Haxfix
to remove the Backdoor.Haxdoor Family
Kept up to date with the original Spyware pages
(Translated into English by Ruby for the Users of HijackThis.de)
(German Translation)
Haxdoor-Variants
Here you will find a discussion of the different Haxdoor variants. All variants discussed here can be fixed with HaxFix.
Haxdoor: ****32.dll
All variants of this type:
O20 - Winlogon Notify: ****32 - C:\WINDOWS\SYSTEM32\****32.dll
use the same method of infection.
(**** is the random part.)
Known Variants:
avpe32
O20 - Winlogon Notify: avpe32 - C:\WINDOWS\SYSTEM32\avpe32.dll
TCPIP2 Kernel32: \??\C:\WINDOWS\System32\avpe64.sys (autostart)
TCPIP2 Kernel: \??\C:\WINDOWS\System32\avpe64.sys (system)
avpx32
O20 - Winlogon Notify: avpx32 - C:\WINDOWS\SYSTEM32\avpx32.dll
avpi32
O20 - Winlogon Notify: avpi32 - C:\WINDOWS\SYSTEM32\avpi32.dll
avpp32
O20 - Winlogon Notify: avpp32 - C:\WINDOWS\SYSTEM32\avpp32.dll
avpu32
O20 - Winlogon Notify: avpu32 - C:\WINDOWS\SYSTEM32\avpu32.dll
fuxx32
O20 - Winlogon Notify: fuxx32 - C:\WINDOWS\SYSTEM32\fuxx32.dll
cert32
O20 - Winlogon Notify: cert32 - C:\WINDOWS\SYSTEM32\cert32.dll
tcpR32
O20 - Winlogon Notify: tcpR32 - C:\WINDOWS\SYSTEM32\tcpR32.dll
axxt32
O20 - Winlogon Notify: axxt32 - C:\WINDOWS\SYSTEM32\axxt32.dll
winm32
O20 - Winlogon Notify: winm32 - C:\WINDOWS\SYSTEM32\winm32.dll
winm TCP: \??\C:\WINDOWS\System32\winm32.sys (autostart)
winm64 TCP: \??\C:\WINDOWS\System32\winm64.sys (system)
snda32
O20 - Winlogon Notify: snda32 - C:\WINDOWS\SYSTEM32\snda32.dll
sndu32
O20 - Winlogon Notify: sndu32 - C:\WINDOWS\SYSTEM32\sndu32.dll
lanH32
O20 - Winlogon Notify: lanH32 - C:\WINDOWS\SYSTEM32\lanH32.dll
LAN FW adapter: \??\C:\WINDOWS\System32\lanH64.sys (autostart)
LAN MSFW adapter: \??\C:\WINDOWS\System32\lanH64.sys (system)
twpR32
O20 - Winlogon Notify: twpR32 - C:\WINDOWS\SYSTEM32\twpR32.dll
pptp32
O20 - Winlogon Notify: pptp32 - C:\WINDOWS\SYSTEM32\pptp32.dll
MMX2 virtualization service: \??\C:\WINDOWS\System32\pptp64.sys (autostart)
MMX virtualization service: \??\C:\WINDOWS\System32\pptp64.sys (system)
semd32
O20 - Winlogon Notify: semd32 - C:\WINDOWS\SYSTEM32\semd32.dll
SE 3.2 memory driver: \??\C:\WINDOWS\System32\semd64.sys (autostart)
SE 3.0 memory driver: \??\C:\WINDOWS\System32\semd64.sys (system)
mmxF32
O20 - Winlogon Notify: mmxF32 - C:\WINDOWS\SYSTEM32\mmxF32.dll
MMX2 virtualization service: \??\C:\WINDOWS\System32\mmxF64.sys (autostart)
MMX virtualization service: \??\C:\WINDOWS\System32\mmxF64.sys (system)
xmsk32
O20 - Winlogon Notify: xmsk32 - C:\WINDOWS\SYSTEM32\xmsk32.dll
regP32
O20 - Winlogon Notify: regP32 - C:\WINDOWS\SYSTEM32\regP32.dll
Registry protect service 2: \??\C:\WINDOWS\System32\regP32.sys (autostart)
Registry protect service: \??\C:\WINDOWS\System32\regP64.sys (system)
mmx432
O20 - Winlogon Notify: mmx432 - C:\WINDOWS\SYSTEM32\mmx432.dll
MMX Virtualization Service: \??\C:\WINDOWS\System32\mmx464.sys (autostart)
MMX2 Virtualization Service: \??\C:\WINDOWS\System32\mmx464.sys (autostart)
sslx32
O20 - Winlogon Notify: sslx32 - C:\WINDOWS\SYSTEM32\sslx32.dll
Haxdoor: ****16.dll
All variants of this type:
O20 - Winlogon Notify: ****16 - C:\WINDOWS\SYSTEM32\****16.dll
use the same method of infection.
(**** stands for the haxdoor key, which consists of randomly chosen letters.)
Known Variants:
xptp16
O20 - Winlogon Notify: xptp16 - C:\WINDOWS\SYSTEM32\xptp16.dll
XPPTP winsock version 2: \??\C:\WINDOWS\System32\xptp24.sys (autostart)
XPPTP winsock: \??\C:\WINDOWS\System32\xptp24.sys (system)
pptp16
O20 - Winlogon Notify: pptp16 - C:\WINDOWS\SYSTEM32\pptp16.dll
MMX2 virtualization service: \??\C:\WINDOWS\System32\pptp24.sys (autostart)
MMX virtualization service: \??\C:\WINDOWS\System32\pptp24.sys (system)
ppts16
O20 - Winlogon Notify: ppts16 - C:\WINDOWS\SYSTEM32\ppts16.dll
MMX2 emulation service: \??\C:\WINDOWS\System32\ppts24.sys (autostart)
MMX emulation service: \??\C:\WINDOWS\System32\ppts24.sys (system)
skyx16
O20 - Winlogon Notify: skyx16 - C:\WINDOWS\SYSTEM32\skyx16.dll
DVBa emulation service: \??\C:\WINDOWS\System32\skyx24.sys (autostart)
DVB emulation service: \??\C:\WINDOWS\System32\skyx24.sys (system)
skyu16
O20 - Winlogon Notify: skyu16 - C:\WINDOWS\SYSTEM32\skyu16.dll
DVB X11 controller: \??\C:\WINDOWS\System32\skyu24.sys (autostart)
DVBa X11 controller: \??\C:\WINDOWS\System32\skyu24.sys (system)
Haxdoor: ****xt.dll
All variants of this type:
O20 - Winlogon Notify: ****xt - C:\WINDOWS\SYSTEM32\****xt.dll
use the same method of infection.
(**** is the random part.)
Known Variants:
mmx4xt
O20 - Winlogon Notify: mmx4xt - C:\WINDOWS\SYSTEM32\mmx4xt.dll
MMX virtualization service: \??\C:\WINDOWS\System32\mmx4xm.sys (system)
MMX2 virtualization service: \??\C:\WINDOWS\System32\mmx4xm.sys (autostart)
Haxdoor: ****tt.dll
All variants of this type:
O20 - Winlogon Notify: ****tt - C:\WINDOWS\SYSTEM32\****tt.dll
use the same method of infection.
(**** is the random part.)
Known Variants:
xptptt
O20 - Winlogon Notify: xptptt - C:\WINDOWS\SYSTEM32\xptptt.dll
XPPTP 0x24 winsock: \??\C:\WINDOWS\System32\xptpmm.sys (system)
XPPTP 0x25 winsock: \??\C:\WINDOWS\System32\xptpmm.sys (autostart)
xdudtt
O20 - Winlogon Notify: xdudtt - C:\WINDOWS\SYSTEM32\xdudtt.dll
XPPTP 0x24 winsock: \??\C:\WINDOWS\System32\xdudmm.sys (system)
XPPTP 0x25 winsock: \??\C:\WINDOWS\System32\xdudmm.sys (autostart)
Haxdoor: ****dx.dll
All variants of this type:
O20 - Winlogon Notify: ****dx - C:\WINDOWS\SYSTEM32\****dx.dll
use the same method of infection.
(**** is the random part.)
Known Variants:
wxtwdx
O20 - Winlogon Notify: wxtwdx - C:\WINDOWS\SYSTEM32\wxtwdx.dll
wxtwdu PNP DRIVER: \??\C:\WINDOWS\System32\wxtwdu.sys (system)
wxtw PNP DRIVER: \??\C:\WINDOWS\System32\wxtwdx.sys (autostart)
dxtpdx
O20 - Winlogon Notify: dxtpdx - C:\WINDOWS\SYSTEM32\dxtpdx.dll
MMX virtualization service: \??\C:\WINDOWS\System32\dxtpdh.sys (system)
MMX2 virtualization service: \??\C:\WINDOWS\System32\dxtpdx.sys (autostart)
Haxdoor: ****01.dll
All variants of this type:
O20 - Winlogon Notify: ****01 - C:\WINDOWS\SYSTEM32\****01.dll
use the same method of infection.
(**** is the random part.)
Known Variants:
yvpp01
O20 - Winlogon Notify: yvpp01 - C:\WINDOWS\SYSTEM32\yvpp01.dll
NDIS OSI32: \??\C:\WINDOWS\System32\yvpp01.sys (autostart)
NDIS OSI: \??\C:\WINDOWS\System32\yvpp02.sys (system)
yvbb01
O20 - Winlogon Notify: yvbb01 - C:\WINDOWS\SYSTEM32\yvbb01.dll
Haxdoor: ****ax.dll
All variants of this type:
O20 - Winlogon Notify: ****ax - C:\WINDOWS\SYSTEM32\****ax.dll
use the same method of infection.
(**** is the random part.)
Known Variants:
vistax
O20 - Winlogon Notify: vistax - C:\WINDOWS\SYSTEM32\vistax.dll
SE 3.0 memory driver: \??\C:\WINDOWS\System32\vistaj.sys (system)
SE 3.2 memory driver: \??\C:\WINDOWS\System32\vistaj.sys (autostart)
Haxdoor: ****3a.dll
All variants of this type:
O20 - Winlogon Notify: ****3a - C:\WINDOWS\SYSTEM32\****3a.dll
use the same method of infection.
(**** is the random part.)
Known Variants:
dvb03a
O20 - Winlogon Notify: dvb03a - C:\WINDOWS\SYSTEM32\dvb03a.dll
Haxdoor: ****gs.dll
All variants of this type:
O20 - Winlogon Notify: ****gs - C:\WINDOWS\SYSTEM32\****gs.dll
use the same method of infection.
(**** is the random part.)
Known Variants:
sertgs
O20 - Winlogon Notify: sertgs - C:\WINDOWS\SYSTEM32\sertgs.dll
TCPIP2 Kernel: \??\C:\WINDOWS\System32\sertgm.sys (system)
TCPIP2 Kernel32: \??\C:\WINDOWS\System32\sertgm.sys (autostart)
seppgs
O20 - Winlogon Notify: seppgs - C:\WINDOWS\SYSTEM32\seppgs.dll
STK Bi 001: \??\C:\WINDOWS\System32\seppgm.sys (system)
STK Bi 002: \??\C:\WINDOWS\System32\seppgm.sys (autostart)
xcttgs
O20 - Winlogon Notify: xcttgs - C:\WINDOWS\SYSTEM32\xcttgs.dll
STK Bi 001: \??\C:\WINDOWS\System32\xcttgm.sys (system)
STK Bi 002: \??\C:\WINDOWS\System32\xcttgm.sys (autostart)
Haxdoor: ****hh.dll
All variants of this type:
O20 - Winlogon Notify: ****hh - C:\WINDOWS\SYSTEM32\****hh.dll
use the same method of infection.
(**** is the random part.)
Known Variants:
bmtdhh
O20 - Winlogon Notify: bmtdhh - C:\WINDOWS\SYSTEM32\bmtdhh.dll
DVB X11 controller: \??\C:\WINDOWS\System32\bmtdhk.sys (autostart)
DVBa X11 controller: \??\C:\WINDOWS\System32\bmtdhk.sys (system)
Haxdoor: lanmui.dll
O20 - Winlogon Notify: lanmui - C:\WINDOWS\SYSTEM32\lanmui.dll
LAN FW adapter: \??\C:\WINDOWS\System32\lannui.sys (autostart)
LAN MSFW adapter: \??\C:\WINDOWS\System32\lannui.sys (system)
Haxdoor: twpkad.dll
O20 - Winlogon Notify: twpkad - C:\WINDOWS\SYSTEM32\twpkad.dll
UDP32 netbios mapping: \??\C:\WINDOWS\System32\twpkbd.sys (autostart)
NETLINK mapping: \??\C:\WINDOWS\System32\twpkbd.sys (system)
Haxdoor: ****44.dll
All variants of this type:
O20 - Winlogon Notify: ****44 - C:\WINDOWS\SYSTEM32\****44.dll
(**** is the random part.)
Known Variants:
winf44
O20 - Winlogon Notify: winf44 - C:\WINDOWS\SYSTEM32\winf44.dll
winm TCP: \??\C:\WINDOWS\System32\winf44.sys (autostart)
winf49 TCP: \??\C:\WINDOWS\System32\winf49.sys (system)
Haxdoor: debugg.dll
O20 - Winlogon Notify: debugg - C:\WINDOWS\SYSTEM32\debugg.dll
Haxdoor: yvsvga.dll
O20 - Winlogon Notify: yvsvga - C:\WINDOWS\SYSTEM32\yvsvga.dll
NDIS OSI: System32\ycsvga.sys (system)
Haxdoor: xmm13g.dll
O20 - Winlogon Notify: xmm13g - C:\WINDOWS\SYSTEM32\xmm13g.dll
MMX virtualization service: \??\C:\WINDOWS\System32\mmx19g.sys (system)
MMX2 virtualization service: \??\C:\WINDOWS\System32\mmx19g.sys (autostart)
Haxdoor: mmx17g.dll
O20 - Winlogon Notify: mmx17g - C:\WINDOWS\SYSTEM32\mmx17g.dll
Haxdoor: yvprgb.dll
O20 - Winlogon Notify: yvprgb - c:\windows\system32\yvprgb.dll
YVPB video output: \??\C:\WINDOWS\system32\ycsrgb.sys (system)
RGB video output: \??\C:\WINDOWS\system32\ycsrga.sys (autostart)
Haxdoor: rxx5ot.dll
O20 - Winlogon Notify: rxx5ot - C:\WINNT\SYSTEM32\rxx5ot.dll
Haxdoor: ydsvgd.dll
O20 - Winlogon Notify: ydsvgd - C:\WINDOWS\SYSTEM32\ydsvgd.dll
Haxdoor: xopptp.dll
O20 - Winlogon Notify: xopptp - C:\WINDOWS\SYSTEM32\xopptp.dll
YVPB video output: \??\C:\WINDOWS\system32\xdpptp.sys (system)
xopptp.dll
xdpptp.sys
xopptp.sys
Haxdoor: yvdrgb.dll
O20 - Winlogon Notify: yvdrgb - C:\WINDOWS\SYSTEM32\yvdrgb.dll
YVPB video output: \??\C:\WINDOWS\System32\ycsrgb.sys (system)
RGB video output: \??\C:\WINDOWS\System32\ycsrga.sys (autostart)
yvdrgb.dll
ycsrgb.sys
Haxdoor: emul65.dll
O20 - Winlogon Notify: emul65 - C:\WINDOWS\SYSTEM32\emul65.dll
DCode emulator A37: \??\C:\WINDOWS\System32\emul37.sys (system)
DCode emulator: \??\C:\WINDOWS\System32\emul65.sys (autostart)
emul65.dll
emul65.sys
emul37.sys
Haxdoor: wnmicf.dll
O20 - Winlogon Notify: wnmicf - C:\WINDOWS\SYSTEM32\wnmicf.dll
MClear Service: \??\C:\WINDOWS\System32\wnmicf.sys (autostart)
FClear Service: \??\C:\WINDOWS\System32\wnmifc.sys (system)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wnmicf
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wnmifc
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\wnmicf.sys
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\wnmifc.sys
wnmicf.dll
wnmicf.sys
wnmifc.sys
Haxdoor: rmk8ot.dll
O20 - Winlogon Notify: rmk8ot - C:\WINDOWS\SYSTEM32\rmk8ot.dll
MMX2 virtualization service: \??\C:\WINDOWS\System32\rmk9ot.sys (autostart)
MMX virtualization service: \??\C:\WINDOWS\System32\rmk9ot.sys (system)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rmk8ot
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rmk9ot
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\rmk8ot.sys
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\rmk9ot.sys
rmk8ot.dll
rmk8ot.sys
rmk9ot.sys
Haxdoor: svkvpn.dll
O20 - Winlogon Notify: svkvpn - C:\WINDOWS\SYSTEM32\svkvpn.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\svkvpn
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\svjvpn.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\svjvpn.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svjvpn
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svkvpn
MCRT accelerator: \??\C:\WINDOWS\System32\svjvpn.sys (system)
DCRT accelerator: \??\C:\WINDOWS\System32\svjvpm.sys (autostart)
svkvpn.dll
svjvpn.sys
svkvpn.sys
Haxdoor: utgrbe.dll
O20 - Winlogon Notify: utgrbe - C:\WINDOWS\SYSTEM32\utgrbe.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\utgrbe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\utgrbe.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ufgrbe.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ufgrbe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\utgrbe
utgrbe.dll
utgrbe.sys
ufgrbe.sys
Haxdoor: eetvpn.dll
O20 - Winlogon Notify: eetvpn - C:\WINDOWS\SYSTEM32\eetvpn.dll
MCRT accelerator: \??\C:\WINDOWS\System32\eexvpn.sys (system)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\eetvpn
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\eetvpn.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\eexvpn.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\eetvpn
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\eexvpn
eetvpn.dll
eetvpn.sys
eexvpn.sys
Haxdoor: wsmsag.dll
O20 - Winlogon Notify: wsmsag - C:\WINDOWS\SYSTEM32\wsmsag.dll
RGB video output: \??\C:\WINDOWS\System32\mswsaf.sys (autostart)
IPSTK driver: \??\C:\WINDOWS\System32\mswsag.sys (system)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wsmsag
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wsmsag
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mswsag
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mswsag.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\mswsag.sys
wsmsag.dll
mswsag.sys
wsmsag.sys
Haxdoor: ovrscn.dll
O20 - Winlogon Notify: ovrscn - C:\WINDOWS\SYSTEM32\ovrscn.dll
Memory SCN X1: \??\C:\WINDOWS\System32\ovrscn.sys (autostart)
Memory SCN: \??\C:\WINDOWS\System32\ovwscn.sys (system)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ovrscn
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ovrscn
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ovwscn
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ovrscn.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ovrscn.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ovwscn.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ovwscn.sys
ovrscn.dll
ovrscn.sys
ovwscn.sys
Haxdoor: rgbopx.dll
O20 - Winlogon Notify: rgbopx - C:\WINDOWS\SYSTEM32\rgbopx.dll
YVPB video output: \??\C:\WINDOWS\system32\ycsrgb.sys
RGB video output: \??\C:\WINDOWS\system32\ycsrga.sys
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rgbopx
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rgbopx
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ycsrgb
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\rgbopx.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ycsrgb.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rgbopx.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\ycsrgb.sys
rgbopx.dll
ycsrgb.sys
ycsrga.sys
Reinstall processes:
O4 - HKCU\..\Run: [userinit.exe] C:\WINDOWS\userinit.exe
O4 - HKLM\..\Run: [C:\WINDOWS\userinit.exe] C:\WINDOWS\userinit.exe
O4 - HKLM\..\Run: [C:\WINDOWS\kernel%32.exe] C:\WINDOWS\kernel%32.exe
C:\WINDOWS\userinit.exe
C:\WINDOWS\kernel%32.exe
HaxFix
All variants discussed here, and any unknown variants that use the same method of infection, can be fixed with HaxFix.
How to clean it up:
Download haxfix.exe.
Save it to your desktop.
Close all applications and every browser window.
Double-click haxfix.exe to start the installation.
Put a checkmark next to "Create a desktop icon".
Click "Next" and follow the prompts on the screen.
When the installation is finished, make sure that "Launch HaxFix" is checked.
Click "Finish".
A red DOS window now opens with the following options to choose from:
1. Make logfile
2. Run auto fix
3. Run manual fix
4. Run unknown fix
E. Exit Haxfix
Option 1: Make logfile.
Choose Option 1 (create a log) by pressing 1.
This takes a moment. When HaxFix is finished, a text file opens (haxlog.txt).
You need to use this option first. It creates a log listing all possible candidates that may indicate one of the Haxdoor variants is running on your system.
The check covers:
- the file ps.a3d (the only file that is not hidden by the rootkit)
- notify subkeys of the type ****16, ****32, ****xt, ****tt
- services of the type ****16, ****24, ****32, ****64, ****xt, ****xm, ****tt, ****mm, ...
- safeboot services of the type ****16.sys, ****24.sys, ****32.sys, ****64.sys, ****xt.sys, ****xm.sys, ****tt.sys, ****mm.sys, ...
This logfile is required to get the right results for the Haxdoor variant on your system.
Start HaxFix again by clicking the HaxFix icon on your desktop.
(You can also open the folder Program Files\haxfix and double-click fix.bat.)
Now choose between Option 2 and Option 3.
Option 2: Run the automatic fix.
Close all applications and browser windows. Your system will restart while HaxFix runs.
Choose 2 and press ENTER to start Option 2 "Run auto fix".
Follow the instructions on the screen.
Your system will restart.
As soon as HaxFix is done, a text file opens (c:\haxfix.txt).
This option works with the notify keys that were found.
For every key found, a check is made whether a matching service or safeboot service exists.
(The check covers 6 different registry keys.)
As soon as a service or safeboot service is found, the fix starts.
If no matching service or safeboot service is found, no fix is done for that notify key; it is ignored.
All the details are in the logfile from Option 1.
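The matching rule Option 2 describes (a notify key of one of the listed types is only acted on when a service or safeboot service with the same four-letter key exists) can be checked offline against a HijackThis log or a haxlog.txt before anything is deleted. The following Python is an added example written for this page, not HaxFix's own code (HaxFix is a batch script, fix.bat); the suffix sets, the line formats it parses, and the sample lines are assumptions built from the variants listed above.

```python
import re
from collections import defaultdict

# Suffixes of the Haxdoor notify-DLL families listed on this page (****32, ****16, ...).
NOTIFY_SUFFIXES = {"16", "32", "xt", "tt", "dx", "01", "ax", "3a", "gs", "hh", "44"}
# Suffixes of the companion .sys services / safeboot entries. The page's own list
# ends with "...", so this set is an assumption built from the variants shown.
SERVICE_SUFFIXES = {"16", "24", "32", "64", "xt", "xm", "tt", "mm", "44", "49"}

# HijackThis O20 line, e.g. "O20 - Winlogon Notify: avpe32 - C:\WINDOWS\SYSTEM32\avpe32.dll"
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>[A-Za-z0-9]+) - (?P<path>.+)$")
# Service line as shown above, e.g. "TCPIP2 Kernel32: \??\C:\WINDOWS\System32\avpe64.sys (autostart)"
SERVICE_RE = re.compile(
    r"^(?P<display>[^:]+): \\\?\?\\(?P<path>.*\\(?P<file>[A-Za-z0-9]+)\.sys) "
    r"\((?P<start>autostart|system)\)$", re.IGNORECASE)
# Safeboot registry key, e.g. "HKEY_LOCAL_MACHINE\SYSTEM\...\Control\SafeBoot\Minimal\avpe64.sys"
SAFEBOOT_RE = re.compile(r"\\SafeBoot\\(?:Minimal|Network)\\(?P<file>[A-Za-z0-9]+)\.sys$",
                         re.IGNORECASE)


def split_key(name, suffixes):
    """Return (key, suffix) for a 6-character name whose last two characters are a
    known suffix (e.g. "avpe32" -> ("avpe", "32")); anything else returns None."""
    name = name.lower()
    if len(name) != 6 or name[4:] not in suffixes:
        return None
    return name[:4], name[4:]


def parse_report(lines):
    """Collect notify keys, services and safeboot services, indexed by the 4-letter key."""
    notify = {}                    # key -> notify name, e.g. "avpe" -> "avpe32"
    services = defaultdict(set)    # key -> {"avpe64", ...}
    safeboot = defaultdict(set)    # key -> {"avpe64.sys", ...}
    for raw in lines:
        line = raw.strip()
        m = O20_RE.match(line)
        if m:
            parts = split_key(m["name"], NOTIFY_SUFFIXES)
            if parts:
                notify[parts[0]] = m["name"].lower()
            continue
        m = SAFEBOOT_RE.search(line)
        if m:
            parts = split_key(m["file"], SERVICE_SUFFIXES)
            if parts:
                safeboot[parts[0]].add(m["file"].lower() + ".sys")
            continue
        m = SERVICE_RE.match(line)
        if m:
            parts = split_key(m["file"], SERVICE_SUFFIXES)
            if parts:
                services[parts[0]].add(m["file"].lower())
    return notify, services, safeboot


def classify(lines):
    """Apply the Option 2 rule: a notify key is a fix candidate only when at least one
    service or safeboot service shares its key; otherwise it is reported as ignored."""
    notify, services, safeboot = parse_report(lines)
    fix, ignored = {}, []
    for key, name in sorted(notify.items()):
        evidence = sorted(services[key] | safeboot[key])
        if evidence:
            fix[name] = evidence
        else:
            ignored.append(name)
    return fix, ignored


# Constructed sample input (not a real log): one legitimate Windows notify entry,
# one key with companion service and safeboot entries, one key without any, and
# an ordinary driver line that must not be mistaken for a Haxdoor service.
SAMPLE_LINES = [
    "O20 - Winlogon Notify: crypt32chain - crypt32.dll",
    "O20 - Winlogon Notify: avpe32 - C:\\WINDOWS\\SYSTEM32\\avpe32.dll",
    "TCPIP2 Kernel32: \\??\\C:\\WINDOWS\\System32\\avpe64.sys (autostart)",
    "TCPIP2 Kernel: \\??\\C:\\WINDOWS\\System32\\avpe64.sys (system)",
    "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\avpe64.sys",
    "O20 - Winlogon Notify: fuxx32 - C:\\WINDOWS\\SYSTEM32\\fuxx32.dll",
    "Beep: \\??\\C:\\WINDOWS\\System32\\drivers\\beep.sys (system)",
]

if __name__ == "__main__":
    fix, ignored = classify(SAMPLE_LINES)
    for name, evidence in fix.items():
        print(f"fix candidate {name}: matching services {', '.join(evidence)}")
    for name in ignored:
        print(f"ignored {name}: notify key without matching service or safeboot service")
```

Run against the sample, avpe32 is reported as a fix candidate (backed by avpe64 and avpe64.sys) while fuxx32 is ignored because nothing else on the system carries the fuxx key; the crypt32chain and beep.sys lines are never treated as candidates because their names do not fit the 4-plus-2 pattern. The hard-coded names on this page (lanmui, debugg, and so on) are deliberately outside this check, as they are for Option 1.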
Option 3: Run the manual fix.
Close all applications and browser windows. Your system will restart while HaxFix runs.
Choose 3 and press ENTER to start Option 3 "Run manual fix".
When you get the message:
Insert the haxdoorkey,
and then press enter:
type: <haxdoorkey **** (without the numbers)>
(for example: avpe, pptp, fuxx, snda, xptp, ....)
Press ENTER.
Now you get the message:
Haxdoorkey xxxx added to delete.
Do you want to add a new haxdoorkey?
Press Y for YES or N for NO and then press Enter:
If you want to add another key:
Press Y for YES.
When you get the message:
Insert the haxdoorkey,
and then press enter:
type: <haxdoorkey **** (without the numbers)>
Press ENTER.
Now you will get the message:
Haxdoorkey **** added to delete.
Do you want to add a new haxdoorkey?
Press Y for YES or N for NO and then press Enter:
.....
If you don't want to add another key:
Press N for NO.
Follow the instructions on the screen.
Your system will restart.
When HaxFix is done, it opens a text file (c:\haxfix.txt).
This option lets you add a key manually.
As soon as you add a key, a check is made for the presence of a matching service / safeboot service. If nothing is found, the key is not added.
You can add more than one key.
Option 3 can be used:
- when no notify key can be found.
- when there are important entries in the logfile that must not be deleted.
Information on how to remove the Goldun variants can be found here: http://users.telenet.be/marcvn/spyware/1585977.htm
Option 4: Run the unknown fix.
Since version 4.43, catchme.exe is integrated into HaxFix (many thanks to Gmer).
HaxFix checks the catchme logfile for Haxdoor and Goldun variants, using the notify key and the services.
Haxdoor and Goldun variants found this way can be deleted with Option 4.
E. Exit Haxfix
This option closes HaxFix.
Take care: there can always be important entries in the logfile you created under Option 1.
As soon as one of these key types is found on your system together with just one running service, HaxFix deletes that key.
Please take care using this program - don't play around!
The logfile created by HaxFix looks like this:
HAXFIX logfile - by Marckie
______________
version 4.00
do 27/07/2006 21:31:51,23
running from: C:\Program Files\HaxFix
checking for haxdoor
--------------------
checking for a3d files....
a3d files found
ps.a3d
checking for matching notify keys....
matching notify keys found
winf
checking for matching services....
matching services found
winf44
winf49
checking for matching safeboot services....
matching safeboot services found
winf44.sys
winf49.sys
Checking for goldun
-------------------
checking for notify keys....
no notify keys found
checking for services....
no services found
Finished
Option 2 (run auto fix) gives this:
HAXFIX logfile - by Marckie
--------------
version 4.00
do 27/07/2006 21:33:09,29
--- Auto Haxdoorfix ---
searching for services....
service winf44 found
[SWSC] DeleteService SUCCESS
service winf49 found
[SWSC] DeleteService SUCCESS
--- Goldunfix ---
searching for notifykeys:
no notifykeys found
searching for services:
No services found
.....rebooting the computer.....
searching for notifykeys
notifykey winf44 not found
searching for services
service winf44 not found
service winf49 not found
searching for safeboot services
safeboot service winf44.sys not found
safeboot service winf49.sys not found
searching for files
winf44.dll exists
deleting winf44.dll
winf44.dll has been deleted
winf44.sys exists
deleting winf44.sys
winf44.sys has been deleted
winf49.sys exists
deleting winf49.sys
winf49.sys has been deleted
checking for other files
qy.sys exists
deleting qy.sys
qy.sys has been deleted
qz.dll exists
deleting qz.dll
qz.dll has been deleted
qz.sys exists
deleting qz.sys
qz.sys has been deleted
x8.xxd exists
deleting x8.xxd
x8.xxd has been deleted
zxcsedr.dll exists
deleting zxcsedr.dll
zxcsedr.dll has been deleted
checking for a3d files
ps.a3d
deleting a3d files
a3d files are deleted
Finished