Thread: Haxfix Haxdoor Removal (en)

  1. #1
    Ruby (Supermod, retired)
    Registered since
    25.01.2005
    Location
    The Netherlands
    Posts
    20.038

    Haxfix Haxdoor Removal (en)

    Haxfix
    to remove the Backdoor.Haxdoor Family


    Finally updated to match the original Spyware pages
    (Translated into English by Ruby for the users of HijackThis.de)
    (German Translation)


    Haxdoor-Variants
    Here you will find a discussion of the different Haxdoor variants. All variants discussed here can be fixed with HaxFix.

    Haxdoor: ****32.dll
    All variants of this type:
    O20 - Winlogon Notify: ****32 - C:\WINDOWS\SYSTEM32\****32.dll
    which use the same method of infection.
    (**** is the random part.)


    Known Variants:
    avpe32
    O20 - Winlogon Notify: avpe32 - C:\WINDOWS\SYSTEM32\avpe32.dll
    TCPIP2 Kernel32: \??\C:\WINDOWS\System32\avpe64.sys (autostart)
    TCPIP2 Kernel: \??\C:\WINDOWS\System32\avpe64.sys (system)


    avpx32
    O20 - Winlogon Notify: avpx32 - C:\WINDOWS\SYSTEM32\avpx32.dll

    avpi32
    O20 - Winlogon Notify: avpi32 - C:\WINDOWS\SYSTEM32\avpi32.dll

    avpp32
    O20 - Winlogon Notify: avpp32 - C:\WINDOWS\SYSTEM32\avpp32.dll

    avpu32
    O20 - Winlogon Notify: avpu32 - C:\WINDOWS\SYSTEM32\avpu32.dll

    fuxx32
    O20 - Winlogon Notify: fuxx32 - C:\WINDOWS\SYSTEM32\fuxx32.dll

    cert32
    O20 - Winlogon Notify: cert32 - C:\WINDOWS\SYSTEM32\cert32.dll

    tcpR32
    O20 - Winlogon Notify: tcpR32 - C:\WINDOWS\SYSTEM32\tcpR32.dll

    axxt32
    O20 - Winlogon Notify: axxt32 - C:\WINDOWS\SYSTEM32\axxt32.dll

    winm32
    O20 - Winlogon Notify: winm32 - C:\WINDOWS\SYSTEM32\winm32.dll
    winm TCP: \??\C:\WINDOWS\System32\winm32.sys (autostart)
    winm64 TCP: \??\C:\WINDOWS\System32\winm64.sys (system)

    snda32
    O20 - Winlogon Notify: snda32 - C:\WINDOWS\SYSTEM32\snda32.dll

    sndu32
    O20 - Winlogon Notify: sndu32 - C:\WINDOWS\SYSTEM32\sndu32.dll

    lanH32
    O20 - Winlogon Notify: lanH32 - C:\WINDOWS\SYSTEM32\lanH32.dll
    LAN FW adapter: \??\C:\WINDOWS\System32\lanH64.sys (autostart)
    LAN MSFW adapter: \??\C:\WINDOWS\System32\lanH64.sys (system)

    twpR32
    O20 - Winlogon Notify: twpR32 - C:\WINDOWS\SYSTEM32\twpR32.dll

    pptp32
    O20 - Winlogon Notify: pptp32 - C:\WINDOWS\SYSTEM32\pptp32.dll
    MMX2 virtualization service: \??\C:\WINDOWS\System32\pptp64.sys (autostart)
    MMX virtualization service: \??\C:\WINDOWS\System32\pptp64.sys (system)

    semd32
    O20 - Winlogon Notify: semd32 - C:\WINDOWS\SYSTEM32\semd32.dll
    SE 3.2 memory driver: \??\C:\WINDOWS\System32\semd64.sys (autostart)
    SE 3.0 memory driver: \??\C:\WINDOWS\System32\semd64.sys (system)

    mmxF32
    O20 - Winlogon Notify: mmxF32 - C:\WINDOWS\SYSTEM32\mmxF32.dll
    MMX2 virtualization service: \??\C:\WINDOWS\System32\mmxF64.sys (autostart)
    MMX virtualization service: \??\C:\WINDOWS\System32\mmxF64.sys (system)

    xmsk32
    O20 - Winlogon Notify: xmsk32 - C:\WINDOWS\SYSTEM32\xmsk32.dll

    regP32
    O20 - Winlogon Notify: regP32 - C:\WINDOWS\SYSTEM32\regP32.dll
    Registry protect service 2: \??\C:\WINDOWS\System32\regP32.sys (autostart)
    Registry protect service: \??\C:\WINDOWS\System32\regP64.sys (system)

    mmx432
    O20 - Winlogon Notify: mmx432 - C:\WINDOWS\SYSTEM32\mmx432.dll
    MMX Virtualization Service: \??\C:\WINDOWS\System32\mmx464.sys (autostart)
    MMX2 Virtualization Service: \??\C:\WINDOWS\System32\mmx464.sys (autostart)

    sslx32
    O20 - Winlogon Notify: sslx32 - C:\WINDOWS\SYSTEM32\sslx32.dll

    Haxdoor: ****16.dll
    All variants of this type:
    O20 - Winlogon Notify: ****16 - C:\WINDOWS\SYSTEM32\****16.dll
    which use the same method of infection.
    (**** stands for the haxdoor key: four randomly chosen letters.)


    Known Variants:
    xptp16
    O20 - Winlogon Notify: xptp16 - C:\WINDOWS\SYSTEM32\xptp16.dll
    XPPTP winsock version 2: \??\C:\WINDOWS\System32\xptp24.sys (autostart)
    XPPTP winsock: \??\C:\WINDOWS\System32\xptp24.sys (system)

    pptp16
    O20 - Winlogon Notify: pptp16 - C:\WINDOWS\SYSTEM32\pptp16.dll
    MMX2 virtualization service: \??\C:\WINDOWS\System32\pptp24.sys (autostart)
    MMX virtualization service: \??\C:\WINDOWS\System32\pptp24.sys (system)

    ppts16
    O20 - Winlogon Notify: ppts16 - C:\WINDOWS\SYSTEM32\ppts16.dll
    MMX2 emulation service: \??\C:\WINDOWS\System32\ppts24.sys (autostart)
    MMX emulation service: \??\C:\WINDOWS\System32\ppts24.sys (system)

    skyx16
    O20 - Winlogon Notify: skyx16 - C:\WINDOWS\SYSTEM32\skyx16.dll
    DVBa emulation service: \??\C:\WINDOWS\System32\skyx24.sys (autostart)
    DVB emulation service: \??\C:\WINDOWS\System32\skyx24.sys (system)

    skyu16
    O20 - Winlogon Notify: skyu16 - C:\WINDOWS\SYSTEM32\skyu16.dll
    DVB X11 controller: \??\C:\WINDOWS\System32\skyu24.sys (autostart)
    DVBa X11 controller: \??\C:\WINDOWS\System32\skyu24.sys (system)

    Haxdoor: ****xt.dll
    All variants of this type:
    O20 - Winlogon Notify: ****xt - C:\WINDOWS\SYSTEM32\****xt.dll
    which use the same method of infection.
    (**** is the random part.)


    Known Variants:
    mmx4xt
    O20 - Winlogon Notify: mmx4xt - C:\WINDOWS\SYSTEM32\mmx4xt.dll
    MMX virtualization service: \??\C:\WINDOWS\System32\mmx4xm.sys (system)
    MMX2 virtualization service: \??\C:\WINDOWS\System32\mmx4xm.sys (autostart)

    Haxdoor: ****tt.dll
    All variants of this type:
    O20 - Winlogon Notify: ****tt - C:\WINDOWS\SYSTEM32\****tt.dll
    which use the same method of infection.
    (**** is the random part.)


    Known Variants:
    xptptt
    O20 - Winlogon Notify: xptptt - C:\WINDOWS\SYSTEM32\xptptt.dll
    XPPTP 0x24 winsock: \??\C:\WINDOWS\System32\xptpmm.sys (system)
    XPPTP 0x25 winsock: \??\C:\WINDOWS\System32\xptpmm.sys (autostart)

    xdudtt
    O20 - Winlogon Notify: xdudtt - C:\WINDOWS\SYSTEM32\xdudtt.dll
    XPPTP 0x24 winsock: \??\C:\WINDOWS\System32\xdudmm.sys (system)
    XPPTP 0x25 winsock: \??\C:\WINDOWS\System32\xdudmm.sys (autostart)

    Haxdoor: ****dx.dll
    All variants of this type:
    O20 - Winlogon Notify: ****dx - C:\WINDOWS\SYSTEM32\****dx.dll
    which use the same method of infection.
    (**** is the random part.)


    Known Variants:
    wxtwdx
    O20 - Winlogon Notify: wxtwdx - C:\WINDOWS\SYSTEM32\wxtwdx.dll
    wxtwdu PNP DRIVER: \??\C:\WINDOWS\System32\wxtwdu.sys (system)
    wxtw PNP DRIVER: \??\C:\WINDOWS\System32\wxtwdx.sys (autostart)

    dxtpdx
    O20 - Winlogon Notify: dxtpdx - C:\WINDOWS\SYSTEM32\dxtpdx.dll
    MMX virtualization service: \??\C:\WINDOWS\System32\dxtpdh.sys (system)
    MMX2 virtualization service: \??\C:\WINDOWS\System32\dxtpdx.sys (autostart)

    Haxdoor: ****01.dll
    All variants of this type:
    O20 - Winlogon Notify: ****01 - C:\WINDOWS\SYSTEM32\****01.dll
    which use the same method of infection.
    (**** is the random part.)


    Known Variants:
    yvpp01
    O20 - Winlogon Notify: yvpp01 - C:\WINDOWS\SYSTEM32\yvpp01.dll
    NDIS OSI32: \??\C:\WINDOWS\System32\yvpp01.sys (autostart)
    NDIS OSI: \??\C:\WINDOWS\System32\yvpp02.sys (system)

    yvbb01
    O20 - Winlogon Notify: yvbb01 - C:\WINDOWS\SYSTEM32\yvbb01.dll

    Haxdoor: ****ax.dll
    All variants of this type:
    O20 - Winlogon Notify: ****ax - C:\WINDOWS\SYSTEM32\****ax.dll
    which use the same method of infection.
    (**** is the random part.)


    Known Variants:
    vistax
    O20 - Winlogon Notify: vistax - C:\WINDOWS\SYSTEM32\vistax.dll
    SE 3.0 memory driver: \??\C:\WINDOWS\System32\vistaj.sys (system)
    SE 3.2 memory driver: \??\C:\WINDOWS\System32\vistaj.sys (autostart)

    Haxdoor: ****3a.dll
    All variants of this type:
    O20 - Winlogon Notify: ****3a - C:\WINDOWS\SYSTEM32\****3a.dll
    which use the same method of infection.
    (**** is the random part.)


    Known Variants:
    dvb03a
    O20 - Winlogon Notify: dvb03a - C:\WINDOWS\SYSTEM32\dvb03a.dll

    Haxdoor: ****gs.dll
    All variants of this type:
    O20 - Winlogon Notify: ****gs - C:\WINDOWS\SYSTEM32\****gs.dll
    which use the same method of infection.
    (**** is the random part.)


    Known Variants:
    sertgs
    O20 - Winlogon Notify: sertgs - C:\WINDOWS\SYSTEM32\sertgs.dll
    TCPIP2 Kernel: \??\C:\WINDOWS\System32\sertgm.sys (system)
    TCPIP2 Kernel32: \??\C:\WINDOWS\System32\sertgm.sys (autostart)

    seppgs
    O20 - Winlogon Notify: seppgs - C:\WINDOWS\SYSTEM32\seppgs.dll
    STK Bi 001: \??\C:\WINDOWS\System32\seppgm.sys (system)
    STK Bi 002: \??\C:\WINDOWS\System32\seppgm.sys (autostart)

    xcttgs
    O20 - Winlogon Notify: xcttgs - C:\WINDOWS\SYSTEM32\xcttgs.dll
    STK Bi 001: \??\C:\WINDOWS\System32\xcttgm.sys (system)
    STK Bi 002: \??\C:\WINDOWS\System32\xcttgm.sys (autostart)

    Haxdoor: ****hh.dll
    All variants of this type:
    O20 - Winlogon Notify: ****hh - C:\WINDOWS\SYSTEM32\****hh.dll
    which use the same method of infection.
    (**** is the random part.)


    Known Variants:
    bmtdhh
    O20 - Winlogon Notify: bmtdhh - C:\WINDOWS\SYSTEM32\bmtdhh.dll
    DVB X11 controller: \??\C:\WINDOWS\System32\bmtdhk.sys (autostart)
    DVBa X11 controller: \??\C:\WINDOWS\System32\bmtdhk.sys (system)

    Haxdoor: lanmui.dll
    O20 - Winlogon Notify: lanmui - C:\WINDOWS\SYSTEM32\lanmui.dll
    LAN FW adapter: \??\C:\WINDOWS\System32\lannui.sys (autostart)
    LAN MSFW adapter: \??\C:\WINDOWS\System32\lannui.sys (system)


    Haxdoor: twpkad.dll
    O20 - Winlogon Notify: twpkad - C:\WINDOWS\SYSTEM32\twpkad.dll
    UDP32 netbios mapping: \??\C:\WINDOWS\System32\twpkbd.sys (autostart)
    NETLINK mapping: \??\C:\WINDOWS\System32\twpkbd.sys (system)


    Haxdoor: ****44.dll
    All variants of this type:
    O20 - Winlogon Notify: ****44 - C:\WINDOWS\SYSTEM32\****44.dll
    (**** is the random part.)


    Known Variants:
    winf44
    O20 - Winlogon Notify: winf44 - C:\WINDOWS\SYSTEM32\winf44.dll
    winm TCP: \??\C:\WINDOWS\System32\winf44.sys (autostart)
    winf49 TCP: \??\C:\WINDOWS\System32\winf49.sys (system)

    Haxdoor: debugg.dll
    O20 - Winlogon Notify: debugg - C:\WINDOWS\SYSTEM32\debugg.dll

    Haxdoor: yvsvga.dll
    O20 - Winlogon Notify: yvsvga - C:\WINDOWS\SYSTEM32\yvsvga.dll
    NDIS OSI: System32\ycsvga.sys (system)

    Haxdoor: xmm13g.dll
    O20 - Winlogon Notify: xmm13g - C:\WINDOWS\SYSTEM32\xmm13g.dll
    MMX virtualization service: \??\C:\WINDOWS\System32\mmx19g.sys (system)
    MMX2 virtualization service: \??\C:\WINDOWS\System32\mmx19g.sys (autostart)

    Haxdoor: mmx17g.dll
    O20 - Winlogon Notify: mmx17g - C:\WINDOWS\SYSTEM32\mmx17g.dll

    Haxdoor: yvprgb.dll
    O20 - Winlogon Notify: yvprgb - c:\windows\system32\yvprgb.dll
    YVPB video output: \??\C:\WINDOWS\system32\ycsrgb.sys (system)
    RGB video output: \??\C:\WINDOWS\system32\ycsrga.sys (autostart)

    Haxdoor: rxx5ot.dll
    O20 - Winlogon Notify: rxx5ot - C:\WINNT\SYSTEM32\rxx5ot.dll

    Haxdoor: ydsvgd.dll
    O20 - Winlogon Notify: ydsvgd - C:\WINDOWS\SYSTEM32\ydsvgd.dll

    Haxdoor: xopptp.dll
    O20 - Winlogon Notify: xopptp - C:\WINDOWS\SYSTEM32\xopptp.dll
    YVPB video output:\??\C:\WINDOWS\system32\xdpptp.sys (system)
    xopptp.dll
    xdpptp.sys
    xopptp.sys

    Haxdoor: yvdrgb.dll
    O20 - Winlogon Notify: yvdrgb - C:\WINDOWS\SYSTEM32\yvdrgb.dll
    YVPB video output: \??\C:\WINDOWS\System32\ycsrgb.sys (system)
    RGB video output: \??\C:\WINDOWS\System32\ycsrga.sys (autostart)
    yvdrgb.dll
    ycsrgb.sys

    Haxdoor: emul65.dll
    O20 - Winlogon Notify: emul65 - C:\WINDOWS\SYSTEM32\emul65.dll
    DCode emulator A37: \??\C:\WINDOWS\System32\emul37.sys (system)
    DCode emulator: \??\C:\WINDOWS\System32\emul65.sys (autostart)
    emul65.dll
    emul65.sys
    emul37.sys

    Haxdoor: wnmicf.dll
    O20 - Winlogon Notify: wnmicf - C:\WINDOWS\SYSTEM32\wnmicf.dll
    MClear Service: \??\C:\WINDOWS\System32\wnmicf.sys (autostart)
    FClear Service: \??\C:\WINDOWS\System32\wnmifc.sys (system)
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wnmicf
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wnmifc
    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot \minimal\wnmicf.sys
    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot \minimal\wnmifc.sys
    wnmicf.dll
    wnmicf.sys
    wnmifc.sys

    Haxdoor: rmk8ot.dll
    O20 - Winlogon Notify: rmk8ot - C:\WINDOWS\SYSTEM32\rmk8ot.dll
    MMX2 virtualization service: \??\C:\WINDOWS\System32\rmk9ot.sys (autostart)
    MMX virtualization service: \??\C:\WINDOWS\System32\rmk9ot.sys (system)
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rmk8ot
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rmk9ot
    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot \minimal\rmk8ot.sys
    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot \minimal\rmk9ot.sys
    rmk8ot.dll
    rmk8ot.sys
    rmk9ot.sys

    Haxdoor: svkvpn.dll
    O20 - Winlogon Notify: svkvpn - C:\WINDOWS\SYSTEM32\svkvpn.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\svkvpn
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot \Minimal\svjvpn.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot \Network\svjvpn.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svjvpn
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\svkvpn
    MCRT accelerator: \??\C:\WINDOWS\System32\svjvpn.sys (system)
    DCRT accelerator: \??\C:\WINDOWS\System32\svjvpm.sys (autostart)
    svkvpn.dll
    svjvpn.sys
    svkvpn.sys

    Haxdoor: utgrbe.dll
    O20 - Winlogon Notify: utgrbe - C:\WINDOWS\SYSTEM32\utgrbe.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\utgrbe
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot \Minimal\utgrbe.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot \Network\ufgrbe.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ufgrbe
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\utgrbe
    utgrbe.dll
    utgrbe.sys
    ufgrbe.sys

    Haxdoor: eetvpn.dll
    O20 - Winlogon Notify: eetvpn - C:\WINDOWS\SYSTEM32\eetvpn.dll
    MCRT accelerator: \??\C:\WINDOWS\System32\eexvpn.sys (system)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\eetvpn
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot \Minimal\eetvpn.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot \Network\eexvpn.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\eetvpn
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\eexvpn
    eetvpn.dll
    eetvpn.sys
    eexvpn.sys

    Haxdoor: wsmsag.dll
    O20 - Winlogon Notify: wsmsag - C:\WINDOWS\SYSTEM32\wsmsag.dll
    RGB video output: \??\C:\WINDOWS\System32\mswsaf.sys (autostart)
    IPSTK driver: \??\C:\WINDOWS\System32\mswsag.sys (system)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wsmsag
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wsmsag
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mswsag
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot \Minimal\mswsag.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot \Network\mswsag.sys
    wsmsag.dll
    mswsag.sys
    wsmsag.sys

    Haxdoor: ovrscn.dll
    O20 - Winlogon Notify: ovrscn - C:\WINDOWS\SYSTEM32\ovrscn.dll
    Memory SCN X1: \??\C:\WINDOWS\System32\ovrscn.sys (autostart)
    Memory SCN: \??\C:\WINDOWS\System32\ovwscn.sys (system)
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ovrscn
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ovrscn
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ovwscn
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot \Network\ovrscn.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot \Minimal\ovrscn.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot \Minimal\ovwscn.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot \Network\ovwscn.sys
    ovrscn.dll
    ovrscn.sys
    ovwscn.sys

    Haxdoor: rgbopx.dll
    O20 - Winlogon Notify: rgbopx - C:\WINDOWS\SYSTEM32\rgbopx.dll
    YVPB video output: \??\C:\WINDOWS\system32\ycsrgb.sys
    RGB video output: \??\C:\WINDOWS\system32\ycsrga.sys
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rgbopx
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\rgbopx
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ycsrgb
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot \Network\rgbopx.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot \Minimal\ycsrgb.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot \Minimal\rgbopx.sys
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot \Network\ycsrgb.sys
    rgbopx.dll
    ycsrgb.sys
    ycsrga.sys

    Reinstall processes:
    O4 - HKCU\..\Run: [userinit.exe] C:\WINDOWS\userinit.exe
    O4 - HKLM\..\Run: [C:\WINDOWS\userinit.exe] C:\WINDOWS\userinit.exe
    O4 - HKLM\..\Run: [C:\WINDOWS\kernel%32.exe] C:\WINDOWS\kernel%32.exe
    C:\WINDOWS\userinit.exe
    C:\WINDOWS\kernel%32.exe

    HaxFix
    All variants discussed here, and all unknown variants that use the same method of infection, can be fixed with HaxFix.

    How to clean it up:
    Download haxfix.exe.
    Save it to your desktop.
    Close down all applications and every browser window.
    Double-click haxfix.exe to start the installation.
    Put a checkmark next to "Create a desktop icon".
    Click "Next" and follow the prompts on the screen.
    When the installation is finished, make sure that "Launch HaxFix" is enabled.
    Click "Finish".
    Now a red DOS window opens with the following options to choose from:
    1. Make logfile
    2. Run auto fix
    3. Run manual fix
    4. Run unknown fix
    E. Exit Haxfix

    Option 1: Make logfile.
    Choose Option 1 (create a log) by pressing 1.
    This takes a moment. When HaxFix is finished, a text file opens (haxlog.txt).
    You need to use this option first. The log shows all possible candidates that may indicate that one of the Haxdoor variants is running on your system.

    The check covers:
    - the file ps.a3d (the only file that is not hidden by the rootkit)
    - notify subkeys of the type ****16, ****32, ****xt, ****tt
    - services of the type ****16, ****24, ****32, ****64, ****xt, ****xm, ****tt, ****mm, ...
    - safeboot services of the type ****16.sys, ****24.sys, ****32.sys, ****64.sys, ****xt.sys, ****xm.sys, ****tt.sys, ****mm.sys, ...
    This logfile is needed to identify the Haxdoor variant on your system correctly.

    Start HaxFix again by clicking the HaxFix icon on your desktop.
    (You can also open the folder program files\haxfix and double-click fix.bat.)
    Now choose between Option 2 and Option 3.

    Option 2: Run the automatic fix.
    Close down all applications and browser windows. Your system will restart while HaxFix runs.
    Choose 2 and press ENTER to start Option 2 "Run auto fix".
    Follow the instructions on the screen.
    Your system will restart.
    As soon as HaxFix is done, a text file opens (c:\haxfix.txt).

    This option works with the notify keys that were found.
    For every key found, a check is made whether a matching
    service or safeboot service exists.
    (The check covers 6 different registry keys.)
    As soon as a service or safeboot service is found, the fix starts.
    If no matching service or safeboot service is found, no fix is done
    for that notify key; it is skipped.
    All this information is available in the logfile from Option 1.
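    As an added illustration (my own code, not HaxFix's and not part of the original post), the Python below applies the Option 1 naming rules (notify keys of type ****16/32/xt/tt, services and safeboot entries of type ****16/24/32/64/xt/xm/tt/mm) to constructed HijackThis-style scan lines and then applies the Option 2 decision: fix a key only when a matching service or safeboot service exists. The sample lines, the legitimate-looking entries and the helper names are assumptions.

```python
"""Added example: Haxdoor key matching as described for HaxFix Options 1 and 2.
Not HaxFix code; sample scan lines below are constructed for illustration."""
import re
from collections import defaultdict

NOTIFY_SUFFIXES = ("16", "32", "xt", "tt")                           # documented notify DLL types
SERVICE_SUFFIXES = ("16", "24", "32", "64", "xt", "xm", "tt", "mm")  # documented driver types

NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - ", re.I)
SERVICE_RE = re.compile(r"System32\\(\w+)\.sys\s*\((?:autostart|system)\)", re.I)
SAFEBOOT_RE = re.compile(r"\\SafeBoot\s*\\(?:Minimal|Network)\\(\w+\.sys)\s*$", re.I)

# Constructed sample scan (not a real log): two Haxdoor-style notify entries,
# one legitimate notify entry and one legitimate driver that must not match.
SAMPLE_SCAN = r"""
O20 - Winlogon Notify: winm32 - C:\WINDOWS\SYSTEM32\winm32.dll
O20 - Winlogon Notify: xptp16 - C:\WINDOWS\SYSTEM32\xptp16.dll
O20 - Winlogon Notify: crypt32chain - C:\WINDOWS\system32\crypt32.dll
winm TCP: \??\C:\WINDOWS\System32\winm32.sys (autostart)
winm64 TCP: \??\C:\WINDOWS\System32\winm64.sys (system)
Intel(R) PRO/1000 Adapter: \??\C:\WINDOWS\System32\e1000325.sys (system)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot \Minimal\winm64.sys
""".strip().splitlines()


def haxdoor_key(name, suffixes):
    """Return the 4-letter random part if name is <4 chars><documented suffix>."""
    if len(name) == 6 and name[4:].lower() in suffixes:
        return name[:4].lower()
    return None


def analyze(lines):
    """Group notify keys, services and safeboot entries by Haxdoor key (Option 1)."""
    report = {"notify": {}, "services": defaultdict(list), "safeboot": defaultdict(list)}
    for line in lines:
        line = line.strip()
        if m := NOTIFY_RE.match(line):
            key = haxdoor_key(m.group(1), NOTIFY_SUFFIXES)
            if key:
                report["notify"][key] = m.group(1)
        elif m := SAFEBOOT_RE.search(line):
            key = haxdoor_key(m.group(1)[:-4], SERVICE_SUFFIXES)   # strip ".sys"
            if key and m.group(1) not in report["safeboot"][key]:
                report["safeboot"][key].append(m.group(1))
        elif m := SERVICE_RE.search(line):
            key = haxdoor_key(m.group(1), SERVICE_SUFFIXES)
            if key and m.group(1) not in report["services"][key]:
                report["services"][key].append(m.group(1))
    return report


def auto_fix_plan(report):
    """Option 2 rule: a notify key is fixed only when a service or safeboot
    service with the same key exists; otherwise it is skipped (use Option 3)."""
    fix, skipped = [], []
    for key in sorted(report["notify"]):
        if report["services"].get(key) or report["safeboot"].get(key):
            fix.append(key)
        else:
            skipped.append(key)
    return fix, skipped


def render_haxlog(report):
    """Emit the 'checking for haxdoor' block in the style of haxlog.txt."""
    keys = sorted(report["notify"])
    out = ["checking for matching notify keys...."]
    out += ["matching notify keys found", *keys] if keys else ["no matching notify keys found"]
    for label, section in (("services", "services"), ("safeboot services", "safeboot")):
        found = [n for k in keys for n in report[section].get(k, [])]
        out.append(f"checking for matching {label}....")
        out += [f"matching {label} found", *found] if found else [f"no matching {label} found"]
    return "\n".join(out)
```

Running `auto_fix_plan(analyze(SAMPLE_SCAN))` yields `(['winm'], ['xptp'])`: winm has matching services and a safeboot entry, while xptp has only a notify entry and would be left for Option 3.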

    Option 3: Run the manual fix.
    Close down all applications and browser windows. Your system will restart while HaxFix runs.
    Choose 3 and press ENTER to start Option 3 "Run manual fix".
    When you get the message:
    Insert the haxdoorkey,
    and then press enter:
    type: <haxdoorkey **** (without the numbers)>
    (for example: avpe, pptp, fuxx, snda, xptp, ....)
    Press ENTER.
    Now you get the message:
    Haxdoorkey xxxx added to delete.

    Do you want to add a new haxdoorkey?

    Press Y for YES or N for NO and then press Enter:

    Do you want to add a key:
    Press Y for YES.
    When you get the message:
    Insert the haxdoorkey,
    and then press enter:
    type: <haxdoorkey **** (without the numbers)>
    Press ENTER.
    Now you will get the message:

    Haxdoorkey **** added to delete.

    Do you want to add a new haxdoorkey?

    Press Y for YES or N for NO and then press Enter:
    .....

    If you don't want to add another key:
    Press N for NO.

    Follow the instructions on the screen.
    Your system will restart.
    When HaxFix is done, it opens a text file (c:\haxfix.txt).

    This option lets you add a key manually.
    As soon as you add a key, a check is made for the presence of a service / safeboot service. If nothing is found, the key cannot be added.
    You can add more than one key.

    Option 3 can be used:
    - if no notify key can be found.
    - if there are important entries in the logfile which must not be deleted.

    Information how to remove the Goldun Variants can be found ->here.
    (http://users.telenet.be/marcvn/spyware/1585977.htm)

    Option 4: Run the unknown fix.
    Since version 4.43 catchme.exe is integrated into HaxFix (many thanks to Gmer).
    HaxFix checks the catchme logfile for Haxdoor and Goldun variants, using the notify key and the services.
    Haxdoor and Goldun variants found this way can be deleted with Option 4.

    E. Exit Haxfix
    This option ends HaxFix.

    Take care: there can always be important entries in the logfile you created under Option 1.
    As soon as a key of one of these types and even a single running service are found on your system, that key will be deleted by HaxFix.
    Please take care using this program - don't play around!

    The logfile created by HaxFix looks like this:
    HAXFIX logfile - by Marckie
    ______________
    version 4.00
    do 27/07/2006 21:31:51,23
    running from: C:\Program Files\HaxFix

    checking for haxdoor
    --------------------
    checking for a3d files....
    a3d files found
    ps.a3d

    checking for matching notify keys....
    matching notify keys found
    winf
    checking for matching services....
    matching services found
    winf44
    winf49
    checking for matching safeboot services....
    matching safeboot services found
    winf44.sys
    winf49.sys


    Checking for goldun
    -------------------
    checking for notify keys....
    no notify keys found

    checking for services....
    no services found


    Finished


    Option 2: run auto fix produces this:
    HAXFIX logfile - by Marckie
    --------------
    version 4.00
    do 27/07/2006 21:33:09,29
    --- Auto Haxdoorfix ---


    searching for services....
    service winf44 found
    [SWSC] DeleteService SUCCESS
    service winf49 found
    [SWSC] DeleteService SUCCESS


    --- Goldunfix ---


    searching for notifykeys:
    no notifykeys found

    searching for services:
    No services found


    .....rebooting the computer.....


    searching for notifykeys

    notifykey winf44 not found


    searching for services

    service winf44 not found
    service winf49 not found


    searching for safeboot services

    safeboot service winf44.sys not found
    safeboot service winf49.sys not found

    searching for files

    winf44.dll exists
    deleting winf44.dll
    winf44.dll has been deleted

    winf44.sys exists
    deleting winf44.sys
    winf44.sys has been deleted

    winf49.sys exists
    deleting winf49.sys
    winf49.sys has been deleted


    checking for other files

    qy.sys exists
    deleting qy.sys
    qy.sys has been deleted

    qz.dll exists
    deleting qz.dll
    qz.dll has been deleted

    qz.sys exists
    deleting qz.sys
    qz.sys has been deleted

    x8.xxd exists
    deleting x8.xxd
    x8.xxd has been deleted

    zxcsedr.dll exists
    deleting zxcsedr.dll
    zxcsedr.dll has been deleted


    checking for a3d files

    ps.a3d
    deleting a3d files
    a3d files are deleted


    Finished

    ***


    With Lots of Thanks to You
    Marckie
    for this GREAT work
    Last edited by Ruby (22.10.2007 at 07:16) Reason: UPDATE
