Nethell<br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ABADC07C-9990-405a-AA24-2C209B50AE79}<br /><br />File:<br />system32/svchstb.dll<br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-6722396505370059928?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-63325334756573616002008-11-21T15:17:00.000+01:002008-11-21T15:18:09.483+01:00Haxfix version 5.0.41Version 5.0.41<br />2008 11 21<br /><br />Added the file mmsystem.dll to the whitelist.<br />It wil not be detected anymore as a "possible infected file".<br /><br /><br />Infection: Goldun<br /><br />O20 - Winlogon Notify: priarsz - C:\WINDOWS\SYSTEM32\priarsz.dll<br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\priarsz<br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-6332533475657361600?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-55851188205812996552008-11-17T19:23:00.002+01:002008-11-17T19:26:19.495+01:00Haxfix version 5.0.40Version 5.0.40<br />2008 11 17<br /><br />Infection: SpyBanker - Trojan Nethell<br /><br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2FDA60DF-6D94-4f16-A48C-3C4EC57FEF58}<br /><br />File:<br />system32\nokia32.dll<br /><br /><br />Infection: Spy.Banker - Infostealer.Bancos<br /><br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{890C7964-9320-4055-BE11-7D7B562A6417}<br /><br />Files:<br />system32\mstrans.dll<br />system32\mstrans1.dll<br /><br /><br />Infection: Goldun<br />O20 - Winlogon Notify: netwrp - C:\WINDOWS\SYSTEM32\netwrp.dll<br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\netwrp<br /><br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netwp<br /><br />Files:<br />system32\netwrp.dll<br />system32\netwp.sys<br />system32\a9k.bin<br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-5585118820581299655?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-63078232895049059372008-11-12T22:06:00.000+01:002008-11-12T22:07:29.326+01:00Haxfix version 5.0.39Version 5.0.39<br />2008 11 12<br /><br />Infection: SpyBanker - Trojan Nethell<br /><br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E8FD36B2-A25B-47e3-9477-82557F5F5995}<br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ECBA18CA-FF22-464c-A963-70BEC79D2485}<br /><br />Files:<br />system32\cukert.dll<br />system32\masyan.dll<br />system32\savec32.dll<br /><br /><br /><br />Infection: SpyBanker<br /><br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{60FD4F58-4748-48f6-B661-5FCE71B0D907}<br /><br />File:<br />system32\torm.dll<br />system32\torm1.dll<br /><br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-6307823289504905937?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-31123802508783154852008-11-12T19:50:00.002+01:002008-11-12T19:53:53.762+01:00Haxfix version 5.0.38Version 5.0.38<br />2008 11 12<br /><br />Infection: Haxdoor<br /><br />O20 - Winlogon Notify: mt49hub - C:\WINDOWS\SYSTEM32\mt49hub.dll<br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mt49hub<br /><br />HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msvtch<br />"ImagePath" = "system32\msvtch.sys"<br />"DisplayName" = "Kernel Mode SND msvtcher"<br /><br />HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\msvtch.sys<br />HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\msvtch.sys<br /><br /><br />Files:<br />system32\adrnln.bin <br />system32\mt49hub.dll<br />system32\msvtch.sys<br /><br /><br /><br />Infection: SpyBanker<br /><br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{850C7964-9320-4055-BE11-7D7B562A6417}<br /><br /><br />Files:<br />system32\Helper.dll <br />system32\Helper1.dll <br />system32\mstrans.dll<br /><br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-3112380250878315485?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-37655303130244420122008-11-11T13:40:00.001+01:002008-11-11T13:42:23.829+01:00Haxfix version 5.0.37Version 5.0.37<br />2008 11 11<br /><br />Infection: Haxdoor<br /><br />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\status]<br /><br />[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tage32]<br />"ImagePath" = "system32\tage32.sys"<br />"DisplayName = "NGate service"<br /><br />Files:<br />system32\mprexe.exe<br />system32\snowx.ini <br />system32\status.dll<br />system32\tage32.sys <br />Windows\svchost32.exe<br /><br /><br />Infection: SpyBanker - Trojan Nethell<br /><br />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{68DF1496-983B-9ED5-03A6-F78E3267FB52}]<br /><br />Files: <br />system32\gh.dat <br />system32\nokia32.dll<br />system32\symdb32.dll<br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-3765530313024442012?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-32571361911648825492008-11-09T14:52:00.003+01:002008-11-11T13:43:18.038+01:00Haxfix version 5.0.36Version 5.0.36<br />2008 11 09<br /><br />Infection: Goldun<br /><br />Added a new variant that is using the appinit key to load.<br />Filename is semi-random.<br /><br />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]<br />"AppInit_DLLs" = "%System%\mms******.dll"<br /><br />Files:<br />%System%\DefaultColor.info<br />%System%\mms******.dll<br /><br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-3257136191164882549?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-50688801687344004812008-11-05T18:21:00.001+01:002008-11-05T18:23:05.433+01:00Haxfix Version 5.0.35Version 5.0.35<br />2008 11 05<br /><br />Infection: Spybanker - Trojan Nethell<br /><br />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5BEEFD1C-446F-48a7-A7C7-C8E5986A9760}]<br /><br />File:<br />system32\rbsgam.dll<br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-5068880168734400481?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-70842564370604977862008-11-02T18:53:00.000+01:002008-11-02T18:54:11.534+01:00Haxfix Version 5.0.34Version 5.0.34<br />2008 11 02<br /><br />Infection: Goldun.<br /><br />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ctlsys]<br />[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mmctl]<br /><br />Files:<br />system32\ctlsys.dll<br />system32\mmctl.sys <br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-7084256437060497786?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-15960031405153102672008-11-01T09:40:00.002+01:002008-11-01T09:45:45.930+01:00Haxfix version 5.0.33Version 5.0.33<br />2008 11 01<br /><br />Infection Haxdoor / Goldun.