Likewise with this log, if we could delete it after you're done with it, that'd be great. Thanks!
Let's let PP look at it and tell us what to do...I have only used this one once.
Download haxfix.exe.
Save it to your desktop.
Close down all applications and every browser window.
Double-click on haxfix.exe to start the installation.
Put a checkmark next to "Create a desktop icon".
Click "Next" and follow the prompts on the screen.
When the installation is finished, make sure that "Launch HaxFix" is enabled.
Click "Finish".
Now a red DOS window opens with the following options to choose from:
1. Make logfile
2. Run auto fix
3. Run manual fix
E. Exit Haxfix
Option 1: Make logfile.
Choose Option 1: Create a log by pressing 1.
This will need a moment of your time. When HaxFix is finished, a text file opens (haxlog.txt).
You need to use this option first. A log will be created which shows you all possible candidates that may signal that one of the Haxdoor variants is running on your system.
The check will be done for:
- the file ps.a3d (the only file which is not hidden by a rootkit)
- notify subkeys of the type ****16, ****32, ****xt, ****tt
- services of the type ****16, ****24, ****32, ****64, ****xt, ****xm, ****tt, ****mm,...
- safeboot services of the type ****16.sys, ****24.sys, ****32.sys, ****64.sys, ****xt.sys, ****xm.sys, ****tt.sys, ****mm.sys,...
This Logfile must be done to get the right results for the Haxdoor variant on your system.
Post back here with that log.
Judy
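Added example, not part of HaxFix or of this thread: a Python sketch of the name-pattern checks the instructions above describe, run over constructed lists of notify subkeys, services and safeboot entries. It assumes each "****" stands for exactly four characters and uses only the suffixes the list spells out; the sample input is modelled on the log posted later in the thread, where Aspi32 is reported as a matching service.

```python
import re

# Suffixes the instructions list for each check. The page's list for services
# and safeboot entries ends in "...", so the real tool knows more; only the
# listed ones are used here.
NOTIFY_SUFFIXES = ("16", "32", "xt", "tt")
SERVICE_SUFFIXES = ("16", "24", "32", "64", "xt", "xm", "tt", "mm")

def _pattern(suffixes, ext=""):
    # Assumption: each "****" in the instructions stands for exactly four
    # characters, so "Aspi32" is four characters plus the suffix "32".
    alt = "|".join(re.escape(s) for s in suffixes)
    return re.compile(r"^.{4}(?:" + alt + r")" + re.escape(ext) + r"$", re.IGNORECASE)

NOTIFY_RE = _pattern(NOTIFY_SUFFIXES)
SERVICE_RE = _pattern(SERVICE_SUFFIXES)
SAFEBOOT_RE = _pattern(SERVICE_SUFFIXES, ext=".sys")

def haxdoor_candidates(a3d_files, notify_keys, services, safeboot_services):
    """Return, per category, the names that match the Haxdoor naming patterns.

    As the instructions say, these are candidates only: a name that fits the
    pattern is a lead to confirm against other evidence, not proof of infection.
    """
    return {
        "a3d_files": [f for f in a3d_files if f.lower() == "ps.a3d"],
        "notify": [k for k in notify_keys if NOTIFY_RE.match(k)],
        "services": [s for s in services if SERVICE_RE.match(s)],
        "safeboot": [s for s in safeboot_services if SAFEBOOT_RE.match(s)],
    }

# Constructed sample input modelled on the log posted later in this thread;
# "abcdxt" is a made-up name added only to exercise the notify pattern.
SAMPLE = {
    "a3d_files": [],
    "notify_keys": ["crypt32chain", "ScCertProp", "abcdxt"],
    "services": ["Aspi32", "Browser", "Dhcp", "Spooler", "Netman"],
    "safeboot_services": ["vga.sys", "Fastfat.sys", "Dhcp"],
}

if __name__ == "__main__":
    for section, hits in haxdoor_candidates(**SAMPLE).items():
        print(section, "->", ", ".join(hits) if hits else "none")
```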
Dare I hope that this is the last few steps?
HAXFIX logfile - by Marckie
version 4.43
Thu 05/17/2007 22:37:22.92
--- Checking for Haxdoor ---
checking for a3d files
a3d files not found
checking for matching notify keys
no matching notify keys found
checking for matching services
matching services found
Aspi32
checking for matching safeboot services
no matching safeboot services found
checking for other Haxdoor-files
no other Haxdoor-files found
--- Checking for Goldun ---
checking for SSODL keys
no ssodl keys found
checking for notify keys
no notify keys found
checking for services
no services found
checking for other Goldun-files
no other Goldun-files found
checking iexplore.exe
iexplore.exe is not infected
--- Catchme logfile - thank you Gmer ---
catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-17 22:37:22
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
--- Analysing Catchme logfile ---
no matching regkeys found
Finished!
Ok, we are getting there!
Checked with ShadowPuterDude who put this tool together. Here is his message:
Follow all his instructions and then attach the new log.
It's a FP (False Positive). That's WinLanMiniPort. I still have to filter that out. Probably do that this weekend and release Beta7.
Viewing of Hidden Files and Folders isn't properly enabled. Have the poster run ShowIt.bat from inside the ISeeYouXP folder. MsConfig is being used to disable several startups. Get the poster to enable everything. There are a couple of issues that need to be fixed, but first the OP needs to run ShowIt and stop using MsConfig.
Run this Registry patch
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\runonceex]
"Flag"=-
"Windows Update"=-
If the reg key looks like this:
curr entversion
Delete the extra space
Killbox the following file:
C:\WINDOWS\scvhost.exe
Double-click on Killbox.exe to run it.
Put a tick by Delete on Reboot.
Then have the OP attach a new ISeeYouXP log.
Judy
How do I "run the registry patch"?
And does running ShowIt automatically stop running MsConfig, or do I need to do something in addition?
EDIT: I don't see scvhost.exe in the Windows directory. I haven't done the other steps - waiting on answers - but I thought I'd check, and, indeed, I don't see it.
Last edited by StckFigure; 05-17-2007 at 11:57 PM.
You need to actually go into msconfig and re-enable EVERYTHING in there. I believe the ShowIt.bat is going to show your hidden files and folders properly.
scvhost.exe IS in there, you may not be able to see it but it IS showing in the ISeeYouXP log.
Just run the Killbox on that file as instructed and if it is there it will get rid of it. If it isn't there it will tell you it couldn't be found. But it does show in the log. Make sure you run the ShowIt.bat first before you do the Killbox.
Let me check again on that REGEDIT4
I think you need to check that key first in the registry to see if there IS a space between curr entversion then you will have to run that...but for now just check and see if the space is there.
Sorry to suddenly be so completely out of it and make it seem like pulling teeth... I just want to make sure I don't do anything wrong. You want me to go into MSConfig and enable ALL Startup programs, even the ones that have been disabled forever? What about ALL Services (which are all enabled already except for two from AOL and the ASFEGTGF one we disabled earlier)?
Copy the contents of the below quote box to Notepad; Save As FixReg.reg to your Desktop; make sure File Type: is set to All Files (*.*). Close Notepad.
REGEDIT4
[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\runonceex]
"Flag"=-
"Windows Update"=-
Locate FixReg.reg on your Desktop. Double-click on it and answer 'Yes' when asked if you want to merge with the registry.
If curr entversion looks like this in the above patch, delete the space. It's not supposed to be there.
Run MsConfig and enable everything that is disabled. MsConfig is a diagnostic tool and is not intended to be used in the way you are using it. If you are receiving error messages related to these items at system start, we can fix this without using MsConfig. You will have to restart your computer for the changes to take effect.
Using Windows Explorer (right click the Start button and select Explore to open Windows Explorer) navigate to C:\ISeeYouXP and locate the following script:
ShowIT.bat
Double-click to run the batch.
Now run Pocket Killbox:
Choose Tools -> Delete Temp Files and click Delete Selected Temp Files
Then after it deletes the files click the Exit (Save Settings) button.
NOTE: Pocket Killbox will only list the added files it is able to find on the system. So when you do the below, if some files do not show in the list after pasting them in, just continue.
Select:
- Delete on Reboot
- then Click on the All Files button.
- Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\WINDOWS\scvhost.exe
- Return to Killbox, go to the File menu, and choose Paste from Clipboard.
- Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.
If the file isn't there Killbox will tell you it couldn't find the file.
Please attach a fresh ISeeYouXP log. This log is quite long and it's easier to read as 1 file.
a-squared Team - www.emsisoft.com
"Only those who fail greatly can ever achieve greatly" - Robert F. Kennedy
Microsoft Most Valuable Professional - Consumer Security (2007-2008)
Member - Alliance of Security Analysis Professionals - Since 2006
Linux Registered User # 363218
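Added example, not part of the thread or of any tool it mentions: a small Python checker for a REGEDIT4 patch like the FixReg.reg above. It lists the values the patch deletes and flags a key path that matches the intended RunOnceEx key only once the stray space in "curr entversion" is removed, which is the defect the instructions tell the poster to fix by hand; the expected key path and the embedded copy of the patch are constructed here.

```python
import re

# The RunOnceEx key the FixReg.reg patch above is meant to touch (assumed to
# be the intended target, i.e. the posted path with the stray space removed).
EXPECTED_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx"

# Constructed copy of the patch as posted, stray space in "curr entversion" and all.
PATCH_AS_POSTED = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\curr entversion\runonceex]
"Flag"=-
"Windows Update"=-
"""

KEY_RE = re.compile(r"^\[(-?)(.+)\]$")        # [key] or [-key] (key deletion)
VALUE_DEL_RE = re.compile(r'^"([^"]+)"=-$')   # "name"=- deletes a value

def check_reg_patch(text, expected_key=EXPECTED_KEY):
    """Report the keys a REGEDIT4 patch touches, the values it deletes, and
    problems: a missing header, or a key path that equals the expected key
    only after whitespace is removed (a wrapped or corrupted path, which
    would make the patch target a different key than intended)."""
    lines = [l.strip() for l in text.splitlines()]
    result = {"keys": [], "deleted_values": [], "problems": []}
    start = 1
    if not lines or lines[0] != "REGEDIT4":
        result["problems"].append("missing REGEDIT4 header")
        start = 0
    current = None
    for line in lines[start:]:
        m = KEY_RE.match(line)
        if m:
            current = m.group(2)
            result["keys"].append(current)
            if (current.lower() != expected_key.lower()
                    and current.replace(" ", "").lower() == expected_key.lower()):
                result["problems"].append("stray whitespace in key path: " + current)
            continue
        m = VALUE_DEL_RE.match(line)
        if m and current is not None:
            result["deleted_values"].append((current, m.group(1)))
    return result

def fix_key_whitespace(text, expected_key=EXPECTED_KEY):
    """Return the patch with a whitespace-corrupted key line rewritten to expected_key."""
    out = []
    for line in text.splitlines():
        m = KEY_RE.match(line.strip())
        if m and m.group(2).replace(" ", "").lower() == expected_key.lower():
            line = "[" + m.group(1) + expected_key + "]"
        out.append(line)
    return "\n".join(out) + "\n"
```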