HaxFix Tutorial




Tool used to remove the Haxdoor trojan and its Goldun variants.
Download link:
http://download.bleepingcomputer.com/marckie/haxfix.exe


HijackThis entries of known variants:
Quote:
O20 - Winlogon Notify: avpe32 - C:\WINDOWS\SYSTEM32\avpe32.dll
O20 - Winlogon Notify: avpx32 - C:\WINDOWS\SYSTEM32\avpx32.dll
O20 - Winlogon Notify: avpi32 - C:\WINDOWS\SYSTEM32\avpi32.dll
O20 - Winlogon Notify: avpp32 - C:\WINDOWS\SYSTEM32\avpp32.dll
O20 - Winlogon Notify: avpu32 - C:\WINDOWS\SYSTEM32\avpu32.dll
O20 - Winlogon Notify: fuxx32 - C:\WINDOWS\SYSTEM32\fuxx32.dll
O20 - Winlogon Notify: cert32 - C:\WINDOWS\SYSTEM32\cert32.dll
O20 - Winlogon Notify: tcpR32 - C:\WINDOWS\SYSTEM32\tcpR32.dll
O20 - Winlogon Notify: axxt32 - C:\WINDOWS\SYSTEM32\axxt32.dll
O20 - Winlogon Notify: winm32 - C:\WINDOWS\SYSTEM32\winm32.dll
O20 - Winlogon Notify: snda32 - C:\WINDOWS\SYSTEM32\snda32.dll
O20 - Winlogon Notify: sndu32 - C:\WINDOWS\SYSTEM32\sndu32.dll
O20 - Winlogon Notify: lanH32 - C:\WINDOWS\SYSTEM32\lanH32.dll
O20 - Winlogon Notify: twpR32 - C:\WINDOWS\SYSTEM32\twpR32.dll
O20 - Winlogon Notify: pptp32 - C:\WINDOWS\SYSTEM32\pptp32.dll
O20 - Winlogon Notify: semd32 - C:\WINDOWS\SYSTEM32\semd32.dll
O20 - Winlogon Notify: mmxF32 - C:\WINDOWS\SYSTEM32\mmxF32.dll
O20 - Winlogon Notify: xmsk32 - C:\WINDOWS\SYSTEM32\xmsk32.dll
O20 - Winlogon Notify: regP32 - C:\WINDOWS\SYSTEM32\regP32.dll
O20 - Winlogon Notify: mmx432 - C:\WINDOWS\SYSTEM32\mmx432.dll
O20 - Winlogon Notify: sslx32 - C:\WINDOWS\SYSTEM32\sslx32.dll
O20 - Winlogon Notify: xptp16 - C:\WINDOWS\SYSTEM32\xptp16.dll
O20 - Winlogon Notify: pptp16 - C:\WINDOWS\SYSTEM32\pptp16.dll
O20 - Winlogon Notify: ppts16 - C:\WINDOWS\SYSTEM32\ppts16.dll
O20 - Winlogon Notify: skyx16 - C:\WINDOWS\SYSTEM32\skyx16.dll
O20 - Winlogon Notify: skyu16 - C:\WINDOWS\SYSTEM32\skyu16.dll
O20 - Winlogon Notify: mmx4xt - C:\WINDOWS\SYSTEM32\mmx4xt.dll
O20 - Winlogon Notify: xptptt - C:\WINDOWS\SYSTEM32\xptptt.dll
O20 - Winlogon Notify: xdudtt - C:\WINDOWS\SYSTEM32\xdudtt.dll
O20 - Winlogon Notify: wxtwdx - C:\WINDOWS\SYSTEM32\wxtwdx.dll
O20 - Winlogon Notify: dxtpdx - C:\WINDOWS\SYSTEM32\dxtpdx.dll
O20 - Winlogon Notify: yvpp01 - C:\WINDOWS\SYSTEM32\yvpp01.dll
O20 - Winlogon Notify: yvbb01 - C:\WINDOWS\SYSTEM32\yvbb01.dll
O20 - Winlogon Notify: vistax - C:\WINDOWS\SYSTEM32\vistax.dll
O20 - Winlogon Notify: dvb03a - C:\WINDOWS\SYSTEM32\dvb03a.dll
O20 - Winlogon Notify: sertgs - C:\WINDOWS\SYSTEM32\sertgs.dll
O20 - Winlogon Notify: seppgs - C:\WINDOWS\SYSTEM32\seppgs.dll
Etc...
The file names usually vary, ending in: ****32.dll, ****16.dll, ****xt.dll, ****tt.dll, ****dx.dll, ****01.dll, ****ax.dll, ****3a.dll, ****gs.dll, ****hh.dll, ****44.dll, or using one of these names: debugg.dll, yvsvga.dll, xmm13g.dll, mmx17g.dll, yvprgb.dll, rxx5ot.dll, ydsvgd.dll, xopptp.dll, yvdrgb.dll, emul65.dll, wnmicf.dll, rmk8ot.dll, svkvpn.dll, utgrbe.dll, eetvpn.dll, wsmsag.dll, ovrscn.dll, rgbopx.dll, aeskap.dll, agpbrdg0.dll, arprmdg0.dll, asusrx20.dll, ati2kaag.dll, ati2paag.dll, atiddaxx.dll, atietaxx.dll, atixdaxx.dll, atixdbxx.dll, avload32.dll, axdebugl.dll,
bt848rom.dll, cdscsix3.dll, ddirectz.dll, directpt.dll, directut.dll, docent0.dll, docent2.dll, dvd4free.dll, emldvc.dll, extxerox.dll, extfpu.dll, fanxctrl.dll, flashdma.dll, gatwxkey.dll, lsd_f3.dll, MSplg7.dll, flashdrvr.dll, gatexkey.dll, gdiwxp.dll, gdwxp3.dll, hpprintx.dll, ideusr50.dll, ies4dll.dll, iesdl4l.dll, ksapgh.dll, lanmui.dll, lgn1216a.dll, linksrv0.dll, logon032.dll,
logon16x.dll, mcfCC4.dll, mcfG7A.dll, mdfpro.dll, mi5035a0.dll, mmcdll.dll, mmxeroxk.dll, nclabydll.dll, nkunpack.dll, nucdrvdll.dll, nuclabdll.dll, nvsystl0.dll, obbf115.dll, obbn13t.dll, openglss.dll, openglwx.dll, pasksa.dll, printpnp.dll, printpn2.dll, prtsks.dll, prwsks.dll, psksds.dll, qhdtvv.dll, rdrVR2.dll, rege2usb.dll, rlx51dom.dll, rlx5dom1.dll, rsdapi.dll, satad640.dll, satau320.dll, satdll.dll, satmmc.dll, scsi2usb.dll, scsiusr4.dll, sdcard98.dll, se500mdm.dll, se633mxx.dll, sksdll.dll, sysprint.dll, tcpG4T.dll, tcpGDC.dll, tcpwrk.dll, twpkad.dll, upsctrl0.dll, vxtnav.dll, wartamll.dll, waxw2k.dll, winprint.dll, wndtx1.dll, wsmsge.dll, xartcd5.dll, xcdmfree.dll, xkeyshll.dll, zopenssl.dll.
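The naming rules above (a four-character stem plus one of the listed two-character suffixes, or one of the fixed names) can be applied mechanically to the O20 lines of a HijackThis log so that an analyst sees at a glance which Winlogon Notify entries match a known variant shape and which still need a manual look. The following script is an added example, not part of the tutorial or of HaxFix itself; the KNOWN_FILES set is only a subset of the page's list, the BASELINE_KEYS allow-list of legitimate Winlogon Notify entries and the sample log are constructed for the example, and a verdict of "pattern-match" is a triage hint to be confirmed against the file on disk, not proof of infection.

```python
import re
from typing import Dict, List, Optional

# Name shapes listed in the tutorial: a four-character stem plus one of these two-character
# suffixes (****32.dll, ****16.dll, ****xt.dll, ...).
VARIANT_SUFFIXES = ("32", "16", "xt", "tt", "dx", "01", "ax", "3a", "gs", "hh", "44")
STEM_RE = re.compile(r"^[a-z0-9]{4}(?:" + "|".join(VARIANT_SUFFIXES) + r")$", re.IGNORECASE)

# Fixed file names taken from the tutorial's list (a subset; extend it from the full list above).
KNOWN_FILES = {name.lower() for name in (
    "debugg.dll", "yvsvga.dll", "xmm13g.dll", "mmx17g.dll", "emul65.dll", "avload32.dll",
    "zopenssl.dll", "openglss.dll", "winprint.dll", "sysprint.dll", "lsd_f3.dll", "MSplg7.dll",
)}

# Constructed allow-list of Winlogon Notify keys seen on a clean Windows XP build; tune it to
# your own baseline rather than treating it as complete.
BASELINE_KEYS = {"crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
                 "sclgntfy", "SensLogn", "termsrv", "wlballoon"}

O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+?)\s*$")


def classify_o20(line: str) -> Optional[Dict[str, str]]:
    """Return a verdict for one HijackThis O20 line, or None for any other line."""
    m = O20_RE.match(line.strip())
    if m is None:
        return None
    key, path = m.group("key"), m.group("path")
    filename = path.replace("/", "\\").rsplit("\\", 1)[-1]
    stem = filename[:-4] if filename.lower().endswith(".dll") else filename
    if filename.lower() in KNOWN_FILES:
        verdict = "known-variant"      # exact name from the tutorial's list
    elif STEM_RE.match(stem):
        verdict = "pattern-match"      # matches the ****32 / ****16 / ... shape
    elif key in BASELINE_KEYS:
        verdict = "baseline"           # expected on a clean system
    else:
        verdict = "review"             # neither known-bad nor known-good: inspect the file
    return {"key": key, "file": filename, "path": path, "verdict": verdict}


def triage(log_text: str) -> List[Dict[str, str]]:
    """Classify every O20 line in a HijackThis log, in file order."""
    return [r for r in (classify_o20(ln) for ln in log_text.splitlines()) if r is not None]


# Constructed sample log: two entries from the tutorial's list, one fixed known name,
# two legitimate entries and one that needs a manual look.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O20 - Winlogon Notify: avpe32 - C:\\WINDOWS\\SYSTEM32\\avpe32.dll
O20 - Winlogon Notify: crypt32chain - crypt32.dll
O20 - Winlogon Notify: cscdll - C:\\WINDOWS\\SYSTEM32\\cscdll.dll
O20 - Winlogon Notify: emul65 - C:\\WINDOWS\\SYSTEM32\\emul65.dll
O20 - Winlogon Notify: dvb03a - C:\\WINDOWS\\SYSTEM32\\dvb03a.dll
O20 - Winlogon Notify: igfxcui - igfxdev.dll
"""

if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(f"{r['verdict']:14} {r['key']:14} {r['path']}")
```

The known-name check runs before the pattern check, and both run before the baseline allow-list, so a legitimate-looking key name that points at a file with a variant shape is still flagged.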


Instructions:

*Temporarily disable your antivirus and anti-spyware
*Close all running programs, Internet Explorer and Windows Explorer, and disconnect from the internet
*Double-click haxfix.exe


*Press ENTER to continue

*Press 1 to run a scan and generate a report, then ENTER

*If haxdoor is found, the result will be in c:\HaxFix\haxlog.txt


*A new program screen will appear

*For the removal, the PC must be restarted in Safe Mode (tap F8 repeatedly during startup and choose Safe Mode from the menu that appears)
*The options added are:
- 2 (Run auto fix)
The removal is automatic and a report is created at C:\haxfix.txt.
Quote:
HAXFIX logfile - by Marckie
--------------
version 5.0.34
seg 03/11/2008 9:33:03,67

--- Auto Haxdoorfix ---


searching for files:


searching for services....
service emul65 found
[SWSC] DeleteService SUCCESS
service emul37 found
[SWSC] DeleteService SUCCESS


--- Goldunfix ---


searching for files:

searching for SSODLkeys:
no SSODLkeys found

searching for notifykeys:
no notifykeys found

searching for services:
no services found


.....rebooting the computer.....


searching for ssodlkeys

not needed


searching for notifykeys

notifykey emul65 not found


searching for services

service emul65 not found
service emul37 not found


searching for safeboot services

safeboot service emul65.sys not found
safeboot service emul37.sys not found


searching for files

emul65.dll exists
deleting emul65.dll
emul65.dll has been deleted

emul37.sys exists
deleting emul37.sys
emul37.sys has been deleted

emul65.sys exists
deleting emul65.sys
emul65.sys has been deleted


checking for other files

qy.sys exists
deleting qy.sys
qy.sys has been deleted

qz.dll exists
deleting qz.dll
qz.dll has been deleted

qz.sys exists
deleting qz.sys
qz.sys has been deleted

x8.xxd exists
deleting x8.xxd
x8.xxd has been deleted

zxcsedr.dll exists
deleting zxcsedr.dll
zxcsedr.dll has been deleted


checking for a3d files

ps.a3d
deleting a3d files
a3d files are deleted


Finished

- 3 (Run manual fix)
For when the log reports an unknown haxdoor. When you choose this option, you will see the message: echo Insert the haxdoorkey,and then press Enter:
Type the haxdoor name without the digits (e.g. avload)
You will be asked whether you want to add a new haxdoorkey. Press Y or N
- 4 (Run unknow fix)
Used when Catchme detects a haxdoor described in haxlog.txt
- U (Uninstall Haxfix)
To uninstall HaxFix
- E (Exit)
To exit HaxFix
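The auto-fix log quoted above is the record of what was removed, and the thing to check in it is whether every service that was found was actually deleted and every file reported as existing was reported as deleted afterwards. The script below is an added example, not part of the tutorial or of HaxFix; it reduces a HaxFix log to that summary. The sample log is constructed from the page's quoted log, shortened, with one service entry ("xxxx01", a placeholder name) and one file ("qz.dll") deliberately left without a completion line to show how incomplete removals surface.

```python
import re
from typing import Any, Dict, List

VERSION_RE = re.compile(r"^version (\S+)$")
SERVICE_FOUND_RE = re.compile(r"^service (\S+) found$")
DELETE_OK_RE = re.compile(r"^\[SWSC\] DeleteService SUCCESS$")
FILE_EXISTS_RE = re.compile(r"^(\S+) exists$")
FILE_DELETED_RE = re.compile(r"^(\S+) has been deleted$")


def summarize_haxfix_log(text: str) -> Dict[str, Any]:
    """Reduce a HaxFix log to what was removed and what was only found."""
    services_deleted: List[str] = []
    services_not_deleted: List[str] = []
    files_seen: List[str] = []
    files_deleted: List[str] = []
    version = None
    rebooted = finished = a3d_cleanup = False
    pending_service = None  # service found, deletion not yet confirmed

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := VERSION_RE.match(line):
            version = m.group(1)
        elif m := SERVICE_FOUND_RE.match(line):
            # A previous "found" with no SUCCESS line means that service was not removed.
            if pending_service is not None:
                services_not_deleted.append(pending_service)
            pending_service = m.group(1)
        elif DELETE_OK_RE.match(line):
            if pending_service is not None:
                services_deleted.append(pending_service)
                pending_service = None
        elif m := FILE_EXISTS_RE.match(line):
            files_seen.append(m.group(1))
        elif m := FILE_DELETED_RE.match(line):
            files_deleted.append(m.group(1))
        elif "rebooting the computer" in line:
            rebooted = True
        elif line == "a3d files are deleted":
            a3d_cleanup = True
        elif line == "Finished":
            finished = True

    if pending_service is not None:
        services_not_deleted.append(pending_service)

    return {
        "version": version,
        "services_deleted": services_deleted,
        "services_not_deleted": services_not_deleted,
        "files_deleted": files_deleted,
        # files reported as existing but never reported as deleted
        "files_left": [f for f in files_seen if f not in files_deleted],
        "a3d_cleanup": a3d_cleanup,
        "rebooted": rebooted,
        "finished": finished,
    }


# Constructed sample: the page's quoted log, shortened, plus two incomplete removals.
SAMPLE_HAXFIX_LOG = """\
HAXFIX logfile - by Marckie
--------------
version 5.0.34

--- Auto Haxdoorfix ---

searching for services....
service emul65 found
[SWSC] DeleteService SUCCESS
service emul37 found
[SWSC] DeleteService SUCCESS
service xxxx01 found

.....rebooting the computer.....

searching for files

emul65.dll exists
deleting emul65.dll
emul65.dll has been deleted

emul37.sys exists
deleting emul37.sys
emul37.sys has been deleted

qz.dll exists
deleting qz.dll

checking for a3d files

ps.a3d
deleting a3d files
a3d files are deleted

Finished
"""

if __name__ == "__main__":
    for k, v in summarize_haxfix_log(SAMPLE_HAXFIX_LOG).items():
        print(f"{k:22} {v}")
```

A non-empty services_not_deleted or files_left list is the cue to rerun the fix in Safe Mode or to fall back to the manual fix option described above.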

Source: Fórum Guia do Hardware