<br /><br />O20 - Winlogon Notify: kryostm - C:\Windows\System32\kryostm.dll<br />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\kryostm]<br />[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\kryo2.sys]<br />[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\kryo2.sys]<br />[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kryo2]<br />"DisplayName" = "CPU FUN Controller"<br /><br /><br />Files:<br />system32\kryostm.dll<br />system32\kryo2.sys<br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-1596003140515310267?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-19218939628249709242008-10-31T20:25:00.001+01:002008-11-01T09:29:40.450+01:00Haxfix Version 5.0.32Version 5.0.32<br />2008 10 31<br /><br />Infection Goldun.<br /><br />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mdhash]<br />[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mdhsh]<br />[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mdhsh.sys]<br />[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mdhsh.sys]<br /><br />Files:<br />system32\mdhash.dll<br />system32\mdhsh.sys<br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-1921893962824970924?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-74138475928950336412008-10-26T16:39:00.001+01:002008-10-26T16:45:44.555+01:00Haxfix version 5.0.31Version 5.0.31:<br />2008 10 26<br /><br />Infection: Goldun.<br /><br />O21 - SSODL: oledll - {12345B67-1234-1234-D123-7F84D123BC7D} - C:\WINDOWS\System32\wmldap.dll<br /><br />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]<br />"oledll" = "{12345B67-1234-1234-D123-7F84D123BC7D}"<br /><br />File:<br />System32\wmldap.dll<br /><br /><br />Infection: Goldun.<br /><br />O18 - Filter hijack: text/html - {DC186800-657F-11D4-B0B5-0050BABFC904} - C:\WINDOWS\system32\urikon.dll<br />O18 - Filter: text/plain - {DC186800-657F-11D4-B0B5-0050BABFC904} - C:\WINDOWS\system32\urikon.dll<br /><br />O18 - Filter hijack: text/html - {DC186800-657F-11D4-B0B5-0050BABFC904} - C:\WINDOWS\system32\urinon.dll<br />O18 - Filter: text/plain - {DC186800-657F-11D4-B0B5-0050BABFC904} - C:\WINDOWS\system32\urinon.dll<br /><br />O18 - Filter hijack: text/html - {DC186800-657F-11D4-B0B5-0050BABFC904} - C:\WINDOWS\system32\ursnon.dll<br />O18 - Filter: text/plain - {DC186800-657F-11D4-B0B5-0050BABFC904} - C:\WINDOWS\system32\ursnon.dll<br /><br />O18 - Filter hijack: text/html - {DC186800-657F-11D4-B0B5-0050BABFC904} - C:\WINDOWS\system32\urunon.dll<br />O18 - Filter: text/plain - {DC186800-657F-11D4-B0B5-0050BABFC904} - C:\WINDOWS\system32\urunon.dll<br /><br />O18 - Filter hijack: text/html - {DC186800-657F-11D4-B0B5-0050BABFC904} - C:\WINDOWS\system32\urwnon.dll<br />O18 - Filter: text/plain - {DC186800-657F-11D4-B0B5-0050BABFC904} - C:\WINDOWS\system32\urwnon.dll<br /><br />[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/html]<br />"CLSID = "{DC186800-657F-11D4-B0B5-0050BABFC904}"<br />[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Filter\text/plain]<br />"CLSID" = "{DC186800-657F-11D4-B0B5-0050BABFC904}"<br /><br />[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DC186800-657F-11D4-B0B5-0050BABFC904}]<br /><br />Files:<br />urikon.dll<br />urinon.dll<br />ursnon.dll<br />urunon.dll<br />urwnon.dll<br /><br /><br />Infection: Goldun.<br /><br />scrcki32.dll<br /><br />If scrcki32.dll or scrcwi32.dll is present in the system32 folder, the default path for this registrykey will be modified:<br />[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]<br /><br />HaxFix will restore the default value: %systemroot%\system32\shell32.dll<br /><br /><br />Other related files:<br />%System%\spool\c.ini <br />%System%\spool\desktops.ini <br />%System%\spool\dr.ini<br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-7413847592895033641?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-28485681831528165092008-10-24T19:56:00.003+02:002008-11-01T09:30:09.303+01:00Haxfix Version 5.0.30Version 5.0.30<br /><br />Infection: Spybanker - Trojan.Nethell<br /><br />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EF99D588-3D5F-4194-828A-E03870A57A77}]<br /><br />system32\gcomd32.dll<br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-2848568183152816509?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-67580189684810681212008-10-24T19:11:00.005+02:002008-11-01T09:30:30.453+01:00Haxfix Version 5.0.29Version 5.0.29<br />2008 10 24<br /><br />Infection Goldun.<br /><br />O2 - BHO: (no name) - {7ACB5731-5839-13AB-EABC-124791194525} - C:\WINDOWS\ system32\msindeo.dll<br />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7ACB5731-5839-13AB-EABC-124791194525}]<br /><br />O21 - SSODL: msindeo.dll - {7ACB5731-5839-13AB-EABC-124791194525} - C:\WINDOWS\ system32\msindeo.dll<br />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]<br />"msindeo.dll" = "{7ACB5731-5839-13AB-EABC-124791194525}"<br /><br />File:<br />system32\msindeo.dll<br /><br /><br />Infection Haxdoor / Goldun.<br /><br />O20 - Winlogon Notify: acpiz - C:\WINDOWS\SYSTEM32\acpiz.dll<br />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\acpiz]<br />O20 - Winlogon Notify: hpstp - C:\WINDOWS\SYSTEM32\hpstp.dll<br />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hpstp]<br /><br />[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\acup]<br />[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmram]<br /><br />Files:<br />system32\acpiz.dll<br />system32\acup.sys<br />system32\dmram.sys<br />system32\hpstp.dll<br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-6758018968481068121?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-39630724216070553942008-10-17T16:58:00.004+02:002008-11-01T09:30:44.372+01:00Haxfix Version 5.0.28Version 5.0.28<br />2008 10 17<br /><br />Infection: Goldun<br /><br />[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\netprp]<br /><br />%System%\netprp.dll 23724 bytes<br />%System%\netrp.sys 8512 bytes<br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-3963072421607055394?