HaxFix is a tool that can be used to remove Haxdoor, Goldun and some SpyBanker infections.
For the latest updates, have a look at my blog.
You can download HaxFix from my site, or from Bleeping Computer.
On both sites you will always find an updated version of the tool.
How to use?
Download haxfix.exe and save it to your desktop.
Double click on haxfix.exe to run it.
A red "DOS window" (DOS box) will open with these options:
1. Make logfile
E. Exit Haxfix
After running option 1, you will get a new menu with all options:
1. Make logfile
2. Run auto fix
3. Run manual fix
4. Run unknow fix
U. Uninstall Hafix
E. Exit Haxfix
Option 1. Make logfile.
When you use haxfix, always make a logfile first.
The logfile shows all services, safeboot services and notify keys that match the current haxdoor/goldun variants.
Haxfix checks for known SSODL keys related to Goldun.
Haxfix checks for known Browser Helper Objects (BHO) related to Goldun or SpyBanker infections.
Haxfix checks if iexplore.exe is infected with a (known) goldun variant. If so, it looks for a clean alternative in the dllcache or the temp folder.
Haxfix checks for known goldun variants that use the appinit key to load. These filenames are random, so haxfix checks the MD5 checksum.
Haxfix checks for a lot of related haxdoor and goldun files. If present, haxfix will list them in the logfile. If the file is a rootkit file, haxfix will mark it as a rootkit file.
Catchme.exe has been integrated in haxfix since version 4.43.
The logfile produced by Catchme will be analysed by haxfix for matching haxdoor-
The logfile made by option 1 shows you if a known infection is present on your computer.
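The appinit check described above matches on file content rather than on file name. The following is an added example, not HaxFix's own code: it splits an AppInit_DLLs value, hashes each listed file with MD5 and compares the result with a set of known hashes. The file names, file contents and the "known" hash are constructed for the demo, and the function names are hypothetical.

```python
import hashlib
import re
import tempfile
from pathlib import Path

def split_appinit(value):
    """Split an AppInit_DLLs value; entries are separated by spaces or commas."""
    return [p for p in re.split(r"[ ,]+", value.strip()) if p]

def md5_of(path):
    """MD5 of a file, read in chunks so large files are not loaded at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_appinit(value, known_md5):
    """Return (entry, verdict) per entry: 'known', 'unknown' or 'missing'."""
    results = []
    for entry in split_appinit(value):
        p = Path(entry)
        if not p.is_file():
            # Listed in the registry but not on disk (or hidden from this process).
            results.append((entry, "missing"))
        elif md5_of(p) in known_md5:
            # Random name, but the content matches a known variant.
            results.append((entry, "known"))
        else:
            results.append((entry, "unknown"))
    return results

def demo():
    """Run the check on constructed files; nothing here is a real sample."""
    with tempfile.TemporaryDirectory() as d:
        sample = b"constructed stand-in for a known variant"
        known = {hashlib.md5(sample).hexdigest()}  # constructed hash list
        a = Path(d, "qzxkvw.dll")   # random-looking name, known content
        a.write_bytes(sample)
        b = Path(d, "helper.dll")   # unrelated content
        b.write_bytes(b"constructed unrelated file")
        value = f"{a},{b} {Path(d, 'gone.dll')}"
        return [(Path(e).name, v) for e, v in check_appinit(value, known)]

if __name__ == "__main__":
    for name, verdict in demo():
        print(f"{verdict:8} {name}")
```

An "unknown" verdict only means the hash is not in the list; a new variant with different content will not match.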
Option 2. Run auto fix.
Option 2 deletes all haxdoor-
You can use option 2 if the notify keys that are found are related to haxdoor or goldun.
Option 3. Run manual fix.
This gives you the possibility to add one or, if necessary, more than one haxdoor key.
When you start option 3, you'll get a message:
echo Insert the haxdoorkey,
and then press Enter:
Insert the haxdoorkey without the numbers. (Ex: avpe, xtpt, fuxx,...)
When this is a valid choice (there is a check for the services/safeboot services), the key will be added to the keys to delete.
Next you have the possibility to add a new key: Yes (press Y) or No (press N)
When do we use option 3?
Use option 3 if there are:
If you use option 3 to delete a haxdoorvariant, and one or more goldun-
Option 4. Run unknow fix.
The logfile produced by Catchme will be analysed by haxfix for hax-
If a match is found, you can delete them by using option 4 -
(This only works with the variants that use notify and services registry keys.)
Variants that are not recognized by haxfix, but are detected by catchme, can now be deleted with haxfix.
Option U. Uninstall Hafix.
This will remove all files and folders produced by haxfix.
Option E. Exit HaxFix.
Use option E to shut down haxfix.
A few remarks:
If you see this in the logfile: registrysettings failed, use this command: %systemdrive%\haxfix.exe /reset
If you don't get the logfile after reboot, use this command: %systemdrive%\haxfix.exe /after