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-26857540706710240162008-10-14T19:36:00.004+02:002008-11-01T09:31:02.364+01:00Haxfix Version 5.0.27Version 5.0.27<br />2008 10 14<br /><br />Infection: SpyBanker<br /><br />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2DB59DF5-544D-4A1C-8A74-1FD054950140}]<br /><br />%System%\ipv6monl.dll<br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-2685754070671024016?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-31380905288932122142008-10-12T20:39:00.005+02:002008-11-08T13:18:57.343+01:00Haxfix instructions - updatedThis article is an update for <a href="http://marcvn.blogspot.com/2008/03/haxfix.html">this</a> one.<br /><br /><br /><span style="font-weight:bold;">Download</span><br />You can download haxfix from <a href="http://users.telenet.be/marcvn/tools/haxfix.exe">my site</a>, or from <a href="http://download.bleepingcomputer.com/marckie/haxfix.exe">Bleeping computer</a>. <br />On both sites you will find always an updated version of the tool.<br /><br /><span style="font-weight:bold;">How to use?</span><br />Download haxfix.exe and save it to your desktop.<br />Double click on haxfix.exe to run it.<br />A red "dos window" (dos box) will open with this options:<br />· 1. Make logfile<br />· E. Exit Haxfix<br /><br />After running option 1, you will get a new menu with all options:<br />· 1. Make logfile<br />· 2. Run auto fix<br />· 3. Run manual fix<br />· 4. Run unknow fix<br />· U. Uninstall Hafix<br />· E. Exit Haxfix<br /><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Option 1. Make logfile.</span><span style="color: rgb(255, 255, 51);">.</span><br />When you use haxfix, always make a logfile first.<br />The logfile is showing all services, safeboot services and notify keys, that are matching with the current haxdoor/goldun variants.<br />Haxfix checks for known SSDOL keys related to Goldun.<br />Haxfix checks for known Browser Helper Objects (BHO) related to Goldun of SpyBanker infections.<br />Haxfix checks if iexplore.exe is infected with a (known) goldunvariant. If so, it looks for a clean alternative in the dllcache or the tempfolder.<br />Haxfix checks for known goldunvariants that use the appinit key to load. These filenames are randome. Haxfix checks the MD5 checksum.<br />Haxfix checks for a lot of related haxdoor and goldunfiles. If present haxfix will list them in the logfile. If the file is rootkitfile, haxfix will mark the file as a rootkitfile.<br />Catchme.exe has been integrated in haxfix since version 4.43. <br />The logfile produced by Catchme, will be analysed by haxfix for matching haxdoor- or goldunvariants.<br />The logfile made by option 1, shows you if a known infection is present on you computer.<br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Option 2. Run autofix.</span><span style="color: rgb(255, 255, 51);">.</span><br />Option 2 deletes all haxdoor-notify keys that are found when one, or more then one, matching service/safeboot service is present.<br />You can use option 2 if the notify keys that are found, are related to haxdoor or goldun.<br />- If there is a notify key (xxxx) and the letters xxxx are found between the matching services or matching safebootservices, haxfix deletes them<br />- If there is an unknown notify key or a legit notify key (xxxx) in the logfile, and there are no matching services/safeboot services (xxxx), haxfix will not delete the keys<br />- If there is an unknown notify key or a legit notify key in the haxdoor-logfile and a matching service, don't run option 2 (auto fix) but use the manual fix (option 3) to add the key(s) manually.<br />- All known goldunvariants will be deleted with option 2.<br />- All known SpyBankervariants will be deleted with option 2.<br />- If ieplore.exe is infected, haxfix can fix this without a reboot.<br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Option 3. Run manual fix.</span><span style="color: rgb(255, 255, 51);">.</span><br />This gives you the possibilty to add one, or if necessary more then one haxdoor key.<br />When you start option 3, you 'll get a message:<br />echo Insert the haxdoorkey,<br />and then press Enter:<br />Insert the haxdoorkey without the numbers. (Ex: avpe, xtpt, fuxx,...)<br />When this is a valid choice (there is a check for the services/safeboot services), the key will be added to delete.<br />Next you have the possibilty to add a new key: Yes (press Y) or No (press N)<br />When do we use option 3?<br />Use option 3 if there are:<br />- unknown or legit notify keys with related services in the haxlog.txt file.<br />- no notify keys are found, but there are haxdoor related services / safeboot services. (be careful, don't add legit ones, because after reboot they are all gone.)<br />If you use option 3 to delete a haxdoorvariant, and one or more goldun- or SpyBankervariants are present too, all infections will be deleted.<br /><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Option 4. Run unknown fix.</span><span style="color: rgb(255, 255, 51);">.</span><br />The logfile produced by Catchme will be analysed by haxfix for hax- or goldunvariants.<br />If a match is found, you can delete them by using option 4 - remove unknown.<br />(this only works with the variants that uses notify and services regkeys.)<br />Variants that are not recognized by haxfix, but are detected by catchme, can now be deleted with haxfix.<br /><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Option U. Uninstall Haxfix.</span><span style="color: rgb(255, 255, 51);">.</span><br />This will remove all files and folders produced by haxfix.<br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Option E. Exit Haxfix.</span><span style="color: rgb(255, 255, 51);">.</span><br />Use option E to shut down haxfix.<br /><br /><br /><span style="font-weight:bold;">A few remarks</span><br />If you see this in the logfile: registrysettings failed , use this command: <span style="font-style:italic;">%systemdrive%\haxfix.exe /reset</span><br />If you don't get the logfile after reboot, use this command: <span style="font-style:italic;">%systemdrive%\haxfix.exe /after</span><br /><br />More information about the tool you can find on <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">my website</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-3138090528893212214?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-64529852723156238152008-10-12T11:38:00.002+02:002008-11-01T09:31:27.292+01:00Haxfix Version 5.0.26Version 5.0.26<br />2008 10 12<br /><br />Added detection for these Spy.Bankers: <br /><br />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2DB59DF5-544D-4A1C-8A74-1FD054950140}]<br />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D471CEA2-EDEC-4184-BE2E-574DD655DD2D}]<br />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7A4C0C8-2BFF-4241-9E8C-92E10245EC28}]<br />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{68D5BBF9-EED5-4125-B227-55F81540BF4D}]<br />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C8A3B994-E27A-42f5-A053-C63799E621FB}]<br />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3AAB6591-87DD-424b-AFF2-4685EBF6A5EF}]<br />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{47D92EB6-E52C-4cda-92A6-2369963F4913}]<br />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{33161E98-0A6C-4d3c-BD62-3A7D56137F52}]<br />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D21D9540-6415-4288-BDD0-4453088D9D38}]<br />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4C579E8B-92F1-44d1-9444-66A4355E9386}]<br />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{930247B4-16BE-48d2-87DD-86D7FB314639}]<br />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FF37362D-4088-4c36-AEF1-C167F9CD3DAD}]<br />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B9249083-6055-476c-A69D-13E110BFEA91}]<br />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{85911752-BC96-4fff-9121-6EB9D8F438E1}]<br />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7FED228E-A6F7-49aa-A0BC-76E0A67C53BB}]<br />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00EBB3B3-DEAD-4440-B1F8-B09DDDB89EF3}]<br />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9916AF04-5F23-4ae8-A2B1-1C4FF50B2A51}]<br />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D9A7B3B6-1F8A-4cf9-A20C-BDF427DBDB4A}]<br />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFFFFFFF-B432-46fc-9143-B82B832B1B14}]<br />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{096059FD-99AB-41eb-9E55-59AEB0A3B444}]<br />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFFFFFFF-DAD2-4a4c-848D-2CBFC6F0FD21}]<br />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFFFFFFF-D71D-41e4-A699-F506DBD097F0}]<br />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFFFFFFF-08DF-483c-BD3A-99CBCF44E4DC}]<br />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFFFFFFF-85A3-452b-B7A8-759AD9B42162}]<br />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0DE68A8A-8158-4bde-8F5F-849F00AF31FB}]<br />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FFFFFFFF-8F0D-4322-B01F-B42439E0B71C}]<br />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B87D203B-B43D-4af9-9E1B-9C20478CBB74}]<br />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{21D7135F-AEE9-45e7-A0C1-791A4654BFF1}]<br /><br /><br />alivefor.dll<br />alog.txt<br />bagetionwll.dll<br />bb1.dat<br />bodrowis.dll<br />bsn32.dll<br />bsndcom.dll<br />btaskv.dll<br />bulgan.dll<br />comd32.dll<br />conf.dat<br />cookie1.dat<br />cs.dat<br />csm.txt<br />dcrick.dll<br />dna32v1.dll<br />drweb32.dll<br />duis.txt<br />es.dat<br />gwin32.dll<br />haskel32.dll<br />hnew32.dll <br />hyperconn.dll<br />hyperser.dll<br />IEBHO.dll<br />IEBHO0B.dll<br />IEBHO23.dll<br />ieguard.dll<br />interns32.dll<br />jetaccss.dll<br />jkcom32.dll<br />jzcom32.dll<br />kd.txt<br />knmld.dll<br />ktaskr.dll<br />lbbd32.dll<br />lbcd64.dll<br />mac.dll<br />mac1.dll<br />macaaq.dll<br />mcac.dll<br />msindc.dll<br />mvx.dat<br />nod32.dll<br />nortn32.dll<br />paruisd.dll<br />pidfenon.dll<br />pns32.dll<br />ppret2.dll<br />roadmap16.dll<br />ritz8.dll<br />rozmchild.dll<br />sac32.dll<br />siemens32.dll<br />simcard1.dll<br />sincim32.dll<br />sklh.dat<br />skrb32.dll<br />smb32.dll<br />sndcom.dll<br />strike12.dll<br />strike45.dll<br />svc32.dll<br />swin32.dll<br />tb.dr<br />tconn1.dll<br />tkcom32.dll<br />tlove2.dll<br />xd.txt<br />xmd.dat<br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-6452985272315623815?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-25473724484878506342008-10-09T16:32:00.006+02:002008-11-01T09:31:42.852+01:00Haxfix Version 5.0.25Version 5.0.25<br />2008 10 09<br /><br />Infection: Haxdoor - Infostealer<br /><br />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\oedes]<br />system32\oedes.dll <br />system32\kedes.sys<br />system32\dadr.dat<br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-2547372448487850634?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-11218539069673003792008-10-05T19:20:00.005+02:002008-11-01T09:32:01.773+01:00Haxfix Version 5.0.24Version 5.0.24<br />2008 10 05<br /><br />Infection: Goldun<br /><br />[HKEY_LOCAL_MACHINESOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mt47hub]<br />[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svitch]<br />mt47hub.dll<br />svitch.sys<br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-1121853906967300379?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-43807226868808308002008-10-03T19:33:00.003+02:002008-11-01T09:32:29.465+01:00Haxfix Version 5.0.23Version 5.023<br />2008 10 03<br /><br />Infection: Goldun<br /><br />Added detection for a new kind of files, using the Appinitkey.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-4380722686880830800?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-27655189933044656542008-10-02T18:17:00.004+02:002008-10-18T20:45:34.080+02:00Haxfix Version 5.0.22Version 5.0.22<br />2008 10 02<br /><br />Infection: Goldun<br /><br />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D032570A-5F63-4812-A094-87D007C23012}]<br />%System%\IEBHO.dll<br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-2765518993304465654?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-24990889413809881922008-09-29T19:11:00.003+02:002008-10-18T20:45:45.050+02:00Haxfix version 5.0.21Version 5.021<br />2008 09 29<br /><br />Infection: Trojan.Win32.Agent<br /><br />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]<br />"CIJBDYZA"="%systemroot%\CIJBDYZA.exe"<br /><br />%System%\tremir.bin<br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-2499088941380988192?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-83579931859468186762008-09-22T17:32:00.003+02:002008-10-18T20:46:00.830+02:00Haxfix version 5.0.20Version 5.0.20<br />2008 09 22<br /><br />Infection: Goldun<br /><br />O20 - Winlogon Notify: asplug - C:\WINDOWS\SYSTEM32\asplug.dll<br />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\asplug]<br />[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\asplg]<br />DirectSound KDriver: \??\C:\WINDOWS\SYSTEM32\asplg.sys<br /><br />C:\WINDOWS\SYSTEM32\asplg.sys<br />C:\WINDOWS\SYSTEM32\asplug.dll<br /><br />[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]<br />"solo"=-<br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-8357993185946818676?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-85693844135425607062008-09-18T17:12:00.004+02:002008-10-18T20:46:19.092+02:00Haxfix version 5.0.19Version 5.0.19<br />2008 09 18<br /><br />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\gzipmod]<br /><br />gzipmod.dll<br />vbagz.sys<br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-8569384413542560706?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com1tag:blogger.com,1999:blog-6525630119168364793.post-66697720287158259232008-09-15T18:44:00.003+02:002008-10-18T20:46:41.624+02:00Haxfix Version 5.0.18Version 5.018<br />2008 09 15<br /><br />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ddrawxt]<br />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cabpck]<br />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]<br />"braviax"=-<br />[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]<br />"braviax"=-<br /><br />Files:<br />ddrawxt.dll<br />cabpck.dll <br />ddraw.sys<br />krnlcab.sys<br />braviax.exe<br /><br />I changed the script that is checking for othter haxdoor and goldunfiles.<br />If known rootkitfiles are present, haxfix will find and delete them.<br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-6669772028715825923?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-22423923484003496152008-09-11T17:08:00.004+02:002008-11-01T09:32:58.037+01:00Haxfix Version 5.0.17Version 5.017<br />2008 09 11<br /><br />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]<br />"WMedia16"="wmedia16.exe"<br /><br />%windir%\system32\wmedia16.exe<br />%windir%\wmedia16.exe<br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-2242392348400349615?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-13953464358492827572008-09-11T16:57:00.003+02:002008-11-01T09:33:17.191+01:00Haxfix Version 5.0.16Version 5.016<br />2008 09 10<br /><br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hinet<br />hinet.dll<br />ddram.sys<br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-1395346435849282757?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-34748924375082176702008-09-08T18:57:00.003+02:002008-10-18T20:47:36.291+02:00Haxfix version 5.0.15Version 5.015<br />2008 09 07<br /><br />Added:<br />[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\spndt.sys]<br />[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\spndt.sys]<br /><br /><br />Fixed a bug with some of the newer goldunvariants that use the notifykey.<br />Sometimes this notifykey is hidden.<br /><br /><br />Added detection for these browser helper objects:<br />{92617934-9abc-def0-0fed-fad682644311}<br />{68397934-9abc-def0-0fed-fad682644311}<br />{61468245-A343-CF27-3452-44DF4679BDF1}<br />{56262124-6251-5625-3072-548536364311}<br />{46278903-5678-2464-3452-545679092D31}<br />{68363724-9ABC-DEF0-0FED-FAD682644311}<br />{92617934-9ABC-DEF0-0FED-FAD48C654321}<br />{5240864B-FDFE-4563-3514-463926792311}<br />{13146842-6251-5625-3072-548536364311}<br />{62457936-6381-6170-3572-468926792311}<br />{5FCA4D4F-CBDD-4263-3814-463926792311}<br />{65194BCE-CBDD-4263-3814-463926792311}<br />{BCD2AF6E-4271-6572-6429-A63F26792311}<br />{80523A67-ABCD-CF37-3352-54DF4479BDF1}<br />{4A26217C-5521-3459-2345-AB36721975AF}<br />{78934132-3451-67A2-8919-678931572311}<br />{7548953E-4371-6552-6419-A43F26792311}<br />{73468251-2534-8760-3685-423479197575}<br />{81463526-1357-4638-2418-538263794561}<br />{0033669F-AADD-AA59-AA7D-AA4B78888000}<br />{00534B55-3155-CA4F-B41D-0E922121D03C}<br />{92617934-9ABC-DEF0-0FED-FAD48C654321}<br />{00534B55-3155-CA4F-B41D-0E922121D03C}<br />{BF468356-BB7E-42D7-9F15-4F3B9BCFCED2}<br />{DABCE839-3831-3818-AF3A-3837BCD324D2}<br />{DABCE839-3831-3818-AF3A-47D47A738D32}<br />{DABFC839-F831-3D1A-A33A-A7D4BA7C8D3D}<br />{0000AC13-3487-1583-C4BE-BE6A839DB000}<br />{AE1AA4FA-C3A2-4c33-90CD-69DD021A35C8}<br /><br />Haxfix deletes the clsid and the file.<br /><br /><br />Added detection for goldunvariants that use the appinitkey.<br />Detection is done by MD5 check: 21 different MD5's at this moment.<br /><br />Matching files that are not detected by MD5 check, will be enumerated.<br />May I ask you to upload these file in my bleeping channel: http://www.bleepingcomputer.com/submit-malware.php?channel=11<br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-3474892437508217670?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-72067212825044312692008-08-30T16:33:00.005+02:002008-10-18T20:47:51.797+02:00Haxfix Version 5.0.14Version 5.014<br />2008 08 30<br /><br />Files:<br />berzk.dll<br />core3.sys<br />irptp.sys<br />meth.bin<br />meth.plg<br />powerxt.dll<br />spndt.sys<br />xatcore.dll<br /><br />Notifykeys:<br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\powerxt<br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xatcore<br /><br />Services:<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\core3<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\irptp<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\spndt<br /><br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\core3.sys<br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-7206721282504431269?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-1596679633298859022008-08-26T17:06:00.002+02:002008-10-18T20:48:07.388+02:00Haxfix version 5.0.13Version 5.013<br />2008 08 26<br /><br />Files:<br />windows\servicez.exe<br />windows\nvchost.exe<br />windows\winlogon.exe<br />system32\alog.txt<br />system32\crypto64.dll<br />system32\csrcli32.dll<br />system32\dpl.txt<br />%System%\info.txt<br />system32\NGIX.bin<br />system32\ntld.bin<br />system32\preved.bat<br />system32\ps1.dat<br />system32\rc.dat<br />system32\rdata.bin<br />system32\rhs.bin<br />system32\scrcwi32.dll<br />system32\sms.bat<br />system32\sys32time.dll<br />system32\winsms.bat<br />system32\winsms.dll<br />system32\cryptmd5.dll<br />system32\datcom.dll<br />system32\datmps.dll<br />system32\droute.dll<br />system32\dwave.sys<br />system32\dx9sr.sys<br />system32\emulx86.sys<br />system32\hdtvu6.dll<br />system32\hooka.sys<br />system32\ke64boot.dll<br />system32\kteproc.sys<br />system32\mcrwave.dll<br />system32\necsopp.sys<br />system32\nkudpn1.sys<br />system32\pcixm.sys<br />system32\pcixmm.dll<br />system32\pemulx86.dll<br />system32\routew.dll<br />system32\rotw.sys<br />system32\stfilter.dll<br />system32\syncm.sys <br />system32\syslink.dll<br />system32\tehlink0.dll<br />system32\tehlink5.sys<br />system32\wlite.sys<br /><br />Notifykeys:<br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptmd5<br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\datcom<br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\datmps<br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\droute<br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\hdtvu6<br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ke64boot<br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mcrwave<br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pcixmm<br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pemulx86<br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\routew<br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\stfilter<br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\syslink<br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tehlink0<br /><br />Services:<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dwave<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dx9sr<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\emulx86<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\hooka<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kteproc<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\necsopp<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nkudpn1<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\pcixm<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rotr<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rotw<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\syncm<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tehlink5<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wlite<br /><br /><br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\kteproc.sys<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\kteproc.sys<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\syncm.sys<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\syncm.sys<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wlite.sys<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\wlite.sys<br /><br />Runkeys:<br />[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]<br />"nvchost"<br />"winlogon"<br />"Windows Services"<br />"KIT3"<br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-159667963329885902?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-23638544904715867712008-07-13T11:54:00.004+02:002008-11-20T20:38:09.165+01:00Niets voor niets!Veel computergebruikers maken gebruik van cracks, patches of keygenerators om dat ene progje waar men niet wil voor betalen, toch maar werkend te krijgen.<br />Niets voor niets, is ook hier de boodschap.<br /><br />De meeste trucjes die 'gratis' verkrijgbaar zijn op het internet om niet-gratis software toch werkend te krijgen zijn, zijn helemaal niet gratis. Zonder medeweten van de gebruiker wordt immers malware mee op de computer geïnstalleerd. <br />Malware die weer andere malware downloadt en installeert. <br />Malware die je de nodige problemen bezorgd onder de vorm van ongevraagde advertenties.<br />Deze advertenties zijn vaak vervelend, ze duiken te pas en te onpas op. <br />Zoekmachines geven niet meer de gewenste zoekresultaten. <br />Allemaal geen onoverkomelijke problemen, sommigen kunnen er mee leven, anderen niet.<br />Malware is vaak ook slecht geprogrammeerd, en kan de computer onstabiel en traag maken: de computer is nog nauwelijks werkbaar.<br />Een hoge prijs die je betaalt om dat ene programma waar je niet wenst voor te betalen toch werkend te krijgen.<br />De problemen laten oplossen door het computerwinkeltje om de hoek, kost je vaak een aardige duit. Vaak meer dan indien je het programma wat je illegaal wenste te gebruiken, toch zou kopen.<br /><br /><br />Nog niet overtuigd?<br />Met de eerder genoemde nevenwerkingen van cracks en keygenerators houdt het vaak niet op. <br />De tijd dat malwaremakers je alleen maar brachten naar 'hun favoriete' websites is al lang voorbij.<br />Indien jouw computer geïnfecteerd is met malware, kan afhankelijk van de infectie, deze ingezet worden in botnetwerken. Je computer kan onder meer gebruikt worden voor het het uitvoeren van DDos aanvallen, of voor het versturen van (massa's) hoeveelheden spam.<br />Anderen hebben meer controle over de computer dan jij zelf...<br />Ook kan bepaalde malware zich doorsturen naar jouw contactpersonen die jij dan ook weer de nodige problemen bezorgt. <br /><br />Malwaremakers willen echter nog meer. <br />Men is uit op jouw persoonlijke informatie, jouw gegevens die je op het internet gebruikt om bijvoorbeeld te internetbankieren.<br />Op diverse manieren probeert men deze informatie van jou te achterhalen en de methoden die men hiervoor gebruikt gaan ver, heel ver.<br />Doe je niet aan internetbankieren op deze computer, maar misschien wel op een andere computer in het netwerk, geen probleem hoor. De malware kan zich via je netwerk of via draagbare media ook op andere computers nestelen.<br /><br /><br />Dit hele verhaal draait om geld.<br />Geld dat jij niet wil betalen voor bepaalde software. De andere kant van het verhaal draait ook om geld. Men wil je producten laten kopen, door je verleidelijke advertenties te tonen en in het slechtste geval wil men jouw bankgegevens om geld te halen van jouw bankrekening...<br /><br /><br />Het gebruik van illegale verkregen software zorgt altijd voor problemen. <br />Niet alleen voor jou, maar ook voor andere gebruikers van het internet.<br />Jij als medegebruiker hebt ook je verantwoordelijkheden om het World Wide Web leefbaar te houden en om de verspreiding van malware tegen te gaan.<br /><br /><br />Gebruik van illegaal verkregen software is niet netjes tegenover de makers van deze programma's. Zij steken er tijd en geld in om deze software te ontwikkelen, en daar mag best wat tegenover staan.<br />Wens je toch niet te betalen voor software, zoek dan naar gratis alternatieven, want die zijn er echt wel.<br /><br />Gebruik van legaal verkregen software, kan je veel problemen besparen!<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-2363854490471586771?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com5tag:blogger.com,1999:blog-6525630119168364793.post-52793006588875017672008-07-10T22:43:00.002+02:002008-10-18T20:49:28.884+02:00Haxfix version 5.0.122008 07 10<br />Version 5.0.12<br />O20 - Winlogon Notify: lstream - C:\WINDOWS\SYSTEM32\lstream.dll<br />HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\lstream<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\fsxxd<br />XD FileSystemDriver: \??\C:\WINDOWS\System32\fsxxd.sys (system)<br />lstream.dll<br />fsxxd.sys<br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-5279300658887501767?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-86386037457163156492008-05-20T08:30:00.002+02:002008-10-18T20:49:42.874+02:00Haxfix Version 5.0.112008 04 23<br />O20 - Winlogon Notify: divxps - C:\WINDOWS\SYSTEM32\divxps.dll<br />HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\divxps<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\klite<br />KLite Codec 3.0: \??\C:\WINDOWS\System32\klite.sys (system)<br />divxps.dll<br />klite.sys<br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-8638603745716315649?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-62212598242037581192008-05-20T08:25:00.003+02:002008-11-01T09:33:45.334+01:00Haxfix Version 5.0.102008 04 22<br />Added the uninstall option to the menu<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-6221259824203758119?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-412692494594713972008-04-21T18:31:00.003+02:002008-10-10T23:29:16.714+02:00Beautiful DayYesterday I was in South America for almost one hour and a half.<br />I could not believe what I saw and what I heard. <br />I was between a few ten thousand screaming U2 fans.<br />It was a wonderful experience. It was amazing.<br />I think I was at a place....where the streets have no name...a place where we are all together as One.<br />If you like U2, come and go to this place.<br />Go and see the movie <a href="http://www.u23dmovie.com/">U23D</a>.<br /><br /><script type="text/javascript" src="http://widgets.clearspring.com/o/47572cded2ffd3c3/48efc8f10108d1f5/47572cde422610d9/36c6352b/-cpid/3893050e5ad80e0e/widget.js"></script><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-41269249459471397?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-33334300852590413672008-04-19T18:48:00.001+02:002008-10-18T20:50:13.517+02:00Haxfix version 5.00.9Haxfix version 5.00.9<br />2008 04 19<br />O20 - Winlogon Notify: divxrs - C:\WINDOWS\SYSTEM32\divxrs.dll<br />HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\divxrs<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\dprot.sys<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dprot<br />DTM Protector: \??\C:\WINDOWS\System32\dprot.sys (system)<br />divxrs.dll<br />dprot.sys<br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-3333430085259041367?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-70763495956229276122008-03-31T19:48:00.002+02:002008-10-18T20:50:29.016+02:00Haxfix version 5.00.8Haxfix version 5.00.8<br />2008 03 31<br />O20 - Winlogon Notify: ibudu - C:\WINDOWS\SYSTEM32\ibudu.dll<br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ibudu<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\itcoe<br />itcoe adapter \\??\C:\WINDOWS\System32\itcoe.sys (system)<br />ibudu.dll<br />itcoe.sys<br /><br /><br />Use haxfix to remove this infection.<br />Removalinstructions for this infection, you can find <a href="http://marcvn.blogspot.com/2008/10/haxfix-instructions-updated.html">here</a> or <a href="http://users.telenet.be/marcvn/spyware/1970547.htm">here</a>.<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-7076349595622927612?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0tag:blogger.com,1999:blog-6525630119168364793.post-66302556793162522522008-03-23T10:27:00.006+01:002008-09-08T19:08:25.823+02:00HaxfixMaybe you know, maybe you don't, but I made a small removaltool (haxifx) to delete haxdoor and goldun infections.<br /><a href="http://users.telenet.be/marcvn/tools/haxfix.exe" target="_blank">http://users.telenet.be/marcvn/tools/haxfix.exe</a><br /><a href="http://download.bleepingcomputer.com/marckie/haxfix.exe" target="_blank">http://download.bleepingcomputer.com/marckie/haxfix.exe</a><br /><br /><br />When you start haxfix, you will get a menu with 4 options.<br /><br /><span style="font-weight: bold; color: rgb(255, 255, 0);">Option 1: Make logfile</span><br />If you use haxfix, always make a log file first.<br />The logfile is showing all services, safeboot services and notify keys, that are matching with the current haxdoor/goldun variants.<br />Haxfix checks for known SSDOL keys related to goldun.<br />Haxfix also checks if iexplore.exe is infected with a (known) goldunvariant. If so, it looks for a clean alternative in the dllcache or the tempfolder.<br />Catchme.exe has been integrated in haxfix since version 4.43. (thank You Gmer)<br />The logfile produced by Catchme, will be analysed by haxfix for matching haxdoor- or goldunvariants.<br /><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Option 2: Run auto fix</span><span style="color: rgb(255, 255, 51);">.</span><br />Option 2 deletes all haxdoor-notify keys that are found when one, or more then one, matching service/safeboot service is present.<br />You can use option 2 if the notify keys that are found, are related to haxdooor or goldun.<br />- If there is a notify key (xxxx) and the letters xxxx are found between the matching services or matching safebootservices, haxfix deletes them<br />- If there is an unknown notify key or a legit notify key (xxxx) in the logfile, and there are no matching services/safeboot services (xxxx), haxfix will not delete the keys<br />- If there is an unknown notify key or a legit notify key in the haxdoor-logfile and a matching service, don't run option 2 (auto fix) but use the manual fix (option 3) to add the key(s) manually.<br />- All known goldunvariants will be deleted with option 2.<br />- If ieplore.exe is infected, haxfix can fix this without reboot.<br /><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Option 3: Run manual fix</span><br />This gives you the possibilty to add one, or if necessary more then one haxdoor key.<br />When you start option 3, you 'll get a message:<br /><br />echo Insert the haxdoorkey,<br />and then press Enter:<br /><br />Insert the haxdoorkey without the numbers. (Ex: avpe, xtpt, fuxx,...)<br />When this is a valid choice (there is a check for the services/safeboot services), the key will be added to delete.<br />Next you have the possibilty to add a new key: Yes (press Y) or No (press N)<br />When do we use option 3?<br />Use option 3 if there are:<br />- unknown or legit notify keys with related services in the haxlog.txt file.<br />- no notify keys are found, but there are haxdoor related services / safeboot services. (be careful, don't add legit ones, because after reboot they are all gone.)<br />If you use option 3 to delete a haxdoorvariant, and one or more goldunvariants are present too, all infection will be deleted.<br /><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Option 4: Run unknow fix.</span><br />The logfile produced by Catchme will be analysed by haxfix for hax- or goldunvariants.<br />If a match is found, you can delete them by using option 4 - remove unknown.<br />(this only works with the variants that uses notify and services regkeys.)<br />Variants that are not recognized by haxfix, but are detected by catchme, can now be deleted with haxfix.<br /><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">A few remarks:</span><br />If you see this in the logfile: registrysettings failed<br />use this command: <span style="font-style: italic; color: rgb(102, 204, 204);">%systemdrive%\haxfix.exe /reset</span><br /><br />If you don't get a logfile after reboot:<br />use this command: <span style="font-style: italic; color: rgb(102, 204, 204);">%systemdrive%\haxfix.exe /after</span><br /><br /><br /><br />More information about the tool you can find on my website (or on the security boards).<br />http://users.pandora.be/marcvn/spyware/1541877.htm<br />http://users.pandora.be/marcvn/spyware/1585977.htm<br /><br /><br /><br /><span style="font-weight: bold; color: rgb(255, 255, 51);">Updates:</span><br />From now on, I will post all updates of haxfix also here.<br /><br /><br /><span style="font-weight: bold; color: rgb(102, 204, 204);">Version 5.00.1</span><br /><br />2008 01 22<br />Goldun<br />O20 - Winlogon Notify: sha1hsh - C:\WINDOWS\SYSTEM32\sha1hsh.dll<br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sha1hsh<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sha1krnl<br />Kernel CryptoService: \??\C:\WINDOWS\System32\sha1krnl.sys (system)<br />sha1hsh.dll<br />sha1krnl.sys<br /><br /><br /><br /><span style="font-weight: bold; color: rgb(102, 204, 204);">Version 5.00.2</span><br /><br />2008 01 28<br />Goldun<br />O20 - Winlogon Notify: px86emul - C:WINDOWS\SYSTEM32\px86emul.dll<br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\px86emul<br />FPU emulation service: ??C:WINDOWS\system32\x86emul.sys (system)<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\x86emul<br />px86emul.dll<br />x86emul.sys<br /><br /><br /><br /><span style="font-weight: bold; color: rgb(102, 204, 204);">Version 5.00.3</span><br /><br />2008 02 20<br />Goldun<br />O20 - Winlogon Notify: alcomt - C:\WINDOWS\SYSTEM32\alcomt.dll<br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\alcomt<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\alcom<br />alcom.sys<br />alcomt.dll<br /><br /><br /><br /><span style="font-weight: bold; color: rgb(102, 204, 204);">Version 5.00.4</span><br /><br />2008 02 24<br />Goldun<br />O20 - Winlogon Notify: alcopt - C:\WINDOWS\SYSTEM32\alcopt.dll<br />HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\alcopt<br />HKEY_LOCAL_MACHINE\system\currentcontrolset\services\alcop<br />alcop server: \??\C:\WINDOWS\System32\alcop.sys (system)<br />alcop.sys<br />alcopt.dll<br /><br /><br /><br /><span style="font-weight: bold; color: rgb(102, 204, 204);">Version 5.00.5</span><br /><br />2008 02 27<br />O20 - Winlogon Notify: mplink - C:\WINDOWS\SYSTEM32\mplink.dll<br />HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mplink<br />HKEY_LOCAL_MACHINE\system\currentcontrolset\services\fprot<br />FT StarForce Protector: \??\C:\WINDOWS\System32\fprot.sys (system)<br />mplink.dll<br />fprot.sys<br /><br /><br /><br /><span style="font-weight: bold; color: rgb(102, 204, 204);">Version 5.00.6</span><br /><br />2008 03 16<br />O20 - Winlogon Notify: mp3res - C:\WINDOWS\SYSTEM32\mp3res.dll<br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\mp3res<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xprot<br />XPROTECTOR Driver \??\C:\WINDOWS\System32\xprot.sys (system)<br />mp3res.dll<br />xprot.sys<br />k86.bin<br /><br /><br /><span style="font-weight: bold; color: rgb(102, 204, 204);">Version 5.00.7</span><br /><br />2008 03 20<br />O20 - Winlogon Notify: upsctl - C:\WINDOWS\SYSTEM32\upsctl.dll<br />HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\upsctl<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\upscr<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot<br />\Minimal\upscr.sys<br />HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot<br />\Network\upscr.sys<br />hrs.bin<br />upscr.sys<br />upsctl.dll<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/6525630119168364793-6630255679316252252?l=marcvn.blogspot.com' alt='' /></div>Marchttp://www.blogger.com/profile/08903414120157522970noreply@blogger.com0